All news with #remote code execution tag

620 articles · page 17 of 31

Fortinet Fixes Critical FortiSIEM Remote Code Flaw

🔒 Fortinet issued patches for a critical FortiSIEM vulnerability (CVE-2025-64155, CVSS 9.4) that permits unauthenticated OS command injection and remote code execution via the phMonitor service on TCP port 7900. The flaw enables argument injection leading to arbitrary file writes as admin and a cron-triggered escalation to root. Affected releases span 6.7–7.4 with fixed builds; 7.5 and FortiSIEM Cloud are not impacted. Apply vendor updates or restrict access to port 7900 as a temporary mitigation.

Microsoft January 2026 Patch Tuesday: 114 Flaws Fixed

🔒 Microsoft released its January 2026 Patch Tuesday updates addressing 114 vulnerabilities, including three zero-day flaws and one actively exploited issue. The bulletin patches an actively exploited Desktop Window Manager information disclosure (CVE-2026-20805), renews expiring Secure Boot certificates, and removes legacy Agere modem drivers (agrsm64.sys, agrsm.sys). Eight vulnerabilities are rated Critical, including six remote code execution flaws. Administrators should prioritize these cumulative updates and apply them promptly to reduce exposure.

Microsoft Patch Tuesday Jan 2026: 112 Fixes and Snort rules

🔒 Microsoft released its January 2026 security updates addressing 112 vulnerabilities across Windows and Office, including eight marked critical. One important issue, CVE-2026-20805, was observed exploited in the wild. Critical flaws include RCEs in LSASS, Word, Excel and Office, plus EoP in the Windows Graphics component and VBS Enclave. Cisco Talos published Snort rules to detect exploitation attempts (Snort 2: 65498, 65499, 65663–65676; Snort 3: 301344, 301368–301374).

CISA Flags Active Exploitation of Gogs Symlink Flaw

⚠️ CISA has added a high-severity flaw in Gogs to its Known Exploited Vulnerabilities list after active attacks were observed. Tracked as CVE-2025-8110 (CVSS v4.0 8.7), the issue stems from improper handling of symbolic links in the PutContents API and allows authenticated users to overwrite files outside repositories, potentially enabling remote code execution. Wiz reported hundreds of compromises and Censys shows over 1,600 exposed instances; no official patch is yet available, so administrators should apply immediate mitigations such as disabling open registration and restricting access.

RCE Risks in AI Python Libraries via Config Instantiation

🔒 Three widely used open-source AI/ML Python libraries — NVIDIA NeMo, Salesforce uni2TS, and Apple ml-flextok — were found vulnerable to remote code execution when model metadata was treated as executable configuration. The root cause is unsafe use of configuration-driven instantiation (for example Hydra's instantiate()) that accepts attacker-controlled _target_ values. Vendors released patches and CVE notices; users should apply fixes, restrict allowed targets, and avoid loading models from untrusted sources.

CISA: Active Exploitation of Gogs Path Traversal Flaw

⚠️ CISA has added CVE-2025-8110 to its Known Exploited Vulnerabilities catalog after reports of active exploitation targeting Gogs. The high-severity (CVSS 8.7) flaw is a path traversal in the repository file editor's PutContents API that mishandles symbolic links and can lead to remote code execution. There is not yet an official upstream patch, though GitHub pull requests show fixes have been merged and maintainers say new images will include the correction once built. Until patched, users should disable default open-registration, restrict server access behind VPNs or allow-lists, and apply other access controls; FCEB agencies must implement mitigations by Feb 2, 2026.

January 2026 Patch Tuesday: 114 CVEs Including Zero-Days

🔔 Microsoft released its January 2026 Patch Tuesday addressing 114 vulnerabilities, including three zero-days and several Critical flaws. Notable fixes include an actively exploited information-disclosure issue in Windows Desktop Window Manager (CVE-2026-20805) and publicly disclosed zero-days in Agere Soft Modem and Secure Boot. The release also remediates multiple Critical RCE and elevation-of-privilege issues across Windows and Microsoft Office. Organizations should prioritize testing and deployment and apply compensating controls where immediate patching is impractical.

CISA Orders Federal Patch for Gogs RCE Zero-Day Exploit

⚠️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch a high-severity remote code execution flaw in Gogs tracked as CVE-2025-8110. The issue is a path traversal weakness in the PutContents API that lets authenticated attackers overwrite files outside repositories via symbolic links, enabling arbitrary command execution. Patches released last week add symlink-aware path validation; agencies must remediate by February 2, 2026. Administrators are advised to disable default open registration and restrict server access.

Ni8mare: Critical n8n vulnerability impacts ~60,000 instances

⚠️ A maximum-severity flaw dubbed Ni8mare (CVE-2026-21858) affects n8n and can allow unauthenticated remote attackers to take control of local instances by exploiting improper input validation in Form Submission triggers. Researchers say the bug enables secret exfiltration, session forgery, file injection, and command execution. Administrators should upgrade to n8n 1.121.0 immediately or restrict public webhook/form endpoints as a temporary mitigation.

Weekly Recap: Automation, Exploits, and Rapid Escalation

🔐 This week's recap highlights how small oversights and automation conveniences have become widespread attack vectors, enabling rapid, large-scale compromise. Key incidents include a maximum-severity RCE in n8n (Ni8mare, CVE-2026-21858) affecting self-hosted instances, the 2M-device Kimwolf Android botnet, and malicious Chrome extensions that exfiltrated AI conversations. The report catalogs numerous trending CVEs and active campaigns, emphasizing that familiar tools and exposed services are the biggest risks today.

