Vulnerabilities News

Vulnerabilities – The Cyber Express Trending Cybersecurity News, Updates, Magazine and More.

  • Critical Notepad++ Bugs Could Lead to Code Execution, Patch Available
    by Ashish Khaitan on July 17, 2026 at 8:41 am

    The latest Notepad++ vulnerabilities addressed in version 8.9.7 include several high-impact security flaws that could expose Windows systems to arbitrary code execution, file overwrite attacks, memory corruption, and authentication bypass.   Among the most critical issues is a PowerShell command injection vulnerability in the installer, alongside fixes for CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233. The release also delivers stability improvements and feature enhancements for one of the most widely used text editors on Windows.  PowerShell Command Injection Tops the List of Notepad++ Vulnerabilities  The most severe Notepad++ vulnerability involves improper handling of PowerShell commands during installation. According to the developers, the installer has been updated to improve the robustness of PowerShell command processing, reducing the risk of command injection and unauthorized command execution. If exploited, the flaw could allow attackers to manipulate the installation process and execute arbitrary PowerShell commands. In practical scenarios, a compromised installer distributed through spoofed download sources or social engineering campaigns could enable malware deployment during installation, potentially leading to complete system compromise without the user’s knowledge. CVE-2026-52886, CVE-2026-54758, and CVE-2026-57233 Address Critical Risks In addition to the installer flaw, the update resolves several other security issues across different components. CVE-2026-54758 addresses a stack buffer overflow in the expandNppEnvironmentStrs function that could result in memory corruption and potentially remote code execution. Meanwhile, CVE-2026-57233 fixes a Zip Slip path traversal vulnerability in the WinGUp updater, preventing attackers from overwriting arbitrary files during the update extraction process.  Another patched issue, CVE-2026-52886, fixes a session handling flaw where manipulated session.xml entries could bypass path validation through the backupFilePath starts_with check. The release also resolves an unassigned vulnerability affecting the macro system, where shortcuts.xml allowed macro execution without proper HMAC verification, creating an integrity bypass that could enable unauthorized macro execution.  Collectively, these Notepad++ vulnerabilities demonstrate how installers, local configuration files, session management, update mechanisms, and macro validation can become attack vectors if not adequately protected.  Notepad++ v8.9.7 Brings Stability Improvements Alongside Security Fixes  Beyond addressing Notepad++ vulnerabilities, version 8.9.7 introduces several usability and stability improvements. Users can now retain the expand and collapse state within “Folder as Workspace,” while Incremental Search has been enhanced with count and nth-position indicators. The update also fixes crashes, user interface glitches, high-DPI scaling issues, symbolic link freezes, file handling inconsistencies, and search performance problems. Additionally, bundled components have been updated to Scintilla 5.6.4, Lexilla 5.5.1, and pugixml 1.16.  The Notepad++ team recommends that users update to version 8.9.7 as soon as possible, particularly in enterprise and development environments where the editor processes untrusted files or operates within automated workflows. Although the auto-updater is expected to roll out the release within two weeks, provided no regressions are detected, manual installation is recommended for immediate protection.   Developers are also encouraged to verify download sources, as keeping software updated and installing packages only from trusted locations remains an essential safeguard against exploitation of CVE-2026-52886, CVE-2026-54758, CVE-2026-57233, and other Notepad++ vulnerabilities. 

  • Zoom Patches Critical Windows Flaw Enabling Account Takeover
    by Ashish Khaitan on July 17, 2026 at 5:41 am

