Open Claw Vulnerabilities Reflect AI Agents Operate with High privilege
Open Claw Vulnerabilities Reflect How AI Agents Operate with High privilege
Continue ReadingVulnerabilites
Trellix Source Code Breach, Raise Incident Response Protocol Concern
Trellix Source Code Breach exposes vulnerabilites
Continue Reading
CISA added FileZen CVE-2026-25108 to its KEV Catalog; Patch Now
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog, that is being exploited in the wild.
Findings from CISA also confirmed about the flaw, that it affects Soliton Systems K.K. FileZen, a file transfer product. It has been included in KEV, sensing urgency for organizations still running vulnerable versions of the product.
“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request,” CISA said.
Key Findings from FileZen CVE-2026-25108 vulnerability added in CISA’s KEV list
The primary reason after evaluation by threat researcher’s were –
FileZen CVE-2026-25108 is an OS command injection vulnerability. According to NVD, when the FileZen Antivirus Check Option is enabled, a logged-in user can send a specially crafted HTTP request and execute arbitrary operating system commands. In such scenario an attacker with valid access could potentially run commands on the underlying server, creating serious risk to confidentiality, integrity, and availability.
- The vulnerability carries a CVSS v4 score of 8.7 (High) from JPCERT/CC, and NVD also lists a CVSS v3.1 score of 8.8 (High).
- Being a high-severity, actively exploited flaw tied to direct command execution and class of bug occurs when an application improperly handles input that ends up being interpreted by the operating system as a command.
- For attackers it becomes easy to manipulate server behavior and potentially execute arbitrary commands
Why CISA added FileZen CVE-2026-25108 to its KEV
- The vulnerability is not unauthenticated and any exploitation by attackers will requires a user to be logged in and it’s still not safe.
- What we witnessed in case of many real-world attacks always begins with stolen credentials or weak passwords or previously compromised accounts of less privileged.
- Any availability of any valid account could escalate the flaw like FileZen CVE-2026-25108 can pave way for an deeper compromise in future.
- This is exactly why CISA’s KEV addition matters so much. A KEV listing means the issue has moved beyond theoretical risk and into confirmed real-world exploitation.
Impact of the Vulnerability as assessed by vendor JVN (Japan Vulnerability Notes)
JVN states that if a user logs in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.
Soliton similarly says there is a possibility that a remote third party could execute arbitrary OS commands within FileZen.
The practical impact of that can be severe. Depending on server configuration and user privileges, successful exploitation could allow an attacker to:
- Run unauthorized commands on the server
- Manipulate files or processes
- Establish persistence
- Access sensitive transferred data
- Use the compromised FileZen environment as a pivot point into internal systems
Technical Analysis of CVE-2026-25108
OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.
Remediation & understanding why it is essential to integrate with threat intelligence monitoring platform
Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. When vendor platform Soliton indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update.
As per vendor’s suggestion a resetting of password for all users if an organization suspects a compromise. Integration with cyber threat intelligence platform will provide early warning indicators of exploitation as cyber threat intelligence platforms collect data from various sources to provide early warning indicators of exploitation.
CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. This mandate specifically applies to federal agencies, it serves as a stark reminder for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.
Sources; CVE-2026-25108 CISA Confirms Active Exploitation of FileZen
Threat Landscape Expands in Supply Chain Due to Ransomware Attacks
How Ransomware Supply Chain Attacks Works
Continue Reading
Critical Flaw Identified in Fortinet Product ‘FortiClientEMS’; Security Updates Released
Fortinet released security updates for CVE-2026-2164
Fortinet has recently addressed a critical security vulnerability, identified as CVE-2026-21643, in its FortiClientEMS product. This flaw is classified as a SQL injection vulnerability, enables unauthenticated remote attackers to execute arbitrary code or system commands on affected systems by sending specially crafted HTTP requests.
Fortinet has released security updates to address a critical flaw impacting FortiClientEMS that could lead to the execution of arbitrary code on susceptible systems.
Technical Details
With a CVSS v3.1 base score of 9.1, this vulnerability is considered critical and poses a significant risk to organizations relying on FortiClientEMS for endpoint management.
The flaws affect the following versions –
- FortiClientEMS 7.2 (Not affected)
- FortiClientEMS 7.4.4 (Upgrade to 7.4.5 or above)
- FortiClientEMS 8.0 (Not affected)
The vulnerability, CVE-2026-21643, resides in the FortiClientEMS administrative web interface.
Reason for the flaw or vulnerability to appear is caused by improper neutralization of user-supplied input in SQL queries. The flaw allows an unauthenticated attacker to send specially crafted HTTP requests to the FortiClientEMS GUI.
This resulted in the execution of arbitrary SQL statements, leading to unauthorized access, data exfiltration, privilege escalation and remote code execution (RCE) on any primary system.
Remediation
Immediate patching is strongly recommended to prevent potential exploitation, as the vulnerability allows attackers to bypass authentication and gain full control over the targeted system.
- In addition to patching, organizations should implement the following best practices to reduce exposure and detect potential exploitation attempts.
- Administrators should review web server and application logs for unusual or unauthorized HTTP requests targeting the FortiClientEMS administrative interface.
- Monitoring for unexpected creation of administrative accounts or the execution of system commands originating from the FortiClientEMS host can help identify compromise.
