< ciso
brief />
Tag Banner

All news with #authentication bypass tag

344 articles · page 11 of 18

Critical Telnetd Auth Bypass in GNU InetUtils Exploited

⚠️ A coordinated campaign is exploiting a critical authentication-bypass flaw in the GNU InetUtils telnetd server, tracked as CVE-2026-24061. The bug, present since 2015, lets attackers set the USER environment variable (for example USER=-f root) to bypass /usr/bin/login and obtain a root shell. Patches are in InetUtils 2.8; mitigations include disabling telnetd or blocking TCP port 23. GreyNoise observed limited, mostly automated exploitation activity and recommends immediate patching and hardening.
read more →

Fortinet: Active FortiCloud SSO Bypass on Patched FortiGate

🔒 Fortinet confirmed active exploitation of a FortiCloud SSO authentication bypass affecting fully patched FortiGate firewalls. The vendor said attackers exploited a new attack path that can circumvent patches addressing CVE-2025-59718 and CVE-2025-59719 by using crafted SAML messages when FortiCloud SSO is enabled. Observed activity includes creation of generic admin accounts, configuration changes to enable VPN access, and configuration exfiltration. Fortinet recommends restricting internet-facing administrative access and disabling the admin-forticloud-sso-login feature while a full remediation is finalized.
read more →

Fortinet confirms FortiCloud SSO auth bypass remains unpatched

⚠️ Fortinet confirmed it is still addressing a critical FortiCloud SSO authentication bypass (CVE-2025-59718) after reports that attackers are able to bypass patches and compromise fully updated firewalls. Security firm Arctic Wolf says automated attacks beginning January 15 created VPN-access admin accounts and quickly exfiltrated firewall configurations. Fortinet advises disabling FortiCloud SSO, restricting administrative access with a local-in policy, and treating affected systems as compromised while a full fix is developed.
read more →

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.
read more →

SmarterMail auth bypass exploited to hijack admins

🔒 An authentication bypass in SmarterTools SmarterMail allows unauthenticated actors to reset system administrator passwords via the publicly exposed 'force-reset-password' API endpoint. The endpoint accepts attacker-controlled JSON and an IsSysAdmin flag that, when set to true, triggers admin password reset logic without verifying the old password. watchTowr reported the issue on January 8 and SmarterMail released Build 9511 on January 15; researchers observed exploitation within days. Administrators should apply the update immediately to prevent full account takeover.
read more →

Critical GNU InetUtils telnetd Flaw Allows Root Login

🔐 A critical vulnerability in GNU InetUtils telnetd (CVE-2026-24061) enables remote attackers to bypass authentication and gain root access by supplying a crafted USER environment string. The flaw, present in releases 1.9.3 through 2.7, occurs because telnetd forwards an unvalidated USER value to /usr/bin/login, which interprets "-f root" as an authentication bypass. Administrators should apply patches or disable telnetd until updates are installed.
read more →

Appsmith authentication flaw enables account takeovers

🔒 A critical authentication vulnerability (CVE-2026-22794) in the Appsmith low-code platform allowed attackers to manipulate password reset links by supplying a malicious HTTP Origin header, causing reset tokens to be redirected to attacker-controlled infrastructure. Exploitation can lead to full account takeover, including administrator access. The flaw affects Appsmith 1.92 and earlier and was corrected in 1.93; internet scans identified 1,666 publicly accessible instances.
read more →

RealHomes CRM Plugin Flaw Patched After Site Takeovers

⚠️ A critical flaw in the RealHomes CRM WordPress plugin—bundled with the widely used RealHomes theme and present on more than 30,000 sites—allowed any logged-in user with Subscriber access or higher to upload arbitrary files via a CSV import. Assigned CVE-2025-67968, the bug affected versions 1.0.0 and earlier and could lead to full site takeover. Developers released v1.0.1, adding a current_user_can check and file-type validation via wp_check_filetype; users should update immediately.
read more →

EVMAPA EV Charging Stations: Critical Authentication Flaws

🔒 CISA warns of multiple high-severity vulnerabilities in EVMAPA electric vehicle charging station software, including missing authentication on a WebSocket endpoint (CVE-2025-54816), unlimited authentication attempts (CVE-2025-53968), and insufficient session expiration (CVE-2025-55705). Exploitation could enable unauthorized remote command execution, spoofing of station statuses, or denial-of-service, with a top CVSS score of 9.4. Vendor responses vary: EVMAPA plans BASIC auth for OCPP 2.x, uses WSS and vendor VPN for some deployments, and reports one issue has been fixed.
read more →

SmarterMail authentication bypass patched, now exploited

🔒 Researchers report an authentication bypass in SmarterTools SmarterMail (tracked as WT-2026-0001) being actively exploited days after a Jan 15, 2026 patch (Build 9511). An unauthenticated HTTP request to the /api/v1/auth/force-reset-password endpoint can set an IsSysAdmin flag and reset any administrator password if the attacker knows the admin username. The same privileged path enables SYSTEM-level remote code execution via the product's Volume Mount Command feature. watchTowr Labs went public after community reports showed the endpoint was used to change an admin password on Jan 17, indicating rapid patch reversal by attackers.
read more →

