CISO Brief

All news with #advisory tag

355 articles · page 6 of 18

CISA Adds Two Google Vulnerabilities to KEV Catalog Today

🔔 CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-3909 (Google Skia out-of-bounds write) and CVE-2026-3910 (Google Chromium V8 unspecified). The agency cites evidence of active exploitation and reminds Federal Civilian Executive Branch agencies of remediation obligations under BOD 22-01. CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to attacks.

CISA Flags SolarWinds, Ivanti, and Workspace One Flaws

⚠️ CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on Mar 10, 2026, citing evidence of active exploitation in SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM. Federal civilian agencies were ordered to apply the SolarWinds fix by March 12 and remediate the other two flaws by March 23. The issues include a critical deserialization bug (CVE-2025-26399), an authentication bypass (CVE-2026-1603), and an SSRF (CVE-2021-22054) tied to ongoing threat activity.

FBI: Phishing Scam Targets City and County Permit Applicants

⚠️ The FBI warns that criminals are impersonating city and county planning and zoning officials to phish businesses and individuals with active land-use or permit applications. Victims receive emails referencing permit details, zoning application numbers, or property addresses and are instructed to pay invoices via wire transfers, peer-to-peer platforms, or cryptocurrency, often pressured with urgency. The agency urges recipients to verify sender domains, call local government offices to confirm fees, and report incidents to the IC3.

UK NCSC Issues Warning on Iranian Cyberattack Risks

⚠️ The UK National Cyber Security Centre (NCSC) has issued an advisory warning British organisations of an elevated risk of Iranian cyberattacks amid the ongoing Middle East conflict. While the NCSC says there is not yet a significant change in the direct threat to the UK, state‑sponsored and Iran‑linked actors likely retain some capability despite Iran’s domestic Internet blackout. Organisations with operations or supply chains in the region are urged to follow guidance on DDoS, phishing, and ICS targeting, review external attack surfaces, and increase monitoring.

UK Vulnerability Monitoring Service Cuts Fix Times

🔒 The UK government says its new Vulnerability Monitoring Service (VMS) has cut the backlog of critical vulnerabilities by 75% and reduced average fix times for serious public-sector website DNS issues from nearly two months to eight days. Operated by the Department for Science, Innovation and Technology (DSIT), the service continuously scans around 6,000 public sector bodies and provides targeted, practical remediation guidance and progress tracking. The update was published on 26 February.

CISA and Partners: Guidance on Cisco SD‑WAN Exploits

🔔 CISA and international partners warn of active exploitation of Cisco SD-WAN systems, adding CVE-2026-20127 and CVE-2022-20775 to the Known Exploited Vulnerabilities Catalog. FCEB agencies are required by Emergency Directive 26-03 to inventory, update, and assess SD-WAN deployments. Organizations should collect artifacts, apply vendor updates, follow the Catalyst SD-WAN Hardening Guide, and hunt for evidence of compromise immediately.

CISA Adds Two Actively Exploited Flaws in Roundcube

⚠️ CISA has added two Roundcube webmail vulnerabilities — CVE-2025-49113 and CVE-2025-68461 — to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is an authenticated deserialization flaw allowing remote code execution via an unvalidated _from parameter and was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is an XSS triggered by the SVG animate tag and was patched in December 2025 in Roundcube releases 1.6.12 and 1.5.12. Researchers reported weaponization within 48 hours and an exploit was offered for sale; FCEB agencies must remediate by March 13, 2026.

CISA: BeyondTrust RCE Now Exploited in Ransomware Attacks

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on‑premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on‑premises customers must install fixes manually.

Microsoft: LNK Shortcut Spoofing Issues Not Considered Bugs

⚠️ Security researcher Wietze Beukema disclosed several techniques at Wild West Hackin' Fest that manipulate Windows .lnk shortcut files to display a benign target in Explorer while executing a different program, including use of malformed LinkTargetIDList and EnvironmentVariableDataBlock fields. These variants can hide command-line arguments and exploit forbidden path characters to show deceptive targets such as "invoice.pdf" while invoking PowerShell or other payloads. Microsoft told the researcher it will not treat the primary finding as a security vulnerability, saying exploitation requires user interaction and pointing to Microsoft Defender, Smart App Control, and built-in warnings for downloaded .lnk files. Beukema published lnk-it-up, an open-source toolkit to generate and detect such shortcuts for testing and research.

Over 60 Vendors Issue Security Patches Across Platforms

🔒 It's Patch Tuesday: more than 60 software vendors released security updates addressing flaws across OS, cloud, and networking platforms. Microsoft fixed 59 vulnerabilities, including six actively exploited zero-days that can bypass protections, escalate privileges, or cause DoS. SAP patched two critical bugs — a SQL injection in CRM/S/4HANA (CVE-2026-0488, CVSS 9.9) and a missing authorization in NetWeaver ABAP (CVE-2026-0509, CVSS 9.6) — which may require kernel updates and role or UCON adjustments. Intel and Google also disclosed five TDX 1.5 vulnerabilities and numerous improvement suggestions; Adobe released multiple product updates with no known in-the-wild exploits reported.

