Vulnerabilities News

A new cybersecurity advisory from the Multi-State Information Sharing and Analysis Center (MS-ISAC) is alerting organizations to multiple vulnerabilities affecting Fortinet products, some of which could allow attackers to execute arbitrary code on impacted systems. The advisory, identified as MS-ISAC Advisory 2026-003, was issued on January 13, 2026, and applies to a wide range of enterprise, government, and education-focused technologies.  Among the affected solutions are FortiSandbox, FortiWeb, and FortiVoice, along with FortiOS, FortiClientEMS, FortiSwitchManager, FortiProxy, FortiFone, FortiSIEM, and FortiSASE. FortiOS, Fortinet’s proprietary operating system, is particularly notable because it is used across multiple product lines, meaning vulnerabilities within it can have cascading effects.  FortiSandbox, which performs advanced threat detection by analyzing suspicious files and network traffic for zero-day malware and ransomware, is impacted by a server-side request forgery vulnerability. FortiWeb, a web application firewall designed to protect applications and APIs from attacks such as SQL injection and cross-site scripting, may also be indirectly affected through its reliance on FortiOS. FortiVoice, a unified communications platform that supports voice, chat, conferencing, and fax services, is impacted by a filesystem-related vulnerability that could allow file deletion under certain conditions.  Technical Details of MS-ISAC Advisory  MS-ISAC reports that the most severe vulnerabilities could allow arbitrary code execution within the context of affected service accounts. If those service accounts are configured with elevated privileges, an attacker could install programs, alter or delete data, or create new accounts with full user rights. Systems that enforce least-privilege access models may experience reduced impact.  One of the most critical issues is a heap-based buffer overflow vulnerability (CWE-122) in the cw_acd daemon used by FortiOS and FortiSwitchManager. Identified as CVE-2025-25249, this flaw could allow a remote, unauthenticated attacker to execute arbitrary code or commands through specially crafted requests. Another high-severity vulnerability affects FortiSIEM, where an OS command injection flaw (CWE-78) tracked as CVE-2025-64155 could allow unauthenticated attackers to execute unauthorized commands via crafted TCP requests.  Lower-severity vulnerabilities were also documented. These include a path traversal vulnerability in FortiVoice (CVE-2025-58693), an SQL injection flaw in FortiClientEMS (CVE-2025-59922), an SSRF vulnerability in FortiSandbox (CVE-2025-67685), and an information disclosure issue in the FortiFone web portal (CVE-2025-47855).  Affected Versions, Risk Ratings, and Mitigation Guidance  The advisory lists a wide range of affected versions. FortiVoice versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.7 are impacted, while FortiSandbox versions 5.0.0 through 5.0.4 and all versions of 4.4, 4.2, and 4.0 are also affected. FortiOS versions from 6.4.0 through 7.6.3 are included, alongside multiple releases of FortiClientEMS, FortiSwitchManager, FortiSIEM, FortiFone, and FortiSASE.  MS-ISAC assesses the risk as high for large and medium government organizations and businesses, medium for small government entities and small businesses, and low for home users. At the time of issuance, there were no reports of active exploitation in the wild.  To reduce risk, MS-ISAC recommends applying Fortinet’s stable channel updates as soon as possible following appropriate testing. Additional guidance includes maintaining a formal vulnerability management and remediation process, conducting regular automated patching and vulnerability scans, and performing periodic penetration testing.  Organizations are also advised to enforce least-privilege access, manage default and administrative accounts carefully, enable anti-exploitation protections, and segment networks to limit potential lateral movement. 

