< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 7 of 13

Qilin and Warlock Ransomware Use Vulnerable Drivers

🔒 Cisco Talos and Trend Micro say Qilin and Warlock ransomware groups have adopted a bring-your-own vulnerable driver (BYOVD) approach to disable endpoint security on compromised hosts. Talos identified a malicious DLL named msimg32.dll that side-loads a PE loader which decrypts and executes an in-memory EDR killer. The payload leverages renamed drivers such as rwdrv.sys (a repackaged ThrottleStop.sys) and hlpdrv.sys to access physical memory and terminate over 300 EDR drivers. Warlock has similarly used NSecKrnl.sys and a suite of legitimate tools to persist, move laterally, and exfiltrate data.
read more →

Attackers Exploiting Trusted Tools: Why You Miss It

⚠️ Attackers increasingly bypass classic defenses by abusing trusted, built-in tools such as PowerShell, WMIC, and Certutil to move laterally, escalate privileges, and maintain persistence without dropping new malware. These Living Off The Land (LOTL) techniques mimic routine admin tasks and produce minimal alerts, creating stealthy blind spots for detection-focused teams. A data-driven Internal Attack Surface Assessment reveals unnecessary access, maps realistic attack paths, and prioritizes low-impact remediations so organizations can harden systems without disrupting workflows.
read more →

GIGABYTE Control Center has critical file-write flaw

⚠️ The GIGABYTE Control Center contains a critical arbitrary file-write vulnerability (CVE-2026-4415) affecting versions 25.07.21.01 and earlier when the pairing feature is enabled. Taiwan's CERT warns unauthenticated remote attackers could write files anywhere on the underlying OS, enabling arbitrary code execution, privilege escalation, or denial-of-service. GIGABYTE released version 25.12.10.01 with fixes for download path management, message processing, and command encryption and strongly advises immediate upgrade; users should obtain installers only from the vendor portal to avoid trojanized packages.
read more →

Double Agents: Security Blind Spots in Vertex AI on GCP

🔒 Unit 42 researchers discovered that AI agents deployed with Google Cloud’s Vertex AI ADK can inherit overly broad default permissions, enabling a deployed agent to leak service‑agent credentials and act as a “double agent.” By exploiting the Per‑Project, Per‑Product Service Agent (P4SA), the team pivoted into consumer projects and downloaded restricted Artifact Registry images from Google‑managed producer projects. Google collaborated with Unit 42, updated documentation, and recommended Bring Your Own Service Account (BYOSA) as a mitigation. Palo Alto Networks highlights protection via Prisma AIRS, Cortex Cloud Identity Security, and Cortex AI‑SPM.
read more →

OpenCode OC Messaging & USSD Gateway Vulnerability

⚠️ OpenCode Systems' OC Messaging and USSD Gateway version 6.32.2 contain an improper access control vulnerability (CVE-2025-70614, CVSS 3.1 Base Score 8.1) that can allow an authenticated low-privileged user to access SMS messages outside their tenant by providing a crafted company/tenant identifier. OpenCode released version 6.33.11 on 2026-01-06 to remediate the issue. Administrators should upgrade affected systems to 6.33.11 or later and limit network exposure of messaging gateways.
read more →

Chained Cisco Catalyst 9300 Flaws Could Cause DoS Outage

🔒 Cisco's Catalyst 9300 switches contain four vulnerabilities — two of which can be chained to escalate privileges and induce a denial-of-service by forcing the device into maintenance mode. Opswat's Unit 515 CIP Lab reported CVE-2026-20114 (command injection) and CVE-2026-20110 (insufficient sanitization), which together allow a low-privileged Lobby Ambassador account to gain higher privileges. Cisco released fixes in its March 25, 2026 IOS and IOS XE advisory; administrators should run the Software Checker, enable MFA for Lobby Ambassador accounts, and, where possible, set the privilege level for the 'start maintenance' command from the CLI.
read more →

