
All news with #remote code execution tag


SolarWinds Fixes Critical Web Help Desk Vulnerabilities

⚠️ SolarWinds has released updates for Web Help Desk to address multiple high-severity vulnerabilities, including four critical flaws that can enable authentication bypass and remote code execution. Affected issues include deserialization and hard-coded credential bugs tracked as CVE-2025-40536 through CVE-2025-40554. Rapid7 highlights that the deserialization flaws are particularly exploitable without authentication. SolarWinds fixed the issues in WHD 2026.1 and customers are urged to upgrade immediately.

SolarWinds WHD Critical RCE and Auth Bypass Flaws Revealed

⚠️ SolarWinds has issued emergency updates for Web Help Desk (WHD) to patch six vulnerabilities—four rated critical—that include unauthenticated data deserialization RCEs and authentication bypasses. Researchers from watchTowr and Horizon3.ai disclosed the flaws, which could let attackers execute commands, access protected functions, or leverage hardcoded credentials. Administrators should upgrade to WHD 2026.1 immediately and investigate any anomalous activity on affected servers.

Critical vm2 Node.js sandbox vulnerability allows escape

⚠️ A critical vulnerability in vm2, a widely used Node.js sandboxing library, allows attackers to escape the sandbox and execute arbitrary code. Tracked as CVE-2026-22709, the flaw affects versions older than 3.10.2; users are urged to upgrade immediately. The issue stems from a bypass in Promise.prototype.then and Promise.prototype.catch callback sanitization, and the project maintainer warns that in-process sandboxing will remain a cat-and-mouse challenge. Where possible, combine vm2 with additional isolation, resource limits, and monitoring, or consider stronger isolation alternatives.

Critical sandbox escape flaws allow RCE in n8n instances

🔓 Two sandbox-escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute arbitrary code and potentially take full control of affected instances. JFrog researchers disclosed CVE-2026-1470, a JavaScript AST sandbox bypass that can resolve to Function and execute code in the main node, and CVE-2026-0863, a Python AST bypass that abuses format-string introspection and Python 3.10+ behavior to regain restricted builtins and run OS commands. CVE-2026-1470 was rated critical (9.9) because it grants execution in the main node; both issues affect self-hosted deployments while n8n Cloud has been mitigated. Fixes are available in specific 1.x and 2.x releases and users should upgrade immediately.

OpenSSL patches 12 vulnerabilities discovered by AISLE

🔒 A coordinated security update addressed 12 previously unknown vulnerabilities in OpenSSL, disclosed by AISLE through a coordinated process with project maintainers. The issues span multiple subsystems — from legacy CMS parsing to QUIC and post-quantum signature handling — and include a high-severity stack buffer overflow in CMS AuthEnvelopedData that could enable remote code execution under specific conditions. Remediation included fixes merged into releases and six additional issues resolved before reaching users.

Critical n8n Sandbox Flaws Allow Remote Code Execution

⚠️ Two vulnerabilities in n8n sandboxing allow authenticated users to achieve remote code execution by bypassing JavaScript and Python sandbox controls. JFrog Security Research disclosed CVE-2026-1470 (CVSS 9.9) affecting the JavaScript expression engine and CVE-2026-0863 (CVSS 8.5) targeting Python execution in the Code node. Both issues exploit gaps in AST validation and require the ability to create or modify workflows, enabling attackers to access environment variables and run system-level commands. Users should upgrade immediately to the patched releases listed by the vendor.

SolarWinds Patches Critical Web Help Desk RCE and Bypass

🔒 SolarWinds released updates for Web Help Desk to address critical authentication bypass and remote code execution vulnerabilities, including CVE-2025-40551, CVE-2025-40552 and CVE-2025-40553. Reported by researchers at watchTowr and Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication and execute commands via deserialization and other vectors. Administrators should upgrade to Web Help Desk 2026.1 immediately to mitigate risk.

Hackers Hijack Exposed LLM Endpoints in Bizarre Bazaar

🔒 Researchers at Pillar Security recorded over 35,000 attack sessions in a 40-day window revealing a large-scale operation they call Bizarre Bazaar, an instance of LLMjacking that monetizes exposed LLM endpoints. The campaign targets misconfigured self-hosted models, unauthenticated APIs (notably Ollama on port 11434 and OpenAI-compatible services on port 8000), and publicly accessible MCP servers. Compromised endpoints are used for cryptocurrency mining, reselling API access through a marketplace dubbed silver[.]inc, data exfiltration, and lateral movement into internal systems.

Two High-Severity n8n Flaws Allow Remote Code Execution

⚠️ Researchers disclosed two high-severity eval-injection vulnerabilities in n8n that can bypass sandboxing and enable remote code execution. JFrog Security Research identified CVE-2026-1470 (JavaScript eval, CVSS 9.9) and CVE-2026-0863 (Python eval, CVSS 8.5), which can compromise instances even in internal execution mode. Users should update to the patched releases listed by the vendor without delay.

