CISO Brief

All news with #authentication bypass tag

296 articles · page 5 of 15

Remote Control Glitch Exposes Thousands of Robot Vacuums

🤖 A user attempting to remotely control his own DJI Romo robot vacuum inadvertently gained control of approximately 7,000 devices around the world. The incident highlights how insecure many consumer IoT devices remain and how a single action can cascade into widespread exposure. Beyond mere nuisance, such mass control raises privacy and safety concerns if exploited at scale. The episode underscores the urgent need for stronger device authentication, secure update mechanisms, and clearer vendor responsibility.

Nine IP KVM Vulnerabilities Allow Remote Full Host Control

🔒 Eclypsium researchers disclosed nine vulnerabilities in low-cost IP KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws can allow unauthenticated attackers to gain root or execute arbitrary code and operate at BIOS/UEFI levels, enabling keystroke injection, booting from removable media, and persistence beyond OS defenses. Some vendors have issued firmware fixes, but critical issues in Angeet ES3 remain unpatched. Administrators should apply available updates, isolate KVMs, and enforce stronger access controls.

Proving the Person on the Other Side Is Real, 2026 Test

🔐 By 2026, the central competition in identity-related work will be the ability to prove that the person behind a high-impact action is a real, accountable human. Generative AI and deepfakes create synthetic identities that can pass routine checks, contaminate risk models and hijack estate workflows. Defenses must focus on provenance, cross-channel consistency and continuous, risk-based verification tied to audit-grade trails.

Apple issues WebKit fix via Background Security Improvements

🔒 Apple has issued Background Security Improvements to address CVE-2026-20643, a cross-origin flaw in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. Apple fixed the issue by improving input validation and shipped patches in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Researcher Thomas Espach is credited with the report. Users should keep Automatically Install enabled in Settings > Privacy and Security to receive these lightweight fixes promptly.

Critical GNU InetUtils telnetd RCE via SLC Overflow

🚨 A critical out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd (CVE-2026-32746) enables unauthenticated remote attackers to achieve remote code execution as root. Discovered by Dream on March 11, 2026, the flaw affects releases through 2.7 and carries a CVSS score of 9.8. Exploitation can succeed during the initial Telnet handshake with a single connection to port 23; no credentials or user interaction are required. A patch is expected by April 1, 2026; until then, disable Telnet, avoid running telnetd as root, and block port 23.

Android OS-Level Exploit Hijacks Mobile Payment Security

🔒 CloudSEK researchers have identified an Android OS-level attack that manipulates the runtime via LSPosed modules to hijack legitimate payment apps without modifying APKs or invalidating app signatures. The campaign, associated with a module dubbed Digital Lutera, intercepts SMS, spoofs device identities, and captures 2FA in real time, effectively bypassing protections like Google Play Protect and persistent integrity checks. Reinstalling apps does not remove the malicious hooks, making detection and remediation difficult.

Companies House WebFiling Glitch Exposes Corporate Data

🛑 The UK’s Companies House has suspended its WebFiling dashboard after researchers Dan Neidle and John Hewitt revealed a simple flaw that allows an authenticated user to view another company’s dashboard by selecting “file for another company” and using the browser back button to bypass an authentication code. The weakness could expose personal and corporate details for millions of directors and, in some cases, permit unauthorized changes to registrations. The agency is investigating and directors are advised to review their filings.

CISA Emergency Directive Targets Exploited Cisco SD-WAN

🔔 CISA has issued Emergency Directive 26-03 after reports that threat actors are actively exploiting a critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127, CVSS 10). The directive instructs federal agencies to inventory affected systems, forward logs externally, collect forensic artifacts, apply vendor updates, hunt for signs of compromise and rebuild infrastructure if root access is detected. Agencies must report remediation and logging actions to CISA by multiple deadlines through March 23, 2026.

Trane Tracer SC Family: Multiple High-Risk Vulnerabilities

⚠️ CISA published an advisory for Trane Tracer SC, Tracer SC+, and Tracer Concierge reporting five vulnerabilities that could lead to information disclosure, arbitrary command execution, or denial-of-service. The issues (CVE-2026-28252 through CVE-2026-28256) include broken cryptography, excessive memory allocation, missing authorization, and hard-coded credentials/constants. Affected builds include Tracer SC < v4.4_SP7 and Tracer SC+/Concierge < v6.3.2310; Trane released Tracer SC+ v6.30.2313 to address these flaws. CISA advises isolating control networks, restricting remote access, applying vendor updates, and following ICS defensive best practices.

Fortinet/FortiOS Flaws Affect Siemens RUGGEDCOM APE1808

🔐 Fortinet disclosed multiple FortiOS vulnerabilities that affect Siemens RUGGEDCOM APE1808 devices. Siemens has issued firmware updates and advises operators to install vendor fixes promptly. Issues include an authentication bypass, HTTP request smuggling, and an externally controlled format string that can enable code execution or unauthorized access. Apply vendor patches and limit device exposure.