ZOLL ePCR iOS App Vulnerability Exposes Local Data

🔒 The ZOLL ePCR iOS mobile application (version 2.6.7) contains a WebView input-sanitization flaw (CVE-2025-12699) that can reflect attacker-controlled strings into rendered HTML/JavaScript. Proof-of-concept testing shows injected scripts may read local application files, potentially exposing device telemetry and protected health information (PHI). CISA assigns a CVSS v3.1 base score of 5.5 (MEDIUM), notes the issue is not remotely exploitable, and reports no known public exploitation. ZOLL decommissioned the iOS app in May 2025 and has no replacement planned.

AVEVA PI to CONNECT Agent Log Information Exposure

⚠️ AVEVA reported that PI to CONNECT Agent (<=v2.4.2520) contains a vulnerability that can record sensitive proxy connection details in event logs. An attacker with local Event Log Reader (S-1-5-32-573) privileges could extract proxy URLs and credentials from those logs and gain unauthorized access to the proxy server. The issue is not remotely exploitable; the vendor’s fix is v2.5.2790 or later. Users should review and sanitize logs, rotate proxy credentials, avoid plain-text passwords in proxy URLs, and restrict Event Log Reader privileges.

Yokogawa FAST/TOOLS Multiple Web and Crypto Flaws Reported

⚠️ Yokogawa's FAST/TOOLS (versions R9.01–R10.04) contains multiple web and cryptographic vulnerabilities tracked across 14 CVEs that could enable redirection to malicious sites, decryption of communications, man-in-the-middle attacks, cross-site request forgery, script execution, and unauthorized file access. Example CVSS v3 scores reach up to 8.2 for some issues. Yokogawa advises updating to R10.04, applying patch CS_e12787, then installing R10.04 SP3. CISA recommends minimizing Internet exposure for control systems, isolating OT networks behind firewalls, and using secure remote access.

AVEVA PI Data Archive: Remote DoS (CVE-2026-1507) Advisory

⚠️ AVEVA's PI Data Archive contains an uncaught-exception vulnerability (CVE-2026-1507) that can allow an unauthenticated remote attacker to crash PI core services and cause denial of service. Affected versions include PI Server <=2018_SP3_Patch_7, 2023 (including 2023_Patch_1), and 2024. The issue has a CVSS 3.1 base score of 7.5 (High). AVEVA recommends upgrading to PI Server 2024 R2 or applying vendor patches and restricting inbound access to TCP port 5450.

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.

CISA Orders Removal of Unsupported Edge Devices Nationwide

🔒 CISA ordered federal agencies to remove edge devices that no longer receive vendor security updates and to strengthen lifecycle management within 12–18 months. Directive 26-02 requires agencies to catalog devices, update supported software immediately, report end-of-support items in three months, and decommission listed devices in 12 months and others in 18 months. CISA published an end-of-support edge device list and highlighted routers, firewalls, load balancers, wireless access points and IoT edge gear as high-risk targets for exploitation.

CISA directs removal of unsupported federal edge devices

🔒 CISA has ordered Federal Civilian Executive Branch agencies to inventory, update where possible, and remove all end-of-support edge devices—firewalls, routers, VPN gateways, load balancers, and other network security appliances—within an 18-month timeline. Agencies must report inventories within three months and begin removals within 12 months. CISA warned unsupported devices represent a substantial and constant threat and urged private sector adoption of similar measures.

CISA Orders Federal Agencies to Replace EOL Edge Devices

⚠️ CISA has issued BOD 26-02 requiring U.S. federal agencies to identify and remove end-of-life (EOL) network edge devices such as routers, firewalls, and switches that no longer receive security updates. Agencies must inventory devices on CISA's end-of-support list within three months, decommission pre-directive EOL devices within 12 months, and replace all identified EOL edge equipment within 18 months. The directive also requires agencies to implement continuous discovery processes within 24 months and encourages non-federal organizations to follow CISA's guidance to mitigate exploitation risks.

Hitachi Energy XMC20 RADIUS Forgery Vulnerability Advisory

⚠️ Hitachi Energy disclosed a critical vulnerability (CVE-2024-3596) affecting XMC20 devices that use remote RADIUS authentication. An MD5 Response Authenticator weakness permits a local attacker to forge or convert valid RADIUS responses (Access-Accept, Access-Reject, Access-Challenge), affecting confidentiality, integrity, and availability. Vendor guidance is to upgrade to XMC20 R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server; where upgrades are not possible, segment FOX management traffic and apply network mitigations. CISA republishes the vendor advisory for visibility.