< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 18 of 35

Hackers Exploit React Native Metro Bug to Breach Systems

🔓 Security researchers warn that attackers are exploiting the critical CVE-2025-11953 flaw in the React Native Metro server to drop malicious Windows and Linux payloads. The issue abuses the development-only /open-url HTTP endpoint, which accepts POST requests and can pass a user-supplied URL unsanitized to the system open() call. JFrog disclosed the bug and it was fixed in @react-native-community/cli-server-api v20.0.0+, but active exploitation (Metro4Shell) has been observed delivering base64 PowerShell stagers and UPX-packed binaries.
read more →

APT28 Exploits Microsoft Office CVE-2026-21509 in Attacks

🔎 The Russia-linked threat actor APT28 has been observed exploiting CVE-2026-21509 in targeted Microsoft Office document attacks as part of Operation Neusploit. Zscaler ThreatLabz reported activity beginning on January 29, 2026, using localized lures and server-side geofilters to deliver malicious DLLs only to intended victims in Ukraine, Slovakia, and Romania. The exploit chains employ RTF/Word files that drop two distinct loaders: a C++ email stealer named MiniDoor and a more elaborate PixyNetLoader, which uses steganography and COM hijacking to deploy a Covenant Grunt implant. The campaign demonstrates focused espionage objectives, targeted evasion, and persistent C2 capabilities.
read more →

OpenClaw token flaw enables one-click remote RCE exploit

🔒 A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw allowed a crafted link or webpage to exfiltrate a stored gateway token and enable one-click remote code execution. The Control UI trusted the gatewayUrl query parameter and auto-connected on load while the server failed to validate WebSocket Origin headers. The issue was patched in v2026.1.29 (Jan 30, 2026); users should upgrade immediately.
read more →

Fancy Bear Exploits Microsoft Office CVE-2026-21509

🔒 CERT-UA reports that Russian-linked group Fancy Bear leveraged CVE-2026-21509 in Microsoft Office to target Ukrainian and EU organizations. Malicious Word documents downloaded a disguised LNK file over WebDAV, which deployed a DLL and an image containing shellcode. The campaign used COM hijacking and a scheduled task to restart explorer.exe and load a malicious EhStoreShell.dll, ultimately launching the Covenant C2 framework. Microsoft has published updates and service-side mitigations; affected customers should apply patches and the recommended registry changes.
read more →

NationStates Confirms Data Breach, Temporarily Shuts Site

🔒 NationStates has confirmed a data breach after taking its browser-based game offline following a player-reported vulnerability that resulted in remote code execution on the production server. The attacker exploited a double-parsing and input sanitization flaw in the Dispatch Search feature to copy application code and user data, including email addresses, MD5 password hashes, login IPs, and browser User-Agent strings. NationStates says telegram contents were likely partially exposed, is wiping and rebuilding the production environment, has reported the incident to authorities, and expects service to be restored within two to five days.
read more →

Ivanti patches two critical EPMM RCE flaws under attack

🔒 Ivanti released stand‑alone RPM patches for Endpoint Manager Mobile (EPMM) to fix two unauthenticated code‑injection vulnerabilities, CVE-2026-1281 and CVE-2026-1340, each rated 9.8 by CVSS. The flaws affect EPMM’s In‑House Application Distribution and Android File Transfer Configuration features and are already being exploited in a limited number of customer environments. Administrators must manually install version-specific RPMs; Ivanti says a permanent fix will arrive in the 12.8.0.0 release.
read more →

SmarterMail Patches Critical Unauthenticated RCE, NTLM Fix

⚠️ SmarterTools released builds addressing critical vulnerabilities in SmarterMail, including an unauthenticated remote code execution flaw (CVE-2026-24423) rated CVSS 9.3. The flaw in the ConnectToHub API allowed an attacker to direct SmarterMail to a malicious HTTP server that serves OS commands, which the application could execute; this was fixed in Build 9511 on January 15, 2026. A separate NTLM-related path coercion issue (CVE-2026-25067, CVSS 6.9) that could force outbound SMB authentication and enable NTLM relay was patched in Build 9518 (January 22, 2026). Administrators should update immediately.
read more →

