
All news with #remote code execution tag

620 articles · page 18 of 31

Critical Veeam Backup & Replication Flaws Require Patch

🔒 Veeam has released a patch addressing four vulnerabilities in Backup & Replication v13 that let users with Backup Admin, Backup Operator, or Tape Operator roles exceed intended privileges. The most severe, CVE-2025-59470 (CVSS 9.0), can enable remote code execution as the Postgres user; others permit file writes as root or RCE via malicious configuration files. Veeam recommends immediate installation of version 13.0.1.1071; the vendor says core backup data remains immutable and intact.

Critical RCE in n8n Enables Full Local Deployment Takeover

⚠️ Researchers at Cyera disclosed a critical vulnerability in n8n (CVE-2026-21858) that allows unauthenticated attackers to read arbitrary local files via content-type parsing confusion and then recreate session cookies to assume any user’s identity. Exploitation can yield administrator privileges and remote code execution through the Execute Command node. The bug was patched in version 1.121.0 on Nov. 18; administrators should update immediately.

Ni8mare: Critical RCE and data-exposure bug in n8n instances

⚠️ A maximum-severity vulnerability (CVE-2026-21858, 10/10) lets unauthenticated remote attackers fully compromise self-hosted n8n instances by exploiting a content-type parsing flaw in webhook/form handling. Cyera reports more than 100,000 vulnerable servers. The bug allows attackers to control file metadata in req.body.files, enabling arbitrary file reads, secret exfiltration, session forgery and potential command execution. n8n recommends updating to 1.121.0 and restricting public webhook endpoints.

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update and implement HttpOnly cookies, strict CSPs, and ban dynamic code evaluation.

n8n Ni8mare: Critical unauthenticated RCE (CVE-2026-21858)

⚠️ A maximum-severity flaw, CVE-2026-21858 (Ni8mare), in n8n allows unauthenticated remote attackers to read local files, forge administrator sessions, and achieve remote code execution by exploiting a Content-Type parsing confusion that can override req.body.files. The bug affects releases up to and including 1.65.0 and was fixed in 1.121.0 (released November 18, 2025). Operators should upgrade immediately, avoid exposing n8n publicly, and restrict or disable public webhooks and form endpoints until patched.

New Veeam Backup & Replication RCE Vulnerabilities Exposed

⚠️ Veeam released security updates for Backup & Replication to fix multiple vulnerabilities, including a remote code execution bug tracked as CVE-2025-59470. The flaw affects version 13.0.1.180 and earlier 13 builds and can allow users with Backup or Tape Operator roles to execute code as the postgres user. On January 6 Veeam published 13.0.1.1071 to patch CVE-2025-59470 plus a high (CVE-2025-55125) and a medium (CVE-2025-59468) issue. Administrators are advised to apply updates and follow Veeam's security guidelines to limit privileged-role exposure.

n8n warns of CVE-2026-21877: CVSS 10.0 RCE in service

🔒 n8n has warned of a maximum-severity remote code execution flaw, CVE-2026-21877, rated 10.0 under CVSS. Under certain conditions an authenticated user may cause untrusted code to be executed by the service, potentially allowing full compromise of affected instances. Both self-hosted and n8n Cloud deployments running versions >= 0.123.0 and < 1.121.3 are impacted; the issue is fixed in 1.121.3 (released November 2025). Administrators should upgrade immediately or, if that is not possible, disable the Git node and restrict access for untrusted users.

Veeam patches critical RCE in Backup & Replication 13

🔒 Veeam has released security updates for Veeam Backup & Replication to address a critical remote code execution flaw tracked as CVE-2025-59470 (CVSS 9.0) that could allow a Backup or Tape Operator to run code as the postgres user via a crafted interval or order parameter. The vendor also fixed three additional vulnerabilities that permit escalation to root or file writes by privileged backup roles. All 13.x builds up to 13.0.1.180 are affected and the fixes are included in 13.0.1.1071; customers are advised to apply updates and follow role-hardening guidance promptly.

Critical RCE in Legacy D-Link DSL Routers Under Attack

⚠️ A critical remote code execution flaw, CVE-2026-0625, is being actively exploited in legacy D-Link DSL gateway routers via a command-injection weakness in the dnscfg.cgi endpoint. Improper sanitization of DNS configuration parameters allows unauthenticated attackers to execute arbitrary shell commands and modify DNS settings. D-Link says it is investigating affected firmware variants and will publish an updated model list after a firmware-level review. Owners of end-of-life devices should retire or replace impacted hardware immediately.

New Command Injection in Legacy D-Link DSL Routers

⚠ An unauthenticated command injection (CVE-2026-0625) in dnscfg.cgi allows remote shell execution on multiple legacy D-Link DSL gateway routers. VulnCheck reported the issue to D-Link after The Shadowserver Foundation observed an exploitation attempt on a honeypot on December 15. Confirmed affected models (DSL-526B, DSL-2640B, DSL-2740R, DSL-2780B) are End-of-Life and will not receive patches. D-Link advises retiring affected devices or isolating them in segmented non-critical networks and applying restrictive security settings.

