< ciso
brief />
Tag Banner

All news with #remote code execution tag

691 articles · page 7 of 35

Critical Apache HTTP/2 Double-Free May Enable RCE Now

⚠ Apache Software Foundation released updates to address CVE-2026-23918, a high-severity (CVSS 8.8) double-free bug in mod_http2 that can cause denial-of-service and potentially remote code execution. The flaw impacts Apache HTTP Server 2.4.66 and is fixed in 2.4.67. Researchers provided an x86_64 proof-of-concept and warned the RCE path is practical on systems using APR with the mmap allocator. Administrators should upgrade or mitigate by disabling mod_http2 or using the prefork MPM until patched.
read more →

Critical PHP Code Injection in MetInfo CMS (CVE-2026-29014)

⚠️ New findings from VulnCheck and the NVD confirm that MetInfo CMS versions 7.9, 8.0 and 8.1 contain an unauthenticated PHP code injection vulnerability (CVE-2026-29014, CVSS 9.8) that allows remote attackers to execute arbitrary code. The defect is located in /app/system/weixin/include/class/weixinreply.class.php and results from insufficient sanitization of Weixin API inputs. On non‑Windows hosts a preexisting /cache/weixin/ directory (created by the official WeChat plugin) is required for exploitation. MetInfo released patches on April 7, 2026, but active exploitation was observed beginning April 25 and escalated on May 1, with most activity originating from China and Hong Kong IPs.
read more →

AI-Assisted Analysis Uncovers Old Bugs in Databases

🔍 Researchers using AI-assisted analysis at Wiz's zeroday.cloud event disclosed multiple high-severity memory-safety flaws in PostgreSQL and MariaDB. Two PostgreSQL issues — including a heap overflow in the pgcrypto extension — date back more than 20 years and can enable remote code execution when fed attacker-controlled input. MariaDB's JSON schema validator also contains a heap overflow reachable by any authenticated SQL session, which under certain memory conditions can be escalated to code execution. Patches are available and maintainers strongly urge immediate upgrades.
read more →

Critical RCE in Weaver E-cology Actively Exploited

⚠️ A critical unauthenticated remote code execution flaw (CVE-2026-22679, CVSS 9.8) in Weaver (Fanwei) E-cology 10.0 (prior to 20260312) is being actively exploited in the wild. The vulnerability exists in the /papi/esearch/data/devops/dubboApi/debug/method endpoint, where attacker-controlled parameters can invoke command-execution helpers. Weaver released patches on 2026-03-12; administrators should apply those updates, restrict access to debug/management endpoints, and use published detection scripts to hunt for exposed or compromised instances.
read more →

Critical RCE in Weaver E-cology Exploited Since March

🔒 Researchers observed exploitation of a critical unauthenticated RCE (CVE-2026-22679) in Weaver E-cology 10.0 beginning in mid-March, days after the vendor released a patch and before public disclosure. Attackers abused an exposed debug API that allowed user-supplied parameters to reach backend RPC handlers and be executed as system commands, performing discovery and attempting PowerShell-based payloads and an MSI deployment. The vendor's update (build 20260312) removes the debug endpoint entirely, and administrators are urged to apply the update immediately.
read more →

Critical cPanel Flaw Hits Southeast Asian Government Sites

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.
read more →

ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)

⚠️ A path traversal vulnerability in ABB PCM600 (CVE-2018-1002208) could allow an attacker to deliver specially crafted messages to a system node, resulting in insertion and execution of arbitrary code. Affected releases are PCM600 versions >=1.5 and <=2.13; ABB released a fix in PCM600 2.14 (note: RE_630 relays are incompatible with 2.14). CISA rates the issue CVSS 3.1 4.4 (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N), notes exploitation is not remotely trivial, and recommends applying the vendor update or, where immediate upgrade is impractical, applying system-level and network mitigations such as segmentation, firewalls, and updated VPNs.
read more →

ABB Ability Symphony Plus PostgreSQL Vulnerabilities

⚠️ ABB has reported critical vulnerabilities in Ability Symphony Plus (S+) Engineering tied to an embedded PostgreSQL component (version 13.11 and earlier) that could allow authenticated users on the S+ client/server network to execute arbitrary code. Affected S+ releases include 2.2 through 2.4 SP2; ABB released an update — S+ Engineering 2.4 SP2 RU1 (re-released December 2024) — to address the issues. CISA recommends network isolation and perimeter firewalling as primary mitigations; no product-specific workarounds exist and ABB reported no known exploitation at the time of the advisory.
read more →

Critical Authentication Bypass in ABB Edgenius Portal

🔒 CISA reports a critical authentication bypass in ABB Edgenius Management Portal (CVE-2025-10571) that permits an attacker with network access to send a specially crafted message to a system node and bypass authentication. Successful exploitation can allow arbitrary code execution, removal of installed applications, and modification of application configurations. ABB has released a fix in Ability Edgenius 3.2.2.0 and urges immediate upgrade; until patched, disabling the portal and reducing network exposure are recommended.
read more →

Critical RCE Vulnerability Discovered in Google Gemini CLI

🔒 Researchers disclosed a max-severity remote code execution (RCE) vulnerability in @google/gemini-cli and the associated GitHub Action that could load untrusted workspace configurations in headless CI environments. Google issued patches in 0.39.1, 0.40.0-preview.3 and updated the run-gemini-cli Action to 0.1.22, removing implicit workspace trust and enforcing tool allowlists. Teams that pin CLI versions are advised to upgrade and review workspace configurations immediately.
read more →

