leekthehack

VulnWatch Monday: CVE-2026-22172 🔓

🦞 Yekai Chen (aka LUOYEcode) has discovered a critical vulnerability affecting OpenClaw versions prior to 2026.3.12.

🔧 Fix in OpenClaw 2026.3.12.

🔎 GitHub advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-rqpp-rjj8-7wv8
🐞 VulnCheck advisory: https://www.vulncheck.com/advisories/openclaw-scope-elevation-in-websocket-shared-auth-connections
💾 View JSON: https://cveawg.mitre.org/api/cve/CVE-2026-22172

VulnWatch Monday: CVE-2026-3611 🔓

Gjoko Krstic of Zero Science Lab reported a maximum-severity vulnerability in Honeywell's IQ4x building management controller.

The flaw was publicly disclosed by ICS-CERT and is tracked as CVE-2026-3611.

🔎 With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface.

⚙️ Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is reachable before authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This can effectively lock legitimate operators out of local and web-based configuration and administration.

🔧 According to CISA, Honeywell is aware of the issue but has not released a fix. For more information, users are urged to contact Honeywell directly.

โš ๏ธ CISA advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-03
๐Ÿ’พ View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-069-03.json

๐‚๐ซ๐ข๐ญ๐ข๐œ๐š๐ฅ ๐™๐ž๐ซ๐จ-๐‚๐ฅ๐ข๐œ๐ค ๐…๐ฅ๐š๐ฐ ๐ข๐ง ๐ง๐Ÿ–๐ง ๐€๐ฅ๐ฅ๐จ๐ฐ๐ฌ ๐…๐ฎ๐ฅ๐ฅ ๐’๐ž๐ซ๐ฏ๐ž๐ซ ๐‚๐จ๐ฆ๐ฉ๐ซ๐จ๐ฆ๐ข๐ฌ๐ž

Researchers from Pillar Security have found two new critical vulnerabilities in self-hosted and cloud n8n deployments.

n8n is a popular open-source workflow automation platform powering hundreds of thousands of enterprise AI systems worldwide.

One of the flaws, tracked as CVE-2026-27493, can lead to full takeover of a server without the target clicking on anything and without the attacker needing to be authenticated.

🔧 Fix? n8n Cloud users should already have received the fix automatically.

People self-hosting n8n instances are urged to update to versions 2.10.1, 2.9.3 or 1.123.22 of n8n, depending on their release channel.

Pillar Security also recommended that users rotate all stored credentials if a vulnerable workflow is found in their n8n environment.

https://www.infosecurity-magazine.com/news/critical-zeroclick-flaw-n8n-pillar/

๐„๐ฑ๐œ๐ฅ๐ฎ๐ฌ๐ข๐ฏ๐ž ๐ˆ๐ง๐ญ๐ž๐ซ๐ฏ๐ข๐ž๐ฐ ๐ฐ๐ข๐ญ๐ก ๐Ž๐ฉ๐ž๐ง๐‚๐ฅ๐š๐ฐ'๐ฌ ๐’๐ž๐œ๐ฎ๐ซ๐ข๐ญ๐ฒ ๐€๐๐ฏ๐ข๐ฌ๐จ๐ซ

@openclaw's weak spots have not gone unnoticed, and Jamieson O'Reilly was among the first to call them out. Now he's been appointed its security representative.

🎧 https://www.infosecurity-magazine.com/podcasts/exclusive-interview-openclaw/

In a soon-to-be-released interview, Jamieson O'Reilly, OpenClaw's security advisor, warned that we need to develop more ways to "scan AI tools" for detecting "human-language malware."

With the Promptfoo acquisition, OpenAI now wants to do just that.

https://www.infosecurity-magazine.com/news/openai-promptfoo-deal-agentic-ai/

VulnWatch Monday: CVE-2026-27944 🔓

A critical vulnerability in Nginx UI allows unauthenticated attackers to download and decrypt full system backups. It affects all versions before 2.3.2.

โš™๏ธ The flaw is caused by two security failures: the /api/backup endpoint lacks authentication, and the system exposes the Base64โ€‘encoded AESโ€‘256 encryption key and IV in the X-Backup-Security HTTP header.

Attackers can simply send a GET request to download encrypted backup archives and immediately decrypt them using the leaked keys.

🔓 Decrypted backups may reveal user credentials (database.db), configuration files (app.ini), SSL certificates, private keys and Nginx configurations, enabling attackers to take over the Nginx UI console, intercept traffic or move deeper into the network.

A public Python PoC demonstrating the exploit is already available.
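As an added example (not code from the Nginx UI project, the advisory or the PoC), here is the detection a defender can run against the reverse proxy sitting in front of Nginx UI: it parses access-log lines in nginx combined format and flags successful downloads of /api/backup, and a second helper tells you whether a response captured from your own instance still carries the X-Backup-Security header that the fix removes. The log lines, addresses and the nginxui.internal hostname are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed access-log lines in nginx "combined" format (sample data,
# not real traffic) as a reverse proxy in front of Nginx UI would record them.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:12:01 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:08:12:03 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:08:12:05 +0000] "GET /api/backup?ts=1 HTTP/1.1" 200 48213 "-" "curl/8.4.0"
10.0.0.5 - - [10/Mar/2026:08:13:00 +0000] "GET /api/backup HTTP/1.1" 401 0 "https://nginxui.internal/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass(frozen=True)
class Request:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    size: int


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return Request(
        ip=m.group("ip"),
        ts=m.group("ts"),
        method=m.group("method"),
        path=m.group("path").split("?", 1)[0],  # drop the query string
        status=int(m.group("status")),
        size=0 if size == "-" else int(size),
    )


def find_backup_downloads(log_text: str):
    """Return GET /api/backup requests that succeeded and returned a body.

    On an unpatched instance every such hit is a full backup leaving the box,
    so each one should be treated as a credential-exposure event.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.method == "GET" and rec.path == "/api/backup" and rec.status == 200 and rec.size > 0:
            hits.append(rec)
    return hits


def leaks_backup_key(headers: dict) -> bool:
    """True if a response captured from your own instance still exposes X-Backup-Security.

    Header names are matched case-insensitively, as HTTP requires.
    """
    return any(k.lower() == "x-backup-security" for k in headers)


if __name__ == "__main__":
    for h in find_backup_downloads(SAMPLE_LOG):
        print(f"{h.ts} {h.ip} downloaded a backup ({h.size} bytes)")
```

The size check matters: a 200 with an empty body (for instance from a proxy that already blocks the path) is noise, while a non-empty 200 on an unpatched version is the archive itself, and after patching the header check should return False for every response from the instance.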

🔧 Fix? Yes: Nginx UI version 2.3.3

🔎 GitHub advisory: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
💾 View JSON: https://cveawg.mitre.org/api/cve/CVE-2026-27944

VulnWatch Monday: CVE-2025-71210 🔓

Trend Micro has issued patches addressing several vulnerabilities in Apex One, with severity levels ranging from high to critical.

The flaws, identified as CVE-2025-71210 through CVE-2025-71217, carry CVSS v3 scores between 7.2 and 9.8.

Some of the issues impact the management console and could potentially allow remote code execution.

According to a February 2026 advisory, the affected products include Apex One 2019 (on-premises) for Windows and Apex One as a Service, also known as "Trend Vision One Endpoint - Standard Endpoint Protection" on Windows.

🔧 Fix? Trend Micro advises customers to upgrade to the most recent available builds (CP Build 14136 and Security Agent Build 14.0.20315), noting that earlier patches may not fully resolve all aspects of the vulnerabilities.

🔎 Trend Micro advisory: https://success.trendmicro.com/en-US/solution/KA-0022458

๐…๐ฅ๐š๐ฐ๐ฌ ๐ข๐ง ๐๐จ๐ฉ๐ฎ๐ฅ๐š๐ซ ๐’๐จ๐Ÿ๐ญ๐ฐ๐š๐ซ๐ž ๐ƒ๐ž๐ฏ๐ž๐ฅ๐จ๐ฉ๐ฆ๐ž๐ง๐ญ ๐€๐ฉ๐ฉ ๐„๐ฑ๐ญ๐ž๐ง๐ฌ๐ข๐จ๐ง๐ฌ ๐€๐ฅ๐ฅ๐จ๐ฐ ๐ƒ๐š๐ญ๐š ๐„๐ฑ๐Ÿ๐ข๐ฅ๐ญ๐ซ๐š๐ญ๐ข๐จ๐ง

Researchers at OX Security have detected four vulnerabilities in three of the most popular IDEs that could lead to cyber-attacks. The four flaws include two high-severity and one critical, affecting Microsoft VS Code.

These vulnerabilities also impact Cursor and Windsurf, two forks of VS Code that provide AI-assisted software development tools (aka "vibe coding" platforms).

One of them, CVE-2025-65717, is a vulnerability in the Live Server extension for VS Code (over 72 million downloads) that allows a remote, unauthenticated attacker to exfiltrate files from a developer's local machine. OX Security warned that attackers only need to send a malicious link to the victim while Live Server is running in the background to exploit the flaw.

The vulnerability remains unpatched despite the researchers having disclosed the vulnerabilities to these platforms' maintainers in July and August 2025 through multiple channels.

📰 https://www.infosecurity-magazine.com/news/vulnerabilities-vs-code-cursor/

VulnWatch Monday: CVE-2026-2441 🔓

Google has released a security update to patch a newly discovered zero-day in Chrome.

The tech giant also confirmed that it "is aware that an exploit for CVE-2026-2441 exists in the wild."

https://www.infosecurity-magazine.com/news/google-patches-new-in-wild-chrome/

๐‡๐š๐œ๐ค๐ข๐ง๐  ๐‚๐š๐ฆ๐ฉ๐š๐ข๐ ๐ง ๐„๐ฑ๐ฉ๐ฅ๐จ๐ข๐ญ๐ฌ ๐Œ๐ข๐œ๐ซ๐จ๐ฌ๐จ๐Ÿ๐ญ ๐–๐ข๐ง๐๐จ๐ฐ๐ฌ ๐–๐ข๐ง๐‘๐€๐‘ ๐•๐ฎ๐ฅ๐ง๐ž๐ซ๐š๐›๐ข๐ฅ๐ข๐ญ๐ฒ

A hacking campaign took just days to exploit a newly disclosed security vulnerability in the Microsoft Windows version of WinRAR, researchers at Check Point Software have said.

🐞 The attackers leveraged CVE-2025-8088, a path traversal vulnerability in the widely used file archive and compression software WinRAR, which was first disclosed by ESET in August 2025.

⏱️ Check Point's analysis of the campaign suggested that attackers were actively exploiting the vulnerability within days of its disclosure.

🔎 CVE-2025-8088 is a path traversal flaw: a crafted archive can make WinRAR write files outside the directory the user chose for extraction. This lets attackers execute code and maintain persistence on targeted machines, allowing them to secretly monitor users and collect sensitive data.
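An added example, not code from WinRAR, ESET or Check Point: the generic check an extractor, a mail gateway or an EDR archive scanner applies to archive entry names to catch the path traversal class this CVE belongs to. It goes beyond the WinRAR case by handling both separator styles, absolute paths and drive-letter prefixes, and it rejects an entry only after normalization so that harmless "a/../b" names are not flagged. The entry names are constructed samples, not from any real archive.

```python
import posixpath
import re

# Constructed archive listing (sample entry names, not from a real archive):
# these are the paths an extractor reads from the archive headers.
SAMPLE_ENTRIES = [
    "report/q1.pdf",                     # plain relative path: fine
    "report/../q2.pdf",                  # normalizes to "q2.pdf": still inside
    "../../../Users/Public/update.exe",  # climbs out of the destination
    "..\\..\\drop.dll",                  # same escape with Windows separators
    "C:/Windows/Temp/x.txt",             # absolute path with drive letter
    "/etc/cron.d/job",                   # absolute POSIX path
    "nested/a/../../../b.txt",           # escapes only after normalization
]

DRIVE_RE = re.compile(r"^[A-Za-z]:")


def normalized_entry(name: str) -> str:
    """Unify separators and collapse '.' / '..' components.

    An extractor must do this *before* joining the name with the destination;
    comparing the raw string against a prefix is exactly what traversal defeats.
    """
    return posixpath.normpath(name.replace("\\", "/"))


def is_unsafe_entry(name: str) -> bool:
    """True if the entry is absolute or would resolve above the extraction directory."""
    unified = name.replace("\\", "/")
    if unified.startswith("/") or DRIVE_RE.match(unified):
        return True
    norm = posixpath.normpath(unified)
    return norm == ".." or norm.startswith("../")


def audit_listing(names):
    """Return the entries that must be rejected before extraction."""
    return [n for n in names if is_unsafe_entry(n)]


def safe_destination(dest_dir: str, name: str) -> str:
    """Path the entry would be written to, or ValueError if it would escape dest_dir."""
    if is_unsafe_entry(name):
        raise ValueError(f"archive entry escapes destination: {name!r}")
    return posixpath.join(posixpath.normpath(dest_dir), normalized_entry(name))


if __name__ == "__main__":
    for bad in audit_listing(SAMPLE_ENTRIES):
        print("reject:", bad)
```

A scanner that only looks for a literal ".." at the start of a name misses the last sample entry, which is why the check normalizes first; rejecting the whole archive on the first unsafe entry, rather than skipping that entry, is the safer policy for a gateway.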

๐ŸŒ Check Point researchers noted that the attacks had a focus on government institutions and law enforcement agencies in Southeast Asia, pointing to a cyber-espionage campaign with the goal of collecting intelligence for geopolitical goals.

๐Ÿ‡จ๐Ÿ‡ณ Researchers concluded that the campaign was being conducted by a group dubbed Amarath-Dragon. The tools, techniques and procedures by Amarath-Dragon closely resemble APT 41, the prolific Chinese state-linked cyber-espionage and hacking group.

๐Ÿ—จ๏ธ โ€œThe campaigns by Amaranth-Dragon exploiting the CVE-2025-8088 vulnerability highlight the recent trend of sophisticated threat actors rapidly weaponizing newly disclosed vulnerabilities,โ€ Check Point Research said in a blog post.

๐Ÿ“ฐ https://www.infosecurity-magazine.com/news/hacking-exploits-windows-winrar/