ciso brief

All news with #advisory tag

355 articles · page 8 of 18

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.

Microsoft issues emergency Office patch for zero-day

🔒 Microsoft has issued emergency out-of-band updates to patch a high-severity Office zero-day, tracked as CVE-2026-21509, which is being actively exploited. The vulnerability allows an unauthenticated local attacker to bypass Office security features by convincing a user to open a malicious file; Microsoft says the preview pane is not an attack vector. Updates cover Microsoft 365 Apps and Office LTSC 2021/2024; fixes for Office 2016 and 2019 are pending. Microsoft and reporting outlets published registry-based mitigations administrators can apply until official updates are available.

CISA Publishes PQC-Capable Product Categories List

🔐 CISA has published an initial list of hardware and software product categories that either support or are expected to support post-quantum cryptography (PQC) standards, following Executive Order 14306 issued on 6 June 2025. Compiled in collaboration with the NSA, the list covers cloud services, collaboration and web software, endpoint security and networking products, and is intended to guide procurement and risk planning as organizations prepare for quantum threats.

CISA Adds Five Known Exploited Vulnerabilities to Catalog

⚠️ CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, affecting Linux Kernel, SmarterMail, Microsoft Office, and GNU InetUtils. The newly listed CVEs are CVE-2018-14634, CVE-2025-52691, CVE-2026-21509, CVE-2026-23760, and CVE-2026-24061 and represent frequent attack vectors that pose significant risks to federal and enterprise environments. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by required due dates, and CISA urges all organizations to prioritize timely remediation as part of vulnerability management.

Schneider Electric EcoStruxure Privilege Escalation Fix

⚠️ Schneider Electric has issued a fix for a local privilege escalation vulnerability in EcoStruxure Process Expert (CVE-2025-13905) caused by incorrect default permissions. An attacker with local access could modify executable service binaries and gain elevated privileges when services restart. Version 2025 contains the vendor fix; interim mitigations include application whitelisting and restricting privileged accounts.

AutomationDirect CLICK PLC Password Storage Vulnerabilities

🔒 AutomationDirect reported two vulnerabilities in CLICK Programmable Logic Controllers (PLCs) — CVE-2025-67652 and CVE-2025-25051 — that expose stored credentials and weak encoding. Both issues carry a CVSS 3.1 base score of 6.1 (Medium) and affect C0-0x, C0-1x, and C2-x product versions. AutomationDirect recommends updating CLICK PLUS and PLC firmware to V3.90; until the update can be applied, implement compensating controls such as network isolation, restricted access, application whitelisting, and enhanced logging and monitoring. CISA notes these vulnerabilities are not exploitable remotely and no public exploitation has been reported.

Rockwell CompactLogix 5370 DoS Vulnerability Advisory

⚠️ Rockwell Automation's CompactLogix 5370 controllers are affected by a denial-of-service vulnerability (CVE-2025-11743) that can produce a major nonrecoverable fault requiring a restart. The issue is triggered by a malformed CIP Forward Open message and has a CVSS v3.1 base score of 6.5. Affected versions include <=34.013, <=35.012, and 36.011; fixed releases include 37.011, 34.016, 35.015, and 36.012. Rockwell reported the issue to CISA; no known public exploitation has been reported and CISA notes the vulnerability is not exploitable remotely. Users unable to upgrade should follow security best practices to limit exposure.

EVMAPA EV Charging Stations: Critical Authentication Flaws

🔒 CISA warns of multiple high-severity vulnerabilities in EVMAPA electric vehicle charging station software, including missing authentication on a WebSocket endpoint (CVE-2025-54816), unlimited authentication attempts (CVE-2025-53968), and insufficient session expiration (CVE-2025-55705). Exploitation could enable unauthorized remote command execution, spoofing of station statuses, or denial-of-service, with a top CVSS score of 9.4. Vendor responses vary: EVMAPA plans BASIC auth for OCPP 2.x, uses WSS and vendor VPN for some deployments, and reports one issue has been fixed.

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.

DIAView Command Injection Advisory — CVE-2026-0975

⚠️ DIAView contains a command injection vulnerability (CVE-2026-0975) that allows project scripts to execute shell commands when a malicious project is opened. Successful exploitation can result in arbitrary code execution on affected installations of Delta Electronics DIAView version 4.2.0. Delta recommends updating to DIAView v4.4 or later and following defensive measures such as isolating control networks, avoiding untrusted files or links, and using secure remote access methods.

LastPass Warns Users of Fake Maintenance Phishing Campaign

🔔 LastPass is warning users about an active phishing campaign observed from around January 19, 2026, that impersonates the service and urges users to create local backups within 24 hours to harvest master passwords. The messages route recipients through a staged AWS S3 URL that then redirects to a fraudulent domain (mail-lastpass[.]com) and originate from several spoofed support addresses. LastPass said it will never ask for master passwords and is working with partners to take down the malicious infrastructure while urging users to report suspicious messages.

