
All news with #advisory tag


CISA Adds Two CVEs to Known Exploited Vulnerabilities

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-11953 (React Native Community CLI OS command injection) and CVE-2026-24423 (SmarterTools SmarterMail missing authentication for critical function). The additions reflect evidence of active exploitation and elevated risk to the federal enterprise. Under BOD 22-01 federal agencies must remediate KEV entries by the due date. CISA strongly urges all organizations to prioritize timely remediation.

o6 Automation Open62541 JSON PubSub Heap Overflow Advisory

⚠️ o6 Automation's Open62541 contains a heap out-of-bounds write in builds with PubSub and JSON enabled. A crafted JSON message can overwrite heap memory prior to authentication, reliably crashing the process and causing memory corruption. The vulnerability affects versions >=1.5-rc1 and <1.5-rc2 (CVE-2026-1301). Upgrade to v1.5.0 and apply network-access mitigations such as isolating control networks and restricting remote access to reduce exposure.

Mitsubishi MELSEC iQ-R Series Critical Firmware Flaw

⚠️ A critical vulnerability (CVE-2025-15080) affects Mitsubishi Electric MELSEC iQ-R Series firmware (R08/16/32/120PCPU) versions 48 and earlier. An attacker can read device data or parts of control programs, write device data, or cause a denial-of-service by sending specially crafted SLMP or proprietary protocol packets. Mitsubishi Electric recommends updating affected firmware to version 49 or later and, until patched, restricting access via firewalls, IP filters, VPNs, and LAN-only operation.

Ilevia EVE X1 Server: Multiple Critical Vulnerabilities

⚠️ CISA warns of multiple high‑severity vulnerabilities in Ilevia EVE X1 Server (≤ 4.7.18.0), including pre‑auth path traversal, unauthenticated OS command injection, plaintext credential exposure in logs, and reflected XSS. Successful exploitation can allow arbitrary shell execution and disclosure of sensitive files on critical manufacturing systems. Ilevia and CISA recommend updating the Ilevia Manager, closing TCP/8080, enforcing strong credentials, applying network segmentation, and monitoring for unauthorized access.

Hitachi Energy FOX61x RADIUS MD5 Forgery Vulnerability

🔒 Hitachi Energy reported a critical vulnerability in FOX61x devices when configured to use remote RADIUS authentication. The RADIUS implementation is vulnerable to a chosen-prefix collision attack on the MD5 Response Authenticator, allowing an attacker able to manipulate responses to forge Access-Accept/Access-Reject/Access-Challenge messages and affect confidentiality, integrity, and availability. Affected versions include FOX61x R17A and earlier; update to R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server. If immediate upgrade is not possible, segment FOX management traffic to reduce exposure.

TP-Link VIGI IP Cameras: Local Password Bypass Vulnerability

🔒 A vulnerability in the TP‑Link VIGI Series IP Camera local web interface allows an attacker on the same LAN to bypass authentication in the password recovery flow and reset the administrator password by manipulating client-side state. Successful exploitation grants full administrative access, compromising device configuration and network security. TP‑Link has released firmware updates and strongly recommends installing the latest builds; CISA advises isolating affected devices from public networks and using secure remote access such as updated VPNs.

CISA Alerts on Five-Year-Old GitLab SSRF Exploitation

⚠️ CISA has ordered federal agencies to patch a five-year-old GitLab SSRF vulnerability (CVE-2021-39935) that is currently being exploited in attacks. GitLab issued a fix for the server-side request forgery bug in December 2021 after it was found that unauthenticated users could reach the CI Lint API when user registration was restricted. Under BOD 22-01, affected Federal Civilian Executive Branch agencies must remediate by February 24, 2026, and CISA urges all organizations to prioritize mitigation. Shodan currently identifies over 49,000 internet-exposed GitLab instances, many reachable on default ports.

SolarWinds Web Help Desk RCE Vulnerability Exploited

⚠️ The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40551 — a critical remote code execution flaw in SolarWinds Web Help Desk — to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The vendor patched multiple high-severity bugs on January 28 and assigned CVSS scores of 9.8. Administrators are urged to apply the vendor update to Web Help Desk 2026.1 immediately to mitigate unauthenticated deserialization and authentication-bypass risks.

CISA Flags Actively Exploited SolarWinds WHD Flaw

⚠ CISA has added a critical SolarWinds Web Help Desk vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities catalog and flagged it as actively exploited. The flaw is an untrusted data deserialization vulnerability that can enable remote code execution without authentication, allowing attackers to run commands on affected hosts. SolarWinds released patches in WHD version 2026.1 that also address several related high-severity CVEs. Federal Civilian Executive Branch agencies are required to remediate this flaw under BOD 22-01, with a February 6, 2026, deadline.

CISA: Critical SolarWinds Web Help Desk RCE Exploited

🔒 CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551) as actively exploited and ordered federal agencies to patch within three days under BOD 22-01. The flaw is an untrusted data deserialization weakness that can enable unauthenticated remote command execution; SolarWinds released Web Help Desk 2026.1 on January 28 to address it. Administrators are urged to apply the patch immediately and verify affected systems.

