CISO Brief

All news with #remote code execution tag

619 articles · page 11 of 31

Critical Claude Code Flaws Expose RCE and Key Theft

⚠️ Check Point researchers disclosed critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code that allow remote code execution and theft of Anthropic API keys via malicious repository-level configuration files. The flaws can be triggered simply by cloning and opening an untrusted project; built-in mechanisms such as Hooks, MCP integrations, and environment variables may be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent. Stolen keys can expose shared workspaces, modify or delete resources, and generate unauthorized costs, underscoring a shift in the AI supply chain threat model.

Job-themed repo lures target developers with backdoors

🛡️ Microsoft warns that a coordinated campaign is using job-themed repositories—often posing as Next.js projects or technical assessments—to infect developer systems with multi-stage backdoors. Attackers embed workspace automation, build scripts, or server startup hooks so simply opening or building a project can load remote JavaScript and execute in memory. Microsoft advises containing affected endpoints, tracing process trees, hunting for repeated polling to attacker infrastructure, enforcing VS Code Workspace Trust, applying attack surface reduction, enabling cloud reputation checks, and tightening developer trust boundaries.

SolarWinds Issues Patch for Four Critical Serv-U Flaws

🔒 SolarWinds has released updates to address four critical vulnerabilities in its Serv-U file transfer software, each rated 9.1 on the CVSS scale. The flaws include a broken access control that can create a system admin (CVE-2025-40538), two type confusion bugs (CVE-2025-40539 and CVE-2025-40540), and an IDOR (CVE-2025-40541) — all capable of enabling remote code execution when exploited with administrative privileges. The issues affect Serv-U 15.5 and are fixed in Serv-U 15.5.4. SolarWinds warns Windows deployments carry medium risk because services often run under less-privileged accounts by default, and while no active exploitation has been reported, similar past defects were abused by threat actors such as Storm-0322.

Critical Serv-U RCE Flaws Extend SolarWinds Risk Profile

⚠ SolarWinds has issued four critical patches for its Serv-U managed file transfer server to remediate remote code execution and broken access-control vulnerabilities that can lead to root or other privileged account takeover. The most severe, CVE-2025-40538, can create system admin users and execute arbitrary code, while CVE-2025-40539 and CVE-2025-40540 are type confusion flaws and CVE-2025-40541 is another broken access-control issue. Organizations should treat this as a high-urgency patch event: update immediately, verify internet exposure, check logs for signs of compromise, and rotate associated credentials.

VMware patches Aria Operations command injection flaw

🔒 Recent patches from VMware address several high- and medium-risk vulnerabilities in Aria Operations, Cloud Foundation, and Telco Cloud products. The most serious, CVE-2026-22719, is an unauthenticated command injection that could lead to remote code execution but requires support-assisted product migration to be exploitable, so it is rated high rather than critical. Broadcom recommends upgrading to Aria Operations 8.18.6 and applying corresponding updates for VMware Cloud Foundation and Telco Cloud components to mitigate these issues.

Developer-Targeting Campaign via Malicious Next.js Repos

⚠️ Microsoft Defender researchers discovered a coordinated developer-targeting campaign that used malicious repositories disguised as legitimate Next.js projects and recruiting assessments to achieve remote code execution. The malicious repositories employed multiple execution paths — editor automation, dev-server assets, and backend startup loaders — that all retrieved attacker-controlled JavaScript at runtime. The activity staged a lightweight registration bootstrap (Stage 1) before escalating to a persistent operator-controlled controller (Stage 2), enabling in-memory tasking, discovery, and staged exfiltration.

Critical SolarWinds Serv-U Flaws Allow Root Access

🔒 SolarWinds has released Serv-U 15.5.4 to patch four critical remote-code-execution vulnerabilities, including CVE-2025-40538, that can allow attackers with elevated privileges to create administrative accounts and execute arbitrary code as root on vulnerable Windows and Linux servers. The update also fixes two type-confusion bugs and an IDOR that can be chained to achieve root code execution. Organizations should apply 15.5.4 immediately, verify administrator account integrity, and review access logs for signs of unauthorized admin activity; Shodan shows over 12,000 Internet-exposed Serv-U instances.

Schneider Electric EBO Vulnerabilities and Patches Released

🔒 Schneider Electric has released patches for multiple vulnerabilities in EcoStruxure Building Operation Workstation and WebStation that could disclose local files, enable execution of unintended code, or cause denial-of-service. Affected 6.x and 7.0.x builds should be updated to the vendor-supplied patch builds immediately to mitigate exposure. The issues are tracked as CVE-2026-1227 (XXE) and CVE-2026-1226 (code generation/control). If immediate patching is not possible, implement recommended mitigations — network segmentation, strict access controls, MFA for EBO 7.0+, monitoring, and adherence to EBO hardening guidance — to reduce operational risk.

CISA Adds FileZen Command Injection CVE to KEV Catalog

⚠️ CISA added CVE-2026-25108, an OS command injection vulnerability in Soliton Systems K.K.'s FileZen, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. Command injection is a frequent and high-risk vector that can enable remote code execution and system compromise. Under BOD 22-01, federal agencies must remediate KEV entries by the required deadlines; CISA strongly urges all organizations to prioritize remediation, apply vendor fixes or mitigations, and monitor for related activity.