CISA warns of active exploitation: Ivanti EPM, Cisco SD-WAN

⚠️ CISA warns that an authentication-bypass bug in Ivanti Endpoint Manager (CVE-2026-1603), patched Feb. 9, is being actively exploited to leak stored credentials. The agency also added related SolarWinds and VMware defects to its Known Exploited Vulnerabilities catalog. CISA updated an emergency directive for Cisco SD-WAN flaws (CVE-2026-20127, CVE-2022-20775), citing signs of long-running exploitation and imposing new reporting and log-submission requirements for federal agencies, including a March 26 deadline.

Critical Aruba AOS-CX Web Bug Lets Attackers Gain Admin

⚠️ HPE Aruba Networking released patches for five vulnerabilities in AOS-CX switch software, including a critical web-management flaw that allows unauthenticated remote actors to bypass authentication and potentially reset administrator credentials. The most severe issue, CVE-2026-23813 (CVSS 9.8), can be triggered entirely over the network without user interaction. Additional CLI command-injection vulnerabilities and an open-redirect flaw were also fixed; administrators should apply updates and restrict management interfaces immediately.

HPE warns of critical AOS-CX flaw allowing admin resets

🔒 HPE has released patches for multiple vulnerabilities in the AOS-CX network OS, including a critical authentication bypass (CVE-2026-23813) that can allow unauthenticated actors to reset administrator passwords via the web management interface. The company reports no known public exploits at publication. Until updates are applied, HPE recommends isolating management interfaces, enforcing ACLs, disabling unnecessary HTTP(S) on SVIs and routed ports, and increasing logging and monitoring.

Honeywell IQ4x BMS Controller Critical Authentication Flaw

⚠️ CISA warns that Honeywell IQ4x Building Management System controllers expose a factory-default web HMI without authentication (tracked as CVE-2026-3611). An unauthenticated actor able to reach the HTTP interface can create administrative accounts via the U.htm function, gain full read/write control, and potentially lock out legitimate operators. Honeywell has not issued a patch; apply network mitigations immediately.

CISA: Actively exploited Ivanti EPM flaw patched quickly

🔴 CISA has added a recently patched Ivanti Endpoint Manager vulnerability (CVE-2026-1603) to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate within three weeks. The flaw allows unauthenticated remote actors to bypass authentication and exfiltrate credentials via low-complexity cross-site scripting. Ivanti released EPM 2024 SU5 last month, which also addressed a SQL injection issue; the vendor says it has no confirmed reports of exploitation, while Shadowserver still tracks over 700 Internet-facing instances.

Where MFA Stops: Windows Authentication Gaps and Risks

🔐 Organizations often assume multi-factor authentication (MFA) eliminates credential risk, but in many Windows environments that assumption is incomplete. Cloud IdPs like Microsoft Entra ID, Okta, and Google Workspace protect federated sign-ins, yet traditional Windows authentication paths — including interactive logons, RDP, NTLM, Kerberos ticket abuse, SMB, local admin and service accounts — commonly bypass those controls. The result: attackers can use stolen passwords, NTLM hashes, stolen or forged Kerberos tickets, or reused local credentials to move laterally and maintain persistent access without triggering cloud MFA. Vendor solutions such as Specops Secure Access and Specops Password Policy are presented as practical mitigations to enforce MFA for Windows logon, block compromised passwords, and reduce legacy protocol exposure.

Cisco Patches Maximum-Severity Flaws in Secure FMC

🔒 Cisco has released updates for two maximum-severity vulnerabilities in Cisco Secure FMC that allow unauthenticated remote attackers to obtain root on affected systems. CVE-2026-20079 is an authentication-bypass flaw exploitable via crafted HTTP requests to gain root, while CVE-2026-20131 is a remote code execution vulnerability triggered by a crafted serialized Java object that can execute arbitrary Java code as root. Cisco also patched dozens of other issues and says its PSIRT has no evidence these flaws are being actively exploited.

Critical OCPP Backend Vulnerabilities in Everon Platform

🔒 CISA reports multiple critical vulnerabilities in Everon OCPP Backends (api.everon.io) that permit unauthenticated access, session hijacking, credential exposure, and denial-of-service. The advisory details four CVEs, including a CVSS 3.1 score of 9.4 for missing authentication on WebSocket endpoints. Everon reportedly shut down the platform on December 1, 2025; CISA recommends isolating control networks, restricting Internet access, and using secure remote access methods.

ePower charging stations vulnerable to WebSocket flaws

🔒 CISA warns that ePower epower.ie charging stations contain multiple WebSocket authentication and session-management vulnerabilities that could allow attackers to impersonate chargers, hijack sessions, or disrupt charging services. The advisory catalogs four CVEs, led by a critical authentication bypass (CVE-2026-22552, CVSS 9.4). ePower has not responded to CISA's coordination requests; operators should apply recommended mitigations and minimize network exposure.

Vulnerabilities in Mobiliti e-mobi.hu Charging Stations

🔒 This advisory details critical authentication and session-management flaws in Mobiliti's e-mobi.hu charging platform that could permit unauthorized administrative access, session hijacking, and denial-of-service against chargers and backend services. Affected versions include all released e-mobi.hu builds. Operators should restrict network exposure, isolate charging networks behind firewalls, and contact Mobiliti support for vendor guidance.