< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 15 of 35

CISA Adds FileZen Command Injection CVE to KEV Catalog

⚠️ CISA added CVE-2026-25108, a FileZen OS command injection vulnerability affecting Soliton Systems K.K., to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. Command injection is a frequent and high-risk vector that can enable remote code execution and system compromise. Under BOD 22-01 federal agencies must remediate KEV entries by required deadlines; CISA strongly urges all organizations to prioritize remediation, apply vendor fixes or mitigations, and monitor for related activity.
read more →

InSAT MasterSCADA BUK-TS: Critical RCE Vulnerabilities

⚠️ CISA reports two critical remote code execution vulnerabilities in InSAT MasterSCADA BUK-TS (all versions). CVE-2026-21410 enables SQL injection via the main web interface, and CVE-2026-22553 allows OS command injection through the MMadmServ interface. Both CVEs have CVSS v3.1 base scores of 9.8. CISA recommends minimizing network exposure, isolating control systems behind firewalls, using secure remote access, and contacting the vendor for guidance.
read more →

CISA: Patched Roundcube Flaws Now Seen in Active Attacks

⚠️ CISA has added two recently patched Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to remediate affected systems within three weeks. The critical remote code execution bug CVE-2025-49113 and a separate XSS issue CVE-2025-68461 affect Roundcube 1.5.x and 1.6.x; vendor fixes (1.6.12 and 1.5.12) have been released. Shodan still enumerates tens of thousands of exposed instances, and organizations are urged to update, audit logs, and mitigate immediately.
read more →

Attackers Exploit Ivanti EPMM Zero-Days in Active Campaign

🔴 Palo Alto Networks' Unit 42 warns that threat actors are actively exploiting two critical zero-day vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — in Ivanti Endpoint Manager Mobile (EPMM). Both flaws allow unauthenticated remote code execution, enabling attackers to seize MDM appliances and install web shells, cryptominers, or persistent backdoors that can survive initial patching. Unit 42 says more than 4,400 EPMM instances are internet-exposed, proof-of-concept exploits are public, and multiple sectors and countries have been targeted.
read more →

CISA: BeyondTrust RCE Now Exploited in Ransomware Attacks

🔒 CISA warns that CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access, is being actively exploited in ransomware attacks. The issue is an OS command injection reachable via specially crafted client requests and was added to the Known Exploited Vulnerabilities catalog on February 13. BeyondTrust reports the cloud (SaaS) was auto-patched on February 2; self-hosted customers must enable updates or install Remote Support 25.3.2 or Privileged Remote Access 25.1.1 and later.
read more →

Critical Pre-auth RCE in BeyondTrust Remote Support

🚨 On Feb. 6, 2026, BeyondTrust published an advisory for CVE-2026-1731, a critical pre-auth remote code execution vulnerability affecting BeyondTrust Remote Support and some Privileged Remote Access deployments. The flaw allows unauthenticated attackers to inject shell commands via the WebSocket remoteVersion field during the handshake, resulting in OS command execution as the site user. Unit 42 observed active exploitation that included web shells, C2 traffic, account tampering and data theft. Immediate patching for self-hosted appliances and engagement of incident response if compromise is suspected are recommended.
read more →

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

🛡️ A critical stack-buffer overflow in Grandstream GXP1600 VoIP phones allows unauthenticated remote attackers to gain root and silently eavesdrop. Tracked as CVE-2026-2329 (CVSS 9.3), the issue affects six GXP1600 models running firmware before 1.0.7.81 and stems from an unauthenticated web API that fails to validate colon-delimited input. Rapid7 developed a Metasploit module to demonstrate the exploit; Grandstream issued firmware 1.0.7.81 on February 3 to address the vulnerability—apply updates immediately.
read more →

EnOcean SmartServer IoT: Remote Code Execution Risk

🔒A pair of vulnerabilities in EnOcean SmartServer IoT firmware (<=4.60.009) can be exploited via crafted LON IP-852 management messages to execute arbitrary OS commands or trigger memory corruption. CVE-2026-20761 (command injection) carries a CVSS 3.1 score of 8.1 and permits remote command execution; CVE-2026-22885 is an out-of-bounds read (CVSS 3.1 score 3.7) that can leak memory. EnOcean advises updating to SmartServer 4.6 Update 2 (v4.60.023) or later, and CISA recommends isolating devices, avoiding internet exposure, using secure remote access, and monitoring for suspicious activity.
read more →

Chinese APT Exploited Dell RecoverPoint Zero-Day Flaw

🔒 Researchers report a China-linked APT exploited a previously unknown vulnerability in Dell RecoverPoint for Virtual Machines (CVE-2026-22769) to achieve unauthenticated root command execution by leveraging hardcoded Apache Tomcat Manager credentials. Google’s Mandiant traced compromises to UNC6201, which deployed web shells and backdoors including BRICKSTORM and the newer GRIMBOLT. Dell released a patch (6.0.3.1 HF1) and a remediation script; customers are urged to upgrade and isolate appliances behind segmented networks.
read more →

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

⚠️ Researchers disclosed an unauthenticated stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600-series VoIP phones that can yield remote code execution as root. The flaw lies in the web API endpoint /cgi-bin/api.values.get, where a malformed colon-delimited "request" parameter overruns a 64-byte stack buffer. Affected models include GXP1610/1615/1620/1625/1628/1630; Grandstream released firmware 1.0.7.81 to fix the issue. Rapid7 published a Metasploit module demonstrating exploitation and post-exploitation risks such as credential theft and SIP proxy hijacking.
read more →