Microsoft’s Patch Tuesday January 2026 update includes fixes for one actively-exploited zero day vulnerability and eight additional high-risk flaws. In all, the Patch Tuesday January 2026 update includes fixes for 112 Microsoft CVEs and three non-Microsoft CVEs, doubling December’s 57 vulnerabilities. The actively exploited zero day is CVE-2026-20805, a 5.5-rated Information Disclosure vulnerability affecting Desktop Window Manager (DWM). The vulnerability find is credited to Microsoft’s own Threat Intelligence Center and Security Response Center (MSRC). Microsoft says of the vulnerability, “Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager allows an authorized attacker to disclose information locally.” CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog shortly after Microsoft’s announcement. Other vendors issuing updates this week include Fortinet, SAP, ServiceNow, and Adobe, among others. Patch Tuesday January 2026 High-Risk Vulnerabilities Microsoft judged eight vulnerabilities as “exploitation more likely.” They include: CVE-2026-20816, a 7.8-rated Windows Installer Elevation of Privilege vulnerability credited to a DCIT security researcher. The time-of-check time-of-use (toctou) race condition in Windows Installer could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20817, a 7.8-severity Windows Error Reporting Service Elevation of Privilege vulnerability. Microsoft notes that “Improper handling of insufficient permissions or privileges in Windows Error Reporting allows an authorized attacker to elevate privileges locally,” potentially leading to SYSTEM privileges. GMO Cybersecurity was credited with the find. CVE-2026-20820 is a 7.8-rated Windows Common Log File System (CLFS) Driver Elevation of Privilege vulnerability. The heap-based buffer overflow in Windows Common Log File System Driver could allow an authorized attacker to elevate privileges locally and attain SYSTEM privileges. CVE-2026-20840 is 7.8-severity Windows NTFS Remote Code Execution vulnerability credited to Sergey Tarasov of Positive Technologies. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally. CVE-2026-20843 is another 7.8-rated flaw, a Windows Routing and Remote Access Service (RRAS) Elevation of Privilege vulnerability. Improper access control in Windows Routing and Remote Access Service (RRAS) could allow an authorized attacker to elevate privileges locally, potentially gaining SYSTEM privileges. CVE-2026-20860 is also rated 7.8, a Windows Ancillary Function Driver for WinSock Elevation of Privilege vulnerability credited to DEVCORE. The type confusion vulnerability in Windows Ancillary Function Driver for WinSock could allow an authorized attacker to elevate privileges locally. CVE-2026-20871, a Desktop Windows Manager Elevation of Privilege vulnerability, is also rated 7.8 and is credited to the Trend Zero Day Initiative. The use after free vulnerability in Desktop Windows Manager could allow an authorized attacker to elevate privileges locally. CVE-2026-20922 is also rated 7.8, a Windows NTFS Remote Code Execution vulnerability also credited to Tarasov. The heap-based buffer overflow vulnerability in Windows NTFS could allow an authorized attacker to execute code locally. Highest-Rated Vulnerabilities in the Patch Tuesday Update The highest-rated vulnerabilities in the report – three 8.8-severity flaws – were judged to be at lower risk of attack by Microsoft. They include: CVE-2026-20947, a Microsoft SharePoint Server Remote Code Execution/SQL Injection vulnerability CVE-2026-20963, a Microsoft SharePoint Remote Code Execution/Deserialization of Untrusted Data vulnerability CVE-2026-20868, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution/Heap-based Buffer Overflow vulnerability  

A 16-year-old Microsoft PowerPoint flaw and a new maximum-severity HPE vulnerability are the latest additions to CISA’s Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-37164 is a 10.0-rated Code Injection vulnerability in Hewlett Packard Enterprise’s OneView IT infrastructure management software, while CVE-2009-0556 is a 9.3-severity Code Injection vulnerability present in Microsoft Office PowerPoint 2000 SP3, 2002 SP3, and 2003 SP3, and PowerPoint in Microsoft Office 2004 for Mac. Per standard practice, CISA didn’t provide any details on how the PowerPoint and HPE vulnerabilities are being exploited, but it’s not unusual for the agency to add older vulnerabilities to the CISA KEV catalog. CISA added a 2007 Microsoft Excel vulnerability to the KEV catalog last year, while the oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups. The PowerPoint and HPE vulnerabilities are the first to be added to the KEV catalog in 2026, following 245 vulnerabilities added in 2025. CISA KEV Addition Follows CVE-2025-37164 PoC CISA’s addition of CVE-2025-37164 to the KEV catalog follows a Proof of Concept (PoC) exploit published by Rapid7 on Dec. 19. HPE notes that CVE-2025-37164 could allow a remote unauthenticated user to perform remote code execution. The company acknowledged Nguyen Quoc