< ciso
brief />
Tag Banner

All news with #command injection tag

33 articles

Ubiquiti patches max-severity UniFi OS flaws

πŸ”’ Ubiquiti released updates addressing seven critical UniFi OS vulnerabilities, including a maximum-severity command injection flaw (CVE-2026-50746) in the UniFi Connect Application. The flaw affects versions 3.4.16 and earlier and could allow a network-based attacker to execute commands on the host. Users are advised to upgrade UniFi Connect to version 3.4.20 or later. Six additional critical issues across UniFi Talk, Access, Protect, UniFi OS Server, and multiple devices were also patched.
read more β†’

CISA orders three-day patch for Ivanti Sentry flaw

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch an actively exploited Ivanti Sentry flaw (CVE-2026-10520) within three days under Binding Operational Directive BOD 26-04. The vulnerability, an OS command injection in Ivanti's security gateway appliance, has been confirmed exploited and added to CISA's Known Exploited Vulnerabilities Catalog. Shadowserver reports multiple Sentry gateways have already been backdoored and warns unpatched systems are likely compromised.
read more β†’

Maximum-severity Ivanti Sentry flaw now exploited

πŸ”’ Attackers are exploiting a recently patched maximum-severity OS command injection in Ivanti Sentry (formerly MobileIron Sentry), tracked as CVE-2026-10520, to achieve root code execution on Internet-exposed gateways. Ivanti released patches in Sentry R10.5.2, R10.6.2, and R10.7.1, but Shadowserver reports many publicly reachable appliances have already been backdoored. Shadowserver warned that their scans undercount exposures due to blocklisting and urged immediate patching, while Ivanti has not revised its advisory and maintains no evidence of customer exploitation at disclosure.
read more β†’

Universal Robots Polyscope 5 Command Injection Fix

⚠️ A critical OS command injection in the Dashboard Server of Universal Robots Polyscope 5 (CVSS 9.8) allows unauthenticated attackers to execute commands on the robot's operating system. Affected releases are versions prior to 5.25.1; the vendor has issued Polyscope 5 v5.25.1 as a corrective update. CISA advises immediate patching and network defenses including segmentation, firewalling, and limiting internet exposure.
read more β†’

Siemens Ruggedcom Rox OS Command Injection Fix Released

⚠ An input validation vulnerability in the feature key installation process of Siemens Ruggedcom Rox allows an authenticated remote attacker to inject OS commands and achieve arbitrary code execution with root privileges. Siemens has released updates and advises customers to upgrade affected devices to V2.17.1 or later without delay. CISA and Siemens recommend isolating control networks, restricting access, and following Siemens' operational guidelines to reduce exposure.
read more β†’

Siemens Ruggedcom Rox OS Command Injection Advisory

⚠️An input validation vulnerability in the Scheduler feature of Siemens Ruggedcom Rox devices allows an authenticated remote attacker to inject OS commands via the device's Web UI. Successful exploitation can execute arbitrary commands with root privileges on the underlying operating system. Siemens has released updates and recommends upgrading to V2.17.1 or later; CISA urges operators to apply the patch and implement network protections such as firewalls, isolation, and secure remote access.
read more β†’

Nexcorium Mirai Variant Exploits DVR Command Injection

⚠️Fortinet researchers observed a campaign exploiting a command injection flaw (CVE-2024-3721) in TBK DVR systems to deploy a Mirai-based, multi-architecture botnet called Nexcorium. Attackers deliver a downloader via crafted HTTP requests that retrieves ARM, MIPS and x86-64 payloads and executes them with elevated privileges. The malware leverages an XOR-encoded configuration, embedded credential lists for brute-force access and multiple persistence mechanisms, and network traffic includes a custom HTTP header referencing Nexus Team that may indicate the actor.
read more β†’

Chained Cisco Catalyst 9300 Flaws Could Cause DoS Outage

πŸ”’ Cisco's Catalyst 9300 switches contain four vulnerabilities β€” two of which can be chained to escalate privileges and induce a denial-of-service by forcing the device into maintenance mode. Opswat's Unit 515 CIP Lab reported CVE-2026-20114 (command injection) and CVE-2026-20110 (insufficient sanitization), which together allow a low-privileged Lobby Ambassador account to gain higher privileges. Cisco released fixes in its March 25, 2026 IOS and IOS XE advisory; administrators should run the Software Checker, enable MFA for Lobby Ambassador accounts, and, where possible, set the privilege level for the 'start maintenance' command from the CLI.
read more β†’

Low-cost KVM-over-IP Flaws Risk Remote Network Takeover

πŸ”’ Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.
read more β†’

CISA Adds Two Known-Exploited Vulnerabilities to KEV Catalog

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2026, after observing evidence of active exploitation. The entries include CVE-2026-21385, a memory corruption issue impacting multiple Qualcomm chipsets, and CVE-2026-22719, a command injection vulnerability affecting Broadcom VMware Aria Operations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged flaws by the required due dates; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to add vulnerabilities that meet its KEV criteria.
read more β†’

