Weekly Threat Landscape Digest – Week 3

1) Actively Exploited Vulnerability in Legacy D-Link Routers (CVE-2026-0625)

A critical vulnerability affecting legacy D-Link DSL gateway routers is being actively exploited in the wild. The flaw allows unauthenticated attackers to execute arbitrary commands through the dnscfg.cgi endpoint, enabling full control over router configuration and DNS settings. Successful exploitation may result in DNS hijacking and persistent compromise of all connected devices downstream.

Key Details

• CVE: CVE-2026-0625
• Severity: Critical (CVSS v3.1: 9.3)
• Type: Command Injection / Remote Code Execution
• Attack Requirement: No authentication, no user interaction
• Exploitation: Observed under active exploitation

Technical Summary
The issue is caused by improper input validation in the dnscfg.cgi endpoint. An attacker can send a crafted request to inject and execute system commands, and modify DNS settings remotely. This provides attackers with persistent control over network traffic behavior.

Impact

• Unauthenticated remote code execution on vulnerable routers
• Unauthorized modification of DNS settings (DNS hijacking / DNSChanger behavior)
• Potential redirection, interception, or blocking of downstream traffic
• Increased risk of credential theft and compromise of connected endpoints

Affected Products (Legacy DSL Gateway Models)

• DSL-2640B – firmware <= 1.07
• DSL-2740R – firmware < 1.17
• DSL-2780B – firmware <= 1.01.14
• DSL-526B – firmware <= 2.01

Recommendations

• Replace legacy and end-of-life routers with supported models that receive security updates
• Monitor DNS configurations for unauthorized or unexpected changes
• Ensure firmware is updated on supported devices
• Review downstream endpoints for suspicious activity and indicators of redirection-based compromise
• Follow vendor advisories and guidance for affected models

Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-0625

2) Critical Vulnerability in React Router and Remix Server Components (CVE-2025-61686)

A critical vulnerability in React Router and Remix server-side components could allow unauthorized server file access due to improper session storage handling, especially in applications using createFileSessionStorage() with unsigned cookies. Additional high-severity issues include multiple SSR XSS vulnerabilities and redirect weaknesses that may enable client-side code execution, phishing, and session abuse.

Key Details

• CVE: CVE-2025-61686
• Severity: Critical (CVSS: 9.1)
• Component: createFileSessionStorage()
• Risk: Unauthorized file access (path traversal / file manipulation)

Affected Versions

• react-router/node: 7.0.0 to 7.9.3
• @remix-run/node: up to 2.17.1
• @remix-run/deno: up to 2.17.1

Fixed Versions

• react-router/node: 7.9.4 or later
• @remix-run/node / @remix-run/deno: 2.17.2 or later

Recommendations

• Upgrade React Router and Remix packages to the patched versions immediately
• Avoid unsigned cookies for file-based session storage
• Review SSR handling to reduce risk from XSS and unsafe redirects

Reference
https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw

4) Security Updates – Google Chrome (Multiple CVEs)

Google has released security updates for Chrome addressing multiple vulnerabilities, including several high-severity flaws in core components such as the V8 JavaScript engine and Blink rendering engine. Successful exploitation may allow attackers to achieve remote code execution when a user visits a malicious website.

Key Details

• High Severity CVEs:
  • CVE-2026-0899 – Out-of-bounds memory access in V8
  • CVE-2026-0900 – Inappropriate implementation in V8
  • CVE-2026-0901 – Inappropriate implementation in Blink

Impact

• Arbitrary code execution in the context of the browser
• Security restriction bypass
• Potential user deception through incorrect security UI indicators

Fixed Versions

• Windows/Mac: Chrome 144.0.7559.59/60
• Linux: Chrome 144.0.7559.59
• Android: Chrome 144.0.7559.59
• iOS: Chrome Stable 144.0.7559.85

Recommendations

• Update Google Chrome to the latest available stable version across all devices
• Prioritize enterprise endpoints and high-risk user groups (admins, finance, SOC users)

Reference
https://chromereleases.googleblog.com/2026/01/stable-channel-update-fordesktop_13.html

5) Microsoft January 2026 Patch Tuesday Security Updates (Multiple CVEs)

Microsoft’s January 2026 Patch Tuesday addresses 112–115 vulnerabilities across Windows, Microsoft Office, and related components. The release includes multiple critical flaws and three zero-day vulnerabilities, including CVE-2026-20805, which is confirmed as actively exploited in the wild.

