< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 19 of 35

Patches Issued for Critical Microsoft Office Zero-Day

🔒 Microsoft warns administrators of a critical Office security-bypass zero-day, CVE-2026-21509, that is being actively exploited. The flaw leverages legacy OLE document support to bypass protections similar to Office macros, enabling code execution when a user opens a malicious file. Microsoft has released fixes — automatic for Office 2021 and later, and separate updates for Office 2016 and 2019 — and notes affected applications must be restarted for patches to take effect.
read more →

Pyodide Sandbox Escape Enables RCE in Grist-Core SaaS

⚠️A critical sandbox escape in Pyodide used by Grist-Core allows remote code execution from a single malicious spreadsheet formula. Discovered by Cyera Research Labs and rated CVSS 9.1, the flaw leverages Python's object model, ctypes and exposed Emscripten runtime hooks to traverse from cell data into host runtimes. Grist patched the issue in v1.7.9 by running Pyodide under Deno and adding permission-based isolation; operators should upgrade promptly and treat formula execution as a privileged capability.
read more →

Critical sandbox escape in vm2 Node.js library patched

⚠️ A critical sandbox-escape vulnerability (CVE-2026-22709) was discovered in the vm2 Node.js sandbox library that allows untrusted code to break out of the sandbox and execute commands on the host. The flaw stems from improper sanitization of Promise.prototype.then and Promise.prototype.catch callbacks for asynchronous code, enabling trivial exploitation. Maintainer Patrik Šimek issued sequential fixes in 3.10.1 and 3.10.2 and says 3.10.3 addresses disclosed issues; users should upgrade immediately.
read more →

6,000+ SmarterMail Servers Exposed to Hijacking Attacks

🔒 Shadowserver has identified over 6,000 internet-exposed SmarterMail servers likely vulnerable to a critical authentication bypass that enables unauthenticated attackers to hijack administrator accounts. The issue was reported to SmarterTools on January 8 and patched in build 9511 on January 15; it was later assigned CVE-2026-23760. A permissive force-reset-password endpoint accepts anonymous requests and fails to verify the existing password or a reset token, allowing an attacker who knows an administrator username to reset credentials and achieve full administrative compromise and potential remote code execution. Organizations should confirm they have applied the vendor update or recommended mitigations and audit logs for unauthorized resets or other indicators of compromise.
read more →

Johnson Controls Metasys: Critical Remote SQL RCE Alert

⚠️ CISA and Johnson Controls disclose CVE-2025-26385, a critical remote SQL execution vulnerability in Metasys components with a CVSS v3.1 base score of 10.0. An attacker could execute SQL remotely, potentially altering or destroying data in affected products including ADS, ADX, LCS8500, NAE8500, SCT, and CCT. Johnson Controls provides a patch (GIV-165989) via the License Portal and recommends applying the Metasys Release 14 Hardening Guide, segmenting installations, and closing TCP port 1433 as immediate mitigations. CISA notes there is no known public exploitation of this vulnerability at this time.
read more →

Critical 'Cellbreak' Pyodide Sandbox Escape in Grist

⚠️ A critical sandbox escape in Grist-Core allows malicious spreadsheet formulas to execute OS commands or host JavaScript via Pyodide, collapsing the boundary between cell logic and host execution. The flaw, tracked as CVE-2026-24002 and dubbed Cellbreak, has CVSS 9.1 and was fixed in Grist 1.7.9 (Jan 9, 2026). Operators should update immediately or set GRIST_SANDBOX_FLAVOR to "gvisor" as a temporary mitigation.
read more →

CISA Flags Critical VMware vCenter RCE as Actively Exploited

🚨 CISA has added a critical VMware vCenter Server remote code execution flaw (CVE-2024-37079) to its catalog of vulnerabilities exploited in the wild and ordered federal civilian agencies to secure affected systems within three weeks. Patched in June 2024, the issue stems from a heap overflow in the DCERPC implementation of vCenter Server that can be exploited via a specially crafted network packet without credentials or user interaction. Broadcom confirms in-the-wild exploitation and urges immediate patching to the latest vCenter Server and Cloud Foundation releases; no mitigations are available.
read more →

CISA Adds Actively Exploited VMware vCenter Flaw Patch Urged

⚠️ CISA has added CVE-2024-37079, a critical heap overflow in Broadcom VMware vCenter's DCE/RPC implementation, to its Known Exploited Vulnerabilities catalog citing evidence of active exploitation. The flaw (CVSS 9.8) can enable remote code execution via a crafted network packet; Broadcom released fixes in June 2024 alongside CVE-2024-37080, with related patches issued in September 2024. Broadcom confirms in‑the‑wild abuse and Federal civilian agencies must update to the latest vCenter release by February 13, 2026.
read more →

Trivial Telnet Auth Bypass Enables Complete Device Takeover

🔓 A trivial authentication bypass in the inetutils telnet server (CVE-2026-24061) lets attackers gain root by abusing the USER environment variable. Telnetd forwards the USER value to /usr/bin/login, so sending USER='-f root' with telnet's -a/--login option causes an automatic root login (e.g., USER='-f root' telnet -a [host_ip]). The flaw has existed for about 11 years, so many legacy and IoT devices are likely affected. Apply the vendor/distribution patch immediately or disable Telnet and restrict access to whitelisted IPs.
read more →

Critical GNU InetUtils telnetd Flaw Allows Root Login

🔐 A critical vulnerability in GNU InetUtils telnetd (CVE-2026-24061) enables remote attackers to bypass authentication and gain root access by supplying a crafted USER environment string. The flaw, present in releases 1.9.3 through 2.7, occurs because telnetd forwards an unvalidated USER value to /usr/bin/login, which interprets "-f root" as an authentication bypass. Administrators should apply patches or disable telnetd until updates are installed.
read more →

