Security Headlines

Tag: #rce

ABB Cylon FLXeon 9.3.4 (upload.js) Authenticated Root Remote Code Execution

The ABB Cylon FLXeon BACnet controller is vulnerable to an authenticated root command injection. An attacker can exploit the Backup-Restore feature via the /api/upload endpoint to execute arbitrary system commands as root. The issue arises due to improper input validation in upload.js, where user-supplied input is passed to ChildProcess.exec() without adequate sanitization, allowing command injection via the filename parameter.

Source: Zero Science Lab
Tags: #vulnerability #web #linux #nodejs #js #intel #rce #pdf #auth

ABB Cylon FLXeon 9.3.4 (cmds.js) Authenticated Root Remote Code Execution

The ABB Cylon FLXeon BAS controller is vulnerable to authenticated root command execution via the cmds API. An authenticated attacker can execute arbitrary system commands with root privileges.

ABB Cylon FLXeon 9.3.4 (login.js) Unauthenticated Root Remote Code Execution

The ABB Cylon FLXeon (BACnet) controller suffers from an unauthenticated remote code execution vulnerability with root privileges. Input passed through the login.js script for the password JSON parameter allows out-of-band command injection.

Lightning AI Studio Vulnerability Allowed RCE via Hidden URL Parameter

Cybersecurity researchers have disclosed a critical security flaw in the Lightning AI Studio development platform that, if successfully exploited, could allow for remote code execution. The vulnerability, rated a CVSS score of 9.4, enables "attackers to potentially execute arbitrary commands with root privileges" by exploiting a hidden URL parameter, application security firm Noma said in a […]

Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances. "When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week. The […]

PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?

While Microsoft has boosted the security of Windows Print Spooler in the three years since the disclosure of the PrintNightmare vulnerability, the service remains a spooky threat that organizations cannot afford to ignore.

Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution

A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0. "Due to a flaw in the multi-line SNMP result parser, authenticated users can inject […]

New TorNet Backdoor Exploits TOR Network in Advanced Phishing Attack

Advanced phishing campaign targets Poland and Germany, delivering Agent Tesla, Snake Keylogger and newly identified TorNet backdoor via…

About Remote Code Execution – 7-Zip (CVE-2025-0411) vulnerability

7-Zip is a popular, free, open-source archiver widely used by organizations as a standard tool for managing archives. The vulnerability is a bypass of the Mark-of-the-Web mechanism. 🔹 If you download and run a suspicious executable file on Windows, Microsoft Defender’s SmartScreen will block it from executing […]

Schneider Electric RemoteConnect and SCADAPack x70 Utilities

1. EXECUTIVE SUMMARY
CVSS v4 8.5
ATTENTION: Low Attack Complexity
Vendor: Schneider Electric
Equipment: Electric RemoteConnect and SCADAPack x70 Utilities
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION
Successful exploitation of this vulnerability could lead to loss of confidentiality, integrity, and potential remote code execution on the workstation when a non-admin authenticated user opens a malicious project file.

3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
RemoteConnect: All versions
SCADAPack™ x70 Utilities: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
A deserialization of untrusted data vulnerability exists that could lead to loss of confidentiality, integrity, and potential remote code execution on the workstation when a non-admin authenticated user opens a malicious project file. CVE-2024-12703 has been assigned to this vulnerability. A CVSS v3 ...