
All news with #remote code execution tag

619 articles · page 3 of 31

PAN-OS Critical RCE Exploit Observed in the Wild - May 2026

⚠️ Palo Alto Networks disclosed that threat actors attempted and later succeeded in exploiting a critical buffer overflow, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal, enabling unauthenticated remote code execution as root. Unit 42 linked activity to a suspected state-sponsored cluster tracked as CL-STA-1132, noting shellcode was injected into an nginx worker. Customers are advised to restrict access to trusted zones or disable the portal if unused, and to apply fixes expected to begin rolling out on May 13, 2026.

Critical PAN-OS Buffer Overflow Targets Exposed Firewalls

🔒 Palo Alto Networks warned of a critical buffer overflow in PAN-OS affecting the User-ID Authentication Portal (CVE-2026-0300) that can allow unauthenticated attackers to execute code as root on exposed PA- and VM-Series firewalls. The vendor says only portals reachable from untrusted IPs are at risk; Prisma Access, Cloud NGFW and Panorama are not impacted. Customers are advised to restrict portal access, disable the Captive Portal if unused, disable Response Pages on untrusted interfaces, and apply mitigations until patched builds roll out in May.

PAN‑OS Firewall RCE Zero‑Day Exploited Since April 9

🔴 Palo Alto Networks warns that suspected state‑sponsored actors have exploited a critical PAN‑OS zero‑day (CVE-2026-0300) in the User‑ID Authentication Portal, enabling unauthenticated remote code execution as root on exposed PA‑ and VM‑Series firewalls. Unit 42 says initial probing began April 9, with successful exploitation occurring about a week later; attackers cleaned logs and deployed tunneling tools. Palo Alto notes Cloud NGFW and Panorama are not affected and will issue patches starting May 13; administrators should restrict or disable the authentication portal until updates are applied.

Critical vm2 Node.js sandbox escape vulnerabilities

⚠️ Multiple critical vulnerabilities have been disclosed in the vm2 Node.js library that allow untrusted code to break out of sandboxes and execute arbitrary host commands. The defects include numerous sandbox escapes, code injection vectors, and an allowlist bypass, with several issues rated CVSS 9.8–10.0. Affected releases span multiple 3.9.x–3.11.x builds; maintainers recommend upgrading to v3.11.2 and auditing any vm2-based sandbox deployments. The project lead has acknowledged that further bypasses are likely as research continues.

PAN-OS Captive Portal Zero-Day Exploitation and Activity

🔒 Unit 42 details exploitation of a buffer overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal that permits unauthenticated remote code execution as root on affected PA‑Series and VM‑Series firewalls. Observed adversary activity included shellcode injection into an nginx worker, rapid log and evidence cleanup, and deployment of tunneling tools such as EarthWorm and ReverseSocks5. Immediate mitigations are to restrict or disable the portal, apply vendor guidance, and enable available threat signatures and protections.

Critical vm2 sandbox vulnerability allows host RCE

🚨 A critical vulnerability in the Node.js sandbox library vm2 (CVE-2026-26956) can be exploited to escape the sandbox and execute arbitrary code on the host. The issue has been confirmed in vm2 3.10.4 on Node.js 25 (tested on 25.6.1) when WebAssembly exception handling and JSTag support are enabled. A proof-of-concept exploit is public; users should upgrade to vm2 3.10.5 or later (latest 3.11.2) immediately.

Palo Alto Warns of Actively Exploited PAN-OS Zero-Day

🔴 Palo Alto Networks warns that a critical unpatched PAN-OS zero-day, CVE-2026-0300, is being actively exploited against the User-ID Authentication Portal (Captive Portal). The flaw is a buffer overflow that can allow unauthenticated attackers to execute arbitrary code as root on Internet-exposed PA-Series and VM-Series firewalls. Palo Alto classifies the bug at the highest severity and advises restricting or disabling the portal until a patch is available. Security telemetry from Shadowserver shows over 5,800 PAN-OS VM-series instances exposed online, increasing urgency for mitigations.

Critical PAN-OS Buffer Overflow Exploited in the Wild

⚠️ Palo Alto Networks has warned of a critical buffer overflow (CVE-2026-0300) in the User-ID Authentication Portal component of PAN-OS, allowing unauthenticated remote code execution as root. The flaw carries a CVSS of 9.3 when the portal is internet-accessible (8.7 for internal-only access). Palo Alto reports limited in-the-wild exploitation targeting publicly accessible portals; fixes are scheduled to begin May 13, 2026. Administrators should restrict or disable the portal until patches are applied.