- Restricting network access to the FortiClientEMS management interface to trusted IP addresses and enforcing strong authentication controls can further reduce the attack surface.
There is currently no evidence of exploitation in the wild but the flaw has been termed a high-priority issue for all organizations using the affected product version, reason the attack surface is vulnerable.
Fortinet has since acknowledged that the issue has been actively exploited by bad actors to create local admin accounts for persistence, make configuration changes granting VPN access to those accounts, and exfiltrate the firewall configurations.
Conclusion:
The vulnerability is not present in FortiClientEMS versions 7.2, 8.0, or FortiEMS Cloud. The issue has been resolved in FortiClientEMS version 7.4.5 and later.
In the past similar Fortinet SQL injection and remote code execution vulnerabilities were found in Fortinet products and was targeted by cybercriminals and state-sponsored actors for financial benefits.
Ransomware attackers Exploit VMware ESXi arbitrary-write vulnerability
VMware ESXi VMware vulnerabilities
Continue Reading
Securing IoT Devices From Hackers Eye in 2026
Securing IoT Devices
Continue Reading
Shai-Hulud’s ‘Second Coming’ npm Malware Infects Popular Developer Packages
Shai-Hulud malware campaign, npm Packages
Continue Reading
Indian Org’s to Hire more Dedicated Cyber security professional says Report ; Role of BISO to Gain Traction
BISO Analytics from Intrucept ‘A Unified platform to map Business risk with Cyber Risk
Continue Reading
Elastic Releases Critical Security Updates for Kibana & Elasticsearch
Security Advisory:
Elastic has released security updates for Kibana and Elasticsearch.
Addressed 5 vulnerabilities, including 3 high-severity Cross-Site Scripting (XSS) issues
This also include one sensitive data exposure flaw, and one credential leakage issue
| OEM | Elastic |
| Severity | High |
| CVSS Score | 8.7 |
| CVEs | CVE-2025-25009, CVE-2025-25017, CVE-2025-25018, CVE-2025-37727, CVE-2025-37728 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The most severe, CVE-2025-25009 (CVSS 8.7), affects Kibana’s case file upload functionality, potentially allowing attackers to execute arbitrary scripts. These vulnerabilities could allow data theft, session hijacking or privilege escalation in affected environments. Users & Administrators strongly advise to update to the patched versions immediately to mitigate risks.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Stored XSS Vulnerability via Case File Upload Vulnerability | CVE-2025-25009 | Kibana | High | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Kibana Cross Site Scripting (XSS) Vulnerability | CVE-2025-25017 | Kibana | High | |
| Kibana Stored Cross Site Scripting (XSS) Vulnerability | CVE-2025-25018 | Kibana | High |
Technical Summary
Elastic’s latest security patches fix several vulnerabilities in Kibana and Elasticsearch. These vulnerabilities could let attackers inject malicious code or gain access to sensitive information.
This could result in stolen data, taken-over user sessions, or even gaining higher access levels in the system. Although no active exploits have been reported, users are strongly advised to update immediately for protection to ensure optimal security and stability .
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-25009 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS via malicious file uploads in case management, allowing JavaScript injection | Data Theft, Session Hijacking, Privilege Escalation |
| CVE-2025-25017 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.3, 9.0.x ≤ 9.0.6, 9.1.x ≤ 9.1.3) | XSS in Vega visualization engine due to improper neutralization of inputs, enabling script execution | Malicious Script Execution |
| CVE-2025-25018 | Kibana (7.x ≤ 7.17.29, 7.x ≤ 7.17.29, 8.x ≤ 8.18.7, 8.19.x ≤ 8.19.4, 9.0.x ≤ 9.0.7, 9.1.x ≤ 9.1.4) | Stored XSS in Kibana due to improper validation of specified type of input. | Session Compromise, Unauthorized Access |
Other Vulnerabilities
In addition to the three high-severity flaws, Elastic patched 2 other vulnerabilities in the same Security Announcements release.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Sensitive Data Exposure in Audit Logging | CVE-2025- 37727 | Elasticsearch | Medium | v8.18.8, v8.19.5, v9.0.8, v9.1.5 |
| Credential Leakage in CrowdStrike Connector | CVE-2025- 37728 | Kibana (CrowdStrike Connector) | Medium | v8.18.8 and higher |
Recommendations:
Update Kibana and Elasticsearch immediately to the following versions
- Kibana/Elasticsearch: v8.18.8, v8.19.5, v9.0.8, v9.1.5 or the latest version.
If unable to update immediately you can follow some workarounds below
- For the CVE-2025-25009, For versions >= 7.12 to < 9.0 users can set “discover:searchFieldsFromSource: true” in Advanced Settings and there are no workarounds for 9.0+.
- For the CVE-2025-25017, users can disable Vega visualizations but note that this will disable all Vega charts in Kibana.
- For the CVE-2025-37727, users can set “xpack.security.audit.logfile.events.emit_request_body” to “false”.
Conclusion:
The Elastic security update addresses severe vulnerabilities in Kibana and Elasticsearch, including high-severity XSS issues that could enable attackers to compromise dashboards, steal data, or escalate privileges.
Although no exploitation has been reported but these vulnerabilities need immediate patching. Immediate action is essential to maintain system integrity and protect sensitive data in monitoring and logging environments.
References: