
All news with #remote code execution tag


Siemens Ruggedcom Rox OS Command Injection Advisory

⚠️ An input validation vulnerability in the Scheduler feature of Siemens Ruggedcom Rox devices allows an authenticated remote attacker to inject OS commands via the device's Web UI. Successful exploitation can execute arbitrary commands with root privileges on the underlying operating system. Siemens has released updates and recommends upgrading to V2.17.1 or later; CISA urges operators to apply the patch and implement network protections such as firewalls, isolation, and secure remote access.

Siemens Ruggedcom Rox: Multiple Critical Vulnerabilities

🚨 Siemens reports that Ruggedcom Rox devices prior to V2.17.1 contain numerous third‑party vulnerabilities and has released updated firmware; customers are urged to update immediately. The issues include uncontrolled recursion, integer underflow/overflow, multiple stack- and heap-based buffer overflows, use‑after‑free, improper input validation and path traversal, among others. Affected components include Das U‑Boot, QEMU emulation modules, Python email parsing, linux‑pam and other supporting libraries. Apply the vendor updates to mitigate risks such as denial of service, boot bypass or potential code execution.

Siemens Simcenter Femap Heap Overflow in IPT Files

⚠️ Simcenter Femap contains a heap-based buffer overflow in the Datakit library that can be triggered by specially crafted IPT files, causing memory corruption during parsing. If a user opens a malicious IPT file, an attacker could achieve remote code execution in the context of the running process. Siemens has released V2512.0003 or later to address the issue and recommends immediate updating; the flaw is tracked as CWE-122. CISA republished the vendor advisory to increase visibility and urges reducing network exposure and following Siemens' industrial security guidance.

Fortinet fixes critical RCE flaws in Authenticator, Sandbox

🔒 Fortinet released Patch Tuesday updates addressing two critical remote code execution vulnerabilities: FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083), both rated 9.1. The flaws permit unauthenticated attackers to execute arbitrary commands; Fortinet advises upgrading FortiAuthenticator to 6.5.7/6.6.9/8.0.3 and FortiSandbox to 4.4.9 or 5.0.2. Both issues were found internally and have not yet been observed exploited in the wild, but Fortinet RCEs have been weaponized previously. Administrators should prioritize immediate patching and monitor credentials and logs.

Critical Exim GnuTLS Flaw Allows Remote Code Execution

⚠️ A critical use-after-free flaw in Exim (CVE-2026-45185) affects GnuTLS builds prior to 4.99.3 and can be triggered during TLS shutdown while processing BDAT chunked SMTP. The vulnerability allows an unauthenticated remote attacker to achieve arbitrary code execution and access mail data. OpenSSL-based builds are not affected. Administrators should apply Exim v4.99.3 updates immediately via their package managers.

Microsoft May Patch: 17 Critical Flaws Including RCE

🔒 Microsoft released its May Patch Tuesday fixing 120 CVEs, including 17 critical flaws. The update addresses 14 RCEs, two elevation of privilege bugs and one information disclosure issue, with the majority of fixes covering EoP and RCE types. Microsoft credited its WARP team and an agentic AI system, MDASH, with discovering 16 of the issues. Administrators are urged to prioritize high-risk fixes such as CVE-2026-41089.

May Patch Tuesday: Critical Windows, DNS, and Dynamics Fixes

🔒 Microsoft’s May Patch Tuesday addresses 118 vulnerabilities, including critical Windows Server flaws in Netlogon (CVE-2026-41089) and the DNS Client (CVE-2026-41096), plus a severe RCE in Microsoft Dynamics 365 On-Premises. Cloud services such as Azure and Microsoft Teams have already been updated, but on-prem and endpoint administrators must prioritize OS and application patches. Analysts recommend additional protections like network segmentation, access restrictions, and monitoring. Also note a mandatory Secure Boot certificate rotation before June 26 and multiple high‑risk SAP and Oracle updates.

Microsoft Patch Tuesday May 2026: 137 Vulnerabilities

🔒 Microsoft released its May 2026 Patch Tuesday update addressing 137 vulnerabilities, of which 31 are rated critical. Microsoft reports no observed active exploitation in the wild, though several critical RCE and local code-execution flaws affect Windows services, Office, Azure, SharePoint, and mobile Office. Talos has published new Snort 2 and Snort 3 rule sets to detect many exploitation attempts and recommends immediate patching and signature updates.

Fortinet: RCE in FortiSandbox and FortiAuthenticator

🔒 Fortinet issued security updates to address two critical remote code execution flaws affecting FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083). The FortiAuthenticator issue was fixed in versions 6.5.7, 6.6.9 and 8.0.3, while FortiSandbox and its cloud/PaaS WEB UI received patches for a missing authorization weakness. Fortinet noted the cloud IDaaS service is not impacted and there are no reports of active exploitation.

Microsoft May 2026 Patch Tuesday: 120 Vulnerabilities Fixed

🔔 Today's May 2026 Patch Tuesday from Microsoft delivers security updates addressing 120 distinct vulnerabilities, including 17 rated Critical. The release corrects multiple remote code execution, elevation-of-privilege, information disclosure, denial-of-service, spoofing, and security feature bypass flaws across Windows, Office, SharePoint, and developer tools. Notable patches close dangerous RCE vectors in Microsoft Office (Word, Excel, PowerPoint) that can be exploited via malicious attachments or the preview pane, and key fixes include Windows GDI EMF parsing, SharePoint server RCE, and a Windows DNS Client RCE. Administrators are strongly advised to prioritize and deploy updates promptly to reduce exposure.