Key Highlights

• Total fixes: 112–115 vulnerabilities
• Critical: 8
• Important: 104–106
• Zero-days: 3 (1 exploited, 2 publicly disclosed)
• Actively Exploited: CVE-2026-20805 (Desktop Window Manager Information Disclosure)

Notable Zero-Day Vulnerabilities

• CVE-2026-20805: Desktop Window Manager (DWM) Information Disclosure (Exploited in the wild)
• CVE-2023-31096: Agere Soft Modem Driver Elevation of Privilege (SYSTEM privileges)
• CVE-2026-21265: Secure Boot Certificate Expiration Bypass (Secure Boot bypass risk if unpatched)

Critical Vulnerabilities (Examples)

• Windows LSASS RCE: CVE-2026-20854 (network-based impact)
• Microsoft Word/Office/Excel RCE: Multiple document-based vulnerabilities including CVE-2026-20944, CVE-2026-20952/20953, CVE-2026-20955/20957

Recommendations

• Deploy January 2026 cumulative updates across all Windows and Office systems immediately
• Prioritize patching for CVE-2026-20805 due to confirmed exploitation
• Validate Secure Boot protection and ensure systems are updated to avoid long-term bypass risks

Reference
https://msrc.microsoft.com/update-guide/releaseNote/2026-jan

6) SAP January 2026 Security Updates (17 Security Notes)

SAP has released its January 2026 security patch package containing 17 security notes addressing vulnerabilities across enterprise SAP environments. This release includes multiple HotNews items with critical severity (up to CVSS 9.9) impacting SAP S/4HANA, HANA Database, NetWeaver, Wily Introscope, and other application components.

Key Highlights

• Total SAP Notes: 17
• HotNews (Critical): 4
• High Severity: 4
• Medium Severity: 7
• Low Severity: 2

Critical Vulnerabilities (HotNews)

• CVE-2026-0501 (CVSS 9.9): SQL Injection – SAP S/4HANA Financials (General Ledger)
• CVE-2026-0500 (CVSS 9.6): Remote Code Execution – SAP Wily Introscope Enterprise Manager
• CVE-2026-0498 (CVSS 9.1): Code Injection – SAP S/4HANA (Private Cloud & On-Prem)
• CVE-2026-0491 (CVSS 9.1): Code Injection – SAP Landscape Transformation

High Severity Vulnerabilities

• CVE-2026-0492 (CVSS 8.8): Privilege Escalation – SAP HANA Database
• CVE-2026-0507 (CVSS 8.4): OS Command Injection – SAP NetWeaver RFCSDK / ABAP Kernel
• CVE-2026-0506 (CVSS 8.1): Missing Authorization Check – SAP NetWeaver AS ABAP
• Multiple CVEs (CVSS 8.1): SAP Fiori App (Intercompany Balance Reconciliation)

Recommendations

• Prioritize patching all Critical/HotNews and High severity SAP Notes immediately
• Apply remaining patches during approved maintenance windows
• Review SAP RBAC and authorization controls for impacted modules

Reference
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january2026.html

7) High-Severity XXE Vulnerability in Apache Struts 2 (CVE-2025-68493)

A high-severity vulnerability has been identified in the XWork component of Apache Struts 2, caused by improper validation during XML configuration parsing. Successful exploitation could allow XML External Entity (XXE) injection, potentially leading to sensitive file disclosure, SSRF, or denial-of-service conditions.