    Zoom has released security updates to fix CVE-2026-53412, a critical Improper Input Validation vulnerability affecting its Windows software, which could allow attackers to take over user accounts via network access. The flaw primarily impacts the Zoom Desktop Client and other Windows-based Zoom products, prompting the company to urge users to install the latest updates. According to Zoom, CVE-2026-53412 carries a CVSS score of 9.8 and is tracked under security bulletin ZSB-26014. The company stated, “Improper Input Validation in Zoom Desktop Client for Windows and Zoom VDI Client for Windows may allow an unauthenticated user to conduct an account takeover via network access.” The vulnerability is rated Critical with the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. CVE-2026-53412 Affects Zoom Desktop Client for Windows  The Improper Input Validation issue impacts Zoom Workplace for Windows before version 7.0.0 and Zoom Workplace VDI Client for Windows before versions 7.0.10, 6.6.15, and 6.5.18, depending on the software branch. Zoom advised users to remain protected by installing the latest software updates available through its download portal. The advisory credits Zoom Offensive Security for reporting the vulnerability. It also includes a revision history showing that version 1.0 of the bulletin was published on July 14, 2026, while version 1.1, released on July 15, 2026, removed Meeting SDK for Windows from the list of affected products.  Three Additional High-Severity Vulnerabilities Addressed  Alongside CVE-2026-53412, Zoom resolved three high-severity Windows vulnerabilities.  CVE-2026-53411 received a CVSS score of 7.8 and involves an Improper Input Validation flaw in the Zoom Workplace VDI Plugin for Windows before version 6.6.14. The issue could allow an authenticated local user to escalate privileges.  CVE-2026-53410, with a CVSS score of 7.0, is a time-of-check to time-of-use (TOCTOU) race condition affecting the installation and uninstallation process of certain Zoom Windows clients. The flaw could enable an authenticated local user to gain elevated privileges.   It affects Zoom Workplace for Windows before version 7.0.5, Zoom Workplace VDI Client for Windows before versions 6.5.17 and 6.6.14, Zoom Workplace VDI Plugin for Windows before versions 6.5.17 and 6.6.14, Zoom Rooms for Windows before version 7.0.5, and Remote Control for Zoom Contact Center for Windows before version 7.0.0.  The fourth issue, CVE-2026-53409, carries a CVSS score of 7.8 and is an improper privilege management vulnerability affecting Zoom Rooms for Windows before version 7.1.0. It could allow an authenticated local user to escalate privileges through local access.  At the time of publication, there is no evidence that CVE-2026-53412 or the other disclosed vulnerabilities are being actively exploited in real-world attacks. Nevertheless, Zoom recommends users update affected Windows applications as soon as possible to mitigate potential security risks associated with the Zoom Desktop Client and related software.

  • Google Rolls Out Chrome 151 Beta and Early Stable Updates
    by Ashish Khaitan on July 16, 2026 at 7:02 am

    Google released a series of Chrome 151 updates on Wednesday, July 15, 2026, covering desktop, Android, and iOS platforms, while ChromeOS devices began receiving their latest Chrome Beta update a day earlier. The latest Desktop Update introduces new Beta and Early Stable builds for Windows, Mac, and Linux, alongside stability and performance improvements across multiple platforms.  Chrome Beta and Desktop Update Reach Version 151.0.7922.34  The latest Chrome Beta Desktop Update has been released for Windows, Mac and Linux, updating the Beta channel to version 151.0.7922.34. Google said a partial list of changes is available through the project’s Git log.   Users interested in moving between release channels can do so through the available switching options, while any newly discovered issues can be reported by filing a bug. The company also pointed users to its community help forum for troubleshooting and discussions about common issues.  Google also introduced an Early Stable Desktop Update, rolling out Chrome 151 versions 151.0.7922.34 and 151.0.7922.35 to a small percentage of Windows and Mac users. According to the company, a complete list of changes for the build is available in the release log, with additional information provided for its Early Stable rollout process. Chrome 151 Expands Across Android and iOS  On Android, Chrome 151 (151.0.7922.29) entered an Early Stable rollout for a limited number of users and is expected to reach more devices through Google Play over the following days. Google stated that the release focuses on stability and performance improvements, with complete technical changes documented in the Git log.  The Chrome Beta release for Android, also carrying version 151.0.7922.29, is already available through Google Play. Google said users can review a partial list of changes in the Git log, while information about new features is available on the Chromium blog alongside updates covering the web platform. For iPhone and iPad users, Chrome Stable 151 (151.0.7922.25) is scheduled to appear on the App Store within hours of the announcement. Similar to the Android release, the update delivers stability and performance improvements. Meanwhile, Chrome Beta 151 (151.0.7922.26) for iOS is expected to reach the App Store over the next few days, with Google publishing a partial change log for the release.  ChromeOS Beta Update Also Released  Ahead of the broader Chrome 151 announcements, Google began rolling out a Chrome Beta update for ChromeOS and ChromeOS Flex on Tuesday, July 14, 2026. The Beta channel is being upgraded to OS version 16733.19.0, paired with browser version 151.0.7922.23, for most supported ChromeOS devices.  Google encouraged users across all releases to report newly identified bugs through its official reporting system, submit feedback directly through Chrome, or seek assistance via its ChromeOS and Chromebook community forums. The company also reminded users that instructions for switching release channels remain available for those interested in testing future Chrome Beta and Desktop Update builds. 

