Archive for CISA

The CISA orders agencies to patch actively exploited n8n vulnerability which enables server takeover

Posted in Commentary with tags on March 12, 2026 by itnerd

The CISA has ordered federal agencies to patch a remote code execution vulnerability in the n8n workflow automation platform that could allow attackers to steal stored credentials such as API keys, OAuth tokens, and passwords, or pivot into connected systems that rely on the automation platform.

Security researchers found that multiple vulnerabilities in n8n could allow attackers to execute commands on vulnerable systems, escape sandbox protections, and potentially take full control of affected servers. One flaw involves an expression injection vulnerability that allows attackers to submit malicious input that is evaluated by the platform, while a second issue can be chained to bypass sandbox protections and execute commands directly on the host system.

Because n8n often stores credentials used to connect to external services and infrastructure, researchers warned that a compromised instance could expose multiple integrated systems and sensitive data across an organization’s environment.

n8n has more than 50,000 weekly npm downloads and over 100 million Docker pulls.

John Carberry, Solution Sleuth, Xcape, Inc.:

   “Federal agencies are racing to patch n8n workflow automation servers following a CISA directive targeting an actively exploited expression injection vulnerability. Despite previous security updates, researchers discovered multiple bypasses (CVE-2026-25049 and CVE-2026-27577) that allow attackers to escape the platform’s sandbox and execute arbitrary code on the host system. This cycle of incomplete patching is particularly dangerous for automation tools that serve as a central repository for sensitive API keys and OAuth tokens across the Enterprise.

   “For security professionals, this highlights the fragility of relying on software-defined sandboxes when the underlying application logic remains inherently permissive. Defenders must prioritize immediate updates to version 1.76.3 or later and audit all connected service credentials for signs of lateral movement. We need to stop treating sandbox escapes as isolated bugs and recognize them as fundamental design failures that require more than a quick syntax fix.

   “Patching a sandbox escape with a regex filter is like trying to fix a leaky dam with a Post-it note.”

Denis Calderone, CTO, Suzu Labs:

   “n8n is under sustained assault from multiple angles right now, and CISA just confirmed this latest one is being actively exploited. We’ve seen four critical RCE vulnerabilities in just the last three months, and an active supply chain attack to boot.

   “At its core, n8n is a credential vault. It stores API keys, OAuth tokens, database passwords, cloud storage credentials for every service it connects to, and it connects to a lot of services. Compromise one n8n instance and you don’t just own the automation platform, you get the keys to every system it touches. Numerous vulnerabilities from VMware to Cisco to n8n have been bringing to light the inherited trust problem once again. The underlying issue here is that your management and orchestration tools carry the deepest trust in your environment, and attackers know it.

   “What makes this one particularly concerning is the attack surface. Shadowserver is tracking over 40,000 unpatched instances still sitting on the open internet, and researchers identified more than 100,000 potentially vulnerable deployments globally. The patch has been available since December. That’s three months of exposure while these things are being actively exploited, and exploitation apparently spiked over the Christmas holiday when teams were thin.

   “If you’re running n8n, patch immediately, audit what credentials are stored in it, and restrict who can create or edit workflows. Yes, n8n needs internet-facing endpoints for webhooks and forms, but that doesn’t mean the management interface and credential store should be exposed along with them. Separate your webhook endpoints from your admin panel, and put the editor behind a VPN or proper access controls.”

Vishal Agarwal, CTO, Averlon:

   “Automation platforms like n8n often sit in the middle of many internal systems and services, storing the API keys, tokens, and credentials needed to connect them. When vulnerabilities appear in these platforms, the real risk isn’t just the initial compromise. It’s the blast radius: what those stored credentials allow an attacker to reach next, and how far that reach extends across connected systems.

   “Even if the initial access comes from a regular user account, these vulnerabilities can expose much more powerful credentials stored within the platform. Organizations should not only patch quickly but also map the pathways those credentials create across their environment.”

I am glad that the CISA is around because it forces organizations to take cybersecurity seriously. Of course organizations have to take cybersecurity seriously. But that’s another story.

