< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 21 of 35

Weekly Recap: Automation, Exploits, and Rapid Escalation

🔐 This week's recap highlights how small oversights and automation conveniences have become widespread attack vectors, enabling rapid, large-scale compromise. Key incidents include a maximum-severity RCE in n8n (Ni8mare, CVE-2026-21858) affecting self-hosted instances, the 2M-device Kimwolf Android botnet, and malicious Chrome extensions that exfiltrated AI conversations. The report catalogs numerous trending CVEs and active campaigns, emphasizing that familiar tools and exposed services are the biggest risks today.
read more →

Trend Micro Patches Critical Flaws in Apex Central

🛡️ Trend Micro has released a security update for Apex Central after vulnerability management vendor Tenable identified multiple serious flaws affecting all on-premises builds earlier than 7190. The most severe is a 9.8-rated LoadLibraryEX issue that can allow an unauthenticated attacker to force the server to load and execute an attacker-controlled DLL as SYSTEM. Two additional high-severity, unauthenticated flaws can cause denial-of-service. Trend Micro urges customers to apply build 7190 and review remote access controls immediately.
read more →

Chinese-linked actors exploit VMware ESXi via SonicWall VPN

🔍 Huntress says Chinese-speaking threat actors used a compromised SonicWall VPN appliance in December 2025 to deploy a multi-stage exploit against VMware ESXi, leveraging three zero-day vulnerabilities disclosed by Broadcom in March 2025 (CVE-2025-22224/22225/22226). The toolkit includes an orchestrator dubbed MAESTRO, an unsigned kernel driver loaded via KDU, and a VSOCK-based ELF backdoor called VSOCKpuppet. The attack chain enabled VM-to-hypervisor escapes, remote control of ESXi hosts over VSOCK port 10000, and file transfer capabilities from guest VMs, all of which were halted by Huntress before a suspected ransomware stage could complete.
read more →

Critical Ni8mare RCE in n8n threatens 100,000 servers

⚠️ Security researchers at Cyera disclosed a critical vulnerability dubbed Ni8mare in the workflow automation platform n8n, enabling remote code execution and potential full environment compromise. The flaw, tracked as CVE-2026-21858, carries a CVSS score of 10.0 and impacts roughly 100,000 servers. The root cause is a Content-Type confusion in webhook processing that lets attackers overwrite internal variables, read arbitrary files and inject malicious payloads. n8n released a patched build (1.121.0); administrators should upgrade immediately and rotate any exposed credentials and tokens.
read more →

CISA Flags Critical RCE in HPE OneView Under Attack

⚠️ CISA has added a max-severity remote code execution flaw in HPE OneView (CVE-2025-37164) to its Known Exploited Vulnerabilities catalog after HPE published an advisory and a patch. The vulnerability allows unauthenticated attackers to execute arbitrary commands via a publicly reachable REST API endpoint and carries a CVSS score of 10.0. Organizations face a narrow window to carefully patch management-plane deployments to avoid both exploitation and unintended operational disruption.
read more →

Trend Micro fixes critical RCE in Apex Central console

🔒Trend Micro has released a patch for a critical remote code execution vulnerability (CVE-2025-69258) affecting Apex Central on-premises consoles. A LoadLibraryEX weakness could allow unauthenticated attackers to inject malicious DLLs into MsgReceiver.exe (listening on TCP port 20001) and execute code as SYSTEM without user interaction. Tenable reported the flaw, published technical details and proof-of-concept code, and Trend Micro issued Critical Patch Build 7190 — which also addresses two related DoS flaws — urging customers to apply updates and review remote access and perimeter security.
read more →

