Microsoft Patches SharePoint RCE Flaw Enabling RCE Attacks
Microsoft SharePoint Remote Code Execution Vulnerability CVE-2026-45659 Patches Rolled out
Continue ReadingRemote Code Execution
Critical Vulnerability CVE-2026-4681 in Windchill & FlexPLM Exposes Systems to RCE
PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3.
Vulnerability details:
The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.
The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically:
- Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0
- FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0
Description
- The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
- CVE-2026-4681 has been reported
- CWE – CWE-94: Improper Control of Generation of Code (‘Code Injection’) (4.19.1)
- Note that CVE.org only supports the latest CVSS scoring calculator (v4). Our Advisory also reflects the score of 10.0 based on the CVSS3.1 calculator.
- CVSS v3.1 Base Score: 10.0 (Critical)
- CVSS v4 Base Score: 9.3 (Critical)
- At this time, there is no evidence of confirmed exploitation affecting PTC customers
Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability
Immediate Mitigation Steps
PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include:
For Apache HTTP Server
- Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.
- Add the following directive:
<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied
- Ensure this file is the last in the configuration sequence and restart the Apache server.
For Microsoft IIS
- Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.
- Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.
- Restart IIS using iisreset and confirm the rule is active in IIS Manager.
PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures.
Additional Protection Measures
For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet.
PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.
Indicators of Compromise
Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability:
Network and User-Agent Patterns
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
- Suspicious HTTP requests: run?p= .jsp?p=, run?c= .jsp?c=
File System Indicators
- GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)
- Any dpr_<8-hex-digits>.jsp file
- Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents
The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution.
Log and Error Patterns
- Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception
PTC strongly urges customers to report any identified
Log and Error Patterns
- Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception
- PTC strongly urges customers to report any new identified IOCs immediately and initiate security response plans.
- This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments.
- By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect their data
Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv
Critical Fluent Bit Vulnerabilities Allow RCE & Cloud Infrastructure at Risk
Summary : Fluent Bit is a widely used opensource tool for collecting and forwarding logs in cloud and containers like Kubernetes environments. A chain of 5 critical vulnerabilities discovered by Oligo Security team and findings reveal that attackers can misuse via Remote code execution putting cloud and container at risk.
| Severity | Critical |
| CVSS Score | 9.1 |
| CVEs | CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities are CVE-2025-12977 CVE-2025-12970, CVE-2025-12969, CVE-2025-12978 , CVE-2025-12972. The vulnerabilities allow attackers to bypass authentication, manipulate log routing, achieve remote code execution, potentially leading to full compromise of cloud and Kubernetes environments using Fluent Bit for logging and observability.
Organizations relying on Fluent Bit must upgrade to the fixed versions and harden configurations to prevent remote takeover and log tampering.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score | Fixed Version |
| Fluent Bit Tag_Key Input Validation Bypass | CVE-2025-12977 | Fluent Bit | Critical | 9.1 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Docker Input Stack Buffer Overflow | CVE-2025-12970 | Fluent Bit | High | 8.8 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Forward Input Authentication Bypass | CVE-2025-12969 | Fluent Bit | Medium | 6.5 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit Tag Spoofing via Partial Tag_Key Match | CVE-2025-12978 | Fluent Bit | Medium | 5.4 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
| Fluent Bit File Output Path Traversal | CVE-2025-12972 | Fluent Bit | Medium | 5.3 | v4.0.12+ , v4.1.1+ , v4.2.0+ |
Technical Summary
Fluent Bit vulnerabilities center around unsafe handling of tags and inputs, enabling attackers to manipulate routing, file paths and memory in ways that directly impact host systems and downstream security tooling.
These flaws can allow path traversal and arbitrary file writes, which in many real-world setups may escalate to remote code execution and persistent node compromise.
Additional vulnerabilities include stack buffer overflows and missing authentication checks that let attackers crash agents, execute code and inject false telemetry into trusted logging pipelines.
