< ciso
brief />
Tag Banner

All news with #authentication bypass tag

344 articles · page 4 of 18

Cisco fixes CVE-2026-20182 SD-WAN Controller bypass

🔒 Cisco has released fixes for a maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) that it says has been exploited in limited attacks. The flaw allows a remote unauthenticated attacker to become an authenticated peer and obtain administrative privileges by abusing the peering authentication mechanism. Affected deployments include On-Prem, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP); Cisco urges immediate patching and recommends auditing /var/log/auth.log for suspicious peering or publickey entries.
read more →

Siemens SIPROTEC 5 Session ID Randomness Vulnerability

⚠️ The Siemens SIPROTEC 5 series employs insufficiently random values for session identifiers on a subset of web endpoints, enabling an unauthenticated remote actor to brute-force and hijack valid sessions. Exploitation can permit limited read access to web server information without authorization. Siemens is preparing fixes and recommends updating to V11.0 or later where available, validating updates, and applying network protections such as segmentation, firewalls, and controlled remote access procedures.
read more →

Siemens Opcenter RDnL: ActiveMQ Artemis Authentication Flaw

🔒 Siemens reports that Opcenter RDnL is affected by a Missing Authentication for Critical Function in Apache ActiveMQ Artemis. An unauthenticated actor on an adjacent network can force a broker to open an outbound Core federation to an attacker-controlled broker, risking message injection and availability impacts. Siemens and Apache recommend updating to Apache Artemis 2.52.0 or later and applying mitigations such as Core interceptors, disabling Core on exposed acceptors, and enforcing two-way SSL.
read more →

PraisonAI Authentication Bypass CVE-2026-44338 Exploited

🔒 PraisonAI contained a critical authentication bypass (CVE-2026-44338) in its legacy Flask API server that sets AUTH_ENABLED = False and AUTH_TOKEN = None by default. Exploitation allows unauthenticated callers to enumerate configured agents via /agents and to trigger workflows through /chat, potentially consuming model quotas and exposing run results. The flaw affects versions 2.5.6–4.6.33 and was fixed in v4.6.34; operators are advised to update, audit deployments, and rotate exposed credentials.
read more →

PraisonAI Authentication Bypass Scanned by Internet

🔍 Sysdig reported that a newly disclosed authentication bypass in the open-source orchestration framework PraisonAI was probed by internet scanners about 3 hours and 44 minutes after a GitHub advisory published on May 11. The flaw stems from a legacy Flask API server that ships with authentication disabled by default, affecting versions 2.5.6 through 4.6.33 and fixed in 4.6.34. Researchers urge immediate upgrades and monitoring for the “CVE-Detector/1.0” user-agent and suspicious /api/agents and related paths.
read more →

Windows BitLocker Zero-Day: YellowKey and GreenPlasma

🔒 A researcher known as Chaotic Eclipse (Nightmare-Eclipse on GitHub) published proof-of-concept exploits named YellowKey and GreenPlasma that bypass BitLocker protections and enable local privilege escalation on affected Windows versions. YellowKey abuses the Windows Recovery Environment (WinRE) and NTFS transaction replay to spawn a shell and access encrypted volumes, while GreenPlasma allows arbitrary memory-section creation that can be escalated to SYSTEM. The author said the disclosures were driven by dissatisfaction with Microsoft's handling of reports. Microsoft says it investigates and supports coordinated disclosure.
read more →

Android 17 Expands Banking Call and Theft Protections

🔒Android 17, rolling out next month, expands security and privacy features to combat device theft, enhance threat detection, and block banking scam calls. The OS will work with banking apps to verify caller authenticity via app-level queries and bank-provided number lists, and will automatically terminate suspected scam calls. Initial partners include Revolut, Itaú Unibanco, and Nubank, and Google plans support back to Android 11. The release also broadens Live Threat Detection, strengthens Advanced Protection, and adds biometric Mark as lost locking and other anti-theft measures.
read more →

ABB WebPro SNMP Card PowerValue: Multiple Vulnerabilities

🔒 ABB disclosed multiple vulnerabilities in the WebPro SNMP Card PowerValue affecting earlier firmware releases. The flaws include an authentication bypass (the device validates only the first character of session cookies and tokens), insufficient session expiration and uncontrolled resource consumption that can cause DoS and Modbus instability on port 502. ABB issued fixes in v1.1.8.p and recommends contacting ABB Digital Service Support and applying defensive measures from the product manual.
read more →

ABB AC500 V3 Multiple Vulnerabilities and Fixes Notice

⚠️ABB disclosed multiple vulnerabilities in AC500 V3 PLCs that can bypass user management, expose visualization files, compromise PKI certificates, or cause denial-of-service (CVE-2025-2595, CVE-2025-41659, CVE-2025-41691). The issues stem from forced browsing, a permission flaw in the optional CmpOpenSSL component, and a NULL pointer dereference in CmpDevice. ABB corrected the issues in firmware 3.9.0 via Automation Builder 2.9.0; no workarounds are available and customers should apply the update promptly.
read more →