Trend Micro Apex Central RCE CVE-2025-69258 Scores 9.8

🔒 Trend Micro has released patches for on-prem Apex Central for Windows to fix multiple flaws, including a critical remote code execution (CVE-2025-69258, CVSS 9.8) that can allow an attacker to load a malicious DLL via LoadLibraryEX. Two additional denial-of-service issues (CVE-2025-69259 and CVE-2025-69260, both CVSS 7.5) were also addressed. Tenable reported the vulnerabilities and notes MsgReceiver.exe (listening on TCP port 20001) is implicated. Customers should apply updates and review remote access controls and perimeter defenses.
read more →

Critical RCE in Hitachi Energy Asset Suite (Jasper)

⚠️ Hitachi Energy has disclosed a critical remote code execution vulnerability in Asset Suite, caused by a Java deserialization flaw in the Jaspersoft library (CVE-2025-10492). The issue affects Asset Suite versions 9.7 and earlier and carries a CVSS v3.1 base score of 9.8 — allowing attackers to execute arbitrary code on vulnerable systems. Hitachi Energy advises upgrading to version 9.8 to remediate the defect. Until patched, administrators should restrict loading of external custom reports, segment networks, and deny internet exposure for control system devices.
read more →

Maximum-severity Ni8mare bug enables n8n server takeover

🔴 Security researchers disclosed a critical vulnerability in the AI workflow automation platform n8n—dubbed “Ni8mare” (CVE-2026-21858)—with a CVSS score of 10.0 that allows remote, unauthenticated attackers to read files and potentially achieve code execution on local instances. The flaw arises from improper webhook parsing of the Content-Type header, letting adversaries control file metadata and local file paths. n8n has issued a patch; users should upgrade to 1.121.0 or later as there are no official workarounds.
read more →

Coolify patches 11 critical flaws enabling root compromise

🔒 Researchers disclosed 11 critical vulnerabilities in Coolify, an open-source self-hosting platform, including multiple authenticated command injections, remote code execution, container escape and an information disclosure of the root SSH private key. Several issues carry CVSS scores of 9.4–10.0 and allow attackers with low or moderate privileges to execute arbitrary commands as root or obtain persistent access. Operators should upgrade to patched releases or apply vendor mitigations immediately.
read more →

CISA Flags Critical HPE OneView Flaw as Actively Exploited

🚨 CISA has added a maximum-severity vulnerability in HPE OneView (CVE-2025-37164) to its catalog of flaws actively exploited in the wild. Reported by Nguyen Quoc Khanh (brocked200) and patched by HPE in mid-December, the bug affects all OneView releases before v11.00 and enables unauthenticated code-injection attacks leading to remote code execution. There are no known mitigations or workarounds; HPE and CISA urge immediate upgrades, and federal agencies must remediate by January 28 under BOD 22-01.
read more →

Critical Veeam Backup & Replication Flaws Require Patch

🔒 Veeam has released a patch addressing four vulnerabilities in Backup & Replication v13 that let users with Backup Admin, Backup Operator, or Tape Operator roles exceed intended privileges. The most severe, CVE-2025-59470 (CVSS 9.0), can enable remote code execution as the Postgres user; others permit file writes as root or RCE via malicious configuration files. Veeam recommends immediate installation of version 13.0.1.1071; the vendor says core backup data remains immutable and intact.
read more →

Critical RCE in n8n Enables Full Local Deployment Takeover

⚠️ Researchers at Cyera disclosed a critical vulnerability in n8n (CVE-2026-21858) that allows unauthenticated attackers to read arbitrary local files via content-type parsing confusion and then recreate session cookies to assume any user’s identity. Exploitation can yield administrator privileges and remote code execution through the Execute Command node. The bug was patched in version 1.121.0 on Nov. 18; administrators should update immediately.
read more →

Ni8mare: Critical RCE and data-exposure bug in n8n instances

⚠️ A maximum-severity vulnerability (CVE-2026-21858, 10/10) lets unauthenticated remote attackers fully compromise self-hosted n8n instances by exploiting a content-type parsing flaw in webhook/form handling. Cyera reports more than 100,000 vulnerable servers. The bug allows attackers to control file metadata in req.body.files, enabling arbitrary file reads, secret exfiltration, session forgery and potential command execution. n8n recommends updating to 1.121.0 and restricting public webhook endpoints.
read more →

