< ciso brief />

All news with #authentication bypass tag

296 articles · page 7 of 15

Researchers Reveal Six New High-Risk OpenClaw Flaws

🔒 OpenClaw has patched six vulnerabilities disclosed by Endor Labs, including SSRF, missing webhook authentication and a path traversal issue that range from moderate to high severity. The set includes CVE-2026-26322 (Gateway SSRF, CVSS 7.6), CVE-2026-26319 (Telnyx webhook auth bypass, CVSS 7.5) and several GitHub Security Advisories such as GHSA-56f2-hvwg-5743. Endor warns that agent frameworks’ multi-layered architectures mean vulnerabilities can span files and components, requiring data-flow analysis and layered validation to mitigate exploitation. SecurityScorecard also flagged many publicly exposed OpenClaw instances, raising enterprise risk.

Critical Honeywell CCTV Auth Bypass Threat to Devices

🔒 CISA has issued an advisory for a critical Honeywell CCTV vulnerability tracked as CVE-2026-1670. An unauthenticated API endpoint can be abused to change the account recovery email, enabling account takeover and unauthorized access to camera feeds. The advisory lists several mid-range models; Honeywell users should contact support and limit network exposure until vendor guidance or patches are available.

Honeywell CCTV Products: Critical Account Recovery Flaw

🔒 CISA reports a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products that exposes an unauthenticated API endpoint allowing an attacker to change the forgot-password recovery email. Successful exploitation can enable account takeover and unauthorized access to camera feeds, and the issue is scored CVSS v3.1 9.8 (CRITICAL). Affected firmware includes several 2MP and 25M IPC/PTZ variants. Honeywell recommends contacting support for patches; CISA urges reducing Internet exposure, segmenting networks, and using secure remote access.

What CISOs Need to Know About OpenClaw Risks and Mitigations

⚠️ OpenClaw is an open‑source AI‑agent orchestration tool that runs locally, integrates with common chat apps and can use any LLM backend, driving rapid adoption. Researchers have found widespread exposed instances, critical authentication‑bypass flaws, plaintext credentials in the ClawHub marketplace and hundreds of malicious skills enabling credential theft and remote code execution. Experts urge enterprises to ban or tightly restrict use, enforce least privilege, MFA, endpoint segmentation and continuous telemetry if pilots are allowed.

Siemens Siveillance Video: Webhooks Missing Authorization

🔒 Siemens ProductCERT reports a Missing Authorization vulnerability in the Webhooks implementation of Siveillance Video Management Servers that can allow authenticated users with read-only privileges to gain full access to the Webhooks API. Affected releases include V2023 R1–R3, V2024 R1, and V2025 builds older than the specified hotfix revisions. Siemens has published fixes and recommends updating to the listed hotfix revisions. If patching is delayed, audit role settings and limit network exposure to affected devices.

OpenClaw Risks and Enterprise Exposure: What CISOs Must Know

⚠️ OpenClaw is a rapidly adopted local agent orchestration tool (formerly Clawdbot/Moltbot) that integrates with chat apps, operating systems, smart-home devices, browsers and productivity platforms and can be configured to use any LLM backend. Its GitHub repo and the Moltbook social layer saw millions of visits and hundreds of thousands of agents and downloads in recent weeks. Security researchers warn the tool is insecure-by-default: exposed instances, authentication bypasses, plaintext credentials and malicious third-party skills create serious enterprise risk. Organizations are advised to block traffic, rotate credentials and restrict experimentation to isolated, managed environments.

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.

Warlock Ransomware Breach Through SmarterMail Flaw

🔒 SmarterTools confirmed that the Warlock ransomware group breached its network after exploiting an authentication-bypass flaw in a single, unpatched SmarterMail VM (CVE-2026-23760) on January 29, allowing attackers to reset admin passwords and obtain full privileges. The intrusion led to compromise of 12 Windows servers in the company’s office network and a secondary data center used for testing and hosting, while the company’s Linux infrastructure was not affected. Security tooling, including SentinelOne, blocked the final encryption payload, impacted systems were isolated, and data was restored from backups; SmarterTools urges administrators to upgrade to Build 9511 or later.

BeyondTrust Patches Critical Pre-Auth RCE in RS and PRA

🔒 BeyondTrust has released updates to address a critical pre-authentication remote code execution vulnerability affecting Remote Support and older Privileged Remote Access versions. The flaw, tracked as CVE-2026-1731, is an operating-system command injection rated 9.9 on the CVSS scale and allows unauthenticated attackers to execute OS commands in the context of the site user. Patches (BT26-02-RS and BT26-02-PRA) or upgrades to the fixed releases should be applied immediately, and self-hosted customers without automatic updates must apply the fix manually.

Hitachi Energy XMC20 RADIUS Forgery Vulnerability Advisory

⚠️ Hitachi Energy disclosed a critical vulnerability (CVE-2024-3596) affecting XMC20 devices that use remote RADIUS authentication. An MD5 Response Authenticator weakness permits a local attacker to forge or convert valid RADIUS responses (Access-Accept, Access-Reject, Access-Challenge), affecting confidentiality, integrity, and availability. Vendor guidance is to upgrade to XMC20 R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server; where upgrades are not possible, segment FOX management traffic and apply network mitigations. CISA republishes the vendor advisory for visibility.