Khanh for reporting the issue. HPE has released a security hotfix for any version of HPE OneView from 5.20 through version 10.20, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage. While the HPE advisory says all versions through v10.20 are affected, the Rapid7 PoC notes that “Based on our analysis, we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis.” Rapid7 also released a Metasploit module for CVE-2025-37164. CVE-2009-0556 PowerPoint Flaw First Attacked in 2009 The Microsoft PowerPoint flaw could allow remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption. The National Vulnerability Database (NVD) notes that CVE-2009-0556 was initially exploited in the wild in April 2009 by Exploit:Win32/Apptom.gen. Microsoft’s May 2009 security bulletin notes that an attacker who successfully exploited the remote code execution vulnerability “could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” The vulnerability triggers memory corruption when PowerPoint reads an invalid index value in a maliciously crafted PowerPoint file, which could allow an attacker to execute arbitrary code. Microsoft notes that “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”  

Cybersecurity researchers have disclosed a new critical flaw in the popular workflow automation platform n8n that could allow unauthenticated attackers to fully compromise vulnerable systems. The issue, tracked as CVE-2026-21858 and assigned a maximum CVSS score of 10.0, is being described as one of the most severe n8n vulnerabilities reported to date.  The n8n vulnerability was discovered and responsibly disclosed by security researcher Dor Attias on November 9, 2025. n8n later confirmed the issue in a security advisory, warning that attackers could access files on the underlying server through certain form-based workflows.  According to n8n, “A vulnerability in n8n allows an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker.” The company noted that the flaw could expose sensitive data and potentially enable further compromise depending on configuration and usage.  CVE-2026-21858 is a Content-Type confusion bug tied to how the n8n webhook processes incoming HTTP requests. The webhook parses requests differently based on the Content-Type header, creating a gap that attackers can exploit to manipulate file-handling behavior.  How the n8n Webhook Content-Type Confusion Is Exploited  The vulnerability stems from how n8n handles form submissions. When a request is processed, the platform uses parseRequestBody() to determine whether to invoke a file upload parser or a regular body parser. If multipart/form-data is specified, uploaded files are parsed and stored in req.body.files.  However, researchers found that certain file-handling functions are executed without verifying the Content-Type header. As a result, attackers can override req.body.files even when no file upload is present.  “Since this function is called without verifying the content type is ‘multipart/form-data,’ we control the entire req.body.files object,” Attias explained. This allows an attacker to copy any local file from the server instead of an uploaded file, exposing sensitive system data to downstream workflow nodes.  n8n Vulnerability Enables Admin Bypass and Remote Code Execution  The impact of CVE-2026-21858 extends beyond arbitrary file reads. Researchers demonstrated how attackers could escalate the flaw into a full system compromise. By abusing the n8n vulnerability, a threat actor could read the internal SQLite database at /home/node/.n8n/database.sqlite, extract administrator credentials, and then retrieve encryption secrets from /home/node/.n8n/config.  Using this information, attackers could forge a valid admin session cookie, bypass authentication, and gain full administrative access. From there, they could create a malicious workflow containing an “Execute Command” node, achieving remote code execution on the host system.  Cyera warned that the centralized nature of n8n significantly amplifies the risk. “A compromised n8n instance doesn’t just mean losing one system; it means handing attackers the keys to everything,” the company said, citing stored API credentials, OAuth tokens, and database connections as high-value targets.  Patch Status and Mitigations for CVE-2026-21858  The n8n vulnerability affects all versions up to and including 1.65.0 and was patched in version 1.121.0, released on November 18, 2025. Users are strongly urged to upgrade to a fixed or newer release, such as versions 1.123.10, 2.1.5, 2.2.4, or 2.3.0.  As additional mitigations, administrators are advised to avoid exposing n8n instances to the internet, enforce authentications for all Forms, and restrict or disable publicly accessible n8n webhook and form endpoints until patches can be applied.  The disclosure of CVE-2026-21858 follows several other critical issues in n8n, including CVE-2025-68668 and CVE-2025-68613, highlighting the need for rigorous security controls around automation platforms that manage sensitive integrations and credentials. 