CISA Confirms Active Exploitation of FileZen Flaw Now

🚨 CISA has added a recently disclosed FileZen vulnerability, CVE-2026-25108 (CVSS v4 8.7), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The issue is an OS command injection that allows an authenticated user to execute arbitrary commands via specially crafted HTTP requests. Affected versions include 4.2.1–4.2.8 and 5.0.0–5.0.10; Soliton advises updating to 5.0.11 or later and changing passwords if exploitation is suspected. Federal agencies must remediate by March 17, 2026.
read more β†’

VMware patches Aria Operations command injection flaw

πŸ”’Recent patches from VMware address several high- and medium-risk vulnerabilities in Aria Operations, Cloud Foundation, and Telco Cloud products. The most serious, CVE-2026-22719, is an unauthenticated command injection that could lead to remote code execution but requires support-assisted product migration to be exploitable, so it is rated high rather than critical. Broadcom recommends upgrading to Aria Operations 8.18.6 and applying corresponding updates for VMware Cloud Foundation and Telco Cloud components to mitigate these issues.
read more β†’

Tirith tool blocks homoglyph and terminal injection attacks

πŸ”’ Tirith is an open-source, cross-platform tool that inspects pasted commands and blocks impostor attacks that rely on Unicode homoglyphs, invisible characters, and terminal injection techniques. It hooks into common shells (zsh, bash, fish, PowerShell), analyzes URLs and command patterns locally, and halts execution when suspicious input is detected. The author reports sub-millisecond overhead, no cloud or telemetry dependencies, and options to analyze commands without running them.
read more β†’

DIAView Command Injection Advisory β€” CVE-2026-0975

⚠️ DIAView contains a command injection vulnerability (CVE-2026-0975) that allows project scripts to execute shell commands when a malicious project is opened. Successful exploitation can result in arbitrary code execution on affected installations of Delta Electronics DIAView version 4.2.0. Delta recommends updating to DIAView v4.4 or later and following defensive measures such as isolating control networks, avoiding untrusted files or links, and using secure remote access methods.
read more β†’

FortiSIEM phMonitor Command Injection: CVE-2025-64155

⚠️ A critical command injection vulnerability in Fortinet FortiSIEM (phMonitor, tracked as CVE-2025-64155) enables unauthenticated attackers to inject commands and write files that are executed as the root user. Exploit code was disclosed publicly after a responsible disclosure to Fortinet in August 2025, and researchers warn the flaw may have allowed remote root access for nearly three years. Fortinet has released patched builds and advises restricting access to TCP port 7900 and applying updates immediately.
read more β†’

CISA Flags Exploited Digiever NVR Flaw; Urges Mitigation

⚠️ CISA has added a vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Tracked as CVE-2023-52163 (CVSS 8.8), the issue is a post-authentication command injection via time_tzsetup.cgi that can enable remote code execution. The device is end-of-life and unpatched; vendors and researchers note attacks delivering botnets like Mirai and ShadowV2. Users are advised to avoid exposing affected NVRs to the internet, change default credentials, apply compensating controls, and follow agency guidance ahead of the January 12, 2025 FCEB mitigation deadline.
read more β†’

Johnson Controls iSTAR Controllers: OS Command Injection

πŸ”’ Johnson Controls disclosed two OS command injection vulnerabilities (CVE-2025-43873, CVE-2025-43874) affecting multiple iSTAR Ultra, iSTAR Ultra G2, and iSTAR Edge G2 door controller firmware versions. Successful exploitation could allow remote attackers to execute OS commands, modify firmware, and gain full device control. Both issues are rated high severity (CVSS v3.1 8.8; CVSS v4 8.7) and are exploitable with low attack complexity. Users are advised to apply vendor firmware updates and reduce network exposure immediately.
read more β†’

Johnson Controls iSTAR: Remote OS Command Flaws Discovery

πŸ”’ Johnson Controls disclosed two command-injection vulnerabilities in its iSTAR series (CVE-2025-43875, CVE-2025-43876). Both are classified as CWE-78 and carry high severity (CVSS v3.1 8.8; CVSS v4 8.7), exploitable remotely with low complexity. Johnson Controls and CISA advise upgrading affected devices to the fixed firmware and applying network isolation and secure remote-access controls.
read more β†’

JPCERT Confirms Active Command-Injection in ArrayOS

⚠️ JPCERT/CC warns that a command injection flaw in Array Networks AG Series secure access gateways' DesktopDirect feature has been actively exploited since August 2025, enabling attackers to execute arbitrary commands. The vendor patched the issue in ArrayOS 9.4.5.9 on May 11, 2025; affected versions include 9.4.5.8 and earlier. JPCERT/CC confirms web shells were dropped on devices in Japan and notes attacks from IP 194.233.100[.]138. Administrators should apply the update or disable DesktopDirect and block URLs containing a semicolon as a temporary mitigation.
read more β†’

Attackers Exploit ArrayOS AG VPN Bug to Deploy Webshells

πŸ”’ Threat actors are exploiting a command injection vulnerability in Array Networks ArrayOS AG VPN appliances to plant PHP webshells and create rogue user accounts. The flaw affects ArrayOS AG 9.4.5.8 and earlier when the DesktopDirect feature is enabled; Array issued a May update (9.4.5.9) to address the issue. Japan's CERT (JPCERT/CC) reports attacks since at least August originating from IP 194.233.100[.]138. If immediate patching is not possible, disable DesktopDirect or block URLs containing a semicolon as a temporary mitigation.
read more β†’