  • CISA Adds SonicWall SMA1000 Vulnerabilities to KEV Catalog Following Active Exploitation
    by Ashish Khaitan on July 15, 2026 at 9:25 am

    Security researchers have identified two critical vulnerabilities, CVE-2026-15409 and CVE-2026-15410, affecting SonicWall SMA1000 Series appliances. The flaws are already being exploited in the wild, prompting urgent warnings from SonicWall and CISA. Successful exploitation could result in Remote Code Execution, bypass of security restrictions, and broader compromise of affected systems.  The vulnerabilities impact SonicWall SMA1000 models 6210, 7210, and 8200v running versions 12.4.3-03245, 12.4.3-03387, 12.4.3-03434 (platform-hotfix), 12.5.0-02283, 12.5.0-02624, and 12.5.0-02800 (platform-hotfix).  CVE-2026-15409 and CVE-2026-15410 Explained  CVE-2026-15409 is a server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface. According to SonicWall, an unauthenticated remote attacker could force the appliance to send requests to unintended locations. The flaw carries a CVSS v3 score of 10.0 with the vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and is mapped to CWE-918.  CVE-2026-15410 is a post-authentication code injection vulnerability in the SMA1000 Appliance Management Console (AMC). Under specific conditions, a remote authenticated attacker with administrator privileges could execute arbitrary operating system commands, enabling Remote Code Execution. The vulnerability has a CVSS score of 7.2, uses the vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, and is associated with CWE-94.  Active Exploitation and Impact  SonicWall confirmed that CVE-2026-15409 and CVE-2026-15410 are being actively exploited. The advisory states, “SonicWall PSIRT has investigated multiple cases indicating the active exploitation of the vulnerabilities described in this advisory. Customers are strongly urged to upgrade to the hotfix release as soon as possible to remediate these vulnerabilities.”  The vulnerabilities may allow Remote Code Execution and bypass of security restrictions, increasing the risk of unauthorized system access.  Fixed Versions and Detection Guidance  SonicWall has released fixes in 12.4.3-03453 (platform-hotfix) and later, and 12.5.0-02835 (platform-hotfix) and later. The company noted that these issues do not affect SSL-VPN running on SonicWall firewalls or the SMA 100 Series product line.  Administrators are advised to inspect extraweb_access.log for HTTP 200 requests to /api/login or /api/logout, suspicious /wsproxy requests returning HTTP 101, ctrl-service.log entries indicating hotfix rollbacks with path traversal names, and unauthorized /api/login or /api/logout routes in /var/lib/unit/conf.json.  If indicators of compromise are found, SonicWall recommends re-imaging hardware appliances or redeploying virtual appliances, changing user and administrator passwords, and resetting TOTP tokens after performing a forensic investigation.  The advisory, SNWLID-2026-0008, was first published and last updated on July 14, 2026. The vulnerabilities were internally discovered by Adam Babis of SonicWall PSIRT, while Sean Koessel and Steven Adair of Volexity were credited in Version 1.1 for helping identify an additional indicator of compromise during the investigation. On the same day, CISA added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. 

  • Microsoft’s Largest Patch Tuesday Fixes 622 Vulnerabilities, Two Under Active Attack
    by Ashish Khaitan on July 15, 2026 at 8:57 am

