
All news with #remote code execution tag


Zero-click RCE in FreeScout urges immediate patching

⚠️ Ox Security has disclosed a zero-click remote code execution (RCE) vulnerability affecting FreeScout, tracked as CVE-2026-28289 (Mail2Shell), which bypasses an earlier fix (CVE-2026-27636). By sending a single crafted email to any address configured in FreeScout, an attacker can execute code on the server without authentication and without any user interaction. Ox warned thousands of instances may be exposed and urged immediate upgrades to v1.8.207 or later. Administrators are also advised to disable AllowOverrideAll in Apache on affected servers.

Cisco Releases Patches for 48 Firewall Vulnerabilities

🔒 Cisco has published 25 joint advisories addressing 48 vulnerabilities across its Secure Firewall ASA, Secure FMC and FTD product lines. The two most critical flaws, CVE-2026-20079 and CVE-2026-20131, are rated CVSS 10 and impact Secure FMC, enabling authentication bypass and remote code execution respectively. The auth bypass can be triggered with crafted HTTP requests against a boot-created system process, while the RCE stems from insecure deserialization of a user-supplied Java byte stream to the web management interface. There are no workarounds; Cisco urges customers to install the fixed software and the bundle also addresses 15 high and 31 medium severity issues.

Mail2Shell zero-click bypass allows FreeScout server takeover

⚠️ A newly disclosed maximum-severity flaw, CVE-2026-28289, enables zero-click remote code execution against FreeScout by defeating filename validation. Researchers at OX Security found that inserting a zero-width space (U+200B) before a filename bypasses the prior patch, allowing an attacker to upload a .htaccess-style payload that is later processed as a dotfile. The uploaded file can be reached via the platform's /storage/attachment/ path and used to execute commands without authentication. FreeScout 1.8.207 fixes the bypass; admins should update immediately and consider disabling AllowOverrideAll in Apache.

Cisco Patches Maximum-Severity Flaws in Secure FMC

🔒 Cisco has released updates for two maximum-severity vulnerabilities in Cisco Secure FMC that allow unauthenticated remote attackers to obtain root on affected systems. CVE-2026-20079 is an authentication-bypass flaw exploitable via crafted HTTP requests to gain root, while CVE-2026-20131 is a remote code execution vulnerability triggered by a crafted serialized Java object that can execute arbitrary Java code as root. Cisco also patched dozens of other issues and says its PSIRT has no evidence these flaws are being actively exploited.

CISA Adds VMware Aria Operations RCE to KEV Catalog

⚠️ CISA has added a high‑severity VMware Aria Operations flaw, CVE-2026-22719, to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation; the issue is an unauthenticated command injection that can allow arbitrary command execution and potential remote code execution. Broadcom released fixes for VMware Cloud Foundation, vSphere Foundation 9.0.2.0 and Aria Operations 8.18.6, and provided a shell-script workaround (aria-ops-rce-workaround.sh) for appliance nodes. Public details of in‑the‑wild exploitation and attribution remain scarce. Federal civilian agencies must apply the fixes by March 24, 2026.

CISA Flags VMware Aria Operations RCE as Exploited

🚨 CISA has added a VMware Aria Operations command injection flaw (CVE-2026-22719) to its Known Exploited Vulnerabilities catalog and is treating the issue as exploited in attacks. Broadcom says it is aware of reports of exploitation but cannot independently confirm them. VMware released patches on February 24 and provided a temporary workaround script (aria-ops-rce-workaround.sh) that disables vulnerable migration components; administrators should apply the updates or the workaround immediately.

Critical macOS ExifTool Vulnerability CVE-2026-3102

⚠️ Kaspersky's GReAT discovered a critical flaw, CVE-2026-3102, in ExifTool that can execute embedded shell commands when processing crafted image metadata on macOS if ExifTool is invoked with the -n/--printConv flag. The issue affects ExifTool versions 13.49 and earlier and can be exploited in automated workflows or apps that bundle the library. Update to ExifTool 13.50 immediately, isolate processing of untrusted files, and verify third-party tools do not include older copies of the library.

ClawJacked: Local WebSocket Flaw Gives Remote Control

⚠️ Researchers have revealed a high-severity "ClawJacked" vulnerability in OpenClaw that can allow a malicious webpage to take full control of the AI assistant platform. The issue arises because the gateway binds to localhost and treats local connections as trusted, permitting a script to brute-force credentials and auto-register as a trusted node. Once authenticated, an attacker can enumerate devices, read logs and dispatch commands. Users are urged to upgrade to 2026.2.25 or later immediately.

ClawJacked vulnerability lets websites hijack OpenClaw

🔒 Security researchers disclosed a high-severity ClawJacked vulnerability in OpenClaw that allowed a malicious website to silently brute-force a locally running gateway and take control. Oasis Security reported the issue and OpenClaw released a fix in version 2026.2.26 on February 26. The update hardens WebSocket checks, removes unsafe localhost exemptions, and closes avenues for silent device pairing and credential theft. Administrators should update immediately.

Critical Juniper PTX Router Flaw Lets Attackers Gain Root

🔒 Juniper PTX core routers running Junos OS Evolved contain a critical vulnerability that can allow an unauthenticated, network-based attacker to execute code as root. The flaw is in the On-Box Anomaly detection framework, which is enabled by default and was never intended to be externally reachable. Juniper says it is unaware of any active exploitation and urges installation of 25.4R1-S1-EVO, while recommending ACLs or firewall filters, or alternatively the command request pfe anomalies disable, as temporary mitigations.

