ciso brief

All news with #authentication bypass tag

296 articles · page 9 of 15

EVMAPA EV Charging Stations: Critical Authentication Flaws

🔒 CISA warns of multiple high-severity vulnerabilities in EVMAPA electric vehicle charging station software, including missing authentication on a WebSocket endpoint (CVE-2025-54816), unlimited authentication attempts (CVE-2025-53968), and insufficient session expiration (CVE-2025-55705). Exploitation could enable unauthorized remote command execution, spoofing of station statuses, or denial-of-service, with a top CVSS score of 9.4. Vendor responses vary: EVMAPA plans BASIC auth for OCPP 2.x, uses WSS and vendor VPN for some deployments, and reports one issue has been fixed.

SmarterMail authentication bypass patched, now exploited

🔒 Researchers report an authentication bypass in SmarterTools SmarterMail (tracked as WT-2026-0001) being actively exploited days after a Jan 15, 2026 patch (Build 9511). An unauthenticated HTTP request to the /api/v1/auth/force-reset-password endpoint can set an IsSysAdmin flag and reset any administrator password if the attacker knows the admin username. The same privileged path enables SYSTEM-level remote code execution via the product's Volume Mount Command feature. watchTowr Labs went public after community reports showed the endpoint was used to change an admin password on Jan 17, indicating that attackers reverse-engineered the patch within days.

GitLab 2FA Bypass Vulnerability Requires Immediate Patch

🔒 A critical two-factor authentication bypass (CVE-2026-0723) in GitLab Community and Enterprise editions allows an attacker who knows a user’s credentials to submit forged device responses and bypass MFA. GitLab released patches in versions 18.8.2, 18.7.2 and 18.6.4 and strongly recommends that all self-managed instances upgrade immediately. Additional fixes address several denial-of-service and authorization flaws; GitLab.com and Dedicated tenants are already protected.

Patched FortiGate Firewalls Still Being Compromised

🚨 Fortinet customers report attackers bypassing a previously patched FortiGate authentication flaw (CVE-2025-59718) to create admin accounts on devices running FortiOS 7.4.9 and 7.4.10. Fortinet reportedly plans releases of FortiOS 7.4.11, 7.6.6 and 8.0.0 to fully remediate the issue. Until those updates are available, admins are advised to disable FortiCloud SSO using the GUI or the CLI mitigation steps Fortinet published. Shadowserver found over 25,000 devices with FortiCloud SSO enabled in mid-December, and CISA has listed the vulnerability as actively exploited and ordered expedited patching.

GitLab warns of 2FA bypass and multiple DoS vulnerabilities

🔒 GitLab has patched a high-severity two-factor authentication bypass (CVE-2026-0723) that could allow attackers who know a target's account ID to submit forged device responses and bypass 2FA. The release also addresses two high-severity denial-of-service flaws (CVE-2025-13927, CVE-2025-13928) and two medium-severity DoS issues affecting Wiki rendering and SSH authentication. Administrators should upgrade to 18.8.2, 18.7.2, or 18.6.4 immediately; GitLab.com is already patched.

WhisperPair: Bluetooth Headset Tracking Vulnerability

🔒 A newly disclosed flaw called WhisperPair (CVE-2025-36911) lets an attacker pair with many Bluetooth headsets by abusing Google Fast Pair requests, even when accessories are not in pairing mode. In roughly 10 seconds and within about 14 meters, a hostile device can assume owner-level privileges, enabling microphone access, audio control, or remote location tracking via Google Find Hub. iPhone and other non-Android users face elevated risk because an attacker can register the headset to their Google account if it has never been paired to Android. Mitigations include installing vendor firmware updates, performing a factory reset, or using a trusted Android device to claim ownership if no patch is available.

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.

Cloudflare Fixes ACME Validation Bug Exposing Origins

🔒 Cloudflare patched a vulnerability in its ACME HTTP-01 validation logic that could allow requests to bypass WAF protections and reach customer origin servers. Discovered by FearsOff in October 2025, the flaw arose when edge logic disabled WAF handling for requests matching an ACME challenge token without confirming the token belonged to the requested hostname. Cloudflare said it found no evidence of exploitation and implemented a code change on October 27, 2025 to only disable WAF features when the token is a valid challenge for that specific hostname.

Mandiant Publishes Tool to Expose NTLMv1 Insecurity

🔓 Mandiant released a pre-computed Net-NTLMv1 rainbow table so anyone can map challenge-response data back to real NT hashes, a move intended to force organizations to abandon the insecure NTLMv1 protocol. The dataset, hosted via the Google Cloud Research Dataset portal, can recover keys in about 12 hours using roughly $600 of hardware. Mandiant says the goal is to demonstrate immediate risk and prompt remediation rather than to create new vulnerabilities.

Modular DS WordPress Flaw Lets Attackers Gain Admin

🔒 Hackers are actively exploiting a maximum-severity authentication bypass in the Modular DS WordPress plugin (CVE-2026-23550) to gain admin-level access on vulnerable installs. The flaw affects versions 2.5.1 and earlier and was first observed in the wild on January 13; the vendor released a fix in version 2.5.2 shortly after disclosure. Site owners should update immediately, review server logs, verify admin accounts, and regenerate WordPress salts after patching.