    Microsoft Patch Tuesday July 2026 delivered the company’s largest security update to date, addressing 622 Microsoft CVEs, more than tripling the roughly 200 vulnerabilities patched in June. Among the fixes are two zero-day vulnerabilities—CVE-2026-56164 and CVE-2026-56155—that Microsoft confirmed are being actively exploited, making them the highest-priority updates in this month’s release.  According to Microsoft’s July 2026 Security Updates, the release includes patches across multiple product families. Windows accounts for the largest share with 416 vulnerabilities, followed by Office with 82, Microsoft Edge with 46, Developer Tools with 27, SharePoint Server with 17, Azure with 11, SQL Server with eight, Defender and Exchange Server with five each, and four additional updates categorized under Other. Microsoft also republished 428 non-Microsoft Chromium CVEs.  Microsoft Patch Tuesday July 2026 Highlights Exploited Vulnerabilities  The two most significant flaws in Microsoft Patch Tuesday July 2026 are CVE-2026-56164 and CVE-2026-56155, both elevation-of-privilege vulnerabilities affecting critical enterprise infrastructure.  CVE-2026-56164 impacts on-premises Microsoft SharePoint Server and allows an unauthenticated attacker to elevate privileges remotely over the network without requiring credentials or user interaction. Microsoft said the vulnerability was discovered by Mandiant incident responders and Google’s FLARE team, suggesting it was identified during investigations into active attacks. However, the company has not disclosed how the flaw was exploited or who was responsible.  Microsoft also noted that enabling the Antimalware Scan Interface (AMSI) in Full Mode can help reduce the attack risk. The update arrives on the same day that SharePoint Server 2016 and SharePoint Server 2019 reach the end of extended support. Unlike Windows Server and SQL Server, these products do not have a paid Extended Security Updates (ESU) program. SharePoint has remained a frequent target since the ToolShell attack chain affected unpatched servers in 2025.  The Second Vulnerability (CVE-2026-56155) The second actively exploited vulnerability, CVE-2026-56155, affects Active Directory Federation Services (AD FS). Microsoft said the flaw enables an authenticated attacker to elevate privileges locally because of weak access controls. The company’s Detection and Response Team (DART) reported the issue. While Microsoft has not disclosed the exact privileges attackers gained or how the vulnerability was used, AD FS plays a critical role by issuing authentication tokens across enterprise environments, increasing the potential impact of a successful attack.  Beyond these two zero-days, Microsoft identified CVE-2026-50661, a Windows BitLocker Security Feature Bypass vulnerability, as publicly known.  As of publication, neither CVE-2026-56164 nor CVE-2026-56155 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog. However, Microsoft has already classified both as exploited through its own exploitability assessment. The company also assigned the SharePoint flaw a relatively low severity rating, highlighting that active exploitation should take precedence over severity scores when prioritizing remediation. 

  • RabbitMQ Vulnerability Exposes OAuth Secrets to Attackers
    by Ashish Khaitan on July 14, 2026 at 5:49 am

    A newly disclosed RabbitMQ vulnerability, tracked as CVE-2026-5721, has raised concerns among enterprise users after researchers revealed that the flaw could allow unauthenticated attackers to retrieve a broker’s confidential OAuth client secret. The successful exploitation could enable attackers to impersonate the broker, obtain administrator-level access, and potentially take control of the messaging infrastructure.  CVE-2026-5721 Allows Exposure of OAuth Client Secrets  RabbitMQ, a widely used open source message broker that enables asynchronous communication by routing, buffering, and distributing messages between applications, is affected by the issue. The CVE-2026-5721 flaw carries a CVSS severity score of 8.7 and stems from an exposed management endpoint that returns the OAuth client secret without requiring authentication.  The RabbitMQ vulnerability originates from an obsolete endpoint in the platform’s management web interface. It can be exploited when administrators configure the broker with a confidential password for identity provider authentication.   The risk is particularly significant in deployments using OAuth 2.0 or OpenID Connect identity providers such as Auth0, Azure AD/Entra ID, Keycloak, or UAA, where confidential client secrets are commonly configured. In such environments, attackers exploiting CVE-2026-5721 could obtain administrator tokens and gain control over users, queues, messages, and broker configurations.  Which RabbitMQ Deployments Are at Risk?  However, systems without a configured client secret are not vulnerable because there is no credential to expose. Likewise, RabbitMQ deployments that do not use the management plugin are unaffected by this RabbitMQ vulnerability.  Cybersecurity firm Miggo warned that the highest risk exists when the management interface is accessible from untrusted networks. The risk is sharpest wherever the management port is reachable by an untrusted network: cloud or multi-tenant setups, or a management UI accidentally exposed to the internet,” the company said.  The CVE-2026-5721 flaw was introduced in RabbitMQ version 3.13.0 in early 2024. It has since been patched in versions 4.3.0, 4.2.6, 4.1.11, 4.0.20, and 3.13.15.  Patches Also Address a Second Security Flaw  The security updates also fix CVE-2026-57221, a medium-severity vulnerability with a CVSS score of 5.3. This authorization issue allows any authenticated user to enumerate queues and exchanges while viewing related statistics. According to Miggo, attackers could use the flaw to map an organization’s virtual host, infer business activity, and collect intelligence for future attacks, particularly in multi-tenant environments where multiple teams or applications share the same virtual host.  To reduce exposure to the RabbitMQ vulnerability, organizations are advised to update affected deployments immediately, restrict access to vulnerable systems if patching cannot be performed, prevent public exposure of the management interface, implement network segmentation, and rotate OAuth client secrets.   Although there is currently no evidence that CVE-2026-5721 has been exploited in the wild, Miggo noted, “Neither of these RabbitMQ bugs is exotic. They sat in the codebase for over two years. They are precisely the kind of quiet, systemic inconsistency that hides in mature, widely deployed software: the kind a human reviewer reads past, and a single-pass tool fails to compare against everything around it.” 

