RCE

Apache ActiveMQ Vulnerability CVE-2026-34197 Exploited in the Wild

CVE-2026-34197, an Apache ActiveMQ flaw

Vulnerable ABAP Program Patched by SAP in April Security Updates

SAP security patch day saw the release of 19 new security notes on April 14th. There is 1 update to previously released security note. The update addresses several severe flaws, including critical SQL injection, denial of service (DoS) and code injection vulnerabilities.

Vulnerability Details:

[CVE-2026-27681] SQL Injection vulnerability in SAP Business Planning and Consolidation and SAP Business Warehouse is most critical with CVSS score 9.9. This flaw may allow attackers to run arbitrary database queries, potentially compromising sensitive information and system integrity.

SAP also released a security note that addresses a high-severity missing authorization check in ERP and S/4 HANA. Tracked as CVE-2026-34256, is missing authorization check in SAP ERP and SAP S/4 HANA. With a CVSS score of 7.1, this vulnerability could enable unauthorized users to perform restricted actions in both private cloud and on‑premise deployments

Further it could be exploited to execute an ABAP program and rewrite existing eight‑character executable programs.

[CVE-2025-64775] Denial of Service Vulnerability in SAP BusinessObjects Business Intelligence Platform, the criticality is medium

[CVE-2026-34264] Information Disclosure vulnerability in SAP Human Capital Management for SAP S/4HANA, medium criticality

Key inputs:

Of the remaining security notes, 16 (15 new and 1 updated) deal with medium-severity vulnerabilities that could lead to information disclosure.

The vulnerabilities may trigger denial-of-service (DoS), XSS attacks, code injection, redirection to malicious content or code execution in the victim’s browser.

Patching:

The flaws were patched in BusinessObjects, Business Analytics, Content Management, S/4HANA, Supplier Relationship Management, NetWeaver, HANA Cockpit and HANA Database Explorer, Material Master Application and S4CORE.

The two remaining notes address low-severity code injection bugs in NetWeaver and Landscape Transformation.

Refer to

Dec 2025 Security Advisory SAP Security Patch Released, Critical RCE Fixed & DoS Vulnerabilities

Conclusion: SAP strongly recommends that the customer visits the support portal and applies patches on priority to protect their SAP landscape.

Sources: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2026.html

Sources: https://www.securityweek.com/sap-patches-critical-abap-vulnerability/

CISCO Vulnerability Allows RCE in its Smart Software Manager on-Premise

CVE-2026-20160, Vulnerability in CISCO’s smart software manager may allows attackers to gain complete control over the affected system without needing authentication which is gaining prior access to exploit the system. The CVSS severity score of 9.8 out of 10, indicating its high risk level.

Authentication and access controls play a crucial role in web application and system security. What can happen?

Data theft
System compromise
Privilege escalation

CISCO’s Smart Software Manager Flaw

In this case the vulnerability exposure allowed unauthorized access, as attackers do not need login credentials when a hacker can execute arbitrary commands on the operating system. Further escalating by creating crafted request to the service’s API. The vulnerability impacted certain versions of the Cisco SSM On-Prem environments, particularly software releases from 9-202502 to 9-202510.

Remediation for organizations

Organizations can prevent authentication bypass through regular patching, multi-factor authentication, encryption, and strong password policies.

The vulnerability did not impact CISCO’s smart software newly released version 9-202601 includes a patch that fixes the flaw.

Cisco advises to upgrade to version 9-202601 immediately, as there are no current workarounds or temporary mitigations to block potential attacks.

For IT teams notes include devices meet the necessary memory and hardware specifications before proceeding with the update.

Key findings from CVE-2026-20160 Vulnerability

The vulnerability was discovered internally by Cisco’s Technical Assistance Center (TAC) team and they found no immediate exploitations in the wild

With the disclosure can motivate hackers to reverse-engineer the patch and search for vulnerable systems. Following Cisco’s guidelines and maintaining up-to-date security measures will be essential in mitigating risks associated and stop any kind of data breaches.

Conclusion:

Research shows that, making timely patching critical for authentication security is essential and failing to do that can lead to data breaches.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory. Cisco strongly recommends that customers upgrade to the fixed software indicated in this advisory.

