< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 8 of 13

Talos Discloses DirectX, OpenFOAM, Libbiosig Vulnerabilities

🛡️ Cisco Talos’ Vulnerability Discovery & Research team disclosed multiple vulnerabilities affecting Microsoft DirectX, OpenCFD OpenFOAM, and the BioSig project’s libbiosig library. Most issues have been patched by their respective vendors in accordance with Cisco’s disclosure policy, while the DirectX local privilege escalation remains unpatched. Talos published detailed advisories and Snort rule guidance to detect exploitation. Affected CVEs include CVE-2025-68623, CVE-2025-61982, CVE-2025-64736, CVE-2026-22891, and CVE-2026-20777.
read more →

Microsoft Patches Two Publicly Disclosed Zero-Day Flaws

🔒 Microsoft released its March Patch Tuesday updates addressing 79 vulnerabilities, including two publicly disclosed zero-day flaws. The zero-days are CVE-2026-21262, an SQL Server elevation-of-privilege issue (CVSS 8.8), and CVE-2026-26127, a .NET denial-of-service vulnerability. Security researchers warn that while only three flaws were rated critical, the bulk of fixes are elevation-of-privilege bugs in core Windows components and should be prioritised to avoid escalation chains and operational disruption.
read more →

Microsoft March Patch Tuesday: 84 Flaws, 2 Zero-Days

🔒Microsoft released its March Patch Tuesday updates addressing 84 security vulnerabilities, including two publicly disclosed zero-days. Of the fixes, eight are rated Critical and 76 Important, spanning privilege escalation, remote code execution, information disclosure and other classes. The highest-scoring issue is CVE-2026-21536 (CVSS 9.8) in the Microsoft Devices Pricing Program, which Microsoft says is fully mitigated. Administrators should review MSRC advisories and apply updates based on risk and exposure.
read more →

Microsoft Patch Tuesday — March 2026 Security Fixes

🔒 Microsoft released fixes for at least 77 vulnerabilities across Windows and related products in its March 2026 Patch Tuesday. Two issues were previously disclosed publicly, including a SQL Server privilege elevation (CVE-2026-21262) that can allow network-based escalation to sysadmin. Several critical remote code execution bugs in Microsoft Office and other components, plus a notable AI-discovered 9.8-rated RCE (CVE-2026-21536), merit prioritized attention. Administrators should review privilege escalation and RCE patches first and monitor for any post-update issues.
read more →

Critical WordPress plugin bug lets attackers create admins

⚠️ A critical vulnerability in the User Registration & Membership WordPress plugin (CVE-2026-1492, CVSS 9.8) is being actively exploited to create unauthenticated administrator accounts. The flaw allows attackers to supply a role during membership registration and obtain full admin privileges. Defiant's Wordfence blocked over 200 exploit attempts in the past 24 hours, indicating live attacks. WPEverest released a fix in 5.1.3 (the article notes 5.1.4 was released last week); update immediately or disable the plugin until you can patch.
read more →

Hitachi Energy Relion REB500 Privilege Escalation Fix

⚠️ Hitachi Energy disclosed authentication-based directory access vulnerabilities in the Relion REB500 product (firmware versions ≤ 8.3.3.0), tracked as CVE-2026-2459 and CVE-2026-2460. Authenticated users with certain roles can access and modify directories beyond their authorization. The vendor advises updating to REB500 v8.3.3.1 and recommends disabling or tightly controlling the Installer role as an interim mitigation.
read more →

Portwell Engineering Toolkits Vulnerability: CVE-2026-3437

⚠️ CISA warns of a high-severity driver vulnerability, CVE-2026-3437, in Portwell Engineering Toolkits v4.8.2 allowing a local authenticated user to read and write arbitrary memory. The flaw (CWE-119) can enable privilege escalation or denial-of-service, and carries a CVSS v3.1 base score of 8.8. Portwell has not responded to CISA coordination requests; users should minimize device exposure and contact Portwell support for guidance.
read more →

Chrome WebView Flaw Allowed Malicious Extension Abuse

🔒 Google patched a high-severity WebView policy enforcement bug, CVE-2026-0628 (CVSS 8.8), in early January 2026 that could let a malicious extension inject scripts or HTML into the browser's new Gemini side panel. Discovered by Palo Alto Networks Unit 42 researcher Gal Weizman, the flaw could have enabled privilege escalation to access local files, take screenshots, and turn on camera or microphone without consent. The fix shipped in Chrome 143.0.7499.192/.193 (Windows/Mac) and 143.0.7499.192 (Linux).
read more →

Chrome Gemini Vulnerability Allowed Extension Hijack

🛡 Unit 42 discovered CVE-2026-0628, a high-severity flaw in Chrome's new Gemini Live panel that allowed extensions with only declarativeNetRequest permissions to inject JavaScript into the privileged panel context. That injection could escalate extension privileges to access camera and microphone, read local files, take screenshots and render phishing content inside a trusted browser UI. Google was notified on 2025-10-23 and issued a patch in early January 2026. Palo Alto Networks recommends mitigations such as Prisma Browser and related protections.
read more →

Critical Juniper PTX Flaw Enables Full Router Takeover

🚨 A critical privilege escalation vulnerability in Junos OS Evolved on PTX Series routers (CVE-2026-21902) can allow unauthenticated remote code execution as root by exposing the On-Box Anomaly Detection framework on an externally accessible port. Because the service runs as root and is enabled by default, an attacker with network access could fully compromise affected devices. Juniper released fixes in 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO, and recommends applying updates, restricting access with firewall filters or ACLs, or disabling the service using request pfe anomalies disable.
read more →

