CISO Brief

All news with #remote code execution tag

620 articles · page 12 of 31

Critical VS Code Extension Flaws Expose 128M Installs

🔒 OX Security disclosed critical and high-severity vulnerabilities in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Three CVEs were published; Microsoft privately patched Live Preview. The flaws also affected AI-powered IDEs Cursor and Windsurf, and OX Security said three maintainers did not respond to notifications. Researchers urge immediate updates, disabling unused extensions, and avoiding untrusted sites while localhost servers run.

Critical zero-day in Dell RecoverPoint for VMs, exploited

🔒 A maximum-severity vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus cluster tracked as UNC6201 since mid-2024. The flaw is a hard-coded Apache Tomcat Manager admin credential that allows unauthenticated attackers to upload a web shell (SLAYSTYLE) and deploy native backdoors (BRICKSTORM, later GRIMBOLT) for root access and persistence. Dell urges customers to upgrade to 6.0.3.1 HF1 (or follow staged upgrades from 5.3 SP4 P1) and to isolate RecoverPoint appliances on trusted, segmented networks until patched.

Critical Flaws in Popular VSCode Extensions Expose Devs

⚠️ Ox Security disclosed high- to critical-severity vulnerabilities in widely used VSCode extensions that could enable local file theft and remote code execution. Affected extensions include Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716), and a one-click XSS in Microsoft Live Preview (pre-0.4.16). The researchers say they attempted disclosure from June 2025 but received no responses from maintainers. Users are advised to avoid running localhost servers, opening untrusted HTML, pasting untrusted settings, and to remove unnecessary extensions.

Critical Ivanti EPMM RCE Zero-Days Actively Exploited

🚨 Unit 42 reports two critical zero-day RCEs in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being actively weaponized. Both flaws arise from unsafe legacy bash script usage invoked via Apache RewriteMap and permit unauthenticated command execution through specially crafted HTTP GET requests. Observed activity includes reverse shells, JSP web shells, deployment of monitoring agents/cryptominers, and follow-on persistence. Apply vendor RPM patches immediately, hunt for web shells and backdoors, and engage incident response if compromise is suspected.

Siemens Simcenter Femap and Nastran File Parsing Flaws

⚠️ Siemens has published updates for Simcenter Femap and Simcenter Nastran addressing multiple file-parsing vulnerabilities in NDB and XDB formats. If a user opens a specially crafted malicious file, affected versions may crash or allow an attacker to achieve arbitrary code execution. Siemens rates the issues as high severity and recommends updating to V2512 or later and avoiding untrusted NDB/XDB files.

Exploit Reported for New Chrome Zero-Day in CSS Engine

⚠️ Google warns IT administrators that an exploit for a newly disclosed Chrome zero-day (CVE-2026-2441) is active in the wild. The issue is a use-after-free bug in the browser's CSS engine that can allow remote code execution in the renderer sandbox when a user visits a crafted page. Patches are available — update to 145.0.7632.75/76 on Windows/Mac or 144.0.7559.75 on Linux — and Google is limiting technical details until most users are updated. Administrators should prioritize deploying the fixes and monitor browser versions and endpoints closely.

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on-premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on-premises customers must install the fixes manually.

Google Issues Patch for In-the-Wild Chrome Zero-Day

🔒 Google has released an urgent security update for Chrome to address CVE-2026-2441, a high-severity zero-day affecting desktop builds on Windows, macOS and Linux. The flaw, rooted in a CSS processing issue, can allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google confirmed an exploit is already in the wild and credited researcher Shaheen Fazim for reporting the bug on February 11; the company issued the patch on February 13.

Critical BeyondTrust RS Flaw Being Exploited in Wild

🔒 Researchers warn a critical pre-authentication command injection (CVE-2026-1731) in BeyondTrust Remote Support is being actively exploited to compromise self-hosted deployments, including legacy Bomgar B-series appliances. Attackers have deployed renamed SimpleHelp binaries, created domain accounts and escalated privileges to perform lateral movement. Patches are available, but end-of-life appliances and required version upgrades complicate remediation while a public proof-of-concept has accelerated exploitation.

30-Year-Old Heap Overflow Fixed in libpng 1.6.55 Patch

⚠️ Developers have patched a nearly 30-year-old heap buffer overflow in the libpng image library (fixed in libpng 1.6.55) that can crash applications processing crafted PNG files and, with careful heap grooming, enable information disclosure or remote code execution. The flaw lies in the png_set_quantize function when it is called without a histogram and with an oversized palette. A proof-of-concept is public; users and distributors should upgrade promptly.

CISA: Microsoft ConfigMgr RCE Patch Now Exploited in the Wild

⚠️ CISA has flagged a critical Microsoft Configuration Manager vulnerability (CVE-2024-43468) as actively exploited after Microsoft patched it in October 2024. The flaw is a SQL injection that can allow unauthenticated remote attackers to achieve remote code execution and run commands with elevated privileges on the server or site database. CISA ordered federal agencies to apply the patch or mitigations by March 5 under BOD 22-01 and urged all organizations to secure affected systems immediately.