Source: Oligo.security
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-12977 | Improper input validation allows injection of control chars, newlines, and path traversal sequences in tag values. | Log corruption and output injection. |
| CVE-2025-12970 | Stack buffer overflow on container name copy due to lack of length check. | Crash or RCE. |
| CVE-2025-12969 | Authentication bypass disables user-based auth, allowing unauthenticated log injection. | Unauthorized log injection. |
| CVE-2025-12978 | Partial string comparison on Tag_Key lets attacker spoof tags by guessing first char. | Manipulation of log routing and filtering. |
| CVE-2025-12972 | Path traversal via unsanitized tags causes arbitrary file write and possible remote code execution. | Arbitrary file write and RCE. |
Remediation:
- Upgrade all Fluent Bit deployments to v4.2.0 / v4.1.1 / v4.0.12 or latest version.
Here are some recommendations below
- Avoid using dynamic or untrusted tags in configuration for routing or file naming.
- Always set explicit fixed Path or File parameters in out_file outputs to prevent path traversal.
- Ensure forward inputs use both Shared_Key and Security.Users for proper authentication enforcement.
- Limit network access to Fluent Bit instances to trusted sources only.
- Run Fluent Bit with least privilege and restrict filesystem and configuration file write permissions.
- Monitor logs and telemetry for abnormal tag values or unexpected log routing changes.
Conclusion:
The Fluent Bit vulnerabilities enable attackers to hide activity, corrupt evidence and even gain direct control of cloud workloads.
This puts cloud systems at risk because security teams may not see the real activity happening inside their environment.
Organizations using Fluent Bit should patch immediately, restrict network access and enforcing strong authentication and least‑privilege deployment as urgent priorities to reduce the risk of remote takeover and systemic observability compromise.
References:
Critical Remote Code Execution in Nokia WaveSuite NOC
Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.
| OEM | Nokia |
| Severity | Critical |
| CVSS Score | 9.0 |
| CVEs | CVE-2025-24936, CVE-2025-24938 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Command Injection Vulnerability | CVE-2025-24936 | Nokia WS-NOC | Critical | v24.6 FP3 & later |
| Command Injection Vulnerability | CVE-2025-24938 | Nokia WS-NOC | High | v24.6 FP3 & later |
Technical Summary
The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages.
The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025- 24936 | WS-NOC 23.6, 23.12, 24.6 | Unfiltered URL input enables command injection by low-privileged users. | Remote code execution |
| CVE-2025- 24938 | WS-NOC 23.6, 23.12, 24.6 | Insufficient input validation during account creation enables command injection. | Privilege escalation, Remote code execution |
Remediation:
- Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities.
Recommendations:
- Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only.
- Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application.
Conclusion:
CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption.
References:
Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited
Summary :
A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.
| OEM | Fortinet |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-32756 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2025-32756 | Fortinet Products | Critical |
Technical Summary
CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.
This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication.
The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-32756 | FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera | Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate. | Remote Code Execution, Full device takeover, persistence, data theft, log erasure. |
Remediation:
- Update Immediately: Apply the latest security patches provided by Fortinet.
- FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+
- FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+
- FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+
- FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+
- FortiCamera: 2.1.4+
- Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround
Indicator of Compromise
For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:
| IP Addresses | FileHash-MD5 |
| 156.236.76.90 | 2c8834a52faee8d87cff7cd09c4fb946 |
| 198.105.127.124 | 4410352e110f82eabc0bf160bec41d21 |
| 218.187.69.244 | 489821c38f429a21e1ea821f8460e590 |
| 218.187.69.59 | ebce43017d2cb316ea45e08374de7315 |
| 43.228.217.173 | 364929c45703a84347064e2d5de45bcd |
| 43.228.217.82 |
Conclusion:
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.
Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss.
These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.
Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.
References:
Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance
Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.
| OEM | Linux |
| Severity | High |
| CVSS Score | N/A |
| CVEs | CVE-2025-37899 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| ksmbd use-after-free vulnerability | CVE-2025-37899 | Linux kernel | High |
Technical Summary
The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.
A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-37899 | Linux kernel (ksmbd) | A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations. | Kernel memory corruption, privilege escalation, remote code execution |
Remediation:
- Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.
General Recommendations
- Monitor your distribution’s security advisories and apply patches as soon as they are available.
- Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
- Use firewall rules to restrict access to SMB services to trusted networks.
- Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
- Audit SMB traffic for signs of abnormal session setup and teardown behavior.
Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.
The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.
References:
Recent Comments