  • CISA Warns of Actively Exploited Joomla Zero-Day Vulnerabilities
    by Ashish Khaitan on July 13, 2026 at 8:47 am

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-48939 and CVE-2026-56291 to its Known Exploited Vulnerabilities (KEV) catalog after reports confirmed active zero-day attacks targeting the iCagenda and Balbooa extensions for Joomla. Both flaws carry the maximum CVSS severity score of 10.0 and can allow attackers to upload malicious files that ultimately lead to remote code execution.  CVE-2026-48939 in iCagenda and CVE-2026-56291 in Balbooa Actively Exploited  According to the cloud-based website management platform, mySites.guru, CVE-2026-48939 has been exploited in automated attacks since June 15, 2026. The vulnerability affects the iCagenda Joomla extension through its “Submit an Event” feature, enabling attackers to upload arbitrary PHP files and execute malicious code.  “We first saw it in a client’s access log: an automated scanner identifying itself as ‘icagenda-batch/1.0’ grabbed a token, posted a malicious upload to the submit endpoint, then fetched the planted shell at the exact path the component writes attachments to,” mySites.guru said.  The flaw impacts iCagenda versions 4.0.7 and earlier in the 4.x branch, along with legacy 3.x releases from 3.2.1 through 3.9.14. Developer JoomliC addressed CVE-2026-48939 in versions 4.0.8 and 3.9.15. Administrators are advised to inspect the “images/icagenda/frontend/attachments/” directory for suspicious PHP files and remove any unauthorized uploads.  mySites.guru also reported active exploitation of CVE-2026-56291, which affects Balbooa Forms versions up to and including 2.4.0. The issue was patched in version 2.4.1.  “Up to and including version 2.4.0, its frontend attachment upload had a serious flaw: it accepted a file from any anonymous visitor, with no login, no CSRF token, and no check on the file type,” the company said. “An attacker could upload a PHP file into a public folder and then run it, which is unauthenticated remote code execution, the worst outcome a web flaw can have.”  Discovered on July 8, 2026, during an attack against one of its customers, CVE-2026-56291 prompted mySites.guru to recommend checking the default “images/baforms/uploads” directory for non-image or non-document files, reviewing Joomla administrator accounts for suspicious additions, and auditing recently modified PHP files across affected websites.  Broader CMS Exploitation Campaign Raises Concerns  Following the addition of CVE-2026-48939 and CVE-2026-56291 to the KEV catalog, Federal Civilian Executive Branch agencies have until July 13, 2026, to apply available patches.  Separately, the Australian Cyber Security Centre (ACSC) warned of a global campaign targeting vulnerable CMS platforms and plugins, including iCagenda, Balbooa, Sneeit Framework (CVE-2025-6389), WPBookit (CVE-2025-7852), Gravity Forms (CVE-2025-12352), Craft CMS (CVE-2025-32432), Ninja Forms (CVE-2026-0740), MaxSite CMS (CVE-2026-3395), Breeze Cache (CVE-2026-3844), WavePlayer (CVE-2025-12057), MetInfo CMS (CVE-2026-29014), and Joomla JCE (CVE-2026-48907).  As part of this campaign, malicious cyber actors are actively scanning websites for opportunities to deploy web shells,” ACSC said, adding that attackers are exploiting vulnerabilities enabling unauthenticated file uploads, remote code execution, server-side request forgery, and deserialization. The agency further warned that “advances in AI are accelerating the speed and scale of cyber operations, reducing the time between vulnerability disclosure and exploitation.” 