WhisperPair Flaw Lets Attackers Hijack Bluetooth Audio

🔒 Security researchers at KU Leuven disclosed a critical flaw dubbed WhisperPair (CVE-2025-36911) in the Fast Pair protocol that lets attackers forcibly pair with and control Bluetooth audio accessories. The issue stems from devices failing to enforce the Fast Pair requirement to ignore pairing requests when not in pairing mode, enabling silent hijacking and eavesdropping. Hundreds of millions of headphones, earbuds, and speakers from vendors including Google, Jabra, Sony, OnePlus, Xiaomi, and others are affected, and patches are being coordinated with manufacturers.

Critical Fast Pair Flaw Lets Attackers Hijack Headsets

🔒 Researchers disclosed a critical vulnerability in Google's Fast Pair protocol, tracked as CVE-2025-36911 and dubbed WhisperPair. The flaw stems from many accessories failing to ignore pairing requests when not in pairing mode, enabling attackers to pair without user consent. Exploits can hijack audio devices, enable eavesdropping and location tracking, and affect hundreds of millions of headsets from vendors including Google, Sony, Jabra, JBL, and OnePlus. Only manufacturer firmware updates mitigate the risk; disabling Fast Pair on phones does not protect accessories.

Siemens Industrial Edge Authorization Bypass Vulnerability

🔒 Siemens and CISA report an authorization bypass in multiple Siemens Industrial Edge and related devices (CVE-2025-40805) that can allow an unauthenticated remote attacker who knows a legitimate user's identity to impersonate that user. Siemens has released firmware and software updates for many affected models and is preparing additional fixes. Where updates are not yet available, Siemens and CISA advise network isolation, minimizing internet exposure, use of secure remote access (VPNs), and other compensating controls to limit risk.

Siemens Industrial Edge Device Kit: Authorization Bypass

🔒 Users of Siemens Industrial Edge Device Kit should apply updates immediately. CISA reports an authorization bypass (CVE-2025-40805) that enables unauthenticated attackers to impersonate legitimate users by abusing unsecured API endpoints; the issue is rated CVSS v3.1 10.0. Siemens has published patches for multiple arm64 and x86-64 builds (for example V1.24.2 and V1.25.1) and advises restricting network access where fixes are not yet available.

YoSmart YoLink Vulnerabilities Affect Server, Hub, App

🔒 CISA reported several vulnerabilities in the YoSmart YoLink ecosystem impacting the cloud server, Smart Hub, and mobile application. Exploitation could let attackers remotely control other users' devices, intercept unencrypted MQTT traffic, and hijack sessions. YoSmart pushed server-side fixes and will deliver a hub firmware update over-the-air; users should update the YoLink mobile app to 1.40.45 or later.

ServiceNow Patches Critical Flaw in AI Platform — Oct 2025

🔒 ServiceNow has released fixes for a critical flaw in its ServiceNow AI Platform that could allow an unauthenticated actor to impersonate other users and perform arbitrary actions. Tracked as CVE-2025-12420 with a CVSS score of 9.3, the issue was addressed on October 30, 2025 and deployed to the majority of hosted instances. Patches were also shared with partners and self-hosted customers; administrators are advised to apply updates promptly to mitigate risk.

Amazon MQ Adds mTLS Certificate Authentication for RabbitMQ

🔐 Amazon MQ now supports certificate-based authentication for RabbitMQ brokers using mutual TLS (mTLS). The new capability lets brokers running RabbitMQ 4.2 and later use the auth_mechanism_ssl plugin, configured via the broker's configuration file. To enable it, create a new RabbitMQ 4.2 broker (M7g instance type) and update the configuration; the feature is available in all regions where Amazon MQ RabbitMQ 4 instances are offered.

ThreatsDay: Weekly roundup — hacks, vulnerabilities, trends

🛡️ This week's ThreatsDay highlights a critical RustFS gRPC authentication flaw with a hard-coded token (CVSS 9.8) that allowed network attackers to perform privileged operations and was patched in 1.0.0-alpha.78. Other notable stories include GeoServer-based XMRig miners, an evolution in Iran-linked MuddyWater custom backdoors, a surge in Taiwanese infrastructure attacks, and CISA's KEV catalog expansion. Organizations should apply patches, enable MFA, and monitor credentials and exposed services.

Microsoft Exchange Online outage affects IMAP4 access

⚠ Microsoft is investigating an Exchange Online outage (EX1215307) that intermittently prevents users from accessing mailboxes via IMAP4. Microsoft attributes the disruption to a recent IMAP deployment that introduced a code conflict and an authentication misconfiguration, and says a configuration fix has been deployed and is being rolled out. Other connection methods are not affected, and Microsoft advises that retries may restore access while the update completes.

Cisco patches XML parsing flaw in ISE and Snort 3 software

🔒 Cisco has issued updates to address a medium-severity XML parsing vulnerability (CVE-2026-20029, CVSS 4.9) in Identity Services Engine (ISE) and ISE Passive Identity Connector. The flaw in the licensing feature allows an authenticated administrator to upload a crafted file and read arbitrary files from the underlying operating system. Cisco lists specific fixed releases and patches (pre-3.2 must migrate; 3.2/3.3/3.4 have patches; 3.5 not vulnerable), reports no workaround, and acknowledges a public PoC while noting no known in-the-wild exploitation. The advisory also includes fixes for two Snort 3 DCE/RPC issues affecting multiple Cisco products.