Key Details

• CVE: CVE-2025-68493
• Severity: High (CVSS: 8.1)
• Component: XWork (core Struts framework component)
• Type: XML External Entity (XXE) Injection

Affected Versions

• Struts 2.0.0 to 2.3.37 (EOL)
• Struts 2.5.0 to 2.5.33 (EOL)
• Struts 6.0.0 to 6.1.0

Fixed Version

• Struts 6.1.1

Impact

• Read sensitive server files
• Access internal network resources (SSRF)
• Denial of Service (DoS) conditions

Recommendations

• Upgrade Apache Struts to 6.1.1 or later immediately
• Apply temporary mitigations if upgrade is not possible (as per Apache advisory)

Reference
https://cwiki.apache.org/confluence/display/WW/S2-069

8) Critical SQL Injection Vulnerability in Advantech Products (CVE-2025-52694)

A critical SQL Injection vulnerability has been identified in multiple Advantech IoT products, which could allow unauthenticated attackers to execute arbitrary SQL commands remotely. Successful exploitation may lead to sensitive data theft, unauthorized configuration changes, and full compromise of connected IoT infrastructure, especially for systems exposed to the internet.

Key Details

• CVE: CVE-2025-52694
• Severity: Critical (CVSS: 10.0)
• Type: SQL Injection
• Access Required: No authentication

Affected Products

• IoTSuite SaaSComposer: Versions prior to 3.4.15
• IoTSuite Growth Linux docker: Versions prior to V2.0.2
• IoTSuite Starter Linux docker: Versions prior to V2.0.2
• IoT Edge Linux docker: Versions prior to V2.0.2
• IoT Edge Windows: Versions prior to V2.0.2

Impact

• Unauthorized database access and data exfiltration
• System configuration modification
• Potential full control of connected IoT devices

Recommendations

• Apply available patches/updates immediately through Advantech official channels
• Restrict internet exposure of IoT management interfaces until remediation is complete
• Monitor network/database logs for SQL injection patterns and abnormal activity
• Enforce strong access controls and network segmentation for IoT environments

Reference
https://nvd.nist.gov/vuln/detail/CVE-2025-52694

9) High-Severity DoS Vulnerability in Palo Alto Networks PAN-OS / Prisma Access (CVE-2026-0227)

Palo Alto Networks has disclosed a high-severity denial-of-service (DoS) vulnerability affecting PAN-OS firewalls and Prisma Access deployments where GlobalProtect Gateway or Portal is enabled. An unauthenticated attacker may repeatedly trigger the issue to force the firewall into maintenance mode, resulting in full service disruption and loss of availability.

Key Details

• CVE: CVE-2026-0227
• Severity: High (CVSS: 8.7)
• Type: Denial of Service (DoS)
• Attack Requirement: No authentication required
• Condition: GlobalProtect Gateway/Portal must be enabled

Impact

• Firewall enters maintenance mode
• Complete disruption of firewall services and remote access connectivity
• Availability impact to perimeter security controls and user access

Affected Versions (Examples)

• PAN-OS 12.1 (earlier than 12.1.3-h3 / 12.1.4)
• PAN-OS 11.2 (earlier than 11.2.4-h15 / 11.2.7-h8 / 11.2.10-h2)
• PAN-OS 11.1 (earlier than 11.1.4-h27 / 11.1.6-h23 / 11.1.10-h9 / 11.1.13)
• PAN-OS 10.2 (earlier than 10.2.18-h1 and listed hotfix baselines)
• PAN-OS 10.1 (earlier than 10.1.14-h20)
• Prisma Access 11.2 (earlier than 11.2.7-h8)
• Prisma Access 10.2 (earlier than 10.2.10-h29)

Recommendations

• Upgrade affected systems to the latest fixed/hotfix version provided by Palo Alto Networks
• Prioritize upgrades where GlobalProtect is exposed externally
• Reduce exposure where possible until patching is completed (restrict portal/gateway access to trusted IPs/VPN users)

Reference
https://security.paloaltonetworks.com/CVE-2026-0227

10) Critical Vulnerability in HPE Telco Service Orchestrator (CVE-2025-68615)

A critical vulnerability has been identified in HPE Telco Service Orchestrator, which could allow a remote attacker to trigger a buffer overflow and potentially achieve full system compromise. Successful exploitation may result in arbitrary code execution, data corruption, or service disruption.

