‘NsaRescueAngel’ Backdoor Account Again Discovered in Zyxel Products

June 5, 2024 at 08:00AM Taiwan-based networking device manufacturer Zyxel warned of three critical-severity vulnerabilities in discontinued NAS products, allowing command injection and arbitrary code execution without authentication. Despite reaching the end of vulnerability support, patches were made available for impacted products NAS326 and NAS542. Exploitation could lead to persistent root access, requiring immediate firmware …

TP-Link fixes critical RCE bug in popular C5400X gaming router

May 27, 2024 at 03:19PM The TP-Link Archer C5400X gaming router faced a critical security risk, enabling remote attackers to execute unauthorized commands. The flaw, tracked as CVE-2024-5035, was identified through static analysis and affected TCP ports 8888, 8889, and 8890. TP-Link has released a firmware update to address this vulnerability, advising all users to …

Palo Alto Networks Warns of Exploited Firewall Vulnerability

April 12, 2024 at 07:36AM Palo Alto Networks warns of a severe OS command injection vulnerability (CVE-2024-3400) in PAN-OS GlobalProtect, allowing arbitrary code execution with root privileges on affected firewalls. Remediation patches are expected by the end of the week. Customers are advised to check and apply mitigations to prevent exploitation. Volexity is credited for …

‘BatBadBut’ Command Injection Vulnerability Affects Multiple Programming Languages

April 12, 2024 at 07:36AM Multiple programming languages are affected by a serious vulnerability, ‘BatBadBut’, allowing command injection in Windows applications, due to improper escape of command arguments when executing batch files. The flaw, affecting languages’ runtimes, enables attackers to inject commands into Windows applications. Some affected languages have issued patches, but successful exploitation requires …

Rust rustles up fix for 10/10 critical command injection bug on Windows

April 10, 2024 at 09:20AM A critical vulnerability CVE-2024-24576 in Rust’s standard library can lead to malicious command injections on Windows. Attackers can execute arbitrary shell commands by bypassing the escaping of arguments passed to the spawned process. The issue, also affecting other technologies, requires updating to Rust version 1.77.2 and raises concerns about application …

Critical Rust flaw enables Windows command injection attacks

April 9, 2024 at 04:24PM A critical security vulnerability, tracked as CVE-2024-24576, allows threat actors to exploit Rust’s standard library to execute malicious commands on Windows systems. GitHub rates this flaw with a maximum CVSS base score of 10/10. The Rust security team faced challenges in resolving the issue, prompting an urge from the White …

Critical Vulnerability in Progress Flowmon Allows Remote Access to Systems

April 4, 2024 at 08:30AM Progress Software has released patches for a critical vulnerability in its widely used network monitoring and security solution, Flowmon, which could allow remote, unauthenticated attackers to gain access to systems. Tracked as CVE-2024-2389 with the highest severity rating, the bug was fixed in versions 11.1.14 and 12.3.5. Users should update …

QNAP vulnerability disclosure ends up an utter shambles

February 13, 2024 at 03:05PM QNAP has disclosed and patched two vulnerabilities, including a zero-day, affecting its NAS devices. The severity of the issues is disputed, with QNAP rating one as mid-level and Unit 42 as a critical threat. The vulnerabilities can lead to remote code execution and affect numerous devices, with specific patch recommendations …

Major Security Flaws in Zyxel Firewalls, Access Points, NAS Devices

November 30, 2023 at 12:06PM Zyxel has issued patches for over 15 security vulnerabilities in its firewalls, access points, and NAS devices, mitigating risks of authentication bypass, command injection, and DoS attacks. Meeting Takeaways: 1. **Zyxel Security Update**: Zyxel has implemented patches for at least 15 security vulnerabilities. 2. **Types of Vulnerabilities Addressed**: – **Authentication …

CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

November 17, 2023 at 01:06AM The U.S. CISA has added three security flaws to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The vulnerabilities include a Microsoft Windows security bypass, a Sophos command injection, and an unspecified Oracle vulnerability. A critical command injection bug has also been disclosed in FortiSIEM report server. …