CISA issues urgent directive on Cisco SD-WAN vulnerabilities that are being actively exploited 

Posted in Commentary with tags on March 11, 2026 by itnerd

The CISA released a new urgent directive this morning, Emergency Directive 26-03, warning that threat actors are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN systems used across federal networks. The directive requires agencies to immediately inventory affected systems, collect forensic artifacts, apply patches, and hunt for signs of compromise.

The vulnerabilities include CVE-2026-20127, a critical authentication bypass flaw (CVSS 10) that could allow an unauthenticated attacker to gain administrative access to SD-WAN infrastructure and potentially manipulate network configurations. 

Bobby Kuzma, Director of Offensive Operations at ProCircular, had this to say:

“CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks. The requests for artifact collection and submission make it clear they’re working to identify the scope of the threat. While contractors and civilian organizations are not required or requested to follow similar collection steps, if you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs.”

Once again it’s time to patch all the things. Though this time around, this patching exercise is pretty urgent and should be done without delay.

The CISA Has Provided Two Warnings That You Should Pay Attention To

Posted in Commentary with tags on February 19, 2026 by itnerd

The CISA has given US government agencies three days to patch their systems against a maximum-severity hardcoded credential vulnerability (CVE-2026-22769) in Dell’s RecoverPoint solution, which has been exploited by the UNC6201 Chinese hacking group since mid-2024. The KEV alert is here: https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog

Ensar Seker, CISO at threat intelligence company SOCRadar:

“When CISA orders agencies to patch within three days, that signals confirmed active exploitation and real operational risk. This is not theoretical exposure. A hardcoded credential vulnerability like CVE-2026-22769 effectively removes authentication as a barrier. If exploited, it can lead to root-level persistence, which is extremely difficult to detect and eradicate.

“The three-day mandate reflects two things: first, the vulnerability likely provides reliable post-exploitation value; second, federal systems running backup and recovery platforms are high-value targets. Backup infrastructure is especially sensitive because compromising it weakens an organization’s last line of defense against ransomware and destructive attacks. What makes this particularly concerning is that exploitation reportedly began in mid-2024. That means adversaries may have had months of dwell time in some environments. Even after patching, agencies must assume possible compromise and validate integrity, credentials, and persistence mechanisms.

“The real takeaway for enterprises is this: if federal agencies get three days, the private sector should not assume they have three weeks. When a vulnerability combines maximum severity, hardcoded credentials, and active exploitation, patching becomes a board-level risk discussion, not just an IT task.”

On top of that, the CISA published an advisory warning that a critical security vulnerability (CVE-2026-1670) has been identified in four Honeywell CCTV camera models that could allow attackers to bypass authentication and take control of device accounts.

The flaw is classified as “missing authentication for critical function” and has been given a CVSS severity score of 9.8.

According to the advisory, the vulnerability stems from an unauthenticated API endpoint that lets attackers remotely change the “forgot password” recovery email address associated with a camera account. By modifying this recovery email without needing credentials, an attacker could potentially take over the account and gain unauthorized access to live camera feeds or administrative functions.

Honeywell is a widely deployed global supplier of security and video surveillance equipment, including many NDAA-compliant cameras used in government, industrial, and commercial critical infrastructure environments. 

Nick Mo, CEO & Co-founder, Ridge Security Technology Inc. provided this comment:

   “IoT assets like cameras and smart printers remain massive security blind spots. While organizations obsess over protecting “crown jewel” databases, attackers exploit these overlooked devices as easy entry points.

   “The Honeywell zero-day (CVE-2026-1670) shows how a single vulnerability in a CCTV system can compromise critical infrastructure. Whether it’s a sophisticated exploit or a basic failure—like the 2025 Louvre heist where the password was just “Louvre”—the risk is the same: neglected hardware creates an open door.

   “Security testing must include every connected device. Find the holes before the hacker does.”

Michael Bell, Founder & CEO, Suzu Labs, had this comment:

   “The device you installed to protect the building just became the way into the network. CVE-2026-1670 lets an unauthenticated attacker change the password recovery email on affected Honeywell cameras and take over the account, no credentials needed. These are NDAA-compliant models that go into government facilities and critical infrastructure, and the vulnerability is an open API endpoint on a password reset function.

