On April 13, 2026, the vulnerability identified as CVE-2026-21643 was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This inclusion is not routine—it signals confirmed attacker activity and indicates that exploitation is no longer theoretical. Threat actors are already leveraging this weakness to target organizations, making immediate remediation critical.

Understanding the Vulnerability

The flaw exists in FortiClient Enterprise Management Server (EMS), a centralized platform used by organizations to manage endpoint security, enforce policies, and monitor device compliance. Because EMS sits at the core of endpoint control, any compromise can have far-reaching consequences across the entire network.

Technically, this issue is classified as a SQL injection vulnerability (CWE-89). It arises when user-supplied input is not properly validated before being processed by the backend database. Attackers can exploit this weakness by sending specially crafted HTTP requests that manipulate database queries and execute unintended commands.

What elevates the severity of this vulnerability is its unauthenticated nature. An attacker does not need valid credentials or prior access to the environment. If the EMS instance is exposed to the internet, it becomes a direct target. By simply interacting with the vulnerable interface, an attacker can execute arbitrary commands on the system.

Real-World Risk and Exploitation Impact

The ability to execute code remotely without authentication places this vulnerability in the highest risk category. Once exploited, attackers can gain control over the EMS server, which often acts as a central authority for endpoint devices within an organization.

This level of access can enable attackers to move laterally across the network, deploy malicious payloads, manipulate endpoint configurations, or establish persistent backdoors. In many environments, EMS servers are trusted systems, which makes them an ideal pivot point for deeper compromise.

Although there is no confirmed evidence yet linking this vulnerability to ransomware campaigns, the attack pattern aligns closely with how ransomware operators typically gain initial access. Vulnerabilities that allow remote execution without authentication are frequently weaponized early in attack chains.

Why Immediate Action Is Critical

CISA’s KEV listing is a clear indicator that organizations cannot afford delays. The window between public disclosure and widespread exploitation is often extremely short, and in this case, that window has already closed.

Organizations should treat this as an active incident risk rather than a routine patching task. Security teams are strongly advised to prioritize this vulnerability above regular update cycles and respond with urgency.

• Apply the latest Fortinet security patches immediately
• Review system and application logs for unusual or malformed HTTP requests
• Monitor for signs of unauthorized access or unexpected command execution
• Follow all mitigation guidance provided by Fortinet
• Disable or isolate affected systems if patching cannot be completed right away

Under Binding Operational Directive 22-01, U.S. federal agencies are required to remediate this vulnerability by April 16, 2026. This aggressive timeline reflects the severity of the threat and should serve as a benchmark for private organizations as well.

Final Thoughts

This vulnerability highlights a recurring issue in modern enterprise security—critical systems exposed to the internet without sufficient protection layers. When combined with an unauthenticated exploit, even a single overlooked patch can lead to full-scale compromise.

Organizations that rely on Fortinet EMS must act immediately, not only to patch the vulnerability but also to validate that their systems have not already been targeted. Proactive monitoring, rapid patching, and strict access controls remain essential in defending against threats of this nature.

In the current threat landscape, speed is not just an advantage—it is a necessity.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post CISA Alerts on Active Fortinet SQL Injection Exploit appeared first on First Hackers News.

Tracked as CVE-2025-53521, the flaw impacts the Access Policy Manager (APM) component and could allow remote code execution. While detailed technical information has not yet been fully disclosed, the nature of the vulnerability makes it particularly dangerous. BIG-IP devices often sit at the edge of networks, handling authentication, traffic management, and secure application delivery — making them a prime target for attackers seeking initial access.

CISA’s decision to add this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog is a clear indicator that organizations cannot afford to delay response. This is not a theoretical risk — threat actors are already leveraging it. Historically, similar vulnerabilities in BIG-IP systems have been quickly adopted by both financially motivated attackers and advanced threat groups because compromising these devices can provide deep visibility and control over network traffic.

Why This Vulnerability Matters

What makes this issue more concerning is the potential ease of exploitation. Even without full public disclosure, vulnerabilities that enable remote code execution are often rapidly weaponized. Once exploited, attackers can move laterally across the network, escalate privileges, and potentially access sensitive data.

Edge infrastructure like BIG-IP plays a critical role in enterprise environments. When such systems are compromised, they can act as a gateway for broader attacks. This aligns with a growing trend where attackers focus on perimeter devices rather than traditional endpoints, as these systems offer higher impact with less resistance.

Immediate Actions for Security Teams

Organizations using F5 BIG-IP products should treat this vulnerability as a high-priority security event and respond without delay.

