VYPR
AI Brief · 2026-06-06 · generated Jun 6, 2026

Ivanti KEV Addition, Multiple Critical Flaws Disclosed

Ivanti auth bypass added to KEV; Microsoft, Acer, and WordPress plugins disclose critical vulnerabilities.

Ivanti's Virtual Traffic Manager (vTM) has a critical authentication bypass vulnerability (CVE-2024-7593) that allows unauthenticated remote attackers to reach the admin panel. The flaw is rated Critical with a CVSS score of 9.8 and an EPSS of 0.94, and it has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, which means exploitation has been observed in the wild. Organizations running Ivanti vTM should prioritize updating to version 22.2R1 or 22.7R2, or later, to close this gap.

Microsoft has disclosed several critical vulnerabilities, including CVE-2025-71316, which affects the SQLite 'sqldiff.exe' utility: a crafted command-line argument could cause the tool to load an arbitrary DLL. Another critical vulnerability, CVE-2026-48567 in Azure HorizonDB, allows authentication bypass and privilege escalation over a network. As Vypr Intelligence reported, these issues highlight ongoing risks across Microsoft's ecosystem.

Acer devices are under scrutiny for multiple vulnerabilities, including two critical flaws; CVE-2026-49185, CVE-2026-49188, and CVE-2026-49191 are detailed in a Vypr Intelligence report. They include command injection via unverified payloads in the FieldX MDM adb messaging topic (CVE-2026-49185), arbitrary root command execution through the 'ai_cmd' utility (CVE-2026-49188), and exposure of backend API keys via error-handling pages in the M3WebServer (CVE-2026-49191). Additionally, leftover engineering diagnostics on retail builds could grant malicious applications write access to NVRAM registers (CVE-2026-50211).

A wave of critical vulnerabilities has been identified across various WordPress plugins and other software. Product Slider Pro for WooCommerce (CVE-2026-49777) and a Joomla JCE editor extension (CVE-2026-48907) are among those affected, with the latter allowing PHP code upload and execution. Birebirsoft Software and Technology Solutions' Sufirmam (CVE-2025-4320) and TalentSys Consulting Information Technology Industry Inc.'s Inka.Net (CVE-2025-9846) suffer from critical authentication bypass and command injection vulnerabilities, respectively.

Several other critical vulnerabilities have been reported, including OS command injection in Iron Mountain Archiving Services Inc.'s EnVision (CVE-2025-9588) and SMG Software Information Portal (CVE-2025-5243). DTS Electronics Industry and Trade Ltd. Co.'s Redline WR3200 router (CVE-2026-6274) has improper authentication flaws, while Seagull Software's BarTender (CVE-2026-25550) contains an unauthenticated remote code execution vulnerability. Nexus Concepts' QuantaStor SDS Manager (CVE-2026-10880) is vulnerable to SQL injection, and Neterbit NW-431F Router (CVE-2025-67447, CVE-2025-67446) faces OS command injection and authentication bypass risks.

Synthesized by Vypr AI