< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 14 of 35

ClawJacked vulnerability lets websites hijack OpenClaw

🔒 Security researchers disclosed a high-severity ClawJacked vulnerability in OpenClaw that allowed a malicious website to silently brute-force a locally running gateway and take control. Oasis Security reported the issue and OpenClaw released a fix in version 2026.2.26 on February 26. The update hardens WebSocket checks, removes unsafe localhost exemptions, and closes avenues for silent device pairing and credential theft. Administrators should update immediately.
read more →

Critical Juniper PTX Router Flaw Lets Attackers Gain Root

🔒 Juniper PTX core routers running Junos OS Evolved contain a critical vulnerability that can allow an unauthenticated, network-based attacker to execute code as root. The flaw is in the On-Box Anomaly detection framework, which is enabled by default and should not be externally reachable. Juniper says it is unaware of any active exploitation and urges installation of 25.4R1-S1-EVO, while recommending ACLs or firewall filters and the alternative command request pfe anomalies disable as temporary mitigations.
read more →

Over 900 FreePBX Instances Remain Infected with Web Shells

⚠ The Shadowserver Foundation reports that more than 900 FreePBX instances remain infected with web shells after exploitation of the CVE-2025-64328 post-auth command injection flaw. The vulnerability (CVSS 8.6) affects versions >=17.0.2.36 and was fixed in 17.0.3; recommended mitigations include restricting access to the Administration Control Panel, updating the filestore module, and applying available updates. Fortinet links active exploitation since December 2025 to the INJ3CTOR3 actor delivering an EncystPHP web shell that enables arbitrary shell execution as the asterisk user and can initiate outbound call activity via compromised PBX instances.
read more →

Trend Micro patches critical Apex One RCE flaws for Windows

⚠️ Trend Micro has released patches for two critical Apex One management console vulnerabilities (CVE-2025-71210 and CVE-2025-71211) that enable path traversal leading to remote code execution on Windows systems. The fixes are included in SaaS updates and Critical Patch Build 14136, which also addresses high-severity agent issues on Windows and macOS. Exploitation requires access to the management console, so externally exposed consoles should apply source restrictions and other access controls. Customers are urged to install updates promptly to reduce risk.
read more →

Critical Juniper PTX Flaw Enables Full Router Takeover

🚨 A critical privilege escalation vulnerability in Junos OS Evolved on PTX Series routers (CVE-2026-21902) can allow unauthenticated remote code execution as root by exposing the On-Box Anomaly Detection framework on an externally accessible port. Because the service runs as root and is enabled by default, an attacker with network access could fully compromise affected devices. Juniper released fixes in 25.4R1-S1-EVO, 25.4R2-EVO and 26.2R1-EVO, and recommends applying updates, restricting access with firewall filters or ACLs, or disabling the service using request pfe anomalies disable.
read more →

Yokogawa CENTUM VP Vnet/IP Vulnerabilities and Patch

🔒 Yokogawa has issued patches for multiple Vnet/IP vulnerabilities affecting CENTUM VP R6 and R7 interface packages that could allow denial-of-service or, in one case, arbitrary code execution. Affected packages (VP6C3300 and VP7C3300) at or below R1.07.00 are vulnerable; the flaws are tracked as CVE-2025-1924 and CVE-2025-48019 through CVE-2025-48023. CISA reports CVSS scores up to 6.9 (MEDIUM) and recommends applying vendor patch R1.08.00 and following advisory YSAR-26-0002 for implementation guidance.
read more →

Copeland XWEB/XWEB Pro Multiple Critical Vulnerabilities

⚠️ Copeland has released patches addressing numerous severe vulnerabilities in XWEB and XWEB Pro appliances that may allow authentication bypass, remote code execution, denial-of-service, path traversal, and memory corruption. Affected firmware includes XWEB 300D PRO, 500D PRO, and 500B PRO running version 1.12.1 or earlier. Several issues are rated high or critical, including one pre-authentication vulnerability with a CVSS v3.1 score of 10.0. Administrators should apply vendor updates immediately and minimize device exposure on untrusted networks.
read more →