High-severity Open WebUI flaw lets models inject code

⚠️ Security researchers disclosed a high-severity vulnerability in Open WebUI (CVE-2025-64496) that allows external model servers connected via the Direct Connections feature to stream server-sent events that execute JavaScript in the browser. Malicious code can read long-lived JSON Web Tokens stored in localStorage to take over accounts and access workspaces, documents, chats, and embedded API keys. With elevated workspace.tools permissions, attackers can escalate to remote code execution on backend servers. Organizations should patch to v0.6.35 immediately.

Critical n8n CVE-2025-68668: Python Code Node RCE Exploit

⚠️ A critical sandbox bypass, CVE-2025-68668 (CVSS 9.9), has been disclosed in n8n, allowing an authenticated user with workflow create/modify permissions to execute arbitrary OS commands on the host running n8n. The flaw resides in the Python Code Node that uses Pyodide and affects n8n versions 1.0.0 up to, but not including, 2.0.0. The issue is resolved in n8n 2.0.0, which makes the task-runner native Python implementation the default. Short-term mitigations include disabling the Code Node, disabling Python in the Code Node, or enabling the task-runner Python sandbox via environment variables.

Critical AdonisJS bodyparser Path Traversal Risks File Write

🚨 Maintainers of @adonisjs/bodyparser urge immediate updates after disclosure of CVE-2026-21440, a critical path traversal flaw that can enable attackers to write arbitrary files via unsanitized multipart filenames. The vulnerability stems from MultipartFile.move(location, options) defaulting to client-supplied names when the options.name is omitted. Exploitation requires a reachable upload endpoint and can lead to file overwrite and possible RCE depending on deployment, filesystem permissions, and overwrite settings.

CSA warns of critical RCE in SmarterMail email server

⚠️ The Cyber Security Agency of Singapore (CSA) has warned of a maximum-severity vulnerability, CVE-2025-52691 (CVSS 10.0), in SmarterTools SmarterMail that permits unauthenticated arbitrary file uploads and could enable remote code execution. The flaw affects builds 9406 and earlier and was fixed in Build 9413 (Oct 9, 2025); CSA recommends updating to Build 9483 (Dec 18, 2025). While no active exploitation has been reported, administrators should apply the vendor update promptly to mitigate the risk of web shells or malicious binaries being deployed and executed with SmarterMail service privileges.

Patch Tuesday 2025: Microsoft's Most Concerning Bugs

🛡️ Microsoft addressed 1,246 CVEs in 2025, including 158 critical flaws and 41 zero-days, highlighting an increasingly aggressive threat landscape and the use of AI by attackers to accelerate exploitation. Experts warned that several lower-scored but actively abused bugs, such as ToolShell (CVE-2025-53770), CVE-2025-24993, and CVE-2025-30377, enabled remote code execution or privilege escalation in practice. Recommended actions include immediate remediation of highest-risk items, automated triage to free analysts, and contextual prioritization using SSVC rather than relying solely on raw CVSS scores.

React2Shell: Critical RCE in React Server Components

⚠️ React 19 was hit by React2Shell, a critical unauthenticated RCE in React Server Components. The flaw allows arbitrary code execution on servers via crafted requests and affects default React and Next.js deployments. Multiple vendors, including Google and AWS, reported active exploitation within hours; patches are available. Defenders should validate exposure beyond version checks and hunt for backdoors, tunneling, and unexpected child processes.

High-severity MongoDB zlib flaw risks memory leakage

⚠ MongoDB has issued an urgent advisory for CVE-2025-14847 after researchers identified a high-severity bug in zlib-compressed protocol headers that can cause mismatched length fields. The flaw allows unauthenticated attackers to read uninitialized heap memory and could be chained to execute arbitrary code and gain control of a server. MongoDB recommends immediate upgrades to patched releases and, if unable to update, disabling zlib compression as a temporary mitigation.

CISA Flags Exploited Digiever NVR Flaw; Urges Mitigation

⚠️ CISA has added a vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Tracked as CVE-2023-52163 (CVSS 8.8), the issue is a post-authentication command injection via time_tzsetup.cgi that can enable remote code execution. The device is end-of-life and unpatched; vendors and researchers note attacks delivering botnets like Mirai and ShadowV2. Users are advised to avoid exposing affected NVRs to the internet, change default credentials, apply compensating controls, and follow agency guidance ahead of the January 12, 2025 FCEB mitigation deadline.

MongoDB warns admins to patch critical RCE bug immediately

🔔 MongoDB warned IT administrators to immediately apply fixes for a high-severity remote code execution vulnerability tracked as CVE-2025-14847. The flaw is caused by improper handling of a zlib compressed protocol header length, enabling unauthenticated attackers to execute arbitrary code in low-complexity attacks. MongoDB lists numerous affected releases and recommends upgrading to fixed versions such as 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. If an immediate upgrade is not possible, administrators should disable zlib compression by starting mongod or mongos with networkMessageCompressors or net.compression.compressors options that omit zlib.

MongoDB urges immediate patch for high-severity zlib flaw

⚠️ MongoDB warns administrators to immediately patch a high-severity memory-read vulnerability (CVE-2025-14847) in the Server's zlib implementation that may return uninitialized heap memory to unauthenticated remote actors. The issue can be exploited in low-complexity, no-interaction attacks. MongoDB strongly recommends upgrading to a fixed release right away; if you cannot, disable zlib compression by omitting it from networkMessageCompressors or net.compression.compressors when starting mongod or mongos.