All news with #remote code execution tag

⚠️ The Langflow open-source tool contains a critical vulnerability, CVE-2026-33017 (CVSS 9.3), that allows unauthenticated remote code execution via a POST endpoint that accepts attacker-supplied Python in the request payload. The flaw affects all versions up to and including 1.8.1 and is addressed in the development branch (1.9.0.dev8). Exploitation was observed within 20 hours of public disclosure; operators should apply updates, rotate secrets, and restrict access immediately.

⚠️ CISA has directed Federal Civilian Executive Branch agencies to patch CVE-2026-20131 in Cisco Secure Firewall Management Center by Sunday, March 22, citing active exploitation and maximum severity. Cisco says the web-based management interface suffers insecure deserialization that can allow an unauthenticated remote attacker to execute arbitrary Java code as root. The vendor published updates and warned there are no available workarounds; administrators should apply fixes immediately.

🔐 Sysdig reported that threat actors exploited a critical unauthenticated remote code execution vulnerability (CVE-2026-33017) in Langflow within 20 hours of the advisory publication. The flaw, rated CVSS 9.3, allows execution of arbitrary Python via a single HTTP request and requires no credentials. Attackers built functional exploits from the advisory despite no public PoC, scanned broadly, and exfiltrated keys, database credentials and cloud secrets. Sysdig warns organizations must accelerate patching and rethink vulnerability programs.

⚠ Sansec has disclosed a critical file upload vulnerability dubbed PolyShell in Magento's REST API that can let unauthenticated attackers upload arbitrary executables and achieve remote code execution or account takeover. The flaw stems from how custom product options accept a base64-encoded file_info object and write files to pub/media/custom_options/quote/. Adobe applied a fix in the 2.4.9 pre-release (APSB25-94), but most production stores remain unpatched; operators should restrict and block access to the upload directory, verify nginx/Apache rules, scan for web shells, and consider a specialized WAF.

🔒 Researchers discovered nine critical vulnerabilities across several low-cost KVM-over-IP units, including Angeet/Yeeso, GL-iNet, Sipeed, and JetKVM. Flaws range from unauthenticated file uploads and command injection to weak firmware verification and exposed debugging interfaces, enabling pre-authentication root takeover on some devices. Eclypsium warns these inexpensive, Linux-based single-port KVMs are increasingly common in business and pose outsized risks if exposed directly to networks.

⚠ A newly disclosed vulnerability called PolyShell affects all Magento Open Source and Adobe Commerce version 2 installations, enabling unauthenticated code execution and potential account takeover. Adobe has issued a fix only in the 2.4.9 alpha, leaving production sites exposed. Sansec warns the exploit method is already circulating and urges admins to restrict access to pub/media/custom_options/, verify nginx/Apache rules, and scan for uploaded shells or backdoors.

⚠️ Security researchers at Dream Security disclosed a critical buffer overflow in GNU inetutils telnetd (CVE-2026-32746) that enables unauthenticated remote code execution as root during Telnet negotiation. The flaw originates in the SLC handler which writes into a fixed 108‑byte buffer without bounds checking, producing an arbitrary write. Dream notified maintainers on March 11 and a patch was prepared the next day; administrators should disable telnetd, restrict or block TCP/23, or migrate to SSH until updates are applied.

🔴 The Cybersecurity and Infrastructure Security Agency (CISA) warned that a critical deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2026-20963, is being exploited in the wild. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition and can allow unauthenticated remote code execution on unpatched servers. Microsoft patched the issue during January Patch Tuesday but has not labeled it as exploited; CISA added the vulnerability to its actively exploited catalog and ordered federal agencies to remediate by March 21.

🔒 AWS analysis reveals that the Interlock ransomware group has exploited CVE-2026-20131, a critical RCE in the web-based management interface of Cisco Secure Firewall Management Center (FMC), in active attacks since January 26. The flaw can permit an unauthenticated attacker to execute arbitrary Java code as root and carries a 10.0 CVSS score. AWS recommends applying Cisco patches, reviewing IoCs and hunting for PowerShell staging, custom Java/JavaScript RATs, memory-resident webshells and unauthorized ScreenConnect deployments.

⚠ CISA has urged federal agencies to apply patches for two actively exploited vulnerabilities affecting Synacor Zimbra Collaboration Suite and Microsoft Office SharePoint. Zimbra's Classic UI suffered a stored XSS (CVE-2025-66376) patched in versions 10.0.18 and 10.1.13 in November 2025, while SharePoint had a deserialization RCE (CVE-2026-20963) fixed in January 2026. CISA set FCEB patching deadlines and reported no public attribution or scale; separately, Amazon detailed exploitation of a Cisco firewall-management zero-day (CVE-2026-20131) by the Interlock ransomware group.