GitLab 2FA Bypass Vulnerability Requires Immediate Patch

🔒 A critical two-factor authentication bypass (CVE-2026-0723) in GitLab Community and Enterprise editions allows an attacker who knows a user’s credentials to submit forged device responses and bypass MFA. GitLab released patches in versions 18.8.2, 18.7.2 and 18.6.4 and strongly recommends that all self-managed instances upgrade immediately. Additional fixes address several denial-of-service and authorization flaws; GitLab.com and Dedicated tenants are already protected.
read more →

Patched FortiGate Firewalls Still Being Compromised

🚨Fortinet customers report attackers bypassing a previously patched FortiGate authentication flaw (CVE-2025-59718) to create admin accounts on devices running FortiOS 7.4.9 and 7.4.10. Fortinet reportedly plans releases of FortiOS 7.4.11, 7.6.6 and 8.0.0 to fully remediate the issue. Until those updates are available, admins are advised to disable FortiCloud SSO using the GUI or the CLI mitigation steps Fortinet published. Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, and CISA has listed the vulnerability as actively exploited and ordered expedited patching.
read more →

GitLab warns of 2FA bypass and multiple DoS vulnerabilities

🔒 GitLab has patched a high-severity two-factor authentication bypass (CVE-2026-0723) that could allow attackers who know a target's account ID to submit forged device responses and bypass 2FA. The release also addresses two high-severity denial-of-service flaws (CVE-2025-13927, CVE-2025-13928) and two medium-severity DoS issues affecting Wiki rendering and SSH authentication. Administrators should upgrade to 18.8.2, 18.7.2, or 18.6.4 immediately; GitLab.com is already patched.
read more →

WhisperPair: Bluetooth Headset Tracking Vulnerability

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non‑Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.
read more →

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.
read more →

Cloudflare Fixes ACME Validation Bug Exposing Origins

🔒 Cloudflare patched a vulnerability in its ACME HTTP-01 validation logic that could allow requests to bypass WAF protections and reach customer origin servers. Discovered by FearsOff in October 2025, the flaw arose when edge logic disabled WAF handling for requests matching an ACME challenge token without confirming the token belonged to the requested hostname. Cloudflare said it found no evidence of exploitation and implemented a code change on October 27, 2025 to only disable WAF features when the token is a valid challenge for that specific hostname.
read more →

Mandiant Publishes Tool to Expose NTLMv1 Insecurity

🔓 Mandiant released a pre-computed Net-NTLMv1 rainbow table so anyone can map challenge-response data back to real NT hashes, a move intended to force organizations to abandon the insecure NTLMv1 protocol. The dataset, hosted via the Google Cloud Research Dataset portal, can recover keys in about 12 hours using roughly $600 of hardware. Mandiant says the goal is to demonstrate immediate risk and prompt remediation rather than to create new vulnerabilities.
read more →

Modular DS WordPress Flaw Lets Attackers Gain Admin

🔒 Hackers are actively exploiting a maximum-severity authentication bypass in the Modular DS WordPress plugin (CVE-2026-23550) to gain admin-level access on vulnerable installs. The flaw affects versions 2.5.1 and earlier and was first observed in the wild on January 13; the vendor released a fix in version 2.5.2 shortly after disclosure. Site owners should update immediately, review server logs, verify admin accounts, and regenerate WordPress salts after patching.
read more →

WhisperPair Flaw Lets Attackers Hijack Bluetooth Audio

🔒 Security researchers at KU Leuven disclosed a critical flaw dubbed WhisperPair (CVE-2025-36911) in the Fast Pair protocol that lets attackers forcibly pair with and control Bluetooth audio accessories. The issue stems from devices failing to enforce the Fast Pair requirement to ignore pairing requests when not in pairing mode, enabling silent hijacking and eavesdropping. Hundreds of millions of headphones, earbuds, and speakers from vendors including Google, Jabra, Sony, OnePlus, Xiaomi, and others are affected, and patches are being coordinated with manufacturers.
read more →

Critical Fast Pair Flaw Lets Attackers Hijack Headsets

🔒 Researchers disclosed a critical vulnerability in Google's Fast Pair protocol, tracked as CVE-2025-36911 and dubbed WhisperPair. The flaw stems from many accessories failing to ignore pairing requests when not in pairing mode, enabling attackers to pair without user consent. Exploits can hijack audio devices, enable eavesdropping and location tracking, and affect hundreds of millions of headsets from vendors including Google, Sony, Jabra, JBL, OnePlus. Only manufacturer firmware updates mitigate the risk; disabling Fast Pair on phones does not protect accessories.
read more →