#privilege-escalation

#privilege-escalation

cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read. CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user. CVE-2026-29203 (CVSS score: 8.8) - An unsafe symlink handling vulnerability that allows a user to modify access permissions of an arbitrary file using chmod, resulting in denial-of-service or possible privilege escalation.

"Critical and high vulnerabilities in MOVEit Automation may allow authentication bypass and privilege escalation through the service backend command port interfaces. Exploitation may lead to unauthorized access, administrative control, and data exposure."

This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles. While the exploit requires a specific time-based window (10-30 days), the resulting impact is a complete compromise of the host system.

The vulnerabilities exploit a confused deputy attack. An unauthorized user can manipulate a privileged process to perform actions on their behalf, without having the necessary rights themselves. Specifically, attackers abuse tools such as Sudo or Postfix to modify AppArmor profiles via pseudo-files such as /sys/kernel/security/apparmor/.load and .replace.

The company rolled out fixes for 19 flaws in Adobe Commerce and Magento Open Source, urging users to apply the patches within the next 30 days, based on these products being a known target for threat actors. The update resolves six high-severity bugs, five of which could lead to privilege escalation: CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, and CVE-2026-21309.

This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.

Cisco confirmed that attackers exploited the bug, tracked as CVE-2026-20127, to bypass authentication, gain privileged access, and quietly steal data. The discovery prompted a rare joint warning from authorities in the US, UK, Australia, Canada, and New Zealand.

The issue focuses on how Windows handles these directories for specific user sessions. Because the kernel creates a DOS device object directory on demand, rather than at login, it cannot check whether the user is an admin during the creation process. Unlike UAC, Administrator Protection uses a hidden shadow admin account whose token handle can be returned by the system when calling the NtQueryInformationToken API function.

SonicWall's official notice, published this week, says users should update to the latest hotfix versions immediately and restrict access to the Appliance Management Console to trusted networks. The vendor's PSIRT team says the issue affects only SMA 1000 appliances and does not impact other SonicWall firewall products or SSL VPN functions, but the fact that attackers have already begun exploiting the flaw underscores how exposed remote-access infrastructure remains.

Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs.

Both CVE-2025-6204 and CVE-2025-6205 affect DELMIA Apriso versions from Release 2020 through Release 2025. They were addressed by Dassault Systèmes in early August. According to details shared by ProjectDiscovery researchers Rahul Maini, Harsh Jaiswal, and Parth Malhotra last month, the two security flaws can be fashioned together into an exploit chain to create accounts with elevated privileges and then drop executable files into a web-served directory, resulting in a full application compromise.

A data breach affecting over six million people has resulted in a £14 million fine for professional services firm Capita following an investigation by the UK Information Commissioner's Office (ICO). The fine is split between Capita Plc and Capita Pension Solutions, which have been billed £8 million and £6 million respectively for the March 2023 attack. According to the ICO, the UK's data protection authority, Capita failed in three areas: preventing privilege escalation and unauthorized lateral movement, responding appropriately to security alerts, and penetration and risk assessment.

Artificial intelligence has notorious problems with accuracy - so maybe it's not surprising that using it as a coding assistant creates more security problems, too. As a security firm called Apiiro found in new research, developers who used AI produce ten times more security problems than their counterparts who don't use the technology. Looking at code from thousands of developers and tens of thousand repositories, Apiiro found that AI-assisted devs were indeed producing three or four times more code - and as the firm's product manager Itay Nussbaum suggested, that breakneck pace seems to be causing the security gaps.

CVE-2025-53786 is an elevation of privilege bug that Outsider Security's Dirk-jan Mollema reported to Microsoft. It exists because of the way hybrid Exchange deployments, which connect on-premises Exchange servers to Exchange Online, use a shared identity to authenticate users between the two environments.

CVE-2025-32462 has received a lower CVSS score due to the conditions that are needed. Namely, successful execution would require someone to make a misconfiguration and deploy a Sudoers file with an incorrect host for this vulnerability to work.

These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3 access.