< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 11 of 35

PTC Windchill and FlexPLM Critical Remote Code Execution

⚠️CISA reports a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC Windchill and FlexPLM, with a CVSS v3.1 base score of 10.0. The issue stems from deserialization of untrusted data (CWE-94) and could allow unauthenticated attackers to run arbitrary code. PTC is developing a patch and advises immediate application of documented workarounds and updated Apache or IIS configurations to protect public, file, and replica servers.
read more →

PolyShell Exploits Hit 56% of Vulnerable Magento Stores

🔔 Mass exploitation of the PolyShell vulnerability in Magento Open Source and Adobe Commerce began on March 19, with Sansec reporting attacks on 56.7% of vulnerable stores within days of public disclosure. The issue resides in Magento’s REST API, which accepts file uploads for custom cart options and can allow polyglot files to enable remote code execution or account takeover via stored XSS when server configurations permit. Adobe released a patch in 2.4.9-beta1 on March 10, 2026, but no stable production fix is yet available; Sansec has published IPs and IOCs and warns of a WebRTC-based payment skimmer used in some intrusions.
read more →

TP-Link patches critical Archer NX router auth bypass

🔒 TP-Link released firmware updates for its Archer NX200, NX210, NX500, and NX600 routers to fix multiple vulnerabilities, including a critical authentication bypass that can permit unauthenticated firmware uploads via certain HTTP CGI endpoints. The vendor additionally removed a hardcoded cryptographic key and patched two command injection flaws that require administrative access. TP-Link warned customers to install the latest firmware immediately to block potential attacks. Failure to update may leave devices susceptible to takeover or configuration manipulation.
read more →

PTC warns of imminent RCE threat in Windchill, FlexPLM

⚠️ PTC has alerted customers to a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM that could enable remote code execution via deserialization of trusted data. German authorities (BKA) have taken emergency action to warn organizations, citing an imminent threat. Patches are under development, and PTC published an Apache/IIS rule mitigation that denies access to the affected servlet path without breaking functionality. The vendor also released IoCs and detection guidance; if mitigation is not possible, prioritize disconnecting internet-facing instances or shutting down the service.
read more →

Pharos Controls Mosaic Show Controller Critical RCE

🛡️ Pharos Controls Mosaic Show Controller firmware 2.15.3 contains a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) that can allow an unauthenticated attacker to execute arbitrary commands with root privileges. The flaw has a CVSS v3.1 base score of 9.8 (Critical). Pharos Controls recommends upgrading to version 2.16 or later and isolating controllers from public networks.
read more →

Schneider Electric Plant iT/Brewmaxx: Critical Redis Flaws

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.
read more →

Schneider Electric Foxboro DCS Deserialization Flaw Patched

🔒 Schneider Electric has disclosed a deserialization of untrusted data vulnerability (CVE-2026-1286) impacting EcoStruxure Foxboro DCS versions prior to CS 8.1. An authenticated administrative user who opens a malicious project file could compromise confidentiality and integrity and potentially achieve remote code execution on a workstation (CVSS 3.1: 6.5). Schneider released CS 8.1 which requires FX-V3 licenses and a reboot; standard upgrade procedures apply. Until patched, follow mitigations such as restricting files to trusted sources, enforcing least privilege, and isolating DCS networks.
read more →

Weekly Cyber Recap: CI/CD Backdoor and Emerging Threats

🔒 This week’s recap highlights a major supply-chain compromise of Trivy, where attackers injected credential‑stealing malware into official releases and GitHub Actions, producing a self‑propagating worm called CanisterWorm that affected thousands of CI/CD workflows. Law enforcement dismantled several massive IoT botnets built from routers, cameras and DVRs, while high‑severity flaws — including a critical Langflow RCE and a Cisco FMC 0‑day exploited by Interlock ransomware — were weaponized within hours of disclosure.
read more →

CISA Orders US Agencies to Patch Critical Cisco FMC Flaw

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.
read more →

Attackers Exploit CVE-2025-32975 to Hijack KACE SMA

🚨 Arctic Wolf reported exploitation of CVE-2025-32975 (CVSS 10.0), an authentication-bypass in Quest KACE Systems Management Appliance (SMA), against internet-exposed instances beginning the week of March 9, 2026. Attackers impersonated administrative users, executed remote commands to download Base64 payloads via curl from an external host, and created additional admin accounts using runkbot.exe. Observed post-compromise activity included Windows Registry modifications, credential harvesting with Mimikatz, reconnaissance, and RDP access to backup systems and domain controllers. Administrators should apply the May 2025 fixes and avoid exposing SMA directly to the internet.
read more →

