Security News Bulletin - March 2026

Admin URL Disclosure in Magento-lts

CVE-2026-25523
Released: February 4, 2026
Last Updated: February 4, 2026 
Vendor: OpenMage / Magento-lts

Attack Tags: Information Disclosure, Web-Based Reconnaissance, Admin URL Exposure
Severity: Medium (CVSS 5.3)

What Is CVE-2026-25523? 

CVE-2026-25523 is a medium-severity vulnerability in Magento-lts — a long-term support fork of the popular Magento Community Edition (CE) e-commerce platform.

Before version 20.16.1, certain configurations allow the admin panel URL to be discovered without prior knowledge of its location by manipulating the X-Original-Url HTTP header. This header-based discovery bug leads to exposure of sensitive information (admin URL) that should remain hidden.

Knowing the admin URL makes it significantly easier for attackers to target login pages with brute-force attacks or automated scanners.
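Added example, not code from the Magento-lts project or its advisory: a small Python scanner that reads reverse-proxy access logs and flags requests in which a client outside the trusted proxy range supplied an X-Original-Url header, the signal a defender would look for while the upgrade is rolled out. The log line format, the trusted proxy range and the sample lines are constructed assumptions.

```python
# Added example (not Magento-lts code): find requests whose X-Original-Url
# header came from an untrusted client rather than from our own proxy.
# Assumed custom access-log line format (constructed for this example):
#   <client-ip> "<method> <path> <protocol>" <status> "<X-Original-Url or ->"
import re
from collections import Counter
from ipaddress import ip_address, ip_network

TRUSTED = [ip_network("10.0.0.0/24")]  # assumption: our reverse proxies
LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')

def parse(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ip, method, path, status, original = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "original": original}

def is_trusted(ip: str) -> bool:
    try:
        return any(ip_address(ip) in net for net in TRUSTED)
    except ValueError:  # malformed address field: treat as untrusted
        return False

def suspicious(lines):
    """Yield entries where an untrusted client sent X-Original-Url."""
    for line in lines:
        e = parse(line)
        if e and e["original"] != "-" and not is_trusted(e["ip"]):
            yield e

def summarize(lines) -> dict:
    """Per-client count and distinct values (many values from one client = enumeration)."""
    by_ip, values = Counter(), {}
    for e in suspicious(lines):
        by_ip[e["ip"]] += 1
        values.setdefault(e["ip"], set()).add(e["original"])
    return {ip: {"count": n, "values": sorted(values[ip])}
            for ip, n in by_ip.items()}

# Constructed sample: one proxy rewrite (trusted) and one client probing.
SAMPLE = [
    '10.0.0.5 "GET /index.php HTTP/1.1" 200 "/"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "/admin"',
    '203.0.113.9 "GET / HTTP/1.1" 200 "/manage"',
    '198.51.100.2 "GET /catalog HTTP/1.1" 200 "-"',
]
```

Run summarize() over the real log and alert on any client with more than one distinct value.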

Affected Versions

The vulnerability affects Magento-lts versions prior to 20.16.1.

Upgrading to 20.16.1 or later patches this issue.

Observed Attack Activity

At the time of disclosure, no in-the-wild exploitation reports have been confirmed. However:

  • Because this flaw exposes the admin URL without authentication, it increases automated scanning risk.
  • Attackers often rely on knowing admin endpoints as a first step in targeted attacks (e.g., credential brute force, admin panel abuse).
  • Public vulnerability databases rate this as easily discoverable over a network with low complexity and no privileges required — making it simple for automated tools to abuse.

Additional Resources

Here are reliable links to read more about CVE-2026-25523:

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-25523
  2. OpenCVE Detailed Entry (CVSS & Impact) 
    https://app.opencve.io/cve/CVE-2026-25523
  3. GitHub Security Advisory (Vendor Advisory) 
    https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f
  4. Security Vulnerability Summary 
    https://www.thehackerwire.com/vulnerability/CVE-2026-25523/


PsySH Arbitrary Code Execution Risk via Local Configuration File

CVE-2026-25129
Published: 2026-01-30 
Severity: High
Product: psysh 
Version affected: Prior to 0.11.23 and 0.12.19

CWE-427: Uncontrolled Search Path Element
Attack Tags: PHP, Developer Tools, Supply chain risk.

What is CVE-2026-25129?

CVE-2026-25129 is a security vulnerability affecting PsySH - a runtime developer console, interactive debugger, and REPL widely used in PHP development environments.

Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a '.psysh.php' configuration file from the current working directory (CWD) during startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim's context; when the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This CWD configuration poisoning creates a potential attack vector in development environments, shared systems, CI/CD pipelines, and automated build workflows — especially when working with untrusted repositories or external contributions.
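Added example, not PsySH code or its fix: a Python pre-launch check that a wrapper script or CI step can run before starting a tool that auto-loads a config file from the current directory, refusing when the file is not plausibly the current user's own. It assumes a POSIX host; the file name defaults to the one the advisory describes.

```python
# Added example (not PsySH code): before starting a tool that auto-loads a
# config file from the current directory, decide whether that file could
# have been planted or modified by someone other than the current user.
# Assumes a POSIX host; the file name defaults to the one PsySH loads.
import os
import stat
from pathlib import Path

def cwd_config_risk(directory: str, filename: str = ".psysh.php"):
    """Return None when the file is absent or plausibly ours, otherwise a
    short reason why it should not be auto-loaded."""
    cfg = Path(directory) / filename
    if not (cfg.is_symlink() or cfg.exists()):
        return None
    st = cfg.lstat()
    if stat.S_ISLNK(st.st_mode):
        return "config is a symlink"  # may point at a file we do not control
    me = os.getuid()
    if st.st_uid != me:
        return f"config owned by uid {st.st_uid}, not {me}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "config is group- or world-writable"
    dst = Path(directory).stat()
    # Anyone who can write the directory can swap the file out wholesale.
    if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
        return "directory is world-writable without the sticky bit"
    return None

def safe_to_launch(directory: str) -> bool:
    """Gate a launcher script would apply before starting the REPL."""
    reason = cwd_config_risk(directory)
    if reason:
        print(f"refusing to auto-load .psysh.php here: {reason}")
        return False
    return True
```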

Observed Attack Activity

While exploitation typically depends on file placement within the working directory, similar attack patterns in developer tool vulnerabilities have shown the following risks:

  • Execution of arbitrary PHP code during development or debugging sessions
  • Persistence mechanisms introduced into development environments
  • Injection of malicious logic into CI/CD workflows
  • Compromise of build servers or shared development systems
  • Theft of environment variables, credentials, or configuration secrets

Developer-focused tools are increasingly targeted because they operate with elevated trust and often have access to sensitive project resources. When misused, they can become entry points for broader system compromise.

Organizations that run automated scripts or developer consoles within shared or externally sourced directories may face increased exposure.

Additional Resources

  1. CVE.org Official Record 
    https://www.cve.org/CVERecord?id=CVE-2026-25129
  2. Feedly.com 
    https://feedly.com/cve/CVE-2026-25129
  3. PsySH GitHub Repository 
    https://github.com/bobthecow/psysh


Microsoft Office Security Feature Bypass

CVE-2026-21509 
Released: January 26, 2026 
Last Updated: February 22, 2026 
Vendor: Microsoft Corporation

Attack Tags: Security Feature Bypass, OLE/COM Bypass, Local Exploit, Document-based Attack 
Severity: High (CVSS ~ 7.8 — Security Feature Bypass)

What Is CVE-2026-21509?

CVE-2026-21509 is a security feature bypass vulnerability in Microsoft Office that allows an attacker to bypass built-in protection mechanisms because the product relies on untrusted input when making security decisions.

Microsoft Office’s internal checks — especially around OLE (Object Linking and Embedding) and COM controls — were trusting data they shouldn’t. This can allow a specially crafted Office document (e.g., Word or RTF file) to circumvent security protections, leading to malicious content execution or triggering additional payloads when the file is opened.

Affected Versions

The vulnerability affects a wide range of Microsoft Office products, including but not limited to:

  • Microsoft Office 2016
  • Microsoft Office 2019
  • Microsoft Office LTSC 2021
  • Microsoft Office LTSC 2024
  • Microsoft 365 Apps for Enterprise

All versions that process certain document formats without proper input validation are potentially impacted.

Observed Attack Activity

CVE-2026-21509 has been actively exploited in the wild, making it a true zero-day:

  • Within days of Microsoft’s emergency patch release, APT28 (a Russian state-linked actor) was seen weaponizing this vulnerability in targeted campaigns (tracked as Operation Neusploit).
  • Attackers delivered malicious Office documents via phishing which, when opened, triggered the bypass and delivered payloads such as backdoors and remote access tools.
  • Observations show phishing campaigns targeting government and critical infrastructure entities in Europe and Ukraine.

This confirms real-world exploitation rather than theoretical proof-of-concept.

Additional Resources

Here are reliable links to learn more about this vulnerability:

  1. Official CVE Record — CVE.org 
    https://www.cve.org/CVERecord?id=CVE-2026-21509
  2. NVD — National Vulnerability Database 
    https://nvd.nist.gov/vuln/detail/CVE-2026-21509
  3. Security Patch Information & Advisory (Microsoft) 
    https://support.microsoft.com/topic/description-of-the-security-update-for-office-2016-january-26-2026 (patch advisory)
  4. Threat Actor Analysis (APT28 / Operation Neusploit) 
    https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit


Code Injection Vulnerability in SAP CRM and SAP S/4HANA

CVE-2026-0488 
Published: 2026-02-10 
Severity: Critical

Product: SAP CRM and SAP S/4HANA
CWE-862: Missing Authorization
Attack Tags: SAP, Enterprise application, Code injection, Supply chain

What is CVE-2026-0488? 

CVE-2026-0488 is a Critical Code Injection vulnerability identified in the Scripting Editor component of SAP CRM and SAP S/4HANA. The vulnerability arises due to insufficient validation and sanitization of user-supplied input within the scripting functionality.

An authenticated attacker could exploit a flaw in a generic function module call and execute unauthorized critical functionality, including the ability to execute an arbitrary SQL statement. This could lead to a full database compromise with high impact on confidentiality, integrity, and availability.

Because SAP CRM and SAP S/4HANA are mission-critical enterprise platforms used for finance, supply chain, manufacturing, and customer data management, exploitation of this flaw can have severe business impact. Successful exploitation may allow attackers to manipulate business logic, alter records, access sensitive enterprise data, or execute unauthorized commands within the SAP system.

Observed Attack Activity

Although exploitation details continue to evolve, vulnerabilities of this type are commonly associated with the following attack patterns:

  • Targeted exploitation of internet-exposed SAP systems
  • Abuse of scripting functionality to execute arbitrary commands
  • Unauthorized modification of financial or customer records
  • Data exfiltration involving sensitive enterprise or transactional information
  • Establishment of persistent backdoors within SAP environments
  • Lateral movement from SAP servers to connected backend systems

Additional Resources

Cisco Catalyst SD-WAN Authentication Bypass Vulnerability

CVE-2026-20127 
Released: February 25, 2026 
Last Updated: February 26, 2026 
Vendor: Cisco Systems

Attack Tags: Authentication Bypass, Network Infrastructure, SD-WAN, Privilege Escalation 
Severity: Critical (CVSS ~10.0)

What Is This Vulnerability? 

CVE-2026-20127 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD-WAN products. The flaw exists in the peering authentication mechanism, which fails to correctly validate authentication requests between network components.

Because of this issue, an unauthenticated remote attacker can send specially crafted requests to bypass authentication and gain administrative access to affected systems.

Once exploited, the attacker can log in as an internal high-privileged user account and access network configuration interfaces such as NETCONF, allowing them to manipulate the SD-WAN environment.

Affected Products

The vulnerability impacts core SD-WAN management components including:

  • Cisco Catalyst SD-WAN Controller (formerly vSmart)
  • Cisco Catalyst SD-WAN Manager (formerly vManage)

These components manage and control traffic routing, policies, and device communication across SD-WAN infrastructure.

Observed Attack Activity 

Security researchers and government agencies have confirmed that CVE-2026-20127 is actively exploited in real-world attacks.

Observed attack behavior includes:

  • Sending crafted requests to bypass authentication
  • Logging in with elevated internal privileges
  • Adding rogue peers to the SD-WAN environment
  • Manipulating network configuration via NETCONF
  • Attempting persistence and further privilege escalation within the network infrastructure

Because SD-WAN controllers manage connectivity across multiple sites and cloud environments, compromising them can allow attackers to control traffic flows and disrupt enterprise networks.

Additional Resources 

For more detailed technical information, see:

  1. Official CVE Record 
    https://www.cve.org/CVERecord?id=CVE-2026-20127
  2. National Vulnerability Database (NVD) 
    https://nvd.nist.gov/vuln/detail/CVE-2026-20127
  3. Cisco Security Advisory 
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory
  4. Threat Research Analysis 
    https://www.rapid7.com/blog/post/etr-critical-cisco-catalyst-vulnerability-exploited-in-the-wild-cve-2026-20127/


Remote Code Execution Vulnerability in Microsoft Semantic Kernel

CVE-2026-26030
Published: 2026-02-19 
Severity: Critical

Product: semantic-kernel 
Version affected: < 1.39.4
CWE-94: Improper Control of Generation of Code ('Code Injection')
Attack Tags: AI Framework Security, Remote Code Execution (RCE), Insecure Input Handling, Supply Chain Risk, Cloud Application Security

What is CVE-2026-26030? 

CVE-2026-26030 is a critical security vulnerability affecting Microsoft’s Semantic Kernel Python SDK, specifically the filter functionality of its `InMemoryVectorStore` component.

Microsoft Semantic Kernel is widely used in AI-driven and large language model (LLM) applications to orchestrate prompts, manage memory, and integrate AI workflows into enterprise systems. The vulnerability arises from improper validation and handling of filter expressions within the InMemoryVectorStore component.

Due to insufficient input sanitization, an attacker may craft malicious filter payloads that trigger unintended code execution paths, potentially leading to Remote Code Execution (RCE) in affected environments.
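Added example, not Semantic Kernel's code or its patch (the bulletin does not describe the exact vulnerable code path): the general hardening pattern for the filter-expression problem above, a Python filter evaluator that parses a user-supplied expression with the `ast` module, allows only comparisons between known field names and literals joined by and/or/not, and rejects everything else before any evaluation, so the string is never handed to eval(). The record schema in FIELDS is an assumption.

```python
# Added example (not Semantic Kernel code): evaluate a record filter such as
# 'category == "docs" and score > 0.5' without handing the string to eval().
# Only comparisons between known field names and literals, combined with
# and/or/not, are accepted; any other syntax is rejected before evaluation.
# Assumed record schema: the FIELDS set below.
import ast
import operator

FIELDS = {"category", "score", "owner"}
_CMP = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
        ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_ALLOWED = (ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Compare,
            ast.Name, ast.Constant, ast.Load) + tuple(_CMP)

def validate(tree: ast.AST) -> None:
    """Reject Call, Attribute, Subscript, Lambda, ... and unknown names."""
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"rejected {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in FIELDS:
            raise ValueError(f"unknown field {node.id!r}")
        if isinstance(node, ast.Compare) and len(node.ops) != 1:
            raise ValueError("chained comparisons are not supported")

def _eval(node, record):
    if isinstance(node, ast.BoolOp):
        fn = all if isinstance(node.op, ast.And) else any
        return fn(_eval(v, record) for v in node.values)
    if isinstance(node, ast.UnaryOp):  # only Not passes validate()
        return not _eval(node.operand, record)
    if isinstance(node, ast.Compare):
        left, right = _eval(node.left, record), _eval(node.comparators[0], record)
        try:
            return bool(_CMP[type(node.ops[0])](left, right))
        except TypeError:  # e.g. a missing field (None) compared with a number
            return False
    if isinstance(node, ast.Name):
        return record.get(node.id)
    return node.value  # ast.Constant, the only remaining allowed node

def compile_filter(expr: str):
    """Parse and validate once; the returned predicate never calls eval()."""
    tree = ast.parse(expr, mode="eval").body
    validate(tree)
    return lambda record: bool(_eval(tree, record))

def apply_filter(expr: str, records: list) -> list:
    pred = compile_filter(expr)
    return [r for r in records if pred(r)]
```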

Observed Attack Activity

Although technical exploitation details may vary depending on deployment architecture, vulnerabilities of this nature are typically exploited through:

  • Crafted API requests targeting filter parsing logic
  • Injection of malicious expressions into vector query operations
  • Abuse of AI-integrated endpoints exposed to the internet
  • Post-exploitation persistence within AI orchestration layers

Threat actors targeting AI frameworks have been observed to:

  • Deploy web shells after initial compromise
  • Extract environment variables and API keys
  • Abuse service accounts connected to cloud infrastructure
  • Move laterally across containerized workloads
  • Manipulate AI-driven automation processes

As AI frameworks become more integrated into enterprise workflows, they increasingly represent high-value targets for financially motivated attackers and advanced threat actors.

Additional Resources

  1. CVE.org Official Record 
    https://www.cve.org/CVERecord?id=CVE-2026-26030
  2. Feedly.com 
    https://feedly.com/cve/CVE-2026-26030
  3. Cve.akaoma.com 
    https://cve.akaoma.com/cve-2026-26030