Gargi - Intrucept

Python Regression & Email Header- Ubuntu Security Updates Patch Now

Summary: USN-8018-1 fixed vulnerabilities in python3. That update introduced regressions. The patches for CVE-2025-15366 and CVE-2025-15367 caused behavior regressions in IMAP and POP3 handling, which upstream chose to avoid by not backporting them.

OEM	Python
Severity	Medium
CVSS Score	6.5
CVEs	CVE-2026-0865, CVE-2025-15366, CVE-2025-15367
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Python is a widely used high-level programming language that powers many enterprise applications, automation frameworks, DevOps pipelines, web platforms and email-processing services. Many Linux distributions – Ubuntu provide Python runtime packages as core system components.

Ubuntu released USN-8018-2 to address regressions introduced in the previous security update USN-8018-1. The earlier update attempted to fix vulnerabilities related to email header parsing and input validation but unintentionally introduced compatibility issues affecting IMAP, POP3, and WSGI header processing.

The new advisory prioritizes the fix for CVE-2026-0865, while also addressing issues related to CVE-2025-15366 and CVE-2025-15367.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
WSGI Header Parsing Regression Vulnerability	CVE-2026-0865	Python	Medium	6.5	Updated Python packages
Email Header Injection Vulnerability	CVE-2025-15366	Python	Medium	5.9	Updated Python packages
Improper Email Header Parsing Vulnerability	CVE-2025-15367	Python	Medium	5.9	Updated Python packages

Technical Summary

These vulnerabilities affect multiple Python versions distributed within Ubuntu systems.

The original security update introduced patches intended to address email header parsing vulnerabilities. However, those fixes resulted in unintended behavioural regressions.

The CVE-2026-0865 patch incorrectly rejected horizontal tab characters in WSGI headers, potentially causing web applications relying on Python frameworks to malfunction.

Additionally, patches for CVE-2025-15366 and CVE-2025-15367 affected IMAP and POP3 email processing behavior, which allow upstream developers to avoid backporting those changes due to compatibility concerns.

Ubuntu released updated packages to resolve these regressions while maintaining protection against the underlying vulnerabilities.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2026-0865	Python (multiple Ubuntu packages)	Incorrect rejection of horizontal tabs in WSGI headers after patch	Web application compatibility issues
CVE-2025-15366	Python email parsing library	Improper parsing allowing email header injection	Email spoofing or message manipulation
CVE-2025-15367	Python email processing modules	Improper validation of message headers	Header manipulation in email processing

Affected Packages

The following Python packages are affected –

python3.4 python3.5 python3.6 python3.7 python3.8

python3.10 python3.12 python3.13 python3.14

Remediation:

Apply the latest Ubuntu security updates immediately-

Fixed Package Versions

Ubuntu Release	Fixed Package Version
Ubuntu 25.10	python3.13 – 3.13.7-1ubuntu0.4 / python3.14 – 3.14.0-1ubuntu0.3
Ubuntu 24.04 LTS	python3.12 – 3.12.3-1ubuntu0.12
Ubuntu 22.04 LTS	python3.10 – 3.10.12-1 22.04.15
Ubuntu 20.04 LTS	python3.8 – 3.8.10-0ubuntu1 20.04.18
Ubuntu 18.04 LTS	Updated ESM packages
Ubuntu 16.04 LTS	Updated ESM packages
Ubuntu 14.04 LTS	Updated ESM packages

If immediate patching is not possible, apply the following temporary mitigations-

Restrict access to email-processing services where Python handles inbound messages.

Validate and sanitize email headers within application logic.

Monitor logs for abnormal IMAP/POP3 parsing errors.

Test Python-based web applications to detect WSGI header parsing issues.

You can follow the recommendations below as a best practice-

Maintain regular patch management for system packages.

Monitor Python runtime libraries for security advisories.

Implement secure email validation mechanisms within applications.

Use application security testing tools to detect input-validation weaknesses.

Monitor logs for abnormal email header patterns or parsing failures.

Conclusion:
The vulnerabilities addressed in USN-8018-2 highlight the risks associated with improper email header parsing and regression issues in widely used programming libraries such as Python. The primary concern, CVE-2026-0865, affects WSGI header handling and could disrupt web applications, while CVE-2025-15366 and CVE-2025-15367 relate to email header parsing weaknesses.

Organizations using Python-based applications or email processing services should prioritize updating affected Ubuntu packages to ensure both security and application stability.

References:

USN-8018-2: Python regression | Ubuntu security notices | Ubuntu

https://www.suse.com/security/cve/CVE-2026-0865.html

2 Cyber security Vulnerabilities Affecting Hikvision & Rockwell Automation-CVSS 9.8 Flaws

CISA emphasized the urgency of addressing these vulnerabilities

ExifTool Vulnerability Capitalizes on Image’s Metadata-Exploiting macOS with Shell Commands

ExifTool that allows malicious image files to execute code on macOS systems discovered by Kaspersky’s Global Research and Analysis Team (GReAT) about the critical vulnerability.

