< ciso
brief />
Tag Banner

All news with #server side request forgery tag

18 articles

SonicWall SMA 1000 Zero‑Days Prompt Urgent Patches

🛡️ SonicWall warned of active exploitation of two zero‑day vulnerabilities affecting Secure Mobile Access (SMA) 1000 series appliances, including an SSRF that scores 10.0 and a post‑auth code injection allowing command execution. Patches are available in platform hotfix builds 12.4.3‑03453, 12.5.0‑02835 and later; customers are urged to apply fixes and perform forensic checks for specific IoCs. CISA added both flaws to its KEV catalog and set a July 17, 2026 deadline for federal agencies.
read more →

Cisco Unified CM SSRF Flaw Now Being Exploited

🛡️ Threat actors are actively exploiting a critical vulnerability in Cisco Unified Communications Manager and its SME edition, tracked as CVE-2026-20230 (CVSS 8.6). The flaw stems from improper input validation in handling specific HTTP requests, enabling unauthenticated SSRF and arbitrary file writes that could lead to root escalation. Exploitation requires the WebDialer service to be enabled (disabled by default); Cisco has released patches in 14SU6 and 15SU5 and recommends disabling WebDialer if immediate patching is not possible.
read more →

Cisco fixes UC Manager file-write to root escalation

🔒 Cisco patched a server-side request forgery in Unified Communications Manager tracked as CVE-2026-20230 that allows unauthenticated network attackers to write files to the underlying OS and then escalate to root. Proof-of-concept exploit code is public and Cisco's PSIRT has not observed in-the-wild use yet. The flaw requires the WebDialer service to be running; WebDialer is off by default but exposes systems where it is enabled. Patching is recommended (14SU6 for the 14 train; interim COP or disable WebDialer until 15SU5 for the 15 train).
read more →

ThreatsDay bulletin: escalating cyber intrusion trends

🛡️ Cisco patched a high-severity SSRF in Unified Communications Manager, while Russia reported large-scale mobile spyware targeting officials and ongoing investigations. Threat actors continue to distribute VIP Keylogger via layered social engineering and JavaScript loaders, and DriveSurge operates a widespread malware delivery network using ClickFix and FakeUpdates. U.S. sanctions hit major Iranian crypto exchanges; RMM and trusted tools are increasingly abused for persistence and privilege escalation.
read more →

Cisco warns of critical Unified CM flaw

🔒 Cisco released updates for a critical Unified Communications Manager (Unified CM) vulnerability (CVE-2026-20230) that can be exploited via SSRF to gain root privileges. The issue affects systems with the WebDialer service enabled, which is disabled by default, and Cisco notes public proof-of-concept exploit code is available. Administrators should apply patched versions 14SU6 or 15SU5 or temporarily disable the WebDialer service as a mitigation.
read more →

LMDeploy SSRF Vulnerability (CVE-2026-33626) Exploited Rapid

🔒 A high-severity SSRF vulnerability in LMDeploy (CVE-2026-33626, CVSS 7.5) was exploited in the wild within 13 hours of disclosure. The flaw in the vision-language module's load_image() function allows fetching arbitrary URLs without validating internal addresses, enabling access to cloud metadata and internal services. Security researchers and Sysdig observed targeted port scanning, API enumeration, and out-of-band DNS callbacks, highlighting rapid weaponization of AI-infrastructure bugs.
read more →

Researchers Reveal Six New High-Risk OpenClaw Flaws

🔒OpenClaw has patched six vulnerabilities disclosed by Endor Labs, including SSRF, missing webhook authentication and a path traversal issue that range from moderate to high severity. The set includes CVE-2026-26322 (Gateway SSRF, CVSS 7.6), CVE-2026-26319 (Telnyx webhook auth bypass, CVSS 7.5) and several GitHub Security Advisories such as GHSA-56f2-hvwg-5743. Endor warns that agent frameworks’ multi-layered architectures mean vulnerabilities can span files and components, requiring data-flow analysis and layered validation to mitigate exploitation. SecurityScorecard also flagged many publicly exposed OpenClaw instances, raising enterprise risk.
read more →

CISA Alerts on Five-Year-Old GitLab SSRF Exploitation

⚠️ CISA has ordered federal agencies to patch a five-year-old GitLab SSRF vulnerability (CVE-2021-39935) that is currently being exploited in attacks. GitLab issued a fix for the server-side request forgery bug in December 2021 after it was found that unauthenticated users could reach the CI Lint API when user registration was restricted. Under BOD 22-01, affected Federal Civilian Executive Branch agencies must remediate by February 24, 2026, and CISA urges all organizations to prioritize mitigation. Shodan currently identifies over 49,000 internet-exposed GitLab instances, many reachable on default ports.
read more →

Chainlit vulnerabilities allow file reads, SSRF in cloud

🔒 Chainlit, a widely used open-source framework for building conversational AI, contained two high-severity flaws that enable arbitrary file reads and server-side request forgery without user interaction. Zafran Labs labeled the issues CVE-2026-22218 and CVE-2026-22219, which together can expose API keys, cloud credentials, source code, and internal services. The defects were fixed in v2.9.4; organizations should upgrade to 2.9.4 or later immediately and inspect for potential data exfiltration.
read more →

Chainlit flaws enable cloud key leaks and SSRF risks

⚠️ Chainlit, a widely used open-source framework for building conversational AI chatbots, contained high-severity vulnerabilities that can expose arbitrary files and permit server-side request forgery, enabling data theft and lateral movement within compromised environments. Zafran Security identified two primary issues: CVE-2026-22218 (arbitrary file read, CVSS 7.1) and CVE-2026-22219 (SSRF with SQLAlchemy, CVSS 8.3). Both were responsibly disclosed on November 23, 2025 and patched in Chainlit 2.9.4 on December 24, 2025. Administrators should upgrade, audit deployments for misuse, and rotate any potentially exposed credentials.
read more →

Chainlit Vulnerabilities Permit File Reads and SSRF Access

⚠️ Security researchers disclosed two critical vulnerabilities in the Python-based AI app framework Chainlit that allow unauthenticated attackers to read arbitrary server files and trigger SSRF requests. The flaws (CVE-2026-22218 and CVE-2026-22219), fixed in Chainlit 2.9.4, stem from an unvalidated custom Element type exposing path and URL properties. Exploits can leak environment variables, API keys, LLM prompts, and cloud credentials, enabling lateral movement and broader compromise.
read more →

Chainlit vulnerabilities expose files and enable SSRF

🔒 Chainlit, a widely used framework for building conversational AI applications, contained two server-side vulnerabilities (CVE-2026-22218 and CVE-2026-22219) that allow authenticated users to read arbitrary files and trigger SSRF in affected deployments. The flaws stem from insufficient validation of user-controlled properties in custom elements and SQLAlchemy-backed storage. Combined, they can expose environment variables, cached prompts, API keys and cloud metadata, enabling lateral movement beyond the app layer. Chainlit released 2.9.4 on 24 December 2025 and users are advised to apply the patch immediately; temporary WAF signatures were published as mitigation.
read more →

Oracle quietly patches E-Business Suite SSRF zero-day

🔒Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) after researchers confirmed the update blocks a pre-authentication SSRF used by a leaked ShinyHunters proof-of-concept. Oracle issued an out-of-band security update over the weekend and warned the flaw could allow access to sensitive resources. The vendor did not disclose that the issue was actively exploited or that a public exploit had been released, drawing criticism from researchers and customers.
read more →

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.
read more →

Oracle Quietly Fixes E-Business Suite SSRF Zero-Day

🔒 Oracle released an out-of-band security update addressing a pre-authentication SSRF vulnerability (CVE-2025-61884) in E-Business Suite after a proof-of-concept exploit was leaked by the ShinyHunters group. The update validates attacker-supplied return_url values with a strict regex to block injected CRLFs and other malformed inputs. Researchers from watchTowr Labs, and multiple customers, confirmed the patch closes the SSRF component that remained after Oracle's earlier Oct. 4 emergency updates. Customers should apply the update immediately or implement a temporary mod_security rule blocking access to /configurator/UiServlet.
read more →

Pandoc SSRF Exploited to Target AWS IMDS, Steal EC2 Keys

🔒 Wiz has observed in-the-wild exploitation attempts of CVE-2025-51591, an SSRF in Pandoc that renders iframe tags and can direct them at the AWS Instance Metadata Service (IMDS). Attackers submitted crafted HTML aiming to access 169.254.169.254 to exfiltrate temporary IAM metadata and EC2 credentials. Attempts seen from August and continuing for weeks were blocked where IMDSv2 was enforced. Administrators should mitigate by using Pandoc's -f html+raw_html or --sandbox options, enforce IMDSv2, and apply least-privilege roles.
read more →

Hitachi Energy Asset Suite: Multiple High-Risk Flaws

⚠️ Hitachi Energy has disclosed multiple high-severity vulnerabilities in Asset Suite, affecting versions 9.6.4.5 and earlier. The issues include SSRF, deserialization of untrusted data, cleartext password exposure, uncontrolled resource consumption, open redirect, and improper authentication that can lead to remote code execution. Customers should apply vendor-provided mitigations and upgrades immediately to reduce exposure.
read more →

Rockwell ThinManager SSRF Exposes NTLM Hashes Remotely

🔒 Rockwell Automation’s ThinManager contains a server-side request forgery (SSRF) vulnerability (CVE-2025-9065) affecting versions 13.0 through 14.0 that can expose the ThinServer service account NTLM hash. Authenticated attackers can trigger SMB authentication by specifying external SMB paths, causing NTLM challenge/response data to be leaked. Rockwell addressed the issue in ThinManager 14.1 and recommends upgrading; temporary mitigations include blocking NTLM over SMB, isolating control networks, and using secure remote access.
read more →