A serious and unpatched security flaw has been disclosed in the TOTOLINK EX200 wireless range extender. The vulnerability, tracked as CVE-2025-65606, allows a remote authenticated attacker to gain full system control by abusing a flaw in the device’s firmware-upload mechanism. The issue was publicly disclosed by the CERT Coordination Center (CERT/CC) on January 6, 2026, and currently has no available fix.  According to CERT/CC, CVE-2025-65606 is rooted in improper error handling within the firmware-upload logic of the TOTOLINK EX200. When the extender processes certain malformed firmware files, the upload handler can enter what CERT/CC described as an “abnormal error state.” This condition causes the device to start a telnet service running with root privileges.  Firmware Upload Error Triggers Root-Level Telnet Access  What makes this behavior especially dangerous is that the telnet service launched under these circumstances does not require authentication. The interface, which is normally disabled and not intended to be exposed, becomes an unintended remote administration channel. CERT/CC summarized the issue clearly, stating: “An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.”  The vulnerability was discovered and responsibly reported by security researcher Leandro Kogan, who was credited by CERT/CC for identifying the flaw. The advisory was authored by Timur Snoke and published as Vulnerability Note VU#295169, with both the original release date and last revision listed as January 6, 2026.  Exploitation Requirements and Potential Impact of CVE-2025-65606  While exploitation of CVE-2025-65606 does require the attacker to already be authenticated to the web management interface of the TOTOLINK EX200, the resulting impact is severe. Access to the firmware-upload functionality is enough to trigger the vulnerability. Once the malformed firmware file is processed and the device enters the abnormal error state, the unauthenticated root-level telnet service becomes available.  From that point forward, an attacker gains unrestricted control of the device. CERT/CC warned that successful exploitation could lead to configuration manipulation, arbitrary command execution, or the establishment of persistent access on the network. Because the TOTOLINK EX200 functions as a network extender, compromise of the device may also enable lateral movement or broader network attacks.  CERT/CC emphasized that the unintended telnet interface increases the attack surface of the device. The advisory notes that this behavior could be leveraged to hijack susceptible devices, allowing attackers to maintain long-term control without relying on the original web authentication mechanism.  No Patch Available as Device Reaches End of Life  One of the most concerning aspects of CVE-2025-65606 is the absence of a vendor-provided fix. CERT/CC confirmed that TOTOLINK has not released any updates addressing the vulnerability, and the TOTOLINK EX200 is no longer actively maintained. Vendor status information was listed as “Unknown,” and the product has reached end-of-life.  Publicly available information shows that the last firmware update for the TOTOLINK EX200 was released in February 2023, nearly three years before the vulnerability was disclosed. As a result, users cannot rely on an official patch to remediate the issue.  In the absence of a fix, CERT/CC recommends several mitigation steps. These include restricting administrative access to trusted networks, preventing unauthorized users from accessing the management interface, and actively monitoring unexpected telnet activity. However, the advisory makes it clear that these measures are temporary protection rather than permanent solutions.  CERT/CC ultimately advises users to plan for replacing the TOTOLINK EX200 with a supported and actively maintained model. Given the severity of CVE-2025-65606 and the lack of ongoing vendor support, continued use of the device poses a sustained security risk.  Additional metadata associated with CVE-2025-65606 shows that the CVE was made public on January 6, 2026, with the first publication and last update occurring the same day at 14:49 UTC. The document revision is listed as version 1. 