Cisco Released Emergency Patch for Vulnerabilities in its Firewall Products

Cisco Released Emergency Patch

Data Breach in LexisNexis Highlight Risk of Unpatched Application

LexisNexis Confirms Data Breach that leaked 2GB data

Google Chrome Patching 3 High Security Flaws Highlights Browser Security

Google Chrome emergency security update tracked as CVE-2026-2441; Highlights Browser Security

SolarWinds Serv-U15.5.4 Rocked by Critical RCE Vulnerabilities; Patch Now

Summary : SolarWinds has fixed four critical vulnerabilities in its popular Serv-U file transfer solution, which is used by businesses and organizations of all sizes. vulnerabilities impact SolarWinds Serv-U Managed File Transfer, a platform frequently deployed as an internet-facing FTP/FTPS/SFTP gateway or as an internal file exchange service handling sensitive data.

OEM	SolarWinds
Severity	Critical
CVSS Score	9.1
CVEs	CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

SolarWinds stated that there are no confirmed reports of active exploitation at this time. However, given previous Serv-U vulnerabilities were exploited by advanced threat actors.

SolarWinds Serv-U

is a secure file transfer server used by organizations to manage FTP, FTPS, SFTP, and HTTP/S file transfers across enterprise environments. It is commonly deployed on Windows and Linux servers to securely exchange sensitive business data.

SolarWinds fixed four critical remote code execution vulnerabilities in Serv-U 15.5. These vulnerabilities could allow an attacker with administrative privileges to execute arbitrary native code as root on the affected server.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
Broken Access Control Remote Code Execution Vulnerability	CVE-2025-40538	Serv-U	Critical	9.1	Serv-U 15.5.4
Type Confusion Remote Code Execution Vulnerability	CVE-2025-40539	Serv-U	Critical	9.1	Serv-U 15.5.4
Type Confusion Remote Code Execution Vulnerability	CVE-2025-40540	Serv-U	Critical	9.1	Serv-U 15.5.4
Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability	CVE-2025-40541	Serv-U	Critical	9.1	Serv-U 15.5.4

Technical Summary

These critical vulnerabilities affect SolarWinds Serv-U version 15.5 and arise from weaknesses such as improper access control checks, type confusion errors, and insecure object reference handling.

If exploited, they may allow an attacker to run arbitrary native code with root-level privileges on the affected server.

Successful exploitation requires administrative access. Once obtained, an attacker could create unauthorized administrator accounts, and execute malicious code, potentially resulting in complete system compromise and further movement across the network.

SolarWinds strongly advises upgrading to Serv-U version 15.5.4 to address these security risks.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-40538	Serv-U 15.5	Improper access control enabling admin creation and root-level code execution	Admin account creation, full system compromise
CVE-2025-40539	Serv-U 15.5	Type confusion enabling arbitrary native code execution as root	Arbitrary native code execution
CVE-2025-40540	Serv-U 15.5	Type confusion leading to root-level native code execution	Root-level execution
CVE-2025-40541	Serv-U 15.5	IDOR enabling unauthorized access and root-level code execution	Remote code execution as root

Potential Consequences

Full server takeover

Privilege escalation

Lateral movement within enterprise network

Data exfiltration

Malware or backdoor deployment

Remediation:

Upgrade immediately to Serv-U product with below mentioning fixed version-

Serv-U 15.5.4

If immediate patching is not possible, apply the following temporary mitigations-

Restrict Serv-U administrative access to trusted IP ranges.

Enforce MFA for all Serv-U admin accounts.

Ensure services run with least privilege.

Conduct audit of newly created administrative accounts.

You can follow the recommendations below as a best practice-

Enforce strict administrative access controls.

Monitor logs for unauthorized privilege escalation.

Implement network segmentation for file transfer servers.

Apply regular patch management and vulnerability scanning.

Conclusion:
These four newly disclosed vulnerabilities in SolarWinds Serv-U represent critical remote code execution risks. Although exploitation has not been confirmed, Serv-U’s history of targeted attacks increases the urgency for patching.

Organizations should treat this as a priority patching event and immediately upgrade to Serv-U 15.5.4 to prevent potential root-level compromise.

References:

Serv-U 15.5.4 release notes

SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

Critical Vulnerability in CISCO Catalyst SD-WAN Authentication Bypass 0-Day; Patch Now

Cisco SD-WAN Authentication Bypass Zero-Day

CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.

Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.

“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.

Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list

The primary reason after evaluation by threat researcher’s were –

FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.

The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands

Why CISA added FileZen CVE-2026-25108 to its KEV

The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.

This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.

Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)

JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.

Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.

The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:

Run unauthorized commands on the server
Manipulate files or processes
Establish persistence
Access sensitive transferred data
Use the compromised FileZen environment as a pivot point into internal systems

Technical Analysis of CVE-2026-25108

OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.

Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform

Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.

As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.

CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.

Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen

Cyber Breaches Disrupt Business Continuity; & Speak more about Balance Sheet

Cyber Breaches Disrupts Business Continuity Impacting the Balance sheet

Author: Gargi