< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 22 of 35

New Command Injection in Legacy D-Link DSL Routers

⚠An unauthenticated command injection (CVE-2026-0625) in dnscfg.cgi allows remote shell execution on multiple legacy D-Link DSL gateway routers. VulnCheck reported the issue to D-Link after The Shadowserver Foundation observed an exploitation attempt on a honeypot on December 15. Confirmed affected models (DSL-526B, DSL-2640B, DSL-2740R, DSL-2780B) are End-of-Life and will not receive patches. D-Link advises retiring affected devices or isolating them in segmented non-critical networks and applying restrictive security settings.
read more →

High-severity Open WebUI flaw lets models inject code

⚠️Security researchers disclosed a high-severity vulnerability in Open WebUI (CVE-2025-64496) that allows external model servers connected via the Direct Connections feature to stream server-sent events that execute JavaScript in the browser. Malicious code can read long-lived JSON Web Tokens stored in localStorage to take over accounts and access workspaces, documents, chats, and embedded API keys. With elevated workspace.tools permissions, attackers can escalate to remote code execution on backend servers. Organizations should patch to v0.6.35 immediately.
read more →

Critical n8n CVE-2025-68668: Python Code Node RCE Exploit

⚠️ A critical sandbox bypass, CVE-2025-68668 (CVSS 9.9), has been disclosed in n8n, allowing an authenticated user with workflow create/modify permissions to execute arbitrary OS commands on the host running n8n. The flaw resides in the Python Code Node that uses Pyodide and affects n8n versions 1.0.0 up to, but not including, 2.0.0. The issue is resolved in n8n 2.0.0, which makes the task-runner native Python implementation the default. Short-term mitigations include disabling the Code Node, disabling Python in the Code Node, or enabling the task-runner Python sandbox via environment variables.
read more →

Critical AdonisJS bodyparser Path Traversal Risks File Write

🚨 Maintainers of @adonisjs/bodyparser urge immediate updates after disclosure of CVE-2026-21440, a critical path traversal flaw that can enable attackers to write arbitrary files via unsanitized multipart filenames. The vulnerability stems from MultipartFile.move(location, options) defaulting to client-supplied names when the options.name is omitted. Exploitation requires a reachable upload endpoint and can lead to file overwrite and possible RCE depending on deployment, filesystem permissions, and overwrite settings.
read more →

CSA warns of critical RCE in SmarterMail email server

⚠️ The Cyber Security Agency of Singapore (CSA) has warned of a maximum-severity vulnerability, CVE-2025-52691 (CVSS 10.0), in SmarterTools SmarterMail that permits unauthenticated arbitrary file uploads and could enable remote code execution. The flaw affects builds 9406 and earlier and was fixed in Build 9413 (Oct 9, 2025); CSA recommends updating to Build 9483 (Dec 18, 2025). While no active exploitation has been reported, administrators should apply the vendor update promptly to mitigate the risk of web shells or malicious binaries being deployed and executed with SmarterMail service privileges.
read more →

Patch Tuesday 2025: Microsoft's Most Concerning Bugs

🛡️Microsoft addressed 1,246 CVEs in 2025, including 158 critical flaws and 41 zero‑days, highlighting an increasingly aggressive threat landscape and the use of AI by attackers to accelerate exploitation. Experts warned that several lower‑scored but actively abused bugs—such as ToolShell (CVE-2025-53770), CVE-2025-24993, and CVE-2025-30377—enabled remote code execution or privilege escalation in practice. Recommended actions include immediate remediation of highest‑risk items, automated triage to free analysts, and contextual prioritization using SSVC rather than relying solely on raw CVSS scores.
read more →

React2Shell: Critical RCE in React Server Components

⚠️ React 19 was hit by React2Shell, a critical unauthenticated RCE in React Server Components. The flaw allows arbitrary code execution on servers via crafted requests and affects default React and Next.js deployments. Multiple vendors, including Google and AWS, reported active exploitation within hours; patches are available. Defenders should validate exposure beyond version checks and hunt for backdoors, tunneling, and unexpected child processes.
read more →

High-severity MongoDB zlib flaw risks memory leakage

⚠ MongoDB has issued an urgent advisory for CVE-2025-14847 after researchers identified a high-severity bug in zlib-compressed protocol headers that can cause mismatched length fields. The flaw allows unauthenticated attackers to read uninitialized heap memory and could be chained to execute arbitrary code and gain control of a server. MongoDB recommends immediate upgrades to patched releases and, if unable to update, disabling zlib compression as a temporary mitigation.
read more →

CISA Flags Exploited Digiever NVR Flaw; Urges Mitigation

⚠️ CISA has added a vulnerability affecting Digiever DS-2105 Pro network video recorders to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Tracked as CVE-2023-52163 (CVSS 8.8), the issue is a post-authentication command injection via time_tzsetup.cgi that can enable remote code execution. The device is end-of-life and unpatched; vendors and researchers note attacks delivering botnets like Mirai and ShadowV2. Users are advised to avoid exposing affected NVRs to the internet, change default credentials, apply compensating controls, and follow agency guidance ahead of the January 12, 2025 FCEB mitigation deadline.
read more →

MongoDB warns admins to patch critical RCE bug immediately

🔔 MongoDB warned IT administrators to immediately apply fixes for a high-severity remote code execution vulnerability tracked as CVE-2025-14847. The flaw is caused by improper handling of a zlib compressed protocol header length, enabling unauthenticated attackers to execute arbitrary code in low-complexity attacks. MongoDB lists numerous affected releases and recommends upgrading to fixed versions such as 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, and 4.4.30. If an immediate upgrade is not possible, administrators should disable zlib compression by starting mongod or mongos with networkMessageCompressors or net.compression.compressors options that omit zlib.
read more →

