Attackers

Security Advisory

CISCO Vulnerability Allows RCE in its Smart Software Manager on-Premise

CVE-2026-20160, Vulnerability in CISCO’s smart software manager may allows attackers to gain complete control over the affected system without needing authentication which is gaining prior access to exploit the system.  The CVSS severity score of 9.8 out of 10, indicating its high risk level.

Authentication and access controls play a crucial role in web application and system security. What can happen?

  • Data theft
  • System compromise
  • Privilege escalation

CISCO’s Smart Software Manager Flaw

In this case the vulnerability exposure allowed unauthorized access, as attackers do not need login credentials when a hacker can execute arbitrary commands on the operating system. Further escalating by creating crafted request to the service’s API. The vulnerability impacted certain versions of the Cisco SSM On-Prem environments, particularly software releases from 9-202502 to 9-202510.

Remediation for organizations

Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.

The vulnerability did not impact CISCO’s smart software newly released version 9-202601 includes a patch that fixes the flaw.

Cisco advises to upgrade to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.

For IT teams notes include devices meet the necessary memory and hardware specifications before proceeding with the update. 

Key findings from CVE-2026-20160 Vulnerability

The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team and they found no immediate exploitations in the wild

With the disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems.  Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating risks associated and stop any kind of data breaches.

Conclusion:

Research shows that, making timely patching critical for authentication security is essential and failing to do that can lead to data breaches.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

Cybersecurity News Security Advisory

Enterprise Security at Risk as Critical Flaw Found in OpenAI’s Codex

Codex Enabled GitHub Token Theft

Continue Reading
Blogs Cybersecurity News

Scanners Turn Attack Vector as TrivyScanner Hijacked via GitHub Actions Tags

Attackers Targeted SSH keys, Cloud Tokens & API secrets in CI/CD Pipelines; Highlights Securing CI/CD Pipelines

In latest vulnerability discovery Aqua Security revealed HackerBot-claw bot hijacked 75 of 76 GitHub Actions tags for its Trivy vulnerability scanner. The HackerBot-claw first distributed credential-stealing malware through the widely used security tool for the second time in a one month.

Malicious code rode alongside legitimate scans, targeting SSH keys, cloud tokens and API secrets in CI/CD pipelines. Security researcher Paul McCarty was the first to warn publicly that Trivy version 0.69.4 had been backdoored, with malicious container images and GitHub releases published to users.

Attack module on Trivy

When it comes to workflow it has been observed that more then 10,000 GitHub workflow files rely on trivy-action. Attackers can leverage this pipeline and pull versions during the attack window which are affected and carry sensitive credentials exfiltrated.

Attackers compromised the GitHub Action by modifying its code and retroactively updating version tags to reference a malicious commit. This permitted data used in CI/CD workflows to be printed in GitHub Actions build logs and finally leaking credentials.

A self-propagating npm worm compromised 47 packages, extending the blast radius into the broader JavaScript ecosystem.

Aqua Security disclosed in a GitHub Discussion that the incident stemmed from incomplete containment of an earlier March 1 breach involving a hackerbot-claw bot.

  • Attackers swapped the entrypoint.sh in Trivy’s GitHub Actions with a 204-line script that prepended credential-stealing code before the legitimate scanner.
  • Lines 4 through 105 contained the infostealer payload, while lines 106 through 204 ran Trivy as normal.
  • This made difficult  to detect during routine scans.

TeamPCP preserved normal scan functionality to avoid triggering CI/CD failures as detection now will require cryptographic verification of commit signatures .

For defenders, traditional CI/CD monitoring, which watches for build failures or unexpected output, can no longer catch supply-chain compromises that deliberately maintain normal behavior.

Organizations relying on Trivy or similar open-source security tools are facing attacks from the very scanners meant to protect their pipelines can become the attack vector. Only cryptographic provenance checks can distinguish legitimate releases from poisoned ones.

As per security researchers once inside a pipeline, the malicious script scanned memory regions of the GitHub Actions Runner.

Github Compromise

The attack appears to have been accomplished via the compromise of the cx-plugins-releases (GitHub ID 225848595) service account, as that is the identity involved in publishing the malicious tags. 

Credentials exfiltrated during the initial incident were used last week in a new supply chain attack that targeted not only the Trivy package but also trivy-action and setup-trivy, Trivy’s maintainers have confirmed in a March 21 advisory.

Key Findings b Wiz Research

  • According to Wiz, the attack appears to have been carried out via the compromise of the “cx-plugins-releases” service account, with the attackers with malicious container images and GitHub releases published to users.
  • The second stage extension is activated and the malicious payload checks whether the victim has credentials from cloud service providers such as GitHub, AWS, Google Cloud, and Microsoft Azure.
  • When credentials if they are detected, it proceeds to fetch a next-stage payload from the same domain (“checkmarx[.]zone”).