ACME HTTP-01 Path Flaw Temporarily Disabled WAF Rules

🔒 Cloudflare patched a logic flaw in its ACME HTTP-01 handling that could disable certain WAF protections for specific challenge paths. The issue was reported by researchers from FearsOff through Cloudflare’s bug bounty program on October 13, 2025, and affected requests to /.well-known/acme-challenge/*. In some cases, challenge requests could reach customer origins when they should have been blocked because WAF features were incorrectly disabled. Cloudflare implemented a code change to ensure WAF disabling only occurs when Cloudflare will serve a valid ACME challenge response; no customer action is required and there is no known abuse.

Critical Fortinet FortiSIEM Flaw Now Exploited in Attacks

⚠️ Researchers disclosed that a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) with public proof-of-concept code is being abused in active attacks. Horizon3.ai described the issue as an unauthenticated OS command injection via exposed phMonitor command handlers that enables arbitrary writes and escalation to root, and Fortinet released security updates plus a port-restriction workaround for phMonitor (7900). Administrators should upgrade affected FortiSIEM versions 6.7 through 7.5 to the patched releases and review phMonitor logs for indicators of compromise.

Cisco Patches AsyncOS Zero-Day Targeting SEG/SEWM Appliances

🔒 Cisco has released a fix for a maximum-severity AsyncOS zero-day (CVE-2025-20393) that has been exploited since November 2025. The flaw impacts Cisco Secure Email Gateway and Secure Email and Web Manager appliances with non-standard configurations when the Spam Quarantine feature is exposed to the internet, permitting arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its known exploited vulnerabilities catalog and ordered federal remediation under BOD 22-01.

RondoDox Botnet Escalates Exploitation of HPE OneView

⚠️ Check Point Research links the Linux-based RondoDox botnet to a coordinated exploitation campaign against HPE OneView, leveraging the critical RCE flaw CVE-2025-37164. The vulnerability, published to the NVD on 16 December 2025 and rated CVSS 3.1 = 10 by HPE, has been the subject of tens of thousands of automated attack attempts. Check Point reported blocking more than 40,000 hits on 7 January 2026 and urged organizations to patch immediately and implement compensating controls.

Windows 11 23H2 Shutdown Issue After January Security Update

⚠️ Microsoft has confirmed that the January 13, 2026 cumulative update (KB5073455) can prevent some Windows 11, version 23H2 devices with System Guard Secure Launch enabled from shutting down or entering hibernation, causing them to restart instead. The issue is limited to Enterprise and IoT editions where the update is offered. Microsoft recommends the temporary workaround shutdown /s /t 0 for shutdowns and warns there is currently no hibernation workaround. Users should save work and perform manual shutdowns to avoid battery drain.

Cisco patches critical AsyncOS RCE exploited by APT

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.

Reprompt: One-click exfiltration via Microsoft Copilot

🔐 Researchers at Varonis Threat Labs uncovered 'Reprompt', a one-click attack that abuses Microsoft Copilot Personal by embedding prompts in URLs and using follow-up server requests to exfiltrate data. It combines a URL 'q' parameter injection, a double-request bypass of initial sanitization, and chained server instructions to siphon conversation history and files without further user interaction. Microsoft issued a patch; organizations should treat prefilled prompts as untrusted and enforce continuous authentication, least privilege, prompt hygiene, auditing, and anomaly detection.

Palo Alto patches PAN-OS after new DoS flaw revealed

🔒 Palo Alto Networks has released patches for PAN-OS after a researcher disclosed CVE-2026-0227, a high-severity (CVSS 7.7) vulnerability in GlobalProtect gateway and portal components that can trigger a denial-of-service and force affected firewalls into maintenance mode. The vendor reports no known in-the-wild exploitation but acknowledges proof-of-concept code exists. Prisma Access customers have largely been upgraded; on-premises NGFWs must apply vendor updates per the posted remediation table. There are no official workarounds; temporarily disabling the VPN interface may reduce risk while patching.

Modular DS WordPress Flaw Lets Attackers Gain Admin

🔒 Hackers are actively exploiting a maximum-severity authentication bypass in the Modular DS WordPress plugin (CVE-2026-23550) to gain admin-level access on vulnerable installs. The flaw affects versions 2.5.1 and earlier and was first observed in the wild on January 13; the vendor released a fix in version 2.5.2 shortly after disclosure. Site owners should update immediately, review server logs, verify admin accounts, and regenerate WordPress salts after patching.