< ciso brief />

All news with #privilege escalation tag

213 articles · page 6 of 11

Portwell Engineering Toolkits Vulnerability: CVE-2026-3437

⚠️ CISA warns of a high-severity driver vulnerability, CVE-2026-3437, in Portwell Engineering Toolkits v4.8.2 allowing a local authenticated user to read and write arbitrary memory. The flaw (CWE-119) can enable privilege escalation or denial-of-service, and carries a CVSS v3.1 base score of 8.8. Portwell has not responded to CISA coordination requests; users should minimize device exposure and contact Portwell support for guidance.

Chrome WebView Flaw Allowed Malicious Extension Abuse

🔒 Google patched a high-severity WebView policy enforcement bug, CVE-2026-0628 (CVSS 8.8), in early January 2026 that could let a malicious extension inject scripts or HTML into the browser's new Gemini side panel. Discovered by Palo Alto Networks Unit 42 researcher Gal Weizman, the flaw could have enabled privilege escalation to access local files, take screenshots, and turn on camera or microphone without consent. The fix shipped in Chrome 143.0.7499.192/.193 (Windows/Mac) and 143.0.7499.192 (Linux).

Chrome Gemini Vulnerability Allowed Extension Hijack

🛡 Unit 42 discovered CVE-2026-0628, a high-severity flaw in Chrome's new Gemini Live panel that allowed extensions with only declarativeNetRequest permissions to inject JavaScript into the privileged panel context. That injection could escalate extension privileges to access camera and microphone, read local files, take screenshots and render phishing content inside a trusted browser UI. Google was notified on 2025-10-23 and issued a patch in early January 2026. Palo Alto Networks recommends mitigations such as Prisma Browser and related protections.

Critical Juniper PTX Flaw Enables Full Router Takeover

🚨 A critical privilege escalation vulnerability in Junos OS Evolved on PTX Series routers (CVE-2026-21902) exposes the On-Box Anomaly Detection framework on an externally reachable port, allowing unauthenticated remote code execution as root. Because the service runs as root and is enabled by default, any attacker with network access to the port can fully compromise an affected device. Juniper released fixes in 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO, and recommends applying the updates; until then, restrict access to the port with firewall filters or ACLs, or disable the service with the CLI command request pfe anomalies disable.

Critical Serv-U RCE Flaws Extend SolarWinds Risk Profile

⚠ SolarWinds has issued four critical patches for its Serv-U managed file transfer server to remediate remote code execution and broken access-control vulnerabilities that can lead to root or other privileged account takeover. The most severe, CVE-2025-40538, can create system admin users and execute arbitrary code, while CVE-2025-40539 and CVE-2025-40540 are type confusion flaws and CVE-2025-40541 is another broken access-control issue. Organizations should treat this as a high-urgency patch event: update immediately, verify internet exposure, check logs for signs of compromise, and rotate associated credentials.

Wormable XMRig Campaign Uses BYOVD to Boost Hashrate

🛡️ Trellix researchers describe a wormable cryptojacking campaign that lures victims with pirated software bundles to deploy a custom XMRig miner and a modular dropper that acts as installer, watchdog, payload manager, and cleaner. The binary uses command-line mode switching to install, restart, monitor, or self-destruct and contains a time-based logic bomb that triggers decommissioning after December 23, 2025. The actors abuse a flawed driver, WinRing0x64.sys (CVE-2020-14979), in a BYOVD chain to escalate privileges and boost RandomX hashrate by an estimated 15–50%. Responders advise blocking vulnerable drivers, scanning for artifacts, restricting removable media execution, enforcing least privilege, and applying relevant patches.

Windows Admin Center: Microsoft Patches Privilege Bug

🔒 Microsoft disclosed and patched a high-severity flaw in Windows Admin Center that could allow an attacker to escalate privileges. Tracked as CVE-2026-26119 with a CVSS score of 8.8, the flaw was reported by Semperis researcher Andrea Pierini, whom Microsoft credited, and the fix shipped in Windows Admin Center version 2511 (Dec 2025). The vendor describes the issue as improper authentication and tags it Exploitation More Likely; technical details are currently restricted. Administrators are advised to apply the update promptly and restrict access to the management endpoint.

Siemens SINEC NMS and UMC DLL Load Vulnerabilities

⚠️ Siemens has published fixes for two local privilege escalation vulnerabilities affecting SINEC NMS and the User Management Component (UMC). A low-privileged user could modify configuration files to force the application to load malicious DLLs, potentially enabling arbitrary code execution with elevated (including SYSTEM) privileges. The issues are tracked as CVE-2026-25655 and CVE-2026-25656 (CWE-427) with a CVSS v3.1 base score of 7.8. Administrators should apply SINEC NMS V4.0 SP2 and UMC V2.15.2.1 or later as provided by Siemens ProductCERT.

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.

Critical n8n Vulnerabilities Allow Remote Code Execution

🔒 Multiple critical vulnerabilities in the open-source workflow platform n8n (tracked as CVE-2026-25049) allow any authenticated user who can create or edit workflows to escape sandboxing and execute arbitrary code on the host server. Independent researchers at Pillar Security, Endor Labs and SecureLayer7 identified sanitization and AST-sandboxing bypasses — including a type-confusion issue and Function-constructor exploits — enabling access to Node.js globals, the filesystem, credentials and connected cloud accounts. n8n released fixes (notably 2.4.0, later 2.5.2 and 1.123.17) and recommends immediate patching, rotating the N8N_ENCRYPTION_KEY and stored credentials, and limiting workflow creation until environments are hardened.

Mitsubishi FREQSHIP-mini for Windows: Incorrect Permissions

⚠️ A high-severity vulnerability (CVE-2025-10314) affects Mitsubishi Electric FREQSHIP-mini for Windows versions 8.0.0 through 8.0.2 due to incorrect default permissions. A local attacker with write access to the installation directory could replace service executables or DLLs and execute code with SYSTEM privileges, potentially modifying or destroying data or causing denial of service. Mitsubishi released version 8.1.0 to address the issue; administrators should install the update and apply vendor mitigations, limit remote access, and maintain endpoint protections.

Privileged File System Flaw in Iconics Suite CVE-2025-0921

🔒 Unit 42 researchers discovered CVE-2025-0921, a privileged file system operations vulnerability in Iconics Suite (GENESIS64) that can be abused to corrupt critical binaries and cause a denial-of-service. The issue affects certain Windows deployments of Iconics Suite and can be chained with CVE-2024-7587 (GenBroker32 installer) to gain effective write access to protected log paths. Iconics released an advisory and a workaround that, if applied, mitigates the reported issues; organizations should apply vendor guidance and limit local write access to application directories.

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.

Osiris Ransomware Employs POORTRY Driver to Evade Detection

🔒 Symantec and Carbon Black disclosed a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attackers deployed a bespoke malicious driver named POORTRY in a BYOVD-style technique to disable security tooling and elevate privileges, and they exfiltrated data to Wasabi cloud buckets using Rclone before encryption. Osiris uses a hybrid per-file encryption scheme that generates unique keys per file, can stop services and terminate processes, and targets numerous backup and productivity services; defenders are advised to limit RDP exposure, monitor dual‑use tools, enforce MFA, adopt application allowlisting where feasible, and maintain off-site backups.
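Both the XMRig campaign (WinRing0x64.sys, CVE-2020-14979) and Osiris (POORTRY) rely on loading a signed-but-abusable driver, so the first question for a responder is which kernel drivers are actually loaded and whether the platform's vulnerable-driver blocklist is enforced. The PowerShell below is an added example written for this page; it is not Trellix, Symantec or Microsoft code. It inventories running drivers, hashes and signature-checks each one, flags file names on a watchlist (the list is constructed from this page and meant to be extended from the Microsoft recommended driver block rules or a project such as LOLDrivers), and reads the blocklist state. The registry value name VulnerableDriverBlocklistEnable and the HVCI code 2 in Win32_DeviceGuard.SecurityServicesRunning are taken from Microsoft's documentation as I know it; verify them against your OS build.

```powershell
# Added example (not vendor or researcher code). Read-only; run elevated.
# Watchlist of driver file names, constructed from this page. Renamed copies
# will not match by name, so the SHA256 column is there to compare against an
# external hash list (Microsoft block rules, LOLDrivers).
$watchlist = @('WinRing0x64.sys', 'WinRing0.sys')

function Get-LoadedDriverReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
               Where-Object { $_.State -eq 'Running' }
    foreach ($drv in $drivers) {
        $path = $drv.PathName
        if (-not $path) { continue }
        # CIM may report \??\C:\... or \SystemRoot\...; normalise to a filesystem path
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $file = Split-Path -Leaf $path
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $drv.Name
            File      = $file
            Path      = $path
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
            OnWatch   = ($watchlist -contains $file)
        }
    }
}

function Get-VulnerableDriverBlocklistState {
    # Assumed value name (Microsoft driver block rules doc): 1 = blocklist enforced
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' `
                           -ErrorAction SilentlyContinue
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VulnerableDriverBlocklistEnable = $ci.VulnerableDriverBlocklistEnable
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        HvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

# Usage: full inventory, then just the hits, then platform state
$report = Get-LoadedDriverReport
$report | Sort-Object Name | Format-Table Name, File, SigStatus, OnWatch -AutoSize
$report | Where-Object { $_.OnWatch -or $_.SigStatus -ne 'Valid' } |
    Format-List Name, Path, SHA256, Signer, SigStatus
Get-VulnerableDriverBlocklistState
```

A valid Authenticode signature is not a clean bill of health: WinRing0 is legitimately signed, which is exactly why BYOVD works. Treat OnWatch and an external hash match as the signal, and treat an unsigned or HashMismatch running driver as an incident on its own.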

Schneider Electric EcoStruxure Privilege Escalation Fix

⚠️ Schneider Electric has issued a fix for a local privilege escalation vulnerability in EcoStruxure Process Expert (CVE-2025-13905) caused by incorrect default permissions. An attacker with local access could modify executable service binaries and gain elevated privileges when services restart. Version 2025 contains the vendor fix; interim mitigations include application whitelisting and restricting privileged accounts.
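The Siemens (CVE-2026-25655/25656, DLL loading from user-modifiable locations), Mitsubishi FREQSHIP-mini (CVE-2025-10314) and Schneider EcoStruxure Process Expert (CVE-2025-13905) items above are the same bug class: a service runs as SYSTEM from a file or directory that a low-privileged user can write to. The PowerShell below is an added example written for this page, not code from any of those vendors. It walks every installed service, extracts the executable from the registered command line, and reports any case where the executable or the directory holding it grants write-type rights to a low-privileged principal. Principal names are the English well-known names and are assumed; on a localised Windows install substitute the local equivalents.

```powershell
# Added example (not vendor code). Read-only; run elevated so all services and
# ACLs are visible. Principals below are assumed English well-known names.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Guests'
)

# Rights that let a non-admin replace the binary, drop a DLL next to it,
# or re-ACL the object to grant themselves those rights.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor
             $R::WriteData -bor $R::AppendData -bor $R::CreateFiles -bor
             $R::ChangePermissions -bor $R::TakeOwnership

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName is a command line: "C:\p a\svc.exe" -arg  or  C:\p\svc.exe -k x
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        $end = $PathName.IndexOf('"', 1)
        if ($end -gt 1) { return $PathName.Substring(1, $end - 1) }
        return $null
    }
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Test-LowPrivWritable([string]$Path) {
    # Returns the Allow ACEs (as strings) granting write-type rights to a low-priv principal.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) {
            $hits += "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $hits
}

function Get-WritableServiceBinaries {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $dir = Split-Path -Parent $exe
        $exeHits = Test-LowPrivWritable $exe
        $dirHits = Test-LowPrivWritable $dir   # inherited ACEs on the file come from here
        if ($exeHits -or $dirHits) {
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName        # LocalSystem is the worst case
                StartMode   = $svc.StartMode
                Binary      = $exe
                WritableExe = ($exeHits -join '; ')
                WritableDir = ($dirHits -join '; ')
            }
        }
    }
}

# Usage
Get-WritableServiceBinaries | Sort-Object RunsAs, Service | Format-Table -AutoSize
```

A writable directory is as bad as a writable executable for the Siemens case: CWE-427 is search-path abuse, and a DLL dropped beside the binary is loaded before anything in System32. After patching, re-run the check; vendor installers sometimes restore the permissive ACL on upgrade.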

Hubitat Elevation Privilege Escalation Vulnerability

⚠️ CISA warns of an Authorization Bypass Through User-Controlled Key flaw (CVE-2026-1201) in Hubitat Elevation controllers that can allow an authenticated user to escalate privileges and control devices beyond their authorized scope. Affected models — C3, C4, C5, C7, C8, and C8 pro — are vulnerable prior to firmware 2.4.2.157. The issue carries a CVSS v3.1 base score of 9.1 (CRITICAL). Hubitat has released firmware 2.4.2.157 and CISA recommends timely upgrades and standard network isolation measures.

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.

CODESYS Runtime Vulnerabilities Affecting Schneider Electric

⚠️ Schneider Electric warns that multiple vulnerabilities in the CODESYS Runtime System V3 communication server affect many Schneider products and third-party devices embedding CODESYS. Exploitable issues include denial-of-service and, in some configurations, remote code execution; several CVEs carry CVSS scores up to 8.8. Schneider has published patches and mitigations for many affected product families; operators should apply vendor updates and follow immediate network and access controls to reduce exposure.

ServiceNow BodySnatcher Flaw Exposes AI Agent Risks

⚠️ Research firm AppOmni disclosed a critical privilege-escalation vulnerability called BodySnatcher in ServiceNow’s Now Assist AI Agents and Virtual Agent API that could let unauthenticated actors execute workflows as arbitrary users. ServiceNow says hosted instances were patched at the end of October and customers should upgrade to specified Now Assist and Virtual Agent API versions. AppOmni warns that default example agents and permissive authentication choices mean similar risky configurations could still exist in custom code or third-party integrations, and recommends enforcing MFA, reviewing agents, and applying the updates promptly.