< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 17 of 35

BeyondTrust warns of critical RCE in Remote Support

⚠️BeyondTrust has issued an urgent advisory for a critical pre-authentication remote code execution vulnerability tracked as CVE-2026-1731 affecting Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4). The flaw is an OS command injection discovered by Harsh Jaiswal and the Hacktron AI team and can be exploited by unauthenticated attackers without user interaction. BeyondTrust says cloud systems were secured by February 2, 2026 and advises on‑premises customers to upgrade to RS 25.3.2 or PRA 25.1.1 immediately.
read more →

SecurityScorecard: 40,214 OpenClaw Instances Exposed

🔒SecurityScorecard warns that widespread misconfiguration of the AI assistant OpenClaw has left 40,214 agent instances — linked to 28,663 unique IP addresses — exposed to the public internet. The vendor reports 63% of observed deployments are vulnerable, including 12,812 instances exploitable via remote code execution, and has correlated hundreds with prior breaches and known CVEs. Exposures are concentrated in China, the US and Singapore and affect sectors such as information services, technology, manufacturing and telecommunications. Users are urged to limit access, adopt a zero trust posture, scrutinize agent logic, and defend against prompt injection and leaked API keys.
read more →

BeyondTrust Patches Critical Pre-Auth RCE in RS and PRA

🔒 BeyondTrust has released updates to address a critical pre-authentication remote code execution vulnerability affecting Remote Support and older Privileged Remote Access versions. The flaw, tracked as CVE-2026-1731, is an operating-system command injection rated 9.9 on the CVSS scale and allows unauthenticated attackers to execute OS commands in the context of the site user. Patches (BT26-02-RS and BT26-02-PRA) or upgrades to the fixed releases should be applied immediately, and self-hosted customers without automatic updates must apply the fix manually.
read more →

Active Exploitation of SolarWinds Web Help Desk Observed

⚠️ Microsoft Defender observed in-the-wild exploitation of internet-facing SolarWinds Web Help Desk, enabling unauthenticated remote code execution and arbitrary command execution within the application context. Post-exploitation behaviors included PowerShell using BITS to download payloads, installation of ManageEngine RMM components for interactive control, credential theft via DLL sideloading and LSASS access, and persistence through scheduled tasks and reverse SSH/RDP tunnels. Organizations should patch WHD, restrict public admin access, hunt for unauthorized RMM artifacts, and rotate exposed service and admin credentials.
read more →

Critical vulnerabilities found in n8n automation platform

🔒 Security researchers at Upwind disclosed six vulnerabilities in n8n, four rated critical (CVSS 9.4), that enable remote code execution, command injection, arbitrary file access and cross-site scripting. The flaws target how n8n sandboxes user processes and protect the host, making multi-user and shared deployments especially dangerous. Administrators and developers should update to the latest release, audit extensions, and treat web-exposed instances with heightened caution.
read more →

CISA: SmarterMail RCE Flaw Actively Exploited by Ransomware

⚠️ CISA warns that ransomware actors are actively exploiting CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterTools SmarterMail via the ConnectToHub API. SmarterTools released a fix on January 15 (Build 9511) and issued further updates through Build 9526 on January 30. Agencies must apply updates or stop using the product by February 26, 2026, under KEV and BOD 22-01 guidance.
read more →

Malicious Commands in GitHub Codespaces Enable RCE Risk

⚠️Orca Security researchers disclosed multiple attack vectors in GitHub Codespaces that can produce remote code execution simply by opening a malicious repository or pull request. By embedding commands in repository configuration files—specifically .vscode/tasks.json, .vscode/settings.json and .devcontainer/devcontainer.json—an attacker can execute code, exfiltrate tokens and access secrets without further user interaction. Microsoft confirmed the behavior is "by design" and points to trusted-repository controls to limit cross-environment impact.
read more →

Ilevia EVE X1 Server: Multiple Critical Vulnerabilities

⚠️ CISA warns of multiple high‑severity vulnerabilities in Ilevia EVE X1 Server (≤ 4.7.18.0), including pre‑auth path traversal, unauthenticated OS command injection, plaintext credential exposure in logs, and reflected XSS. Successful exploitation can allow arbitrary shell execution and disclosure of sensitive files on critical manufacturing systems. Ilevia and CISA recommend updating the Ilevia Manager, closing TCP/8080, enforcing strong credentials, applying network segmentation, and monitoring for unauthorized access.
read more →

Critical n8n Expression-Sandbox Bypass Enables RCE

⚠️A critical vulnerability (CVE-2026-25049, CVSS 9.4) in the n8n workflow automation platform can allow authenticated users with workflow edit rights to execute arbitrary system commands by abusing expression evaluation. The flaw bypasses prior fixes for CVE-2025-68613 and can be triggered by crafted expressions — including a single-line JavaScript destructuring payload — that escape the expression sandbox. Affected releases are <1.123.17 (fixed in 1.123.17) and <2.5.2 (fixed in 2.5.2). Operators should apply the updates immediately or, if patching is not possible, restrict workflow creation to trusted users and harden host and network privileges.
read more →

Attackers Abuse React2Shell to Hijack NGINX Traffic

🔒 Datadog Security Labs disclosed an active web-traffic hijacking campaign that leverages the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) to inject malicious nginx configurations. Attackers use multi-stage shell scripts to create proxy_pass rules that route requests to attacker-controlled backends, focusing on Asian and government/education TLDs and Baota management panels. GreyNoise telemetry links the activity to two dominant IPs and over 1,000 unique sources.
read more →

