Four Azure Services Hit With CVSS 10.0 Flaws
Four Azure services hit with CVSS 10.0 flaws, while CISA warns on hard-coded passwords in biopharma lab equipment.

Four Microsoft Azure services disclosed critical CVSS 10.0 vulnerabilities in a single patch batch, including Azure Resource Manager, Entra ID, Planetary Computer Pro, and Orbital Spatio. CVE-2026-47280 (ARM) is an improper authentication flaw allowing unauthenticated privilege escalation over the network. CVE-2026-42901 (Entra ID) involves an origin validation error that similarly enables privilege escalation. CVE-2026-41104 (Planetary Computer Pro) is a deserialization-of-untrusted-data bug leading to information disclosure, and CVE-2026-40412 (Azure Orbital Spatio) is an unrestricted file upload vulnerability that permits remote code execution. All four carry a CVSS 10.0 severity and a high risk score of 0.65. While no active exploitation or public PoC has been reported yet, the breadth of affected Azure services and the maximum CVSS rating make this an urgent patch cycle for any organization using these platforms. Microsoft has released fixes through its standard update channels.
CISA issued an ICS medical advisory for the Eppendorf BioFlo 320 bioreactor controller, warning of a hard-coded VNC password vulnerability (CVE-2026-7251, CVSS 9.8). The flaw allows any remote attacker who knows the device's network address to gain full control of the user interface. As CISA reported, the BioFlo 320 is used in biopharmaceutical manufacturing and research laboratories, making this a critical operational-technology and patient-safety concern. Eppendorf has released firmware updates; organizations should immediately segment these devices from untrusted networks and apply the patch.
IBM Aspera High-Speed Transfer Endpoint and Server are affected by a critical buffer overflow (CVE-2026-8175, CVSS 9.8) in the asperahttpd component. Versions 3.7.4 through 4.4.7 Fix Pack 1 are vulnerable to unauthenticated remote code execution. Aspera is widely used for high-speed transfer of large datasets in media, life sciences, and financial services. No public PoC or exploitation has been reported yet, but the CVSS 9.8 rating and the product's exposure to external networks make this a high-priority patch for any organization running Aspera transfers.
Five WordPress plugins disclosed critical vulnerabilities this window, including privilege escalation, path traversal, and web shell upload flaws. WebinarIgnition (CVE-2026-42758, CVE-2026-42757) contains both a privilege escalation bug (CVSS 9.8) and a path traversal bug (CVSS 9.9) affecting versions before 4.08.253. The QuickWebP plugin (CVE-2026-42756, CVSS 9.9) allows path traversal. WPify Woo Czech (CVE-2026-42748, CVSS 9.9) permits unrestricted file upload, enabling attackers to upload a web shell. The miniOrange OTP Verification plugin (CVE-2026-42731, CVSS 9.8) has an incorrect privilege assignment flaw leading to privilege escalation. All five plugins have patches available through the WordPress plugin directory. Given the prevalence of WordPress in the small-to-medium business market and the ease of weaponizing path traversal and web shell uploads, these should be treated as emergency updates.
Joomla disclosed four critical vulnerabilities spanning privilege escalation, local file inclusion, and SQL injection. CVE-2026-48904, CVE-2026-48899, and CVE-2026-48898 all involve improper access checks in the com_users component, allowing privilege escalation through group editing endpoints and batch tasks (all CVSS 9.8). CVE-2026-40383 (CVSS 9.8) is a local file inclusion vulnerability from improper input validation. CVE-2026-35222 (CVSS 9.8) is a SQL injection in the com_tags component via improperly validated order clauses. Joomla site administrators should update to the latest patched release immediately, as these flaws can be chained for full site compromise.
Several additional critical flaws warrant attention: Lumiverse AI chat app (CVE-2026-44450, CVSS 9.9) allows command injection via unvalidated MCP server args; FastNetMon Community Edition (CVE-2026-48689, CVSS 9.8) has a heap-based buffer overflow in its binary buffer class; Delta Electronics DIAView (CVE-2026-9642, CVSS 9.8) is an incomplete fix for a prior unauthenticated database access bug; and IBM Engineering Lifecycle Management (CVE-2026-3660, CVSS 9.8) allows unauthenticated remote attackers to modify server property files for unauthorized access. The Lumiverse flaw is particularly notable given the rapid adoption of AI chat interfaces in enterprise environments — the args array bypasses the binary allowlist entirely. FastNetMon is used for DDoS detection in ISP and data-center networks, making the heap overflow a potential vector for network-level compromise. The Delta DIAView incomplete fix (CVE-2025-62582) means previously patched SCADA environments may still be exposed.