   “A physical security contractor puts the cameras up, plugs them into whatever network is available, and IT may never know they’re there. Nobody patches a device nobody knows they own, and nobody segments a device that isn’t in the asset inventory. CISA hasn’t seen active exploitation yet, so there’s still a window to get ahead of this one.”

John Carberry, Solution Sleuth, Xcape, Inc. adds this comment:

   “The discovery of CVE-2026-1670 in Honeywell CCTV cameras serves as a stark reminder that the surveillance systems safeguarding our critical infrastructure are frequently exposed to the public Internet. By leaving a “forgot password” API endpoint unauthenticated, Honeywell inadvertently enabled remote hijacking of device accounts. Attackers could simply redirect recovery emails to themselves, gaining unauthorized access.

   “This vulnerability, boasting a near-perfect CVSS score of 9.8, grants attackers a straightforward route from digital compromise to physical surveillance. This affects NDAA-compliant systems in government and industrial sectors. For Security Operations Center (SOC) teams, the presence of these devices on public-facing networks without VPNs or stringent access controls now constitutes an immediate liability.

   “This issue highlights a fundamental lapse in secure-by-design principles for hardware entrusted with protecting our most sensitive assets. As we increasingly adopt “smart” security solutions for our perimeters, it’s crucial to understand that an unpatched camera is not only a guardian, but it can also become an open portal for pivoting to other sensitive systems.

   “Organizations utilizing affected models must prioritize firmware updates, limit external access through network segmentation, and diligently monitor for any unauthorized configuration changes.

   “When your security cameras can be commandeered remotely, the watcher becomes the watched.”

The CISA does a lot of good work to keep people safe from a cybersecurity standpoint. Thus I would heed their warnings and take action ASAP when they appear.

SolarWinds Appears To Be Back From The Dead

Posted in Commentary with tags on February 5, 2026 by itnerd

The CISA has added to its KEV catalog the actively exploited critical (CVSS 9.8) flaw reported last week in SolarWinds’ Web Help Desk software, and is giving federal agencies until Friday to patch it.

The bug involves an untrusted data deserialization weakness that allows a remote, unauthenticated attacker to execute arbitrary code on affected systems. 

Horizon3.ai researchers revealed that the recently identified SolarWinds vulnerability, tracked as CVE-2025-40551, stems from a flaw uncovered in 2024 (CVE-2024-28986). The new bug is part of an ongoing chain of issues caused by incomplete remediation of the original vulnerability, allowing attackers to bypass the previous fixes.

In response, SolarWinds has released Web Help Desk 2026.1, which addresses this and several related vulnerabilities, a number of them rated high severity. Some of those can also bypass authentication controls or allow similar impacts, such as privilege escalation or arbitrary actions by unauthenticated users.

Vishal Agarwal, CEO, Averlon, had this comment:

   “What stands out is not one critical CVE, but a series of six caused by incomplete fixes of the same underlying weakness. This incident shows how easy it is to patch the reported bug without eliminating the root problem. Engineers are moving fast, working at scale, and are not security specialists. The answer isn’t more expertise. It’s better reasoning that helps teams fix the system, not just the CVE.”

Damon Small, Board of Directors, Xcape, Inc. follows with this comment:

   “SolarWinds’ Web Help Desk has a critical remote code execution vulnerability (CVE-2025-40551) stemming from untrusted data deserialization, which is the same root cause as a flaw patched two years ago, discovered by the same researcher who found the original issue. CISA has added it to the Known Exploited Vulnerabilities catalog, confirming active exploitation and requiring immediate patching to version 2026.1.

   “While this is the only confirmed exploit currently, the January 2026 patch also addressed three other critical vulnerabilities, including authentication bypasses, that could be chained together for full system compromise. Organizations must patch immediately to avoid becoming the next breach headline.

   “When the same researcher finds the bypass to your two-year-old patch, that’s not a vulnerability; that’s a sequel nobody asked for.”

