Authentication Bypass
Researcher to release exploit for full auth bypass on FortiWeb
A security researcher has released a partial proof of concept exploit for a vulnerability in the FortiWeb web application firewall that allows a remote attacker to bypass authentication. The flaw was reported responsibly to Fortinet and is now tracked as CVE-2025-52970. Fortinet released a fix on August 12. Security researcher Aviv Y named the vulnerability FortMajeure and describes it as […]
Mitel warns of critical MiVoice MX-ONE authentication bypass flaw
Mitel Networks has released security updates to patch a critical-severity authentication bypass vulnerability impacting its MiVoice MX-ONE enterprise communications platform. MX-ONE is the company’s SIP-based communications system, which can scale to support hundreds of thousands of users. The critical security flaw is due to an improper access control weakness discovered in the MiVoice MX-ONE Provisioning […]
Citrix warns of login issues after NetScaler auth bypass patch
Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks may also break login pages on NetScaler ADC and Gateway appliances. This happens because starting with NetScaler 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header, which mitigates risks associated with cross-site scripting (XSS), code injection, and […]
Over 1,200 Citrix servers unpatched against critical auth bypass flaw
Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers […]
Cisco warns of max severity RCE flaws in Identity Services Engine
Cisco has published a bulletin to warn about two critical, unauthenticated remote code execution (RCE) vulnerabilities affecting Cisco Identity Services Engine (ISE) and the Passive Identity Connector (ISE-PIC). The flaws, tracked under CVE-2025-20281 and CVE-2025-20282, are rated with max severity (CVSS score: 10.0). The first impacts ISE and ISE-PIC versions 3.4 and 3.3, while the second affects only […]
CISA: AMI MegaRAC bug enabling server hijacks exploited in attacks
CISA has confirmed that a maximum severity vulnerability in AMI’s MegaRAC Baseboard Management Controller (BMC) software is now actively exploited in attacks. The MegaRAC BMC firmware provides remote system management capabilities for troubleshooting servers without being physically present, and it’s used by several vendors (including HPE, Asus, and ASRock) that supply equipment to cloud service […]
Trend Micro fixes critical vulnerabilities in multiple products
Trend Micro has released security updates to address multiple critical-severity remote code execution and authentication bypass vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products. The security vendor underlines that it has seen no evidence of active exploitation in the wild for any of them. However, immediate application of the security updates […]
Critical Fortinet flaws now exploited in Qilin ransomware attacks
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely. Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the “Agenda” name and has since claimed responsibility for over 310 victims on its dark […]
Hewlett Packard Enterprise warns of critical StoreOnce auth bypass
Hewlett Packard Enterprise (HPE) has issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution. Among the flaws fixed this time is a critical severity (CVSS v3.1 score: 9.8) authentication bypass vulnerability tracked under CVE-2025-37093, three remote code execution bugs, two directory traversal problems, and a server-side request forgery issue. The […]
Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems. Three security issues, two of them critical, were publicly disclosed by researchers at the vulnerability management firm ProjectDiscovery after reporting them to the vendor and receiving no confirmation of the bugs being addressed. Versa […]