< ciso
brief />
Tag Banner

All news with #insecure deserialization tag

42 articles

CISA Adds SharePoint RCE CVE-2026-45659 to KEV Catalog

πŸ”’ CISA has added a high-severity SharePoint Server vulnerability, CVE-2026-45659 (CVSS 8.8), to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. Microsoft patched the deserialization-based remote code execution flaw in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The issue can be triggered by any authenticated attacker with as little as Site Member permissions and does not require elevated privileges. Federal agencies are advised to apply updates by July 4, 2026, while Microsoft assesses public exploitation as "Exploitation Less Likely."
read more β†’

Critical PTC Windchill PLM Flaw Under Active Exploitation

πŸ›‘οΈ Hackers are exploiting a critical unsafe deserialization vulnerability in PTC Windchill and FlexPLM that enables remote code execution. The flaw, tracked as CVE-2026-12569 and scored 9.3 CVSS, affects the Windchill PDMLink web component. PTC issued mitigations and patches on June 17–19 and provided indicators of compromise after reports of web shell deployment. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
read more β†’

CISA Adds PTC Windchill RCE to KEV Catalog

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical RCE vulnerability affecting PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw, tracked as CVE-2026-12569 with a CVSS score of 9.3, allows arbitrary code execution via improper input validation and deserialization of untrusted data. Patches were released last week, but PTC warns of ongoing attacks deploying JSP web shells and published IoCs and mitigations.
read more β†’

Critical LangGraph flaw chain risks remote code execution

πŸ”’ Researchers disclosed three patched vulnerabilities in LangGraph, including a critical SQL injection and unsafe deserialization chain that could enable remote code execution in self-hosted deployments. LangGraph is an open-source framework from LangChain for building stateful, multi-agent AI applications. Check Point and researcher Yarden Porat reported the issues, which affect SQLite and Redis checkpointers but not LangChain's managed LangSmith service.
read more β†’

Critical LangGraph Vulnerabilities Put AI Agents at Risk

πŸ”’ Check Point Research discovered a critical vulnerability chain in LangGraph, an open-source AI agent framework with ~46.5M monthly downloads, that can lead to full remote code execution. The issue centers on the checkpointer persistence layer where an SQL injection in get_state_history() can be chained with a msgpack deserialization flaw to execute attacker-controlled code. Three CVEs were assigned and patched; affected teams should upgrade and place authentication and network controls in front of self-hosted deployments.
read more β†’

KnowledgeDeliver zero-day enables web shell installs

πŸ›‘οΈ Mandiant found attackers exploited a critical unauthenticated deserialization flaw (CVE-2026-5426) in KnowledgeDeliver LMS to deliver the Godzilla web shell. The issue stemmed from a shared hardcoded ASP.NET machineKey across customer deployments, allowing signed malicious ViewState payloads and remote code execution. Compromised installations were used to push fake installers, deploy Cobalt Strike beacons, and modify site scripts to load attacker-controlled payloads.
read more β†’

Microsoft fixes critical SharePoint remote code flaw

πŸ›‘οΈ Microsoft released updates to address a SharePoint remote code execution vulnerability, CVE-2026-45659, rated CVSS 8.8 and classified as Important. The flaw involves deserialization of untrusted data, allowing an authenticated attacker with minimal Site Member permissions to execute code over a network without elevated privileges. Microsoft credited researcher MEOW for the discovery and urged administrators to apply the updates for affected SharePoint versions. The advisory follows recent fixes for other SharePoint issues that have been exploited in the wild.
read more β†’

KnowledgeDeliver LMS ViewState Flaw Enables Web Shell

πŸ›‘οΈ A high-severity ASP.NET ViewState deserialization flaw (CVE-2026-5426) in Digital Knowledge KnowledgeDeliver was exploited as a zero-day to deploy the Godzilla web shell and later Cobalt Strike Beacon. Google Mandiant and GTIG found attackers abused hard-coded machineKey values in vendor-supplied web.config files to craft malicious __VIEWSTATE payloads, gaining unauthenticated RCE on affected instances prior to February 24, 2026. The intrusion included file system escalation, tampering with site JavaScript to deliver a fake security plugin, and a targeted encrypted payload named for the victim organization.
read more β†’

Critical CVE-2026-25874 in LeRobot Enables Remote RCE

⚠️ A critical vulnerability, CVE-2026-25874, was disclosed in Hugging Face's open-source robotics framework LeRobot, enabling unauthenticated remote code execution via unsafe deserialization with pickle.loads(). The flaw affects the async inference PolicyServer handling gRPC calls (SendPolicyInstructions, SendObservations, GetActions) over unauthenticated channels and has been validated against LeRobot 0.4.3. A patch is planned for version 0.6.0; operators should treat exposed instances as high-risk and apply mitigations such as enabling TLS, restricting network access, and eliminating pickle-based deserialization.
read more β†’

Hitachi Energy JasperReports RCE in Ellipse Products

⚠ Hitachi Energy disclosed a critical Java deserialization flaw in the Jaspersoft/Jasper Report library used by Ellipse, tracked as CVE-2025-10492, which can enable remote code execution. Affected versions include Ellipse 9.0.50 and earlier and the issue carries a CVSS 3.1 score of 9.8. Immediate mitigations include restricting loading of external custom reports to only administrator-approved Jasper files, isolating control systems from public networks, and following updates from Hitachi Energy PSIRT.
read more β†’