Threat actors hijack web traffic via React2Shell exploit

⚠️ Researchers at Datadog Security Labs report threat actors are exploiting the React2Shell vulnerability (CVE-2025-55182) in React 19 to execute code on servers and then target NGINX instances managed with Boato Panel, focusing on several Asian TLDs and Chinese hosting. Attackers use automated, multi-stage toolkits to discover targets, persist, and write malicious NGINX configs that redirect traffic for cryptomining, credential phishing, or malware delivery. Defenses include prompt patching, locking down configuration files, maintaining configuration records, and monitoring NGINX advisories.
read more →

Threat Actors Hijack Web Traffic via React2Shell Exploit

⚠️ Researchers at Datadog Security Labs report that threat actors are exploiting the React2Shell vulnerability to compromise servers running NGINX managed via Boato Panel and to hijack web traffic. Attackers deploy multi-stage scripts that discover targets, establish persistence, and generate malicious configuration files to redirect users or deliver malware. The campaign targets primarily Asian domains and Chinese hosting infrastructure, and unpatched React server components remain at high risk.
read more →

Critical n8n Vulnerabilities Allow Remote Code Execution

🔒 Multiple critical vulnerabilities in the open-source workflow platform n8n (tracked as CVE-2026-25049) allow any authenticated user who can create or edit workflows to escape sandboxing and execute arbitrary code on the host server. Independent researchers at Pillar Security, Endor Labs and SecureLayer7 identified sanitization and AST-sandboxing bypasses — including a type-confusion issue and Function-constructor exploits — enabling access to Node.js globals, the filesystem, credentials and connected cloud accounts. n8n released fixes (notably 2.4.0, later 2.5.2 and 1.123.17) and recommends immediate patching, rotating the N8N_ENCRYPTION_KEY and stored credentials, and limiting workflow creation until environments are hardened.
read more →

SolarWinds Web Help Desk RCE Vulnerability Exploited

⚠️ The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-40551 — a critical remote code execution flaw in SolarWinds Web Help Desk — to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The vendor patched multiple high-severity bugs on January 28 and assigned CVSS scores of 9.8. Administrators are urged to apply the vendor update to Web Help Desk 2026.1 immediately to mitigate unauthenticated deserialization and authentication-bypass risks.
read more →

CISA Flags Actively Exploited SolarWinds WHD Flaw Issue

⚠ CISA has added a critical SolarWinds Web Help Desk vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities catalog and flagged it as actively exploited. The flaw is an untrusted data deserialization vulnerability that can enable remote code execution without authentication, allowing attackers to run commands on affected hosts. SolarWinds released patches in WHD version 2026.1 that also address several related high-severity CVEs. Federal Civilian Executive Branch agencies are required to remediate this flaw under BOD 22-01, with a February 6, 2026, deadline.
read more →

CISA: Critical SolarWinds Web Help Desk RCE Exploited

🔒 CISA has flagged a critical SolarWinds Web Help Desk vulnerability (CVE-2025-40551) as actively exploited and ordered federal agencies to patch within three days under BOD 22-01. The flaw is an untrusted data deserialization weakness that can enable unauthenticated remote command execution; SolarWinds released Web Help Desk 2026.1 on January 28 to address it. Administrators are urged to apply the patch immediately and verify affected systems.
read more →

Docker patches critical Ask Gordon AI 'DockerDash' flaw

🛡️ Researchers disclosed a critical prompt-injection flaw, codenamed DockerDash, that allowed malicious Docker image metadata to hijack the Ask Gordon AI assistant in Docker Desktop and the Docker CLI. The vulnerability, discovered by Noma Labs, could enable remote code execution or sensitive data exfiltration by treating unverified LABEL fields as executable instructions. Docker fixed the issue in Ask Gordon version 4.50.0 (November 2025). Administrators should upgrade and apply zero-trust validation to AI toolchains and MCP/Gateway integrations.
read more →

DockerDash: Metadata Flaw in Docker's Ask Gordon AI

⚠️ Noma Labs disclosed a critical vulnerability, dubbed DockerDash, in Docker's Ask Gordon AI assistant that allows unverified image metadata to be treated as executable instructions. The flaw exploits a trust failure in the Model Context Protocol (MCP) gateway: Ask Gordon reads Docker LABEL metadata, forwards the interpreted content to MCP, and MCP tools execute it without validation. Depending on deployment this can enable remote code execution (cloud/CLI) or large-scale data exfiltration and reconnaissance in Docker Desktop. Docker issued mitigations in Docker Desktop 4.50.0 and users are urged to upgrade.
read more →

Hackers Exploit Metro4Shell RCE in React Native CLI

🔒 VulnCheck observed active exploitation of CVE-2025-11953 (Metro4Shell), a critical RCE in the @react-native-community/cli Metro Development Server first seen on December 21, 2025. With a CVSS score of 9.8, the flaw enables unauthenticated remote command execution and was weaponized to deliver a Base64-encoded PowerShell loader that adds Microsoft Defender exclusions. The loader opens a raw TCP channel to 8.218.43.248:60124 to fetch and execute a Rust-based binary with anti-analysis checks; VulnCheck links the activity to multiple attacker IPs and describes it as operational exploitation.
read more →

Exploit of React Native Metro Bug Breaches Dev Systems

🚨 Researchers report attackers are exploiting CVE-2025-11953 in the React Native Metro server to deliver malicious, cross-platform payloads to developer machines. The vulnerability stems from the /open-url endpoint accepting POST data that is passed unsanitized to the system open() call, enabling command execution on Windows and arbitrary executable launches on Unix-like hosts. JFrog disclosed the flaw in early November and it was fixed in @react-native-community/cli-server-api 20.0.0 and later, but active exploitation tracked as 'Metro4Shell' has been observed delivering base64-encoded payloads for both Windows and Linux.
read more →