
All news with #privilege escalation tag

213 articles · page 5 of 11

Schneider Electric Plant iT/Brewmaxx: Critical Redis Flaws

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.

CISA Warns to Harden Endpoint Management After Intune Attack

🔒 CISA is urging IT and security leaders to harden endpoint management configurations after pro‑Iranian group Handala reportedly abused Microsoft Intune in a March 11 attack on Stryker that disrupted operations and enabled remote wipes. The guidance emphasizes least‑privilege administrative roles, phishing‑resistant MFA, privileged access hygiene, and multi‑admin approval for destructive actions. Although focused on Intune, CISA says these defensive principles apply to any UEM. Organizations should audit admin access, require multi‑party approvals, and continuously monitor privileged activity.

Critical GNU inetutils Telnet RCE Allows Root Access

⚠️ Security researchers at Dream Security disclosed a critical buffer overflow in GNU inetutils telnetd (CVE-2026-32746) that enables unauthenticated remote code execution as root during Telnet negotiation. The flaw originates in the SLC handler, which writes into a fixed 108‑byte buffer without bounds checking, producing an arbitrary write. Dream notified maintainers on March 11 and a patch was prepared the next day; administrators should disable telnetd, restrict or block TCP/23, or migrate to SSH until updates are applied.

Preventing Privilege Escalation via Password Resets

🔒 Many organizations invest heavily in login protections but leave password reset paths less scrutinized, creating an easy escalation route once attackers gain a foothold. The article explains common abuse scenarios — from helpdesk social engineering and intercepted reset tokens to misuse by over-permissioned admins — and recommends seven practical mitigations, including MFA, device posture checks, strict password policies, and avoiding knowledge-based authentication. It also highlights Specops tools to harden reset workflows and block breached passwords.

Ubiquiti patches UniFi flaw that may enable takeover

🔒 Ubiquiti has released patches for two vulnerabilities in the UniFi Network application, including a maximum-severity path traversal flaw tracked as CVE-2026-22557. The path traversal affects versions up to 10.1.85 and is addressed in 10.1.89 and later; a separate authenticated NoSQL injection that could enable privilege escalation has also been fixed. Administrators should update to 10.1.89 or later and apply vendor fixes to mitigate account takeover and escalation risks.

Schneider Electric PME/EPO Deserialization Vulnerability

⚠️ Schneider Electric disclosed a deserialization-of-untrusted-data vulnerability affecting EcoStruxure Power Monitoring Expert (PME) and the Advanced Reporting and Dashboards module for EcoStruxure Power Operation (EPO). A locally authenticated attacker can supply crafted data to trigger unsafe deserialization and achieve arbitrary code execution with administrative privileges. Schneider has released hotfixes and recommends upgrading to PME 2024 R3; contact Customer Care to obtain fixes. According to the vendor, the hotfixes for supported branches do not require a reboot.

ConnectWise fixes ScreenConnect signature flaw, critical

🔒 ConnectWise warned customers about a critical cryptographic signature verification bug in ScreenConnect (tracked as CVE-2026-3564) that affects versions prior to 26.1 and can enable unauthorized session authentication and privilege escalation. The vulnerability allows attackers who obtain ASP.NET machine key material to generate or modify protected values the server will accept, potentially resulting in hijacked sessions and elevated access. ConnectWise patched the issue in ScreenConnect 26.1 by adding encrypted storage and improved handling for machine keys; cloud-hosted instances were auto-upgraded while on-premises administrators must upgrade immediately. The vendor reported observed attempts to abuse disclosed machine key material in the wild but has no confirmed evidence of exploitation against ConnectWise-hosted instances and urges responsible disclosure of active findings.

Ubuntu Desktop Flaw Allows Local Elevation to Root

⚠️ A local privilege escalation vulnerability (CVE-2026-3888) affects default installations of Ubuntu Desktop 24.04 and later, enabling attackers with low-level access to obtain full root privileges. The flaw stems from an interaction between snap-confine and systemd-tmpfiles that enables a timing-based attack leveraging automated temporary-file cleanup. Exploitation requires patience due to a built-in 10–30 day cleanup window, but no user interaction is needed; Qualys rated the issue CVSS 7.8 and urges immediate upgrade to patched snapd releases.

Ubuntu CVE-2026-3888: snap-confine Privilege Escalation

⚠️ A high-severity vulnerability tracked as CVE-2026-3888 affects default Ubuntu Desktop installations starting with 24.04, allowing an unprivileged local attacker to escalate to root by abusing the interaction between snap-confine and systemd-tmpfiles. The exploit relies on a timing window (roughly 10–30 days) in which systemd-tmpfiles removes stale /tmp entries, enabling an attacker to recreate sandbox directories with malicious payloads that are later bind-mounted as root. Ubuntu and upstream snapd have released patches; administrators should upgrade snapd and follow vendor guidance to mitigate exposure.

CrackArmor: AppArmor Linux Flaws Allow Local Root Access

🛡️ Qualys TRU has disclosed 'CrackArmor,' a set of nine AppArmor vulnerabilities present since Linux kernel 4.11 (2017). These AppArmor flaws allow local, unprivileged users to manipulate security profiles via kernel pseudo-files, enabling local privilege escalation, container isolation bypass, Denial-of-Service and potential kernel-memory exposure. Qualys developed proof-of-concept exploits but has not publicly released the code to limit risk. Organizations should prioritize applying vendor kernel updates and scanning for affected systems.