Sources: Cisco Smart Software Manager On-Prem Arbitrary Command Execution Vulnerability

Critical Vulnerability CVE-2026-4681 in Windchill & FlexPLM Exposes Systems to RCE

PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3.

Vulnerability details:

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically:

Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0

Description

The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
CVE-2026-4681 has been reported
- CWE – CWE-94: Improper Control of Generation of Code (‘Code Injection’) (4.19.1)
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
  - CVSS v3.1 Base Score: 10.0 (Critical)
  - CVSS v4 Base Score: 9.3 (Critical)
At this time, there is no evidence of confirmed exploitation affecting PTC customers

Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability

Immediate Mitigation Steps

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include:

For Apache HTTP Server

Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.
Add the following directive:

<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied

Ensure this file is the last in the configuration sequence and restart the Apache server.

For Microsoft IIS

Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.
Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.
Restart IIS using iisreset and confirm the rule is active in IIS Manager.

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures.

Additional Protection Measures

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet.

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.

Indicators of Compromise

Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability:

Network and User-Agent Patterns

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Suspicious HTTP requests: run?p= .jsp?p=, run?c= .jsp?c=

File System Indicators

GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)
Any dpr_<8-hex-digits>.jsp file
Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution.

Log and Error Patterns

Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception

PTC strongly urges customers to report any identified

Log and Error Patterns

Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception

PTC strongly urges customers to report any new identified IOCs immediately and initiate security response plans.

This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments.

By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect their data

Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv

Microsoft Releases Tuesday Patch-March 2026; Fixed 83 Flaws

Microsoft Tuesday Patch March 2026 fixes 83 Vulnerabilities Including 2 Actively Exploited Zero-Days

SolarWinds Serv-U15.5.4 Rocked by Critical RCE Vulnerabilities; Patch Now

Summary : SolarWinds has fixed four critical vulnerabilities in its popular Serv-U file transfer solution, which is used by businesses and organizations of all sizes. vulnerabilities impact SolarWinds Serv-U Managed File Transfer, a platform frequently deployed as an internet-facing FTP/FTPS/SFTP gateway or as an internal file exchange service handling sensitive data.

OEM	SolarWinds
Severity	Critical
CVSS Score	9.1
CVEs	CVE-2025-40538, CVE-2025-40539, CVE-2025-40540, CVE-2025-40541
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

SolarWinds stated that there are no confirmed reports of active exploitation at this time. However, given previous Serv-U vulnerabilities were exploited by advanced threat actors.

SolarWinds Serv-U

is a secure file transfer server used by organizations to manage FTP, FTPS, SFTP, and HTTP/S file transfers across enterprise environments. It is commonly deployed on Windows and Linux servers to securely exchange sensitive business data.

SolarWinds fixed four critical remote code execution vulnerabilities in Serv-U 15.5. These vulnerabilities could allow an attacker with administrative privileges to execute arbitrary native code as root on the affected server.

Vulnerability Name	CVE ID	Product Affected	Severity	CVSS Score	Fixed Version
Broken Access Control Remote Code Execution Vulnerability	CVE-2025-40538	Serv-U	Critical	9.1	Serv-U 15.5.4
Type Confusion Remote Code Execution Vulnerability	CVE-2025-40539	Serv-U	Critical	9.1	Serv-U 15.5.4
Type Confusion Remote Code Execution Vulnerability	CVE-2025-40540	Serv-U	Critical	9.1	Serv-U 15.5.4
Insecure Direct Object Reference (IDOR) Remote Code Execution Vulnerability	CVE-2025-40541	Serv-U	Critical	9.1	Serv-U 15.5.4

Technical Summary

These critical vulnerabilities affect SolarWinds Serv-U version 15.5 and arise from weaknesses such as improper access control checks, type confusion errors, and insecure object reference handling.

If exploited, they may allow an attacker to run arbitrary native code with root-level privileges on the affected server.

Successful exploitation requires administrative access. Once obtained, an attacker could create unauthorized administrator accounts, and execute malicious code, potentially resulting in complete system compromise and further movement across the network.