Key Details

• CVE: CVE-2025-68615
• Severity: Critical (CVSS v3.1: 9.8)
• Type: Buffer Overflow
• Impact: Remote code execution, sensitive data exposure, service disruption

Affected Versions

• HPE Telco Service Orchestrator: All versions prior to v4.2.12

Fixed Version

• HPE Telco Service Orchestrator: v4.2.12 or later

Recommendations

• Upgrade immediately to v4.2.12+
• Review service exposure and restrict access to trusted networks until patching is completed
• Monitor for abnormal service crashes or suspicious execution behavior

Reference
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04993en_us&docLocale=en_US

11) Multiple Vulnerabilities in Trend Micro Apex Central (CVE-2025-69258 / 69259 / 69260)

Trend Micro has released a critical security update for Trend Micro Apex Central (on-premise) to address multiple high and critical vulnerabilities. The most severe issue could allow unauthenticated remote code execution with SYSTEM-level privileges, while other flaws may result in denial-of-service (DoS).

Key Details

• Product: Trend Micro Apex Central (On-Premise / Windows)
• Most Critical CVE: CVE-2025-69258 (CVSS: 9.8) – Remote Code Execution (SYSTEM)
• Other CVEs:
  • CVE-2025-69259 (CVSS: 7.5) – Denial of Service
  • CVE-2025-69260 (CVSS: 7.5) – Denial of Service

Affected Versions

• All Apex Central versions below Build 7190

Fixed Version

• Apex Central Critical Patch Build 7190 or later

Recommendations

• Upgrade Apex Central to Build 7190+ immediately
• Prioritize systems exposed to untrusted networks
• Monitor for abnormal service crashes, suspicious DLL loading, and unusual remote activity

Reference
https://success.trendmicro.com/en-US/solution/KA-0022071

12) Critical Unauthenticated Privilege Escalation in Modular DS WordPress Plugin (CVE-2026-23550)

A critical unauthenticated privilege escalation vulnerability has been identified in the Modular DS WordPress plugin, allowing remote attackers to gain full administrator (wp-admin) access on vulnerable WordPress websites. The issue is actively exploited in the wild and has been used to create persistent malicious admin accounts.

Key Details

• CVE: CVE-2026-23550
• Severity: Critical (CVSS v3.1: 10.0)
• Type: Unauthenticated Privilege Escalation → Admin Takeover
• Exploitation: Confirmed active exploitation in the wild
• Affected Plugin Versions: Modular DS 2.5.1 and below
• Fixed Version: Modular DS 2.5.2 or later
• Estimated Exposure: 40,000+ WordPress sites

Known Malicious IPs

• 45.11.89[.]19
• 185.196.0[.]11

Recommendations

• Upgrade Modular DS plugin to v2.5.2+ immediately
• Audit WordPress admin accounts and remove suspicious/unauthorized users
• Review authentication logs for unknown logins and privilege changes

Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-23550

13) Adobe January 2026 Security Updates (25 Vulnerabilities Across 11 Products)

Adobe has released January 2026 security updates addressing 25 vulnerabilities across 11 products, including multiple critical arbitrary code execution flaws. The most severe vulnerability impacts Adobe ColdFusion, where a vulnerable dependency may allow remote code execution through malicious content. While active exploitation has not been reported, Adobe has rated ColdFusion updates as high priority, requiring urgent remediation.