CISA Adds Known-Exploited CVE for BeyondTrust RS/PRA

⚠️ CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation of an OS command injection vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA emphasizes that command injection flaws are a frequent and dangerous attack vector that pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due date; CISA strongly urges all organizations to prioritize timely remediation and integrate these fixes into their vulnerability management processes.

Researchers Observe In-The-Wild Exploitation of BeyondTrust

🔴 watchTowr reported the first in-the-wild exploitation of a critical BeyondTrust vulnerability, CVE-2026-1731, with attackers abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. The flaw (CVSS 9.9) allows unauthenticated remote code execution by sending specially crafted requests and has been patched in Remote Support (BT26-02-RS, 25.3.2+) and Privileged Remote Access (BT26-02-PRA, 25.1.1+). The rapid weaponization highlights how quickly defenders must patch critical systems. CISA also added four actively exploited flaws to its KEV catalog and set federal remediation deadlines in February and March 2026.

Critical BeyondTrust RCE Now Exploited in Attacks Globally

🚨 A critical pre-authentication remote code execution vulnerability, CVE-2026-1731, in BeyondTrust Remote Support and Privileged Remote Access appliances is being actively exploited after a proof-of-concept was published. The flaw affects Remote Support ≤25.3.1 and Privileged Remote Access ≤24.3.4 and allows unauthenticated attackers to execute OS commands as the site user. BeyondTrust automatically patched SaaS instances on Feb 2, 2026; on-premises customers must install vendor updates immediately.

Critical RCE in WPvivid Backup Plugin Impacts 900k+

🔒 A critical vulnerability in the WPvivid Backup & Migration WordPress plugin (CVE-2026-1357, CVSS 9.8) allowed unauthenticated attackers to upload arbitrary files and achieve remote code execution. The flaw affected all versions up to 0.9.123 but, according to Defiant, only sites with the non-default "receive backup from another site" option enabled are critically exposed. WPVividPlugins released a patch in v0.9.124 on Jan 28; administrators should upgrade immediately.

Siemens COMOS: Multiple Vulnerabilities and Fixes Advisory

🔒 Siemens reports multiple vulnerabilities in COMOS across V10.4–V10.6 that could permit arbitrary code execution, cross-site scripting, denial-of-service, credential exposure, and TLS man-in-the-middle attacks. Siemens has published updates for several affected lines (notably V10.4.5 and V10.5.2) and is preparing additional fixes; some issues remain unpatched. Apply vendor updates where available, follow Siemens' countermeasures for unpatched versions, minimize network exposure of COMOS, and contact Siemens ProductCERT for assistance and timelines.

Airleader Master: Unrestricted Upload RCE (CVE-2026-1358)

🔒 Airleader GmbH's Airleader Master (<= 6.381) contains a critical file-upload vulnerability (CVE-2026-1358) that permits unauthenticated attackers to place dangerous files on high-privilege pages and potentially obtain remote code execution on the server. CISA assigns CVSS v3.1 9.8 (Critical). The vendor recommends upgrading to 6.386 or later and contacting Airleader for mitigation assistance. Operators should immediately reduce internet exposure and isolate control networks while planning patch deployment.

Siemens NX CGM File Parsing Vulnerabilities — Update

⚠️ Siemens NX contains multiple file-parsing vulnerabilities in its handling of CGM files that can cause application crashes or enable arbitrary code execution when a malicious file is opened. Siemens has released fixes and advises updating to V2512 or later. Do not open untrusted CGM files and apply vendor updates promptly. Follow CISA guidance on network isolation and secure remote access.

ThreatsDay Bulletin: Access Abuse and Quiet Persistence

📝 This week's bulletin spotlights attackers favoring reliable tradecraft: misusing trusted tools and simple entry points while executing deliberate, long-dwell post-compromise activity. Microsoft fixed a Notepad Markdown command-injection (CVE-2026-20841) and LayerX disclosed a 0-click RCE risk in Claude Desktop Extensions. Emerging stealers (LTX, Marco), evolving loaders (GuLoader, RenEngine), and data-theft ransomware trends raise operational risk. Defenders must detect misuse of legitimate access and anomalous in-system behavior.

Apple Patches Exploited dyld Zero-Day Across Devices

🔒 Apple released updates for iOS, iPadOS, macOS Tahoe, tvOS, watchOS and visionOS to fix an actively exploited zero-day, tracked as CVE-2026-20700, a memory corruption flaw in dyld that can permit arbitrary code execution when an attacker has memory write capability. Google Threat Analysis Group (TAG) is credited with reporting the issue. Apple said the bug may have been used in extremely sophisticated targeted attacks and also issued related fixes for CVE-2025-14174 and CVE-2025-43529. Patches are available for supported recent devices and additional updates address vulnerabilities in older OS releases.