All news with #remote code execution tag

⚠️F5 Networks has reclassified a previously patched BIG-IP APM denial-of-service flaw (CVE-2025-53521) as a critical remote code execution vulnerability after evidence of active exploitation. Attackers are deploying webshells on unpatched devices that have access policies configured on virtual servers. F5 and CISA have published advisories and IOCs and are urging immediate patching, forensic checks of disks, logs, and terminal history, and adherence to incident-handling policies.

🔴 Threat intelligence firm Defused reports active exploitation of a critical SQL injection in Fortinet FortiClient EMS, tracked as CVE-2026-21643. The vulnerability lets unauthenticated attackers inject SQL via the HTTP 'Site' header to the EMS web GUI, enabling arbitrary code or command execution on unpatched systems. Fortinet fixed the issue in 7.4.5; administrators must upgrade immediately and block public access to EMS interfaces. Defused observed first exploitation four days after discovery and Shodan/Shadowserver data indicate many publicly exposed instances.

⚠️ CISA has added CVE-2025-53521 to its Known Exploited Vulnerabilities (KEV) list after evidence of active exploitation against F5 BIG-IP APM. The flaw, reclassified from a DoS to an RCE with a CVSS v4 score of 9.3, permits unauthenticated remote code execution when an APM access policy is configured on a virtual server. F5 published file, log, and traffic indicators and warned that webshells may run in memory. Organizations and FCEB agencies were directed to apply the vendor fixes by March 30, 2026.

🚨 Attackers weaponized a critical Langflow remote code execution flaw within hours of disclosure, prompting CISA to add CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. The issue stems from an unauthenticated build_public_tmp API endpoint that accepts workflow data and executes embedded Python code without sandboxing, enabling unauthenticated RCE on versions up to 1.8.2. Langflow released a fix in v1.9.0 and agencies are urged to patch by April 8, 2026.

⚠️ CISA has added CVE-2025-53521, a remote code execution vulnerability in F5 BIG-IP, to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The agency notes this class of flaw is a frequent attacker vector and poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV entries by assigned due dates. CISA strongly urges all organizations to prioritize timely remediation, apply vendor fixes or mitigations, and maintain active monitoring to reduce exposure.

🔴 CISA warns that a critical code-injection vulnerability, CVE-2026-33017, in the Langflow AI workflow framework is being actively exploited for remote code execution. The flaw impacts Langflow versions 1.8.1 and earlier and can be triggered with a single crafted HTTP request due to unsandboxed flow execution, allowing attackers to build public flows without authentication. Administrators should upgrade to Langflow 1.9.0, disable or restrict the vulnerable endpoint, rotate keys and secrets, and avoid exposing Langflow directly to the internet. CISA added the issue to its Known Exploited Vulnerabilities list and set an April 8 deadline for agencies covered by BOD 22-01.

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.

⚠ A critical Oracle WebLogic RCE (CVE-2026-21962, CVSS 10.0) was weaponized the same day public exploit code was released, a CloudSEK honeypot study found. The high-interaction honeypot, run between January 22 and February 3, 2026, recorded immediate automated scanning and exploitation attempts. Researchers also observed probes for older WebLogic flaws and widespread generic web reconnaissance. Organizations are urged to apply patches, restrict console access, deploy WAFs and monitor logs.

⚠️CISA reports a critical remote code execution vulnerability (CVE-2026-4681) affecting PTC Windchill and FlexPLM, with a CVSS v3.1 base score of 10.0. The issue stems from deserialization of untrusted data (CWE-94) and could allow unauthenticated attackers to run arbitrary code. PTC is developing a patch and advises immediate application of documented workarounds and updated Apache or IIS configurations to protect public, file, and replica servers.

🔔 Mass exploitation of the PolyShell vulnerability in Magento Open Source and Adobe Commerce began on March 19, with Sansec reporting attacks on 56.7% of vulnerable stores within days of public disclosure. The issue resides in Magento’s REST API, which accepts file uploads for custom cart options and can allow polyglot files to enable remote code execution or account takeover via stored XSS when server configurations permit. Adobe released a patch in 2.4.9-beta1 on March 10, 2026, but no stable production fix is yet available; Sansec has published IPs and IOCs and warns of a WebRTC-based payment skimmer used in some intrusions.

