Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: authentication-bypass (8 articles)Clear

Curl's largest security release fixes 18 flaws, including a 25-year-old bug

The curl project shipped its largest-ever security release, version 8.21.0, fixing 18 vulnerabilities, among them a flaw that had gone unnoticed for 25 years. That bug (CVE-2026-8932) lets an application reuse an existing connection even after its client certificate or key changed, allowing an authentication bypass; it affects software built on the libcurl library rather than the command-line tool. Other fixes address credential confusion, memory-corruption bugs, and improper host validation. Most are rated medium or low, but libcurl is embedded in an enormous range of products, from IoT devices to CI/CD pipelines and cars, so the practical reach is large and easy to overlook.

Check
Identify where curl and especially the libcurl library are used across your applications, devices, containers, and build pipelines, since most exposure comes from embedded libcurl rather than the command-line tool.
Affected
Applications and devices built on libcurl before version 8.21.0 (CVE-2026-8932 and others); those using mutual TLS with changing client certificates face an authentication-bypass risk through connection reuse.
Fix
Update to curl and libcurl 8.21.0, rebuild and redeploy software that bundles libcurl, and prioritize systems using mutual TLS or handling credentials, including embedded and IoT devices that update slowly.

One unpatched Quest KACE box at a Boston MSP exposed 60+ named client organizations - law enforcement, schools, healthcare, and government on one MariaDB dump (CVE-2025-32975)

Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.

Check
Inventory Quest KACE SMA instances reachable from the public internet, check their version against the May 2025 patched build, and review helpdesk tickets and asset records for sensitive material that would surface in a database dump.
Affected
Quest KACE Systems Management Appliance (SMA) instances at or below the pre-May 2025 patched version. CVSS 10.0 unauthenticated SSO impersonation. CISA KEV-listed since April 2026.
Fix
Apply Quest's May 2025 patched version immediately. Remove KACE SMA from direct internet exposure (place behind VPN or firewall), rotate KACE admin credentials, and audit for unauthorized accounts created via runkbot.exe.

Critical MOVEit Automation flaw lets attackers take over file-transfer servers without logging in - Cl0p hit MOVEit's sister product in 2023 and stole data from 62 million people (CVE-2026-4670)

Progress Software released emergency patches Sunday for two MOVEit Automation flaws. The worst, CVE-2026-4670 (CVSS 9.8), lets remote attackers reach the management interface without logging in - and from there take administrative control. Airbus researchers disclosed both flaws privately and Progress hasn't seen exploitation in the wild, but the comparison with MOVEit's history is uncomfortable: the Cl0p ransomware gang exploited MOVEit Transfer in 2023 to steal data from 2,100 organizations and 62 million individuals. Shodan shows 1,400+ MOVEit Automation instances exposed online, including a dozen linked to US local and state government agencies.

Check
Inventory MOVEit Automation instances and check the version under Web Admin > Help > About. Search firewall logs for inbound traffic to the service backend command port.
Affected
MOVEit Automation versions before 2025.1.5, 2025.0.9, and 2024.1.8. CVE-2026-4670 (CVSS 9.8, auth bypass) and CVE-2026-5174 (CVSS 7.7, privilege escalation). 1,400+ internet-exposed instances per Shodan, including state and local government agencies. Internet-reachable management interfaces face acute risk.
Fix
Upgrade to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8 using the full installer (the standard service installer does not patch the flaw). Restrict the management interface to internal networks only. Rotate every credential MOVEit holds for downstream destinations - cloud storage, SFTP servers, partner systems. Block external traffic to the service backend command port at the firewall.

SonicWall patches three SonicOS firewall flaws after CrowdStrike disclosed them - the worst lets attackers reach the management interface without logging in (CVE-2026-0204)

SonicWall released emergency firmware updates for Gen 6, Gen 7, and Gen 8 firewalls after CrowdStrike's research team disclosed three SonicOS flaws on April 29. The worst is CVE-2026-0204 (CVSS 8.0), a weak authentication bug in the management interface that lets an attacker on an adjacent network reach management functions without logging in - and from there change firewall rules, disable security protections, or open new holes. The other two are post-authentication: CVE-2026-0205 is a path traversal that breaks out of restricted directories, and CVE-2026-0206 is a buffer overflow that crashes the firewall. No public exploits yet.

Check
Patch every SonicWall Gen 6, Gen 7, and Gen 8 firewall to the latest firmware today, and confirm no SonicWall management interface or SSL-VPN is reachable from the public internet.
Affected
Gen 6 firewalls (TZ 300/400/500/600, NSA, SM, SOHO) running 6.5.5.1-6n or older. Gen 7 firewalls and NSv (TZ270-TZ670, NSa 2700-6700, NSsp, NSv on ESX/KVM/Hyper-V/AWS/Azure) running 7.0.1-5169 or 7.3.1-7013 or older. Gen 8 (TZ80-TZ680, NSa 2800-5800) running 8.1.0-8017 or older.
Fix
Upgrade to Gen 8 firmware 8.2.0-8009, Gen 7 firmware 7.3.2-7010, or Gen 6 6.5.5.2-28n. Until patched, disable HTTP and HTTPS firewall management on all interfaces, disable SSL-VPN, and restrict management to SSH only from trusted IPs. Take a full configuration backup before upgrading Gen 6 - downgrading from 6.5.5.2-28n deletes all LDAP users and resets MFA.

