
All news with #vulnerability disclosure tag


Critical Claude Code Flaws Expose RCE and Key Theft

⚠️ Check Point researchers disclosed critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code that allow remote code execution and theft of Anthropic API keys via malicious repository-level configuration files. The flaws can be triggered simply by cloning and opening an untrusted project; built-in mechanisms such as Hooks, MCP integrations, and environment variables may be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent. Stolen keys can expose shared workspaces, modify or delete resources, and generate unauthorized costs, underscoring a shift in the AI supply chain threat model.

CISA Adds Two Cisco SD-WAN Vulnerabilities to KEV Catalog

⚠️ CISA has added two Cisco SD-WAN vulnerabilities (CVE-2022-20775 and CVE-2026-20127) to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. These affect Cisco Catalyst SD-WAN components and include a path traversal and an authentication bypass that can enable unauthorized access. Under BOD 22-01, FCEB agencies must remediate by required due dates; CISA urges all organizations to prioritize timely mitigation.

SolarWinds Issues Patch for Four Critical Serv-U Flaws

🔒 SolarWinds has released updates to address four critical vulnerabilities in its Serv-U file transfer software, each rated 9.1 on the CVSS scale. The flaws include a broken access control that can create a system admin (CVE-2025-40538), two type confusion bugs (CVE-2025-40539 and CVE-2025-40540), and an IDOR (CVE-2025-40541) — all capable of enabling remote code execution when exploited with administrative privileges. The issues affect Serv-U 15.5 and are fixed in Serv-U 15.5.4. SolarWinds warns Windows deployments carry medium risk because services often run under less-privileged accounts by default, and while no active exploitation has been reported, similar past defects were abused by threat actors such as Storm-0322.

Amazon RDS Custom Adds Latest GDR for SQL Server Updates

🔒 Amazon Relational Database Service (Amazon RDS) Custom for SQL Server now supports the latest General Distribution Release (GDR) updates, including SQL Server 2022 Cumulative Update and KB5072936 (16.00.4230.2.v1). These GDRs address vulnerabilities described in CVE-2026-20803 and are recommended for production environments. You can apply the updates via the RDS Management Console, AWS SDK, or CLI, and consult the Amazon RDS Custom User Guide for upgrade procedures and best practices.

CISA Adds Two Actively Exploited Flaws in Roundcube

⚠️ CISA has added two Roundcube webmail vulnerabilities — CVE-2025-49113 and CVE-2025-68461 — to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is an authenticated deserialization flaw allowing remote code execution via an unvalidated _from parameter and was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is an XSS triggered by the SVG animate tag and was patched in December 2025 in Roundcube releases 1.6.12 and 1.5.12. Researchers reported weaponization within 48 hours and an exploit was offered for sale; FCEB agencies must remediate by March 13, 2026.

Compromised npm Package Silently Installs OpenClaw Agent

⚠️ Researchers discovered that a compromised npm publish token allowed an attacker to push a modified release of the widely used Cline CLI that added a malicious postinstall script to fetch and run the AI agent OpenClaw. Aside from that new script, package contents and the CLI binary matched the legitimate prior release, making the change easy to miss. The malicious publish was live on the registry for about eight hours on February 17 before it was deprecated and corrected; developers who installed during that window are advised to update Cline and remove OpenClaw if it was not intentionally installed.

CISA Adds Two RoundCube Vulnerabilities to KEV Catalog

⚠️ CISA has added two RoundCube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-49113 (deserialization of untrusted data) and CVE-2025-68461 (cross-site scripting). These issues are tied to observed active exploitation and present significant risk to enterprise networks. Under BOD 22-01, Federal agencies must remediate cataloged CVEs by their due dates; CISA also urges all organizations to prioritize timely remediation as part of routine vulnerability management.

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

🛡️ A critical stack-buffer overflow in Grandstream GXP1600 VoIP phones allows unauthenticated remote attackers to gain root and silently eavesdrop. Tracked as CVE-2026-2329 (CVSS 9.3), the issue affects six GXP1600 models running firmware before 1.0.7.81 and stems from an unauthenticated web API that fails to validate colon-delimited input. Rapid7 developed a Metasploit module to demonstrate the exploit; Grandstream issued firmware 1.0.7.81 on February 3 to address the vulnerability—apply updates immediately.

CISA orders feds to patch Dell RecoverPoint vulnerability

🔐 CISA has directed Federal Civilian Executive Branch agencies to apply fixes within three days for a maximum-severity hardcoded-credential flaw in Dell RecoverPoint (CVE-2026-22769) after active exploitation was observed since mid-2024. Researchers at Mandiant and the Google Threat Intelligence Group link the activity to UNC6201, which deploys multiple payloads including a new Grimbolt backdoor. CISA added the issue to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01 guidance, urging mitigations or product discontinuation if patches are unavailable.

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, AI Flaws

🛡️ This ThreatsDay round-up highlights critical developments including a patched OpenSSL CMS stack buffer overflow (CVE-2025-15467), multiple Foxit/Apryse PDF engine vulnerabilities, and a Microsoft 365 Copilot DLP bypass that allowed summarization of confidential drafts and Sent Items until a Feb 3, 2026 fix. The bulletin also details LockBit 5.0's cross-platform evolution, macOS social-engineering and stealer campaigns, widespread RMM abuse, and active exploitation of Ivanti EPMM flaws. Defenders should prioritize patching, audit cloud and RMM exposures, rotate credentials, and avoid using LLMs to generate secrets.

