< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles

Ubiquiti issues urgent UniFi security patches

πŸ”’ Ubiquiti has released updates to remediate several critical vulnerabilities across UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. The flaws include command injection, authenticated SQL injection, SSRF, and improper access control, with multiple CVSS scores at or near 10.0. Affected versions are identified for each product and updated builds are available that address the issues.
read more β†’

CISA directs federal patch for ColdFusion zero-day

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch an actively exploited, maximum-severity vulnerability in Adobe ColdFusion (CVE-2026-48282) by Friday. Adobe published fixes for affected ColdFusion versions last week and urged administrators to install updates immediately. The flaw enables unauthenticated remote code execution in low-complexity attacks and has been observed in the wild soon after disclosure. CISA added the issue to its KEV catalog and invoked BOD 26-04 to enforce remediation timelines for FCEB agencies.
read more β†’

Critical Dialogflow CX 'Rogue Agent' code execution flaw

πŸ›‘οΈ A critical flaw in Google Dialogflow CX's Code Blocks could let an attacker with edit rights on one agent compromise other Code Block-enabled agents in the same Google Cloud project. Varonis named the issue Rogue Agent; it required the dialogflow.playbooks.update permission and thus implied a malicious insider or compromised developer account rather than an unauthenticated internet attacker. Google fixed the vulnerability after Varonis disclosed it via the VRP; there are no signs of exploitation.
read more β†’

Max-severity Adobe ColdFusion flaw being actively exploited

πŸ”§ Adobe has issued emergency updates to fix a maximum-severity ColdFusion vulnerability (CVE-2026-48282) that is now being actively exploited, the Canadian Center for Cyber Security (CCCS) warned. The flaw affects ColdFusion 2025.9, 2023.20, and earlier, enabling unauthenticated remote code execution on unpatched systems. Adobe urges administrators to install the patch immediately, and Shadowserver reports nearly 800 exposed ColdFusion instances online.
read more β†’

Seven vulnerabilities disclosed in ubiquitous FatFs library

πŸ”’ Security firm runZero disclosed seven vulnerabilities in the FatFs filesystem library used to read FAT/exFAT on many embedded devices. The bugsβ€”rated Medium to Highβ€”can lead to memory corruption, crashes, data leaks, or code execution when a device mounts malformed media or firmware images. Only the GPT hang issue is fixed upstream; most fixes must come from downstream vendors who bundle FatFs. runZero published PoCs and urges vendors and integrators to audit wrappers and treat physical ports and update channels as attack surfaces.
read more β†’

Argo CD flaw highlights GitOps as tier-zero risk

πŸ”’ A critical vulnerability in Argo CD repo-server exposes risks inherent to GitOps platforms. Synacktiv found the unauthenticated GenerateManifest gRPC endpoint can be abused via Kustomize/Helm options to execute commands if an attacker can reach both the repo-server and Redis ports. The issue affects typical Helm deployments where Kubernetes network policies are not enabled by default, enabling lateral movement from a compromised pod. Synacktiv disclosed details July 1, 2026 and recommends strict network segmentation until a patch is available.
read more β†’

CISA Adds SharePoint RCE CVE-2026-45659 to KEV Catalog

πŸ”’ CISA has added a high-severity SharePoint Server vulnerability, CVE-2026-45659 (CVSS 8.8), to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. Microsoft patched the deserialization-based remote code execution flaw in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. The issue can be triggered by any authenticated attacker with as little as Site Member permissions and does not require elevated privileges. Federal agencies are advised to apply updates by July 4, 2026, while Microsoft assesses public exploitation as "Exploitation Less Likely."
read more β†’

Cursor IDE sandbox bypasses enable RCE via prompt injection

πŸ›‘οΈ Researchers discovered two vulnerabilities in the Cursor AI-enabled IDE that enable prompt-injection-driven remote code execution by escaping the command execution sandbox. The flaws, CVE-2026-50548 and CVE-2026-50549, allow attackers to change the working directory and exploit symlink canonicalization fallbacks to write or overwrite files outside the project scope. Cursor patched the issues in version 3.0, and the findings underscore broader risks in agentic AI workflows and the difficulty of defending against prompt injection.
read more β†’

Unpatched Argo CD repo-server flaw risks code execution

πŸ”’ Synacktiv disclosed an unpatched vulnerability in Argo CD's repo-server that allows unauthenticated attackers to execute arbitrary commands if they can reach the component's internal gRPC port. The flaw abuses kustomize's --helm-command option to run attacker-controlled scripts, demonstrated against Argo CD v2.13.3, and can lead to full cluster takeover by leveraging exposed Redis credentials. There is no fixed release or CVE; operators must enable Kubernetes network policies to isolate repo-server and Redis until a patch is available.
read more β†’

Adobe fixes critical ColdFusion and Campaign flaws

πŸ›‘οΈ Adobe released urgent patches addressing multiple maximum-severity vulnerabilities in ColdFusion and Adobe Campaign Classic, including several CVSS 10.0 issues. The ColdFusion fixes are included in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, while the Campaign patch is in ACC v7: 7.4.3 build 9397. Adobe reports no known active exploitation and credited external researchers for several reports.
read more β†’