  • Ubiquiti Fixes Critical CVE-2026-50746 and Multiple UniFi OS Vulnerability Flaws
    by Ashish Khaitan on July 10, 2026 at 7:12 am

    Ubiquiti has released security updates to address several critical security flaws, led by CVE-2026-50746, a maximum-severity UniFi OS vulnerability with a CVSS score of 10.0. Published in Security Advisory Bulletin 066 on July 2, 2026, the update resolves 25 vulnerabilities affecting UniFi OS and multiple applications, including UniFi Connect, Talk, Access, Protect, and Network.  CVE-2026-50746 Tops List of Critical UniFi OS Vulnerability Patches  The most severe issue, CVE-2026-50746, affects UniFi Connect Application versions 3.4.16 and earlier. The software is used to manage commercial building operations, including smart LED lighting systems and electric vehicle chargers, from a centralized interface.  According to Ubiquiti, “A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device.”  The advisory recommends upgrading the UniFi Connect Application to version 3.4.20 or later. The flaw carries a CVSS v3.1 score of 10.0 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H and was reported by Duc Anh Nguyen (@heckintosh_).  Additional UniFi OS vulnerability fixes  Alongside CVE-2026-50746, Ubiquiti patched six additional critical vulnerabilities on Thursday. These include CVE-2026-50747 and CVE-2026-50748, affecting UniFi Talk and UniFi Access, respectively, both carrying CVSS scores of 9.9. The company also fixed CVE-2026-54402, a command injection flaw in UniFi OS; CVE-2026-55115, an SSRF vulnerability in UniFi Protect; and CVE-2026-55116, an improper access control issue that allowed unauthorized changes to affected devices. Each requires software updates to the latest supported releases.  The advisory also addresses several high-severity vulnerabilities, including CVE-2026-54401 (SSRF), CVE-2026-54403 (path traversal), CVE-2026-54404 (SQL injection), and multiple authentication bypass, privilege escalation, denial-of-service, path traversal, SQL injection, CORS, and improper access control flaws affecting UniFi OS, UniFi Network, UniFi Protect, UniFi Talk, UniFi Access, and UniFi Protect Floodlight.  Notably, Ubiquiti warned that CVE-2026-54403 can be chained with other vulnerabilities to remove the requirement for low-privileged access, increasing its exploitation potential.  Affected products include UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, Cloud Key devices, UNVR systems, ENVR platforms, UCG appliances, EF-Core, and multiple UNAS storage products running vulnerable software versions.  Ubiquiti advises customers to update UniFi OS devices to version 5.1.19 or later, where applicable, and to upgrade UniFi Talk to version 5.2.2, UniFi Access to version 4.2.29, UniFi Protect to version 7.1.83, and UniFi Network to version 10.4.57. Prompt installation of these updates is recommended to mitigate the risks associated with CVE-2026-50746 and the broader UniFi OS vulnerability disclosures. 

  • CERT Warns of Unpatched Tenda Firmware Backdoor Allowing Admin Access
    by Ashish Khaitan on July 9, 2026 at 7:13 am

    The CERT Coordination Center (CERT/CC) has disclosed a critical security issue affecting multiple Tenda networking devices. Tracked as CVE-2026-11405, the vulnerability stems from an undocumented backdoor in Tenda firmware that allows unauthenticated attackers to gain administrative access to a device’s web management interface. The flaw remains unpatched, prompting CERT to recommend immediate mitigation measures for affected users.  According to CERT, the vulnerability impacts multiple Tenda routers, switches, and other networking products. Security researchers discovered the issue within the login function of the device’s web server binary, where the authentication process contains logic that can be exploited to bypass normal login requirements.  CVE-2026-11405 Backdoor Enables Authentication Bypass  The CERT advisory explains that the authentication mechanism behaves unexpectedly after a failed login attempt. Instead of rejecting the request, the firmware retrieves a password stored in the device’s configuration.  It then compares only the password supplied by the user against the stored plaintext password. If the passwords match, the system grants administrator-level access without verifying the username.  “The associated username is not validated, so any provided username will succeed when paired with the backdoor password. This backdoor authentication mechanism is not documented or visible through any administrative interface,” CERT/CC explained.  Because of this behavior, CVE-2026-11405 allows attackers to bypass authentication entirely if they know or obtain the configured password.  CERT Recommends Mitigations as No Patch Is Available  Successful exploitation of CVE-2026-11405 could enable attackers to modify device configurations, change network settings, and disable security features. CERT warns that these capabilities could ultimately result in the compromise of a local network. The organization also stated that it was unable to coordinate disclosure of the vulnerability with Tenda, and no security update has been released to address the flaw. Until a patch becomes available, CERT advises users to disable remote web management to block unauthorized external access. It also recommends changing the default LAN IP address to reduce the likelihood of devices being identified by automated scanning tools. CERT Also Discloses Unpatched HP Printer Flaw  On Tuesday, CERT/CC disclosed another unpatched vulnerability affecting HP DeskJet 2800 series printers running firmware versions up to TBP1CN2612AR. The issue, tracked as CVE-2026-13753, is a missing authorization flaw that exposes sensitive administrative information. According to CERT, attackers can send unauthenticated GET requests to multiple backend API endpoints, which return administrator configuration data without validating authentication or session state. The exposed information includes the Wi-Fi Direct SSID, plaintext passphrase, unique printer serial numbers, service IDs, and administrative password state details. CERT/CC summarized the risk, stating, “This vulnerability allows unauthenticated access to the printer’s webserver API endpoints, exposing Wi-Fi credentials, management configuration details, and sensitive security data normally restricted to administrative users.”