Key Highlights

• Total vulnerabilities fixed: 25
• Products impacted: 11
• Primary risk: Remote Code Execution (RCE), memory corruption, and denial-of-service

Most Critical Issue (ColdFusion – Priority 1)

• CVE: CVE-2025-66516 (CVSS: 10.0)
• Impact: RCE, SSRF, information disclosure, DoS
• Affected: ColdFusion 2025 Update 5 and earlier, ColdFusion 2023 Update 17 and earlier
• Fixed: ColdFusion 2025 Update 6, ColdFusion 2023 Update 18

Other Notable Products Receiving Critical Fixes

• Dreamweaver (multiple RCE-related issues)
• InDesign, Illustrator, InCopy, Bridge (memory corruption leading to code execution)
• Substance 3D suite (multiple out-of-bounds and use-after-free flaws)

Recommendations

• Apply all Adobe January 2026 security updates immediately
• Prioritize patching in this order:
  1. ColdFusion (Priority 1)
  2. Critical RCE client-side products (Dreamweaver, InDesign, Illustrator, etc.)
  3. Remaining products during scheduled maintenance

Reference
https://helpx.adobe.com/security.html

14) Critical and High-Severity Vulnerabilities in ManageEngine Identity & Privileged Access Products

Multiple security vulnerabilities have been identified in ManageEngine products used for identity management and privileged access control. The issues impact ADSelfService Plus and privileged access tools including PAM360, Password Manager Pro, and Access Manager Plus, potentially leading to application compromise or unauthorized access if affected systems are reachable from the product server.

Key Vulnerabilities

• CVE-2025-11250 (Critical): ADSelfService Plus
  • Affected: Builds 6518 and earlier
  • Fixed: Build 6519
• CVE-2025-11669 (High): Unauthorized Access in privileged access products
  • PAM360: up to build 8201 (Fixed: 8202)
  • Password Manager Pro: up to build 13220 (Fixed: 13221)
  • Access Manager Plus: up to build 4400 (Fixed: 4401)
  • Note: Exploitable when managed resources are network-accessible from the product server

Recommendations

• Upgrade affected ManageEngine products immediately to the fixed builds
• Restrict network exposure and ensure only trusted systems can access these management servers
• Review privileged access configurations and monitor for unauthorized access attempts

References
https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-11250.html
https://www.manageengine.com/privileged-access-management/advisory/cve-2025-11669.html

15) Multiple High-Severity Vulnerabilities in HPE Aruba Networking Instant On Devices

HPE Aruba Networking has released security updates addressing multiple high-severity vulnerabilities in its Instant On product line. The issues could allow attackers to expose internal network configuration details or trigger denial-of-service (DoS) conditions, potentially disrupting wireless access and network availability.

Key Vulnerabilities

• CVE-2025-37165 (CVSS 7.5 | High): Exposure of VLAN and internal network configuration details due to router-mode configuration behavior
• CVE-2025-37166 (CVSS 7.5 | High): Crafted network packets may cause access points to become non-responsive, potentially requiring manual hard reset
• CVE-2023-52340 (High) / CVE-2022-48839 (Med-High): OS kernel packet processing vulnerabilities that may lead to DoS or memory corruption

Affected Products

• HPE Networking Instant On devices running software version 3.3.1.0 and below

Fixed Version

• HPE Networking Instant On software version 3.3.2.0 and above

Recommendations

• Upgrade Instant On devices to 3.3.2.0 or later as soon as possible
• Monitor for abnormal device resets, packet floods, and unexpected access point unresponsiveness
• Restrict management exposure and segment wireless infrastructure where applicable

Reference
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US#hpesbnw04988-rev-1-hpe-networking-instant-on-multi-0 

16) Critical Vulnerability in Moxa Industrial Ethernet Switches (CVE-2023-38408)

A critical vulnerability has been identified in Moxa industrial Ethernet switches that use the OpenSSH component. The issue impacts the PKCS#11 functionality in ssh-agent and may allow remote attackers to achieve arbitrary code execution under specific conditions, increasing risk for OT environments where these switches are deployed.

