< ciso
brief />
Tag Banner

All news with #authentication bypass tag

344 articles · page 5 of 18

Critical Authentication Bypass in ABB Edgenius Portal

🔒 CISA reports a critical authentication bypass in ABB Edgenius Management Portal (CVE-2025-10571) that permits an attacker with network access to send a specially crafted message to a system node and bypass authentication. Successful exploitation can allow arbitrary code execution, removal of installed applications, and modification of application configurations. ABB has released a fix in Ability Edgenius 3.2.2.0 and urges immediate upgrade; until patched, disabling the portal and reducing network exposure are recommended.
read more →

CISA Adds CVE-2026-41940 to Known Exploited Vulnerabilities

⚠️ CISA added CVE-2026-41940 to its Known Exploited Vulnerabilities Catalog for a missing authentication for critical function in WebPros cPanel & WHM and WP2 (WordPress Squared). The issue has evidence of active exploitation and represents a common attack vector that can enable unauthorized access to protected functionality. Under BOD 22-01 federal agencies are required to remediate affected systems by the specified due date; CISA strongly urges all organizations to prioritize patching, apply vendor updates, and implement compensating controls promptly.
read more →

Critical cPanel and WHM Authentication Bypass Zero-Day

🔒 CVE-2026-41940 is a critical authentication-bypass affecting cPanel, WHM, and WP Squared that has been actively exploited in the wild. The flaw stems from a CRLF injection in login and session-loading where unsanitized Authorization header data is written into server-side session files before authentication, enabling bypass. Patches released April 28 cover multiple 11.x release lines and vendors published detection scripts; short-term mitigations include blocking management ports (2083/2087/2095/2096) or stopping cpsrvd and cpdavd.
read more →

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.
read more →

Emergency cPanel/WHM Update Fixes Critical Auth Bypass

🔒 A critical authentication bypass was identified in cPanel and WHM, prompting an emergency update that requires administrators to run /scripts/upcp –force to install patched builds. Hosting provider Namecheap temporarily blocked ports 2083 and 2087 used by the control panels while vendors issued fixes, underscoring the severity. Systems on unsupported cPanel releases will not receive security updates and should be upgraded immediately.
read more →

Critical cPanel Authentication Flaw — Update Immediately

⚠️ cPanel has released urgent security updates to remediate an authentication vulnerability affecting all currently supported versions of its control panel. The vendor issued patched builds (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, 11.134.0.20) and advises immediate updating. If you run an unsupported version, cPanel warns you to upgrade as it may also be affected. Hosting provider Namecheap temporarily blocked TCP ports 2083 and 2087 while applying the fixes and is actively deploying the official patches across its servers.
read more →

UK NCSC Urges Businesses to Offer Passkeys by Default

🔐The UK National Cyber Security Centre now recommends offering passkeys as the default authentication option for consumer accounts, saying passwords are "no longer resilient enough" for modern threats. The agency highlights that FIDO2-based passkeys rely on device-bound cryptographic keys and local verification (biometrics or PINs), making them resistant to phishing and credential reuse. Where passkeys are not yet supported it advises using password managers and strong multi-factor verification, and warns organisations to secure account recovery and fallback processes.
read more →

Yadea T5 Electric Bicycle Weak Authentication Risk

🔓 CISA warns that Yadea T5 electric bicycles are affected by a weak authentication vulnerability tracked as CVE-2025-70994. A local attacker who intercepts a legitimate key fob transmission can forge signals to unlock and start the bicycle, enabling theft; CISA assigns a CVSS v3.1 score of 7.3 (High) and notes the issue is not remotely exploitable. Yadea did not respond to coordination efforts; users should secure property with external locks, keep devices updated, and contact vendor support.
read more →

SpiceJet Booking System: Two High-Severity Exposure Flaws

⚠️ CISA reports two high-severity authorization and authentication flaws in SpiceJet Online Booking System (CVE-2026-6375, CVE-2026-6376) that permit unauthenticated disclosure of passenger information. Both issues carry a CVSS 3.1 base score of 7.5 and allow PNR enumeration and full booking retrieval without proper access controls. SpiceJet did not respond to coordination requests; CISA recommends defensive network segmentation and other mitigations.
read more →

Critical Authentication Bypass in Xiongmai XM530 IP Cameras

⚠️ A critical authentication bypass (CVE-2025-65856) affects Hangzhou Xiongmai Technology Co., Ltd XM530 IP cameras running firmware V5.00.R02.000807D8.10010.346624.S.ONVIF_21.06. The ONVIF implementation fails to enforce authentication on 31 endpoints, allowing unauthenticated remote attackers to access sensitive device information and live video streams. CISA rates the issue CRITICAL (CVSS 3.1 9.8). The vendor has not cooperated with CISA; users should minimize network exposure, isolate devices behind firewalls, and contact Xiongmai support for guidance.
read more →

Critical Carlson VASCO-B GNSS Receiver Authentication Flaw

⚠️ The Carlson VASCO-B GNSS Receiver contains an authentication bypass that allows unauthenticated network access to device configuration and operational functions. Affected firmware builds are versions prior to 1.4.0 (CVE-2026-3893) and the issue carries a CVSS 3.1 base score of 9.4 (Critical). Carlson Software recommends updating to 1.4.0 or later and restricting network exposure. Follow network segmentation and firewall controls to mitigate exposure until you apply the update.
read more →

