< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 16 of 35

30-Year-Old Heap Overflow Fixed in libpng 1.6.55 Patch

⚠️ Developers patched a nearly 30-year-old heap buffer overflow in the libpng image library—fixed in libpng 1.6.55—that can crash applications processing crafted PNG files and, with careful heap grooming, enable information disclosure or remote code execution. The flaw exists in the png_set_quantize function when called without a histogram and with oversized palettes. A proof-of-concept is public; users and distributors should upgrade promptly.
read more →

CISA: Microsoft ConfigMgr RCE Patch Now Exploited in the Wild

⚠️ CISA has flagged a critical Microsoft Configuration Manager vulnerability (CVE-2024-43468) as actively exploited after Microsoft patched it in October 2024. The flaw is a SQL injection that can allow unauthenticated remote attackers to achieve remote code execution and run commands with elevated privileges on the server or site database. CISA ordered federal agencies to apply the patch or mitigations by March 5 under BOD 22-01 and urged all organizations to secure affected systems immediately.
read more →

CISA Adds Known-Exploited CVE for BeyondTrust RS/PRA

⚠️ CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation of an OS command injection vulnerability affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). CISA emphasizes that command injection flaws are a frequent and dangerous attack vector that pose significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by the specified due date; CISA strongly urges all organizations to prioritize timely remediation and integrate these fixes into their vulnerability management processes.
read more →

Researchers Observe In-The-Wild Exploitation of BeyondTrust

🔴 watchTowr reported the first in-the-wild exploitation of a critical BeyondTrust vulnerability, CVE-2026-1731, with attackers abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. The flaw (CVSS 9.9) allows unauthenticated remote code execution by sending specially crafted requests and has been patched in Remote Support (BT26-02-RS, 25.3.2+) and Privileged Remote Access (BT26-02-PRA, 25.1.1+). The rapid weaponization highlights how quickly defenders must patch critical systems. CISA also added four actively exploited flaws to its KEV catalog and set federal remediation deadlines in February and March 2026.
read more →

Critical BeyondTrust RCE Now Exploited in Attacks Globally

🚨 A critical pre-authentication remote code execution vulnerability, CVE-2026-1731, in BeyondTrust Remote Support and Privileged Remote Access appliances is being actively exploited after a proof-of-concept was published. The flaw affects Remote Support ≤25.3.1 and Privileged Remote Access ≤24.3.4 and allows unauthenticated attackers to execute OS commands as the site user. BeyondTrust automatically patched SaaS instances on Feb 2, 2026; on-premises customers must install vendor updates immediately.
read more →

Critical RCE in WPvivid Backup Plugin Impacts 900k+

🔒 A critical vulnerability in the WPvivid Backup & Migration WordPress plugin (CVE-2026-1357, CVSS 9.8) allowed unauthenticated attackers to upload arbitrary files and achieve remote code execution. The flaw affected all versions up to 0.9.123 but, according to Defiant, only sites with the non-default receive backup from another site option enabled are critically exposed. WPVividPlugins released a patch in v0.9.124 on Jan 28; administrators should upgrade immediately.
read more →

Siemens COMOS: Multiple Vulnerabilities and Fixes Advisory

🔒 Siemens reports multiple vulnerabilities in COMOS across V10.4–V10.6 that could permit arbitrary code execution, cross-site scripting, denial-of-service, credential exposure, and TLS man-in-the-middle attacks. Siemens has published updates for several affected lines (notably V10.4.5 and V10.5.2) and is preparing additional fixes; some issues remain unpatched. Apply vendor updates where available, follow Siemens' countermeasures for unpatched versions, minimize network exposure of COMOS, and contact Siemens ProductCERT for assistance and timelines.
read more →

Airleader Master: Unrestricted Upload RCE (CVE-2026-1358)

🔒 Airleader GmbH's Airleader Master (<= 6.381) contains a critical file-upload vulnerability (CVE-2026-1358) that permits unauthenticated attackers to place dangerous files on high-privilege pages and potentially obtain remote code execution on the server. CISA assigns CVSS v3.1 9.8 (Critical). The vendor recommends upgrading to 6.386 or later and contacting Airleader for mitigation assistance. Operators should immediately reduce internet exposure and isolate control networks while planning patch deployment.
read more →

Siemens NX CGM File Parsing Vulnerabilities — Update

⚠️ Siemens NX contains multiple file-parsing vulnerabilities in its handling of CGM files that can cause application crashes or enable arbitrary code execution when a malicious file is opened. Siemens has released fixes and advises updating to V2512 or later. Do not open untrusted CGM files and apply vendor updates promptly. Follow CISA guidance on network isolation and secure remote access.
read more →

ThreatsDay Bulletin: Access Abuse and Quiet Persistence

📝 This week’s bulletin spotlights attackers favoring reliable tradecraft—misusing trusted tools and simple entry points while executing deliberate, long‑dwell post‑compromise activity. Microsoft fixed a Notepad Markdown command‑injection (CVE‑2026‑20841) and LayerX disclosed a 0‑click RCE risk in Claude Desktop Extensions. Emerging stealers (LTX, Marco), evolving loaders (GuLoader, RenEngine), and data‑theft ransomware trends raise operational risk. Defenders must detect misuse of legitimate access and anomalous in‑system behavior.
read more →

Apple Patches Exploited dyld Zero-Day Across Devices

🔒 Apple released updates for iOS, iPadOS, macOS Tahoe, tvOS, watchOS and visionOS to fix an actively exploited zero-day, tracked as CVE-2026-20700, a memory corruption flaw in dyld that can permit arbitrary code execution when an attacker has memory write capability. Google Threat Analysis Group (TAG) is credited with reporting the issue. Apple said the bug may have been used in extremely sophisticated targeted attacks and also issued related fixes for CVE-2025-14174 and CVE-2025-43529. Patches are available for supported recent devices and additional updates address vulnerabilities in older OS releases.
read more →