“The payload attempts execution via npx, bunx, pnpx, or yarn dlx. This covers major JavaScript package managers,” Wiz researchers Rami McCarthy, James Haughom, and Benjamin Read said. “The retrieved package contains a comprehensive credential stealer.

Harvested credentials are then encrypted, using the keys as elsewhere in this campaign, and exfiltrated to ‘checkmarx[.]zone/vsx’ as tpcp.tar.gz.”

Conclusion: Aqua Security urged affected users to “treat all pipeline secrets as compromised and rotate immediately.” 

Organizations that ran any version of trivy-action, setup-trivy, or Trivy v0.69.4 during the attack window should audit their CI/CD logs for unexpected network connections to scan.aquasecurtiy[.]org and check whether any tpcp-docs repositories were created under their GitHub accounts.

With three major tag-hijacking incidents in 12 months, Wiz security researcher Rami McCarthy recommended that organizations “pin GitHub Actions to full SHA hashes, not version tags.”

Sources: Trivy Breached Twice in a Month via GitHub Actions

Cybersecurity News Security Advisory

CVE-2026-33409-Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session

Parse Server Authentication Bypass via partial authData; Successful exploitation Lead to Creating Valid User Session

Continue Reading
Cybersecurity News

CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.

Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.

“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.

Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list

The primary reason after evaluation by threat researcher’s were –

FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.

  • The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
  • Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
  • For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands

Why CISA added FileZen CVE-2026-25108 to its KEV

  • The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
  • What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
  • Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
  • This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)

JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.

Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.

The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:

  • Run unauthorized commands on the server
  • Manipulate files or processes
  • Establish persistence
  • Access sensitive transferred data
  • Use the compromised FileZen environment as a pivot point into internal systems

Technical Analysis of CVE-2026-25108

OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.

Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform

Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.

As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.

CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.




Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen

Security Advisory

Chrome Security Updates by Google Released For Actively Exploited Zero-Day 2026

Chrome update released to patch a zero-day vulnerability that has been exploited in the wild.

Continue Reading
Cybersecurity News Security Advisory

Critical Flaw Identified in Fortinet Product ‘FortiClientEMS’; Security Updates Released

Fortinet released security updates for CVE-2026-2164

Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw is classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests.

Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

Technical Details

With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations relying on FortiClientEMS for endpoint management.

The flaws affect the following versions –

  • FortiClientEMS 7.2 (Not affected)
  • FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
  • FortiClientEMS 8.0 (Not affected)

The vulnerability, CVE-2026-21643, resides in the FortiClientEMS administrative web interface.

Reason for the flaw or vulnerability to appear is caused by improper neutralization of user-supplied input in SQL queries. The flaw allows an unauthenticated attacker to send specially crafted HTTP requests to the FortiClientEMS GUI.

This resulted in the execution of arbitrary SQL statements, leading to unauthorized access, data exfiltration, privilege escalation and remote code execution (RCE) on any primary system.

Remediation

Immediate patching is strongly recommended to prevent potential exploitation, as the vulnerability allows attackers to bypass authentication and gain full control over the targeted system.

  • In addition to patching, organizations should implement the following best practices to reduce exposure and detect potential exploitation attempts.
  • Administrators should review web server and application logs for unusual or unauthorized HTTP requests targeting the FortiClientEMS administrative interface.
  • Monitoring for unexpected creation of administrative accounts or the execution of system commands originating from the FortiClientEMS host can help identify compromise.
  • Restricting network access to the FortiClientEMS management interface to trusted IP addresses and enforcing strong authentication controls can further reduce the attack surface.

There is currently no evidence of exploitation in the wild but the flaw has been termed a high-priority issue for all organizations using the affected product version, reason the attack surface is vulnerable.

Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.

Conclusion:

The vulnerability is not present in FortiClientEMS versions 7.2, 8.0, or FortiEMS Cloud. The issue has been resolved in FortiClientEMS version 7.4.5 and later.

In the past similar Fortinet SQL injection and remote code execution vulnerabilities were found in Fortinet products and was targeted by cybercriminals and state-sponsored actors for financial benefits.

Sources: FortiClientEMS CVE-2026-21643: Critical Unauthenticated SQL Injection Vulnerability Allows Remote Code Execution

Blogs Security Advisory

Ransomware attackers Exploit VMware ESXi arbitrary-write vulnerability

VMware ESXi VMware vulnerabilities

Continue Reading
Security Advisory

Critical Solar Winds Vulnerabilities being Exploited by Threat Actors

Critical Solar Winds Vulnerabilities being Exploited by Threat Actors

Continue Reading
Cybersecurity News

Microsoft 0-Day Vulnerability Targeted by APT28 Hacking Group Infiltrating Sensitive Networks

APT28 attack executes when victims open malicious documents in Microsoft Office:

Continue Reading
Scroll to top