Oracle patches critical RCE in Identity and Web Services

🔒 Oracle has released fixes for a critical pre-authentication remote code execution flaw, CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The issue carries a CVSS score of 9.8 and is described by NVD as "easily exploitable" over HTTP by unauthenticated attackers. Oracle says the flaw can enable full takeover of vulnerable instances and urges customers to apply updates immediately.
read more →

Oracle issues emergency patch for Identity Manager RCE

🛡️ Oracle has released an out-of-schedule security update to fix a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, that affects Oracle Identity Manager and Oracle Web Services Manager. Oracle says the flaw is low complexity, exploitable remotely over HTTP without authentication or user interaction. The company strongly recommends applying patches or mitigations immediately and notes fixes via the Security Alert program are limited to supported versions.
read more →

Critical Langflow RCE (CVE-2026-33017) Exploited Fast

⚠️ The Langflow open-source tool contains a critical vulnerability, CVE-2026-33017 (CVSS 9.3), that allows unauthenticated remote code execution via a POST endpoint that accepts attacker-supplied Python in the request payload. The flaw affects all versions up to and including 1.8.1 and is addressed in the development branch (1.9.0.dev8). Exploitation was observed within 20 hours of public disclosure; operators should apply updates, rotate secrets, and restrict access immediately.
read more →

CISA Orders Feds to Patch Critical Cisco FMC Flaw by Sunday

⚠️ CISA has directed Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center by Sunday, March 22, citing active exploitation and maximum severity. Cisco says the web-based management interface suffers insecure deserialization that can allow an unauthenticated remote attacker to execute arbitrary Java code as root. The vendor published updates and warned there are no available workarounds; administrators should apply fixes immediately.
read more →

Hackers Exploit Critical Langflow RCE Within 20 Hours

🔐 Sysdig reported that threat actors exploited a critical unauthenticated remote code execution vulnerability (CVE-2026-33017) in Langflow within 20 hours of the advisory publication. The flaw, rated CVSS 9.3, allows execution of arbitrary Python via a single HTTP request and requires no credentials. Attackers built functional exploits from the advisory despite no public PoC, scanned broadly, and exfiltrated keys, database credentials and cloud secrets. Sysdig warns organizations must accelerate patching and rethink vulnerability programs.
read more →

Magento 'PolyShell' REST API Flaw Affects 2.x Releases

⚠ Sansec has disclosed a critical file upload vulnerability dubbed PolyShell in Magento's REST API that can let unauthenticated attackers upload arbitrary executables and achieve remote code execution or account takeover. The flaw stems from how custom product options accept a base64-encoded file_info object and write files to pub/media/custom_options/quote/. Adobe applied a fix in the 2.4.9 pre-release (APSB25-94), but most production stores remain unpatched; operators should restrict and block access to the upload directory, verify nginx/Apache rules, scan for web shells, and consider a specialized WAF.
read more →

Low-cost KVM-over-IP Flaws Risk Remote Network Takeover

🔒 Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.
read more →

PolyShell flaw allows unauthenticated RCE in Magento

⚠ A newly disclosed vulnerability called PolyShell affects all Magento Open Source and Adobe Commerce version 2 installations, enabling unauthenticated code execution and potential account takeover. Adobe has issued a fix only in the 2.4.9 alpha, leaving production sites exposed. Sansec warns the exploit method is already circulating and urges admins to restrict access to pub/media/custom_options/, verify nginx/Apache rules, and scan for uploaded shells or backdoors.
read more →

Critical GNU inetutils Telnet RCE Allows Root Access

⚠️ Security researchers at Dream Security disclosed a critical buffer overflow in GNU inetutils telnetd (CVE-2026-32746) that enables unauthenticated remote code execution as root during Telnet negotiation. The flaw originates in the SLC handler which writes into a fixed 108‑byte buffer without bounds checking, producing an arbitrary write. Dream notified maintainers on March 11 and a patch was prepared the next day; administrators should disable telnetd, restrict or block TCP/23, or migrate to SSH until updates are applied.
read more →

Critical Microsoft SharePoint Flaw Now Exploited in Attacks

🔴 The Cybersecurity and Infrastructure Security Agency (CISA) warned that a critical deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2026-20963, is being exploited in the wild. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and can allow unauthenticated remote code execution on unpatched servers. Microsoft patched the issue during January Patch Tuesday but has not labeled it as exploited; CISA added the vulnerability to its actively exploited catalog and ordered federal agencies to remediate by March 21.
read more →