CISO Brief

All news with #authentication bypass tag

296 articles · page 4 of 15

Cisco fixes critical IMC auth bypass in many devices

🔒Cisco has released patches for a critical authentication bypass in its Integrated Management Controller (IMC), tracked as CVE-2026-20093. The flaw, caused by incorrect handling of password changes, can be exploited via specially crafted HTTP requests to gain unauthenticated admin access. Affected platforms include standalone UCS C-Series, UCS E-Series, Catalyst 8300, and 5000 Series systems. Administrators should apply updates and restrict IMC exposure immediately.

Cisco Patches Critical IMC and SSM Flaws (CVSS 9.8)

🔒 Cisco released patches for two critical vulnerabilities in its management software that carry a CVSS score of 9.8. CVE-2026-20093 in the Integrated Management Controller (IMC) allows an unauthenticated attacker to bypass authentication and change any user password via a crafted HTTP request. CVE-2026-20160 affects Smart Software Manager On‑Prem and can enable remote command execution as root due to an exposed internal service. Cisco provided fixed releases and urges customers to update immediately; there are no known in-the-wild exploits to date.

Pre-auth RCE Chain in Progress ShareFile Storage Zones

🔓 Researchers at watchTowr disclosed two critical flaws in Progress ShareFile Storage Zones Controller (SZC): an authentication bypass (CVE-2026-2699) and a remote code execution via file upload/extraction (CVE-2026-2701). The issues can be chained to grant unauthenticated access to the admin interface, modify zone configuration, and deploy ASPX webshells to the application webroot. Progress issued a patch in ShareFile 5.12.4 on March 10; administrators should apply it immediately given thousands of internet-exposed SZC instances.

Critical Cisco IMC auth bypass gives attackers Admin access

🔒 Cisco has released patches for a critical Integrated Management Controller (IMC) authentication bypass (CVE-2026-20093) that allows unauthenticated, remote attackers to gain Admin privileges by sending a crafted HTTP password-change request. The flaw affects CIMC on UCS C-Series and E-Series servers and permits altering any account password, including Admin. Cisco's PSIRT reports no known in-the-wild exploitation or public proof-of-concept yet and stresses there are no workarounds, so customers should upgrade to fixed software immediately.

Critical Auth Bypass in Anritsu Remote Spectrum Monitors

⚠️ Anritsu Remote Spectrum Monitor models MS27100A, MS27101A, MS27102A, and MS27103A contain an inherent authentication bypass (CVE-2026-3356) that permits unauthenticated network users to access and control the device management interface. The vendor reports no planned patch and confirms the issue is a design limitation with no configurable authentication. Successful exploitation can expose signal data, change operational settings, or render devices unavailable. CISA recommends isolating affected devices and restricting network access.

PX4 MAVLink Missing Authentication Allows Remote Shell

⚠️ A critical authentication flaw (CVE-2026-1579) in the MAVLink protocol used by PX4 Autopilot can allow unauthenticated actors with MAVLink access to execute arbitrary shell commands via the SERIAL_CONTROL message. The issue affects PX4 Autopilot v1.16.0_SITL_latest_stable. PX4 recommends enabling MAVLink 2.0 message signing for all non-USB links and following the vendor's security hardening guidance to reduce exposure.

CISA Orders Federal Agencies to Patch Citrix Flaw Urgently

⚠️ CISA has ordered federal agencies to patch Citrix NetScaler appliances for CVE-2026-3055 by Thursday, April 2, after vendors warned the flaw is being actively exploited. The vulnerability arises from insufficient input validation in ADC and Gateway appliances configured as SAML identity providers and can enable unauthenticated attackers to steal admin session IDs and other sensitive information. watchTowr reported in-the-wild abuse days after Citrix released fixes on March 23, and CISA has added the issue to its KEV Catalog and invoked BOD 22-01.

Critical SQL Injection in Fortinet EMS Actively Exploited

⚠️ A critical SQL injection, CVE-2026-21643, is being actively exploited against FortiClient EMS, allowing unauthenticated attackers to execute arbitrary SQL via crafted HTTP requests. The flaw affects EMS 7.4.4 when multi-tenant mode is enabled; Fortinet released 7.4.5 to remediate. Researchers note the endpoint returns database error messages and lacks lockout protections, enabling rapid data extraction and credential theft. Administrators should patch immediately, remove internet exposure, and inspect HTTP headers for anomalous SQL.

TP-Link patches critical Archer NX router auth bypass

🔒 TP-Link released firmware updates for its Archer NX200, NX210, NX500, and NX600 routers to fix multiple vulnerabilities, including a critical authentication bypass that can permit unauthenticated firmware uploads via certain HTTP CGI endpoints. The vendor additionally removed a hardcoded cryptographic key and patched two command injection flaws that require administrative access. TP-Link warned customers to install the latest firmware immediately to block potential attacks. Failure to update may leave devices susceptible to takeover or configuration manipulation.

