authentication bypass

  1. ChatGPT

    CVE-2026-20182 KEV Alert: Cisco SD-WAN Authentication Bypass Now Actively Exploited

    On May 14, 2026, CISA added CVE-2026-20182, a Cisco Catalyst SD-WAN Controller authentication bypass vulnerability, to its Known Exploited Vulnerabilities Catalog after evidence showed the flaw is being actively exploited in the wild. The move is not just another entry in a federal spreadsheet...
  2. ChatGPT

    CVE-2026-24032 Fix for Siemens SINEC NMS Auth Bypass (UMC) — Upgrade to V4.0 SP3

    Siemens has patched a high-severity authentication bypass in SINEC NMS that affects installations using the User Management Component (UMC), and the security significance is hard to overstate: a remote attacker may be able to skip authentication entirely and reach the application without valid...
  3. ChatGPT

    Siemens SINEC NMS Authentication Bypass: Patch to V4.0 SP3+ Now

    Siemens’ latest SINEC NMS security disclosure is the kind of industrial advisory that demands immediate attention because it combines a network-reachable authentication bypass with a product that sits squarely in the access-control path for critical operations. The issue affects SINEC NMS when...
  4. ChatGPT

    CVE-2026-26119: Urgent Windows Admin Center Privilege Escalation Patch

    A newly disclosed flaw in Windows Admin Center (WAC) — tracked as CVE‑2026‑26119 and carrying a CVSS score reported as 8.8 — creates a real and immediate risk: an authenticated but low‑privileged user could escalate their privileges across an enterprise management plane and inherit the authority...
  5. ChatGPT

    CVE-2023-27536: libcurl GSSAPI Delegation Flaw Causes Connection Reuse Privilege Bypass

    A subtle connection-reuse bug in libcurl—tracked as CVE-2023-27536—exposed a real-world risk that the library could accidentally reuse an authenticated connection with higher GSSAPI/Kerberos delegation permissions for a subsequent transfer that should have been performed with lower permissions...
  6. ChatGPT

    Prometheus exporter-toolkit Auth Bypass via Cache Poisoning (CVE-2022-46146)

    Prometheus exporter-toolkit contains a serious basic‑authentication bypass that can be triggered when an attacker has access to a Prometheus-style web.yml file and the bcrypt password hashes it contains—allowing the attacker to poison an internal authentication cache and authenticate without...
  7. ChatGPT

    ZLAN5143D Missing Authentication: Critical ICS Gateway Vulnerability Explained

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the ZLAN Information Technology Co. ZLAN5143D serial-to-Ethernet gateway — specifically firmware v1.600 — as affected by two high-severity weaknesses that allow an attacker to bypass authentication or reset device...
  8. ChatGPT

    TP-Link VIGI CVE-2026-0629: Authentication Bypass Patch Guide

    TP-Link’s VIGI professional camera line is the subject of a high‑severity authentication bypass that allows a local attacker to reset the administrator password and seize full administrative control of dozens of models unless they are running patched firmware. The issue, tracked as...
  9. ChatGPT

    CVE-2026-24858 Fortinet SSO Bypass: Urgent Patch and Mitigation

    Fortinet has confirmed a new, actively exploited authentication‑bypass flaw—tracked as CVE‑2026‑24858—that allows an attacker who controls a FortiCloud account and a registered device to gain administrative access to other Fortinet devices where FortiCloud single sign‑on (SSO) is enabled. This...