🔒 The Interlock ransomware gang exploited a maximum-severity remote code execution flaw in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026. Cisco released a patch for CVE-2026-20131 on March 4, warning it allowed unauthenticated attackers to execute arbitrary Java code as root on unpatched devices. Amazon's threat team reported Interlock had been exploiting the vulnerability for 36 days prior to public disclosure.

🔒 Eclypsium researchers disclosed nine vulnerabilities in low-cost IP KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaws can allow unauthenticated attackers to gain root or execute arbitrary code and operate at BIOS/UEFI levels, enabling keystroke injection, booting from removable media, and persistence beyond OS defenses. Some vendors have issued firmware fixes, but critical issues in Angeet ES3 remain unpatched. Administrators should apply available updates, isolate KVMs, and enforce stronger access controls.

🚨 A critical out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler of GNU InetUtils telnetd (CVE-2026-32746) enables unauthenticated remote attackers to achieve remote code execution as root. Discovered by Dream on March 11, 2026, the flaw affects releases through 2.7 and carries a CVSS score of 9.8. Exploitation can succeed during the initial Telnet handshake with a single connection to port 23; no credentials or user interaction are required. A patch is expected by April 1, 2026; until then, disable Telnet, avoid running telnetd as root, and block port 23.

⚠️ Proofpoint researchers disclosed CursorJack, a technique that abuses Cursor's Model Context Protocol (MCP) deeplinks to embed installation configurations that can lead to local code execution or the installation of remote malicious servers. Exploitation requires a user to click a crafted deeplink and approve an installation prompt; success depends on system configuration and user privileges, and no zero‑click vector was observed. Proofpoint published a proof‑of‑concept, notified Cursor, and recommends verifying MCP sources, tightening permission controls, and improving visibility into installation parameters to mitigate social‑engineering risks.

🔒 Schneider Electric disclosed a hard‑coded credentials vulnerability in EcoStruxure IT Data Center Expert (DCE) that can lead to information disclosure and remote compromise when the SOCKS Proxy feature is enabled. Exploitation requires administrative access plus knowledge of PostgreSQL credentials; SOCKS Proxy is disabled by default. The issue is tracked as CVE‑2025‑13957 with a CVSS v3.1 base score of 7.2. Administrators should apply vendor updates or implement interim mitigations per the vendor handbook.

🔒 The Siemens SICAM SIAPP SDK contains multiple vulnerabilities that could allow disruption of customer-developed SIAPP components or their simulation environment. Identified impacts include denial of service, stack-based overflows, command injection enabling remote code execution, and unauthorized file deletion. These issues are exploitable primarily when the API is used improperly or when hardening measures are not applied. Siemens has released v2.1.7 to address the flaws and strongly recommends updating, validating updates prior to deployment, and supervising patch rollouts.

⚠️ Schneider Electric has disclosed a critical vulnerability affecting SCADAPack x70 RTUs (including SCADAPack 47xi, 47x, and 57x) that communicates over Modbus TCP. Exploitation could allow remote code execution, denial of service, and loss of confidentiality or integrity. Known affected products include SCADAPack 57x and RemoteConnect versions prior to R3.4.2; vendor fixes are available in RemoteConnect R3.4.2 and SCADAPack firmware 9.12.2. If immediate patching is not possible, implement network segmentation, enable the RTU firewall service, disable the logic debug service, and follow the SCADAPack security guidelines.

⚠️ CISA warned federal agencies to secure Wing FTP Server instances after adding CVE-2025-47813 to its catalog of actively exploited vulnerabilities. The flaw allows low-privileged actors to trigger error messages that expose the full local installation path and can be chained with an already-exploited RCE (CVE-2025-47812). The vendor released fixes in Wing FTP Server v7.4.4 in May 2025; organizations should apply updates or vendor mitigations immediately.

🔧 Microsoft released an out-of-band hotpatch (KB5084597) for Windows 11 to address remote code execution flaws in the Routing and Remote Access Service (RRAS) management tool. The update patches CVE-2026-25172, CVE-2026-25173, and CVE-2026-26111 and aligns with fixes shipped in the March 2026 Patch Tuesday release. The hotpatch performs in-memory patching so eligible Enterprise devices enrolled in the hotpatch program via Windows Autopatch receive cumulative fixes without a restart. It applies to Windows 11 25H2, 24H2, and Enterprise LTSC 2024 systems used for remote server management.

🔴 Google has released emergency patches addressing two actively exploited Chrome zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910. The flaws affect Chromium-based browsers before version 146.0.7680.75, enabling out-of-bounds memory access and remote code execution via crafted web pages. Administrators should enable automatic updates, apply fixes immediately, monitor for outdated clients, and consider browser isolation to reduce exposure.