< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 10 of 35

Mass Credential Theft via CVE-2025-55182 Targets Next.js

🔓 Cisco Talos has linked a large-scale credential harvesting campaign to a threat cluster tracked as UAT-10608 that exploited CVE-2025-55182 in React Server Components and the Next.js App Router to breach at least 766 hosts. The intruders deployed a multi-stage dropper that collected environment variables, SSH keys, cloud metadata credentials, API keys, and other secrets before aggregating them in a password-protected web GUI called NEXUS Listener. Researchers accessed an exposed instance and observed a broad array of stolen items, including Stripe keys, GitHub tokens, AI platform keys, webhook secrets, and database connection strings. Organizations are urged to patch vulnerable Next.js deployments, enforce least privilege, enable IMDSv2, rotate credentials, and implement secret scanning.
read more →

Cisco Patches Critical IMC and SSM Flaws (CVSS 9.8)

🔒 Cisco released patches for two critical vulnerabilities in its management software that carry a CVSS score of 9.8. CVE-2026-20093 in the Integrated Management Controller (IMC) allows an unauthenticated attacker to bypass authentication and change any user password via a crafted HTTP request. CVE-2026-20160 affects Smart Software Manager On‑Prem and can enable remote command execution as root due to an exposed internal service. Cisco provided fixed releases and urges customers to update immediately; there are no known in-the-wild exploits to date.
read more →

Pre-auth RCE Chain in Progress ShareFile Storage Zones

🔓 Researchers at watchTowr disclosed two critical flaws in Progress ShareFile Storage Zones Controller (SZC): an authentication bypass (CVE-2026-2699) and a remote code execution via file upload/extraction (CVE-2026-2701). The issues can be chained to grant unauthenticated access to the admin interface, modify zone configuration, and deploy ASPX webshells to the application webroot. Progress issued a patch in ShareFile 5.12.4 on March 10; administrators should apply it immediately given thousands of internet-exposed SZC instances.
read more →

Hitachi Energy JasperReports RCE in Ellipse Products

⚠ Hitachi Energy disclosed a critical Java deserialization flaw in the Jaspersoft/Jasper Report library used by Ellipse, tracked as CVE-2025-10492, which can enable remote code execution. Affected versions include Ellipse 9.0.50 and earlier and the issue carries a CVSS 3.1 score of 9.8. Immediate mitigations include restricting loading of external custom reports to only administrator-approved Jasper files, isolating control systems from public networks, and following updates from Hitachi Energy PSIRT.
read more →

UAT-10608: Large-scale automated credential harvesting

🔍 Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.
read more →

14,000+ F5 BIG-IP APM Instances Exposed to RCE Attacks

⚠️ Shadowserver reports over 14,000 Internet-exposed BIG-IP APM instances remain vulnerable to CVE-2025-53521 after the flaw was reclassified from DoS to remote code execution. F5 confirmed the reclassification and warned that attackers are exploiting unpatched systems with access policies on virtual servers. F5 and CISA have published IOCs and mitigation guidance, and F5 recommends rebuilding compromised devices from known-good sources.
read more →

GIGABYTE Control Center has critical file-write flaw

⚠️ The GIGABYTE Control Center contains a critical arbitrary file-write vulnerability (CVE-2026-4415) affecting versions 25.07.21.01 and earlier when the pairing feature is enabled. Taiwan's CERT warns unauthenticated remote attackers could write files anywhere on the underlying OS, enabling arbitrary code execution, privilege escalation, or denial-of-service. GIGABYTE released version 25.12.10.01 with fixes for download path management, message processing, and command encryption and strongly advises immediate upgrade; users should obtain installers only from the vendor portal to avoid trojanized packages.
read more →

Claude-assisted discovery: Vim and Emacs file-open RCE

🛡️ Researcher Hung Nguyen used the Claude assistant to locate remote code execution flaws in Vim and GNU Emacs that can trigger simply by opening a crafted file. Claude produced multiple refined proof‑of‑concept exploits and suggested mitigations. Vim was patched in Vim 9.2.0272, while the Emacs issue remains unpatched because maintainers attribute the root cause to Git's core.fsmonitor behavior; users should avoid opening untrusted files.
read more →

Critical RCE in F5 BIG-IP APM Originally Labeled DoS

⚠️ Five-month-old F5 BIG-IP APM flaw initially classified as a denial-of-service is now confirmed as a pre-authentication remote code execution vulnerability (CVE-2025-53521) being exploited in the wild. F5 updated its advisory, raised the CVSS to 9.8, and CISA added the issue to its KEV catalog after reports of active exploitation and observed root‑level malware persistence. Affected versions include 15.1.x, 16.1.x, 17.1.x and 17.5.x; F5 has released fixes, IOCs, and hardening guidance, but organizations should patch immediately and perform compromise assessments rather than rely solely on backups.
read more →

OpenAI patches Codex and ChatGPT leaks, fixes two bugs

🔒 Researchers disclosed two vulnerabilities in OpenAI’s AI stack affecting Codex and ChatGPT. BeyondTrust found a command injection flaw in Codex that let a malicious GitHub branch name execute code inside task containers and expose short-lived GitHub tokens. Check Point Research discovered a hidden outbound channel in ChatGPT’s code execution runtime that could silently transmit chats, uploads, or outputs to an external server. OpenAI patched both issues before public disclosure and researchers warn that autonomous code execution increases long-term risk.
read more →

