< ciso brief />

All news tagged #authentication bypass

296 articles · page 6 of 15

Labkotec LID-3300IP Vulnerability Allows Auth Bypass

⚠️ The Labkotec LID-3300IP ice detector contains an unauthenticated remote-access vulnerability (CVE-2026-1775) that allows an attacker to modify device parameters and execute operational commands by sending specially crafted packets. CISA assigns a CVSS v3.1 base score of 9.4 (Critical). Labkotec recommends migrating to the LID-3300IP Type 2, installing firmware V2.40, and enabling HTTPS; until remediation, operators should remove Internet exposure, segment networks, enforce strong credentials, and monitor device activity.

ClawJacked: Local WebSocket Flaw Gives Remote Control

⚠️ Researchers have revealed a high-severity "ClawJacked" vulnerability in OpenClaw that can allow a malicious webpage to take full control of the AI assistant platform. The issue arises because the gateway binds to localhost and treats local connections as trusted, permitting a script to brute-force credentials and auto-register as a trusted node. Once authenticated, an attacker can enumerate devices, read logs and dispatch commands. Users are urged to upgrade to 2026.2.25 or later immediately.

ClawJacked vulnerability lets websites hijack OpenClaw

🔒 Security researchers disclosed a high-severity ClawJacked vulnerability in OpenClaw that allowed a malicious website to silently brute-force a locally running gateway and take control. Oasis Security reported the issue and OpenClaw released a fix in version 2026.2.26 on February 26. The update hardens WebSocket checks, removes unsafe localhost exemptions, and closes avenues for silent device pairing and credential theft. Administrators should update immediately.

OpenClaw 'ClawJacked' Flaw Lets Webpages Take Control

🔒 OpenClaw addressed a high-severity vulnerability codenamed ClawJacked that allowed attacker-controlled webpages to connect to a local OpenClaw gateway, brute-force its password (no rate limiting), and register as a trusted device with admin privileges because localhost registrations were silently approved. The vendor released 2026.2.25 on Feb 26, 2026, and urges immediate updates, access audits, and stronger governance for agent identities.

Local OpenClaw Agents Vulnerable to WebSocket Abuse

🔒 Researchers at Oasis Security disclosed a chain of flaws that allowed malicious websites to connect to a locally running OpenClaw agent and seize control. The issue exploits browser behavior that permits WebSocket connections to localhost combined with the agent’s automatic device pairing, weak authentication and disabled rate limits. Tracked as CVE-2026-25253, the vulnerability enabled silent password brute-forcing and device registration. OpenClaw issued a prompt fix (v2026.2.25+) but experts warn architectural changes and stronger controls are needed.
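
The four ClawJacked summaries above describe one chain: a browser will open a WebSocket to 127.0.0.1 for any page, the gateway treated a localhost peer as trusted, nothing throttled password guesses, and a localhost registration was approved with no user in the loop. The following is an added example (not OpenClaw's code) of the three server-side checks that break each link, written as plain functions over the handshake headers so they can be exercised without a socket. The allowed origins, thresholds, result strings and the pairing-request shape are assumptions.

```python
"""Three handshake-time controls for a WebSocket gateway that listens on localhost.

Added example, not OpenClaw's code: the allowed origins, the thresholds and the
shape of the pairing request are assumptions chosen to illustrate the fix.
"""
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# 1. Origin check. A browser always sends an Origin header on a WebSocket
#    upgrade; native clients usually send none. A page from any other origin
#    is a cross-site caller even though the TCP peer is 127.0.0.1.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:18789", "app://gateway-ui"})  # assumed


def origin_allowed(headers: dict) -> bool:
    origin = headers.get("origin")
    if origin is None:
        return True  # no browser in the loop; the caller still has to authenticate
    return origin in ALLOWED_ORIGINS


# 2. Password-guess throttle. With no limit, a page can try thousands of
#    passwords per second against the local port. Every browser caller shares
#    the peer 127.0.0.1, so locking that peer locks all of them, which is intended.
@dataclass
class AuthThrottle:
    max_failures: int = 5
    window_s: float = 60.0
    lockout_s: float = 300.0
    _failures: dict = field(default_factory=lambda: defaultdict(list))
    _locked_until: dict = field(default_factory=dict)

    def allowed(self, peer: str, now: float) -> bool:
        if self._locked_until.get(peer, 0.0) > now:
            return False
        recent = [t for t in self._failures[peer] if now - t < self.window_s]
        self._failures[peer] = recent
        return len(recent) < self.max_failures

    def record_failure(self, peer: str, now: float) -> None:
        recent = [t for t in self._failures[peer] if now - t < self.window_s]
        recent.append(now)
        self._failures[peer] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[peer] = now + self.lockout_s

    def record_success(self, peer: str) -> None:
        self._failures.pop(peer, None)


# 3. Explicit pairing. A new node is never trusted merely because it connected
#    from localhost; it stays "pending" until a user approves it out of band.
@dataclass
class PairingRegistry:
    approved: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)

    def request(self, device_id: str, peer: str) -> str:
        if device_id in self.approved:
            return "trusted"
        self.pending[device_id] = peer
        return "pending"

    def approve(self, device_id: str) -> None:
        self.pending.pop(device_id, None)
        self.approved.add(device_id)


def handle_handshake(headers: dict, peer: str, password: str, expected: str,
                     device_id: str, throttle: AuthThrottle,
                     registry: PairingRegistry, now: float) -> str:
    """Outcome of one connection attempt:
    'rejected-origin', 'throttled', 'bad-password', 'pending' or 'trusted'."""
    if not origin_allowed(headers):
        return "rejected-origin"
    if not throttle.allowed(peer, now):
        return "throttled"
    if not hmac.compare_digest(password.encode(), expected.encode()):
        throttle.record_failure(peer, now)
        return "bad-password"
    throttle.record_success(peer)
    return registry.request(device_id, peer)


if __name__ == "__main__":
    throttle, registry = AuthThrottle(), PairingRegistry()
    # A malicious page: right password, wrong Origin, so it never reaches auth.
    print(handle_handshake({"origin": "https://attacker.example"}, "127.0.0.1",
                           "s3cret", "s3cret", "node-1", throttle, registry, 0.0))
    # A local brute force: five wrong guesses, then the peer is locked out.
    for i in range(6):
        print(handle_handshake({}, "127.0.0.1", f"guess{i}", "s3cret", "node-1",
                               throttle, registry, float(i)))
```

The order of the checks matters: the Origin test runs before any password comparison, so a cross-site page cannot even consume the guess budget, and a correct password still only yields "pending" until someone approves the node.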

Chargemap Charging Infrastructure Vulnerabilities Reported

🔒 CISA reports multiple vulnerabilities in Chargemap's public charging infrastructure that could allow attackers to impersonate charging stations, hijack sessions, and disrupt services. The most severe issue (CVE-2026-25851) involves unauthenticated OCPP WebSocket endpoints and carries a CVSS v3.1 base score of 9.4. Chargemap did not respond to CISA's coordination requests; users should contact vendor support and reduce network exposure until fixes are available.

CloudCharge OCPP WebSocket Flaws Enable Station Impersonation

⚠️ CISA warns of multiple critical vulnerabilities in CloudCharge's cloudcharge.se platform affecting its OCPP WebSocket endpoints (four CVEs, highest CVSS v3.1 base score 9.4). Exploitation can enable station impersonation, session hijacking, credential exposure, and large-scale denial of service by suppressing or misrouting telemetry. CloudCharge did not respond to CISA's coordination requests; operators should apply network mitigations and restrict Internet exposure. CISA identifies the Energy and Transportation sectors as at risk worldwide.

Critical OCPP WebSocket Flaws in SWITCH EV Charging

🔒 Successful exploitation of vulnerabilities in SWITCH EV charging infrastructure could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate telemetry, and manipulate backend data. The advisory identifies four CVEs affecting all product versions, including CVE-2026-27767 with a CVSS v3.1 base score of 9.4 (Critical). The vendor did not respond to CISA's coordination requests; CISA recommends minimizing network exposure, isolating control-system networks, using secure remote access, and contacting the vendor for remediation status. No public exploitation has been reported.

EV2GO ev2go.io WebSocket Auth & Session Risks

🔒 CISA reports multiple critical vulnerabilities in EV2GO's ev2go.io WebSocket interfaces that allow unauthenticated actors to impersonate charging stations, hijack sessions, and manipulate backend data. Exploitation can lead to large-scale denial of service, suppression or misrouting of legitimate telemetry, and unauthorized control of charging infrastructure; all versions are affected, and the highest CVSS v3.1 base score is 9.4. The vendor did not respond to CISA's coordination requests; operators should minimize Internet exposure, isolate ICS networks, and implement stronger authentication, session management, and rate limiting.

Pelco Sarix Pro 3 Series Authentication Bypass Advisory

🔒 CISA reports an authentication bypass vulnerability (CVE-2026-1241) affecting Pelco Sarix Professional 3 Series IP cameras running firmware 02.52 and earlier. Successful exploitation can permit unauthenticated access to live video streams and sensitive device data, creating privacy, operational, and compliance risks across multiple critical infrastructure sectors. Pelco has released firmware 02.53 to address the issue; users should update promptly and follow network hardening guidance such as isolating camera networks, minimizing Internet exposure, and placing devices behind firewalls.

Copeland XWEB/XWEB Pro Multiple Critical Vulnerabilities

⚠️ Copeland has released patches addressing numerous severe vulnerabilities in XWEB and XWEB Pro appliances that may allow authentication bypass, remote code execution, denial-of-service, path traversal, and memory corruption. Affected firmware includes XWEB 300D PRO, 500D PRO, and 500B PRO running version 1.12.1 or earlier. Several issues are rated high or critical, including one pre-authentication vulnerability with a CVSS v3.1 score of 10.0. Administrators should apply vendor updates immediately and minimize device exposure on untrusted networks.

Critical OCPP WebSocket Flaws in Mobility46 Stations

Mobility46's mobility46.se charging-station platform is affected by multiple OCPP WebSocket vulnerabilities that can allow unauthorized administrative access, session hijacking, credential exposure, and denial of service. Four CVEs are documented, including one critical issue with a CVSS v3.1 base score of 9.4. Mobility46 did not respond to CISA's coordination requests; operators should isolate devices, apply network controls, and contact the vendor for guidance.

CISA: EV Energy ev.energy Vulnerabilities — Urgent Advisory

🔒 CISA warns of multiple critical and high-severity vulnerabilities in EV Energy's ev.energy platform that could permit unauthorized administrative control, session hijacking, credential exposure, and denial of service against charging stations. The advisory identifies four CVEs (including CVE-2026-27772) affecting all versions and assigns a top CVSS v3.1 base score of 9.4 to the most severe issue. EV Energy did not respond to CISA's coordination requests; CISA recommends vendor fixes and immediate network hardening, including minimizing Internet exposure and restricting access to charge point endpoints.
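
The Chargemap, CloudCharge, SWITCH, EV2GO, Mobility46 and EV Energy advisories above share one root cause: an OCPP-J central system accepted a WebSocket upgrade on a station-specific URL and took the charge point identity from the path alone, so anyone who can reach the endpoint can speak as any station, suppress its telemetry or ride on its session. The following is an added example (not code from any of the vendors named) of what "stronger authentication, session management, and rate limiting" looks like at the handshake: bind the ID in the path to HTTP Basic credentials, as OCPP security profiles 1 and 2 do, refuse a second live session for the same ID, and only then process a BootNotification CALL. The credential store, URL layout, session policy and sample messages are assumptions.

```python
"""Handshake and first-message checks for an OCPP-J (JSON over WebSocket)
central system. Added example, not code from any vendor named above: the
credential store, URL layout, session policy and sample messages are assumptions.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlparse

CALL, CALLRESULT, CALLERROR = 2, 3, 4  # OCPP-J MessageTypeId values


def _pw_hash(password: str, salt: str) -> str:
    # Salted SHA-256 keeps the example dependency-free; use a real password KDF in production.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Assumed store: chargePointId -> (salt, hash of the station's Basic-auth password).
# OCPP security profiles 1 and 2 carry the password as HTTP Basic auth on the
# upgrade request; profile 3 uses a client certificate instead.
CREDENTIALS = {"CP-0001": ("salt-a", _pw_hash("station-secret-1", "salt-a"))}


def basic_auth_header(user: str, password: str) -> dict:
    """What a correctly configured station sends (helper for the demo)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"authorization": "Basic " + token}


def station_id_from_path(path: str) -> Optional[str]:
    """ws://host/ocpp/<chargePointId>: the last segment is only a *claimed* identity."""
    parts = urlparse(path).path.rstrip("/").split("/")
    return parts[-1] if len(parts) >= 3 and parts[-2] == "ocpp" else None


def basic_auth_identity(headers: dict) -> Optional[Tuple[str, str]]:
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


class CentralSystem:
    def __init__(self, credentials: dict):
        self._creds = credentials
        self._sessions = {}  # chargePointId -> connection handle

    def accept_upgrade(self, path: str, headers: dict, conn) -> Tuple[int, str]:
        """HTTP status for the WebSocket upgrade. The advisories describe systems that
        went straight from the path to 101; the two checks in between are what make
        the station ID mean something."""
        claimed = station_id_from_path(path)
        if claimed is None:
            return 404, "unknown endpoint"
        ident = basic_auth_identity(headers)
        if ident is None:
            return 401, "credentials required"
        user, password = ident
        rec = self._creds.get(claimed)
        # Bind the authenticated user to the station named in the path.
        if rec is None or user != claimed or not hmac.compare_digest(
                _pw_hash(password, rec[0]), rec[1]):
            return 401, "bad credentials"
        if claimed in self._sessions:
            return 409, "station already connected"  # no silent takeover of a live session
        self._sessions[claimed] = conn
        return 101, "switching protocols"

    def close(self, station: str, conn) -> None:
        if self._sessions.get(station) is conn:
            del self._sessions[station]

    def on_message(self, conn, station: str, raw: str) -> list:
        """Only the connection that authenticated as `station` may speak for it."""
        if self._sessions.get(station) is not conn:
            return [CALLERROR, None, "NotAuthorized", "no authenticated session", {}]
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            return [CALLERROR, None, "FormationViolation", "not JSON", {}]
        if not (isinstance(msg, list) and len(msg) == 4 and msg[0] == CALL):
            return [CALLERROR, None, "FormationViolation", "expected a CALL", {}]
        _, uid, action, payload = msg
        if action == "BootNotification" and isinstance(payload, dict):
            return [CALLRESULT, uid, {"status": "Accepted",
                                      "currentTime": "2026-03-01T00:00:00Z",  # constructed
                                      "interval": 300}]
        return [CALLERROR, uid, "NotImplemented", action, {}]


# Constructed sample: a BootNotification CALL as a station would send it.
BOOT_CALL = json.dumps([CALL, "19223201", "BootNotification",
                        {"chargePointVendor": "ExampleVendor", "chargePointModel": "Model-1"}])

if __name__ == "__main__":
    cs = CentralSystem(CREDENTIALS)
    good = basic_auth_header("CP-0001", "station-secret-1")
    print(cs.accept_upgrade("/ocpp/CP-0001", {}, "conn-a"))        # 401: the path alone is not identity
    print(cs.accept_upgrade("/ocpp/CP-0001", good, "conn-a"))      # 101
    print(cs.accept_upgrade("/ocpp/CP-0001", good, "conn-b"))      # 409: CP-0001 is already connected
    print(cs.on_message("conn-a", "CP-0001", BOOT_CALL))           # CALLRESULT
    print(cs.on_message("conn-b", "CP-0001", BOOT_CALL))           # CALLERROR NotAuthorized
```

Two things the example deliberately does not do: it never accepts a station whose Basic-auth user differs from the path segment, even with valid credentials for some other station, and it never hands a second connection an existing station's session. Those are the two gaps that turn "can reach the endpoint" into "can impersonate a charger" in the advisories above. Rate limiting failed upgrades per source address belongs in front of this code, at the reverse proxy or listener.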

Immediate Patch Urged for Critical Cisco Catalyst SD-WAN Bug

⚠️ Government security agencies have urged immediate patching of a critical zero-day, CVE-2026-20127, impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The authentication bypass can grant unauthenticated remote attackers administrative privileges, NETCONF access and the ability to alter SD-WAN configuration. Authorities including CISA and Five Eyes partners require urgent patching and threat hunting; Cisco released fixes on 25 February 2026.

Maximum-Severity Cisco SD-WAN Zero-Day Actively Exploited

🔒 A maximum-severity vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 10.0), lets an unauthenticated remote attacker bypass authentication and obtain elevated administrative privileges by sending a crafted request. Cisco reports active exploitation across on-prem and Cisco-hosted deployments by a sophisticated actor identified as UAT-8616, with malicious activity dating to 2023. Customers should apply vendor fixes immediately, audit /var/log/auth.log for unexpected "Accepted publickey for vmanage-admin" entries, and follow CISA emergency guidance.
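
The summary above gives one concrete hunting indicator for CVE-2026-20127: entries of the form "Accepted publickey for vmanage-admin" in /var/log/auth.log that you cannot account for. The following is an added example (not Cisco's or CISA's tooling) that parses standard sshd "Accepted" lines and flags vmanage-admin public-key logins from addresses that are not on an allowlist of known controller peers. The allowlist, the host name and the sample log lines are constructed for the demo and are not taken from the advisory.

```python
"""Hunt for unexpected 'Accepted publickey for vmanage-admin' logins in auth.log.

Added example, not vendor tooling. EXPECTED_PEERS and SAMPLE_AUTH_LOG are
constructed for the demo; fill the allowlist from your own controller inventory.
"""
import re
from collections import Counter

# sshd's standard "Accepted <method> for <user> from <ip> port <port>" line,
# with the syslog timestamp, host and pid in front of it.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)"
)

# Assumed: management-plane addresses that legitimately log in as vmanage-admin.
EXPECTED_PEERS = frozenset({"10.10.0.11", "10.10.0.12"})
WATCH_USER = "vmanage-admin"


def parse_accepted(line: str):
    """Return the fields of an sshd 'Accepted' line, or None for any other line."""
    m = ACCEPTED_RE.match(line)
    return m.groupdict() if m else None


def suspicious_logins(lines, expected_peers=EXPECTED_PEERS, user=WATCH_USER):
    """Public-key logins as `user` whose source address is not an expected peer."""
    hits = []
    for line in lines:
        ev = parse_accepted(line)
        if not ev or ev["user"] != user or ev["method"] != "publickey":
            continue
        if ev["ip"] not in expected_peers:
            hits.append(ev)
    return hits


def summarize(hits):
    """Count hits by source address so the analyst sees where they came from."""
    return Counter(h["ip"] for h in hits)


# Constructed sample lines; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Feb 24 03:12:01 vmanage sshd[2231]: Accepted publickey for vmanage-admin from 10.10.0.11 port 44120 ssh2: RSA SHA256:abc
Feb 24 03:12:07 vmanage sshd[2240]: Accepted password for admin from 10.10.5.40 port 50022 ssh2
Feb 24 03:15:44 vmanage sshd[2302]: Accepted publickey for vmanage-admin from 198.51.100.23 port 38812 ssh2: RSA SHA256:def
Feb 24 03:15:45 vmanage sshd[2302]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
Feb 24 04:01:09 vmanage sshd[2410]: Accepted publickey for vmanage-admin from 198.51.100.23 port 38900 ssh2: RSA SHA256:def
Feb 24 04:02:18 vmanage sshd[2419]: Failed publickey for vmanage-admin from 203.0.113.9 port 41000 ssh2: RSA SHA256:ghi
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pass a path to a real auth.log (and its rotated siblings); otherwise use the sample.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    hits = suspicious_logins(lines)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} from {h['ip']} (pid {h['pid']})")
    print("by source:", dict(summarize(hits)))
```

Two caveats a hunter should keep in mind: the summary reports activity dating back to 2023, so rotated and archived copies of auth.log need the same pass, and an allowlist miss is a lead, not proof; a login from an expected peer can still be malicious if that peer was itself compromised, which is why the advisory pairs this check with a full audit of controller configuration.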

Five Eyes Emergency Directive: Exploited Cisco SD-WAN

⚠️ Federal and allied cybersecurity agencies issued an emergency directive after Cisco Talos disclosed active exploitation of a critical flaw in Cisco Catalyst SD-WAN controllers (CVE-2026-20127). The vulnerability allows unauthenticated attackers to bypass authentication and gain administrative access to SD‑WAN control-plane components. Cisco has released patches with no workarounds; CISA and Five Eyes partners urge immediate patching, inventorying of in-scope systems, log collection and active hunting for compromise.

Critical Cisco SD-WAN Authentication Bypass Exploited

⚠️ Cisco warns of a critical authentication bypass in Cisco Catalyst SD-WAN (CVE-2026-20127) that has been exploited in zero-day attacks beginning in 2023. The flaw allows attackers to authenticate as a high-privileged non-root account, add rogue peers, and manipulate NETCONF to alter SD-WAN fabric configuration. Cisco and partners report active exploitation, and vendors have issued software updates; there are no full workarounds, so immediate patching and hardening are urged.

Gardyn Home Kit Multiple Vulnerabilities: Patches Available

🔒 CISA reports multiple high‑severity vulnerabilities in Gardyn Home Kit firmware, cloud API, and mobile application that could permit unauthenticated access, remote command execution, and extraction of administrative credentials. Affected versions include the mobile app prior to 2.11.0, cloud API before 2.12.2026, and firmware older than master.619. Gardyn has released fixes in updated software; users should update apps and firmware and keep devices connected to receive automatic patches.

Six high-to-critical vulnerabilities discovered in OpenClaw

🔍 Endor Labs found six high-to-critical flaws in the open-source AI agent framework OpenClaw, including SSRF paths, missing webhook verification, authentication bypasses, and a path traversal in browser uploads. The team used an AI-driven SAST engine to trace attacker-controlled data flows and produced working proof-of-concept exploits that confirmed real-world exploitability. OpenClaw maintainers were notified and have published patches and security advisories addressing the issues.

Welker OdorEyes XL4 Controller Missing Authentication

🛡️ The Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller contains a missing-authentication vulnerability, tracked as CVE-2026-24790, that lets a remote actor influence the underlying PLC without authenticating. Successful exploitation could cause over- or under-odorization events, impacting safety and process control. CISA rates the issue High (CVSS v3.1 base score 8.2) and recommends contacting Welker, minimizing network exposure, isolating control networks, and using secure remote-access methods such as up-to-date VPNs.