Over 900 FreePBX Instances Remain Infected with Web Shells

⚠ The Shadowserver Foundation reports that more than 900 FreePBX instances remain infected with web shells after exploitation of the CVE-2025-64328 post-auth command injection flaw. The vulnerability (CVSS 8.6) affects versions >=17.0.2.36 and was fixed in 17.0.3; recommended mitigations include restricting access to the Administration Control Panel, updating the filestore module, and applying available updates. Fortinet links active exploitation since December 2025 to the INJ3CTOR3 actor delivering an EncystPHP web shell that enables arbitrary shell execution as the asterisk user and can initiate outbound call activity via compromised PBX instances.

Trend Micro patches critical Apex One RCE flaws for Windows

⚠️ Trend Micro has released patches for two critical Apex One management console vulnerabilities (CVE-2025-71210 and CVE-2025-71211) that enable path traversal leading to remote code execution on Windows systems. The fixes are included in SaaS updates and Critical Patch Build 14136, which also addresses high-severity agent issues on Windows and macOS. Exploitation requires access to the management console, so externally exposed consoles should apply source restrictions and other access controls. Customers are urged to install updates promptly to reduce risk.

Critical Juniper PTX Flaw Enables Full Router Takeover

🚨 A critical privilege escalation vulnerability in Junos OS Evolved on PTX Series routers (CVE-2026-21902) can allow unauthenticated remote code execution as root by exposing the On-Box Anomaly Detection framework on an externally accessible port. Because the service runs as root and is enabled by default, an attacker with network access could fully compromise affected devices. Juniper released fixes in 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO, and recommends applying updates, restricting access with firewall filters or ACLs, or disabling the service using request pfe anomalies disable.

Yokogawa CENTUM VP Vnet/IP Vulnerabilities and Patch

🔒 Yokogawa has issued patches for multiple Vnet/IP vulnerabilities affecting CENTUM VP R6 and R7 interface packages that could allow denial-of-service or, in one case, arbitrary code execution. Affected packages (VP6C3300 and VP7C3300) at or below R1.07.00 are vulnerable; the flaws are tracked as CVE-2025-1924 and CVE-2025-48019 through CVE-2025-48023. CISA reports CVSS scores up to 6.9 (MEDIUM) and recommends applying vendor patch R1.08.00 and following advisory YSAR-26-0002 for implementation guidance.

Copeland XWEB/XWEB Pro Multiple Critical Vulnerabilities

⚠️ Copeland has released patches addressing numerous severe vulnerabilities in XWEB and XWEB Pro appliances that may allow authentication bypass, remote code execution, denial-of-service, path traversal, and memory corruption. Affected firmware includes XWEB 300D PRO, 500D PRO, and 500B PRO running version 1.12.1 or earlier. Several issues are rated high or critical, including one pre-authentication vulnerability with a CVSS v3.1 score of 10.0. Administrators should apply vendor updates immediately and minimize device exposure on untrusted networks.

Johnson Controls Frick Quantum HD: Critical Vulnerabilities

⚠️ Johnson Controls Frick Controls Quantum HD (versions <= 10.22) contains multiple critical vulnerabilities that can allow pre‑authentication remote code execution, code injection, information disclosure, and denial of service. CISA catalogs six CVEs, including four critical code/OS injection issues (CVSS 9.1), a high severity path traversal (CVSS 7.5), and a medium severity plaintext credential issue (CVSS 6.2). The vendor designates versions 10.22–11 as legacy and recommends upgrading to Quantum HD Unity version 12 or higher, applying the vendor hardening guidance, and following network isolation and access best practices.

Fake Next.js Interview Repos Deliver JavaScript Backdoor

⚠️ A coordinated campaign impersonating Next.js job interview materials uses malicious repositories to achieve remote code execution on developers' machines. The repositories trigger payloads when a VS Code workspace is opened, when the npm dev server starts, or during backend initialization, downloading and executing an in-memory JavaScript backdoor. The staged malware profiles the host, registers with C2 infrastructure, and supports file enumeration and staged exfiltration. Microsoft advises enforcing VS Code Workspace Trust, reducing secrets on endpoints, and using short-lived, least-privilege tokens.

Claude Code Flaws Enable Remote Execution and Key Theft

⚠️ Check Point Research disclosed multiple critical vulnerabilities in Anthropic's Claude Code that can enable remote code execution and exfiltration of API credentials when users open untrusted repositories. The issues involve project hooks, the Model Context Protocol, and environment variables that may trigger arbitrary shell commands and redirect authenticated API traffic. Anthropic released patches; administrators should update promptly, avoid opening untrusted projects, and rotate any keys that may have been exposed.

OpenClaw: Supply-Chain Risks and Underground Chatter

🔍 OpenClaw is an AI-driven automation framework with a modular skills marketplace that lets agents run user-installed plugins to manage mail, schedules, and system tasks. Security researchers disclosed multiple critical flaws — including one-click RCE (CVE-2026-25253), token/OAuth abuse, prompt-injection pathways, and absent sandboxing — and documented dozens of poisoned skills on ClawHub. Flare's telemetry shows significant chatter across research and fringe channels but limited evidence of mass criminal operationalization; the immediate confirmed threat is supply-chain abuse where malicious skills execute with agent-level privileges and exfiltrate credentials and sessions.

Zyxel Issues Patch for Critical UPnP RCE Affecting Routers

🔐 Zyxel has released updates for a critical UPnP command-injection flaw tracked as CVE-2025-13942 that can allow unauthenticated remote attackers to execute operating system commands on affected routers, CPEs, ONTs, and extenders. Successful exploitation requires both UPnP and WAN access to be enabled; WAN access is disabled by default on these devices. Zyxel also patched two high-severity post-authentication command-injection bugs (CVE-2025-13943, CVE-2026-1459) and strongly urges administrators to apply firmware updates promptly.