Critical Azure SRE Agent Flaw Allowed Silent Eavesdropping

🔒 A high-severity authentication flaw in Azure SRE Agent exposed agent activity streams to unauthorized tenants, researcher Yanir Tsarimi of Enclave AI reported. Tracked as CVE-2026-32173 with a CVSS score of 8.6, the vulnerability stemmed from an Entra ID app registration configured as multi-tenant and a WebSocket hub that accepted tokens without tenant authorization checks. The hub broadcast agent prompts, internal reasoning, commands and outputs to all connected clients. Microsoft applied a server-side fix and says no customer action is required, but organizations that ran the agent during preview should review any credentials or sensitive data that may have traversed agent interactions.
read more →

Siemens Industrial Edge Management Authentication Bypass

🔒 Siemens has disclosed an authorization bypass vulnerability in Industrial Edge Management that may allow an unauthenticated remote attacker to circumvent authentication and access connected devices using the product's remote connection feature. Tracked as CVE-2026-33892, the flaw has a CVSS v3.1 base score of 7.1 (High). Siemens released patched versions and urges operators to update immediately and restrict network access to affected systems.
read more →

Siemens SINEC NMS UMC Authentication Bypass Vulnerability

⚠️ A vulnerability in Siemens SINEC NMS when used with the User Management Component (UMC) allows an unauthenticated remote attacker to bypass authentication and gain unauthorized access to the application. Tracked as CVE-2026-24032 and scored CVSS v3.1 7.3 (High), the flaw stems from insufficient validation of user identity in the UMC. Siemens released an update; operators should upgrade to V4.0 SP3 or later. Limit network exposure, isolate control networks behind firewalls, and follow Siemens' industrial security guidance when applying fixes.
read more →

Zero Motorcycles Bluetooth Pairing Vulnerability Reported

🔒 Zero Motorcycles firmware versions 44 and earlier contain a Bluetooth pairing flaw (CVE-2026-1354) that can allow an attacker to forcibly pair with a motorcycle while it is in pairing mode. Once paired and in proximity, an attacker could use over-the-air firmware update capability to upload malicious firmware. The motorcycle must remain paired and within range for the entire update. Zero recommends secure pairing practices, physical key security, and plans a firmware update in May 2026; users should install updates when available.
read more →

Multiple critical vulnerabilities in SenseLive X3050 devices

⚠️ The CISA advisory reports multiple high-severity vulnerabilities in SenseLive X3050 (V1.523) that can allow an attacker on the network to bypass authentication, obtain administrative access, and perform unauthorized firmware operations. Affected issues include hard-coded credentials, missing authentication and authorization, insufficient session handling, cleartext management traffic, CSRF, and unsafe configuration controls that may destabilize device operation. CISA notes no known public exploitation to date; administrators should reduce exposure and contact the vendor.
read more →

Siemens SINEC NMS Authorization Bypass Vulnerability

⚠ Siemens ProductCERT reports an authorization bypass in SINEC NMS prior to V4.0 SP3 that permits an authenticated attacker to reset the password of any user account. The vulnerability arises from improper validation of authorization when processing password reset requests. Siemens has released V4.0 SP3 to remediate the flaw and CISA republished the vendor advisory. Until systems are updated, organizations should apply network restrictions, isolate control networks, and require secure remote access.
read more →

Critical Missing Authorization in AVEVA Pipeline Simulation

🔒 A critical authorization vulnerability (CVE-2026-5387) in AVEVA Pipeline Simulation allows an unauthenticated actor to perform actions reserved for Simulator Instructor or Developer roles, with the potential to modify simulation parameters, training configuration, and training records. Affected versions are <=2025_SP1_build_7.1.9497.6351. AVEVA provides a fix: upgrade to 2025 SP1 P01 (build 7.1.9580.8513) or later; interim mitigations include restricting API network access and enforcing TLS.
read more →

Critical Nginx UI Auth-Bypass (MCP) Flaw Actively Exploited

⚠️ A critical authentication bypass in nginx-ui (CVE-2026-33032) allows unauthenticated attackers to invoke privileged MCP actions via an unprotected /mcp_message endpoint. Exploitation can write, modify, and reload Nginx configuration files, enabling full server takeover from a single request. NGINX issued fixes (starting with 2.3.4, latest secure build 2.3.6) after disclosures; administrators should update and audit exposed instances immediately.
read more →

Critical nginx-ui MCP Authentication Bypass Exploited

🔒 A critical authentication bypass in nginx-ui (CVE-2026-33032, CVSS 9.8) is being actively exploited in the wild, allowing a single unauthenticated API request to take full control of exposed servers. The flaw stems from a missing authentication check on the /mcp_message endpoint while the companion /mcp endpoint retained middleware, exposing 12 MCP tools—seven of which enable destructive actions such as injecting configs, reloading services and intercepting traffic. Maintainers issued a fix in v2.3.4 the day after disclosure; organisations should update immediately, disable MCP if they cannot patch, restrict access to management interfaces and review logs and configurations for unauthorized changes.
read more →