A newly disclosed n8n vulnerability has been confirmed to allow authenticated users to execute arbitrary system commands on affected servers. The issue, tracked as CVE-2025-68668, has been assigned a CVSS score of 9.9, placing it firmly in the critical severity range. The flaw impacts the open-source workflow automation platform n8n and affects a broad range of deployed versions.  n8n is commonly used to design and run automated workflows that connect applications, services, and scripts. Due to its role in handling sensitive integrations and credentials, security vulnerabilities within the platform can have significant consequences.   Sandbox Bypass in the Python Code Node  The n8n vulnerability affects all versions from 1.0.0 up to, but not including, 2.0.0. According to the advisory, an authenticated user who has permission to create or modify workflows can exploit the issue to execute arbitrary operating system commands on the host running n8n. The vulnerability has been categorized as a protection mechanism failure.  The root cause lies in a sandbox bypass within the Python Code Node, which uses Pyodide to execute Python code. The advisory describes the issue clearly: “A sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process.”  While the attacker does not automatically gain higher privileges than the n8n service itself, the ability to run system commands at that level may still allow for data access, lateral movement, or further compromise depending on how the instance is deployed. The flaw was published under GHSA-62r4-hw23-cc8v, with security researcher csuermann credited for the report. The affected package is the n8n npm package, and the issue remained present until it was fully addressed in version 2.0.0.  Patch Details and Security Improvements  The CVE-2025-68668 issue has been resolved in n8n version 2.0.0, which is now listed as the patched release. However, security improvements related to this issue were introduced earlier. In n8n version 1.111.0, the project added a task runner–based native Python implementation as an optional feature. This implementation was designed to provide a stronger isolation model than the Pyodide-based sandbox used by the Python Code Node.  To enable this more secure execution environment in affected versions, administrators must configure the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables. With the release of n8n 2.0.0, this task runner–based Python sandbox became the default behavior, effectively mitigating the sandbox bypass that made CVE-2025-68668 exploitable.  The introduction of this default setting marks an architectural change aimed at reducing the attack surface associated with executing Python code inside workflows. It also reflects a broader shift toward isolating potentially dangerous operations more rigorously within automation platforms.  Mitigations, Workarounds, and Broader Context for CVE-2025-68668  For organizations that cannot immediately upgrade, n8n has outlined several workarounds to limit exposure to the n8n vulnerability. One option is to completely disable the Code Node by setting the environment variable NODES_EXCLUDE to [“n8n-nodes-base.code”].   Another mitigation is to disable Python support in the Code Node entirely by setting N8N_PYTHON_ENABLED=false, a configuration option introduced in n8n version 1.104.0. Administrators can also proactively enable the task runner–based Python sandbox using N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER.  The disclosure of CVE-2025-68668 follows another recently addressed critical flaw, CVE-2025-68613, which also carried a CVSS score of 9.9 and could lead to arbitrary code execution under certain conditions.  

After stabilizing in 2024, the growth of known exploited vulnerabilities accelerated in 2025. That was one conclusion from Cyble’s analysis of CISA’s Known Exploited Vulnerability (KEV) catalog data from 2025. After growing at roughly 21% in 2023, with 187 vulnerabilities added to the CISA KEV catalog that year, growth slowed to about 17% in 2024, with 185 vulnerabilities added. Growth in exploited vulnerabilities reaccelerated in 2025, with 245 vulnerabilities added to the KEV database, for a roughly 20% growth rate. The KEV catalog ended 2025 with 1,484 software and hardware flaws at high risk of attack. The 245 flaws added in 2025 is also more than 30% above the trend of 185 to 187 vulnerabilities added the previous two years. Cyble also examined vulnerabilities exploited by ransomware groups, the vendors and projects with the most KEV additions (and several that actually improved), and the most common exploited software weaknesses (CWEs). Older Vulnerabilities Added to CISA KEV Also Grew Older vulnerabilities added to the CISA KEV catalog also grew in 2025, Cyble said. After adding an average of 65 older vulnerabilities to the KEV catalog in 2023 and 2024, CISA added 94 vulnerabilities from 2024 and earlier to the catalog in 2025, an increase of nearly 45% from the 2023-2024 average. The oldest vulnerability added to the KEV catalog last year was CVE-2007-0671, a Microsoft Office Excel Remote Code Execution vulnerability. The oldest vulnerability in the catalog remains CVE-2002-0367, a privilege escalation