Lydia Zhang, President & Co-Founder, Ridge Security Technology Inc., adds this comment:

   “These CVEs are quite serious and involve Remote Code Execution (RCE) attacks caused by authentication bypass or improper data deserialization. “Help Desk” software is an obvious target and an easy entry point into an enterprise network, enabling attackers to cause further damage. Security teams should patch these vulnerabilities right away.”

I truly thought that we were done with the dumpster fire that was SolarWinds. But I guess like the bad guy who dies at the end of the movie only to come back in the sequel, nothing of this sort truly goes away.

The CISA Puts Out New Post-Quantum Cryptography Guidance

Posted in Commentary with tags on January 26, 2026 by itnerd

The CISA has put out new guidance that identifies product categories where post-quantum cryptography (PQC) is now considered “widely available” and explicitly advises agencies to procure only PQC-capable products in those categories going forward. The update covers cloud services, endpoint security, collaboration software, and web infrastructure, while signaling that networking, identity, and core infrastructure products are close behind.

You can look at the guidance from the CISA here: https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards

Peter Bentley, COO of Patero, a post-quantum cryptography company working with federal agencies, critical infrastructure operators, and defense-adjacent environments, shared his perspective below.

On the “so what” of CISA’s PQC product categories list: “CISA’s new product categories list is less about theory and more about signaling where federal buying power is heading. It tells agencies and vendors alike: these are the technology lanes where post-quantum readiness will matter first. While it isn’t a mandate on its own, it functions as a procurement signal with real compliance gravity—and that makes it a market-shaping lever.”

On what agencies and vendors should not misunderstand: “The biggest mistake would be treating this as a future-dated checklist. Once categories are named, they tend to show up quickly in acquisition language, evaluation criteria, and security reviews. Vendors that wait for a formal mandate risk discovering that they’re already behind the curve when procurements begin to prefer PQC-capable solutions.”

On the biggest technical and operational trap: “The hardest part isn’t selecting a post-quantum algorithm—it’s knowing where cryptography actually lives. Most organizations don’t have a complete cryptographic inventory, and many products weren’t designed for crypto agility. Without that visibility, and arguably developing a Cryptographic Discovery and Inventory best practice, ‘PQC-enabled’ becomes a marketing label instead of a verifiable capability, especially in hybrid or mixed-vendor environments.” Patero provides a comprehensive, easy-to-use tool to establish cryptographic visibility and best practices.

On hybrid deployments and false confidence: “Hybrid approaches are often necessary, but they’re also where programs stumble. If hybrid cryptography isn’t implemented cleanly—with clear boundaries, validation evidence, and a migration path—it can add complexity without delivering real quantum resilience. Buyers will increasingly look past buzzwords and ask what’s actually protected, where, and for how long.”

On what CISA should do next: “To make this list actionable, CISA should pair categories with minimum capability profiles—what functions must be quantum-safe, what evidence buyers should request, and how claims should be validated. That would turn a useful taxonomy into a procurement-ready tool agencies can apply consistently.”

On what industry must do now: “Vendors should assume the window for ‘we’re watching PQC’ is closing. The companies that stay eligible for federal business will be the ones that can show cryptographic inventories, interoperable hybrid deployments, and a credible roadmap—not just algorithm support. Post-quantum readiness is moving from R&D into go-to-market reality.”

Windows exploit catches the attention of the CISA

Posted in Commentary with tags on January 15, 2026 by itnerd

The CISA has added a vulnerability in Microsoft Windows, tracked as CVE-2026-20805 (CVSS score of 8.7), to its Known Exploited Vulnerabilities catalog. Released this week in Microsoft’s Patch Tuesday security update, this CVE is a Windows Desktop Window Manager flaw that lets attackers leak small pieces of memory contents, which can help them bypass security protections. It is being actively exploited in the wild.

Here’s some insights from Adrian Culley, Senior Sales Engineer for SafeBreach and OWASP contributor:

“This is a ‘detected in the wild’ zero day attack. There is no publicly disclosed code or PoC, yet. CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. Since exploitation requires local access and privileges, remote exploitation is not feasible, reducing the attack surface.”