Windows 11 Notepad flaw let Markdown links run code

🔒Microsoft fixed a remote code execution vulnerability in Windows 11 Notepad that allowed specially crafted Markdown links to launch local or remote programs without triggering Windows security dialogs. Tracked as CVE-2026-20841, the issue originated from Notepad's Markdown rendering treating certain file- and protocol-based links as clickable and unverified. Microsoft patched the flaw in the February 2026 Patch Tuesday updates and is distributing the Notepad update via the Microsoft Store; Notepad now displays a warning for non-http(s) links, though attackers could still try to social-engineer users into accepting prompts.
read more →

BeyondTrust patches critical unauthenticated RCE flaw

🔒 BeyondTrust has released emergency patches to address a critical unauthenticated remote code execution vulnerability in self-hosted instances of Remote Support and Privileged Remote Access. Tracked as CVE-2026-1731 and discovered in January by Hacktron AI, the flaw is rated 9.9/10. BeyondTrust published Patch BT26-02-RS for RS 21.3–25.3.1 and Patch BT26-02-PRA for PRA 22.1–24.x; PRA 25.1+ are not affected and SaaS tenants were patched server-side. Around 11,000 RS instances are internet-exposed, roughly 8,500 of which are on-premises and need immediate patching.
read more →

SolarWinds WHD Under Active Attack via January Zero‑Days

🔒 Analysis by Huntress shows SolarWinds Web Help Desk instances are being actively exploited through a chain of zero‑day and previously disclosed deserialization flaws from late 2025 and January. The incidents combine two January zero‑days—CVE-2025-40551 (deserialization RCE) and CVE-2025-40536 (authentication bypass)—with the earlier CVE-2025-26399. Organizations should urgently upgrade to WHD 2026.1, follow SolarWinds' release notes, reset service and admin credentials, and treat any unexpected Velociraptor, Cloudflared, or Zoho Assist activity and silent MSI installations as indicators of compromise.
read more →

OpenClaw AI Agent Exposed: Critical Vulnerabilities Revealed

🔒 OpenClaw (formerly Clawdbot/Moltbot) surged in popularity in January 2026 but contains numerous critical vulnerabilities that place local secrets and system integrity at risk. Researchers found many publicly accessible instances running without authentication, allowing theft of API keys, chat histories, and remote code execution. The agent’s default trust of localhost, an unmoderated skills catalog, and prompt-injection weaknesses enable credential theft and malicious plugin execution. The article recommends isolating deployments, using burner accounts and allowlists, and restricting OpenClaw to dedicated experimental hosts.
read more →

Fortinet Patches Critical SQL Injection in FortiClientEMS

⚠️ Fortinet has issued updates to remediate a critical SQL injection vulnerability (CVE-2026-21643) in FortiClientEMS that could allow unauthenticated attackers to execute arbitrary code via specially crafted HTTP requests. The flaw is rated CVSS 9.1 and affects FortiClientEMS 7.4.4; Fortinet advises upgrading to 7.4.5 or later. Gwendal Guégniaud is credited with reporting the issue, and users are urged to apply the fixes promptly.
read more →

Anthropic DXT's Privileged Design Enables Critical RCE

⚠️ LayerX Security published a report describing a critical zero-click RCE in Anthropic’s Claude Desktop Extensions (DXT) that can let a malicious Google Calendar invite trigger arbitrary local code execution when MCP connectors run with full system privileges. The researchers say DXT runs unsandboxed and can autonomously chain low-risk services to high-risk local executors without user consent. Anthropic says users explicitly grant MCP permissions and must configure the tool carefully, while security experts call the issue architectural and urge stricter deployment controls and sandboxing.
read more →

Threat actors exploit SolarWinds WHD to deploy Velociraptor

⚠️ Researchers report attackers exploiting critical SolarWinds Web Help Desk (WHD) remote code execution flaws (CVE-2025-40551 and CVE-2025-26399) to gain access to at least three organizations. After initial compromise the actor installed Zoho ManageEngine Assist and used Cloudflare tunnels alongside an outdated Velociraptor build as a command-and-control platform. The intruders disabled Defender and the Windows Firewall, deployed persistence mechanisms including scheduled tasks and SSH backdoors, and researchers advise upgrading WHD to 2026.1, removing public admin exposure, and rotating credentials.
read more →

Critical Zero-Click Flaw in Claude Desktop Extensions

⚠️LayerX disclosed a critical zero-click vulnerability affecting 50 Claude Desktop Extensions (DXT) that can result in remote code execution from a single crafted Google Calendar event. The flaw is possible because DXTs operate as unsandboxed MCP servers with full host privileges, allowing them to read files, run system commands and access credentials. LayerX rated the issue CVSS 10.0 and warned it could affect over 10,000 active users. Anthropic has declined to remediate, saying the scenario falls outside its current threat model.
read more →

SolarWinds Web Help Desk RCE Used in Multi‑Stage Attacks

🔒 Microsoft reported a multi-stage intrusion that exploited internet‑exposed SolarWinds Web Help Desk instances to gain unauthenticated remote code execution and lateral access. Exploitation spawned PowerShell which used BITS to download payloads, and attackers deployed legitimate Zoho ManageEngine components to maintain persistent remote control. They enumerated domain users, established reverse SSH and RDP persistence, performed DLL side‑loading to dump LSASS, and in at least one case executed a DCSync. Organizations are advised to patch WHD, remove unauthorized RMM tools, rotate service and admin credentials, and isolate compromised systems.
read more →