Ivanti EPMM Zero-Days Allow Unauthenticated RCE, Patch Issued

⚠️ Ivanti has released security updates addressing two critical zero-day code-injection flaws in Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340 (both CVSS 9.8) — which enable unauthenticated remote code execution and have been observed in limited attacks. One of the defects, CVE-2026-1281, was added to CISA’s KEV catalog, imposing a Federal remediation deadline of February 1, 2026. A temporary RPM patch is available for affected 12.x releases but does not persist through upgrades; Ivanti plans a permanent fix in EPMM 12.8.0.0 due Q1 2026. Customers are urged to check Apache access logs using the provided regex, inspect administrative and configuration changes, and restore or rebuild compromised appliances if indicators of attack are found.
read more →

Ivanti warns of two critical EPMM zero-day flaws exploited

⚠ Ivanti disclosed two critical code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both rated 9.8 and observed in limited zero-day exploitation. The flaws allow unauthenticated remote arbitrary code execution and exposure of administrator, user, and managed-device data. Ivanti published RPM hotfixes to mitigate affected builds, advised immediate application, and warned hotfixes must be reapplied after upgrades until a permanent 12.8.0.0 fix is released in Q1 2026.
read more →

Critical RCE Bugs Allow n8n Sandbox Escapes, Patches

⚠️Two critical sandbox escape vulnerabilities in n8n allow authenticated users to achieve remote code execution on affected instances. JFrog researchers reported that flaws in the JavaScript expression engine and the Python Code node can bypass sandboxing protections, exposing workflow engines to host-level compromise. The JavaScript issue stems from a missed edge case in AST-based sanitization when expressions are passed to a Function constructor; the Python escape affects Internal execution mode. Both flaws carry high severity and have been patched—organizations should update to the specified releases and restrict who can create or edit workflows until upgrades are applied.
read more →

KiloView Encoder Series: Missing Auth (CVE-2026-1453)

⚠️ CISA warns of a critical Missing Authentication for Critical Function vulnerability (CVE-2026-1453) in KiloView Encoder Series devices that could let an unauthenticated attacker create or delete administrator accounts and gain full administrative control. Multiple E1, E1-s, E2, G1, P1, P2 and RE1 hardware and firmware builds are affected. No public exploitation has been reported to CISA, and KiloView has not engaged with CISA; users should minimize network exposure, ensure devices are not directly reachable from the Internet, and contact KiloView support for guidance.
read more →

SolarWinds Fixes Critical Web Help Desk Vulnerabilities

⚠️ SolarWinds has released updates for Web Help Desk to address multiple high‑severity vulnerabilities, including four critical flaws that can enable authentication bypass and remote code execution. Affected issues include deserialization and hard‑coded credential bugs tracked as CVE‑2025‑40536 through CVE‑2025‑40554. Rapid7 highlights that the deserialization flaws are particularly exploitable without authentication. SolarWinds fixed the issues in WHD 2026.1 and customers are urged to upgrade immediately.
read more →

SolarWinds WHD Critical RCE and Auth Bypass Flaws Revealed

⚠️ SolarWinds has issued emergency updates for Web Help Desk (WHD) to patch six vulnerabilities—four rated critical—that include unauthenticated data deserialization RCEs and authentication bypasses. Researchers from watchTowr and Horizon3.ai disclosed the flaws, which could let attackers execute commands, access protected functions, or leverage hardcoded credentials. Administrators should upgrade to WHD 2026.1 immediately and investigate any anomalous activity on affected servers.
read more →