• Apply vendor-provided patches or mitigation steps immediately
• If fixes are unavailable, restrict or temporarily disable affected services
• Continuously monitor logs for unusual administrative actions or configuration changes
• Enforce strict access controls and reduce unnecessary exposure
• Implement network segmentation to limit potential spread after compromise

In addition to these steps, security teams should remain vigilant for evolving attack techniques, as exploitation methods may become more sophisticated over time.

Final Thoughts

The rapid inclusion of CVE-2025-53521 in the KEV catalog highlights an ongoing shift in attacker strategy — targeting critical infrastructure components that sit at the heart of enterprise networks. Organizations must move beyond reactive security and adopt a proactive approach that prioritizes visibility, rapid patching, and strong access controls.

Delaying action in cases like this significantly increases the risk of widespread compromise. For organizations relying on BIG-IP systems, the message is clear: act fast, monitor closely, and assume attackers are already attempting to exploit this weakness.

The post Active Exploitation of F5 BIG-IP Vulnerability Raises Urgency appeared first on First Hackers News.

DarkSword iOS chain exposes serious Apple security risk

What makes this campaign especially dangerous is the way the vulnerabilities can be chained together to move from initial access to deep system control. Instead of relying on a typical malware download, the attack can begin when a victim simply opens malicious web content through Safari or an in-app browser. That first stage gives attackers a foothold, which can then be expanded through additional flaws that target kernel memory and shared system processes.

This multi-step technique is what gives the DarkSword iOS chain its strength. One flaw is used to trigger memory corruption through crafted web content, another allows direct interaction with kernel memory, and a third helps attackers manipulate memory shared between active processes. When combined, these weaknesses can give threat actors a powerful path to compromise the device at a much deeper level than a standard application-level attack.

The vulnerabilities linked to this activity include:

• CVE-2025-31277 — a memory corruption vulnerability triggered through malicious web content
• CVE-2025-43520 — a classic buffer overflow flaw that may allow writes to kernel memory
• CVE-2025-43510 — an improper locking issue that can affect shared memory between processes

The reach of this threat is broad because it affects multiple Apple platforms, including iPhone, iPad, Mac, Apple Watch, Apple TV, and Vision Pro devices. That wide impact makes the issue important not only for individual users but also for enterprises managing mixed Apple environments. A single unpatched device could become an entry point for a more serious compromise, especially in organizations that depend heavily on mobile access and Apple endpoints.

Another reason this warning stands out is the stealth of the attack path. Since the initial trigger can come from normal-looking web content, users may not realize anything suspicious has happened. There may be no obvious file download, no fake installer, and no immediate sign that the device has been targeted. That lowers the barrier for exploitation and increases the importance of rapid patching.

At this stage, there is no public confirmation that the DarkSword chain is being used in ransomware attacks. Still, the level of access these flaws can provide makes them highly attractive for advanced threat actors seeking persistence, surveillance, credential access, or follow-on compromise. In practical terms, this is the kind of exploit chain that can support much more than a one-off intrusion.

CISA has set an April 3, 2026 remediation deadline for federal agencies under Binding Operational Directive 22-01. While that formal requirement applies to government networks, the broader message is clear: organizations and individual users should not delay updates. Security teams should make sure Apple devices are running the latest available software, verify patch coverage across managed assets, and remove or isolate systems that cannot be updated quickly.

For defenders, the bigger lesson is that exploit chains like DarkSword show how modern attacks are no longer built around a single bug. They are built around combinations of weaknesses that, together, can bypass normal security assumptions. That is exactly why timely patching, asset visibility, and strong device management remain essential.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

The post DarkSword iOS Chain: CISA Warns of Exploited Apple Vulnerabilities appeared first on First Hackers News.

This is a strong signal for organizations to act immediately. Systems exposed to the internet, especially file transfer servers, are high-value targets because they often handle sensitive business data and provide a direct entry point into internal networks.

Technical Details and Mitigation Steps

The vulnerability, tracked as CVE-2025-47813, is an information disclosure issue caused by improper handling of user-supplied input. Specifically, when an attacker sends an unusually large value in the UID cookie, the server fails to handle the request securely and returns detailed error messages.

These error responses can unintentionally reveal internal system details such as file paths, configurations, or backend logic. While this does not directly allow code execution, it significantly lowers the barrier for attackers by giving them insight into how the system works, which can be used to plan targeted attacks or bypass protections.

Because this vulnerability is now listed in the KEV catalog, it is confirmed to be under active exploitation, increasing the urgency for remediation.

‍Follow Us on:Linkedin, Instagram, Facebook to get the latest security news!