MongoDB urges immediate patch for high-severity zlib flaw

⚠️ MongoDB warns administrators to immediately patch a high-severity memory-read vulnerability (CVE-2025-14847) in the Server's zlib implementation that may return uninitialized heap memory to unauthenticated remote actors. The issue can be exploited in low-complexity, no-interaction attacks. MongoDB strongly recommends upgrading to a fixed release right away; if you cannot, disable zlib compression by omitting it from networkMessageCompressors or net.compression.compressors when starting mongod or mongos.
read more →

Critical n8n RCE Flaw (CVE-2025-68613) Requires Patch

🔴 A critical vulnerability in the n8n workflow automation platform (CVE-2025-68613, CVSS 9.9) allows expressions supplied by authenticated users to be evaluated in an execution context that is not sufficiently isolated from the runtime. An attacker able to create or edit workflows could abuse this behavior to execute arbitrary code with the privileges of the n8n process, risking full instance compromise, data exposure, and workflow tampering. The flaw affects versions from 0.211.0 up to, but not including, 1.120.4 and has been patched in 1.120.4, 1.121.1, and 1.122.0; apply these updates or restrict workflow editing and harden deployments.
read more →

Revisiting CVE-2025-50165: Windows Imaging Component Flaw

🛡️ ESET researchers re-examine CVE-2025-50165, a critical Windows Imaging Component vulnerability that can lead to remote code execution when a specially crafted JPG is re-encoded. Their analysis identifies uninitialized precision-specific function pointers in WindowsCodecs.dll (libjpeg-turbo based) as the root cause and reproduces the crash with 12‑ and 16‑bit JPEG samples. ESET concludes exploitation is technically challenging and unlikely in the wild, requiring re-encoding, an address leak and heap manipulation; patches in updated builds initialize and validate these pointers.
read more →

RCE Flaw Exposes Over 115,000 WatchGuard Firewalls

⚠️WatchGuard released patches for a critical remote code execution vulnerability, CVE-2025-14733, affecting Firebox devices running Fireware OS 11.x, 12.x and 2025.1 up to 2025.1.3. The flaw permits unauthenticated attackers to execute arbitrary code on devices configured for IKEv2 VPN, and may also be reachable via certain Branch Office VPN setups. Shadowserver reported more than 115,000 exposed instances online. CISA added the issue to its KEV catalog and ordered federal agencies to patch under BOD 22-01.
read more →

WatchGuard fixes critical Fireware IKEv2 exploit in the wild

🔒 WatchGuard has released updates to remediate a critical vulnerability (CVE-2025-14733, CVSS 9.3) in Fireware OS that enables remote unauthenticated code execution via an out-of-bounds write in the iked process. The flaw impacts IKEv2 mobile user VPNs and branch office VPNs configured with dynamic gateway peers, and the vendor reports observed exploitation attempts in the wild. WatchGuard published fixed releases, IoCs, and temporary mitigations; administrators should apply updates immediately.
read more →

WatchGuard Warns of Actively Exploited RCE in Firebox

🔒 WatchGuard has issued an urgent advisory for a critical remote code execution vulnerability (CVE-2025-14733) affecting Firebox appliances running Fireware OS 11.x, 12.x and 2025.1 releases. The flaw enables unauthenticated attackers to execute code via an out-of-bounds write when IKEv2 VPN is enabled. WatchGuard reports active exploitation in the wild and provides a temporary workaround for Branch Office VPN configurations where immediate patching is not possible. Administrators are urged to apply vendor updates and review provided indicators of compromise.
read more →

React2Shell: Pre-auth RCE Exposes Front-End Risk in Enterprise

🚨 React2Shell (CVE-2025-55182) is a critical pre-authentication remote code execution flaw affecting React Server Components, Next.js and related frameworks. Exploitable with a single crafted HTTP request that targets the Flight protocol, the bug lets attackers inject and execute arbitrary server-side components, enabling backdoors, crypto miners and ransomware deployment. Researchers at S-RM and the Microsoft Defender team warn default configurations are vulnerable and note some early patches were incomplete; organizations should urgently verify fully patched versions and run forensic checks.
read more →

HPE OneView RCE Vulnerability Demands Immediate Patch

🔴 HPE has issued an urgent advisory for HPE OneView after disclosure of a maximum-severity remote code execution flaw, CVE-2025-37164, that can be triggered by unauthenticated remote actors. The vulnerability affects OneView versions 5.20 through 10.20 and requires an immediate security hotfix. HPE provides separate hotfixes for the virtual appliance and for HPE Synergy Composer; administrators should apply the fixes promptly and, until remediation, restrict management-interface access to trusted administrative networks.
read more →

HPE OneView Critical RCE Flaw Rated CVSS 10.0, Patch

🚨 HPE has released patches for a critical remote code execution vulnerability in OneView Software, tracked as CVE-2025-37164 with a CVSS score of 10.0. The flaw affects all versions prior to 11.00; HPE published version 11.00 and hotfixes for 5.20–10.20 to mitigate it. Administrators should apply the update or hotfix promptly; certain hotfixes must be reapplied after specific upgrades or Synergy Composer reimaging.
read more →

Schneider Electric: WSUS Vulnerability in Foxboro DCS

⚠️ Schneider Electric warns that a Microsoft WSUS vulnerability (CVE-2025-59287, CWE-502) impacts EcoStruxure™ Foxboro DCS Advisor and may allow remote code execution with system-level privileges (CVSS 3.1 9.8). Microsoft fixes (KB5070882, KB5070884) are available via WSUS and may require a reboot to complete installation. Apply the patches promptly, verify installation with Schneider Electric Global Customer Support, and follow recommended network isolation and access-control measures to reduce exposure.
read more →