Schneider Electric Plant iT/Brewmaxx: Critical Redis Flaws

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.
read more →

CISA Warns to Harden Endpoint Management After Intune Attack

🔒 CISA is urging IT and security leaders to harden endpoint management configurations after pro‑Iranian group Handala reportedly abused Microsoft Intune in a March 11 attack on Stryker that disrupted operations and enabled remote wipes. The guidance emphasizes least‑privilege administrative roles, phishing‑resistant MFA, privileged access hygiene, and multi‑admin approval for destructive actions. Although focused on Intune, CISA says these defensive principles apply to any UEM. Organizations should audit admin access, require multi‑party approvals, and continuously monitor privileged activity.
read more →

Critical GNU inetutils Telnet RCE Allows Root Access

⚠️ Security researchers at Dream Security disclosed a critical buffer overflow in GNU inetutils telnetd (CVE-2026-32746) that enables unauthenticated remote code execution as root during Telnet negotiation. The flaw originates in the SLC handler which writes into a fixed 108‑byte buffer without bounds checking, producing an arbitrary write. Dream notified maintainers on March 11 and a patch was prepared the next day; administrators should disable telnetd, restrict or block TCP/23, or migrate to SSH until updates are applied.
read more →

Preventing Privilege Escalation via Password Resets

🔒 Many organizations invest heavily in login protections but leave password reset paths less scrutinized, creating an easy escalation route once attackers gain a foothold. The article explains common abuse scenarios — from helpdesk social engineering and intercepted reset tokens to misuse by over-permissioned admins — and recommends seven practical mitigations, including MFA, device posture checks, strict password policies, and avoiding knowledge-based authentication. It also highlights Specops tools to harden reset workflows and block breached passwords.
read more →

Ubiquiti patches UniFi flaw that may enable takeover

🔒 Ubiquiti has released patches for two vulnerabilities in the UniFi Network application, including a maximum-severity path traversal flaw tracked as CVE-2026-22557. The path traversal affects versions up to 10.1.85 and is addressed in 10.1.89 and later; a separate authenticated NoSQL injection that could enable privilege escalation has also been fixed. Administrators should update to 10.1.89 or later and apply vendor fixes to mitigate account takeover and escalation risks.
read more →

Schneider Electric PME/EPO Deserialization Vulnerability

⚠️ Schneider Electric disclosed a deserialization-of-untrusted-data vulnerability affecting EcoStruxure Power Monitoring Expert (PME) and the Advanced Reporting and Dashboards module for EcoStruxure Power Operation (EPO). A locally authenticated attacker can supply crafted data to trigger unsafe deserialization and achieve arbitrary code execution with administrative privileges. Schneider has released hotfixes and recommends upgrading to PME 2024 R3; contact Customer Care to obtain fixes. Hotfixes for supported branches report no reboot required.
read more →

ConnectWise fixes ScreenConnect signature flaw, critical

🔒 ConnectWise warned customers about a critical cryptographic signature verification bug in ScreenConnect (tracked as CVE-2026-3564) that affects versions prior to 26.1 and can enable unauthorized session authentication and privilege escalation. The vulnerability allows attackers who obtain ASP.NET machine key material to generate or modify protected values the server will accept, potentially resulting in hijacked sessions and elevated access. ConnectWise patched the issue in ScreenConnect 26.1 by adding encrypted storage and improved handling for machine keys; cloud-hosted instances were auto-upgraded while on-premises administrators must upgrade immediately. The vendor reported observed attempts to abuse disclosed machine key material in the wild but has no confirmed evidence of exploitation against ConnectWise-hosted instances and urges responsible disclosure of active findings.
read more →

Ubuntu Desktop Flaw Allows Local Elevation to Root

⚠ A local privilege escalation vulnerability (CVE-2026-3888) affects default installations of Ubuntu Desktop 24.04 and later, enabling attackers with low-level access to obtain full root privileges. The flaw stems from an interaction between snap-confine and systemd-tmpfiles that enables a timing-based attack leveraging automated temporary-file cleanup. Exploitation requires patience due to a built-in 10–30 day cleanup window, but no user interaction is needed; Qualys rated the issue CVSS 7.8 and urges immediate upgrade to patched snapd releases.
read more →