Microsoft’s advisory for this CVE has more details, along with the list of applicable patches depending on which Microsoft OS you’re running. It’s worth a read, as this is one that you want to make sure you’re defended against, even though it’s not remotely exploitable.

CISA Warns of Chinese “BrickStorm” Malware Attacks on VMware Servers

Posted in Commentary with tags on December 5, 2025 by itnerd

The CISA, the NSA, and the Canadian Centre for Cyber Security are warning that People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems.

You can get more details here: https://www.cisa.gov/news-events/analysis-reports/ar25-338a

Ensar Seker, CISO at threat intel company SOCRadar, provided the following comments:

“The recent advisory from CISA, NSA and the Canadian Centre for Cyber Security (Cyber Centre) confirms that a China‑linked actor is using BRICKSTORM to compromise virtual‑infrastructure environments, creating hidden virtual machines, harvesting credentials via cloned VM snapshots, and maintaining long dwell times of up to 393 days. 

What’s especially alarming about this campaign is that it targets the virtualization layer itself, not the OS or applications, which historically receives less attention. Once the hypervisor or management console (vCenter) is compromised, attackers gain broad visibility over the virtual infrastructure and can bypass many traditional endpoint defenses (like EDR), because these often don’t monitor hypervisor behavior or VM snapshot manipulation. 

For defenders, the implications are stark: if you run VMware vSphere or ESXi, particularly with vCenter exposed internally or weakly segmented, you are directly in scope. This means organizations must treat virtualization infrastructure as a critical attack surface with the same urgency as public‑facing apps or legacy enterprise systems.

Immediate steps: apply detection signatures/YARA and Sigma rules from the joint CISA/NSA report to hunt for BRICKSTORM indicators; audit VM snapshot creation and export logs; restrict vCenter access tightly; segment management consoles from general workloads; block unauthorized DNS‑over‑HTTPS (DoH) traffic from servers; and ensure build‑in and third‑party monitoring includes hypervisor‑level telemetry. 

In short, this isn’t just another malware campaign. It’s a wake‑up call showing that adversaries are shifting upward in the stack, targeting the foundations of virtualization rather than individual VMs. For many organizations, exposure will only be obvious after they start actively hunting for hypervisor‑layer compromise.”

Everyone needs to pay attention to this as it is clear from this alert that the bad guys are changing the tactics that they use to get a bigger payoff at the end of the day. Which is bad for all of us and requires immediate attention from defenders.

CISA Warns of OpenPLC ScadaBR Vulnerability After ICS Attack

Posted in Commentary with tags on December 2, 2025 by itnerd

The CISA has warned of a flaw in OpenPLC ScadaBR, tracked as CVE-2021-26829, that was recently leveraged by hackers to deface an industrial control system (ICS), meaning that it is related to critical infrastructure.

More details here: https://www.cisa.gov/news-events/alerts/2025/11/28/cisa-adds-one-known-exploited-vulnerability-catalog

Martin Jartelius, AI Product Director at Outpost24, provided the following comments:

“This vulnerability is four years old, and while the project is still in use, it has largely been replaced by other solutions for many users. Both existing vulnerabilities in the platform require authentication, and the observed intrusion occurred in a honeypot, meaning it must have been configured with an intentionally weak or default password. The group then opted for “defacement,” meaning they changed the appearance of the application rather than abusing the known file-upload issue to achieve code execution on the system.

“As it is an ICS system, the incident is serious, but the key lesson is not to fear this outdated, unpatched system itself. Instead, we should recognize that there are attackers driven by hacktivism or simple cyber-vandalism actively looking for these types of exposed systems. These systems should never be exposed to the internet; organizations must adhere to ICS-CERT guidelines for proper isolation. We must also remember that this incident was visible. If someone had simply logged in and changed settings, there would have been no visual indication.

Over the years, we have seen small power plants with currents and frequency controls exposed directly to the internet — these systems are not toys, and to repeat myself, they should never be accessible without strict isolation and must not have direct internet exposure.”