Critical Serv-U RCE Flaws Extend SolarWinds Risk Profile

⚠ SolarWinds has issued four critical patches for its Serv-U managed file transfer server to remediate remote code execution and broken access-control vulnerabilities that can lead to root or other privileged account takeover. The most severe, CVE-2025-40538, can create system admin users and execute arbitrary code, while CVE-2025-40539 and CVE-2025-40540 are type confusion flaws and CVE-2025-40541 is another broken access-control issue. Organizations should treat this as a high-urgency patch event: update immediately, verify internet exposure, check logs for signs of compromise, and rotate associated credentials.
read more →

Wormable XMRig Campaign Uses BYOVD to Boost Hashrate

🛡️ Trellix researchers describe a wormable cryptojacking campaign that lures victims with pirated software bundles to deploy a custom XMRig miner and a modular dropper that acts as installer, watchdog, payload manager, and cleaner. The binary uses command-line mode switching to install, restart, monitor, or self-destruct and contains a time-based logic bomb that triggers decommissioning after December 23, 2025. The actors abuse a flawed driver, WinRing0x64.sys (CVE-2020-14979), in a BYOVD chain to escalate privileges and boost RandomX hashrate by an estimated 15–50%. Responders advise blocking vulnerable drivers, scanning for artifacts, restricting removable media execution, enforcing least privilege, and applying relevant patches.
read more →

Windows Admin Center: Microsoft Patches Privilege Bug

🔒 Microsoft disclosed and patched a high-severity flaw in Windows Admin Center that could allow an attacker to escalate privileges. Tracked as CVE-2026-26119 with a CVSS score of 8.8, Microsoft credited Semperis researcher Andrea Pierini and included the fix in Windows Admin Center version 2511 (Dec 2025). The vendor described the issue as improper authentication and tagged it as Exploitation More Likely; technical details are currently restricted. Administrators are advised to apply the update promptly and restrict access to the management endpoint.
read more →

Siemens SINEC NMS and UMC DLL Load Vulnerabilities

⚠️ Siemens has published fixes for two local privilege escalation vulnerabilities affecting SINEC NMS and the User Management Component (UMC). A low-privileged user could modify configuration files to force the application to load malicious DLLs, potentially enabling arbitrary code execution with elevated (including SYSTEM) privileges. The issues are tracked as CVE-2026-25655 and CVE-2026-25656 (CWE-427) with a CVSS v3.1 base score of 7.8. Administrators should apply SINEC NMS V4.0 SP2 and UMC V2.15.2.1 or later as provided by Siemens ProductCERT.
read more →

ZLAN5143D Critical Authentication Bypass and Reset Flaws

⚠️ CISA reports two critical authentication vulnerabilities in ZLAN Information Technology Co. ZLAN5143D v1.600. CVE-2026-25084 allows authentication bypass via direct access to internal URLs, while CVE-2026-24789 exposes an unprotected API that enables remote password changes without credentials. Both are scored CVSS 3.1 9.8. CISA notes the vendor did not respond to coordination; users should minimize network exposure, restrict internet access to devices, contact the vendor, and keep systems updated.
read more →

Critical n8n Vulnerabilities Allow Remote Code Execution

🔒 Multiple critical vulnerabilities in the open-source workflow platform n8n (tracked as CVE-2026-25049) allow any authenticated user who can create or edit workflows to escape sandboxing and execute arbitrary code on the host server. Independent researchers at Pillar Security, Endor Labs and SecureLayer7 identified sanitization and AST-sandboxing bypasses — including a type-confusion issue and Function-constructor exploits — enabling access to Node.js globals, the filesystem, credentials and connected cloud accounts. n8n released fixes (notably 2.4.0, later 2.5.2 and 1.123.17) and recommends immediate patching, rotating the N8N_ENCRYPTION_KEY and stored credentials, and limiting workflow creation until environments are hardened.
read more →

Mitsubishi FREQSHIP-mini for Windows: Incorrect Permissions

⚠️ A high-severity vulnerability (CVE-2025-10314) affects Mitsubishi Electric FREQSHIP-mini for Windows versions 8.0.0 through 8.0.2 due to incorrect default permissions. A local attacker with write access to the installation directory could replace service executables or DLLs and execute code with SYSTEM privileges, potentially modifying or destroying data or causing denial of service. Mitsubishi released version 8.1.0 to address the issue; administrators should install the update and apply vendor mitigations, limit remote access, and maintain endpoint protections.
read more →

Privileged File System Flaw in Iconics Suite CVE-2025-0921

🔒 Unit 42 researchers discovered CVE-2025-0921, a privileged file system operations vulnerability in Iconics Suite (GENESIS64) that can be abused to corrupt critical binaries and cause a denial-of-service. The issue affects certain Windows deployments of Iconics Suite and can be chained with CVE-2024-7587 (GenBroker32 installer) to gain effective write access to protected log paths. Iconics released an advisory and a workaround that, if applied, mitigates the reported issues; organizations should apply vendor guidance and limit local write access to application directories.
read more →

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.
read more →

Osiris Ransomware Employs POORTRY Driver to Evade Detection

🔒 Symantec and Carbon Black disclosed a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. The attackers deployed a bespoke malicious driver named POORTRY in a BYOVD-style technique to disable security tooling and elevate privileges, and they exfiltrated data to Wasabi cloud buckets using Rclone before encryption. Osiris uses a hybrid per-file encryption scheme that generates unique keys per file, can stop services and terminate processes, and targets numerous backup and productivity services; defenders are advised to limit RDP exposure, monitor dual‑use tools, enforce MFA, adopt application allowlisting where feasible, and maintain off-site backups.
read more →