Open WebUI SSE Flaw Allows Malicious Model Server Takeover

⚠ Security researchers at Cato Networks disclosed CVE-2025-64496, a vulnerability in Open WebUI that lets external model servers inject JavaScript via Server-Sent Events (SSE) when the Direct Connections feature is enabled. An attacker controlling a malicious model endpoint can exfiltrate JSON Web Tokens (JWTs) from the browser, enabling account takeover and access to documents, chats, and embedded API keys. If the compromised account has Workspace Tools privileges, the session token can be used to execute authenticated Python code on the backend, leading to remote code execution. The flaw affects versions up to 0.6.34 and is fixed in 0.6.35; organizations are urged to update and implement HttpOnly cookies, strict CSPs, and ban dynamic code evaluation.
read more →

n8n Ni8mare: Critical unauthenticated RCE (CVE-2026-21858)

⚠️ A maximum-severity flaw, CVE-2026-21858 (Ni8mare), in n8n allows unauthenticated remote attackers to read local files, forge administrator sessions, and achieve remote code execution by exploiting a Content-Type parsing confusion that can override req.body.files. The bug affects releases up to and including 1.65.0 and was fixed in 1.121.0 (released November 18, 2025). Operators should upgrade immediately, avoid exposing n8n publicly, and restrict or disable public webhooks and form endpoints until patched.
read more →

New Veeam Backup & Replication RCE Vulnerabilities Exposed

⚠️ Veeam released security updates for Backup & Replication to fix multiple vulnerabilities, including a remote code execution bug tracked as CVE-2025-59470. The flaw affects version 13.0.1.180 and earlier 13 builds and can allow users with Backup or Tape Operator roles to execute code as the postgres user. On January 6 Veeam published 13.0.1.1071 to patch CVE-2025-59470 plus a high (CVE-2025-55125) and a medium (CVE-2025-59468) issue. Administrators are advised to apply updates and follow Veeam's security guidelines to limit privileged-role exposure.
read more →

n8n warns of CVE-2026-21877: CVSS 10.0 RCE in service

🔒 n8n has warned of a maximum-severity remote code execution flaw, CVE-2026-21877, rated 10.0 under CVSS. Under certain conditions an authenticated user may cause untrusted code to be executed by the service, potentially allowing full compromise of affected instances. Both self-hosted and n8n Cloud deployments running versions >= 0.123.0 and < 1.121.3 are impacted; the issue is fixed in 1.121.3 (released November 2025). Administrators should upgrade immediately or, if that is not possible, disable the Git node and restrict access for untrusted users.
read more →

Veeam patches critical RCE in Backup & Replication 13

🔒 Veeam has released security updates for Veeam Backup & Replication to address a critical remote code execution flaw tracked as CVE-2025-59470 (CVSS 9.0) that could allow a Backup or Tape Operator to run code as the postgres user via a crafted interval or order parameter. The vendor also fixed three additional vulnerabilities that permit escalation to root or file writes by privileged backup roles. All 13.x builds up to 13.0.1.180 are affected and the fixes are included in 13.0.1.1071; customers are advised to apply updates and follow role-hardening guidance promptly.
read more →

Critical RCE in Legacy D-Link DSL Routers Under Attack

⚠️A critical remote code execution flaw, CVE-2026-0625, is being actively exploited in legacy D-Link DSL gateway routers via a command-injection weakness in the dnscfg.cgi endpoint. Improper sanitization of DNS configuration parameters allows unauthenticated attackers to execute arbitrary shell commands and modify DNS settings. D-Link says it is investigating affected firmware variants and will publish an updated model list after a firmware-level review. Owners of end-of-life devices should retire or replace impacted hardware immediately.
read more →