Organizations should take the following actions without delay:

• Apply the latest security patches or updates provided by the vendor
• Review and follow infrastructure security guidance for exposed services
• Avoid processing untrusted input without proper validation and error handling
• Temporarily disable or restrict access to the server if patching is not possible

Federal agencies are expected to address this issue within a strict timeline, and private organizations are strongly advised to follow the same urgency.

Overall, even though this is categorized as an information disclosure flaw, its real risk lies in enabling deeper, more targeted attacks. Immediate patching, proper input handling, and limiting exposure are essential to reducing the attack surface.

The post CISA Alerts Active Exploitation of Wing FTP Vulnerability appeared first on First Hackers News.

The flaw, tracked as CVE-2025-61757, affects Oracle Identity Manager, a core component of Oracle Fusion Middleware. CISA has classified it as a “missing authentication for critical function” issue, which enables remote, unauthenticated attackers to access privileged functionality. Successful exploitation can lead to remote code execution (RCE) and full compromise of the identity platform.

Vulnerability Summary -CVE-2025-61757

Impact on Identity and Access Management Environments

Oracle Identity Manager—also known as Oracle Identity Governance—is widely deployed across enterprise and government environments to manage user accounts, credentials, and access rights.
Because identity platforms sit at the center of authentication workflows, a compromise can quickly escalate to domain-wide or cloud-wide access.

Security researchers from Searchlight Cyber’s Assetnote team discovered that several REST API endpoints in Oracle Identity Manager failed to enforce proper authentication.

By manipulating how the product handles URL patterns and filters, attackers can cause the system to treat protected endpoints as publicly accessible.

Once beyond the authentication boundary, attackers can reach functionality responsible for processing Groovy scripts. Although intended only for syntax validation, this feature can be abused to execute arbitrary code during compilation—effectively turning a logic flaw into a powerful pre-authentication RCE pathway.

This discovery follows an earlier major breach of Oracle Cloud’s login service in January, where attackers reportedly exploited a separate Oracle Access Manager vulnerability (CVE-2021-35587) to gain RCE and exfiltrate millions of records.

CVE-2025-61757 affects related identity components and, if unpatched, could have enabled similar exploitation against Oracle’s own infrastructure.

CISA warns that the vulnerability is particularly concerning due to its remote, unauthenticated attack vector. With many Oracle Identity Manager instances accessible over the internet, the exposure is significant.

The vulnerability was added to the KEV catalog on November 21, 2025.
Federal civilian agencies are required to apply Oracle’s patches, adhere to Binding Operational Directive BOD 22-01 for cloud services, or discontinue use of the affected product by December 12, 2025.

Recommended Actions for Organizations

• Apply the latest Oracle Critical Patch Update without delay
• Limit external exposure of identity and administrative services
• Review identity and access management configurations
• Monitor for suspicious access to REST APIs and script-processing features
• Strengthen logging and detection around identity infrastructure

The post CISA Alerts Organizations to Oracle Identity Manager RCE Attack appeared first on First Hackers News.

Details of the Vulnerabilities

CVE-2025-11371 (CVSS 7.5):
A flaw in Gladinet CentreStack and Triofox allows outside users to access files or folders that should be private. This can lead to the unintended leak of system files and sensitive data.

CVE-2025-48703 (CVSS 9.0):
A command injection vulnerability in Control Web Panel (formerly CentOS Web Panel) lets attackers run commands remotely without logging in. The flaw is found in the t_total parameter of the file manager’s changePerm request and can result in full remote code execution.

Evidence of Active Exploitation

Cybersecurity firm Huntress recently observed attack attempts that target CVE-2025-11371. Attackers used Base64-encoded payloads to send system commands like ipconfig /all to gather information from compromised systems.

Meanwhile, there are no confirmed public reports of active attacks using CVE-2025-48703. However, the flaw was disclosed responsibly by researcher Maxime Rinaudo in May 2025 and patched a month later in version 0.9.8.1205.

According to Rinaudo, “It allows a remote attacker who knows a valid username on a CWP instance to run commands on the server without authentication.”

CISA’s Warning and Deadline

Due to the confirmed exploitation, CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the required patches no later than November 25, 2025.
Organizations using Gladinet CentreStack, Triofox, or Control Web Panel should update immediately, review their systems for suspicious activity, and monitor logs for signs of intrusion.

Other Exploited WordPress Vulnerabilities

In related news, Wordfence recently warned of critical vulnerabilities being exploited in several WordPress plugins and themes.

• CVE-2025-11533 (CVSS 9.8) – A privilege escalation flaw in WP Freeio lets attackers gain admin rights during registration.
• CVE-2025-5397 (CVSS 9.8) – An authentication bypass in Noo JobMonster allows unauthenticated access to admin accounts when social login is enabled.
• CVE-2025-11833 (CVSS 9.8) – A flaw in Post SMTP lets attackers view email logs and reset admin passwords, potentially leading to full site takeover.