InSAT MasterSCADA BUK-TS: Critical RCE Vulnerabilities

⚠️ CISA reports two critical remote code execution vulnerabilities in InSAT MasterSCADA BUK-TS (all versions). CVE-2026-21410 enables SQL injection via the main web interface, and CVE-2026-22553 allows OS command injection through the MMadmServ interface. Both CVEs have CVSS v3.1 base scores of 9.8. CISA recommends minimizing network exposure, isolating control systems behind firewalls, using secure remote access, and contacting the vendor for guidance.

CISA: Patched Roundcube Flaws Now Seen in Active Attacks

⚠️ CISA has added two recently patched Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to remediate affected systems within three weeks. The critical remote code execution bug CVE-2025-49113 and a separate XSS issue CVE-2025-68461 affect Roundcube 1.5.x and 1.6.x; vendor fixes (1.6.12 and 1.5.12) have been released. Shodan still enumerates tens of thousands of exposed instances, and organizations are urged to update, audit logs, and mitigate immediately.

Attackers Exploit Ivanti EPMM Zero-Days in Active Campaign

🔴 Palo Alto Networks' Unit 42 warns that threat actors are actively exploiting two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated remote code execution, enabling attackers to seize MDM appliances and install web shells, cryptominers, or persistent backdoors that can survive initial patching. Unit 42 says more than 4,400 EPMM instances are internet-exposed, proof-of-concept exploits are public, and multiple sectors and countries have been targeted.

CISA: BeyondTrust RCE Now Exploited in Ransomware Attacks

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.

Critical Pre-auth RCE in BeyondTrust Remote Support

🚨 On Feb. 6, 2026, BeyondTrust published an advisory for CVE-2026-1731, a critical pre-auth remote code execution vulnerability affecting BeyondTrust Remote Support and some Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject shell commands via the WebSocket remoteVersion field during the handshake, resulting in OS command execution as the site user. Unit 42 observed active exploitation that included web shells, C2 traffic, account tampering and data theft. Immediate patching for self-hosted appliances and engagement of incident response if compromise is suspected are recommended.

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

🛡️ A critical stack-buffer overflow in Grandstream GXP1600 VoIP phones allows unauthenticated remote attackers to gain root and silently eavesdrop. Tracked as CVE-2026-2329 (CVSS 9.3), the issue affects six GXP1600 models running firmware before 1.0.7.81 and stems from an unauthenticated web API that fails to validate colon-delimited input. Rapid7 developed a Metasploit module to demonstrate the exploit; Grandstream issued firmware 1.0.7.81 on February 3 to address the vulnerability—apply updates immediately.

EnOcean SmartServer IoT: Remote Code Execution Risk

🔒 A pair of vulnerabilities in EnOcean SmartServer IoT firmware (<=4.60.009) can be exploited via crafted LON IP-852 management messages to execute arbitrary OS commands or trigger memory corruption. CVE-2026-20761 (command injection) carries a CVSS 3.1 score of 8.1 and permits remote command execution; CVE-2026-22885 is an out-of-bounds read (CVSS 3.1 score 3.7) that can leak memory. EnOcean advises updating to SmartServer 4.6 Update 2 (v4.60.023) or later, and CISA recommends isolating devices, avoiding internet exposure, using secure remote access, and monitoring for suspicious activity.

Chinese APT Exploited Dell RecoverPoint Zero-Day Flaw

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

⚠️ Researchers disclosed an unauthenticated stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600-series VoIP phones that can yield remote code execution as root. The flaw lies in the web API endpoint /cgi-bin/api.values.get, where a malformed colon-delimited "request" parameter overruns a 64-byte stack buffer. Affected models include GXP1610/1615/1620/1625/1628/1630; Grandstream released firmware 1.0.7.81 to fix the issue. Rapid7 published a Metasploit module demonstrating exploitation and post-exploitation risks such as credential theft and SIP proxy hijacking.

Critical Flaws in Four Popular VS Code Extensions Reported

⚠️ OX Security researchers disclosed multiple high-severity vulnerabilities in four widely used VS Code extensions — Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — collectively installed more than 125 million times. The flaws can enable local-file exfiltration, arbitrary JavaScript execution, and settings-based code execution; three remain unpatched while Microsoft fixed an XSS-style issue in Live Preview in version 0.4.16 (September 2025). Researchers advise disabling or uninstalling non-essential or untrusted extensions, avoiding untrusted configurations, keeping extensions updated, and hardening local networks and firewalls.

Critical VS Code Extension Flaws Expose 128M Installs

🔒 OX Security disclosed critical and high-severity vulnerabilities in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Three CVEs were published; Microsoft privately patched Live Preview. The flaws also affected AI-powered IDEs Cursor and Windsurf, and OX Security said three maintainers did not respond to notifications. Researchers urge immediate updates, disabling unused extensions, and avoiding untrusted sites while localhost servers run.