Critical Cursor sandbox escape bugs demand urgent patch

πŸ›‘οΈ Two high-severity flaws in the Cursor AI code editor allow a crafted prompt to escape the editor's sandbox and execute arbitrary commands on a developer's machine without any user interaction. Discovered by Cato AI Labs as DuneSlide and tracked as CVE-2026-50548 and CVE-2026-50549 (both rated 9.8), the issues are patched in Cursor 3.0 released April 2; versions before 3.0 are affected. The vulnerabilities exploit how Cursor handles a tool parameter and symlink resolution to cause writes that disable the sandbox, enabling full code execution as the user.
read more β†’

Adobe fixes seven critical ColdFusion and Campaign flaws

πŸ›‘οΈ Adobe released patches addressing seven maximum-severity vulnerabilities in ColdFusion and Campaign Classic. These issues allow low-complexity, no-interaction attacks and were assigned priority 1, prompting administrators to update within 72 hours. Six flaws impact ColdFusion 2025.9, 2023.20 and earlier, enabling remote code execution, while one affects on-premises Campaign Classic builds and may permit arbitrary code execution in the user context.
read more β†’

Critical Progress Kemp LoadMaster API RCE Patch

πŸ›‘οΈ A critical vulnerability in Progress Kemp LoadMaster allows unauthenticated attackers to execute arbitrary commands as root by sending a crafted request to the appliance API. Tracked as CVE-2026-8037 with a ZDI CVSS of 9.8, Progress published an advisory on June 4 and released patches (GA v7.2.63.2 and LTSF v7.2.54.18). Researchers at watchTowr Labs published a technical write-up and proof-of-concept on June 29; administrators should update immediately if the API is enabled.
read more β†’

Critical libssh2 Integer Overflow POC Released

πŸ›‘οΈ A public proof-of-concept is available for CVE-2026-55200, a critical libssh2 flaw that allows a malicious SSH server to trigger memory corruption on connecting clients, potentially enabling code execution without credentials or user interaction. The bug affects all releases up to 1.11.1 and scores 9.2 (CVSS 4.0). It stems from an unbounded packet_length parsed during the SSH handshake, producing a 32-bit wrap and an out-of-bounds heap write. A patch was merged on June 12 and the CVE published June 17; distributions are backporting fixes while a tagged release is prepared.
read more β†’

Critical PTC Windchill PLM Flaw Under Active Exploitation

πŸ›‘οΈ Hackers are exploiting a critical unsafe deserialization vulnerability in PTC Windchill and FlexPLM that enables remote code execution. The flaw, tracked as CVE-2026-12569 and scored 9.3 CVSS, affects the Windchill PDMLink web component. PTC issued mitigations and patches on June 17–19 and provided indicators of compromise after reports of web shell deployment. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog.
read more β†’

CISA Adds PTC Windchill RCE to KEV Catalog

πŸ”’ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical RCE vulnerability affecting PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The flaw, tracked as CVE-2026-12569 with a CVSS score of 9.3, allows arbitrary code execution via improper input validation and deserialization of untrusted data. Patches were released last week, but PTC warns of ongoing attacks deploying JSP web shells and published IoCs and mitigations.
read more β†’

Critical FFmpeg MagicYUV Flaw Demands SBOM Focus

πŸ”’ A critical heap out-of-bounds write in the MagicYUV decoder of FFmpeg (CVE-2026-8461), dubbed PixelSmash, can crash applications or enable remote code execution. Researchers at JFrog demonstrated full exploits against Jellyfin and Nextcloud by uploading crafted media files; any app using libavcodec is potentially affected. Users and vendors should upgrade to FFmpeg 8.1.2 or disable the MagicYUV decoder if unused.
read more β†’

FFmpeg patches PixelSmash MagicYUV vulnerability

πŸ›‘οΈ FFmpeg fixed a high-severity heap out-of-bounds flaw dubbed PixelSmash (CVE-2026-8461) in the MagicYUV decoder that can be triggered by crafted AVI, MKV, or MOV files. The bug allows denial-of-service in many media apps and can enable remote code execution in specific setups β€” for example, Jellyfin and Nextcloud instances β€” particularly if ASLR is disabled or chained with another vulnerability. FFmpeg 8.1.2 addresses the issue and vendors are updating or applying mitigations.
read more β†’

Microsoft fixes AutoGen Studio flaw enabling code execution

πŸ›‘οΈ Microsoft patched a vulnerability chain named AutoJack in AutoGen Studio that could allow a visiting webpage to coerce a developer’s AI agent into executing arbitrary commands on the host. AutoGen Studio is the graphical interface for Microsoft’s open-source AutoGen framework for multi-agent AI systems; the flaw was fixed during development and never shipped in a PyPI release. The issue affected developers who built from the main GitHub branch in a limited window and allowed attacker-supplied commands to be launched with the developer’s account privileges. Microsoft urges running AutoGen Studio only as a developer prototype in isolated, low-privilege environments and avoiding exposure to untrusted content.
read more β†’

AutoJack exploit chains AI agent to local code execution

πŸ”’ Microsoft researchers disclosed AutoJack, an exploit chain that lets an AI browsing agent load a malicious web page which then reaches a privileged local service and spawns processes on the host. The issue resides in AutoGen Studio's MCP WebSocket handler, present only in two pre-release PyPI builds (0.4.3.dev1 and dev2). A vanilla pip install (0.4.2.2) is not affected; fixes are merged to GitHub main but not yet released on PyPI.
read more β†’