Remote Code Execution

Cybersecurity News Security Advisory

Critical Vulnerability CVE-2026-4681 in Windchill & FlexPLM Exposes Systems to RCE

PTC has issued an urgent advisory regarding a critical Windchill and FlexPLM vulnerability that exposes affected systems to Remote Code Execution (RCE). The flaw, identified as CVE-2026-4681, has been classified as a code injection vulnerability (CWE-94) and carries a CVSS v3.1 base score of 10.0 and CVSS v4 score of 9.3. 

Vulnerability details:

The company says that it has not found any evidence that the vulnerability is being exploited against PTC customers. However, PTC published a set of specific indicators of compromise (IoCs) that include a user agent string and files.

The flaw affects a broad range of Windchill PDMLink and FlexPLM releases, specifically: 

  • Windchill PDMLink: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.2.0, 12.1.2.0, 13.0.2.0, 13.1.0.0, 13.1.1.0, 13.1.2.0, 13.1.3.0  
  • FlexPLM: 11.0 M030, 11.1 M020, 11.2.1.0, 12.0.0.0, 12.0.2.0, 12.0.3.0, 12.1.2.0, 12.1.3.0, 13.0.2.0, 13.0.3.0  
Description
  • The vulnerability is a Remote Code Execution (RCE) issue that may be exploited through deserialization of untrusted data
  • CVE-2026-4681 has been reported
  • At this time, there is no evidence of confirmed exploitation affecting PTC customers

Remediation: PTC is actively developing and releasing security patches for all supported Windchill versions to address the identified vulnerability

Immediate Mitigation Steps 

PTC has issued specific guidance to reduce the risk until official security patches are released. These steps include: 

For Apache HTTP Server 

  1. Create a new configuration file named 90-app-Windchill-Auth.conf under <APACHE_HOME>/conf/conf.d/.  
  2. Add the following directive: 

<LocationMatch “^.*servlet/(WindchillGW|WindchillAuthGW)/com.ptc.wvs.server.publish.Publish(?:;[^/]*)?/.*$”>
Require all denied 

  • Ensure this file is the last in the configuration sequence and restart the Apache server.  

For Microsoft IIS 

  1. Verify the presence of the URL Rewrite module; if absent, download and install from the IIS website.  
  2. Modify the web.config file to include the rewrite rule as the first tag in <system.webServer>.  
  3. Restart IIS using iisreset and confirm the rule is active in IIS Manager.  

PTC advises applying the same workaround steps to File Server or Replica Server configurations and notes that older Windchill releases may require adjusted procedures. 

Additional Protection Measures 

For organizations unable to immediately implement mitigations, PTC recommends temporarily shutting down Windchill or FlexPLM services or disconnecting systems from the public Internet. 

PTC has also committed to 24×7 customer support for all users affected by this critical vulnerability. For PTC cloud-hosted customer.

Indicators of Compromise 

Advisory for security Teams to monitor for specific signs that may indicate exploitation of the Windchill vulnerability or FlexPLM vulnerability: 

Network and User-Agent Patterns 

  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36  
  • Suspicious HTTP requests: run?p= .jsp?p=, run?c= .jsp?c=  

File System Indicators 

  • GW.class or payload.bin (SHA256: C818011CAFF82272F8CC50B670304748984350485383EBAD5206D507A4B44FF1)  
  • Any dpr_<8-hex-digits>.jsp file  
  • Other class files, including Gen.class, HTTPRequest.class, HTTPResponse.class, IXBCommonStreamer.class, IXBStreamer.class, MethodFeedback.class, MethodResult.class, WTContextUpdate.class, and their Java equivalents  

The presence of these files indicates that a potential attacker may have prepared the system for Remote Code Execution. 

Log and Error Patterns 

  • Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception  

PTC strongly urges customers to report any identified

Log and Error Patterns 

  • Messages referencing GW_READY_OK, ClassNotFoundException for GW Windchill, or HTTP Gateway Exception  
  • PTC strongly urges customers to report any new identified IOCs immediately and initiate security response plans. 
  • This particular vulnerability highlights the importance of proactive security monitoring and rapid mitigation in enterprise software environments.
  • By following the recommended steps, organizations can reduce the risk of Remote Code Execution and protect their data

Source: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-critical-vulnerability?srsltid=AfmBOooLDdBNS2lOeRasqrbyOfjfVKyhJH6Z_wfzqO93k3cqVQcSueEv

Security Advisory

Critical Fluent Bit Vulnerabilities Allow RCE & Cloud Infrastructure at Risk 

Summary : Fluent Bit is a widely used opensource tool for collecting and forwarding logs in cloud and containers like Kubernetes environments. A chain of 5 critical vulnerabilities discovered by Oligo Security team and findings reveal that attackers can misuse via Remote code execution putting cloud and container at risk.

