< ciso
brief />
Tag Banner

All news with #arbitrary file write tag

17 articles

GhostApproval symlink flaw lets agents overwrite files

🛡️ Researchers at Wiz disclosed GhostApproval, a symlink-based flaw in six AI coding assistants that can trick an approval prompt into writing to sensitive files. The attack uses a repository with a symlink pointing to targets like ~/.ssh/authorized_keys or ~/.zshrc; the assistant asks to edit an innocuous file but writes to the real destination. Three tools have fixes, two are still unpatched, and Anthropic disputes the classification as a bug.
read more →

Cisco SD‑WAN flaw highlights management‑plane risk

🔒 Cisco has issued patches for a vulnerability in Cisco Catalyst SD‑WAN Manager that allowed authenticated users with write access to create or overwrite files via a flawed file upload API, potentially enabling later privilege escalation to root. The flaw, tracked as CVE‑2026‑20262, affected all deployment types and had been subject to limited exploitation; Cisco advised upgrading to fixed releases and reviewing logs for suspicious uploads such as index.jsp and .war files. Analysts warn that compromise of the management plane can lead to network‑wide control‑plane impact and recommend isolating, hardening, and tightly monitoring SD‑WAN managers as Tier‑0 assets.
read more →

Cisco issues patches for SD‑WAN file upload flaw

🔒 Cisco has released updates fixing a medium‑severity flaw in Cisco Catalyst SD‑WAN Manager (CVE‑2026‑20262) that is being actively exploited. The bug allows an authenticated attacker with write access to create or overwrite files via a vulnerable web UI file upload API, which can be leveraged to escalate privileges. Affected on‑prem and cloud SD‑WAN deployments have fixes available across multiple release tracks; customers are urged to apply patches and audit logs for suspicious WAR uploads.
read more →

Path traversal in Langflow exploited to write files

🛡️ A high-severity path traversal flaw (CVE-2026-5027) in the AI development platform Langflow is being actively exploited to write arbitrary files to exposed servers. Tenable discovered the issue, which stems from unsanitized filenames in the POST /api/v2/files endpoint, and disclosed it on March 27, 2026. Patches were released in langflow-base 0.8.3 and Langflow 1.9.0, and users are urged to upgrade to version 1.10.0.
read more →

Critical Everest Forms Pro Flaw Lets Site Takeover

⚠️ A critical vulnerability (CVE-2026-3300) in Everest Forms Pro versions 1.9.12 and earlier allows unauthenticated attackers to execute arbitrary PHP on affected WordPress sites via the plugin's Complex Calculation feature. The issue stems from user-supplied values being inserted into an eval() string without properly escaping single quotes, enabling code injection. Wordfence telemetry shows active exploitation creating rogue administrator accounts, and a patch was issued by the developer on March 18.
read more →

Siemens ROS# Path Traversal Vulnerability — Update to 2.2.2

🔒 A path traversal flaw exists in the ROS# file_server prior to 2.2.2, allowing attackers to read and write arbitrary files accessible to the account running the service. The issue arises from improper input sanitization and is tracked as CWE-23 with a CVSS v3 score of 9.1. Siemens released 2.2.2 as the vendor fix and recommends immediate updates. Temporary mitigations include running the service only on trusted networks and with restricted user rights.
read more →

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.
read more →

GIGABYTE Control Center has critical file-write flaw

⚠️ The GIGABYTE Control Center contains a critical arbitrary file-write vulnerability (CVE-2026-4415) affecting versions 25.07.21.01 and earlier when the pairing feature is enabled. Taiwan's CERT warns unauthenticated remote attackers could write files anywhere on the underlying OS, enabling arbitrary code execution, privilege escalation, or denial-of-service. GIGABYTE released version 25.12.10.01 with fixes for download path management, message processing, and command encryption and strongly advises immediate upgrade; users should obtain installers only from the vendor portal to avoid trojanized packages.
read more →

Unauthenticated File-Upload Flaw in Ceragon Siklu Devices

⚠️ A vulnerability in Ceragon / Siklu EtherHaul and MultiHaul microwave antennas allows unauthenticated uploads to any writable path via the rfpiped service on TCP port 555. File metadata uses weak encryption while file contents are transmitted in cleartext, and no authentication or path validation is performed. The issue is tracked as CVE-2025-57176 with a CVSS v3.1 base score of 5.3. Vendor firmware updates are available and should be applied promptly.
read more →

