< ciso
brief />
Tag Banner

All news with #authentication bypass tag

344 articles · page 10 of 18

Two Critical Sandbox Escapes in n8n AI Lead to Full Takeover

🔒 Pillar Security identified two maximum-severity sandbox escape vulnerabilities in the n8n workflow automation platform that allow any authenticated user to gain full server control and exfiltrate stored credentials (API keys, cloud keys, database passwords and OAuth tokens) on both self-hosted and cloud instances. The first flaw was patched by n8n, but researchers found a bypass within 24 hours, prompting the vendor to release n8n v2.4.0 in January 2026. Immediate mitigation steps include upgrading to 2.4.0, rotating the n8n encryption key and all stored credentials, auditing workflows for suspicious expressions and monitoring AI-related outbound activity.
read more →

CISA: Synectix LAN 232 TRIO Unauthenticated Web Interface

🔒 The Synectix LAN 232 TRIO 3‑port serial-to-Ethernet adapter exposes its web management interface without requiring authentication, enabling unauthenticated actors to modify critical device settings or perform a factory reset. Tracked as CVE-2026-1633 and rated CVSS v3.1 10.0 (Critical), the product is end-of-life and Synectix is no longer in business, so firmware fixes are unavailable. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using up-to-date VPNs or other secure remote-access methods while operators pursue replacement or isolation of affected units.
read more →

Avation Light Engine Pro: Critical Missing Authentication

🛡️ Avation's Light Engine Pro devices expose configuration and control interfaces without authentication, tracked as CVE-2026-1341. Successful exploitation could allow an attacker to take full control of affected units. Avation has not responded to CISA's coordination request; users should contact the vendor and apply mitigations such as isolating devices from the internet, placing them behind firewalls, and using VPNs for remote access. CISA reports no public exploitation to date.
read more →

MOMA Seismic Station Authentication Bypass Vulnerability

⚠️ MOMA Seismic Station versions v2.4.2520 and earlier expose the device web management interface without requiring authentication, enabling unauthenticated actors to modify configuration, retrieve device data, or remotely reset the device. The vulnerability is tracked as CVE-2026-1632 and classified as Missing Authentication for Critical Function (CWE-306). CISA assigns a CRITICAL severity (CVSS v3.1 Base Score 9.1) and notes that RISS SRL did not provide a vendor-supplied patch in the advisory.
read more →

Microsoft to Disable NTLM Authentication by Default in Windows

🔒 Microsoft has moved the long-planned phase-out of NTLM into a default-disable posture for Windows 11 and Windows Server. Introduced in the 1990s and largely superseded by Kerberos since Windows 2000, NTLM still appears in many legacy enterprise systems and enables attacks such as NTLM relay. Administrators have been preparing for years, but Microsoft now considers NTLM deprecated and has published a timetable for deactivation to help organizations plan.
read more →

Microsoft Begins Three-Stage NTLM Phase-Out Plan for Windows

🔒 Microsoft announced a three-stage plan to make NTLM disabled by default and move Windows environments to stronger, Kerberos-based authentication. Phase 1 (available now) introduces enhanced NTLM auditing to identify where legacy authentication is used. Phase 2 (pre-release) will address migration blockers with features such as IAKerb and a Local KDC and update core Windows components to prefer Kerberos (targeted H2 2026). Phase 3 will ship NTLM disabled by default in the next Windows Server and associated client, with policy controls to explicitly re-enable legacy behavior.
read more →

Researcher Shows Private Instagram Profiles Leaking

🔍 A security researcher published evidence that some Instagram private profiles returned links to user photos and captions inside the page HTML, making them visible to unauthenticated visitors on certain mobile devices. Researcher Jatin Banga showed the polaris_timeline_connection JSON object embedded encoded CDN links pointing to images that should have been private. In tests of private accounts he controlled or had permission to use, about 28% exposed captions and CDN links. Banga reported the issue to Meta on October 12, 2025; Meta later closed the report as "not applicable" and did not provide a root-cause analysis, though the behavior ceased roughly October 16.
read more →

KiloView Encoder Series: Missing Auth (CVE-2026-1453)

⚠️ CISA warns of a critical Missing Authentication for Critical Function vulnerability (CVE-2026-1453) in KiloView Encoder Series devices that could let an unauthenticated attacker create or delete administrator accounts and gain full administrative control. Multiple E1, E1-s, E2, G1, P1, P2 and RE1 hardware and firmware builds are affected. No public exploitation has been reported to CISA, and KiloView has not engaged with CISA; users should minimize network exposure, ensure devices are not directly reachable from the Internet, and contact KiloView support for guidance.
read more →

Google strengthens Android theft protection features

🔒 Google has introduced stronger authentication safeguards and enhanced recovery tools to make smartphones harder targets for thieves. The update adds granular controls for Failed Authentication Lock, expands Identity Check to protect all apps using the Android Biometric Prompt (including Google Password Manager and third‑party banking apps), and introduces longer lockout times to slow guessing attempts. Remote Lock now offers an optional security challenge to verify ownership, and for new devices in Brazil Google will enable Theft Detection Lock and Remote Lock by default. Authentication safeguards require Android 16+; recovery tools require Android 10+.
read more →

SolarWinds Fixes Critical Web Help Desk Vulnerabilities

⚠️ SolarWinds has released updates for Web Help Desk to address multiple high‑severity vulnerabilities, including four critical flaws that can enable authentication bypass and remote code execution. Affected issues include deserialization and hard‑coded credential bugs tracked as CVE‑2025‑40536 through CVE‑2025‑40554. Rapid7 highlights that the deserialization flaws are particularly exploitable without authentication. SolarWinds fixed the issues in WHD 2026.1 and customers are urged to upgrade immediately.
read more →

