< ciso
brief />
Tag Banner

All news with #authentication bypass tag

344 articles

CISA directs rapid patching of Langflow auth bypass

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to urgently patch an actively exploited Langflow authentication bypass (CVE-2026-55255) that lets authenticated actors access other users' flows by abusing the /api/v1/responses endpoint with a victim's UUID. First observed in the wild by Sysdig on June 25, attackers sought code execution, implants, compute and credentials. CISA added the flaw to its Known Exploited Vulnerabilities Catalog and required FCEB remediation under BOD 26-04 by Friday.
read more β†’

CISA Adds Four Newly Exploited Vulnerabilities

πŸ›‘οΈ The US Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities catalog, citing active exploitation. The flaws include critical Adobe ColdFusion path traversal (CVE-2026-48282), Joomlack Page Builder improper access control (CVE-2026-56290), Langflow authorization bypass (CVE-2026-55255), and JoomShaper SP Page Builder unrestricted file upload (CVE-2026-48908). Exploitation observed ranged from immediate post-disclosure attacks to targeted campaigns stealing credentials and deploying web shells. Agencies are urged to apply patches by July 10, 2026.
read more β†’

Undocumented backdoor in Tenda router firmware exposed

πŸ”’ CERT/CC warns that an undocumented authentication backdoor in multiple Tenda router firmware versions (CVE-2026-11405) can grant administrative access via an alternate plaintext password stored in sys.rzadmin.password. The backdoor bypasses normal MD5 authentication in the '/bin/httpd' login() function, accepting any username if the backdoor password is supplied. No patch is available and Tenda could not be reached; users are advised to disable remote web management and restrict LAN exposure.
read more β†’

BeyondTrust patches critical remote access authentication flaws

πŸ”’ BeyondTrust has issued urgent patches for critical authentication flaws affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Two pre-authentication vulnerabilities (CVE-2026-40138 and CVE-2026-40139) could allow attackers to bypass access controls under specific authentication configurations. Additional high-severity issues (CVE-2026-40140 and CVE-2026-40141) address potential denial-of-service and restricted-resource access. Cloud instances were patched on April 21, 2026; self-hosted customers must apply the April security rollup or upgrade to RS/PRA 25.3.3+.
read more β†’

CERT/CC warns of hidden admin backdoor in Tenda

πŸ”’ The CERT Coordination Center (CERT/CC) has disclosed that multiple Tenda router firmware versions contain an undocumented authentication backdoor (CVE-2026-11405) that allows attackers to bypass password checks and gain administrative access. The backdoor resides in the login() function of the /bin/httpd binary and compares a submitted password to a configuration-stored value obtained via GetValue("sys.rzadmin.password"). Any username is accepted when the backdoor password matches, enabling full device takeover. Users should disable remote management and change default LAN IPs while a patch is pending.
read more β†’

BeyondTrust issues critical authentication patches

πŸ”’ BeyondTrust released updates to address multiple critical vulnerabilities in its Remote Support (RS) and Privileged Remote Access (PRA) products. The flaws include pre-authentication authentication-bypass and input-validation issues that could allow unauthenticated attackers to gain elevated access or cause denial-of-service. Fixes are available in RS/PRA 25.3.3 and later; users are urged to patch promptly.
read more β†’

Why CAPTCHAs are Disappearing from the Web

πŸ” CAPTCHAs began as distorted text and audio tests but have evolved into image challenges and now experimental gesture videos as AI improves. Google’s new hand-gesture approach records brief camera footage to verify 21 hand key points, raising privacy concerns despite reassurances about data handling. Alternative defenses include behavioral analysis, Cloudflare Turnstile, and hCaptcha, while passkeys offer a passwordless path that can reduce the need for human checks.
read more β†’

Threat actors scan for Gitea Docker authentication flaw

πŸ” Security researchers report that threat actors have started probing a critical Gitea Docker image vulnerability, CVE-2026-20896 (CVSS 9.8). The flaw arises because the official Docker image sets REVERSE_PROXY_TRUSTED_PROXIES = * by default, allowing unauthenticated clients to send an X-WEBAUTH-USER header and gain elevated access when reverse-proxy authentication is enabled. Gitea patched the issue in version 1.26.3 by removing the wildcard and making reverse-proxy authentication opt-in, and Sysdig observed initial exploitation attempts shortly after disclosure.
read more β†’

Argo CD flaw highlights GitOps as tier-zero risk

πŸ”’ A critical vulnerability in Argo CD repo-server exposes risks inherent to GitOps platforms. Synacktiv found the unauthenticated GenerateManifest gRPC endpoint can be abused via Kustomize/Helm options to execute commands if an attacker can reach both the repo-server and Redis ports. The issue affects typical Helm deployments where Kubernetes network policies are not enabled by default, enabling lateral movement from a compromised pod. Synacktiv disclosed details July 1, 2026 and recommends strict network segmentation until a patch is available.
read more β†’

Critical SimpleHelp RMM authentication bypass exploited

πŸ”’ A critical authentication bypass in SimpleHelp's RMM software was exploited to forge a technician login token and deliver two previously unseen malware families. Researchers at Blackpoint Cyber found the flaw (CVE-2026-48558) allowed unauthenticated token forgery by skipping cryptographic signature checks in OpenID Connect. Attackers abused built-in file transfer and remote execution to deploy a Node.js loader named TaskWeaver and a cross-platform stealer called Djinn Stealer. The vulnerability received a CVSS score of 10 and was patched in late May; CISA added it to KEV on June 29.
read more β†’