  • Wireshark 4.6.7 Fixes 12 Security Issues Across SSH, IEEE 802.11, Catapult DCT2000 and Other Protocols
    by Ashish Khaitan on July 9, 2026 at 6:18 am

    The latest Wireshark 4.6.7 maintenance release addresses twelve security vulnerabilities that could affect users analyzing network traffic. Since packet captures processed in Wireshark pass through numerous protocol dissectors, malformed packets or capture files can trigger unexpected software behavior. The update strengthens security by fixing issues across several protocol parsers, including Catapult DCT2000, SSH, IEEE 802.11, and other components involved in packet analysis.  Wireshark Security Fixes Cover Multiple Protocol Dissectors  Most of the twelve patched vulnerabilities involve software crashes caused by crafted packets or capture files. These flaws could force protocol dissectors to read beyond allocated memory or access invalid memory locations, causing Wireshark to terminate unexpectedly.  The affected components include dissectors for Catapult DCT2000, SSH, IEEE 802.11, Z39.50, and UMTS FP. Security updates also cover the pcapng capture file reader and the DBS Etherwatch file parser, reducing risks when opening specially crafted capture files.  Some vulnerabilities functioned differently from memory-related crashes. The FMP/NOTIFY dissector could enter a lengthy processing loop when handling specific inputs, while another advisory grouped several dissectors capable of becoming stuck in infinite loops. Additionally, the BLF file parser contained an information disclosure issue that could expose data beyond the intended memory boundaries in decoded output. Separate crash vulnerabilities were also resolved in the TLS ECH decryption path and the CiscoDump extcap helper.  Additional Bug Fixes Improve Wireshark Stability  Alongside the security updates, Wireshark 4.6.7 resolves sixteen non-security bugs affecting stability and usability.  One significant fix addresses a use-after-free issue in the Ethernet POWERLINK dissector that occurred during a profile-loading error. Another eliminates a heap-buffer-overflow in the Android Logcat parser.  The release also resolves several user-facing issues. Systems configured for Dutch were incorrectly displaying the Wireshark interface in German. An IPv6 ping generated by Debian and some other operating systems was mistakenly identified as HiPerConTracer traffic.  Developers also corrected a problem in the HEVC video dissector, where certain packets were incorrectly marked as malformed due to an improper bit offset advancement. Another fix prevents heap corruption that could crash the application when loading the most recent saved recent_common file.  Updated extcap Binary Location for Plugin Developers  The release also documents a packaging change introduced in Wireshark 4.6.0 that was previously left out of the official release notes. On UNIX-like systems, Wireshark now searches for extcap helper binaries in the libexec directory by default, such as /usr/libexec/wireshark/extcap. This location aligns with the standard placement for helper executables that do not require the multiarch handling used for shared libraries.  The bundled extcap utilities already use the updated directory, although third-party extcap packages may require adjustments to remain compatible. Developers can override the default search path by setting the WIRESHARK_EXTCAP_DIR environment variable. The documentation also notes that distributions without a libexec directory, including Alpine Linux, will continue using the previous binary location. 

Share Websitecyber
We are an ethical website cyber security team and we perform security assessments to protect our clients.