vulnerability in the Windows NT and Windows 2000 smss.exe debugging subsystem that has been known to be used by ransomware groups, Cyble said. CISA removed at least one vulnerability from the KEV catalog in 2025. CVE-2025-6264 is a Velociraptor Incorrect Default Permissions vulnerability that CISA determined had “insufficient evidence of exploitation,” Cyble noted. Vulnerabilities Targeted in Ransomware Attacks CISA marked 24 of the vulnerabilities added in 2025 as known to be exploited by ransomware groups, Cyble said. Those vulnerabilities include some well-known flaws such as CVE-2025-5777 (dubbed “CitrixBleed 2”) and Oracle E-Business Suite vulnerabilities targeted by the CL0P ransomware group. Vendors with multiple vulnerabilities targeted by ransomware groups included Fortinet, Ivanti, Microsoft, Mitel, Oracle and SonicWall. Projects and Vendors with the Most Exploited Vulnerabilities Microsoft once again led all vendors and projects in CISA KEV additions in 2025, with 39 vulnerabilities added to the database, up from 36 in 2024. Apple, Cisco, Google Chromium. Ivanti and Linux each had 7-9 vulnerabilities added to the KEV catalog. Several vendors and projects actually improved in 2025, with fewer vulnerabilities added than they had in 2024, “suggesting improved security controls,” Cyble said. Adobe, Android, Apache, Ivanti, Palo Alto Networks, and VMware were among those that saw a decline in KEV vulnerabilities. Most Common Software Weaknesses Eight software and hardware weaknesses (common weakness enumerations, or CWEs) were “particularly prominent among the 2025 KEV additions,” Cyble said, noting that the list is similar to the 2024 list. The most common CWEs in the 2025 CISA KEV additions were: CWE-78 – OS Command Injection – accounted for 18 of the 245 vulnerabilities. CWE-502 – Deserialization of Untrusted Data – was  a factor in 14 of the vulnerabilities. CWE-22 – Path Traversal – appeared 13 times. CWE-416 – Use After Free – was a flaw in 11 of the vulnerabilities. CWE-787 – Out-of-bounds Write – accounted for 10 of the vulnerabilities. CWE-79 – Cross-site Scripting – appeared 7 times. CWE-94 (Code Injection) and CWE-287 (Improper Authentication) appeared 6 times each.  

IBM has released security updates to address a critical IBM API Connect vulnerability that could allow remote attackers to bypass authentication controls and gain unauthorized access to affected applications. The flaw, tracked as CVE-2025-13915, carries a CVSS 3.1 score of 9.8, placing it among the most severe vulnerabilities disclosed in recent months. According to IBM, the IBM API Connect vulnerability impacts multiple versions of the platform and stems from an authentication bypass weakness that could be exploited remotely without any user interaction or prior privileges. Organizations running affected versions are being urged to apply fixes immediately to reduce exposure. CVE-2025-13915: IBM API Connect Authentication Bypass Explained The vulnerability has been classified under CWE-305: Authentication Bypass by Primary Weakness, indicating a failure in enforcing authentication checks under certain conditions. IBM said internal testing revealed that the flaw could allow an attacker to circumvent authentication mechanisms entirely. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) highlights the seriousness of the issue. The attack can be carried out over the network, requires low attack complexity, and does not depend on user interaction. If exploited, it could result in a complete compromise of confidentiality, integrity, and availability within the affected IBM API Connect environment. IBM warned that a successful attack could grant unauthorized access to API Connect applications, potentially exposing sensitive data and backend services managed through the platform. Affected IBM API Connect Versions The IBM API Connect vulnerability affects specific versions within the 10.x release series. IBM confirmed that the following product versions are impacted: IBM API Connect V10.0.8.0 through V10.0.8.5 IBM API Connect V10.0.11.0 API Connect is widely deployed in enterprise environments to manage APIs, control developer access, and secure integrations between internal and external services. As a result, vulnerabilities in the platform can have cascading effects across connected systems. IBM Releases Fixes for IBM API Connect Vulnerability To remediate CVE-2025-13915, IBM has issued interim fixes (iFixes) for all affected versions and strongly recommends that customers upgrade without delay. For the 10.0.8.x branch, fixes have been released for each affected sub-version, including 10.0.8.1, 10.0.8.2 (iFix1 and iFix2), 10.0.8.3, 10.0.8.4, and 10.0.8.5. IBM has also provided an interim fix for IBM API Connect V10.0.11.0. IBM emphasized that upgrading to the remediated versions is the most effective way to eliminate the authentication bypass risk associated with this vulnerability. Workarounds and Mitigations for Unpatched Systems For organizations unable to apply the fixes immediately, IBM has outlined a temporary mitigation to reduce risk. Administrators are advised to disable self-service sign-up on the Developer Portal, if that feature is enabled. While this measure does not fully address