Docker patches critical Ask Gordon AI 'DockerDash' flaw

🛡️ Researchers disclosed a critical prompt-injection flaw, codenamed DockerDash, that allowed malicious Docker image metadata to hijack the Ask Gordon AI assistant in Docker Desktop and the Docker CLI. The vulnerability, discovered by Noma Labs, could enable remote code execution or sensitive data exfiltration by treating unverified LABEL fields as executable instructions. Docker fixed the issue in Ask Gordon version 4.50.0 (November 2025). Administrators should upgrade and apply zero-trust validation to AI toolchains and MCP/Gateway integrations.

SQL Injection in Quiz and Survey Master Affects 40k Sites

🔒 A SQL injection vulnerability in the Quiz and Survey Master (QSM) WordPress plugin affected more than 40,000 sites running versions 10.3.1 and earlier. The flaw allowed any logged-in user with Subscriber-level privileges or higher to supply crafted input to a REST API parameter named is_linking, which was concatenated into a database query without sanitisation. Patchstack credited Doan Dinh Van for the report and QSM released version 10.3.2 to enforce integer casting (intval) and mitigate the issue; the defect is tracked as CVE-2025-67987. There is no public evidence of active exploitation, but the bug underscores risks from trusting request data and the need for prepared statements.

CISA: Synectix LAN 232 TRIO Unauthenticated Web Interface

🔒 The Synectix LAN 232 TRIO 3‑port serial-to-Ethernet adapter exposes its web management interface without requiring authentication, enabling unauthenticated actors to modify critical device settings or perform a factory reset. Tracked as CVE-2026-1633 and rated CVSS v3.1 10.0 (Critical), the product is end-of-life and Synectix is no longer in business, so firmware fixes are unavailable. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using up-to-date VPNs or other secure remote-access methods while operators pursue replacement or isolation of affected units.

Avation Light Engine Pro: Critical Missing Authentication

🛡️ Avation's Light Engine Pro devices expose configuration and control interfaces without authentication, tracked as CVE-2026-1341. Successful exploitation could allow an attacker to take full control of affected units. Avation has not responded to CISA's coordination request; users should contact the vendor and apply mitigations such as isolating devices from the internet, placing them behind firewalls, and using VPNs for remote access. CISA reports no public exploitation to date.

MOMA Seismic Station Authentication Bypass Vulnerability

⚠️ MOMA Seismic Station versions v2.4.2520 and earlier expose the device web management interface without requiring authentication, enabling unauthenticated actors to modify configuration, retrieve device data, or remotely reset the device. The vulnerability is tracked as CVE-2026-1632 and classified as Missing Authentication for Critical Function (CWE-306). CISA assigns a CRITICAL severity (CVSS v3.1 Base Score 9.1) and notes that RISS SRL did not provide a vendor-supplied patch in the advisory.

CISA Adds Four Known Exploited Vulnerabilities to KEV Catalog

🔒 CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog: CVE-2019-19006 (Sangoma FreePBX improper authentication), CVE-2021-39935 (GitLab SSRF), CVE-2025-40551 (SolarWinds Web Help Desk deserialization), and CVE-2025-64328 (Sangoma FreePBX OS command injection). Evidence indicates active exploitation and these issues pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by required deadlines. CISA strongly urges all organizations to prioritize timely remediation and will continue updating the catalog.

NCA and NatWest Warn Businesses of Invoice Fraud Risks

⚠️ NatWest and the UK's National Crime Agency (NCA) have launched a joint awareness campaign to highlight rising invoice fraud affecting businesses, including BEC and payment redirection. The initiative warns that fraudsters impersonate suppliers, intercept emails and pressure victims into urgent payments that are then diverted. The guidance is "Check, Verify, Never transfer": never transfer funds until payment details have been independently confirmed. The campaign also stresses that Accounts Payable and Finance teams are frequent targets of these schemes.

Microsoft Links Windows 11 Boot Failures to Dec 2025 Update

⚠️ Microsoft says recent Windows 11 boot failures following the January 2026 cumulative update are tied to earlier failed attempts to install the December 2025 security update, which left some systems in an "improper state." After applying KB5074109, affected devices showed a BSOD with stop error UNMOUNTABLE_BOOT_VOLUME. Microsoft is working on a partial resolution to prevent new no-boot cases, but it warns this fix will not repair devices already unable to boot or stop systems from entering the improper state. The company also says the issue appears limited to physical machines.

Ivanti warns of two critical EPMM zero-day flaws exploited

⚠ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.

Microsoft January 2026 Out-of-Band Office Update Patch

⚠️ Microsoft released three out-of-band updates in January 2026, including a security update addressing CVE-2026-21509 in Microsoft Office, which has reportedly been exploited in the wild. The vulnerability is rated Important with a CVSS 3.1 score of 7.8 and is considered local: it requires a user to open a malicious Office document or an attacker who already has access to the system. Microsoft notes the issue cannot be triggered via the Preview Pane and has published mitigation guidance. Talos published Snort and ClamAV detections and advises customers to apply the latest rules and SRU updates.