A new command injection vulnerability in OpenSSH, tracked as CVE-2025-61984, has been disclosed, which could allow an attacker to achieve remote code execution on a victim's machine. The vulnerability is a bypass of a previous fix for a similar issue (CVE-2023-51385) and exploits how the ProxyCommand feature interacts with the underlying system shell when handling
submitted by /u/dx7r__ [link] [comments]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution. "
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog , based on evidence of active exploitation. CVE-2014-6278 GNU Bash OS Command Injection Vulnerability CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability These types of vulnerabilities...
In late September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued a public alert regarding the active exploitation of a critical command injection vulnerability tracked as CVE-2025-59689 in Libraesva Email Security Gateway (ESG) devices. This flaw has rapidly emerged as a favored target for threat actors due to its ease of exploitation and the
Western Digital has released firmware updates for multiple My Cloud NAS models to patch a critical-severity vulnerability that could be exploited remotely to execute arbitrary system commands.
Security researchers are observing a significant increase in internet-wide scans targeting the critical PAN-OS GlobalProtect vulnerability (CVE-2024-3400). Exploit attempts have surged as attackers seek to leverage an arbitrary file creation flaw to achieve OS command injection and ultimately full root code execution on vulnerable firewalls. Exploitation of Critical PAN-OS SSL VPN Flaw (CVE-2024-3400) Since late
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION : Exploitable remotely/low attack complexity Vendor : Megasys Enterprises Equipment : Telenium Online Web Application Vulnerability : OS Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the security context of the web application service...
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog , based on evidence of active exploitation. CVE-2021-21311 Adminer Server-Side Request Forgery Vulnerability CVE-2025-20352 Cisco IOS and IOS XE Stack-based Buffer Overflow Vulnerability CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability CVE-2025-59689 Libraesva Email Security Gateway Command Injection Vulnerability CVE-2025-32463 Sudo Inclusion of Functionality from...
A sophisticated botnet operation has emerged, employing a Loader-as-a-Service model to systematically weaponize internet-connected devices across the globe. The campaign exploits SOHO routers, IoT devices, and enterprise applications through command injection vulnerabilities in web interfaces, demonstrating an alarming evolution in cybercriminal tactics. The malicious infrastructure operates by targeting unsanitized POST parameters in network management fields
A critical, perfect 10.0 CVSS score vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) solution was actively exploited as a zero-day at least a week before the company released a patch. The vulnerability, tracked as CVE-2025-10035, is a command injection flaw that allows for unauthenticated remote code execution. Security firm watchTowr reported credible evidence of
Libraesva has issued an emergency patch for a significant command injection vulnerability in its Email Security Gateway (ESG) after confirming state-sponsored hackers exploited it. The flaw, identified as CVE-2025-59689, allowed attackers to execute arbitrary commands by sending a malicious email with a specially crafted compressed attachment. The company responded by deploying an automated fix to
Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689, carries a CVSS score of 6.1, indicating medium severity. "Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a
submitted by /u/digicat [link] [comments]
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION : Low attack complexity Vendor : Viessmann Equipment : Vitogate 300 Vulnerabilities : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Client-Side Enforcement of Server-Side Security 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to modify an intended OS command when it is sent to a downstream component, or allow an attacker to cause unexpected interactions...
A vulnerability has been discovered in GoAnywhere Managed File Transfer (MFT) which could allow for Command Injection. GoAnywhere Managed File Transfer (MFT) is an enterprise-level software solution for securely automating, managing, and tracking all organizational file transfers, whether server-to-server or person-to-person. Successful exploitation of this vulnerability could allow an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object,...
Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's License Servlet that can be exploited in command injection attacks.
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.8 ATTENTION : Low Attack Complexity Vendor : Schneider Electric Equipment : Saitel DR RTU Vulnerabilities : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary shell commands on the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are...
View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION : Exploitable remotely Vendor : Westermo Network Technologies Equipment : WeOS 5 Vulnerability : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker with administrative permissions to execute commands that would typically be inaccessible. This could allow the execution of commands with privileges beyond those...
arXiv:2509.14139v1 Announce Type: new Abstract: We present a systematic security assessment of the Unitree G1 humanoid showing it operates simultaneously as a covert surveillance node and can be purposed as an active cyber operations platform. Partial reverse engineering of Unitree's proprietary FMX encryption reveal a static Blowfish-ECB layer and a predictable LCG mask-enabled inspection of the system's otherwise sophisticated security architecture, the most mature we have observed in...