Ubuntu CVE-2026-3888: snap-confine Privilege Escalation

⚠️ A high-severity vulnerability tracked as CVE-2026-3888 affects default Ubuntu Desktop installations starting with 24.04, allowing an unprivileged local attacker to escalate to root by abusing the interaction between snap-confine and systemd-tmpfiles. The exploit relies on a timing window (roughly 10–30 days) in which systemd-tmpfiles removes stale /tmp entries, enabling an attacker to recreate sandbox directories with malicious payloads that are later bind-mounted as root. Ubuntu and upstream snapd have released patches; administrators should upgrade snapd and follow vendor guidance to mitigate exposure.
read more →

CrackArmor: AppArmor Linux Flaws Allow Local Root Access

🛡️ Qualys TRU has disclosed 'CrackArmor,' a set of nine AppArmor vulnerabilities present since Linux kernel 4.11 (2017). These AppArmor flaws allow local, unprivileged users to manipulate security profiles via kernel pseudo-files, enabling local privilege escalation, container isolation bypass, Denial-of-Service and potential kernel-memory exposure. Qualys developed proof-of-concept exploits but has not publicly released the code to limit risk. Organizations should prioritize applying vendor kernel updates and scanning for affected systems.
read more →

Microsoft Removes Samsung App After C: Drive Access Issues

⚠️ Microsoft removed the Samsung Galaxy Connect app from the Microsoft Store after a joint investigation concluded the app (used for screen mirroring, file sharing and data transfer) was triggering "C:\ is not accessible – Access denied" errors on certain Windows 11 Samsung Galaxy Book 4 and desktop models. Affected users reported blocked applications, failure to access files, and privilege elevation problems that impeded diagnostics. Samsung republished a stable previous version to stop further occurrences, but recovery options for impacted devices remain limited. Microsoft and Samsung have not published a workaround yet; users should contact Samsung for device-specific support.
read more →

Nine Critical AppArmor Flaws Expose Millions of Linux Hosts

⚠ Qualys disclosed nine critical vulnerabilities in AppArmor, the Linux Security Module enabled by default on Ubuntu, Debian, and SUSE. Dubbed “CrackArmor,” the flaws date back to the Linux 4.11 kernel and allow an unprivileged local user to manipulate profiles to gain full root, escape containers, or crash systems. Qualys estimates over 12.6 million exposed enterprise instances and emphasizes immediate kernel patching; fixes have been landed upstream in coordination with major distro maintainers.
read more →

CrackArmor: Nine AppArmor Flaws Enable Local Root Escalation

🔒 Qualys Threat Research Unit disclosed nine vulnerabilities collectively named CrackArmor in the Linux kernel's AppArmor module that let unprivileged users tamper with security profiles, bypass user-namespace restrictions, and escalate to root. Qualys says the problems have existed since 2017 and affect kernels since 4.11, with no CVEs assigned yet. The vendor is withholding PoC exploits and urges immediate kernel patching across affected distributions such as Ubuntu, Debian, and SUSE.
read more →

Apple Backports Coruna Exploit Patches to Older iPhones

🔒 Apple has released security updates that backport fixes for vulnerabilities exploited by the Coruna exploit kit to older iPhones and iPads that cannot run the latest iOS releases. The patches, issued as iOS/iPadOS 15.8.7 and 16.7.15 builds, remediate kernel and WebKit issues — including CVE-2023-41974, CVE-2024-23222, CVE-2023-43000 and CVE-2023-43010 — to prevent privilege escalation and remote code execution. Affected legacy devices include a range of iPhone 6s through iPhone X models, multiple iPad Air/Pro and mini models, and the 7th‑gen iPod touch.
read more →