Critical Oracle E‑Business Suite Flaw Actively Exploited

πŸ”’ A critical authentication and privilege-management vulnerability, tracked as CVE-2026-46817 (CVSS 9.8), affects Oracle Payments in E‑Business Suite versions 12.2.3 through 12.2.15 and has been observed under active exploitation. Patches were released in Oracle's last Critical Security Patch Update, but Defused Cyber reported exploitation against their honeypots and noted no prior public PoC. Details about the attack method, attribution, and campaign scope remain unknown, while experts urge rapid incident response and patching.
read more β†’

DifyTap vulnerabilities expose cross-tenant AI data

πŸ›‘οΈ Cybersecurity researchers disclosed four vulnerabilities in Dify, an open-source agentic workflow platform, that could let attackers read AI conversations across tenants without authentication. Codenamed DifyTap by Zafran Security, two flaws are critical and three enable cross-tenant impact on Dify's multi-tenant cloud service. Issues include authorization bypasses, path traversal to internal Plugin Daemon APIs, and file preview leaks. Patches were released in v1.14.2 for all but one flaw, with the remaining fix forthcoming.
read more β†’

Apple patches Beats Studio Buds high-severity bug

πŸ”’ Apple released a Beats Firmware Update (1B211) to address a high-severity Bluetooth authorization flaw (CVE-2025-20701, CVSS 8.8) in the Airoha audio SDK that could allow attackers within Bluetooth range to pair and eavesdrop without user consent. The issue, reported by ERNW researchers in 2025 alongside related Airoha SoC flaws, enables remote privilege escalation and unauthorized microphone access. Apple’s advisory confirms the risk and the firmware update resolves the vulnerability.
read more β†’

Apple patches Beats Studio Buds eavesdropping flaw

πŸ”’ Apple released a security update to fix a high-severity vulnerability in Beats Studio Buds that could let attackers within Bluetooth range listen through an unpaired device's microphone. The flaw (CVE-2025-20701) was found in Airoha SoC open-source code and disclosed by ERNW researchers at TROOPERS. Apple deployed Beats Firmware Update 1B211, which installs automatically when paired and in range; users can verify the firmware via Bluetooth settings. Chained with related CVEs, attackers could hijack HFP connections to issue phone commands or access contacts, though practical attacks are complex and require proximity.
read more β†’

Multiple authentication and crash issues in industrial historian

πŸ”’ Rockwell Automation's FactoryTalk Historian Site Edition and related AVEVA PI Data Archive components contain vulnerabilities that can allow authentication bypass, denial of service, or crashes. Race conditions (CWE-362) and uncaught exceptions (CWE-248) are cited; repeated login requests may yield valid tokens. Vendors provide mitigations and patches; CISA urges network segmentation, restricted access, and defensive best practices.
read more β†’

AVer PTC Camera Remote Code Execution Advisory

πŸ”’ AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras contain an input validation flaw that could permit unauthenticated remote arbitrary code execution via a crafted web request. Affected devices are rated CVSS v3 9.8 and relate to CWE-552 Files or Directories Accessible to External Parties. AVer has released firmware to address the issue and CISA advises minimizing network exposure, placing devices behind firewalls, and using secure remote access methods such as updated VPNs.
read more β†’

Rockwell FLEX I/O EtherNet/IP Adapter Flaws Fixed

πŸ”’ Rockwell Automation FLEX I/O EtherNet/IP adapters (1794-AENTR) contain vulnerabilities that could enable unauthorized access, account takeover, and denial-of-service. A memory-handling flaw in CIP request processing may cause adapter faults and loss of I/O connectivity, while an embedded web server issue allows unauthenticated password changes via a crafted HTTP GET. Rockwell recommends updating to firmware 2.013 to remediate these issues.
read more β†’

Critical OIDC flaw lets attackers add SimpleHelp technicians

πŸ”’ A critical vulnerability (CVE-2026-48558) in SimpleHelp allows unauthenticated actors to create privileged Technician accounts when OIDC authentication is enabled. Researchers at Horizon3.ai attribute the issue to improper validation of identity assertions from OIDC identity providers. The vendor released fixes in versions 5.5.16 and 6.0RC2 on June 9, and mitigations include IP allowlists and monitoring for suspicious technician registrations.
read more β†’

Palo Alto Warns of Active Exploitation of PAN‑OS Bug

πŸ”’ Palo Alto Networks has observed active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS affecting GlobalProtect portal and gateway components that can enable unauthorized VPN connections. Initial in-the-wild activity was seen on May 17, 2026, though the threat actor remains unidentified. The company provided IoCs and urges customers to search GlobalProtect logs for gateway-connected events and specific client configuration indicators.
read more β†’

phpBB fixes decade-old authentication bypass

πŸ”’ Researchers discovered a 10-year-old authentication bypass in phpBB that allows logging in as any user, including administrators. The flaw affects versions 4.0.0-a2 and 3.3.16 and below and can be exploited with a single HTTP request on default configurations. Aikido reported the issue on June 2 and phpBB patched it in version 3.3.17 on June 6; 4.x users must await a safe release.
read more β†’