SAP May 2026 Fixes Critical Flaws in Commerce Cloud

🔒 SAP released its May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws affecting Commerce Cloud and S/4HANA. The most severe (CVE-2026-34263) is a missing authentication check in Commerce Cloud that can allow unauthenticated remote code execution via improper Spring Security configuration. The other critical (CVE-2026-34260) permits low-complexity SQL injection by attackers with basic privileges, risking sensitive data exposure and potential service crashes. SAP also patched one high and 11 medium-severity issues and reports no evidence of in-the-wild exploitation to date.
read more →

Securing MCP Infrastructure: Zero-Trust for AI Agents

🔒 Knostic’s internet-wide reconnaissance discovered 1,862 exposed MCP servers, and manual checks of 119 instances showed every sampled server returned internal tool listings without authentication. High-impact flaws like EchoLeak (CVE-2025-32711) and mcp-remote (CVE-2025-6514) illustrate how poisoned documents and command-injection in widely used packages can enable silent data exfiltration or full system compromise. The article prescribes immediate adoption of zero-trust controls: authentication on every interaction, network segmentation, cryptographic signing for tool definitions, continuous integrity monitoring, and human approval for sensitive actions.
read more →

PamDOORa: PAM-Based Linux Backdoor Enables Persistent SSH

🔐 Researchers disclosed a new Linux backdoor called PamDOORa, advertised on the Russian cybercrime forum Rehub by an actor named "darkworm". The PAM-based post-exploitation toolkit provides persistent OpenSSH access via a magic password and specific TCP port and can harvest credentials for all users who authenticate through the compromised host. Flare.io says the implant also includes anti-forensic features to tamper with authentication logs and evasion techniques. The seller listed it at $1,600 in March 2026, later reducing the price to about $900.
read more →

Critical WebSocket Flaw in Cline Kanban Enables RCE

🔒 A critical WebSocket vulnerability in Cline's Kanban server (CVSS 9.7) allows any webpage a developer visits to silently exfiltrate workspace data, inject terminal commands and terminate agent sessions. Disclosed by Oasis Security on May 7, it affects the Kanban npm package v0.1.59 and stems from missing origin validation and authentication on three local WebSocket endpoints. Updating to v0.1.66 and disabling the default bypass permissions flag are recommended mitigations.
read more →

Fixing the password problem: why '123456' still works

🔐 The most-used password globally remains '123456', according to NordPass, and the author found that some mainstream services still accept trivial credentials in direct tests. Examples include Evite (breached in 2019) and parts of major social platforms that permit easily guessable strings like '1234567!'. The article highlights inconsistent password policies across sites and argues for stronger authentication requirements—preferably mandated MFA—with regulatory backing where necessary.
read more →

Progress patches critical MOVEit Automation flaws urgently

⚠️ Progress Software issued updates for MOVEit Automation to address two vulnerabilities: a critical authentication bypass (CVE-2026-4670, CVSS 9.8) and an improper input validation flaw that could enable privilege escalation (CVE-2026-5174, CVSS 7.7). Affected branches include releases <=2025.1.4, <=2025.0.8, and <=2024.1.7; fixes are available in 2025.1.5, 2025.0.9, and 2024.1.8. Airbus SecLab researchers reported the issues, and Progress states there are no workarounds and no confirmed in-the-wild exploitation; administrators should apply updates promptly and review access to service backend command ports.
read more →

Critical MOVEit Automation Auth Bypass Patch Urged

🚨 Progress warns customers to patch a critical authentication bypass in MOVEit Automation tracked as CVE-2026-4670, affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. Remote attackers can exploit the flaw without privileges in low-complexity, no-interaction attacks. Progress says upgrading with the full installer is the only remediation and that an outage will occur during the upgrade. The vendor also released a fix for a high-severity privilege escalation, CVE-2026-5174.
read more →

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.
read more →

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.
read more →

ABB OPTIMAX Azure AD SSO Authentication Bypass Vulnerability

🔒 A high-severity authentication bypass (CVE-2025-14510, CVSS 8.1) affects ABB Ability OPTIMAX systems that use Azure Active Directory Single Sign-On, potentially permitting an attacker to bypass user authentication remotely. Affected builds include all 6.1 and 6.2 releases and 6.3/6.4 builds prior to 6.3.1-251120 and 6.4.1-251120. ABB has published fixes (for example, 6.3.1-251120); administrators should follow the ABB PSIRT advisory, apply available updates, and implement network segmentation and secure remote access controls while performing impact analysis prior to changes.
read more →

ABB AWIN Gateways: High-Risk Authentication Flaws Updates

🔒 CISA published an advisory on 2026-04-30 describing multiple authentication-related vulnerabilities in ABB AWIN Gateways that permit unauthenticated queries to disclose system configuration and, in one case, remotely reboot devices. The issues include an authentication bypass via capture-replay and missing authentication for critical functions. Affected firmware includes AWIN GW100 rev.2 (2.0-0, 2.0-1) and AWIN GW120 (1.2-0, 1.2-1); ABB released fixes (FW 2.1-0 and FW 2.0-0, Product IDs 3BNP102988R1 and 3BNP103003R1) and PSIRT advisory 4JNO000329. CISA recommends isolating devices, removing internet exposure, using secure remote access (for example, up‑to‑date VPNs), and conducting impact analysis before deploying mitigations.
read more →