Command Injection | Breaking Cybersecurity News | The Hacker News

The Shadowserver Foundation has revealed that over 900 Sangoma FreePBX instances still remain infected with web shells as part of attacks that exploited a command injection vulnerability starting in December 2025. Of these, 401 instances are located in the U.S., followed by 51 in Brazil, 43 in Canada, 40 in Germany, and 36 in France. The non-profit entity said the compromises are likely accomplished via the exploitation of CVE-2025-64328 (CVSS score: 8.6), a high-severity security flaw that could enable post-authentication command injection. "The impact is that any user with access to the FreePBX Administration panel could leverage this vulnerability to execute arbitrary shell commands on the underlying host," FreePBX said in an advisory for the flaw in November 2025. "An attacker could leverage this to obtain remote access to the system as the asterisk user." The vulnerability affects FreePBX versions higher than and including 17.0.2.36. It was resolved in...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed vulnerability in FileZen to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-25108 (CVSS v4 score: 8.7), is a case of operating system (OS) command injection that could allow an authenticated user to execute arbitrary commands via specially crafted HTTP requests. "Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request," CISA said. According to the Japan Vulnerability Notes (JVN), the vulnerability affects the following versions of the file transfer product - Versions 4.2.1 to 4.2.8 Versions 5.0.0 to 5.0.10 Soliton noted in its advisory that successful exploitation of the issue is only possible when FileZen Antivirus Check Option is enabled, adding it has "received at le...

BeyondTrust has released updates to address a critical security flaw impacting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could result in remote code execution. "BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability," the company said in an advisory released February 6, 2026. "By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user." The vulnerability, categorized as an operating system command injection , has been assigned the CVE identifier CVE-2026-1731 . It's rated 9.9 on the CVSS scoring system. BeyondTrust said successful exploitation of the shortcoming could allow an unauthenticated remote attacker to execute operating system commands in the context of the site user, resulting in unautho...

Cybersecurity researchers have disclosed details of multiple critical-severity security flaws affecting Coolify , an open-source, self-hosting platform, that could result in authentication bypass and remote code execution. The list of vulnerabilities is as follows - CVE-2025-66209 (CVSS score: 10.0) - A command injection vulnerability in the database backup functionality allows any authenticated user with database backup permissions to execute arbitrary commands on the host server, resulting in container escape and full server compromise CVE-2025-66210 (CVSS score: 10.0) - An authenticated command injection vulnerability in the database import functionality allows attackers to execute arbitrary commands on managed servers, leading to full infrastructure compromise CVE-2025-66211 (CVSS score: 10.0) - A command injection vulnerability in the PostgreSQL init script management allows authenticated users with database permissions to execute arbitrary commands as root on the server ...

Details have emerged about a now-patched critical security flaw in the popular " @react-native-community/cli " npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions. "The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli's development server, posing a significant risk to developers," JFrog Senior Security Researcher Or Peles said in a report shared with The Hacker News. The vulnerability, tracked as CVE-2025-11953, carries a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It also affects the "@react-native-community/cli-server-api" package versions 4.8.0 through 20.0.0-alpha.2, and has been patched in version 20.0.0 released early last month. The command-line tools package , which is maintained by Meta, enables developers to build React Native mobile ...

TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution. The vulnerabilities in question are listed below - CVE-2025-6541 (CVSS score: 8.6) - An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands CVE-2025-6542 (CVSS score: 9.3) - An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands CVE-2025-7850 (CVSS score: 9.3) - An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands CVE-2025-7851 (CVSS score: 8.7) - An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating sys...

Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol ( MCP ) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands. "The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.)," according to a GitHub advisory for the flaw. "Successful exploitation can lead to remote code execution under the server process's privileges." Given that the Framelink Figma MCP server exposes various tools to perform operations in Figma using artificial intelligence (AI)-powered coding agents like Cursor, an attacker co...

Libraesva has released a security update to address a vulnerability in its Email Security Gateway (ESG) solution that it said has been exploited by state-sponsored threat actors. The vulnerability, tracked as CVE-2025-59689 , carries a CVSS score of 6.1, indicating medium severity. "Libraesva ESG is affected by a command injection flaw that can be triggered by a malicious email containing a specially crafted compressed attachment, allowing potential execution of arbitrary commands as a non-privileged user," Libraesva said in an advisory. "This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats." In a hypothetical attack scenario, an attacker could exploit the flaw by sending an email containing a specially crafted compressed archive, allowing a threat actor to leverage the application's improper sanitization logic to ultimately execute arbitrary shell commands. The shortcoming ...

Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments. "Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform's fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens," JFrog said in a report shared with The Hacker News. Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault simulation and simulates various abnormalities that might occur during the software development lifecycle. The issues, collectively called Chaotic Deputy, are listed below - CVE-2025-59358 (CVSS score: 7.5) - The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes clus...

Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell . The "Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file," Trellix researcher Sagar Bade said in a technical write-up. "The payload isn't hidden inside the file content or a macro, it's encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger." The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code. What's more, the technique offers the added advantage of...

Fortinet is alerting customers of a critical security flaw in FortiSIEM for which it said there exists an exploit in the wild. The vulnerability, tracked as CVE-2025-25256 , carries a CVSS score of 9.8 out of a maximum of 10.0. "An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests," the company said in a Tuesday advisory. The following versions are impacted by the flaw - FortiSIEM 6.1, 6.2, 6.3, 6.4, 6.5, 6.6 (Migrate to a fixed release) FortiSIEM 6.7.0 through 6.7.9 (Upgrade to 6.7.10 or above) FortiSIEM 7.0.0 through 7.0.3 (Upgrade to 7.0.4 or above) FortiSIEM 7.1.0 through 7.1.7 (Upgrade to 7.1.8 or above) FortiSIEM 7.2.0 through 7.2.5 (Upgrade to 7.2.6 or above) FortiSIEM 7.3.0 through 7.3.1 (Upgrade to 7.3.2 or above) FortiSIEM 7.4 (Not affected) Fortinet acknowledged i...