SolarWinds WHD Critical RCE and Auth Bypass Flaws Revealed

⚠️ SolarWinds has issued emergency updates for Web Help Desk (WHD) to patch six vulnerabilities—four rated critical—that include unauthenticated data deserialization RCEs and authentication bypasses. Researchers from watchTowr and Horizon3.ai disclosed the flaws, which could let attackers execute commands, access protected functions, or leverage hardcoded credentials. Administrators should upgrade to WHD 2026.1 immediately and investigate any anomalous activity on affected servers.
read more →

SolarWinds Patches Critical Web Help Desk RCE and Bypass

🔒 SolarWinds released updates for Web Help Desk to address critical authentication bypass and remote code execution vulnerabilities, including CVE-2025-40551, CVE-2025-40552 and CVE-2025-40553. Reported by researchers at watchTowr and Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication and execute commands via deserialization and other vectors. Administrators should upgrade to Web Help Desk 2026.1 immediately to mitigate risk.
read more →

Fortinet guidance: ongoing CVE-2026-24858 SSO bypass

🔒 Fortinet released guidance after disclosure of CVE-2026-24858, an authentication bypass in FortiCloud single sign-on (SSO) that can allow an attacker with a FortiCloud account to access devices registered to other users. The flaw affects multiple products including FortiOS, FortiManager, FortiWeb, FortiProxy, and FortiAnalyzer. Fortinet temporarily disabled FortiCloud SSO on Jan. 26, 2026 and restored the service with mitigations on Jan. 27; CISA added the CVE to its KEV Catalog and urges operators to check for indicators of compromise and apply vendor updates immediately.
read more →

WhatsApp Launches Strict Account Settings Lockdown

🔒 Meta has begun rolling out a new WhatsApp feature called Strict Account Settings that provides lockdown-style protections for journalists, public figures, and other high-risk users. The option, enabled only from a user's primary device under Settings > Privacy > Advanced, enforces the strictest privacy controls, including mandatory two-step verification and blocking media and calls from unknown senders. It also hides profile data, disables link previews, and limits features that could expose users to sophisticated spyware. Meta said the feature is intended for the small number of users who face targeted, high-risk campaigns.
read more →

Critical FortiCloud SSO Zero-Day Forces Emergency Fix

⚠️ Fortinet disclosed a critical authentication-bypass zero-day (CVE-2026-24858) that affects FortiCloud SSO and can let attackers compromise FortiGate, FortiManager, and FortiAnalyzer devices. The vendor temporarily disabled FortiCloud SSO globally on Jan 26 to stop active exploitation and re-enabled it Jan 27 with server-side blocking that prevents logins from vulnerable firmware. FortiOS 7.4.11 is available and additional patched releases are being rolled out; most fixes are still listed as "upcoming."
read more →

Fortinet fixes FortiOS SSO bypass in active exploitation

🔒 Fortinet has released security updates to address a critical authentication bypass (CVE-2026-24858) affecting FortiOS, FortiManager, and FortiAnalyzer. The flaw allows a FortiCloud account with a registered device to access other devices when FortiCloud SSO is enabled, enabling creation of local admin accounts and configuration changes. Fortinet locked malicious FortiCloud accounts, temporarily disabled SSO, and urges customers to update firmware, audit configurations, and rotate credentials.
read more →

Fortinet blocks exploited FortiCloud SSO zero-day; patch due

🔒 Fortinet confirmed a critical FortiCloud SSO authentication bypass (CVE-2026-24858) actively exploited to gain administrative access to customer devices. The company has implemented server-side mitigations that block SSO logins from vulnerable firmware versions while patches for FortiOS, FortiManager, and FortiAnalyzer are developed. Administrators are advised to review accounts and credentials; disabling SSO remains an optional mitigation.
read more →

6,000+ SmarterMail Servers Exposed to Hijacking Attacks

🔒 Shadowserver has identified over 6,000 internet-exposed SmarterMail servers likely vulnerable to a critical authentication bypass that enables unauthenticated attackers to hijack administrator accounts. The issue was reported to SmarterTools on January 8 and patched in build 9511 on January 15; it was later assigned CVE-2026-23760. A permissive force-reset-password endpoint accepts anonymous requests and fails to verify the existing password or a reset token, allowing an attacker who knows an administrator username to reset credentials and achieve full administrative compromise and potential remote code execution. Organizations should confirm they have applied the vendor update or recommended mitigations and audit logs for unauthorized resets or other indicators of compromise.
read more →

CISA Adds Fortinet Authentication Bypass CVE to KEV Catalog

🔒 CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities (KEV) Catalog for a Fortinet Multiple Products Authentication Bypass that leverages an alternate path or channel. The agency reports evidence of active exploitation and characterizes this class of flaw as a frequent and serious attack vector. Under BOD 22-01, federal agencies must remediate KEV entries by their due dates; CISA strongly urges all organizations to prioritize timely remediation, apply vendor patches, implement compensating controls, and monitor for indicators of compromise.
read more →

Fortinet confirms new zero-day targeting SAML SSO on devices

🔒 Fortinet has confirmed a new attack campaign that exploits an unpatched zero-day vulnerability to bypass authentication across SAML SSO implementations, including FortiCloud SSO. The activity, observed in mid-January, involves extraction of firewall configurations and creation of administrative and VPN-capable accounts. Fortinet is working on a fix and recommends updating to the latest releases, restoring clean backups, rotating all credentials, disabling FortiCloud SSO administrative logins, and restricting administrative access to trusted subnets.
read more →