Cisco Flags More Catalyst SD-WAN Flaws as Actively Exploited

🔔 Cisco has warned that two additional Catalyst SD-WAN Manager vulnerabilities — a high-severity arbitrary file overwrite (CVE-2026-20122) and a medium-severity information disclosure flaw (CVE-2026-20128) — are being actively exploited. The file-overwrite vulnerability can be triggered remotely by attackers with valid read-only API credentials; the information-disclosure issue requires local vManage credentials. Cisco says the flaws affect the software regardless of device configuration and urges administrators to upgrade to fixed releases immediately.
read more →

RealHomes CRM Plugin Flaw Patched After Site Takeovers

⚠️ A critical flaw in the RealHomes CRM WordPress plugin—bundled with the widely used RealHomes theme and present on more than 30,000 sites—allowed any logged-in user with Subscriber access or higher to upload arbitrary files via a CSV import. Assigned CVE-2025-67968, the bug affected versions 1.0.0 and earlier and could lead to full site takeover. Developers released v1.0.1, adding a current_user_can check and file-type validation via wp_check_filetype; users should update immediately.
read more →

Critical AdonisJS bodyparser Path Traversal Risks File Write

🚨 Maintainers of @adonisjs/bodyparser urge immediate updates after disclosure of CVE-2026-21440, a critical path traversal flaw that can enable attackers to write arbitrary files via unsanitized multipart filenames. The vulnerability stems from MultipartFile.move(location, options) defaulting to client-supplied names when the options.name is omitted. Exploitation requires a reachable upload endpoint and can lead to file overwrite and possible RCE depending on deployment, filesystem permissions, and overwrite settings.
read more →

CISA Adds One Vulnerability to Known Exploited Catalog

🔒 CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The listed issue, CVE-2018-4063, affects Sierra Wireless AirLink ALEOS and involves an unrestricted upload of files with dangerous types, a common attack vector. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by prescribed deadlines, and CISA urges all organizations to prioritize timely remediation to reduce exposure.
read more →

Unpatched Gogs Zero-Day Actively Exploited on 700+ Hosts

⚠️ A high-severity unpatched vulnerability in Gogs (tracked as CVE-2025-8110, CVSS 8.7) is under active exploitation, with Wiz reporting more than 700 compromised internet-facing instances. The flaw is a file-overwrite bug in the PutContents API that mishandles symbolic links, enabling attackers to overwrite arbitrary files and achieve local code execution. A vendor fix is reportedly in development; operators should disable open registration, limit exposure, and scan for randomly named repositories.
read more →

Critical Flaws in King Addons for Elementor Risk Takeover

⚠️ King Addons for Elementor, installed on over 10,000 WordPress sites, contains two unauthenticated critical vulnerabilities that can enable full site takeover. Patchstack identified an arbitrary file upload (CVE-2025-6327) and a registration-based privilege escalation (CVE-2025-6325) that allow remote attackers to place files in web-accessible directories and create administrative accounts. The vendor released version 51.1.37 to add a role allowlist, input sanitization, upload permission checks and stricter file-type validation — administrators should update immediately and verify whether the 'King Addons Login | Register Form' widget is active.
read more →

CrowdStrike Falcon Blocks Git Vulnerability CVE-2025-48384

🔒 CrowdStrike has identified active exploitation of Git vulnerability CVE-2025-48384 and confirms that Falcon detections can block the observed attack chain. The vulnerability, which affects macOS and Linux, arises from inconsistent handling of carriage return characters in configuration and submodule path parsing and can enable arbitrary file writes during a recursive clone. Observed attacks combined social engineering with malicious repositories that place crafted .gitmodules entries and submodule hooks to execute post-checkout scripts. CrowdStrike urges organizations to patch Git, enable layered protections, deploy provided detection rules and hunting queries, and use Falcon Insight XDR prevention settings to reduce exposure.
read more →

Schneider Electric SESU Link-Following Flaw CVE-2025-5296

⚠ Schneider Electric has released an update addressing a link‑following vulnerability (CVE‑2025‑5296) in SESU that could allow an authenticated, low‑privileged actor to write arbitrary data to protected locations. The issue, rated CVSS v3.1 base score 7.3, affects SESU versions prior to 3.0.12 and numerous Schneider Electric products that bundle SESU. Version 3.0.12 contains the fix; apply the update or restrict access to the installation directory and follow CISA mitigation guidance.
read more →