Severity Critical 
CVSS Score 9.1  
CVEs CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities are CVE-2025-12977  CVE-2025-12970, CVE-2025-12969, CVE-2025-12978 , CVE-2025-12972. The vulnerabilities allow attackers to bypass authentication, manipulate log routing, achieve remote code execution, potentially leading to full compromise of cloud and Kubernetes environments using Fluent Bit for logging and observability.

Organizations relying on Fluent Bit must upgrade to the fixed versions and harden configurations to prevent remote takeover and log tampering. 

                      Vulnerability Name CVE ID Product Affected Severity CVSS Score Fixed Version 
​Fluent Bit Tag_Key Input Validation Bypass CVE-2025-12977 Fluent Bit Critical 9.1 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit Docker Input Stack Buffer Overflow CVE-2025-12970 Fluent Bit High 8.8 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit Forward Input Authentication Bypass CVE-2025-12969 Fluent Bit Medium 6.5 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit Tag Spoofing via Partial Tag_Key Match CVE-2025-12978 Fluent Bit Medium 5.4 v4.0.12+ , v4.1.1+ , v4.2.0+ 
Fluent Bit File Output Path Traversal CVE-2025-12972 Fluent Bit Medium 5.3 v4.0.12+ , v4.1.1+ , v4.2.0+ 

Technical Summary 

Fluent Bit vulnerabilities center around unsafe handling of tags and inputs, enabling attackers to manipulate routing, file paths and memory in ways that directly impact host systems and downstream security tooling.

These flaws can allow path traversal and arbitrary file writes, which in many real-world setups may escalate to remote code execution and persistent node compromise.

Additional vulnerabilities include stack buffer overflows and missing authentication checks that let attackers crash agents, execute code and inject false telemetry into trusted logging pipelines. 

Source: Oligo.security 

CVE ID Vulnerability Details Impact 
CVE-2025-12977 Improper input validation allows injection of control chars, newlines, and path traversal sequences in tag values. Log corruption and output injection. 
CVE-2025-12970 Stack buffer overflow on container name copy due to lack of length check. Crash or RCE. 
CVE-2025-12969 Authentication bypass disables user-based auth, allowing unauthenticated log injection. Unauthorized log injection. 
CVE-2025-12978 Partial string comparison on Tag_Key lets attacker spoof tags by guessing first char. Manipulation of log routing and filtering. 
CVE-2025-12972 Path traversal via unsanitized tags causes arbitrary file write and possible remote code execution. Arbitrary file write and RCE. 

Remediation

  • Upgrade all Fluent Bit deployments to v4.2.0 / v4.1.1 / v4.0.12  or latest version. 

Here are some recommendations below  

  • Avoid using dynamic or untrusted tags in configuration for routing or file naming. 
  • Always set explicit fixed Path or File parameters in out_file outputs to prevent path traversal. 
  • Ensure forward inputs use both Shared_Key and Security.Users for proper authentication enforcement. 
  • Limit network access to Fluent Bit instances to trusted sources only. 
  • Run Fluent Bit with least privilege and restrict filesystem and configuration file write permissions. 
  • Monitor logs and telemetry for abnormal tag values or unexpected log routing changes. 

Conclusion: 
The Fluent Bit vulnerabilities enable attackers to hide activity, corrupt evidence and even gain direct control of cloud workloads.

This puts cloud systems at risk because security teams may not see the real activity happening inside their environment.

Organizations using Fluent Bit should patch immediately, restrict network access and enforcing strong authentication and least‑privilege deployment as urgent priorities to reduce the risk of remote takeover and systemic observability compromise. 

References

Security Advisory

Critical Remote Code Execution in Nokia WaveSuite NOC 

Summary : Security Advisory: Two command injection vulnerabilities have been found in Nokia’s WaveSuite Network Operations Center (WS-NOC), a key tool used to manage telecom and enterprise networks.