Key Details

• CVE: CVE-2023-38408
• Severity: Critical (CVSS: 9.8)
• Component: OpenSSH ssh-agent (PKCS#11 functionality)
• Risk: Remote Code Execution (RCE) via unsafe module loading behavior

Affected Products / Versions

• EDS-G4000 Series
• EDS-4008 / 4009 / 4012 / 4014 Series
• EDS-G4008 / G4012 / G4014 Series (Firmware v4.1 and earlier)
• RKS-G4000 Series
• RKS-G4028 / G4028-L3 Series (Firmware v5.0 and earlier)

Fixed Versions

• EDS Series: Upgrade to firmware v4.1.58
• RKS Series: Upgrade to firmware v5.0.4

Recommendations

• Apply vendor firmware updates immediately
• Restrict access to OT switches and allow management only from trusted networks
• Avoid exposing OT devices directly to the internet and disable unnecessary services/ports
• Monitor device logs and network traffic for suspicious remote activity

Reference
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-256261-cve-2023-38408-openssh-vulnerability-in-ethernet-switches

17) Multiple Critical and High-Severity Vulnerabilities in Fortinet Products (FortiSIEM / FortiFone / FortiOS / FortiSwitchManager / FortiSASE)

Fortinet has disclosed multiple critical and high-severity vulnerabilities impacting several products, including unauthenticated remote command execution, sensitive configuration disclosure, and a heap-based buffer overflow that may lead to remote code execution. These issues pose increased risk to internet-facing deployments and require immediate patching.

Key Vulnerabilities

1) FortiSIEM – Unauthenticated Remote Command Injection

• CVE: CVE-2025-64155
• Severity: Critical (CVSS: 9.4)
• Impact: Unauthenticated remote execution of OS commands
• Affected: FortiSIEM Super/Worker nodes (Collector nodes not impacted)
• Mitigation: Upgrade to fixed releases (7.4.1+, 7.3.5+, 7.2.7+, 7.1.9+)
• Workaround: Restrict access to phMonitor port TCP/7900

2) FortiFone Web Portal – Unauthenticated Configuration Disclosure

• CVE: CVE-2025-47855
• Severity: Critical (CVSS: 9.3)
• Impact: Unauthenticated access to local configuration information
• Affected: FortiFone 7.0.0–7.0.1, 3.0.13–3.0.23
• Fixed: 7.0.2+ and 3.0.24+

3) FortiOS / FortiSwitchManager / FortiSASE – Heap Buffer Overflow (cw_acd daemon)

• CVE: CVE-2025-25249
• Severity: High (CVSS: 7.4)
• Impact: Potential unauthenticated remote code execution
• Fixed Versions:
  • FortiOS: 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+
  • FortiSwitchManager: 7.2.7+, 7.0.6+
  • FortiSASE: fixed in newer releases (upgrade/migrate as advised)

Recommendations

• Upgrade all affected Fortinet products to vendor-recommended fixed versions immediately
• Prioritize remediation for internet-facing systems and critical security infrastructure
• Validate upgrade paths using Fortinet’s Upgrade Tool and monitor for suspicious activity

References
https://fortiguard.fortinet.com/psirt/FG-IR-25-772
https://fortiguard.fortinet.com/psirt/FG-IR-25-260
https://fortiguard.fortinet.com/psirt/FG-IR-25-084

18) Critical Privilege Escalation in ServiceNow AI Platform (CVE-2025-12420)

ServiceNow has addressed a critical privilege escalation vulnerability in its AI Platform that could have allowed an unauthenticated attacker to impersonate legitimate users and perform actions with their privileges. The issue is linked to flawed authentication and account-linking logic, potentially enabling bypass of MFA and SSO protections in affected implementations.