Google and Cursor Fix Critical RCE Flaws in Dev Tools

🔒 Google patched a maximum-severity remote code execution vulnerability in @google/gemini-cli and the google-github-actions/run-gemini-cli workflow that could allow attackers to run arbitrary commands on host systems. Novee Security reported the flaw, which carries a CVSS score of 10.0, and Google says the impact is limited to headless CI usage where workspace folders were auto-trusted. Affected versions include @google/gemini-cli prior to 0.39.1 (and preview releases) and run-gemini-cli prior to 0.1.22; users should update to the patched releases, explicitly set GEMINI_TRUST_WORKSPACE when inputs are trusted, or follow Google’s hardening guidance for untrusted inputs. Google also tightened allowlisting checks for --yolo mode to prevent auto-approved tool calls from bypassing restrictions.
read more →

Qinglong auth bypass flaws exploited for cryptomining

🚨 Researchers at Snyk warn that two authentication-bypass bugs in the open-source Qinglong task scheduler (affecting versions ≤2.20.1) have been chained to achieve remote code execution. The issues — CVE-2026-3965 and CVE-2026-4047 — stem from middleware authorization mismatches with Express.js routing, enabling unauthenticated access to admin endpoints. Active exploitation since early February has resulted in cryptominer deployments that run as a hidden '.fullgc' process and pull multiple binary variants from an external host. Users should apply the patched release and verify middleware authentication enforcement immediately.
read more →

GitHub fixes RCE that exposed millions of private repos

🛡️ GitHub patched a critical remote code execution bug, CVE-2026-3854, reported by Wiz on March 4, 2026, that could have allowed attackers to access millions of private repositories. The company reproduced the issue within 40 minutes and deployed a fix to GitHub.com in under two hours. The flaw affected GitHub.com and multiple Enterprise offerings and could be triggered by a single crafted git push that injects unsafe metadata fields. GitHub’s forensic review found no evidence of exploitation prior to the researcher disclosure, and patches for GitHub Enterprise Server releases are available now; administrators are urged to upgrade immediately.
read more →

Critical GitHub RCE Vulnerability Exposed Millions of Repos

🔓 GitHub patched a critical remote code execution flaw (CVE-2026-3854) that allowed authenticated users to inject commands via crafted git push operations. Discovered by Wiz, the issue abused an internal X-STAT component in GitHub’s server-side processing and earned one of the highest bug-bounty payouts. Cloud services were patched quickly and fixes for GitHub Enterprise Server versions 3.14.25 through 3.20.0 were released, but Wiz reported that 88% of Enterprise Server instances remained exposed at disclosure. Enterprise customers are urged to apply vendor patches immediately.
read more →

Critical GitHub RCE CVE-2026-3854 Can Be Triggered by Push

🔒 GitHub patched a critical command-injection vulnerability, CVE-2026-3854, that allowed an authenticated user with push access to achieve remote code execution via a single git push. Researchers at Wiz disclosed the issue on March 4, 2026, and GitHub deployed a fix to GitHub.com within two hours while releasing updates for GitHub Enterprise Server. The flaw resulted from insufficient sanitization of git push options incorporated into the internal X-Stat header, enabling injection of metadata fields to override execution controls. Administrators should apply the provided GHES updates immediately.
read more →

Critical Cursor IDE Bug Could Allow Remote Code Execution

⚠️ Security researchers disclosed a high-severity vulnerability in the Cursor AI-powered IDE that can lead to arbitrary code execution when its agent interacts with a malicious repository. Novee Security's analysis shows an attacker can embed a bare Git repository with a crafted hook and trigger it when the IDE autonomously runs Git operations. Cursor patched the flaw in version 2.5; there are no reports of active exploitation.
read more →

Critical CVE-2026-25874 in LeRobot Enables Remote RCE

⚠️ A critical vulnerability, CVE-2026-25874, was disclosed in Hugging Face's open-source robotics framework LeRobot, enabling unauthenticated remote code execution via unsafe deserialization with pickle.loads(). The flaw affects the async inference PolicyServer handling gRPC calls (SendPolicyInstructions, SendObservations, GetActions) over unauthenticated channels and has been validated against LeRobot 0.4.3. A patch is planned for version 0.6.0; operators should treat exposed instances as high-risk and apply mitigations such as enabling TLS, restricting network access, and eliminating pickle-based deserialization.
read more →

PhantomCore Exploits TrueConf Flaws to Breach Networks

🔒 A pro‑Ukrainian hacktivist group known as PhantomCore exploited a chain of vulnerabilities in TrueConf Server, using three flaws to achieve remote command execution and bypass authentication beginning in September 2025. Positive Technologies reported that although TrueConf released patches on August 27, 2025, the actors reproduced and weaponized the chain in the wild. Compromised servers were used as springboards for lateral movement, deploying PHP web shells, reverse shells and tunneled proxies, and for harvesting credentials with both bespoke and commodity tools.
read more →

Critical file upload flaw exploited in Breeze Cache

⚠️ Researchers warn that a critical vulnerability (CVE-2026-3844) in the Breeze Cache WordPress plugin allows unauthenticated attackers to upload arbitrary files via the fetch_gravatar_from_remote function. Exploitation can lead to remote code execution and complete site takeover, but successful attacks require the optional 'Host Files Locally - Gravatars' add-on to be enabled. Cloudways released a patch in version 2.4.5; administrators should update immediately or disable the add-on until patched.
read more →

Milesight Cameras: Multiple Critical and High Vulnerabilities

🔒 CISA warns of five vulnerabilities in Milesight camera firmware that can cause device crashes or permit remote code execution. The flaws affect numerous MS-, PM-, TS-, SC-, and SP-series models and include a CRITICAL use-of-default SSL private key (CVE-2026-32644) plus several HIGH-severity issues such as hard-coded credentials and a heap-based buffer overflow. Milesight has released firmware updates; operators should apply the latest PE/PC/PA builds and follow recommended network isolation and secure remote-access practices.
read more →