OEM Nokia 
Severity Critical 
CVSS Score 9.0 
CVEs CVE-2025-24936, CVE-2025-24938   
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

These vulnerabilities allow attackers with limited access to run malicious commands on the system’s operating system. The vulnerabilities affect WS-NOC versions 23.6, 23.12, and 24.6. Nokia has released fixes in version 24.6 FP3 and newer. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Command Injection Vulnerability  CVE-2025-24936 Nokia WS-NOC  Critical  v24.6 FP3 & later 
​ Command Injection Vulnerability  CVE-2025-24938 Nokia WS-NOC  High  v24.6 FP3 & later 

Technical Summary 

The first vulnerability, CVE-2025-24936, CVSS- 9.0 due to the system doesn’t properly check parts of a web address (URL). The attacker with low privileged access can trick the system into running malicious commands, as if they were part of the system itself. As this flaw has been published, attackers can remotely target exposed or inadequately secured administrative pages. 

The second issue, with the CVE-2025-24938, CVSS- 8.4 affects to new user accounts are created through the web interface. In this case, with high privileged access – administrators can intentionally enter harmful commands because their input isn’t being filtered properly. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025- 24936 WS-NOC 23.6, 23.12, 24.6 Unfiltered URL input enables command injection by low-privileged users. Remote code execution 
CVE-2025- 24938 WS-NOC 23.6, 23.12, 24.6 Insufficient input validation during account creation enables command injection. Privilege escalation, Remote code execution 

Remediation

  • Immediate Action: Upgrade WS-NOC to version 24.6 FP3 or latest one to mitigate both vulnerabilities. 

Recommendations: 

  • Configuration Check: Restrict admin panel and WS-NOC access to trusted, internal networks only. 
  • Environment Hardening: Regularly audit user privileges, conduct input validation reviews, and deploy security monitoring for unusual command executions originating from the WS-NOC application. 

Conclusion: 

CVE-2025-24936 and CVE-2025-24938 are critical command injection vulnerabilities in Nokia WaveSuite NOC, which is used in telecom systems around the world. These vulnerabilities allow attackers to execute malicious commands with limited access. As these systems are part of critical infrastructure, prompt patching is essential to prevent potential remote attacks and network disruption. 

References

Security Advisory

Critical 0-Day RCE Vulnerability in Fortinet Products (CVE-2025-32756) Actively Exploited 

Summary :

A critical unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-32756, has been identified in multiple Fortinet products.

OEM Fortinet 
Severity Critical 
CVSS Score 9.8 
CVEs CVE-2025-32756 
POC Available Yes 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

The flaw is currently under active exploitation, allowing attackers to take full control of affected systems via a buffer overflow in the /remote/hostcheck_validate endpoint. A public PoC is available, significantly increasing the risk to unpatched devices. 

Vulnerability Name CVE ID Product Affected Severity 
Remote Code Execution Vulnerability  CVE-2025-32756 Fortinet Products  Critical 

Technical Summary 

CVE-2025-32756 is a critical unauthenticated Remote Code Execution (RCE) vulnerability affecting multiple Fortinet products. The vulnerability resides in the /remote/hostcheck_validate endpoint and is due to improper bounds checking when parsing the enc parameter of the AuthHash cookie.

This allows attackers to trigger a stack-based buffer overflow and execute arbitrary code remotely without requiring authentication. 

The exploit is publicly available as a Python script that sends a specially crafted HTTP POST request targeting the vulnerable endpoint. Upon successful exploitation, attackers can achieve full system control. Fortinet has confirmed that this vulnerability is being actively exploited in the wild, particularly targeting FortiVoice and other Fortinet appliances. 

CVE ID System Affected  Vulnerability Details Impact 
  CVE-2025-32756  FortiVoice, FortiMail, FortiNDR, FortiRecorder, FortiCamera Stack-based buffer overflow via enc parameter in AuthHash cookie. Exploit uses a crafted POST request to /remote/hostcheck_validate.   Remote Code Execution, Full device takeover, persistence, data theft, log erasure. 