Critical Apache HTTP/2 Double-Free May Enable RCE Now

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.

Critical PHP Code Injection in MetInfo CMS (CVE-2026-29014)

⚠️ New findings from VulnCheck and the NVD confirm that MetInfo CMS versions 7.9, 8.0 and 8.1 contain an unauthenticated PHP code injection vulnerability (CVE-2026-29014, CVSS 9.8) that allows remote attackers to execute arbitrary code. The defect is located in /app/system/weixin/include/class/weixinreply.class.php and results from insufficient sanitization of Weixin API inputs. On non‑Windows hosts a preexisting /cache/weixin/ directory (created by the official WeChat plugin) is required for exploitation. MetInfo released patches on April 7, 2026, but active exploitation was observed beginning April 25 and escalated on May 1, with most activity originating from China and Hong Kong IPs.

AI-Assisted Analysis Uncovers Old Bugs in Databases

🔍 Researchers using AI-assisted analysis at Wiz's zeroday.cloud event disclosed multiple high-severity memory-safety flaws in PostgreSQL and MariaDB. Two PostgreSQL issues — including a heap overflow in the pgcrypto extension — date back more than 20 years and can enable remote code execution when fed attacker-controlled input. MariaDB's JSON schema validator also contains a heap overflow reachable by any authenticated SQL session, which under certain memory conditions can be escalated to code execution. Patches are available and maintainers strongly urge immediate upgrades.

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.

Critical RCE in Weaver E-cology Exploited Since March

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.

ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)

⚠️ A path traversal vulnerability in ABB PCM600 (CVE-2018-1002208) could allow an attacker to deliver specially crafted messages to a system node, resulting in insertion and execution of arbitrary code. Affected releases are PCM600 versions >=1.5 and <=2.13; ABB released a fix in PCM600 2.14 (note: RE_630 relays are incompatible with 2.14). CISA rates the issue at CVSS v3.1 4.4 (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N), notes that exploitation is not remotely trivial, and recommends applying the vendor update or, where an immediate upgrade is impractical, applying system-level and network mitigations such as segmentation, firewalls, and updated VPNs.

ABB Ability Symphony Plus PostgreSQL Vulnerabilities

⚠️ ABB has reported critical vulnerabilities in Ability Symphony Plus (S+) Engineering tied to an embedded PostgreSQL component (version 13.11 and earlier) that could allow authenticated users on the S+ client/server network to execute arbitrary code. Affected S+ releases include 2.2 through 2.4 SP2; ABB released an update — S+ Engineering 2.4 SP2 RU1 (re-released December 2024) — to address the issues. CISA recommends network isolation and perimeter firewalling as primary mitigations; no product-specific workarounds exist and ABB reported no known exploitation at the time of the advisory.

Critical Authentication Bypass in ABB Edgenius Portal

🔒 CISA reports a critical authentication bypass in ABB Edgenius Management Portal (CVE-2025-10571) that permits an attacker with network access to send a specially crafted message to a system node and bypass authentication. Successful exploitation can allow arbitrary code execution, removal of installed applications, and modification of application configurations. ABB has released a fix in Ability Edgenius 3.2.2.0 and urges immediate upgrade; until patched, disabling the portal and reducing network exposure are recommended.

Critical RCE Vulnerability Discovered in Google Gemini CLI

🔒 Researchers disclosed a max-severity remote code execution (RCE) vulnerability in @google/gemini-cli and the associated GitHub Action that could load untrusted workspace configurations in headless CI environments. Google issued patches in 0.39.1, 0.40.0-preview.3 and updated the run-gemini-cli Action to 0.1.22, removing implicit workspace trust and enforcing tool allowlists. Teams that pin CLI versions are advised to upgrade and review workspace configurations immediately.

Google and Cursor Fix Critical RCE Flaws in Dev Tools

🔒 Google patched a maximum-severity remote code execution vulnerability in @google/gemini-cli and the google-github-actions/run-gemini-cli workflow that could allow attackers to run arbitrary commands on host systems. Novee Security reported the flaw, which carries a CVSS score of 10.0, and Google says the impact is limited to headless CI usage where workspace folders were auto-trusted. Affected versions include @google/gemini-cli prior to 0.39.1 (and preview releases) and run-gemini-cli prior to 0.1.22; users should update to the patched releases, explicitly set GEMINI_TRUST_WORKSPACE when inputs are trusted, or follow Google’s hardening guidance for untrusted inputs. Google also tightened allowlisting checks for --yolo mode to prevent auto-approved tool calls from bypassing restrictions.

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.