This should highlight the need to protect critical infrastructure at all costs. Hopefully it doesn’t take a significant incident to get that message through.

CISA warning: Patch actively exploited Cisco flaws ASAP

Posted in Commentary with tags on November 13, 2025 by itnerd

The CISA issued an urgent warning that federal agencies must immediately patch two actively exploited Cisco ASA and Firepower vulnerabilities, CVE-2025-20362 and CVE-2025-20333. The flaws allow unauthenticated access to restricted endpoints and remote code execution, and when chained, give attackers full control of affected devices. Cisco patched the bugs in September after observing zero-day exploitation tied to the ArcaneDoor campaign, but many agencies incorrectly believed they had already updated to safe versions.

Gunter Ollmann, CTO, Cobalt, had this to say:

“The ongoing exploitation of these Cisco flaws highlights how attackers increasingly rely on chaining weaknesses to gain rapid, unauthenticated control over perimeter devices. These types of edge-network compromises are particularly attractive because they create a launch point that bypasses many downstream defenses. The challenge is that organizations still struggle to validate their exposure in real-world terms, even when patches exist. Offensive testing helps reveal whether the environment behaves as expected after updates and whether an attacker could still traverse overlooked paths. Mature programs treat patching as the starting point, not the finish line, and use adversarial validation to catch residual gaps before threat actors do.”

Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic, follows with this:

“When firewalls or VPN gateways are compromised, attackers often pivot quickly into identity systems because credentials remain one of the most reliable pathways to deeper access. Incidents like this reveal how perimeter flaws can cascade into identity-based risks when agencies lack unified visibility across accounts, entitlements, and authentication patterns. The limitation is that many organizations still operate with fragmented identity data, making it hard to detect suspicious changes that follow network intrusions. Strengthening identity observability provides the context needed to spot anomalies early and contain lateral movement before privileges accumulate. Agencies that unify and observe identity data will be better positioned to absorb these infrastructure-level shocks and maintain Zero Trust resilience.”

Once again it’s time to patch all the things because of an actively exploited threat. The “fun” never ends in this business.

RunSafe Security Comments On A New CISA Advisory

Posted in Commentary with tags on November 5, 2025 by itnerd

The CISA’s latest advisory (issued on Tuesday) underscores a persistent challenge across industrial and critical manufacturing sectors: software vulnerabilities that open the door to potential code execution — even when the risk appears to be local or limited in scope.

Commenting on this is Joe Saunders, Founder & CEO, RunSafe Security:

On ICSA-25-308-01 – Fuji Electric Monitouch V-SFT-6

“While the Fuji Electric Monitouch V-SFT-6 vulnerabilities may not be remotely exploitable, the underlying pattern is familiar — buffer overflows in configuration tools or project files that can be weaponized as part of a supply chain or lateral movement strategy. These flaws highlight why protecting binaries before deployment is essential to breaking exploit chains.”

“RunSafe’s approach focuses on preemptive binary protection, eliminating exploit reuse and mitigating memory corruption risks like those identified here — without requiring source code changes or developer intervention. As these advisories remind us, defense-in-depth must now include securing the software itself at its most fundamental level.” 

On ICSA-25-308-03 – Delta Electronics CNCSoft-G2

“The recently disclosed vulnerability in Delta Electronics’ CNCSoft-G2 software is another reminder that even trusted engineering and configuration tools can become points of entry for cyber threats. In this case, a simple stack-based buffer overflow — with low attack complexity — could allow arbitrary code execution once a malicious file is opened.”

“Although this vulnerability is not remotely exploitable, it highlights a recurring and systemic issue across industrial control software: unprotected binaries that remain vulnerable to memory corruption and exploit reuse. These weaknesses can be leveraged in multi-stage or supply chain attacks to move deeper into critical systems.”

“RunSafe Security focuses on eliminating these risks before they can be exploited — by protecting binaries at build time and making every software instance unique. This approach prevents attackers from reusing exploits or achieving code execution, even when a vulnerability exists. As this and similar advisories show, securing software at the binary level must now be part of every defense-in-depth strategy.”