Posts

Showing posts with the label Vulnerability

Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS

Apple on Tuesday released its first round of Background Security Improvements to address a security flaw in WebKit that affects iOS, iPadOS, and macOS. The vulnerability, tracked as CVE-2026-20643 (CVSS score: N/A), has been described as a cross-origin issue in WebKit's Navigation API that could be exploited to bypass the same-origin policy when processing maliciously crafted web content. The flaw affects iOS 26.3.1, iPadOS 26.3.1, macOS 26.3.1, and macOS 26.3.2. It has been addressed with improved input validation in iOS 26.3.1 (a), iPadOS 26.3.1 (a), macOS 26.3.1 (a), and macOS 26.3.2 (a). Security researcher Thomas Espach has been credited with discovering and reporting the shortcoming. Apple notes that Background Security Improvements are meant for delivering lightweight security releases for components such as the Safari browser, WebKit framework stack, and other system libraries through smaller, ongoing security patches rather than issuin...

Critical Unpatched Telnetd Flaw (CVE-2026-32746) Enables Unauthenticated Root RCE via Port 23

Cybersecurity researchers have disclosed a critical security flaw impacting the GNU InetUtils telnet daemon (telnetd) that could be exploited by an unauthenticated remote attacker to execute arbitrary code with elevated privileges. The vulnerability, tracked as CVE-2026-32746, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of out-of-bounds write in the LINEMODE Set Local Characters (SLC) suboption handler that results in a buffer overflow, ultimately paving the way for code execution. Israeli cybersecurity company Dream, which discovered and reported the flaw on March 11, 2026, said it affects all versions of the Telnet service implementation through 2.7. A fix for the vulnerability is expected to be available no later than April 1, 2026. "An unauthenticated remote attacker can exploit this by sending a specially crafted message during the initial connection handshake — before any login prompt appears," Dream said in an alert. "Success...

Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days

Microsoft on Tuesday released patches for a set of 84 new security vulnerabilities affecting various software components, including two that have been listed as publicly known. Of these, eight are rated Critical, and 76 are rated Important in severity. Forty-six of the patched vulnerabilities relate to privilege escalation, followed by 18 remote code execution, 10 information disclosure, four spoofing, four denial-of-service, and two security feature bypass flaws. The fixes are in addition to 10 vulnerabilities that have been addressed in its Chromium-based Edge browser since the release of the February 2026 Patch Tuesday update. The two publicly disclosed zero-days are CVE-2026-26127 (CVSS score: 7.5), a denial-of-service vulnerability in .NET, and CVE-2026-21262 (CVSS score: 8.8), an elevation of privilege vulnerability in SQL Server. The vulnerability with the highest CVSS score in this month's update is a critical remote co...

Privilege Escalation Vulnerability Discovered in Microsoft Entra ID

A critical vulnerability in Microsoft Entra ID has been uncovered, allowing attackers to escalate privileges to the Global Administrator role by abusing built-in first-party applications and federated domain configurations. The flaw affects organizations running hybrid Active Directory environments with federated domains, opening a stealthy path to full tenant compromise.

Discovery and Impact

The vulnerability, discovered by Datadog security researchers and reported to the Microsoft Security Response Center (MSRC) in January 2025, enables privilege escalation through the misuse of the Office 365 Exchange Online service principal (Client ID: 00000002-0000-0ff1-ce00-000000000000). Attackers with Cloud Application Administrator, Application Administrator, or Application.ReadWrite.All permissions can hijack the Exchange Online service principal’s Domain.ReadWrite.All permission. This allows them to: Add a new federated domain to the tenant. Forge SAML tokens as any ...

New HTTP/2 Bypass Allows Malicious Cross-Site Scripting Attacks

New research reveals two attack vectors that bypass web security and exploit fundamental flaws in HTTP/2 implementations.

In a groundbreaking revelation at the Network and Distributed System Security (NDSS) Symposium 2025, researchers from Tsinghua University have uncovered a critical vulnerability in the HTTP/2 protocol that could allow attackers to bypass traditional web security protections and execute arbitrary cross-site scripting (XSS) attacks on major websites.

What’s the Vulnerability?

The vulnerability centers around two new attack techniques—dubbed "CrossPUSH" and "CrossSXG"—that exploit weaknesses in two key features of the HTTP/2 protocol: Server Push and Signed HTTP Exchanges (SXG). These attacks allow malicious actors to bypass the Same-Origin Policy (SOP), a security mechanism designed to keep malicious scripts from accessing sensitive data across different domains. By taking advantage of shared TLS certificates and manipulating HTTP/2 au...

Hello Kitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a report published Wednesday. "Based on the ransom note and available evidence, we attribute the activity to the HelloKitty ransomware family, whose source code was leaked on a forum in early October." The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It's worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.1...

Researchers Find 34 Windows Drivers Vulnerable to Full Device Takeover

Nov 02, 2023. As many as 34 unique vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers could be exploited by non-privileged threat actors to gain full control of the devices and execute arbitrary code on the underlying systems. "By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate [operating system] privileges," Takahiro Haruyama, a senior threat researcher at VMware Carbon Black, said. The research expands on previous studies, such as ScrewedDrivers and POPKORN, that utilized symbolic execution for automating the discovery of vulnerable drivers. It specifically focuses on drivers that contain firmware access through port I/O and memory-mapped I/O. The names of some of the vulnerable drivers include AODDriver.sys, ComputerZ.sys, dellbios.sys, GEDevDrv.sys, GtcKmdfBs.sys, IoAccess.sys, kerneld.amd64, ...

Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks

Patches have been released to address two new security vulnerabilities in Apache Superset that could be exploited by an attacker to gain remote code execution on affected systems. The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset's metadata database. Outside of these weaknesses, the latest version of Superset also remediates a separate improper REST API permission issue (CVE-2023-36388) that allows for low-privilege users to carry out server-side request forgery (SSRF) attacks. "Superset by design allows privileged users to connect to arbitrary databases and execute arbitrary SQL queries against those databases using the powerful SQLLab interface," Horizon3.ai's Naveen Sunkavally said in a technical write-up. "If Superset can be tricked into connecting to its own metadata database, an attacker can directly read or write a...