Key Details

• CVE: CVE-2025-12420
• Severity: Critical (CVSS: 9.8)
• Class: Execution with Unnecessary Privileges (CWE-250)
• Affected Platform: ServiceNow AI Platform
• Affected Components:
  • Now Assist AI Agents
  • Virtual Agent API

Fixed Versions

• Now Assist AI Agents (sn_aia):
  • 5.1.18 or later
  • 5.2.19 or later
• Virtual Agent API (sn_va_as_service):
  • 3.15.2 or later
  • 4.0.4 or later

Recommendations

• Confirm installed versions of Now Assist AI Agents and Virtual Agent API
• Apply the fixed releases immediately if running vulnerable builds
• Review authentication and account-linking activity for abnormal access patterns

Reference
https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB2587329

19) Security Updates – NVIDIA Nsight Graphics (CVE-2025-33206)

NVIDIA has released security updates to address a high-severity vulnerability in NVIDIA Nsight Graphics for Linux. The issue is a command injection flaw that could allow attackers to execute arbitrary commands, potentially resulting in remote code execution under certain conditions.

Key Details

• CVE: CVE-2025-33206
• Severity: High (CVSS: 7.8)
• Type: OS Command Injection (CWE-78)
• Product: NVIDIA Nsight Graphics (Linux)

Affected Versions

• All versions prior to Nsight Graphics 2025.5

Fixed Version

• Nsight Graphics 2025.5 or later

Impact

• Arbitrary command execution
• Possible privilege escalation
• Data tampering or service disruption

Recommendations

• Upgrade NVIDIA Nsight Graphics to 2025.5+ immediately
• Restrict access to developer/debug tooling on production Linux systems where possible
• Monitor systems for unusual command execution activity

Reference
https://nvidia.custhelp.com/app/answers/detail/a_id/5738

20) Critical Path Traversal in AdonisJS Multipart File Uploads (CVE-2026-21440)

A critical path traversal vulnerability has been identified in the AdonisJS ecosystem within the @adonisjs/bodyparser npm package used for multipart file uploads. The flaw could allow a remote, unauthenticated attacker to write arbitrary files to unintended locations on the server. In certain deployments, this may be escalated to remote code execution by overwriting executable or configuration files.

Key Details

• CVE: CVE-2026-21440
• Severity: Critical (CVSS: 9.2)
• Package: @adonisjs/bodyparser
• Function: MultipartFile.move(location, options)
• Type: Path Traversal (CWE-22)
• Access Required: No authentication, no user interaction

Affected Versions

• <= 10.1.1
• <= 11.0.0-next.5

Fixed Versions

• 10.1.2
• 11.0.0-next.6

Exploitation Conditions

• Exposed file upload endpoint with multipart enabled
• Application trusts client-provided filenames
• MultipartFile.move() used without secure/explicit options

Recommendations

• Upgrade @adonisjs/bodyparser to the fixed versions immediately
• Audit all file upload endpoints and validate/sanitize filenames
• Review historical uploads for suspicious filename patterns and unexpected file locations

Reference
https://github.com/adonisjs/core/security/advisories/GHSA-gvq6-hvvp-h34h

21) Actively Exploited Zero-Day RCE Vulnerability in Gogs (CVE-2025-8110)

An actively exploited zero-day vulnerability has been identified in Gogs, a widely used self-hosted Git service. The issue allows authenticated users to achieve remote code execution (RCE) by abusing symbolic links to bypass a previous security fix. Large-scale exploitation has been observed, with hundreds of publicly exposed instances reportedly compromised.

Key Details

• CVE: CVE-2025-8110
• Severity: High (CVSS-BT: 8.7)
• Type: Symbolic-link bypass leading to Remote Code Execution
• Access Required: Authenticated user access (higher risk if open registration is enabled)
• Exploitation Status: Actively exploited in the wild

Technical Summary

• CVE-2025-8110 bypasses a previous RCE fix for CVE-2024-55947 involving the PutContents API.
• The original flaw allowed path traversal to write files outside the repository directory.
• The patch did not properly handle symbolic links inside repositories, enabling attackers to write/modify unintended files and escalate to RCE.