Critical vm2 Node.js sandbox vulnerability allows escape

⚠️ A critical vulnerability in vm2, a widely used Node.js sandboxing library, allows attackers to escape the sandbox and execute arbitrary code. Tracked as CVE-2026-22709, the flaw affects versions older than 3.10.2; users are urged to upgrade immediately. The issue stems from a bypass in Promise.prototype.then and Promise.prototype.catch callback sanitization, and the project maintainer warns that in-process sandboxing will remain a cat-and-mouse challenge. Where possible, combine vm2 with additional isolation, resource limits, and monitoring, or consider stronger isolation alternatives.
read more →

Critical sandbox escape flaws allow RCE in n8n instances

🔓 Two sandbox-escape vulnerabilities in the n8n workflow automation platform allow authenticated users to execute arbitrary code and potentially take full control of affected instances. JFrog researchers disclosed CVE-2026-1470, a JavaScript AST sandbox bypass that can resolve to Function and execute code in the main node, and CVE-2026-0863, a Python AST bypass that abuses format-string introspection and Python 3.10+ behavior to regain restricted builtins and run OS commands. CVE-2026-1470 was rated critical (9.9) because it grants execution in the main node; both issues affect self-hosted deployments while n8n Cloud has been mitigated. Fixes are available in specific 1.x and 2.x releases and users should upgrade immediately.
read more →

OpenSSL patches 12 vulnerabilities discovered by AISLE

🔒 A coordinated security update addressed 12 previously unknown vulnerabilities in OpenSSL, disclosed by AISLE through a coordinated process with project maintainers. The issues span multiple subsystems — from legacy CMS parsing to QUIC and post-quantum signature handling — and include a high-severity stack buffer overflow in CMS AuthEnvelopedData that could enable remote code execution under specific conditions. Remediation included fixes merged into releases and six additional issues resolved before reaching users.
read more →

Critical n8n Sandbox Flaws Allow Remote Code Execution

⚠️Two vulnerabilities in n8n sandboxing allow authenticated users to achieve remote code execution by bypassing JavaScript and Python sandbox controls. JFrog Security Research disclosed CVE-2026-1470 (CVSS 9.9) affecting the JavaScript expression engine and CVE-2026-0863 (CVSS 8.5) targeting Python execution in the Code node. Both issues exploit gaps in AST validation and require the ability to create or modify workflows, enabling attackers to access environment variables and run system-level commands. Users should upgrade immediately to the patched releases listed by the vendor.
read more →

SolarWinds Patches Critical Web Help Desk RCE and Bypass

🔒 SolarWinds released updates for Web Help Desk to address critical authentication bypass and remote code execution vulnerabilities, including CVE-2025-40551, CVE-2025-40552 and CVE-2025-40553. Reported by researchers at watchTowr and Horizon3.ai, the flaws allow unauthenticated attackers to bypass authentication and execute commands via deserialization and other vectors. Administrators should upgrade to Web Help Desk 2026.1 immediately to mitigate risk.
read more →

Hackers Hijack Exposed LLM Endpoints in Bizarre Bazaar

🔒 Researchers at Pillar Security recorded over 35,000 attack sessions in a 40-day window revealing a large-scale operation they call Bizarre Bazaar, an instance of LLMjacking that monetizes exposed LLM endpoints. The campaign targets misconfigured self-hosted models, unauthenticated APIs (notably Ollama on port 11434 and OpenAI-compatible services on port 8000), and publicly accessible MCP servers. Compromised endpoints are used for cryptocurrency mining, reselling API access through a marketplace dubbed silver[.]inc, data exfiltration, and lateral movement into internal systems.
read more →

Two High-Severity n8n Flaws Allow Remote Code Execution

⚠️ Researchers disclosed two high-severity eval-injection vulnerabilities in n8n that can bypass sandboxing and enable remote code execution. JFrog Security Research identified CVE-2026-1470 (JavaScript eval, CVSS 9.9) and CVE-2026-0863 (Python eval, CVSS 8.5), which can compromise instances even in internal execution mode. Users should update to the patched releases listed by the vendor without delay.
read more →