Trend Micro Patches Critical Flaws in Apex Central

🛡️ Trend Micro has released a security update for Apex Central after vulnerability management vendor Tenable identified multiple serious flaws affecting all on-premises builds earlier than 7190. The most severe is a 9.8-rated LoadLibraryEX issue that can allow an unauthenticated attacker to force the server to load and execute an attacker-controlled DLL as SYSTEM. Two additional high-severity, unauthenticated flaws can cause denial-of-service. Trend Micro urges customers to apply build 7190 and review remote access controls immediately.

Chinese-linked actors exploit VMware ESXi via SonicWall VPN

🔍 Huntress says Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deploy a multi-stage exploit against VMware ESXi, leveraging three zero-day vulnerabilities disclosed by Broadcom in March 2025 (CVE-2025-22224/22225/22226). The toolkit includes an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU, and a VSOCK-based ELF backdoor called VSOCKpuppet. The attack chain enabled VM-to-hypervisor escapes, remote control of ESXi hosts over VSOCK port 10000, and file transfer capabilities from guest VMs, all of which were halted by Huntress before a suspected ransomware stage could complete.

Critical Ni8mare RCE in n8n threatens 100,000 servers

⚠️ Security researchers at Cyera disclosed a critical vulnerability dubbed Ni8mare in the workflow automation platform n8n, enabling remote code execution and potential full environment compromise. The flaw, tracked as CVE-2026-21858, carries a CVSS score of 10.0 and impacts roughly 100,000 servers. The root cause is a Content-Type confusion in webhook processing that lets attackers overwrite internal variables, read arbitrary files and inject malicious payloads. n8n released a patched build (1.121.0); administrators should upgrade immediately and rotate any exposed credentials and tokens.

CISA Flags Critical RCE in HPE OneView Under Attack

⚠️ CISA has added a max-severity remote code execution flaw in HPE OneView (CVE-2025-37164) to its Known Exploited Vulnerabilities catalog after HPE published an advisory and a patch. The vulnerability allows unauthenticated attackers to execute arbitrary commands via a publicly reachable REST API endpoint and carries a CVSS score of 10.0. Organizations face a narrow window to carefully patch management-plane deployments to avoid both exploitation and unintended operational disruption.

Trend Micro fixes critical RCE in Apex Central console

🔒 Trend Micro has released a patch for a critical remote code execution vulnerability (CVE-2025-69258) affecting Apex Central on-premises consoles. A LoadLibraryEX weakness could allow unauthenticated attackers to inject malicious DLLs into MsgReceiver.exe (listening on TCP port 20001) and execute code as SYSTEM without user interaction. Tenable reported the flaw, published technical details and proof-of-concept code, and Trend Micro issued Critical Patch Build 7190 — which also addresses two related DoS flaws — urging customers to apply updates and review remote access and perimeter security.

Trend Micro Apex Central RCE CVE-2025-69258 Scores 9.8

🔒 Trend Micro has released patches for on-prem Apex Central for Windows to fix multiple flaws, including a critical remote code execution (CVE-2025-69258, CVSS 9.8) that can allow an attacker to load a malicious DLL via LoadLibraryEX. Two additional denial-of-service issues (CVE-2025-69259 and CVE-2025-69260, both CVSS 7.5) were also addressed. Tenable reported the vulnerabilities and notes MsgReceiver.exe (listening on TCP port 20001) is implicated. Customers should apply updates and review remote access controls and perimeter defenses.

Critical RCE in Hitachi Energy Asset Suite (Jasper)

⚠️ Hitachi Energy has disclosed a critical remote code execution vulnerability in Asset Suite, caused by a Java deserialization flaw in the Jaspersoft library (CVE-2025-10492). The issue affects Asset Suite versions 9.7 and earlier and carries a CVSS v3.1 base score of 9.8 — allowing attackers to execute arbitrary code on vulnerable systems. Hitachi Energy advises upgrading to version 9.8 to remediate the defect. Until patched, administrators should restrict loading of external custom reports, segment networks, and deny internet exposure for control system devices.

Maximum-severity Ni8mare bug enables n8n server takeover

🔴 Security researchers disclosed a critical vulnerability in the AI workflow automation platform n8n—dubbed “Ni8mare” (CVE-2026-21858)—with a CVSS score of 10.0 that allows remote, unauthenticated attackers to read files and potentially achieve code execution on local instances. The flaw arises from improper webhook parsing of the Content-Type header, letting adversaries control file metadata and local file paths. n8n has issued a patch; users should upgrade to 1.121.0 or later as there are no official workarounds.

Coolify patches 11 critical flaws enabling root compromise

🔒 Researchers disclosed 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, including multiple authenticated command injections, remote code execution, container escape and an information disclosure of the root SSH private key. Several issues carry CVSS scores of 9.4–10.0 and allow attackers with low or moderate privileges to execute arbitrary commands as root or obtain persistent access. Operators should upgrade to patched releases or apply vendor mitigations immediately.

CISA Flags Critical HPE OneView Flaw as Actively Exploited

🚨 CISA has added a maximum-severity vulnerability in HPE OneView (CVE-2025-37164) to its catalog of flaws actively exploited in the wild. Reported by Nguyen Quoc Khanh (brocked200) and patched by HPE in mid-December, the bug affects all OneView releases before v11.00 and enables unauthenticated code-injection attacks leading to remote code execution. There are no known mitigations or workarounds; HPE and CISA urge immediate upgrades, and federal agencies must remediate by January 28 under BOD 22-01.