F5 Networks reclassified the BIG-IP APM vulnerability CVE-2025-53521 from a DoS issue to a critical remote code execution flaw, with attackers exploiting unpatched systems to deploy webshells. CISA has ordered federal agencies to patch, and F5 issued mitigations and indicators of compromise as online exposure of BIG-IP instances remains high. Patch now and review disks, logs, and terminal history for signs of intrusion.
Researchers analyze CVE-2026-32746, a pre-auth RCE in GNU inetutils Telnetd via a LINEMODE SLC buffer overflow. The issue stems from overflowing a small slcbuf when processing SLC triplets during LINEMODE negotiation, with exploitation heavily dependent on OS and architecture (64-bit vs 32-bit); while a reliable full RCE wasn't achieved across tested targets, a heap leak and an arbitrary-free primitive were demonstrated, potentially enabling code execution under favorable libc conditions. The vulnerability affects inetutils Telnetd and many forks across major distros (Ubuntu, Debian, FreeBSD, NetBSD, macOS, etc.), and patches have not been widely released at publication time. Detection strategies include probing for LINEMODE support and non-invasive overflow checks; watchTowr provides a detection artifact generator. Patch urgently, but note there is no universal fixed version yet; users should build from fixed commits or apply vendor mitigations.
Security researchers at LayerX revealed a zero-click remote code execution flaw in Claude Desktop Extensions (DXT) that leverages the Model Context Protocol to chain untrusted data from Google Calendar into a privileged local executor. An attacker can trigger the payload via a malicious calendar event with no user interaction, potentially compromising the host with the user’s privileges. The issue affects over 10,000 active Claude users and more than 50 DXT extensions; Anthropic has reportedly not fixed it yet, citing the architecture of MCP autonomy. Mitigations include disconnecting high-privilege local extensions from untrusted data sources and awaiting a patch or architectural changes to MCP. This serves as a warning about the security risks of AI agents autonomously bridging data to local systems.
Researchers detail WT-2026-0001 in SmarterMail, a pre-authentication admin password-reset bypass that can be triggered by calling a force-reset-password API with IsSysAdmin set to true, enabling admin access without verifying OldPassword and potentially yielding remote code execution via the Volume Mount feature. A PoC shows a JSON payload including IsSysAdmin, Username, and NewPassword. SmarterTools released patch 9511 on Jan 15, 2026 to fix the flaw, but exploitation was observed shortly after the patch, highlighting the urgent need to upgrade. The patched flow enforces admin verification and old-password checks, mitigating this bypass; the report also notes the ongoing risk and how attackers monitor patches to exploit high-value targets.
MongoDB has issued an urgent warning to patch a severe remote code execution vulnerability (CVE-2025-14847) affecting multiple versions of its database software. The flaw, due to improper handling of length parameters, allows unauthenticated attackers to execute arbitrary code. Admins are advised to upgrade to patched versions immediately or disable zlib compression to mitigate the risk. The vulnerability has been actively exploited in the past, emphasizing the need for prompt action.
Cisco has issued a warning about a high-severity, actively exploited vulnerability in IOS and IOS XE Software (CVE-2025-20352) that affects SNMP, allowing remote attackers with certain credentials to execute arbitrary code or cause a denial of service. The flaw, rooted in a stack overflow, has been patched in Cisco IOS XE Software Release 17.15.4a; interim mitigation involves restricting SNMP access to trusted users and monitoring SNMP activity.
Threat actors exploited a zero-day vulnerability in legacy Sitecore systems (CVE-2025-53690) involving a ViewState deserialization flaw caused by reused sample ASP.NET machine keys, leading to remote code execution and deployment of reconnaissance malware WeepSteel. The attack involved multi-stage exploits including privilege escalation and persistence techniques. Sitecore recommends immediate replacement and encryption of static machine keys to mitigate the vulnerability.
Cybersecurity researchers disclosed a high-severity vulnerability (CVE-2025-54136) in the AI code editor Cursor that allows remote code execution through malicious MCP file swaps, which has been addressed in version 1.3 by requiring repeated user approval for configuration changes. The flaw exposes significant risks in AI development environments, especially as AI tools become more integrated into workflows, and is part of broader concerns about AI security vulnerabilities and attack vectors.
New security flaws in Citrix Virtual Apps and Desktops could allow unauthenticated remote code execution (RCE) due to misconfigured MSMQ permissions and the use of BinaryFormatter for deserialization. The vulnerabilities, CVE-2024-8068 and CVE-2024-8069, require attackers to be authenticated users within the same Windows Active Directory domain. Citrix has released patches for affected versions, and Microsoft advises against using BinaryFormatter due to its security risks.
CISA confirms active exploitation of a critical remote code execution (RCE) bug (CVE-2024-21762) in Fortinet's FortiOS operating system, urging immediate patching or disabling SSL VPN to mitigate risks. Fortinet's confusing disclosure process regarding other RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) in FortiSIEM was clarified, emphasizing the need to secure all Fortinet devices due to the high likelihood of exploitation by malicious actors for cyber espionage and ransomware attacks.
Approximately 45,000 Jenkins servers are vulnerable to a critical remote code execution (RCE) flaw, CVE-2024-23897, due to a feature that allows attackers to read arbitrary files on the Jenkins controller's file system. Multiple public proof-of-concept exploits are in circulation, dramatically elevating the risk for unpatched Jenkins servers. The exposure heatmap indicates a massive attack surface, with most vulnerable instances in China and the United States. Administrators are urged to apply security updates immediately or consult the Jenkins security bulletin for mitigation recommendations and potential workarounds.
Multiple proof-of-concept exploits have been released for a critical Jenkins vulnerability, allowing unauthenticated attackers to read arbitrary files and execute arbitrary CLI commands. SonarSource researchers discovered two flaws, one enabling data access and the other allowing arbitrary command execution. Jenkins has released fixes for the flaws, but researchers have already reproduced attack scenarios and created working PoC exploits, with reports of hackers actively exploiting the vulnerabilities in the wild.
Jenkins has resolved nine security flaws, including a critical bug (CVE-2024-23897) that could lead to remote code execution (RCE) through its built-in command line interface (CLI). Attackers could exploit this vulnerability to read arbitrary files on the Jenkins controller file system, potentially leading to various attacks. The flaw has been fixed in Jenkins 2.442 and LTS 2.426.3, and a short-term workaround is recommended until the patch can be applied. This comes after Jenkins addressed severe security vulnerabilities last year.
More than 600 IP addresses are launching thousands of exploit attempts against a critical bug in out-of-date versions of Atlassian Confluence Data Center and Server, which can allow unauthenticated remote code execution (RCE) attacks. Despite Atlassian urging customers to update immediately, over 11,000 instances remain exposed on the internet, with more than 39,000 RCE attempts seen since January 19. Organizations with vulnerable instances are advised to assume a breach, patch, and take precautions, as this follows a string of critical flaws that have plagued the company in recent months.
Hackers are actively exploiting a critical remote code execution vulnerability, CVE-2023-22527, in outdated versions of Atlassian Confluence servers, with over 39,000 exploitation attempts recorded. The flaw allows unauthenticated remote attackers to execute code and affects versions 8.0.x to 8.5.3. Atlassian has released fixes for affected versions and advises administrators to update to secure versions released after December 5, 2023, while also recommending thorough system cleanup for potentially compromised instances.