Six high-to-critical vulnerabilities discovered in OpenClaw

🔍 Endor Labs found six high-to-critical flaws in the open-source AI agent framework OpenClaw, including SSRF paths, missing webhook verification, authentication bypasses, and a path traversal in browser uploads. The team used an AI-driven SAST engine to trace attacker-controlled data flows and produced working proof-of-concept exploits that confirmed real-world exploitability. OpenClaw maintainers were notified and have published patches and security advisories addressing the issues.

Welker OdorEyes XL4 Controller Missing Authentication

🛡️ The Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller contains an authentication vulnerability tracked as CVE-2026-24790 that permits remote influence of the underlying PLC without proper safeguards. Successful exploitation could cause over- or under-odorization events, impacting safety and process control. CISA rates this issue High (CVSS 3.1 8.2) and recommends contacting Welker, minimizing network exposure, isolating control networks, and using secure remote-access methods such as updated VPNs.

PUSR USR-W610 Router: Multiple Critical Flaws - No Patch

⚠️ The PUSR USR-W610 Wi-Fi router contains multiple vulnerabilities that can disable authentication, expose credentials in transit and in the UI, and permit deauthentication-based denial-of-service. Affected firmware versions are <= 3.1.1.0; the most severe issue carries a CVSSv3 base score up to 9.8. The vendor has declared the product end-of-life and does not plan to issue patches. CISA advises minimizing network exposure, isolating affected devices behind firewalls, and using secure remote-access methods while applying other compensating controls.

Valmet DNA Engineering Web Tools Vulnerability Overview

🛡️ An unauthenticated attacker can exploit a path traversal vulnerability in Valmet DNA Engineering Web Tools (CVE-2025-15577) by manipulating the web maintenance services URL to obtain arbitrary file read access. The issue is an instance of Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and is rated CVSS 3.1 8.6 (High). Valmet has released a fix and recommends customers contact their automation customer service for remediation assistance. CISA advises reducing internet exposure for control system devices, isolating networks behind firewalls, and applying defense-in-depth controls.

Flaws in Popular IDE Extensions Risk Data Exfiltration

🔒 Researchers at OX Security discovered four vulnerabilities in popular IDE extensions that enable local file access, arbitrary code execution and data exfiltration. Affected platforms include Microsoft Visual Studio Code and forks Cursor and Windsurf, with the vulnerable extensions collectively downloaded over 128 million times. Three of the issues were assigned CVEs after disclosure; one Live Preview flaw was quietly fixed by Microsoft.

Researchers Reveal Six New High-Risk OpenClaw Flaws

🔒 OpenClaw has patched six vulnerabilities disclosed by Endor Labs, including SSRF, missing webhook authentication and a path traversal issue that range from moderate to high severity. The set includes CVE-2026-26322 (Gateway SSRF, CVSS 7.6), CVE-2026-26319 (Telnyx webhook auth bypass, CVSS 7.5) and several GitHub Security Advisories such as GHSA-56f2-hvwg-5743. Endor warns that agent frameworks’ multi-layered architectures mean vulnerabilities can span files and components, requiring data-flow analysis and layered validation to mitigate exploitation. SecurityScorecard also flagged many publicly exposed OpenClaw instances, raising enterprise risk.

Critical Honeywell CCTV Auth Bypass Threat to Devices

🔒 CISA has issued an advisory for a critical Honeywell CCTV vulnerability tracked as CVE-2026-1670. An unauthenticated API endpoint can be abused to change the account recovery email, enabling account takeover and unauthorized access to camera feeds. The advisory lists several mid-range models; Honeywell users should contact support and limit network exposure until vendor guidance or patches are available.

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

⚠️ Researchers disclosed an unauthenticated stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600-series VoIP phones that can yield remote code execution as root. The flaw lies in the web API endpoint /cgi-bin/api.values.get, where a malformed colon-delimited "request" parameter overruns a 64-byte stack buffer. Affected models include GXP1610/1615/1620/1625/1628/1630; Grandstream released firmware 1.0.7.81 to fix the issue. Rapid7 published a Metasploit module demonstrating exploitation and post-exploitation risks such as credential theft and SIP proxy hijacking.

Good Enough Emulation: Fuzzing a Modbus Thread for Bugs

🔍 This post details emulation-based analysis of the Socomec DIRIS M-70 gateway, where JTAG flash readout protection prevented full hardware debugging. The researcher emulated the Modbus processing thread with Unicorn, integrated AFL for coverage-guided fuzzing across hundreds of message types, and later adopted Qiling for built-in coverage and debugging. The effort uncovered multiple denial-of-service vulnerabilities and six CVEs, showing that a 'good enough' single-thread emulation approach can produce high-impact results.

CISA Adds Four Actively Exploited Flaws to KEV Catalog

🔔 CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation. The additions include CVE-2026-2441 (Chrome use-after-free), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar arbitrary file upload), and CVE-2008-0015 (Windows Video ActiveX overflow). Federal agencies are urged to remediate by March 10, 2026.