< ciso
brief />
Tag Banner

All news with #privilege escalation tag

259 articles · page 9 of 13

Schneider Electric EcoStruxure Privilege Escalation Fix

⚠️ Schneider Electric has issued a fix for a local privilege escalation vulnerability in EcoStruxure Process Expert (CVE-2025-13905) caused by incorrect default permissions. An attacker with local access could modify executable service binaries and gain elevated privileges when services restart. Version 2025 contains the vendor fix; interim mitigations include application whitelisting and restricting privileged accounts.
read more →

Hubitat Elevation Privilege Escalation Vulnerability

⚠️ CISA warns of an Authorization Bypass Through User-Controlled Key flaw (CVE-2026-1201) in Hubitat Elevation controllers that can allow an authenticated user to escalate privileges and control devices beyond their authorized scope. Affected models — C3, C4, C5, C7, C8, and C8 pro — are vulnerable prior to firmware 2.4.2.157. The issue carries a CVSS v3.1 base score of 9.1 (CRITICAL). Hubitat has released firmware 2.4.2.157 and CISA recommends timely upgrades and standard network isolation measures.
read more →

Weintek cMT X Series Privilege Escalation Vulnerabilities

🔒 CISA reports two high-severity vulnerabilities in Weintek cMT X Series HMI devices that allow low-privileged users to escalate privileges and potentially take full control of affected units. Both issues (CVE-2025-14750 and CVE-2025-14751) receive a CVSS 3.1 base score of 8.3. Vendor firmware updates are available for specific models; apply vendor-supplied patches and follow network-segmentation mitigations.
read more →

ACF Extended Bug Lets Attackers Gain Admin Access Now

⚠️ A critical vulnerability in ACF Extended (CVE-2025-14533) allows unauthenticated attackers to obtain administrative privileges by abusing the plugin's 'Insert User / Update User' form action in versions up to 0.9.2.1. The flaw fails to enforce role restrictions at the form level, enabling attackers to set arbitrary roles, including administrator, when a role field is present. The vendor released a patch in version 0.9.2.2 on December 14, 2025; administrators should update immediately and audit any forms that create or update users because roughly 50,000 sites may still be exposed.
read more →

CODESYS Runtime Vulnerabilities Affecting Schneider Electric

⚠️ Schneider Electric warns that multiple vulnerabilities in the CODESYS Runtime System V3 communication server affect many Schneider products and third-party devices embedding CODESYS. Exploitable issues include denial-of-service and, in some configurations, remote code execution; several CVEs carry CVSS scores up to 8.8. Schneider has published patches and mitigations for many affected product families; operators should apply vendor updates and follow immediate network and access controls to reduce exposure.
read more →

ServiceNow BodySnatcher Flaw Exposes AI Agent Risks

⚠️ Research firm AppOmni disclosed a critical privilege-escalation vulnerability called BodySnatcher in ServiceNow’s Now Assist AI Agents and Virtual Agent API that could let unauthenticated actors execute workflows as arbitrary users. ServiceNow says hosted instances were patched at the end of October and customers should upgrade to specified Now Assist and Virtual Agent API versions. AppOmni warns that default example agents and permissive authentication choices mean similar risky configurations could still exist in custom code or third-party integrations, and recommends enforcing MFA, reviewing agents, and applying the updates promptly.
read more →

Google Vertex AI permissions raise insider threat risks

⚠️ XM Cyber disclosed privilege-escalation flaws in Google’s Vertex AI that let low‑privileged users manipulate Google-managed Service Agents to gain elevated project-wide permissions. Google told XM Cyber this behavior is "working as intended." Security experts warn that managed service identities and insecure defaults create invisible, structural risks. CISOs are urged to audit service identities, reduce authentication scope, and monitor agent activity like privileged users.
read more →

Modular DS Flaw Lets Attackers Gain Instant WordPress Admin

🔓 Modular DS versions 2.5.1 and earlier contain a critical privilege-escalation bug (CVE-2026-23550) that lets unauthenticated attackers gain full WordPress admin access by calling unprotected API routes under /api/modular-connector/. Patchstack reported active exploitation and the vendor released Modular DS 2.5.2 on January 14, 2026. Administrators should update immediately, check for rogue admin accounts, enable two-factor authentication, apply IP restrictions, and consider Patchstack’s mitigation rules if immediate patching isn’t possible.
read more →

Critical Modular DS WordPress Flaw Enables Admin Takeover

⚠️ Patchstack reports a maximum-severity vulnerability (CVE-2026-23550, CVSS 10.0) in the Modular DS WordPress plugin affecting all versions up to and including 2.5.1. The flaw permits unauthenticated privilege escalation via routes under /api/modular-connector/ when the "direct request" mode with an "origin=mo" parameter is used, bypassing authentication. Exploitation was observed beginning Jan 13, 2026, and the issue is patched in 2.5.2; administrators should update immediately.
read more →

AVEVA Process Optimization: Multiple Critical Flaws

⚠️ AVEVA has released patches for multiple vulnerabilities in Process Optimization that could allow remote code execution, SQL injection, privilege escalation, and disclosure of sensitive data. The most severe, CVE-2025-61937, permits unauthenticated remote code execution at OS System privileges (CVSS 10.0). AVEVA's remediation requires updating to Process Optimization v2025; CISA and the vendor also recommend firewall restrictions, ACLs, and ensuring encrypted channels.
read more →