Patches Issued for Critical Microsoft Office Zero-Day

🔒 Microsoft warns administrators of a critical Office security-bypass zero-day, CVE-2026-21509, that is being actively exploited. The flaw leverages legacy OLE document support to bypass protections similar to Office macros, enabling code execution when a user opens a malicious file. Microsoft has released fixes — automatic for Office 2021 and later, and separate updates for Office 2016 and 2019 — and notes affected applications must be restarted for patches to take effect.

Pyodide Sandbox Escape Enables RCE in Grist-Core SaaS

⚠️ A critical sandbox escape in Pyodide used by Grist-Core allows remote code execution from a single malicious spreadsheet formula. Discovered by Cyera Research Labs and rated CVSS 9.1, the flaw leverages Python's object model, ctypes and exposed Emscripten runtime hooks to traverse from cell data into host runtimes. Grist patched the issue in v1.7.9 by running Pyodide under Deno and adding permission-based isolation; operators should upgrade promptly and treat formula execution as a privileged capability.

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.

6,000+ SmarterMail Servers Exposed to Hijacking Attacks

🔒 Shadowserver has identified over 6,000 internet-exposed SmarterMail servers likely vulnerable to a critical authentication bypass that enables unauthenticated attackers to hijack administrator accounts. The issue was reported to SmarterTools on January 8 and patched in build 9511 on January 15; it was later assigned CVE-2026-23760. A permissive force-reset-password endpoint accepts anonymous requests and fails to verify the existing password or a reset token, allowing an attacker who knows an administrator username to reset credentials and achieve full administrative compromise and potential remote code execution. Organizations should confirm they have applied the vendor update or recommended mitigations and audit logs for unauthorized resets or other indicators of compromise.

Johnson Controls Metasys: Critical Remote SQL RCE Alert

⚠️ CISA and Johnson Controls disclose CVE-2025-26385, a critical remote SQL execution vulnerability in Metasys components with a CVSS v3.1 base score of 10.0. An attacker could execute SQL remotely, potentially altering or destroying data in affected products including ADS, ADX, LCS8500, NAE8500, SCT, and CCT. Johnson Controls provides a patch (GIV-165989) via the License Portal and recommends applying the Metasys Release 14 Hardening Guide, segmenting installations, and closing TCP port 1433 as immediate mitigations. CISA notes there is no known public exploitation of this vulnerability at this time.

Critical 'Cellbreak' Pyodide Sandbox Escape in Grist

⚠️ A critical sandbox escape in Grist-Core allows malicious spreadsheet formulas to execute OS commands or host JavaScript via Pyodide, collapsing the boundary between cell logic and host execution. The flaw, tracked as CVE-2026-24002 and dubbed Cellbreak, has CVSS 9.1 and was fixed in Grist 1.7.9 (Jan 9, 2026). Operators should update immediately or set GRIST_SANDBOX_FLAVOR to "gvisor" as a temporary mitigation.

CISA Flags Critical VMware vCenter RCE as Actively Exploited

🚨 CISA has added a critical VMware vCenter Server remote code execution flaw (CVE-2024-37079) to its catalog of vulnerabilities exploited in the wild and ordered federal civilian agencies to secure affected systems within three weeks. Patched in June 2024, the issue stems from a heap overflow in the DCERPC implementation of vCenter Server that can be exploited via a specially crafted network packet without credentials or user interaction. Broadcom confirms in-the-wild exploitation and urges immediate patching to the latest vCenter Server and Cloud Foundation releases; no mitigations are available.

CISA Adds Actively Exploited VMware vCenter Flaw, Patch Urged

⚠️ CISA has added CVE-2024-37079, a critical heap overflow in Broadcom VMware vCenter's DCE/RPC implementation, to its Known Exploited Vulnerabilities catalog citing evidence of active exploitation. The flaw (CVSS 9.8) can enable remote code execution via a crafted network packet; Broadcom released fixes in June 2024 alongside CVE-2024-37080, with related patches issued in September 2024. Broadcom confirms in-the-wild abuse, and federal civilian agencies must update to the latest vCenter release by February 13, 2026.

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.

Critical GNU InetUtils telnetd Flaw Allows Root Login

🔐 A critical vulnerability in GNU InetUtils telnetd (CVE-2026-24061) enables remote attackers to bypass authentication and gain root access by supplying a crafted USER environment string. The flaw, present in releases 1.9.3 through 2.7, occurs because telnetd forwards an unvalidated USER value to /usr/bin/login, which interprets "-f root" as an authentication bypass. Administrators should apply patches or disable telnetd until updates are installed.

Actively Exploited Cisco UC RCE Flaw Requires Patching

⚠️ Cisco has released patches for a critical remote code execution vulnerability, CVE-2026-20045, affecting Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw allows unauthenticated remote attackers to gain user access via crafted HTTP requests and then escalate privileges to root without user interaction. No workarounds exist; fixes are version-specific and organizations should apply the matching patch or migrate unsupported 12.5 systems.