Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource

CVE Updates (January 26 – February 1, 2026)

Vuln Recap Editor, February 2, 2026

Here are the CVE updates for the week of January 26th through February 1st.

🔴 Critical Severity Vulnerabilities

SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability (CISA KEV) | CVE-2025-52691

Description:
CVE-2025-52691 is a critical vulnerability in the SmarterMail server that lets unauthenticated attackers upload arbitrary files. Because the server does not properly validate and control file uploads, attackers can place files in unintended directories, including directories from which the system might execute them.

Potential Impacts

  • Remote Code Execution: Attackers may run arbitrary code on the mail server, possibly gaining full system control.
  • Data Breach: Unauthorized parties could access emails, attachments, and credentials.
  • Service Disruption: Critical files might be modified or deleted, causing mail outages.
  • Lateral Movement: A compromised mail server can serve as a pivot to attack other internal systems.

Mitigation Recommendations

  • Apply Vendor Patches Immediately: Update the mail server software as soon as patches become available.
  • Restrict File Upload Paths: Enforce server-side validation to store uploads only in safe, non-executable directories.
  • Disable Unnecessary Services: Turn off unused features to reduce attack surfaces.
  • Use a Web Application Firewall (WAF): Deploy rules that detect and block suspicious file uploads.
  • Harden File Permissions: Run mail services with least privilege and restrict write access to sensitive directories.
  • Monitor for Indicators of Compromise: Regularly check for unexpected files in web roots, temp folders, or mail paths.

SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability (CISA KEV) | CVE-2026-23760

Description:
CVE-2026-23760 affects SmarterMail versions before build 9511. It involves a critical authentication bypass in the password reset API. The vulnerable force-reset-password endpoint accepts unauthenticated requests without verifying current passwords or requiring reset tokens for system administrators. As a result, attackers can reset administrator passwords and take full control without prior authentication.

Potential Impacts

  • Full Administrative Account Takeover: Attackers can gain complete control by resetting admin credentials.
  • Remote Code Execution: Abuse of administrative features might enable arbitrary OS command execution.
  • Data Exposure: Attackers gain unauthorized access to mailboxes, stored emails, credentials, and configurations.
  • Service Disruption: Modifications to settings or account deletions may disrupt mail services.
  • Infrastructure Compromise: The mail server could serve as a foothold for lateral network attacks.

Mitigation Recommendations

  • Upgrade Immediately: Update SmarterMail to build 9511 or later where this vulnerability is fixed.
  • Restrict API Access: Use firewall rules, VPN-only access, or IP allowlisting to limit admin API access.
  • Monitor Authentication Logs: Watch for unexpected password resets or admin logins from unknown IPs.
  • Enable Multi-Factor Authentication (MFA): Add extra protection for all administrator accounts.
  • Harden Server Permissions: Run SmarterMail service accounts with minimal privileges.
  • Incident Response: If exploitation is suspected, rotate all admin credentials and check for unauthorized changes or web shells.
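One way to run the log check recommended above, as an added example that is not from SmarterTools or the original post: it scans web server access logs for requests to the force-reset-password endpoint that come from outside the administrative networks. The W3C log layout, the admin network range, and the sample paths and addresses are assumptions constructed for illustration.

```python
import ipaddress

ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed management range
ENDPOINT_MARKER = "force-reset-password"             # endpoint named in the description

# Constructed sample log (W3C extended format); paths and addresses are placeholders.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-01-27 03:14:07 203.0.113.45 POST /placeholder/force-reset-password 200
2026-01-27 03:14:09 203.0.113.45 GET /placeholder/login 200
2026-01-27 09:02:11 10.20.0.15 POST /placeholder/force-reset-password 200
2026-01-28 22:40:53 198.51.100.7 POST /placeholder/Force-Reset-Password 401
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):    # skip truncated or malformed rows
                yield dict(zip(fields, parts))

def is_admin_source(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False                         # unparsable source is never trusted
    return any(ip in net for net in ADMIN_NETS)

def suspicious_resets(text):
    """Return reset-endpoint requests that came from outside the admin networks."""
    hits = []
    for row in parse_w3c(text):
        if ENDPOINT_MARKER not in row.get("cs-uri-stem", "").lower():
            continue
        if is_admin_source(row.get("c-ip", "")):
            continue
        hits.append({
            "when": f'{row.get("date", "")} {row.get("time", "")}',
            "source": row.get("c-ip", ""),
            "succeeded": row.get("sc-status", "").startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in suspicious_resets(SAMPLE_LOG):
        print(hit)
```

A hit with `succeeded` set is the case to escalate first: correlate it with later administrator logins from the same source.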

GNU InetUtils Argument Injection Vulnerability (CISA KEV) | CVE-2026-24061

Description:
CVE-2026-24061 affects GNU Inetutils telnetd (up to version 2.7) and enables remote authentication bypass. Attackers exploit improper handling of environment variables, specifically the USER variable (e.g., supplying -f root). Because telnetd mishandles this input, remote attackers can log in as root without valid credentials.

Potential Impacts

  • Authentication Bypass: Attackers gain unauthorized access without a valid login.
  • Root-Level Access: Exploitation results in direct root shell access.
  • Full System Compromise: Attackers may run commands, install malware, or alter system settings.
  • Lateral Movement: A compromised host can serve as a pivot point within internal networks.

Mitigation Recommendations

  • Upgrade Immediately: Update GNU Inetutils to a patched version beyond 2.7 once released.
  • Disable Telnet: Replace Telnet with SSH where possible, as Telnet transmits credentials in plaintext.
  • Restrict Network Exposure: If Telnet remains enabled, control access with firewalls or network segmentation.
  • Monitor Suspicious Logins: Review authentication logs for unexpected root access or abnormal sessions.
  • Apply Least Privilege: Ensure services don’t run with unnecessary elevated privileges.
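The argument-injection class described above, as an added example that is not telnetd's code or the project's fix: a model of a daemon that hands a client-supplied USER value to a login-style program, with the injectable pattern beside a hardened one. The login path, the function names, the account-name pattern, and the assumption that the spawned program follows the getopt `--` convention are all illustrative.

```python
import re

LOGIN = "/bin/login"   # hypothetical path of the program the daemon spawns
# Conservative account-name pattern (assumption): the first character is a
# letter or underscore, so the value can never start with "-".
SAFE_USER = re.compile(r"[a-z_][a-z0-9_.-]{0,31}\Z", re.IGNORECASE)

def naive_login_argv(remote_host, env):
    """Injectable pattern: USER is split on whitespace and appended as argv tokens."""
    return [LOGIN, "-h", remote_host] + env.get("USER", "").split()

def safe_login_argv(remote_host, env):
    """Validate USER, keep it a single operand, and end option parsing with '--'."""
    user = env.get("USER", "")
    argv = [LOGIN, "-h", remote_host]
    if not user:
        return argv                      # nothing supplied: the program prompts
    if not SAFE_USER.match(user):
        raise ValueError(f"rejected USER value {user!r}")
    return argv + ["--", user]

def option_tokens(argv):
    """Tokens the spawned program would treat as options (before any '--')."""
    head = argv[1:argv.index("--")] if "--" in argv else argv[1:]
    return [tok for tok in head if tok.startswith("-")]

if __name__ == "__main__":
    crafted = {"USER": "-f root"}        # value quoted in the description above
    print(option_tokens(naive_login_argv("198.51.100.7", crafted)))
    try:
        safe_login_argv("198.51.100.7", crafted)
    except ValueError as err:
        print(err)
```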

Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability (CISA KEV) | CVE-2026-2485

Description:
CVE-2026-2485 impacts several Fortinet products using FortiCloud Single Sign-On (SSO). Improper validation of authentication context allows attackers with a valid FortiCloud account and registered device to authenticate to other customers’ devices when SSO is enabled. Affected products include FortiAnalyzer, FortiManager, FortiOS, FortiProxy, and FortiWeb across various versions.

Potential Impacts

  • Cross-Tenant Account Access: Attackers may gain unauthorized admin access to other organizations’ devices.
  • Configuration Exposure: Sensitive configurations, policies, logs, and credentials might be accessed.
  • Security Infrastructure Compromise: Unauthorized access could disrupt firewall rules, proxies, and monitoring.
  • Pivot for Further Attacks: Compromised platforms can deploy malicious configs or weaken defenses.

Mitigation Recommendations

  • Upgrade Immediately: Apply the latest firmware updates for all affected products.
  • Disable FortiCloud SSO if Not Needed: Temporarily disable SSO until patches are applied.
  • Restrict Management Access: Limit admin interfaces to trusted IPs or management networks.
  • Monitor Authentication Logs: Check for unusual SSO logins or unknown account activity.
  • Enforce MFA: Enable multi-factor authentication on all admin and FortiCloud accounts.

Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (CISA KEV) | CVE-2026-1281

Description:
CVE-2026-1281 allows remote code injection in Ivanti Endpoint Manager Mobile. Attackers can inject and run arbitrary code without authentication, potentially gaining full control over the app and host system.

Potential Impacts

  • Remote Code Execution: Attackers run system commands on the EPMM server.
  • Full System Compromise: Malware installation, backdoors, or lateral movement are possible.
  • Data Breach: Exposure of sensitive enterprise mobility data and credentials.
  • Service Disruption: Configuration changes or ransomware deployment may cause downtime.

Mitigation Recommendations

  • Apply Security Updates: Upgrade to the latest patched EPMM version immediately.
  • Restrict Network Exposure: Limit EPMM access to trusted IPs or VPN.
  • Monitor for Suspicious Activity: Review logs for unusual requests or admin actions.
  • Use Network Security Controls: Deploy IDS/IPS and WAF to detect exploitation.
  • Conduct Post-Patch Review: Verify system integrity and check for prior compromises.

🟠 High Severity Vulnerabilities

Linux Kernel Integer Overflow Vulnerability (CISA KEV) | CVE-2018-14634: This flaw exists in the Linux kernel’s create_elf_tables() function. Because the function mishandles memory calculations, a local user can trigger an integer overflow. As a result, the attacker may corrupt memory and escalate privileges.

Microsoft Office Security Feature Bypass Vulnerability (CISA KEV) | CVE-2026-21509: Microsoft Office improperly trusts certain input during security checks. Therefore, attackers can craft files that bypass built-in protections. Consequently, users who open the file may unknowingly expose their systems.

10-Strike Bandwidth Monitor Buffer Overflow and Remote Code Execution Vulnerability | CVE-2020-37043: Version 3.9 of 10-Strike Bandwidth Monitor contains a buffer overflow in the registration key handler. Because the program fails to enforce input limits, attackers can execute arbitrary code remotely.

🟡 Medium Severity Vulnerabilities

Crystal Shard http-protection IP Spoofing Vulnerability | CVE-2020-37056: Crystal Shard http-protection trusts client-supplied IP headers. Therefore, attackers can forge headers such as X-Forwarded-For to bypass IP-based restrictions.
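The header-trust weakness described above, as an added example that is not code from the http-protection shard: a resolver that believes any X-Forwarded-For value, beside one that honours the header only when the TCP peer is a known reverse proxy. The proxy range, the allowlist, and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions: the application's own reverse proxies live in 10.0.0.0/8 and an
# IP allowlist protects some route. Both values are constructed for the example.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]

def _in(ip_text, nets):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in nets)

def naive_client_ip(peer, xff):
    """Weak pattern: believe the first X-Forwarded-For entry from any sender."""
    return xff.split(",")[0].strip() if xff else peer

def client_ip(peer, xff):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, then
    walk it right to left and return the first hop that is not one of ours."""
    if not _in(peer, TRUSTED_PROXIES):
        return peer                       # direct client: header is untrusted input
    for hop in reversed([h.strip() for h in (xff or "").split(",") if h.strip()]):
        try:
            if not _in(hop, TRUSTED_PROXIES):
                return hop
        except ValueError:
            return peer                   # malformed entry: fall back to the peer
    return peer

def allowed(peer, xff, resolver=client_ip):
    """Allowlist decision based on whichever resolver is plugged in."""
    return _in(resolver(peer, xff), ALLOWLIST)

if __name__ == "__main__":
    forged = "192.0.2.10"                 # constructed header value
    print(allowed("203.0.113.9", forged, naive_client_ip))  # weak resolver
    print(allowed("203.0.113.9", forged))                   # hardened resolver
```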

Navigate CMS Cross-Site Request Forgery (CSRF) Leading to Malicious File Upload | CVE-2020-37054: Navigate CMS fails to verify request authenticity during extension uploads. As a result, attackers can trick administrators into uploading malicious files.

Sistem Informasi Pengumuman Kelulusan Online Cross-Site Request Forgery (CSRF) Vulnerability in Admin User Creation | CVE-2020-37046: This application lacks CSRF protection in its admin creation endpoint. Consequently, attackers can force administrators to create unauthorized accounts.

Orchard Core RC1 Persistent Cross-Site Scripting (XSS) Vulnerability | CVE-2020-37019: Orchard Core fails to sanitize blog post input. Therefore, attackers can inject persistent JavaScript that runs whenever users view a compromised page.