Exim BDAT Use-After-Free 'Dead.Letter' Patch Released

🔒 Exim has issued emergency updates to fix CVE-2026-45185, dubbed Dead.Letter, a critical use-after-free in BDAT message body parsing that manifests when TLS is handled via GnuTLS. The flaw is triggered when a client sends a TLS close_notify during an active BDAT transfer and then follows up with a final cleartext byte on the same TCP connection, which can corrupt heap metadata and enable code execution. It affects Exim 4.97 through 4.99.2 built with USE_GNUTLS=yes and is fixed in 4.99.3; there are no mitigations, so administrators should apply the update immediately.

ABB AC500 V3: Stack Buffer Overflow in CMS AES-GCM

ABB reports a stack-based buffer overflow in AC500 V3 when parsing CMS (Auth)EnvelopedData with AEAD ciphers like AES-GCM. An oversized IV in ASN.1 parameters may be copied into a fixed-size stack buffer without length checks, allowing an out-of-bounds write before authentication. This can cause crashes, DoS, or potential RCE. ABB issued firmware 3.9.0 HF1 to correct the issue; no workaround exists.

SAP May 2026 Fixes Critical Flaws in Commerce Cloud

🔒 SAP released its May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws affecting Commerce Cloud and S/4HANA. The most severe (CVE-2026-34263) is a missing authentication check in Commerce Cloud that can allow unauthenticated remote code execution via improper Spring Security configuration. The other critical (CVE-2026-34260) permits low-complexity SQL injection by attackers with basic privileges, risking sensitive data exposure and potential service crashes. SAP also patched one high and 11 medium-severity issues and reports no evidence of in-the-wild exploitation to date.

cPanel/WHM Fixes Three Vulnerabilities in May 2026

🔒 cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could enable privilege escalation, arbitrary code execution, and denial-of-service. The flaws are tracked as CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, with CVSS scores up to 8.8. Multiple release lines and the WP Squared build are patched, and a direct 110.0.114 update is available for CentOS 6/CloudLinux 6 users. Administrators are advised to apply updates promptly.

Critical PAN-OS Captive Portal Zero-Day Exploited Widely

⚠️ Palo Alto Networks has confirmed a critical zero-day in PAN-OS's Captive Portal (CVE-2026-0300) that allows unauthenticated remote code execution as root on exposed PA and VM series firewalls. Reporting indicates suspected state-sponsored actors exploited the flaw for nearly a month. Palo Alto plans updates beginning May 13; customers should restrict or disable the portal until patches are available.

Critical vm2 JavaScript Sandbox Flaws Allow Host Escape

⚠️ Thirteen critical vulnerabilities have been disclosed in the vm2 JavaScript sandbox, including a full sandbox escape (CVE-2026-26956) that can allow attacker-controlled code to execute host commands under specific Node.js 25/WebAssembly conditions. Another high-risk issue (CVE-2026-44007) involves NodeVM nesting interacting with the legacy module resolver and was patched in 3.11.1. Developers should upgrade to vm2 3.11.2 immediately and consider interim mitigations such as avoiding Node 25 runtimes or disabling WebAssembly for untrusted sandboxes.

Prompt Injection Leads to RCE in AI Agent Frameworks

⚠️ Microsoft researchers disclosed critical vulnerabilities in Semantic Kernel that allow prompt injection to escalate into host-level remote code execution and arbitrary file writes. The team detailed two fixed issues — CVE-2026-26030 (unsafe eval-style filter in the In-Memory Vector Store) and CVE-2026-25592 (exposed DownloadFileAsync in SessionsPythonPlugin) — and provided mitigations. Operators should upgrade the Python package to 1.39.4+ and the .NET SDK to 1.71.0+, validate any model-influenced tool parameters as untrusted input, and hunt endpoint telemetry for post-exploitation indicators.

Ivanti EPMM RCE (CVE-2026-6973) Under Active Exploitation

🛡️ Ivanti warns of a high-severity flaw, CVE-2026-6973 (CVSS 7.2), in Endpoint Manager Mobile (EPMM) that has been observed in limited active exploitation and permits remote code execution for remotely authenticated users with administrative access. The issue affects on-premises EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 and was released alongside patches for four additional vulnerabilities. CISA added CVE-2026-6973 to its KEV catalog with a May 10, 2026 remediation deadline; Ivanti advises applying updates and rotating credentials as appropriate.

Ivanti warns of EPMM zero-day RCE; patches released

🔒 Ivanti is urging customers to patch a high-severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) after limited zero-day exploitation. The weakness stems from improper input validation and affects on-prem EPMM 12.8.0.0 and earlier; Ivanti released fixes in 12.6.1.1, 12.7.0.1, and 12.8.0.1 and recommends reviewing and rotating admin credentials. The vendor also patched four additional high-severity EPMM issues and noted that Shadowserver currently sees over 850 exposed EPMM hosts online.

Critical WebSocket Flaw in Cline Kanban Enables RCE

🔒 A critical WebSocket vulnerability in Cline's Kanban server (CVSS 9.7) allows any webpage a developer visits to silently exfiltrate workspace data, inject terminal commands and terminate agent sessions. Disclosed by Oasis Security on May 7, it affects the Kanban npm package v0.1.59 and stems from missing origin validation and authentication on three local WebSocket endpoints. Updating to v0.1.66 and disabling the default bypass permissions flag are recommended mitigations.