Actively Exploited Cisco UC RCE Flaw Requires Patching

⚠️ Cisco has released patches for a critical remote code execution vulnerability, CVE-2026-20045, affecting Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw allows unauthenticated remote attackers to gain user access via crafted HTTP requests and then escalate privileges to root without user interaction. No workarounds exist; fixes are version-specific and organizations should apply the matching patch or migrate unsupported 12.5 systems.
read more →

SmarterMail authentication bypass patched, now exploited

🔒 Researchers report an authentication bypass in SmarterTools SmarterMail (tracked as WT-2026-0001) being actively exploited days after a Jan 15, 2026 patch (Build 9511). An unauthenticated HTTP request to the /api/v1/auth/force-reset-password endpoint can set an IsSysAdmin flag and reset any administrator password if the attacker knows the admin username. The same privileged path enables SYSTEM-level remote code execution via the product's Volume Mount Command feature. watchTowr Labs went public after community reports showed the endpoint was used to change an admin password on Jan 17, indicating rapid patch reversal by attackers.
read more →

Cisco Fixes Actively Exploited Zero-Day in Unified CM, Webex

🔒 Cisco released patches for a critical, actively exploited vulnerability tracked as CVE-2026-20045 that affects multiple Unified Communications products and Webex Calling Dedicated Instance. The flaw (CVSS 8.2) allows unauthenticated remote attackers to execute arbitrary commands via crafted HTTP requests against the web-based management interface. Cisco urged customers to upgrade to fixed releases or apply published patch files; there are no workarounds. The U.S. CISA has added the issue to its KEV catalog with a remediation deadline of February 11, 2026.
read more →

Cisco fixes critical Unified Communications RCE zero-day

🔒 Cisco released patches to address a critical remote code execution vulnerability, CVE-2026-20045, actively exploited against Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw stems from improper validation of user-supplied input in HTTP requests to the web management interface and can allow an attacker to gain user access and escalate to root. Administrators should apply the version-specific updates or provided .cop patch files immediately, as Cisco reports no available workarounds.
read more →

CERT/CC warns binary-parser flaw enables JS execution

🛡️ The CERT/CC has warned of a code-injection vulnerability in the binary-parser npm library (CVE-2026-1245) that can permit execution of arbitrary JavaScript when parser source is dynamically generated at runtime. The flaw arises from unsanitized, attacker-controlled values — such as parser field names and encoding parameters — being embedded into code compiled with the Function constructor. Applications that accept untrusted parser definitions are at risk; static, hard-coded parsers are not affected. Users should upgrade to binary-parser 2.3.0 and avoid passing user-controlled values into parser definitions.
read more →

DPRK-linked Actors Abuse VS Code Tasks to Deliver Backdoor

🚨 Jamf Threat Labs and other researchers observed DPRK-linked actors using malicious Visual Studio Code project repositories to deliver a multi-stage backdoor enabling remote code execution. The campaign abuses VS Code task configuration files (runOn: folderOpen) to fetch obfuscated JavaScript from Vercel and deploy implants named BeaverTail and InvisibleFerret. Targets are lured to clone and open repository-based job assessments, and on macOS the chain uses nohup/curl to run Node.js payloads that persist beyond the IDE.
read more →

Prompt Injection Bugs in Anthropic's Official MCP Git Server

🚨 Cybersecurity researchers have identified three prompt-injection vulnerabilities in Anthropic's reference Git server implementation, mcp-server-git, affecting default installations and all releases before 8 December 2025. The flaws let attackers manipulate what an AI assistant reads—such as a README, issue text or a webpage—to cause unintended actions without credentials or system access. Exploits can enable code execution when combined with a filesystem MCP server, delete arbitrary files, or load sensitive files into a model's context. Anthropic accepted the reports in September and issued patches in December 2025; affected users are urged to update immediately.
read more →

Three MCP Git Server Flaws Enable File Access and RCE

⚠️ A trio of vulnerabilities in mcp-server-git, the official MCP Git server maintained by Anthropic, can be chained to read or delete arbitrary files and, in certain scenarios, achieve remote code execution. Cyata researcher Yarden Porat showed these issues are exploitable via prompt injection when an AI assistant ingests attacker-controlled content such as a malicious README or poisoned issue text. Fixes were released in 2025.9.25 and 2025.12.18; users should update the Python package promptly to mitigate risk.
read more →

CODESYS Runtime Vulnerabilities Affecting Schneider Electric

⚠️ Schneider Electric warns that multiple vulnerabilities in the CODESYS Runtime System V3 communication server affect many Schneider products and third-party devices embedding CODESYS. Exploitable issues include denial-of-service and, in some configurations, remote code execution; several CVEs carry CVSS scores up to 8.8. Schneider has published patches and mitigations for many affected product families; operators should apply vendor updates and follow immediate network and access controls to reduce exposure.
read more →

Python libraries for Hugging Face models enable RCE

⚠️ Researchers at Palo Alto Networks' Unit 42 disclosed critical weaknesses in the NeMo, Uni2TS and FlexTok Python libraries used with Hugging Face models, where malicious code can be hidden in model metadata and executed automatically when a manipulated file is loaded. The root cause is the use of Hydra's instantiate(), which accepts arbitrary callables and arguments and can therefore permit remote code execution if metadata is untrusted. Vendors including NVIDIA, Salesforce and the maintainers of FlexTok have issued fixes and CVE assignments; users should upgrade affected libraries and audit models before loading.
read more →