SolarWinds strongly advises upgrading to Serv-U version 15.5.4 to address these security risks.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-40538	Serv-U 15.5	Improper access control enabling admin creation and root-level code execution	Admin account creation, full system compromise
CVE-2025-40539	Serv-U 15.5	Type confusion enabling arbitrary native code execution as root	Arbitrary native code execution
CVE-2025-40540	Serv-U 15.5	Type confusion leading to root-level native code execution	Root-level execution
CVE-2025-40541	Serv-U 15.5	IDOR enabling unauthorized access and root-level code execution	Remote code execution as root

Potential Consequences

Full server takeover

Privilege escalation

Lateral movement within enterprise network

Data exfiltration

Malware or backdoor deployment

Remediation:

Upgrade immediately to Serv-U product with below mentioning fixed version-

Serv-U 15.5.4

If immediate patching is not possible, apply the following temporary mitigations-

Restrict Serv-U administrative access to trusted IP ranges.

Enforce MFA for all Serv-U admin accounts.

Ensure services run with least privilege.

Conduct audit of newly created administrative accounts.

You can follow the recommendations below as a best practice-

Enforce strict administrative access controls.

Monitor logs for unauthorized privilege escalation.

Implement network segmentation for file transfer servers.

Apply regular patch management and vulnerability scanning.

Conclusion:
These four newly disclosed vulnerabilities in SolarWinds Serv-U represent critical remote code execution risks. Although exploitation has not been confirmed, Serv-U’s history of targeted attacks increases the urgency for patching.

Organizations should treat this as a priority patching event and immediately upgrade to Serv-U 15.5.4 to prevent potential root-level compromise.

References:

Serv-U 15.5.4 release notes

SolarWinds Patches 4 Critical Serv-U 15.5 Flaws Allowing Root Code Execution

Chrome Security Updates by Google Released For Actively Exploited Zero-Day 2026

Chrome update released to patch a zero-day vulnerability that has been exploited in the wild.

Critical Flaw Identified in Fortinet Product ‘FortiClientEMS’; Security Updates Released

Fortinet released security updates for CVE-2026-2164

Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw is classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests.

Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.

Technical Details

With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations relying on FortiClientEMS for endpoint management.

The flaws affect the following versions –

FortiClientEMS 7.2 (Not affected)
FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
FortiClientEMS 8.0 (Not affected)

The vulnerability, CVE-2026-21643, resides in the FortiClientEMS administrative web interface.

Reason for the flaw or vulnerability to appear is caused by improper neutralization of user-supplied input in SQL queries. The flaw allows an unauthenticated attacker to send specially crafted HTTP requests to the FortiClientEMS GUI.

This resulted in the execution of arbitrary SQL statements, leading to unauthorized access, data exfiltration, privilege escalation and remote code execution (RCE) on any primary system.

Remediation

Immediate patching is strongly recommended to prevent potential exploitation, as the vulnerability allows attackers to bypass authentication and gain full control over the targeted system.

In addition to patching, organizations should implement the following best practices to reduce exposure and detect potential exploitation attempts.
Administrators should review web server and application logs for unusual or unauthorized HTTP requests targeting the FortiClientEMS administrative interface.
Monitoring for unexpected creation of administrative accounts or the execution of system commands originating from the FortiClientEMS host can help identify compromise.
Restricting network access to the FortiClientEMS management interface to trusted IP addresses and enforcing strong authentication controls can further reduce the attack surface.

There is currently no evidence of exploitation in the wild but the flaw has been termed a high-priority issue for all organizations using the affected product version, reason the attack surface is vulnerable.

Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.

Conclusion:

The vulnerability is not present in FortiClientEMS versions 7.2, 8.0, or FortiEMS Cloud. The issue has been resolved in FortiClientEMS version 7.4.5 and later.

In the past similar Fortinet SQL injection and remote code execution vulnerabilities were found in Fortinet products and was targeted by cybercriminals and state-sponsored actors for financial benefits.

Sources: FortiClientEMS CVE-2026-21643: Critical Unauthenticated SQL Injection Vulnerability Allows Remote Code Execution

Critical Solar Winds Vulnerabilities being Exploited by Threat Actors

Critical Ivanti EPMM Attacks Exploited RCE; Security Updates Released

Ivanti has disclosed two critical code injection vulnerabilities in its Endpoint Manager Mobile (EPMM) product that enable unauthenticated remote code execution and have been exploited in zero-day attacks.