< ciso brief />

All news with #authentication bypass tag

296 articles · page 2 of 15

ABB AC500 V3 Multiple Vulnerabilities and Fixes Notice

⚠️ ABB disclosed multiple vulnerabilities in AC500 V3 PLCs that can bypass user management, expose visualization files, compromise PKI certificates, or cause denial-of-service (CVE-2025-2595, CVE-2025-41659, CVE-2025-41691). The issues stem from forced browsing, a permission flaw in the optional CmpOpenSSL component, and a NULL pointer dereference in CmpDevice. ABB corrected the issues in firmware 3.9.0 via Automation Builder 2.9.0; no workarounds are available and customers should apply the update promptly.

SAP May 2026 Fixes Critical Flaws in Commerce Cloud

🔒 SAP released its May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws affecting Commerce Cloud and S/4HANA. The most severe (CVE-2026-34263) is a missing authentication check in Commerce Cloud that can allow unauthenticated remote code execution via an improper Spring Security configuration. The other critical issue (CVE-2026-34260) permits low-complexity SQL injection by a low-privileged attacker, risking sensitive data exposure and service crashes. SAP also patched one high- and 11 medium-severity issues and reports no evidence of in-the-wild exploitation to date.

Securing MCP Infrastructure: Zero-Trust for AI Agents

🔒 Knostic’s internet-wide reconnaissance discovered 1,862 exposed MCP servers, and manual checks of 119 instances showed every sampled server returned internal tool listings without authentication. High-impact flaws like EchoLeak (CVE-2025-32711) and mcp-remote (CVE-2025-6514) illustrate how poisoned documents and command-injection in widely used packages can enable silent data exfiltration or full system compromise. The article prescribes immediate adoption of zero-trust controls: authentication on every interaction, network segmentation, cryptographic signing for tool definitions, continuous integrity monitoring, and human approval for sensitive actions.

PamDOORa: PAM-Based Linux Backdoor Enables Persistent SSH

🔐 Researchers disclosed a new Linux backdoor called PamDOORa, advertised on the Russian cybercrime forum Rehub by an actor named "darkworm". The PAM-based post-exploitation toolkit provides persistent OpenSSH access via a magic password and a specific TCP port, and it can harvest credentials for every user who authenticates through the compromised host. Flare.io says the implant also ships anti-forensic features that tamper with authentication logs, along with other evasion techniques. The seller listed it at $1,600 in March 2026, later reducing the price to about $900.

Critical WebSocket Flaw in Cline Kanban Enables RCE

🔒 A critical WebSocket vulnerability in Cline's Kanban server (CVSS 9.7) allows any webpage a developer visits to silently exfiltrate workspace data, inject terminal commands and terminate agent sessions. Disclosed by Oasis Security on May 7, it affects the Kanban npm package v0.1.59 and stems from missing origin validation and authentication on three local WebSocket endpoints. Browsers do not apply cross-origin restrictions to opening a WebSocket; the handshake only carries an Origin header, so a localhost endpoint that neither checks that header nor requires a credential is reachable from any page the developer has open. Updating to v0.1.66 and disabling the default bypass-permissions flag are the recommended mitigations.

Fixing the password problem: why '123456' still works

🔐 The most-used password globally remains '123456', according to NordPass, and the author found that some mainstream services still accept trivial credentials in direct tests. Examples include Evite (breached in 2019) and parts of major social platforms that permit easily guessable strings like '1234567!'. The article highlights inconsistent password policies across sites and argues for stronger authentication requirements—preferably mandated MFA—with regulatory backing where necessary.

Progress patches critical MOVEit Automation flaws urgently

⚠️ Progress Software issued updates for MOVEit Automation to address two vulnerabilities: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and an improper input validation flaw that could enable privilege escalation (CVE-2026-5174, CVSS 7.7). Affected branches include releases <=2025.1.4, <=2025.0.8, and <=2024.1.7; fixes are available in 2025.1.5, 2025.0.9, and 2024.1.8. Airbus SecLab researchers reported the issues, and Progress states there are no workarounds and no confirmed in-the-wild exploitation; administrators should apply updates promptly and review access to service backend command ports.

Critical MOVEit Automation Auth Bypass Patch Urged

🚨 Progress warns customers to patch a critical authentication bypass in MOVEit Automation tracked as CVE-2026-4670, affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote attackers can exploit the flaw without privileges in low-complexity, no-interaction attacks. Progress says upgrading with the full installer is the only remediation and that an outage will occur during the upgrade. The vendor also released a fix for a high-severity privilege escalation, CVE-2026-5174.

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.

ABB OPTIMAX Azure AD SSO Authentication Bypass Vulnerability

🔒 A high-severity authentication bypass (CVE-2025-14510, CVSS 8.1) affects ABB Ability OPTIMAX systems that use Azure Active Directory single sign-on, potentially permitting a remote attacker to bypass user authentication. Affected builds include all 6.1 and 6.2 releases, 6.3 builds prior to 6.3.1-251120 and 6.4 builds prior to 6.4.1-251120. ABB has published fixed builds (for example, 6.3.1-251120); administrators should follow the ABB PSIRT advisory, apply the available updates, and implement network segmentation and secure remote access controls, performing an impact analysis before making changes.

ABB AWIN Gateways: High-Risk Authentication Flaws Updates

🔒 CISA published an advisory on 2026-04-30 describing multiple authentication-related vulnerabilities in ABB AWIN Gateways that permit unauthenticated queries to disclose system configuration and, in one case, remotely reboot devices. The issues include an authentication bypass via capture-replay and missing authentication for critical functions. Affected firmware includes AWIN GW100 rev.2 (2.0-0, 2.0-1) and AWIN GW120 (1.2-0, 1.2-1); ABB released fixes (FW 2.1-0 and FW 2.0-0, Product IDs 3BNP102988R1 and 3BNP103003R1) and PSIRT advisory 4JNO000329. CISA recommends isolating devices, removing internet exposure, using secure remote access (for example, up-to-date VPNs), and conducting impact analysis before deploying mitigations.

Critical Authentication Bypass in ABB Edgenius Portal

🔒 CISA reports a critical authentication bypass in ABB Edgenius Management Portal (CVE-2025-10571) that permits an attacker with network access to send a specially crafted message to a system node and bypass authentication. Successful exploitation can allow arbitrary code execution, removal of installed applications, and modification of application configurations. ABB has released a fix in Ability Edgenius 3.2.2.0 and urges immediate upgrade; until patched, disabling the portal and reducing network exposure are recommended.

CISA Adds CVE-2026-41940 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog for a missing authentication for critical function in WebPros cPanel & WHM and WP2 (WordPress Squared). The issue has evidence of active exploitation and represents a common attack vector that can enable unauthorized access to protected functionality. Under BOD 22-01 federal agencies are required to remediate affected systems by the specified due date; CISA strongly urges all organizations to prioritize patching, apply vendor updates, and implement compensating controls promptly.

Critical cPanel and WHM Authentication Bypass Zero-Day

🔒 CVE-2026-41940 is a critical authentication bypass affecting cPanel, WHM, and WP Squared that has been actively exploited in the wild. The flaw is a CRLF injection in the login and session-loading path: data from the Authorization header is written unsanitized into server-side session files before authentication completes, so newline-separated content in that header lands in the session file as if the server had written it, enabling the bypass. Patches released April 28 cover multiple 11.x release lines and vendors published detection scripts; short-term mitigations include blocking the management ports (2083/2087/2095/2096) or stopping the cpsrvd and cpdavd services.
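The bug class described above, as an added example that is not cPanel's code and does not use cPanel's session format: a generic "key=value per line" session store into which the username from a Basic Authorization header is written before the password is verified. The field names (`user`, `authenticated`, `created`), the file layout and both sample headers are constructed for the demo.

```javascript
// Added example (generic, not cPanel's session format): why writing
// unsanitized Authorization-header data into a line-oriented session file
// before the password is checked lets an attacker forge session state.
// Field names, the file layout and the sample headers are constructed.

// Decode an HTTP Basic Authorization header into user and password.
function parseBasicAuth(header) {
  const m = /^Basic\s+(\S+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1) };
}

// Session files here are "key=value" per line; later lines override earlier ones.
function loadSession(text) {
  const session = {};
  for (const line of text.split(/\r?\n/)) {
    const eq = line.indexOf('=');
    if (eq > 0) session[line.slice(0, eq)] = line.slice(eq + 1);
  }
  return session;
}

// Vulnerable: the username is interpolated verbatim before authentication.
// Only the password-verification step is supposed to add "authenticated=1".
function writeSessionVulnerable(user) {
  return `user=${user}\ncreated=${Date.now()}\n`;
}

// Hardened: allowlist the username (no CR, LF or '=' can survive) and fail closed.
const USERNAME_RE = /^[a-z0-9._-]{1,64}$/i;
function writeSessionHardened(user) {
  if (!USERNAME_RE.test(user)) throw new Error('rejected username');
  return `user=${user}\ncreated=${Date.now()}\n`;
}

// Simulated login: parse the header, persist the pre-auth session, reload it,
// and report what the rest of the application would believe.
function login(header, writeSession) {
  const creds = parseBasicAuth(header);
  if (!creds) return { loggedIn: false, reason: 'bad header' };
  let session;
  try {
    session = loadSession(writeSession(creds.user));
  } catch (err) {
    return { loggedIn: false, reason: err.message };
  }
  // No password check has happened yet, so this must be false for anyone.
  return { user: session.user, loggedIn: session.authenticated === '1' };
}

// Constructed attacker header: the username carries a CRLF plus a forged field.
const EVIL_HEADER = 'Basic ' + Buffer.from('root\r\nauthenticated=1:x').toString('base64');
const BENIGN_HEADER = 'Basic ' + Buffer.from('alice:correct horse').toString('base64');

console.log(login(EVIL_HEADER, writeSessionVulnerable)); // { user: 'root', loggedIn: true }
console.log(login(EVIL_HEADER, writeSessionHardened));   // { loggedIn: false, reason: 'rejected username' }
```

The allowlist is the minimal fix for the injection; the structural fix is to not persist any attacker-supplied value until the credential has been verified, so that a session file can only ever be created by the code path that is entitled to set `authenticated=1`.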

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.
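One common form of the middleware/router mismatch named above, as an added example that is not Qinglong's code and does not reproduce its exact bug: an authorization guard that tests `req.path` with a case-sensitive string prefix while the Express router, under its default `caseSensitive: false` and `strict: false` settings, matches case-insensitively and with an optional trailing slash. Express's matching rules are reproduced with plain regexes so the demo runs without the package; the admin route, mount prefix and probe paths are constructed.

```javascript
// Added example (not Qinglong's code): one common form of an authorization
// middleware that does not match paths the way the Express router does.
// Express's default matching (case-insensitive, optional trailing slash) is
// reproduced here with plain regexes so the demo runs without Express.

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// What Express compiles app.get('/api/admin', handler) to under the default
// caseSensitive: false, strict: false settings.
function compileRoute(pattern) {
  return new RegExp(`^${escapeRegex(pattern)}\\/?$`, 'i');
}

// What Express compiles router.use('/api', middleware) to: a prefix match that
// stops at a path boundary, also case-insensitive.
function compileMountPrefix(pattern) {
  return new RegExp(`^${escapeRegex(pattern)}\\/?(?=\\/|$)`, 'i');
}

const ADMIN_ROUTE = compileRoute('/api/admin');
const API_MOUNT = compileMountPrefix('/api');

// Mismatched guard: a case-sensitive string test on req.path decides whether
// credentials are required, while the router itself is case-insensitive.
function naiveNeedsAuth(path) {
  return path.startsWith('/api/');
}

// Request flow with the naive guard; returns the HTTP status the client sees.
function naiveDispatch(path, authenticated) {
  if (naiveNeedsAuth(path) && !authenticated) return 401;
  return ADMIN_ROUTE.test(path) ? 200 : 404;
}

// Fixed flow: the guard is mounted on the same router that owns the routes
// (router.use('/api', requireAuth)), so both decisions use the same matcher.
function fixedDispatch(path, authenticated) {
  if (API_MOUNT.test(path) && !authenticated) return 401;
  return ADMIN_ROUTE.test(path) ? 200 : 404;
}

// Constructed probe set: variants an unauthenticated client might try.
const PROBES = ['/api/admin', '/api/admin/', '/API/admin', '/Api/Admin/', '/apix/admin'];

// Paths that reach the admin handler with no credentials under a given flow.
function unauthenticatedBypasses(dispatch) {
  return PROBES.filter((p) => dispatch(p, false) === 200);
}

console.log('naive guard bypassed by:', unauthenticatedBypasses(naiveDispatch)); // [ '/API/admin', '/Api/Admin/' ]
console.log('fixed guard bypassed by:', unauthenticatedBypasses(fixedDispatch)); // []
```

The check the article recommends ("verify middleware authentication enforcement") amounts to running a probe set like this against every protected route: if any variant that the router accepts is not also seen by the guard, the guard is using a different matcher than the router and must be mounted on the router instead of re-implementing its rules.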

Emergency cPanel/WHM Update Fixes Critical Auth Bypass

🔒 A critical authentication bypass was identified in cPanel and WHM, prompting an emergency update; administrators install the patched builds by running /scripts/upcp --force. Hosting provider Namecheap temporarily blocked ports 2083 and 2087, used by the control panels, while vendors issued fixes, underscoring the severity. Systems on unsupported cPanel releases will not receive security updates and should be upgraded immediately.

Critical cPanel Authentication Flaw — Update Immediately

⚠️ cPanel has released urgent security updates to remediate an authentication vulnerability affecting all currently supported versions of its control panel. The vendor issued patched builds (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, 11.136.0.5) and advises immediate updating. If you run an unsupported version, cPanel warns you to upgrade as it may also be affected. Hosting provider Namecheap temporarily blocked TCP ports 2083 and 2087 while applying the fixes and is actively deploying the official patches across its servers.

UK NCSC Urges Businesses to Offer Passkeys by Default

🔐 The UK National Cyber Security Centre now recommends offering passkeys as the default authentication option for consumer accounts, saying passwords are "no longer resilient enough" for modern threats. The agency highlights that FIDO2-based passkeys rely on device-bound cryptographic keys and local verification (biometrics or PINs), making them resistant to phishing and credential reuse. Where passkeys are not yet supported it advises using password managers and strong multi-factor verification, and warns organisations to secure account recovery and fallback processes.

Yadea T5 Electric Bicycle Weak Authentication Risk

🔓 CISA warns that Yadea T5 electric bicycles are affected by a weak authentication vulnerability tracked as CVE-2025-70994. A local attacker who intercepts a legitimate key fob transmission can forge signals to unlock and start the bicycle, enabling theft; CISA assigns a CVSS v3.1 score of 7.3 (High) and notes the issue is not remotely exploitable. Yadea did not respond to coordination efforts; users should secure property with external locks, keep devices updated, and contact vendor support.