Observed Exploitation Indicators

• Random 8-character repository and owner names
• Repositories created shortly before malware execution
• Automated exploitation patterns at scale

Recommendations

• Apply the latest Gogs patch immediately
• Treat previously internet-exposed instances as potentially compromised and conduct forensic review
• Audit repositories for suspicious symlinks referencing paths outside repositories
• Review .git/config and sensitive files for unauthorized modifications (including injected sshCommand)
• Rotate Gogs-related credentials (SSH keys, access tokens, service accounts) after patching
• Restrict repository creation and reduce exposure via VPN/IP allow-list until fully secured

References
https://nvd.nist.gov/vuln/detail/CVE-2025-8110
https://github.com/gogs/gogs/pull/8078

22) Security Updates – Progress Software LoadMaster / MOVEit WAF (CVE-2025-13444, CVE-2025-13447)

Progress Software has released security updates addressing two high-severity command injection vulnerabilities affecting LoadMaster load balancers and MOVEit Web Application Firewall (WAF). Successful exploitation could allow remote attackers to execute arbitrary system commands and potentially gain full control of affected appliances.

Key Vulnerabilities

• CVE-2025-13444 (CVSS: 8.4 | High)
  • Command injection via improper validation in UI/API related to the getcipherset command
• CVE-2025-13447 (CVSS: 8.4 | High)
  • Command injection affecting multiple UI/API admin commands (e.g., addapikey, delapikey, delcert, dmidecode, listapikeys, ssodomain)

Affected Products

• Progress LoadMaster (GA)
• Progress LoadMaster Long-Term Support Firmware (LTSF)
• Progress Multi-Tenant LoadMaster (Hypervisor / Manager Node)
• Progress MOVEit Web Application Firewall (WAF)

Fixed Versions

• LoadMaster GA: 7.2.62.2
• LoadMaster LTSF: 7.2.54.16
• Multi-Tenant LoadMaster Hypervisor: 7.1.35.15
• MOVEit WAF: 7.2.62.2

Recommendations

• Upgrade affected appliances to the fixed versions immediately
• Restrict administrative UI/API access to trusted IPs only until patching is completed
• Monitor for suspicious admin commands, API abuse, and abnormal process execution

References
https://nvd.nist.gov/vuln/detail/CVE-2025-13444
https://nvd.nist.gov/vuln/detail/CVE-2025-13447

23) Security Updates – Mozilla Firefox / Firefox ESR / Thunderbird (Multiple CVEs)

Mozilla has released security updates for Firefox, Firefox ESR, and Thunderbird to address multiple high-severity vulnerabilities. These issues could allow attackers to bypass security restrictions, escape browser sandboxes, or potentially execute arbitrary code through memory corruption and exploitation of graphics and IPC components.

Key Vulnerabilities (High Severity)

• CVE-2026-0877 – Mitigation bypass in DOM security component
• CVE-2026-0878 / 0879 / 0880 – Sandbox escape vulnerabilities in Graphics components (CanvasWebGL / integer overflow)
• CVE-2026-0881 – Sandbox escape in Messaging System component
• CVE-2026-0882 – Use-after-free in IPC component
• CVE-2026-0891 – Multiple memory safety issues addressed across supported releases

Impact

• Remote code execution (in certain exploitation chains)
• Sandbox escape and security restriction bypass
• Memory corruption, crashes, and potential data compromise

Fixed Versions

• Firefox 147
• Firefox ESR 115.32
• Firefox ESR 140.7
• Thunderbird 147
• Thunderbird 140.7

Recommendations

• Update Firefox and Thunderbird to the latest fixed versions immediately
• Prioritize endpoints used for privileged access and administrative activities

References
https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-02/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-04/
https://www.mozilla.org/en-US/security/advisories/mfsa2026-05/