Critical Flaws in Four Popular VS Code Extensions Reported

⚠️ OX Security researchers disclosed multiple high-severity vulnerabilities in four widely used VS Code extensions — Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — collectively installed more than 125 million times. The flaws can enable local-file exfiltration, arbitrary JavaScript execution, and settings-based code execution; three remain unpatched while Microsoft fixed an XSS-style issue in Live Preview in version 0.4.16 (September 2025). Researchers advise disabling or uninstalling non-essential or untrusted extensions, avoiding untrusted configurations, keeping extensions updated, and hardening local networks and firewalls.
read more →

Critical VS Code Extension Flaws Expose 128M Installs

🔒 OX Security disclosed critical and high-severity vulnerabilities in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Three CVEs were published; Microsoft privately patched Live Preview. The flaws also affected AI-powered IDEs Cursor and Windsurf, and OX Security said three maintainers did not respond to notifications. Researchers urge immediate updates, disabling unused extensions, and avoiding untrusted sites while localhost servers run.
read more →

Critical zero-day in Dell RecoverPoint for VMs, exploited

🔒 A maximum-severity vulnerability (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines has been exploited as a zero-day by a suspected China-nexus cluster tracked as UNC6201 since mid-2024. The flaw is a hard-coded Apache Tomcat Manager admin credential that allows unauthenticated attackers to upload a web shell (SLAYSTYLE) and deploy native backdoors (BRICKSTORM, later GRIMBOLT) for root access and persistence. Dell urges customers to upgrade to 6.0.3.1 HF1 (or follow staged upgrades from 5.3 SP4 P1) and to isolate RecoverPoint appliances on trusted, segmented networks until patched.
read more →

Critical Flaws in Popular VSCode Extensions Expose Devs

⚠️ Ox Security disclosed high- to critical-severity vulnerabilities in widely used VSCode extensions that could enable local file theft and remote code execution. Affected extensions include Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716), and a one-click XSS in Microsoft Live Preview (pre-0.4.16). The researchers say they attempted disclosure from June 2025 but received no responses from maintainers. Users are advised to avoid running localhost servers, opening untrusted HTML, pasting untrusted settings, and to remove unnecessary extensions.
read more →

Critical Ivanti EPMM RCE Zero-Days Actively Exploited

🚨 Unit 42 reports two critical zero-day RCEs in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 — are being actively weaponized. Both flaws arise from unsafe legacy bash script usage invoked via Apache RewriteMap and permit unauthenticated command execution through specially crafted HTTP GET requests. Observed activity includes reverse shells, JSP web shells, deployment of monitoring agents/cryptominers, and follow-on persistence. Apply vendor RPM patches immediately, hunt for web shells and backdoors, and engage incident response if compromise is suspected.
read more →

Siemens Simcenter Femap and Nastran File Parsing Flaws

⚠️ Siemens has published updates for Simcenter Femap and Simcenter Nastran addressing multiple file‑parsing vulnerabilities in NDB and XDB formats. If a user opens a specially crafted malicious file, affected versions may crash or allow an attacker to achieve arbitrary code execution. Siemens rates the issues as high severity and recommends updating to V2512 or later and avoiding untrusted NDB/XDB files.
read more →

Exploit Reported for New Chrome Zero-Day in CSS Engine

⚠️ Google warns IT administrators that an exploit for a newly disclosed Chrome zero-day (CVE-2026-2441) is active in the wild. The issue is a use-after-free bug in the browser's CSS engine that can allow remote code execution in the renderer sandbox when a user visits a crafted page. Patches are available — update to 145.0.7632.75/76 on Windows/Mac or 144.0.7559.75 on Linux — and Google is limiting technical details until most users are updated. Administrators should prioritize deploying the fixes and monitor browser versions and endpoints closely.
read more →

CISA orders federal agencies to patch BeyondTrust bug

🔒 CISA has ordered federal agencies to secure on‑premises BeyondTrust Remote Support and Privileged Remote Access instances within three days after disclosure of a critical remote code execution flaw (CVE-2026-1731) that is being actively exploited. The OS command injection allows unauthenticated attackers to run system commands and could lead to data exfiltration or service disruption. BeyondTrust patched SaaS instances on Feb 2; on‑premise customers must install fixes manually.
read more →

Google Issues Patch for In-the-Wild Chrome Zero-Day

🔒 Google has released an urgent security update for Chrome to address CVE-2026-2441, a high-severity zero-day affecting desktop builds on Windows, macOS and Linux. The flaw, rooted in a CSS processing issue, can allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Google confirmed an exploit is already in the wild and credited researcher Shaheen Fazim for reporting the bug on February 11; the company issued the patch on February 13.
read more →

Critical BeyondTrust RS Flaw Being Exploited in Wild

🔒 Researchers warn a critical pre-authentication command injection (CVE-2026-1731) in BeyondTrust Remote Support is being actively exploited to compromise self-hosted deployments, including legacy Bomgar B-series appliances. Attackers have deployed renamed SimpleHelp binaries, created domain accounts and escalated privileges to perform lateral movement. Patches are available, but end-of-life appliances and required version upgrades complicate remediation while a public proof-of-concept has accelerated exploitation.
read more →