the IBM API Connect authentication bypass vulnerability, IBM said it can help minimize exposure until patching is completed. The company cautioned that workarounds should only be used as a short-term solution. Why the IBM API Connect Vulnerability Matters Authentication bypass vulnerabilities are particularly dangerous because they undermine one of the most fundamental security controls in enterprise applications. In API-driven environments, such flaws can provide attackers with a direct path to sensitive services, data stores, and internal systems. The vulnerability was published in the National Vulnerability Database (NVD) on December 26, 2025, and last updated on December 31, 2025, with IBM listed as the CNA and source. Given the critical severity rating, security teams are expected to prioritize remediation and review API access logs for any signs of unauthorized activity. Organizations running affected versions of IBM API Connect are urged to assess their deployments immediately and apply the recommended fixes to prevent potential exploitation.

The Cyber Security Agency of Singapore (CSA) has issued a high-priority alert warning organizations and system administrators about a critical security vulnerability affecting SmarterMail, an enterprise email and collaboration platform developed by SmarterTools. The flaw, tracked as CVE-2025-52691, carries the highest possible severity rating and could allow attackers to execute arbitrary code remotely without authentication.  According to CSA, the vulnerability has been assigned a Common Vulnerability Scoring System (CVSS v3.1) score of 10.0, reflecting its potential for widespread and severe impact. The issue arises from an arbitrary file upload weakness that could be exploited by unauthenticated attackers to upload files to any directory on a vulnerable mail server.  “Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution,” CSA said in its advisory.  Technical Details and Potential Attack Scenarios for CVE-2025-52691  The vulnerability identified as CVE-2025-52691 affects SmarterMail versions Build 9406 and earlier. At its core, the flaw allows arbitrary file uploads, a class of vulnerability that can be especially dangerous in server-side applications. If a malicious file type is uploaded and automatically processed by the application environment, it may be interpreted as executable code.  CSA noted that this behavior could pave the way for remote code execution, particularly if an attacker uploads a script or binary file that the server is capable of executing. For example, malicious web shells or binaries could be placed on the server and run with the same privileges as the SmarterMail service itself.  In a hypothetical attack scenario outlined by CSA, a threat actor could leverage this weakness to establish persistent access to the mail server. From there, attackers could potentially exfiltrate sensitive data, deploy additional malware, or use the compromised system as a foothold to move laterally within an organization’s network. The absence of any authentication requirement lowers the barrier to exploitation.  Affected Versions and Recommended Mitigation  CSA confirmed that SmarterMail Build 9406 and earlier are vulnerable to exploitation. To mitigate the risk, SmarterTools has released security updates addressing the issue. The vulnerability was fixed in SmarterMail Build 9413, which was released on October 9, 2025.  “Users and administrators of affected product versions are advised to update to SmarterMail version Build 9413 immediately,” CSA stated in its bulletin.  While Build 9413 resolves CVE-2025-52691, CSA further recommends upgrading to the latest available release for improved security posture. As of the advisory, the most recent version is SmarterMail Build 9483, released on December 18, 2025. Although the agency noted that there is no indication of active exploitation in the wild, timely patching is advised to reduce exposure.  Discovery, Disclosure, and Broader Impact  CSA credited Chua Meng Han from the Centre for Strategic Infocomm Technologies (CSIT) for discovering and responsibly reporting the vulnerability. The agency also acknowledged SmarterTools Inc. for its cooperation during the coordinated disclosure and remediation process.  While CSA has not reported any confirmed in-the-wild exploitation of CVE-2025-52691, the agency made clear that unauthenticated remote code execution flaws pose a serious and immediate risk. Organizations running SmarterMail should treat this vulnerability as a high priority, apply the required updates without delay, and actively review systems for signs of unauthorized file uploads or suspicious activity.  To stay protected from vulnerabilities like CVE-2025-52691, organizations need continuous visibility into new cyber threats and real-world exploitation risks. Cyble helps security teams monitor critical vulnerabilities, track attacker activity, and prioritize remediation through AI-powered threat intelligence.  Gain early insight into high-risk vulnerabilities, attacker tactics, and exposed assets with Cyble’s AI-native threat intelligence platform.  Book a free demo to strengthen your vulnerability response and reduce risk before threats escalate. 