All cPanel and WHM versions had a critical authentication bypass that attackers may have been exploiting since February - emergency patches now released (CVE-2026-41940)

cPanel disclosed a critical authentication bypass on Monday affecting every cPanel and WHM version - including end-of-life builds. CVSS 9.8. The bug let unauthenticated attackers log in as administrators by abusing how the cPanel session daemon writes session files during login. Hosting providers including Namecheap, KnownHost, hosting.com, HostPapa, and InMotion took cPanel and WHM offline globally for hours while patches deployed. Researchers at watchTowr published a working proof-of-concept on April 29. KnownHost reports possible targeted exploitation as early as February 23, 2026 - more than two months before disclosure.

Check
If you run any cPanel or WHM server, confirm it's patched to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, or 11.136.0.5 today.
Affected
All cPanel and WHM versions before the April 28 emergency patch, plus end-of-life versions. CVE-2026-41940, CVSS 9.8. Successful exploitation grants root-equivalent access on the server, exposing every hosted website, database, email account, and customer data. KnownHost reports possible exploitation since February 23, 2026.
Fix
Run '/scripts/upcp --force' to pull the latest patched cPanel build immediately. Audit authentication logs for unusual successful logins between February 23 and April 28 - any login from an unfamiliar IP during that window may indicate prior compromise. Block cPanel ports (2082-2087, 2095-2096, 2077-2078) at the firewall to non-trusted IP ranges.

Microsoft ships emergency out-of-band patch for critical ASP.NET Core authentication cookie forgery flaw (CVE-2026-40372)

Microsoft released out-of-band security updates for a critical ASP.NET Core Data Protection flaw that lets unauthenticated attackers forge authentication cookies and escalate to SYSTEM privileges. The bug (CVE-2026-40372) is a regression introduced in the April 2026 Patch Tuesday: the Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 NuGet packages compute the HMAC validation tag (the cryptographic signature that proves a cookie has not been tampered with) over the wrong bytes of the payload and then discard the hash in some cases. The broken check means attackers can forge payloads that pass DataProtection's authenticity checks and decrypt previously-protected data in auth cookies, antiforgery tokens, TempData, and OIDC state. Microsoft noticed the flaw only after users reported decryption failures in their apps after installing the .NET 10.0.6 update. Critical operational detail: updating to 10.0.7 stops future forgeries, but any tokens an attacker already got the app to legitimately sign during the vulnerable window (session refresh tokens, API keys, password reset links) remain valid forever unless you rotate the DataProtection key ring. Patching alone is not enough.

Check
Check whether any ASP.NET Core application you run is on the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6.
Affected
Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6 (shipped as part of .NET 10.0.0 through .NET 10.0.6).
Fix
Update the Microsoft.AspNetCore.DataProtection package to 10.0.7 and redeploy. Critically, also rotate the DataProtection key ring after patching - any legitimately-signed tokens (session refresh, API keys, password reset links) issued to an attacker during the vulnerable window remain valid until the key ring is rotated. Audit auth logs from April 14 through April 22 for suspicious token issuance.

Nginx UI authentication bypass actively exploited - one unauthenticated request gives attackers full server takeover via MCP endpoint (CVE-2026-33032)

A CVSS 9.8 authentication bypass in nginx-ui, the popular open-source web management interface for Nginx servers, is being actively exploited in the wild. The flaw, codenamed MCPwn by Pluto Security, exists because the /mcp_message endpoint added for Model Context Protocol (AI integration) support only checks IP whitelisting - and the default whitelist is empty, meaning it allows all connections. One unauthenticated HTTP POST request lets an attacker invoke all MCP tools: rewrite Nginx config files, reload the server, intercept all traffic, and harvest admin credentials. Attackers chain it with CVE-2026-27944 (exposed encryption keys via the backup API) to extract the node_secret needed for full MCP access. Recorded Future flagged active exploitation and assigned a risk score of 94/100. Shodan shows 2,600 publicly exposed instances, mostly in China, the US, Indonesia, and Germany. Pluto Security's key lesson: AI integration endpoints expose the same capabilities as the core application but often skip its security controls.

Check
Check if you or any managed clients run nginx-ui (web-based Nginx management dashboard). If MCP support is enabled, this is urgent - you're likely exposed.
Affected
nginx-ui versions 2.3.5 and earlier with MCP support enabled. The tool has 11,000+ GitHub stars and 430,000 Docker pulls. Any instance reachable from the network is exploitable without credentials.
Fix
Update nginx-ui to version 2.3.6 immediately (2.3.4 was the first fix, 2.3.6 is current). If you can't patch: restrict network access to the nginx-ui management interface to trusted IPs only. Add authentication middleware to the /mcp_message endpoint. As defense-in-depth, audit all MCP-integrated tools in your environment - this class of flaw (AI integration endpoints skipping auth) will appear in other products.

Cisco IMC authentication bypass lets unauthenticated attackers take full admin control of servers (CVE-2026-20093)

Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller - the hardware-level management system built into Cisco UCS servers. An attacker sends one crafted HTTP request to the password change function and can reset any user's password, including Admin, without any credentials. Because IMC operates below the operating system on a dedicated baseboard controller with its own IP address, traditional endpoint security tools can't detect or stop it. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.

Check
Check if any Cisco UCS C-Series M5/M6 servers, ENCS 5000, Catalyst 8300, or UCS E-Series systems have their IMC web interface accessible from the network.
Affected
Cisco UCS C-Series M5 and M6 Rack Servers (standalone mode), 5000 Series ENCS, Catalyst 8300 Edge uCPE, UCS E-Series M3/M6, plus dozens of appliances built on preconfigured UCS C-Series including APIC, Secure Firewall Management Center, and Cyber Vision Center.
Fix
Update Cisco IMC firmware: ENCS 5000 to 4.15.5, UCS C-Series to 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174) depending on track. Restrict IMC interface access to a dedicated management VLAN. Audit existing IMC user accounts for any unauthorized password changes.