Pharos Controls Mosaic Show Controller Critical RCE

🛡️ Pharos Controls Mosaic Show Controller firmware 2.15.3 contains a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) that can allow an unauthenticated attacker to execute arbitrary commands with root privileges. The flaw has a CVSS v3.1 base score of 9.8 (Critical). Pharos Controls recommends upgrading to version 2.16 or later and isolating controllers from public networks.

Citrix Urges Immediate Patching of Critical NetScaler Flaw

⚠ Citrix has published updates for NetScaler ADC and NetScaler Gateway to fix two vulnerabilities, including a critical memory overread (CVE-2026-3055) that can leak sensitive information from appliance memory. Exploitation requires specific configurations—SAML IdP for CVE-2026-3055 and gateway or AAA roles for CVE-2026-4368. Affected builds include 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23; customers should inspect configurations and apply patches immediately.

Attackers Exploit CVE-2025-32975 to Hijack KACE SMA

🚨 Arctic Wolf reported exploitation of CVE-2025-32975 (CVSS 10.0), an authentication-bypass in Quest KACE Systems Management Appliance (SMA), against internet-exposed instances beginning the week of March 9, 2026. Attackers impersonated administrative users, executed remote commands to download Base64 payloads via curl from an external host, and created additional admin accounts using runkbot.exe. Observed post-compromise activity included Windows Registry modifications, credential harvesting with Mimikatz, reconnaissance, and RDP access to backup systems and domain controllers. Administrators should apply the May 2025 fixes and avoid exposing SMA directly to the internet.

Oracle patches critical RCE in Identity and Web Services

🔒 Oracle has released fixes for a critical pre-authentication remote code execution flaw, CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The issue carries a CVSS score of 9.8 and is described by NVD as "easily exploitable" over HTTP by unauthenticated attackers. Oracle says the flaw can enable full takeover of vulnerable instances and urges customers to apply updates immediately.

Magento 'PolyShell' REST API Flaw Affects 2.x Releases

⚠ Sansec has disclosed a critical file upload vulnerability dubbed PolyShell in Magento's REST API that can let unauthenticated attackers upload arbitrary executables and achieve remote code execution or account takeover. The flaw stems from how custom product options accept a base64-encoded file_info object and write files to pub/media/custom_options/quote/. Adobe applied a fix in the 2.4.9 pre-release (APSB25-94), but most production stores remain unpatched; operators should restrict and block access to the upload directory, verify nginx/Apache rules, scan for web shells, and consider a specialized WAF.

Low-cost KVM-over-IP Flaws Risk Remote Network Takeover

🔒 Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.

PolyShell flaw allows unauthenticated RCE in Magento

⚠ A newly disclosed vulnerability called PolyShell affects all Magento Open Source and Adobe Commerce version 2 installations, enabling unauthenticated code execution and potential account takeover. Adobe has issued a fix only in the 2.4.9 alpha, leaving production sites exposed. Sansec warns the exploit method is already circulating and urges admins to restrict access to pub/media/custom_options/, verify nginx/Apache rules, and scan for uploaded shells or backdoors.

Identity Attacks Rise: Adversaries Seek Invitations

🧛 Cisco Talos highlights a growing trend in 2025: attackers increasingly seek to be authorised as legitimate users rather than relying solely on loud exploits. Telemetry shows nearly a third of MFA spray attacks targeted IAM applications and fraudulent device registrations surged 178%, indicating adversaries focus on the mechanisms that grant access. Talos urges organisations to harden authentication, prioritise patching, manage EOS/EOL devices, and adopt phishing-resistant controls as part of a broader defensive posture.

Preventing Privilege Escalation via Password Resets

🔒 Many organizations invest heavily in login protections but leave password reset paths less scrutinized, creating an easy escalation route once attackers gain a foothold. The article explains common abuse scenarios — from helpdesk social engineering and intercepted reset tokens to misuse by over-permissioned admins — and recommends seven practical mitigations, including MFA, device posture checks, strict password policies, and avoiding knowledge-based authentication. It also highlights Specops tools to harden reset workflows and block breached passwords.

Critical OCPP WebSocket Vulnerabilities in eParking.fi

🔒 Multiple vulnerabilities in IGL-Technologies eParking.fi allow unauthenticated actors to connect to OCPP WebSocket endpoints, impersonate charging stations, issue commands, hijack sessions, or disrupt charging services via denial-of-service. CISA rates the most severe issue CVSSv3.1 9.4 (Critical). IGL-Technologies has implemented stronger authentication, device-level whitelisting, rate limiting, and enhanced monitoring; encrypted OCPP deployments and the proprietary eTolppa protocol are not impacted.

Critical CTEK Chargeportal Vulnerabilities and Risks

⚠️ Multiple authentication and session-management vulnerabilities in CTEK Chargeportal could allow remote attackers to impersonate charging stations, send unauthorized OCPP commands, or disrupt charging services. The highest-severity issue (CVE-2026-25192) affects WebSocket authentication and is rated CVSS 9.4 (Critical). Other flaws enable brute-force attempts, session hijacking, and exposure of station identifiers. CTEK plans to sunset Chargeportal in April 2026; operators should restrict network exposure, isolate control networks, and contact CTEK support for guidance.