Hewlett-Packard Enterprise (HPE) has released security updates to address a critical security flaw affecting Instant On Access Points that could allow an attacker to bypass authentication and gain administrative access to susceptible systems. The vulnerability, tracked as CVE-2025-37103, carries a CVSS score of 9.8 out of a maximum of 10.0. "Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication," the company said in an advisory. "Successful exploitation could allow a remote attacker to gain administrative access to the system." Also patched by HPE is an authenticated command injection flaw in the command-line interface of the HPE Networking Instant On Access Points (CVE-2025-37102, CVSS score: 7.2) that a remote attacker could exploit with elevated permissions to run arbitrary commands on the underlying operating system as a privileged user. This also me...

Cybersecurity researchers are calling attention to a malware campaign that's targeting security flaws in TBK digital video recorders (DVRs) and Four-Faith routers to rope the devices into a new botnet called RondoDox . The vulnerabilities in question include CVE-2024-3721 , a medium-severity command injection vulnerability affecting TBK DVR-4104 and DVR-4216 DVRs, and CVE-2024-12856 , an operating system (OS) command injection bug affecting Four-Faith router models F3x24 and F3x36. Many of these devices are installed in critical environments like retail stores, warehouses, and small offices, where they often go unmonitored for years. That makes them ideal targets—easy to exploit, hard to detect, and usually exposed directly to the internet through outdated firmware or misconfigured ports. It's worth noting that all three security defects have been repeatedly weaponized by threat actors to deploy different Mirai botnet variants in recent months. "Both [the security f...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw in TP-Link wireless routers to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation.  The vulnerability in question is CVE-2023-33538 (CVSS score: 8.8), a command injection bug that could result in the execution of arbitrary system commands when processing the ssid1 parameter in a specially crafted HTTP GET request. "TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2 contain a command injection vulnerability via the component /userRpm/WlanNetworkRpm," the agency said. CISA has also warned that there is a possibility that affected products could be end-of-life (EoL) and/or end-of-service (EoS), urging users to discontinue their use if no mitigations are available. There is currently no public information available about how the shortcoming is being exploited in the wild, the scale of the attacks, and who is b...

A high-severity flaw impacting select Four-Faith industrial routers has come under active exploitation in the wild, according to new findings from VulnCheck. The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36. The severity of the shortcoming is lower due to the fact that it only works if the remote attacker is able to successfully authenticate themselves. However, if the default credentials associated with the routers have not been changed, it could result in unauthenticated OS command execution. In the attack detailed by VulnCheck, the unknown threat actors have been found to leverage the router's default credentials to trigger exploitation of CVE-2024-12856 and launch a reverse shell for persistent remote access. The exploitation attempt originated from the IP address 178.215.238[.]91 , which has been previously used in connection with attacks seeking to...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that could be exploited by a malicious actor to run arbitrary commands as the site user. "BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site user," CISA said. While the issue has already been plugged into customers' cloud instances, those using self-hosted versions of the software are recommended to update to the below versions - Privileged Remote Access (versions 24.3.1 and earlier) - PRA patch BT24-10-ONPREM1 or BT24-10-ONPREM2 Rem...

BeyondTrust has disclosed details of a critical security flaw in Privileged Remote Access (PRA) and Remote Support (RS) products that could potentially lead to the execution of arbitrary commands. Privileged Remote Access controls, manages, and audits privileged accounts and credentials, offering zero trust access to on-premises and cloud resources by internal, external, and third-party users. Remote Support allows service desk personnel to securely connect to remote systems and mobile devices. The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), has been described as an instance of command injection. "A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user," the company said in an advisory. An attacker could exploit the flaw by sending a malicious client request, effectively leading to the execution of arbitrary...

Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities impacting Aruba Networking Access Point products, including two critical bugs that could result in unauthenticated command execution. The flaws affect Access Points running Instant AOS-8 and AOS-10 - AOS-10.4.x.x: 10.4.1.4 and below Instant AOS-8.12.x.x: 8.12.0.2 and below Instant AOS-8.10.x.x: 8.10.0.13 and below The most severe among the six newly patched vulnerabilities are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0), two critical unauthenticated command injection flaws in the CLI Service that could result in the execution of arbitrary code. "Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211)," HPE said in an advisory for both the flaws. "Successful exp...

A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges. The CERT Coordination Center (CERT/CC) said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers. The vulnerability is being tracked as CVE-2024-41992. "This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers," the CERT/CC said in an advisory released Wednesday. Wi-Fi Test Suite is an integrated platform developed by the Wi-Fi Alliance that automates testing Wi-Fi components or devices. While open-source components of the toolkit are publicly available , the full package is available only to its members.  SSD Secure Disclosure, which released details of the flaw back in August 2024, described it as a case of command injectio...

Zyxel has released software updates to address a critical security flaw impacting certain access point (AP) and security router versions that could result in the execution of unauthorized commands. Tracked as CVE-2024-7261 (CVSS score: 9.8), the vulnerability has been described as a case of operating system (OS) command injection. "The improper neutralization of special elements in the parameter 'host' in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device," Zyxel said in an advisory. Chengchao Ai from the ROIS team of Fuzhou University has been credited with discovering and reporting the flaw. Zyxel has also shipped updates for eight vulnerabilities in its routers and firewalls, including few that are high in severity, that could result in OS command execution, a denial-of-service (DoS), or access browser-based information - CVE-2024...