AI Agents Become Hidden Privilege Escalation Paths

🔒 Organizational AI agents are increasingly embedded in critical workflows and often run under shared service identities with broad, long-lived permissions. Because actions execute under the agent identity, users can indirectly obtain access they don’t have, and audit logs typically attribute activity to the agent rather than the initiating user. This creates invisible privilege-escalation paths and complicates least-privilege enforcement. Wing is cited for continuously discovering agents, mapping their access to critical assets, and restoring visibility and accountability.
read more →

Siemens TeleControl Server Basic Privilege Escalation

⚠ Siemens disclosed a local privilege escalation vulnerability (CVE-2025-40942) in TeleControl Server Basic affecting product versions earlier than V3.1.2.4. The flaw could allow an attacker with local access to execute arbitrary code with elevated privileges and is rated High under CVSS 3.1 (8.8). Siemens released V3.1.2.4 to remediate the issue. Administrators should apply the update promptly and follow network-segmentation and access-control best practices to reduce exposure.
read more →

Microsoft Releases Windows 10 KB5073724 ESU Update

🔒 Microsoft released the KB5073724 Extended Security Update for Windows 10, available to Windows 10 Enterprise LTSC and systems enrolled in the ESU program. Install via Settings → Windows Update by performing a manual “Check for Updates”; installs update and raises builds to 19045.6809 (Windows 10) and 19044.6809 (Enterprise LTSC 2021). The update contains only security and bug fixes — including patches for three zero-days, an actively exploited elevation-of-privilege fix in Agere modem drivers, an updated WinSqlite3.dll, and targeted handling for expiring Secure Boot certificates.
read more →

Trend Micro Patches Critical Flaws in Apex Central

🛡️ Trend Micro has released a security update for Apex Central after vulnerability management vendor Tenable identified multiple serious flaws affecting all on-premises builds earlier than 7190. The most severe is a 9.8-rated LoadLibraryEX issue that can allow an unauthenticated attacker to force the server to load and execute an attacker-controlled DLL as SYSTEM. Two additional high-severity, unauthenticated flaws can cause denial-of-service. Trend Micro urges customers to apply build 7190 and review remote access controls immediately.
read more →

Coolify patches 11 critical flaws enabling root compromise

🔒 Researchers disclosed 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, including multiple authenticated command injections, remote code execution, container escape and an information disclosure of the root SSH private key. Several issues carry CVSS scores of 9.4–10.0 and allow attackers with low or moderate privileges to execute arbitrary commands as root or obtain persistent access. Operators should upgrade to patched releases or apply vendor mitigations immediately.
read more →

Critical Veeam Backup & Replication Flaws Require Patch

🔒 Veeam has released a patch addressing four vulnerabilities in Backup & Replication v13 that let users with Backup Admin, Backup Operator, or Tape Operator roles exceed intended privileges. The most severe, CVE-2025-59470 (CVSS 9.0), can enable remote code execution as the Postgres user; others permit file writes as root or RCE via malicious configuration files. Veeam recommends immediate installation of version 13.0.1.1071; the vendor says core backup data remains immutable and intact.
read more →

Mustang Panda Uses Signed Kernel Driver to Deploy TONESHELL

🔒 Kaspersky observed Mustang Panda leveraging a signed, previously undocumented kernel‑mode rootkit driver to deliver a new TONESHELL backdoor in mid‑2025 against targets in Asia. The driver, tracked as ProjectConfiguration.sys, uses an old certificate issued to Guangzhou Kingteller Technology Co., Ltd., likely leaked or stolen, and registers as a high‑altitude minifilter to intercept I/O. It spawns an injected svchost.exe and loads a memory‑only TONESHELL implant that communicates with C2 servers and resists disk‑based detection.
read more →

Webrat Lures Researchers with Fake GitHub Exploit PoCs

🐀 Attackers are hosting counterfeit proof-of-concept exploit repositories on GitHub to deliver the Webrat backdoor to unsuspecting users. Kaspersky analysts observed polished, likely machine-generated README files that mask a password-protected ZIP; the archive password is hidden in filenames and often missed. Inside are decoy DLLs, batch loaders and executables (e.g., rasmanesc.exe) that disable Windows Defender, escalate privileges, and fetch the real payload from hardcoded C2 servers. The campaign, active since at least September 2025, appears tuned to catch novice researchers and students who analyze PoCs outside isolated environments.
read more →

WebRAT Distributed via Fake PoC Exploits on GitHub

🛡️ Kaspersky researchers found WebRAT backdoor being distributed through GitHub repositories that posed as proof‑of‑concept exploits for recently disclosed vulnerabilities. The malicious packages were delivered as password‑protected ZIPs containing a corrupted decoy DLL, a batch script, and a main dropper named rasmanesc.exe that elevates privileges, disables Defender, and downloads WebRAT. All identified repositories have been removed, but developers are urged to verify PoC sources and test untrusted code in isolated environments.
read more →

UEFI IOMMU Flaw Lets Early-Boot DMA Bypass on Motherboards

⚠️ Certain motherboard models from vendors including ASRock, ASUS, GIGABYTE, and MSI are affected by a firmware flaw that reports DMA protection as active but fails to initialize the IOMMU during early boot. That discrepancy allows a physically present attacker with a DMA-capable PCIe device to read or modify system memory and potentially enable pre-boot code injection before OS protections load. CERT/CC warned the gap undermines boot integrity and access to sensitive memory. Affected vendors have released firmware updates to correct the IOMMU initialization sequence; users and administrators should apply patches promptly.
read more →