CISO Brief

All news with #vulnerability disclosure tag

403 articles · page 6 of 21

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0‑Days, AI Flaws

🛡️ This ThreatsDay round-up highlights critical developments including a patched OpenSSL CMS stack buffer overflow (CVE-2025-15467), multiple Foxit/Apryse PDF engine vulnerabilities, and a Microsoft 365 Copilot DLP bypass that allowed summarization of confidential drafts and Sent Items until a Feb 3, 2026 fix. The bulletin also details LockBit 5.0's cross-platform evolution, macOS social-engineering and stealer campaigns, widespread RMM abuse, and active exploitation of Ivanti EPMM flaws. Defenders should prioritize patching, audit cloud and RMM exposures, rotate credentials, and avoid using LLMs to generate secrets.

Six high-to-critical vulnerabilities discovered in OpenClaw

🔍 Endor Labs found six high-to-critical flaws in the open-source AI agent framework OpenClaw, including SSRF paths, missing webhook verification, authentication bypasses, and a path traversal in browser uploads. The team used an AI-driven SAST engine to trace attacker-controlled data flows and produced working proof-of-concept exploits that confirmed real-world exploitability. OpenClaw maintainers were notified and have published patches and security advisories addressing the issues.

Valmet DNA Engineering Web Tools Vulnerability Overview

🛡️ An unauthenticated attacker can exploit a path traversal vulnerability in Valmet DNA Engineering Web Tools (CVE-2025-15577) by manipulating the web maintenance services URL to obtain arbitrary file read access. The issue is an instance of Improper Limitation of a Pathname to a Restricted Directory (CWE-22) and is rated CVSS 3.1 8.6 (High). Valmet has released a fix and recommends customers contact their automation customer service for remediation assistance. CISA advises reducing internet exposure for control system devices, isolating networks behind firewalls, and applying defense-in-depth controls.

PUSR USR-W610 Router: Multiple Critical Flaws - No Patch

⚠ The PUSR USR-W610 Wi‑Fi router contains multiple vulnerabilities that can disable authentication, expose credentials in transit and in the UI, and permit deauthentication-based denial-of-service. Affected firmware versions are <= 3.1.1.0; the most severe issue carries a CVSSv3 base score up to 9.8. The vendor has declared the product end-of-life and does not plan to issue patches. CISA advises minimizing network exposure, isolating affected devices behind firewalls, and using secure remote-access methods while applying other compensating controls.

Welker OdorEyes XL4 Controller Missing Authentication

🛡️ The Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller contains an authentication vulnerability tracked as CVE-2026-24790 that permits remote influence of the underlying PLC without proper safeguards. Successful exploitation could cause over- or under-odorization events, impacting safety and process control. CISA rates this issue High (CVSS 3.1 8.2) and recommends contacting Welker, minimizing network exposure, isolating control networks, and using secure remote-access methods such as updated VPNs.

Flaws in Popular IDE Extensions Risk Data Exfiltration

🔒 Researchers at OX Security discovered four vulnerabilities in popular IDE extensions that enable local file access, arbitrary code execution and data exfiltration. Affected platforms include Microsoft Visual Studio Code and forks Cursor and Windsurf, with the vulnerable extensions collectively downloaded over 128 million times. Three of the issues were assigned CVEs after disclosure; one Live Preview flaw was quietly fixed by Microsoft.

Researchers Reveal Six New High-Risk OpenClaw Flaws

🔒 OpenClaw has patched six vulnerabilities disclosed by Endor Labs, including SSRF, missing webhook authentication and a path traversal issue that range from moderate to high severity. The set includes CVE-2026-26322 (Gateway SSRF, CVSS 7.6), CVE-2026-26319 (Telnyx webhook auth bypass, CVSS 7.5) and several GitHub Security Advisories such as GHSA-56f2-hvwg-5743. Endor warns that agent frameworks' multi-layered architectures mean vulnerabilities can span files and components, requiring data-flow analysis and layered validation to mitigate exploitation. SecurityScorecard also flagged many publicly exposed OpenClaw instances, raising enterprise risk.

Critical Honeywell CCTV Auth Bypass Threat to Devices

🔒 CISA has issued an advisory for a critical Honeywell CCTV vulnerability tracked as CVE-2026-1670. An unauthenticated API endpoint can be abused to change the account recovery email, enabling account takeover and unauthorized access to camera feeds. The advisory lists several mid-range models; Honeywell users should contact support and limit network exposure until vendor guidance or patches are available.

Critical RCE in Grandstream GXP1600 VoIP Phones Exposed

⚠️ Researchers disclosed an unauthenticated stack-based buffer overflow (CVE-2026-2329) in Grandstream GXP1600-series VoIP phones that can yield remote code execution as root. The flaw lies in the web API endpoint /cgi-bin/api.values.get, where a malformed colon-delimited "request" parameter overruns a 64-byte stack buffer. Affected models include GXP1610/1615/1620/1625/1628/1630; Grandstream released firmware 1.0.7.81 to fix the issue. Rapid7 published a Metasploit module demonstrating exploitation and post-exploitation risks such as credential theft and SIP proxy hijacking.