Remediation

  • Update Immediately: Apply the latest security patches provided by Fortinet. 
  • FortiVoice: 7.2.1+ / 7.0.7+ / 6.4.11+ 
  • FortiMail: 7.6.3+ / 7.4.5+ / 7.2.8+ / 7.0.9+ 
  • FortiNDR: 7.6.1+ / 7.4.8+ / 7.2.5+ / 7.0.7+ 
  • FortiRecorder: 7.2.4+ / 7.0.6+ / 6.4.6+ 
  • FortiCamera: 2.1.4+ 
  • Disable Admin Interfaces (HTTP/HTTPS) as a temporary workaround 

Indicator of Compromise 

For a list of observed Indicators of Compromise (IOCs), including malicious IP addresses, backdoor file paths and payload hashes, refer to the table below:  

IP Addresses FileHash-MD5 
156.236.76.90 2c8834a52faee8d87cff7cd09c4fb946 
198.105.127.124 4410352e110f82eabc0bf160bec41d21 
218.187.69.244 489821c38f429a21e1ea821f8460e590 
218.187.69.59 ebce43017d2cb316ea45e08374de7315 
43.228.217.173 364929c45703a84347064e2d5de45bcd 
43.228.217.82   

Conclusion: 
CVE-2025-32756 poses a severe threat to Fortinet users, with confirmed in-the-wild exploitation and publicly available PoC.

Organizations must patch all affected systems immediately, audit for compromise indicators, and block known malicious IPs. The vulnerability’s high impact and ease of exploitation warrant urgent action to prevent widespread breaches and data loss. 

These activities suggest sophisticated threat actors are conducting comprehensive compromise operations rather than opportunistic attacks.

Security analysts have identified several IP addresses associated with the attacking threat actors, including 198.105.127.124, 43.228.217.173, 43.228.217.82, 156.236.76.90, 218.187.69.244, and 218.187.69.59.

References

Security Advisory

Linux Kernel Exploitation in ksmbd (CVE-2025-37899) Discovered with AI Assistance

Summary: A high-severity use-after-free vulnerability (CVE-2025-37899) has been discovered in the ksmbd component of the Linux kernel, which implements the SMB3 protocol for file sharing.

OEMLinux
SeverityHigh
CVSS ScoreN/A
CVEsCVE-2025-37899
Actively ExploitedNo
Exploited in WildNo
Advisory Version1.0

Overview

The vulnerability, confirmed on May 20, 2025 which was uncovered through AI-assisted code analysis using OpenAI’s o3 model. It affects multiple versions of the Linux kernel and may lead to arbitrary code execution with kernel privileges. As of now, no official fix is available, but Linux distributions including SUSE team are actively working on patches.

Vulnerability NameCVE IDProduct AffectedSeverity
​ksmbd use-after-free vulnerability  CVE-2025-37899Linux kernel  High

Technical Summary

The vulnerability lies in the ksmbd kernel server component responsible for SMB3 protocol handling.

A use-after-free bug occurs when one thread processes a logoff command and frees the sess->user object, while another thread bound to the same session attempts to access the same object simultaneously. This results in a race condition that can lead to memory corruption and potentially enable attackers to execute arbitrary code with kernel privileges.

CVE IDSystem AffectedVulnerability DetailsImpact
    CVE-2025-37899  Linux kernel (ksmbd)A race condition during handling of SMB2 LOGOFF commands. sess->user is freed in one thread while still being accessed in another, leading to a classic use-after-free vulnerability. The absence of synchronization around sess->user allows attackers to exploit the freed memory during concurrent SMB operations.  Kernel memory corruption, privilege escalation, remote code execution

Remediation:

  • Fix status: As of now, an official fix has not been released. Linux distributions, including SUSE, are actively developing and testing patches.

General Recommendations

  • Monitor your distribution’s security advisories and apply patches as soon as they are available.
  • Consider disabling or restricting ksmbd (in-kernel SMB3 server) if not explicitly required.
  • Use firewall rules to restrict access to SMB services to trusted networks.
  • Employ kernel hardening options (e.g. memory protections, SELinux/AppArmor policies).
  • Audit SMB traffic for signs of abnormal session setup and teardown behavior.

Conclusion:
CVE-2025-37899 highlights the increasing role of AI in modern vulnerability discovery and the complex nature of concurrency bugs in kernel components. While no fix is yet available, administrators should apply defense-in-depth strategies and watch for updates from their Linux vendors.

The discovery underscores the importance of rigorous code audits, especially in components exposed to network traffic and multithreaded processing.

References:

Scroll to top