Johnson Controls Frick Quantum HD: Critical Vulnerabilities

⚠️ Johnson Controls Frick Controls Quantum HD (versions <= 10.22) contains multiple critical vulnerabilities that can allow pre‑authentication remote code execution, code injection, information disclosure, and denial of service. CISA catalogs six CVEs, including four critical code/OS injection issues (CVSS 9.1), a high severity path traversal (CVSS 7.5), and a medium severity plaintext credential issue (CVSS 6.2). The vendor designates versions 10.22–11 as legacy and recommends upgrading to Quantum HD Unity version 12 or higher, applying the vendor hardening guidance, and following network isolation and access best practices.
read more →

Fake Next.js Interview Repos Deliver JavaScript Backdoor

⚠️ A coordinated campaign impersonating Next.js job interview materials uses malicious repositories to achieve remote code execution on developers' machines. Repositories trigger payloads via VS Code workspace opening, npm dev server startup, or backend initialization, downloading and executing an in-memory JavaScript backdoor. The staged malware profiles hosts, registers with a C2 infrastructure, and supports file enumeration and staged exfiltration. Microsoft advises enforcing VS Code Workspace Trust, reducing secrets on endpoints, and using short-lived, least-privilege tokens.
read more →

Claude Code Flaws Enable Remote Execution and Key Theft

⚠️ Check Point Research disclosed multiple critical vulnerabilities in Anthropic's Claude Code that can enable remote code execution and exfiltration of API credentials when users open untrusted repositories. The issues involve project hooks, the Model Context Protocol, and environment variables that may trigger arbitrary shell commands and redirect authenticated API traffic. Anthropic released patches; administrators should update promptly, avoid opening untrusted projects, and rotate any keys that may have been exposed.
read more →

OpenClaw: Supply-Chain Risks and Underground Chatter

🔍 OpenClaw is an AI-driven automation framework with a modular skills marketplace that lets agents run user-installed plugins to manage mail, schedules, and system tasks. Security researchers disclosed multiple critical flaws — including one-click RCE (CVE-2026-25253), token/OAuth abuse, prompt-injection pathways, and absent sandboxing — and documented dozens of poisoned skills on ClawHub. Flare's telemetry shows significant chatter across research and fringe channels but limited evidence of mass criminal operationalization; the immediate confirmed threat is supply-chain abuse where malicious skills execute with agent-level privileges and exfiltrate credentials and sessions.
read more →

Zyxel Issues Patch for Critical UPnP RCE Affecting Routers

🔐 Zyxel has released updates for a critical UPnP command-injection flaw tracked as CVE-2025-13942 that can allow unauthenticated remote attackers to execute operating system commands on affected routers, CPEs, ONTs, and extenders. Successful exploitation requires both UPnP and WAN access to be enabled; WAN access is disabled by default on these devices. Zyxel also patched two high-severity post-authentication command-injection bugs (CVE-2025-13943, CVE-2026-1459) and strongly urges administrators to apply firmware updates promptly.
read more →

Critical Claude Code Flaws Expose RCE and Key Theft

⚠️ Check Point researchers disclosed critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code that allow remote code execution and theft of Anthropic API keys via malicious repository-level configuration files. The flaws can be triggered simply by cloning and opening an untrusted project; built-in mechanisms such as Hooks, MCP integrations, and environment variables may be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent. Stolen keys can expose shared workspaces, modify or delete resources, and generate unauthorized costs, underscoring a shift in the AI supply chain threat model.
read more →

Job-themed repo lures target developers with backdoors

🛡️ Microsoft warns that a coordinated campaign is using job-themed repositories—often posing as Next.js projects or technical assessments—to infect developer systems with multi-stage backdoors. Attackers embed workspace automation, build scripts, or server startup hooks so simply opening or building a project can load remote JavaScript and execute in memory. Microsoft advises containing affected endpoints, tracing process trees, hunting for repeated polling to attacker infrastructure, enforcing VS Code Workspace Trust, applying attack surface reduction, enabling cloud reputation checks, and tightening developer trust boundaries.
read more →

