pre-auth - TrustStrike Labs

vulnerability

CVE-2026-42208

2026-04-28

Hackers raced to exploit a critical LiteLLM flaw 36 hours after disclosure - any attacker who could reach the proxy could read all stored AI API keys (CVE-2026-42208)

LiteLLM, the popular open-source gateway used to centralize API access for OpenAI, Anthropic, and other AI providers, has a critical pre-authentication SQL injection bug that attackers started exploiting just 36 hours after the security advisory went public. The flaw lets anyone who can reach the proxy port read all the API keys stored inside - including master keys, virtual keys, and provider credentials. The bug was in the bearer-token check: the token was concatenated into a SQL query instead of passed as a parameter. Sysdig saw the first attack at 04:24 UTC on April 26, hitting three tables that hold the most valuable secrets.

litellm ai-gateway sql-injection pre-auth openai anthropic credential-theft sysdig actively-exploited

Check: If you run any internet-facing LiteLLM proxy, patch to v1.83.7-stable today and treat every API key, virtual key, and stored provider credential as compromised.
Affected: LiteLLM versions 1.81.16 through 1.83.6, internet-reachable on the default proxy port. CVE-2026-42208, CVSS 9.3, pre-auth SQL injection. Blast radius is closer to a full cloud account compromise than a typical web app bug because LiteLLM holds OpenAI, Anthropic, and AWS Bedrock credentials.
Fix: Patch to LiteLLM v1.83.7-stable. If you can't upgrade, set 'disable_error_logs: true' under 'general_settings' as a workaround. Rotate every virtual key, master key, and upstream provider credential. Audit upstream provider billing for unexpected API calls since April 24. Block traffic from 65.111.27.132 and 65.111.25.67 (AS200373).

vulnerability

CVE-2026-35616

2026-04-05

Second FortiClient EMS zero-day in two weeks - emergency patch for pre-auth API bypass, actively exploited (CVE-2026-35616)

If you patched FortiClient EMS for CVE-2026-21643 two weeks ago by upgrading to 7.4.5, you're now vulnerable to a new zero-day. CVE-2026-35616 is a CVSS 9.1 pre-authentication API access bypass affecting versions 7.4.5 and 7.4.6 - the exact versions customers upgraded to. Defused Cyber spotted exploitation in the wild starting March 31. Fortinet released an emergency weekend hotfix on Saturday, with watchTowr noting attackers deliberately timed this for the Easter holiday when security teams are at half strength.

fortinet forticlient-ems zero-day pre-auth actively-exploited emergency-patch

Check: If you run FortiClient EMS 7.4.5 or 7.4.6, treat this as an emergency - apply the hotfix now, not after the holiday.
Affected: FortiClient EMS 7.4.5 and 7.4.6 only. The 7.2 branch and FortiEMS Cloud are not affected.
Fix: Apply the emergency hotfix for your version immediately: hotfix for 7.4.5 or hotfix for 7.4.6 (see Fortinet release notes). Upgrade to 7.4.7 when available. Restrict the EMS web interface to management VLANs only. Review logs for unusual API requests since March 31.

vulnerability

CVE-2026-2699 CVE-2026-2701

2026-04-02

Progress ShareFile pre-auth RCE chain disclosed - 30,000 instances exposed, ransomware gangs watching (CVE-2026-2699, CVE-2026-2701)

Two flaws in Progress ShareFile's Storage Zones Controller can be chained for unauthenticated remote code execution - no credentials needed. An attacker first bypasses authentication via improper HTTP redirect handling, then uploads a malicious webshell through the file upload function. watchTowr published full technical details and a proof-of-concept. Around 30,000 instances are exposed online. File transfer solutions are a favorite ransomware target - Clop hit Accellion, GoAnywhere, MOVEit, and Cleo the same way.

progress sharefile rce file-transfer pre-auth

Check: Check if you run Progress ShareFile with customer-managed Storage Zones Controller on branch 5.x.
Affected: ShareFile Storage Zones Controller 5.x versions prior to 5.12.4. Cloud-only ShareFile deployments are not affected.
Fix: Update to ShareFile Storage Zones Controller 5.12.4 or later (released March 10). Audit web server logs for requests to /ConfigService/Admin.aspx. Check the webroot for unexpected ASPX files that could indicate existing compromise.

vulnerability

CVE-2026-20093

2026-04-02

Cisco IMC authentication bypass lets unauthenticated attackers take full admin control of servers (CVE-2026-20093)

Cisco patched a CVSS 9.8 authentication bypass in its Integrated Management Controller - the hardware-level management system built into Cisco UCS servers. An attacker sends one crafted HTTP request to the password change function and can reset any user's password, including Admin, without any credentials. Because IMC operates below the operating system on a dedicated baseboard controller with its own IP address, traditional endpoint security tools can't detect or stop it. The flaw affects dozens of Cisco product lines including APIC servers, Secure Firewall Management Center, and Cyber Vision appliances.

cisco imc authentication-bypass pre-auth server-management

Check: Check if any Cisco UCS C-Series M5/M6 servers, ENCS 5000, Catalyst 8300, or UCS E-Series systems have their IMC web interface accessible from the network.
Affected: Cisco UCS C-Series M5 and M6 Rack Servers (standalone mode), 5000 Series ENCS, Catalyst 8300 Edge uCPE, UCS E-Series M3/M6, plus dozens of appliances built on preconfigured UCS C-Series including APIC, Secure Firewall Management Center, and Cyber Vision Center.
Fix: Update Cisco IMC firmware: ENCS 5000 to 4.15.5, UCS C-Series to 4.3(2.260007), 4.3(6.260017), or 6.0(1.250174) depending on track. Restrict IMC interface access to a dedicated management VLAN. Audit existing IMC user accounts for any unauthorized password changes.