Microsoft Removes Samsung App After C: Drive Access Issues

⚠️ Microsoft removed the Samsung Galaxy Connect app from the Microsoft Store after a joint investigation concluded the app (used for screen mirroring, file sharing and data transfer) was triggering "C:\ is not accessible – Access denied" errors on certain Windows 11 Samsung Galaxy Book 4 and desktop models. Affected users reported blocked applications, failure to access files, and privilege elevation problems that impeded diagnostics. Samsung republished a stable previous version to stop further occurrences, but recovery options for impacted devices remain limited. Microsoft and Samsung have not published a workaround yet; users should contact Samsung for device-specific support.

Nine Critical AppArmor Flaws Expose Millions of Linux Hosts

⚠️ Qualys disclosed nine critical vulnerabilities in AppArmor, the Linux Security Module enabled by default on Ubuntu, Debian, and SUSE. Dubbed “CrackArmor,” the flaws date back to the Linux 4.11 kernel and allow an unprivileged local user to manipulate profiles to gain full root, escape containers, or crash systems. Qualys estimates over 12.6 million exposed enterprise instances and emphasizes immediate kernel patching; fixes have landed upstream in coordination with major distro maintainers.

CrackArmor: Nine AppArmor Flaws Enable Local Root Escalation

🔒 Qualys Threat Research Unit disclosed nine vulnerabilities collectively named CrackArmor in the Linux kernel's AppArmor module that let unprivileged users tamper with security profiles, bypass user-namespace restrictions, and escalate to root. Qualys says the problems have existed since 2017 and affect kernels since 4.11, with no CVEs assigned yet. The vendor is withholding PoC exploits and urges immediate kernel patching across affected distributions such as Ubuntu, Debian, and SUSE.

Apple Backports Coruna Exploit Patches to Older iPhones

🔒 Apple has released security updates that backport fixes for vulnerabilities exploited by the Coruna exploit kit to older iPhones and iPads that cannot run the latest iOS releases. The patches, issued as iOS/iPadOS 15.8.7 and 16.7.15 builds, remediate kernel and WebKit issues — including CVE-2023-41974, CVE-2024-23222, CVE-2023-43000 and CVE-2023-43010 — to prevent privilege escalation and remote code execution. Affected legacy devices include a range of iPhone 6s through iPhone X models, multiple iPad Air/Pro and mini models, and the 7th‑gen iPod touch.

Talos Discloses DirectX, OpenFOAM, Libbiosig Vulnerabilities

🛡️ Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting Microsoft DirectX, OpenCFD OpenFOAM, and the BioSig project’s libbiosig library. Most issues have been patched by their respective vendors in accordance with Cisco’s disclosure policy, while the DirectX local privilege escalation remains unpatched. Talos published detailed advisories and Snort rule guidance to detect exploitation. Affected CVEs include CVE-2025-68623, CVE-2025-61982, CVE-2025-64736, CVE-2026-22891, and CVE-2026-20777.

Microsoft Patches Two Publicly Disclosed Zero-Day Flaws

🔒 Microsoft released its March Patch Tuesday updates addressing 79 vulnerabilities, including two publicly disclosed zero-day flaws. The zero-days are CVE-2026-21262, an SQL Server elevation-of-privilege issue (CVSS 8.8), and CVE-2026-26127, a .NET denial-of-service vulnerability. Security researchers warn that while only three flaws were rated critical, the bulk of fixes are elevation-of-privilege bugs in core Windows components and should be prioritised to avoid escalation chains and operational disruption.

Microsoft March Patch Tuesday: 84 Flaws, 2 Zero-Days

🔒 Microsoft released its March Patch Tuesday updates addressing 84 security vulnerabilities, including two publicly disclosed zero-days. Of the fixes, eight are rated Critical and 76 Important, spanning privilege escalation, remote code execution, information disclosure and other classes. The highest-scoring issue is CVE-2026-21536 (CVSS 9.8) in the Microsoft Devices Pricing Program, which Microsoft says is fully mitigated. Administrators should review MSRC advisories and apply updates based on risk and exposure.

Microsoft Patch Tuesday — March 2026 Security Fixes

🔒 Microsoft released fixes for at least 77 vulnerabilities across Windows and related products in its March 2026 Patch Tuesday. Two issues were previously disclosed publicly, including a SQL Server privilege elevation (CVE-2026-21262) that can allow network-based escalation to sysadmin. Several critical remote code execution bugs in Microsoft Office and other components, plus a notable AI-discovered 9.8-rated RCE (CVE-2026-21536), merit prioritized attention. Administrators should review privilege escalation and RCE patches first and monitor for any post-update issues.

Critical WordPress plugin bug lets attackers create admins

⚠️ A critical vulnerability in the User Registration & Membership WordPress plugin (CVE-2026-1492, CVSS 9.8) is being actively exploited to create unauthenticated administrator accounts. The flaw allows attackers to supply a role during membership registration and obtain full admin privileges. Defiant's Wordfence blocked over 200 exploit attempts in the past 24 hours, indicating live attacks. WPEverest released a fix in 5.1.3 (the article notes 5.1.4 was released last week); update immediately or disable the plugin until you can patch.

Hitachi Energy Relion REB500 Privilege Escalation Fix

⚠️ Hitachi Energy disclosed authentication-based directory access vulnerabilities in the Relion REB500 product (firmware versions ≤ 8.3.3.0), tracked as CVE-2026-2459 and CVE-2026-2460. Authenticated users with certain roles can access and modify directories beyond their authorization. The vendor advises updating to REB500 v8.3.3.1 and recommends disabling or tightly controlling the Installer role as an interim mitigation.