A newly disclosed security issue in the Net-SNMP software suite has raised serious concerns for organizations that rely on the protocol to monitor and manage network infrastructure. The vulnerability, identified as CVE-2025-68615, affects a core component of Net-SNMP and could allow remote attackers to crash critical services or potentially gain deeper control over affected systems.  Net-SNMP is a widely used implementation of the Simple Network Management Protocol (SNMP), commonly deployed across enterprise and service provider environments. It is used to monitor and manage routers, switches, servers, and other network-connected devices. Because of its widespread adoption, vulnerabilities within Net-SNMP often have broad implications, and CVE-2025-68615 is no exception.  According to advisories published on GitHub, the flaw exists in the snmptrapd daemon, a background service responsible for receiving and processing SNMP trap messages. Trap messages are unsolicited alerts sent by devices to notify administrators of specific events. In the case of CVE-2025-68615, the daemon improperly handles incoming packets, creating an opportunity for exploitation.  Buffer Overflow in snmptrapd Enables Denial of Service (CVE-2025-68615)  The GitHub advisory explains that a threat actor can exploit this issue by sending a “specially crafted packet” to a vulnerable snmptrapd instance. When the daemon attempts to process the malformed data, a buffer overflow occurs. As described in the advisory, this condition causes the daemon to crash, resulting in a denial-of-service scenario.  The official description states: “A specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash.” While a service crash is the most immediate effect, the underlying vulnerability presents a broader security risk.  CVE-2025-68615 has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.8, classifying it as Critical. The CVSS metrics indicate a “High” impact on confidentiality, integrity, and availability. In security assessments, a buffer overflow with these ratings often implies that exploitation could extend beyond service disruption.  Experts caution that vulnerabilities like CVE-2025-68615 may allow attackers to execute arbitrary code remotely, potentially enabling full system compromise without authentication or user interaction. This risk is heightened by the fact that the snmptrapd daemon often runs with elevated privileges and is designed to accept network traffic.  Patch Availability and Recommended Mitigations  The vulnerability was discovered by buddurid, working in collaboration with the Trend Micro Zero Day Initiative. Following responsible disclosure, the Net-SNMP maintainers issued fixes and published details through a GitHub Security Advisory tracked as GHSA-4389-rwqf-q9gq. According to the advisory, all versions of Net-SNMP are affected. The issue has been resolved in Net SNMP versions 5.9.5 and 5.10.pre2, and administrators running the snmptrapd daemon are urged to upgrade immediately. The advisory notes: “Users of Net-SNMP’s snmptrapd should upgrade immediately to Net-SNMP 5.9.5 or 5.10.pre2.”  For organizations unable to deploy patches immediately, the advisory outlines limited workaround options. Network segmentation remains the primary defense. SNMP ports should never be exposed to the public internet, and firewall rules should block external access to the snmptrapd port. The advisory emphasizes that there is no mitigation other than upgrading or ensuring the service is properly firewalled.  As details continue to circulate on GitHub and through security channels, organizations using Net-SNMP are encouraged to review their deployments, confirm firewall configurations, and prioritize updates. Given the critical severity of CVE-2025-68615 and the essential role Net-SNMP plays in network monitoring, timely remediation is necessary to reduce the risk of service disruption or system compromise.