Hitachi Energy FOX61x RADIUS MD5 Forgery Vulnerability

🔒 Hitachi Energy reported a critical vulnerability in FOX61x devices when configured to use remote RADIUS authentication. The RADIUS implementation is vulnerable to a chosen-prefix collision attack on the MD5 Response Authenticator, allowing an attacker able to manipulate responses to forge Access-Accept/Access-Reject/Access-Challenge messages and affect confidentiality, integrity, and availability. Affected versions include FOX61x R17A and earlier; update to R18 and enable the RADIUS Message-Authenticator on both the device and the RADIUS server. If immediate upgrade is not possible, segment FOX management traffic to reduce exposure.

TP-Link VIGI IP Cameras: Local Password Bypass Vulnerability

🔒 A vulnerability in the TP‑Link VIGI Series IP Camera local web interface allows an attacker on the same LAN to bypass authentication in the password recovery flow and reset the administrator password by manipulating client-side state. Successful exploitation grants full administrative access, compromising device configuration and network security. TP‑Link has released firmware updates and strongly recommends installing the latest builds; CISA advises isolating affected devices from public networks and using secure remote access such as updated VPNs.

Two Critical Sandbox Escapes in n8n AI Lead to Full Takeover

🔒 Pillar Security identified two maximum-severity sandbox escape vulnerabilities in the n8n workflow automation platform that allow any authenticated user to gain full server control and exfiltrate stored credentials (API keys, cloud keys, database passwords and OAuth tokens) on both self-hosted and cloud instances. The first flaw was patched by n8n, but researchers found a bypass within 24 hours, prompting the vendor to release n8n v2.4.0 in January 2026. Immediate mitigation steps include upgrading to 2.4.0, rotating the n8n encryption key and all stored credentials, auditing workflows for suspicious expressions and monitoring AI-related outbound activity.

CISA: Synectix LAN 232 TRIO Unauthenticated Web Interface

🔒 The Synectix LAN 232 TRIO 3‑port serial-to-Ethernet adapter exposes its web management interface without requiring authentication, enabling unauthenticated actors to modify critical device settings or perform a factory reset. Tracked as CVE-2026-1633 and rated CVSS v3.1 10.0 (Critical), the product is end-of-life and Synectix is no longer in business, so firmware fixes are unavailable. CISA recommends minimizing network exposure, isolating control networks behind firewalls, and using up-to-date VPNs or other secure remote-access methods while operators pursue replacement or isolation of affected units.

Avation Light Engine Pro: Critical Missing Authentication

🛡️ Avation's Light Engine Pro devices expose configuration and control interfaces without authentication, tracked as CVE-2026-1341. Successful exploitation could allow an attacker to take full control of affected units. Avation has not responded to CISA's coordination request; users should contact the vendor and apply mitigations such as isolating devices from the internet, placing them behind firewalls, and using VPNs for remote access. CISA reports no public exploitation to date.

MOMA Seismic Station Authentication Bypass Vulnerability

⚠️ MOMA Seismic Station versions v2.4.2520 and earlier expose the device web management interface without requiring authentication, enabling unauthenticated actors to modify configuration, retrieve device data, or remotely reset the device. The vulnerability is tracked as CVE-2026-1632 and classified as Missing Authentication for Critical Function (CWE-306). CISA assigns a CRITICAL severity (CVSS v3.1 Base Score 9.1) and notes that RISS SRL did not provide a vendor-supplied patch in the advisory.

Microsoft to Disable NTLM Authentication by Default in Windows

🔒 Microsoft has moved the long-planned phase-out of NTLM into a default-disable posture for Windows 11 and Windows Server. Introduced in the 1990s and largely superseded by Kerberos since Windows 2000, NTLM still appears in many legacy enterprise systems and enables attacks such as NTLM relay. Administrators have been preparing for years, but Microsoft now considers NTLM deprecated and has published a timetable for deactivation to help organizations plan.

Microsoft Begins Three-Stage NTLM Phase-Out Plan for Windows

🔒 Microsoft announced a three-stage plan to make NTLM disabled by default and move Windows environments to stronger, Kerberos-based authentication. Phase 1 (available now) introduces enhanced NTLM auditing to identify where legacy authentication is used. Phase 2 (pre-release) will address migration blockers with features such as IAKerb and a Local KDC and update core Windows components to prefer Kerberos (targeted H2 2026). Phase 3 will ship NTLM disabled by default in the next Windows Server and associated client, with policy controls to explicitly re-enable legacy behavior.

Researcher Shows Private Instagram Profiles Leaking

🔍 A security researcher published evidence that some Instagram private profiles returned links to user photos and captions inside the page HTML, making them visible to unauthenticated visitors on certain mobile devices. Researcher Jatin Banga showed the polaris_timeline_connection JSON object embedded encoded CDN links pointing to images that should have been private. In tests of private accounts he controlled or had permission to use, about 28% exposed captions and CDN links. Banga reported the issue to Meta on October 12, 2025; Meta later closed the report as "not applicable" and did not provide a root-cause analysis, though the behavior ceased roughly October 16.

KiloView Encoder Series: Missing Auth (CVE-2026-1453)

⚠️ CISA warns of a critical Missing Authentication for Critical Function vulnerability (CVE-2026-1453) in KiloView Encoder Series devices that could let an unauthenticated attacker create or delete administrator accounts and gain full administrative control. Multiple E1, E1-s, E2, G1, P1, P2 and RE1 hardware and firmware builds are affected. No public exploitation has been reported to CISA, and KiloView has not engaged with CISA; users should minimize network exposure, ensure devices are not directly reachable from the Internet, and contact KiloView support for guidance.