PX4 MAVLink Missing Authentication Allows Remote Shell

⚠️ A critical authentication flaw (CVE-2026-1579) in the MAVLink protocol used by PX4 Autopilot can allow unauthenticated actors with MAVLink access to execute arbitrary shell commands via the SERIAL_CONTROL message. The issue affects PX4 Autopilot v1.16.0_SITL_latest_stable. PX4 recommends enabling MAVLink 2.0 message signing for all non‑USB links and following the vendor's security hardening guidance to reduce exposure.
read more →

NCSC Urges Immediate Patching of Critical F5 BIG-IP Flaw

⚠️ The UK’s NCSC is urging organisations to immediately patch a critical vulnerability in F5 BIG-IP Access Policy Manager (APM) tracked as CVE-2025-53521, which is under active exploitation and can enable remote code execution when an APM access policy is configured on a virtual server. F5 has reclassified the issue from a denial‑of‑service to RCE with a revised CVSS of 9.8 after new information, and CISA has added it to its KEV catalog with a mandated federal patch deadline. Customers should follow F5’s incident‑handling and forensic guidance, isolate or rebuild affected systems, and report suspected compromises to the NCSC.
read more →

Critical F5 BIG-IP APM Flaw Reclassified as RCE; Patch Now

⚠️F5 Networks has reclassified a previously patched BIG-IP APM denial-of-service flaw (CVE-2025-53521) as a critical remote code execution vulnerability after evidence of active exploitation. Attackers are deploying webshells on unpatched devices that have access policies configured on virtual servers. F5 and CISA have published advisories and IOCs and are urging immediate patching, forensic checks of disks, logs, and terminal history, and adherence to incident-handling policies.
read more →

Critical FortiClient EMS SQL Injection Now Exploited

🔴 Threat intelligence firm Defused reports active exploitation of a critical SQL injection in Fortinet FortiClient EMS, tracked as CVE-2026-21643. The vulnerability lets unauthenticated attackers inject SQL via the HTTP 'Site' header to the EMS web GUI, enabling arbitrary code or command execution on unpatched systems. Fortinet fixed the issue in 7.4.5; administrators must upgrade immediately and block public access to EMS interfaces. Defused observed first exploitation four days after discovery and Shodan/Shadowserver data indicate many publicly exposed instances.
read more →

CISA Adds F5 BIG-IP CVE-2025-53521 to KEV After Exploitation

⚠️ CISA has added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) list after evidence of active exploitation against F5 BIG-IP APM. The flaw, reclassified from a DoS to an RCE with a CVSS v4 score of 9.3, permits unauthenticated remote code execution when an APM access policy is configured on a virtual server. F5 published file, log, and traffic indicators and warned that webshells may run in memory. Organizations and FCEB agencies were directed to apply the vendor fixes by March 30, 2026.
read more →

Critical Langflow RCE Exploited Hours After Disclosure

🚨 Attackers weaponized a critical Langflow remote code execution flaw within hours of disclosure, prompting CISA to add CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The issue stems from an unauthenticated build_public_tmp API endpoint that accepts workflow data and executes embedded Python code without sandboxing, enabling unauthenticated RCE on versions up to 1.8.2. Langflow released a fix in v1.9.0 and agencies are urged to patch by April 8, 2026.
read more →

CISA Adds F5 BIG-IP RCE to Known Exploited Vulnerabilities

⚠️ CISA has added CVE-2025-53521, a remote code execution vulnerability in F5 BIG-IP, to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The agency notes this class of flaw is a frequent attacker vector and poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by assigned due dates. CISA strongly urges all organizations to prioritize timely remediation, apply vendor fixes or mitigations, and maintain active monitoring to reduce exposure.
read more →

CISA Warns: Critical Langflow RCE (CVE-2026-33017)

🔴 CISA warns that a critical code-injection vulnerability, CVE-2026-33017, in the Langflow AI workflow framework is being actively exploited for remote code execution. The flaw impacts Langflow versions 1.8.1 and earlier and can be triggered with a single crafted HTTP request due to unsandboxed flow execution, allowing attackers to build public flows without authentication. Administrators should upgrade to Langflow 1.9.0, disable or restrict the vulnerable endpoint, rotate keys and secrets, and avoid exposing Langflow directly to the internet. CISA added the issue to its Known Exploited Vulnerabilities list and set an April 8 deadline for agencies covered by BOD 22-01.
read more →

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.
read more →

Rapid Weaponization of Critical Oracle WebLogic RCE

⚠ A critical Oracle WebLogic RCE (CVE-2026-21962, CVSS 10.0) was weaponized the same day public exploit code was released, a CloudSEK honeypot study found. The high-interaction honeypot, run between January 22 and February 3, 2026, recorded immediate automated scanning and exploitation attempts. Researchers also observed probes for older WebLogic flaws and widespread generic web reconnaissance. Organizations are urged to apply patches, restrict console access, deploy WAFs and monitor logs.
read more →