#remote-code-execution

#remote-code-execution

Ivanti has addressed five vulnerabilities in Endpoint Manager Mobile (EPMM). One of them, CVE-2026-6973, is being actively exploited by attackers with admin privileges. The Dutch NCSC has set the advisory to "high" priority and expects proof-of-concept code to appear soon, increasing the risk of widespread exploitation. Ivanti reports that the exploitation affected only a small number of users. Customers who already updated their login credentials in January are at significantly lower risk.

Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.

[In] ShowDoc version before 2.8.7, an unrestricted and unauthenticated file upload issue is found and [an] attacker is able to upload a web shell and execute arbitrary code on server.

This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.

A malicious unauthenticated actor may exploit this issue to execute arbitrary commands which may lead to remote code execution in VMware Aria Operations while support-assisted product migration is in progress. CISA added CVE-2026-22719 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, instructing federal agencies to address it by March 24.

The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port. With the ability to access and manipulate the service to execute code as root a remote attacker can take complete control of the device.

According to CISA, Gardyn products were affected by two critical and two high-severity vulnerabilities. One of the critical flaws, tracked as CVE-2025-29631, is a command injection issue that can be exploited to execute arbitrary OS commands on the targeted device. The second critical vulnerability, CVE-2025-1242, is related to the exposure of hardcoded admin credentials that can be used to gain full control of the Gardyn IoT Hub.

An attacker could exploit the flaw via crafted UPnP SOAP requests to execute OS commands on a vulnerable device. It is important to note that WAN access is disabled by default on these devices, and the attack can be carried out remotely only if both WAN access and the vulnerable UPnP function have been enabled.

The Microsoft Defender team says that the attacker created fake web app projects built with Next.js and disguised them as coding projects to share with developers during job interviews or technical assessments. The researchers initially identified a repository hosted on the Bitbucket cloud-based Git-based code hosting and collaboration service. However, they discovered multiple repositories that shared code structure, loader logic, and naming patterns.

Google credits security researcher Shaheen Fazim with reporting the exploit to Google. The dude's LinkedIn says he's a professional bug hunter, and I'd say he deserves the highest possible bug bounty for finding something that a government agency is saying "in CSS in Google Chrome before 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page."

CVE-2025-65717 (CVSS score: 9.1) - A vulnerability in Live Server that allows attackers to exfiltrate local files, tricking a developer into visiting a malicious website when the extension is running, causing JavaScript embedded in the page to crawl and extract files from the local development HTTP server that runs at localhost:5500, and transmit them to a domain under their control. (Remains unpatched)

Microsoft has fixed a serious security vulnerability affecting Markdown files in Notepad. In the company's Tuesday patch notes, Microsoft says a bad actor could carry out a remote code execution attack by tricking users "into clicking a malicious link inside a Markdown file opened in Notepad," as reported earlier by The Register. Clicking the link would "launch unverified protocols," allowing attackers to remotely load and execute malicious files on a victim's computer, according to the patch notes.

Claude Desktop Extensions, recently renamed MCP Bundles, are packaged applications that extend the capabilities of Claude Desktop using the Model Context Protocol, a standard way to give generative AI models access to other software and data. Stored as .dxt files (with Anthropic transitioning the format to .mcpb), they are ZIP archives that package a local MCP server alongside a manifest.json file describing the extension's capabilities.

LayerX researchers found that a single malicious Google Calendar event can trigger remote code execution on Claude Desktop systems, enabling silent takeover at scale. "If exploited by a bad actor, even a benign prompt ("take care of it"), coupled with a maliciously worded calendar event, is sufficient to trigger arbitrary local code execution that compromises the entire system," said LayerX researchers in their analysis.

Security experts have discovered tens of thousands of unsecured OpenClaw instances. The AI agents run vulnerable software versions and offer attackers access to systems. More than 12,000 instances are vulnerable to remote code execution. Researchers at SecurityScorecard have exposed a major security problem for the rapidly growing OpenClaw. Through internet scans, the team identified 28,663 unique IP addresses with exposed OpenClaw control panels spread across 76 countries.