LangChain and LangGraph Flaws Expose Files and Secrets

πŸ”’ Researchers disclosed three vulnerabilities in LangChain and LangGraph that can expose filesystem files, environment secrets, and conversation history. The flaws β€” a path traversal, insecure deserialization, and an SQL injection β€” provide independent attack paths enabling exfiltration of Docker configs, API keys, and stored chats. Patches are available for the affected packages and organizations are urged to update immediately and audit prompt templates, deserialization paths, and checkpoint metadata.
read more β†’

Schneider Electric Foxboro DCS Deserialization Flaw Patched

πŸ”’ Schneider Electric has disclosed a deserialization of untrusted data vulnerability (CVE-2026-1286) impacting EcoStruxure Foxboro DCS versions prior to CS 8.1. An authenticated administrative user who opens a malicious project file could compromise confidentiality and integrity and potentially achieve remote code execution on a workstation (CVSS 3.1: 6.5). Schneider released CS 8.1 which requires FX-V3 licenses and a reboot; standard upgrade procedures apply. Until patched, follow mitigations such as restricting files to trusted sources, enforcing least privilege, and isolating DCS networks.
read more β†’

Ransomware Group Exploited Cisco Firewall Zero-Day

⚠️ Amazon disclosed that the ransomware group Interlock exploited a critical deserialization flaw in Cisco Secure Firewall Management Center (CVE-2026-20131) as a zero-day beginning January 26, roughly 38 days before Cisco released a patch on March 4. The bug carries a CVSS score of 10 and was addressed in Cisco’s semiannual firewall update alongside a second high-severity FMC issue. Using its MadPot honeypot network, Amazon captured attacker activity, recovered a malicious ELF binary, and traced a full attack chain that leveraged a single poorly secured staging server. The findings underscore the limits of patching alone and the need for layered defenses and urgent log hunting for provided indicators.
read more β†’

CISA Adds Cisco FMC Deserialization Flaw to KEV Catalog

⚠️ CISA has added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability involves deserialization of untrusted data in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. This class of flaw is a common attack vector and poses significant risk. CISA reminds Federal Civilian Executive Branch agencies to remediate per BOD 22-01 and urges all organizations to prioritize timely remediation as part of normal vulnerability management.
read more β†’

Schneider Electric PME/EPO Deserialization Vulnerability

⚠️ Schneider Electric disclosed a deserialization-of-untrusted-data vulnerability affecting EcoStruxure Power Monitoring Expert (PME) and the Advanced Reporting and Dashboards module for EcoStruxure Power Operation (EPO). A locally authenticated attacker can supply crafted data to trigger unsafe deserialization and achieve arbitrary code execution with administrative privileges. Schneider has released hotfixes and recommends upgrading to PME 2024 R3; contact Customer Care to obtain fixes. Hotfixes for supported branches report no reboot required.
read more β†’

Critical Microsoft SharePoint Flaw Now Exploited in Attacks

πŸ”΄ The Cybersecurity and Infrastructure Security Agency (CISA) warned that a critical deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2026-20963, is being exploited in the wild. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and can allow unauthenticated remote code execution on unpatched servers. Microsoft patched the issue during January Patch Tuesday but has not labeled it as exploited; CISA added the vulnerability to its actively exploited catalog and ordered federal agencies to remediate by March 21.
read more β†’

CISA Adds CVE-2026-20963 to Known Exploited Vulnerabilities

⚠️ CISA has added CVE-2026-20963 β€” a Microsoft SharePoint deserialization of untrusted data vulnerability β€” to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This class of flaw is a frequent attack vector that can allow malicious actors to execute code or manipulate data when untrusted input is deserialized. CISA reminds Federal Civilian Executive Branch agencies that BOD 22-01 requires remediation by the assigned due dates and strongly urges all organizations to prioritize timely fixes.
read more β†’

Inductive Automation Ignition Deserialization Vulnerability

πŸ”’ A deserialization vulnerability in Inductive Automation Ignition (CVE-2025-13913) allows a privileged, authenticated user to import a crafted file that executes embedded code during deserialization, potentially running with the OS application service account's permissions. The flaw affects Ignition versions prior to 8.3.0 and carries a CVSS v3.1 base score of 6.3; CISA reports it is not remotely exploitable and no public exploitation is known. Remediation is to upgrade to 8.3.0 or later. As interim mitigations, follow the Ignition Security Hardening Guide, restrict project imports to trusted sources, use dedicated low-privilege service accounts, and segment gateways from corporate networks.
read more β†’

CISA: Critical SolarWinds Web Help Desk RCE Exploited

πŸ”’ CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551) as actively exploited and ordered federal agencies to patch within three days under BOD 22-01. The flaw is an untrusted data deserialization weakness that can enable unauthenticated remote command execution; SolarWinds released Web Help Desk 2026.1 on January 28 to address it. Administrators are urged to apply the patch immediately and verify affected systems.
read more β†’

Critical RCE in Hitachi Energy Asset Suite (Jasper)

⚠️ Hitachi Energy has disclosed a critical remote code execution vulnerability in Asset Suite, caused by a Java deserialization flaw in the Jaspersoft library (CVE-2025-10492). The issue affects Asset Suite versions 9.7 and earlier and carries a CVSS v3.1 base score of 9.8 β€” allowing attackers to execute arbitrary code on vulnerable systems. Hitachi Energy advises upgrading to version 9.8 to remediate the defect. Until patched, administrators should restrict loading of external custom reports, segment networks, and deny internet exposure for control system devices.
read more β†’