SolarWinds Issues Patch for Four Critical Serv-U Flaws

🔒 SolarWinds has released updates to address four critical vulnerabilities in its Serv-U file transfer software, each rated 9.1 on the CVSS scale. The flaws include a broken access control that can create a system admin (CVE-2025-40538), two type confusion bugs (CVE-2025-40539 and CVE-2025-40540), and an IDOR (CVE-2025-40541) — all capable of enabling remote code execution when exploited with administrative privileges. The issues affect Serv-U 15.5 and are fixed in Serv-U 15.5.4. SolarWinds warns Windows deployments carry medium risk because services often run under less-privileged accounts by default, and while no active exploitation has been reported, similar past defects were abused by threat actors such as Storm-0322.
read more →

Critical Serv-U RCE Flaws Extend SolarWinds Risk Profile

⚠ SolarWinds has issued four critical patches for its Serv-U managed file transfer server to remediate remote code execution and broken access-control vulnerabilities that can lead to root or other privileged account takeover. The most severe, CVE-2025-40538, can create system admin users and execute arbitrary code, while CVE-2025-40539 and CVE-2025-40540 are type confusion flaws and CVE-2025-40541 is another broken access-control issue. Organizations should treat this as a high-urgency patch event: update immediately, verify internet exposure, check logs for signs of compromise, and rotate associated credentials.
read more →

VMware patches Aria Operations command injection flaw

🔒Recent patches from VMware address several high- and medium-risk vulnerabilities in Aria Operations, Cloud Foundation, and Telco Cloud products. The most serious, CVE-2026-22719, is an unauthenticated command injection that could lead to remote code execution but requires support-assisted product migration to be exploitable, so it is rated high rather than critical. Broadcom recommends upgrading to Aria Operations 8.18.6 and applying corresponding updates for VMware Cloud Foundation and Telco Cloud components to mitigate these issues.
read more →

Developer-Targeting Campaign via Malicious Next.js Repos

⚠️ Microsoft Defender researchers discovered a coordinated developer-targeting campaign that used malicious repositories disguised as legitimate Next.js projects and recruiting assessments to achieve remote code execution. The malicious repositories employed multiple execution paths — editor automation, dev-server assets, and backend startup loaders — that all retrieved attacker-controlled JavaScript at runtime. The activity staged a lightweight registration bootstrap (Stage 1) before escalating to a persistent operator-controlled controller (Stage 2), enabling in-memory tasking, discovery, and staged exfiltration.
read more →

Critical SolarWinds Serv-U Flaws Allow Root Access

🔒 SolarWinds has released Serv-U 15.5.4 to patch four critical remote-code-execution vulnerabilities, including CVE-2025-40538, that can allow attackers with elevated privileges to create administrative accounts and execute arbitrary code as root on vulnerable Windows and Linux servers. The update also fixes two type-confusion bugs and an IDOR that can be chained to achieve root code execution. Organizations should apply 15.5.4 immediately, verify administrator account integrity, and review access logs for signs of unauthorized admin activity; Shodan shows over 12,000 Internet-exposed Serv-U instances.
read more →

Schneider Electric EBO Vulnerabilities and Patches Released

🔒 Schneider Electric has released patches for multiple vulnerabilities in EcoStruxure Building Operation Workstation and WebStation that could disclose local files, enable execution of unintended code, or cause denial-of-service. Affected 6.x and 7.0.x builds should be updated to the vendor-supplied patch builds immediately to mitigate exposure. The issues are tracked as CVE-2026-1227 (XXE) and CVE-2026-1226 (code generation/control). If immediate patching is not possible, implement recommended mitigations — network segmentation, strict access controls, MFA for EBO 7.0+, monitoring, and adherence to EBO hardening guidance — to reduce operational risk.
read more →