Good Enough Emulation: Fuzzing a Modbus Thread for Bugs

🔍 This post details emulation-based analysis of the Socomec DIRIS M-70 gateway, where JTAG flash readout protection prevented full hardware debugging. The researcher emulated the Modbus processing thread with Unicorn, integrated AFL for coverage-guided fuzzing across hundreds of message types, and later adopted Qiling for built-in coverage and debugging. The effort uncovered multiple denial-of-service vulnerabilities and six CVEs, showing that a 'good enough' single-thread emulation approach can produce high-impact results.

CISA Adds Four Actively Exploited Flaws to KEV Catalog

🔔 CISA has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after observing active exploitation. The additions include CVE-2026-2441 (Chrome use-after-free), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar arbitrary file upload), and CVE-2008-0015 (Windows Video ActiveX overflow). Federal agencies are urged to remediate by March 10, 2026.

Critical Flaws in Popular VSCode Extensions Expose Devs

⚠️ Ox Security disclosed high- to critical-severity vulnerabilities in widely used VSCode extensions that could enable local file theft and remote code execution. Affected extensions include Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716), and a one-click XSS in Microsoft Live Preview (pre-0.4.16). The researchers say they attempted disclosure from June 2025 but received no responses from maintainers. Users are advised to avoid running localhost servers, opening untrusted HTML, pasting untrusted settings, and to remove unnecessary extensions.

Honeywell CCTV Products: Critical Account Recovery Flaw

🔒 CISA reports a critical vulnerability (CVE-2026-1670) in multiple Honeywell CCTV products that exposes an unauthenticated API endpoint allowing an attacker to change the forgot password recovery email. Successful exploitation can enable account takeover and unauthorized access to camera feeds, and the issue is scored CVSS v3.1 9.8 (CRITICAL). Affected firmware includes several 2MP and 25M IPC/PTZ variants. Honeywell recommends contacting support for patches; CISA urges reducing Internet exposure, segmenting networks, and using secure remote access.

Delta Electronics ASDA-Soft Stack Overflow (CVE-2026-1361)

⚠ A stack-based buffer overflow has been identified in Delta Electronics ASDA-Soft when parsing .par files, allowing an attacker to write data past a stack buffer and corrupt a structured exception handler (SEH). The issue affects versions <= 7.2.0.0 (CVE-2026-1361) and is assigned a CVSS v3.1 base score of 7.8 (High). Delta released fixed ASDA-Soft version 7.2.2.0 and published advisory Delta-PCSA-2026-00003; CISA reports no known public exploitation and notes the vulnerability is not remotely exploitable.

Study Finds Multiple Cloud Password Managers Vulnerable

🔒 A new study from ETH Zurich and Università della Svizzera italiana shows that cloud-based password managers, including Bitwarden, Dashlane, and LastPass, can be vulnerable to password recovery and integrity attacks under a malicious-server model. Researchers identified 25 distinct attack variants ranging from metadata leakage and item swapping to full organizational vault compromise. Vendors have issued patches or mitigation roadmaps and say there is no evidence of in-the-wild exploitation.

Researchers Find Multiple Flaws in Cloud Password Managers

🔐 A team of researchers from ETH Zurich and USI disclosed 27 successful attack scenarios against cloud-based password managers from Bitwarden, LastPass, Dashlane and 1Password, challenging vendors' zero-knowledge claims. The attacks exploit design and cryptographic flaws — including unauthenticated public keys, missing ciphertext integrity and KDF downgrades — enabling vault compromise, password recovery and mass takeover. Vendors report remediation is underway; users should verify fixes and follow advisories.

30-Year-Old Heap Overflow Fixed in libpng 1.6.55 Patch

⚠️ Developers patched a nearly 30-year-old heap buffer overflow in the libpng image library—fixed in libpng 1.6.55—that can crash applications processing crafted PNG files and, with careful heap grooming, enable information disclosure or remote code execution. The flaw exists in the png_set_quantize function when called without a histogram and with oversized palettes. A proof-of-concept is public; users and distributors should upgrade promptly.

Critical RCE in WPvivid Backup Plugin Impacts 900k+

🔒 A critical vulnerability in the WPvivid Backup & Migration WordPress plugin (CVE-2026-1357, CVSS 9.8) allowed unauthenticated attackers to upload arbitrary files and achieve remote code execution. The flaw affected all versions up to 0.9.123 but, according to Defiant, only sites with the non-default "receive backup from another site" option enabled are critically exposed. WPVividPlugins released a patch in v0.9.124 on Jan 28; administrators should upgrade immediately.

Siemens Solid Edge Out-of-Bounds Read Vulnerability

⚠️ A PS/IGES Parasolid translator component in Siemens Solid Edge contains an out-of-bounds read when parsing specially crafted IGS files, which can crash the application or permit arbitrary code execution in the context of the running process. Siemens has released a patch; administrators should update to V226.00 Update 03 or later. The issue is tracked as CVE-2025-40936 with a CVSSv3.1 base score of 7.8 (High). Apply the vendor update and follow industrial security best practices to limit exposure.

Siemens Desigo CC and SENTRON Powermanager CodeMeter Flaw

🔒 Siemens reports a heap-based buffer overflow in the WIBU CodeMeter Runtime used by Desigo CC and SENTRON Powermanager products. The flaw (CVE-2023-38545) occurs during the SOCKS5 proxy handshake when curl mishandles hostnames longer than 255 bytes and can enable code execution in the context of the affected process. Siemens provides instructions to update the CodeMeter Runtime component and advises upgrading affected systems to V8.0 QU2 or later; follow the vendor's patching guidance promptly.