Website owners should update these plugins immediately, use strong passwords, and check their sites for unauthorized users or malware.

The post CISA Adds Gladinet and Control Web Panel Flaws to Known Exploited Vulnerabilities List appeared first on First Hackers News.

The advisories warn of high-severity flaws, each with CVSS v4 scores between 8.5 and 8.7, posing serious risks of cyberattacks and unauthorized access to vital infrastructure across various sectors.

Key Takeaways

1. Leviton’s AcquiSuite and Energy Monitoring Hub are impacted by a high-severity cross-site scripting (XSS) vulnerability.
2. Panoramic Corporation’s Digital Imaging Software is susceptible to DLL hijacking, which could allow malicious code execution.
3. Johnson Controls’ C•CURE 9000 Site Server contains misconfigured default permissions, exposing executable directories to potential abuse.

Leviton XSS Vulnerability Detailed in CISA Advisory ICSA-25-198-01

CISA’s advisory ICSA-25-198-01 discloses a critical cross-site scripting (XSS) vulnerability in Leviton AcquiSuite Version A8810 and Energy Monitoring Hub Version A8812.

• Tracked as CVE-2025-6185, the flaw has a CVSS v4 score of 8.7, indicating high severity.
• The vulnerability, classified under CWE-79, allows attackers to embed malicious scripts into URL parameters, which execute in users’ browsers.
• Exploitation could result in theft of session tokens and remote control of services, despite requiring low attack complexity.
• The affected products are part of global communications infrastructure, increasing the potential impact.
• The issue was responsibly reported by security researcher notnotnotveg.

Crucially, Leviton has not engaged with CISA regarding mitigation efforts. As a result, affected users are advised to contact Leviton customer support directly for updates and potential patch information.

DLL Hijacking Vulnerability Threatens Healthcare Imaging Systems

CISA advisory ICSMA-25-198-01 warns of a critical CWE-427 uncontrolled search path element vulnerability in Panoramic Corporation’s Digital Imaging Software Version 9.1.2.7600.

• Tracked as CVE-2024-22774, the flaw holds a CVSS v4 score of 8.5 and allows DLL hijacking, enabling privilege escalation from a standard user to NT AUTHORITY\SYSTEM.
• Though local access is required, successful exploitation can result in full system compromise.
• This vulnerability poses a serious risk to healthcare and public health infrastructure, especially across North America.
• The underlying issue stems from an unsupported SDK component developed by Oy Ajat Ltd, which complicates patching and mitigation efforts.
• The flaw was responsibly disclosed by Damian Semon Jr. of Blue Team Alpha LLC.

Healthcare providers using this software should assess exposure and explore containment measures immediately due to the potential for widespread disruption.

Johnson Controls Access Control Flaw Impacts Multiple Critical Sectors

CISA’s advisory ICSA-24-191-05 Update B highlights a serious default permission misconfiguration in Johnson Controls’ Software House C•CURE 9000 Site Server Version 2.80 and earlier.

• Identified as CVE-2024-32861, the vulnerability holds a CVSS v4 score of 8.5 and affects systems running the optional C•CURE IQ Web and/or C•CURE Portal components.
• Categorized under CWE-276, the flaw arises from insufficient protection on executable directories, particularly affecting the C:\CouchDB\bin path.
• Under certain conditions, non-administrator users may have Full control or Write access, creating opportunities for privilege escalation or execution of malicious code.
• The issue affects a broad range of sectors globally, including critical manufacturing, commercial and government facilities, transportation, and energy systems.

Johnson Controls has issued mitigation guidance via a Product Security Advisory, urging administrators to remove Full control and Write permissions for non-admin users on affected directories to reduce the risk of exploitation.

Security Recommendations from CISA

CISA urges all organizations to adopt defense-in-depth strategies and network segmentation to reduce the risk of exploitation associated with these ICS vulnerabilities.

Key Mitigation Measures:

• Isolate control systems from direct internet access.
• Implement firewalls to separate business networks from control networks.
• Use secure VPNs for any necessary remote access.
• Conduct impact analysis and risk assessments before applying changes to ensure operational stability.
• Follow established incident response protocols and promptly report any suspicious activity.

Although no known public exploitation has been observed to date, the high CVSS scores and broad deployment of the affected products across critical infrastructure sectors demand immediate evaluation and remediation.

The post CISA Issues Three ICS Advisories Addressing Vulnerabilities and Exploitation Risks appeared first on First Hackers News.