🔒 TP-Link released firmware updates for its Archer NX200, NX210, NX500, and NX600 routers to fix multiple vulnerabilities, including a critical authentication bypass that can permit unauthenticated firmware uploads via certain HTTP CGI endpoints. The vendor additionally removed a hardcoded cryptographic key and patched two command injection flaws that require administrative access. TP-Link warned customers to install the latest firmware immediately to block potential attacks. Failure to update may leave devices susceptible to takeover or configuration manipulation.

⚠️ PTC has alerted customers to a critical vulnerability (CVE-2026-4681) in Windchill and FlexPLM that could enable remote code execution via deserialization of trusted data. German authorities (BKA) have taken emergency action to warn organizations, citing an imminent threat. Patches are under development, and PTC published an Apache/IIS rule mitigation that denies access to the affected servlet path without breaking functionality. The vendor also released IoCs and detection guidance; if mitigation is not possible, prioritize disconnecting internet-facing instances or shutting down the service.

🛡️ Pharos Controls Mosaic Show Controller firmware 2.15.3 contains a Missing Authentication for Critical Function vulnerability (CVE-2026-2417) that can allow an unauthenticated attacker to execute arbitrary commands with root privileges. The flaw has a CVSS v3.1 base score of 9.8 (Critical). Pharos Controls recommends upgrading to version 2.16 or later and isolating controllers from public networks.

🔒 Schneider Electric and ProLeiT disclosed several Redis-related vulnerabilities in Plant iT/Brewmaxx that could permit privilege escalation and, in some cases, remote code execution. The issues stem from embedded Redis 8.2.1 (and earlier) instances and include use-after-free, integer overflow, and code-injection vectors. Schneider and ProLeiT recommend installing patch ProLeiT-2025-001, disabling Redis eval commands, applying secure Redis configuration templates, and restarting patched systems while following recommended ICS cybersecurity practices.

🔒 Schneider Electric has disclosed a deserialization of untrusted data vulnerability (CVE-2026-1286) impacting EcoStruxure Foxboro DCS versions prior to CS 8.1. An authenticated administrative user who opens a malicious project file could compromise confidentiality and integrity and potentially achieve remote code execution on a workstation (CVSS 3.1: 6.5). Schneider released CS 8.1 which requires FX-V3 licenses and a reboot; standard upgrade procedures apply. Until patched, follow mitigations such as restricting files to trusted sources, enforcing least privilege, and isolating DCS networks.

🔒 This week’s recap highlights a major supply-chain compromise of Trivy, where attackers injected credential‑stealing malware into official releases and GitHub Actions, producing a self‑propagating worm called CanisterWorm that affected thousands of CI/CD workflows. Law enforcement dismantled several massive IoT botnets built from routers, cameras and DVRs, while high‑severity flaws — including a critical Langflow RCE and a Cisco FMC 0‑day exploited by Interlock ransomware — were weaponized within hours of disclosure.

🔒 CISA has directed all federal civilian agencies to urgently patch a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) — tracked as CVE-2026-20131 with a CVSS score of 10. Cisco released a fix on 4 March after reports that the Interlock ransomware group had been exploiting the flaw as a zero day. Agencies were given just three days after KEV listing to patch or discontinue use due to active ransomware campaigns.

🚨 Arctic Wolf reported exploitation of CVE-2025-32975 (CVSS 10.0), an authentication-bypass in Quest KACE Systems Management Appliance (SMA), against internet-exposed instances beginning the week of March 9, 2026. Attackers impersonated administrative users, executed remote commands to download Base64 payloads via curl from an external host, and created additional admin accounts using runkbot.exe. Observed post-compromise activity included Windows Registry modifications, credential harvesting with Mimikatz, reconnaissance, and RDP access to backup systems and domain controllers. Administrators should apply the May 2025 fixes and avoid exposing SMA directly to the internet.

🔒 Oracle has released fixes for a critical pre-authentication remote code execution flaw, CVE-2026-21992, affecting Oracle Identity Manager and Oracle Web Services Manager. The issue carries a CVSS score of 9.8 and is described by NVD as "easily exploitable" over HTTP by unauthenticated attackers. Oracle says the flaw can enable full takeover of vulnerable instances and urges customers to apply updates immediately.

🛡️ Oracle has released an out-of-schedule security update to fix a critical unauthenticated remote code execution vulnerability, tracked as CVE-2026-21992, that affects Oracle Identity Manager and Oracle Web Services Manager. Oracle says the flaw is low complexity, exploitable remotely over HTTP without authentication or user interaction. The company strongly recommends applying patches or mitigations immediately and notes fixes via the Security Alert program are limited to supported versions.