security bypass

Microsoft has logged CVE-2026-21513 as a Security Feature Bypass affecting the MSHTML (Internet Explorer / MSHTML framework) surface, and the vendor’s official entry carries a report‑confidence signal that security teams should treat as an operational alarm: the vulnerability is real, the...

Siemens ProductCERT published a focused advisory on December 9, 2025, confirming a physical authentication‑bypass vulnerability in Elspec G5 Digital Fault Recorder (G5DFR) devices used in Siemens Energy Services deployments that allows an attacker with physical access to reset the Admin password...

KubeVirt maintainers published a security advisory this autumn describing an authentication-bypass in the aggregation-layer handling inside the virt-api component that can let an attacker impersonate the Kubernetes API server and bypass RBAC when a small set of preconditions exist. Background /...

Microsoft has confirmed a Windows BitLocker security feature bypass tracked as CVE-2025-55332, and the advisory — backed by third‑party aggregators — describes an issue that allows an attacker with physical access to influence BitLocker’s boot or recovery decision logic and bypass protections...

Microsoft’s terse advisory listing for CVE-2025-55337 identifies a Windows BitLocker — Security Feature Bypass entry, but the public record and independent technical reporting needed to fully corroborate exploit mechanics and impact remain sparse; until Microsoft or reputable researchers publish...

Microsoft’s advisory for CVE-2025-55333 names a new BitLocker security feature bypass that allows an attacker with physical access to the device to subvert BitLocker protections by taking advantage of an incomplete comparison in BitLocker logic — a weakness Microsoft classifies as a Security...

A newly cataloged security feature bypass in ASP.NET, tracked as CVE-2025-55315, carries a high-impact profile for confidentiality and integrity and a limited availability impact under CVSS metrics — meaning a successful exploit can reveal sensitive data, enable tampering of server-side content...

A newly published U.S. Cybersecurity and Infrastructure Security Agency (CISA) advisory warns that an authentication‑bypass flaw in two LG Innotek CCTV models can be exploited remotely to attain administrative access — and that the affected products are end‑of‑life and will not be patched...

Two newly disclosed, high‑severity flaws in the Viessmann Vitogate 300 — tracked as CVE‑2025‑9494 and CVE‑2025‑9495 — expose widely deployed gateway devices to OS command injection and client‑side authentication bypass vulnerabilities, creating realistic paths to full device compromise for...

CVE-2025-49728 — Microsoft PC Manager: Cleartext storage of sensitive information (Security‑feature bypass, local) Summary (TL;DR) Microsoft has assigned CVE‑2025‑49728 to a vulnerability in Microsoft PC Manager where sensitive information is stored in cleartext, enabling a local, unauthorized...

Delta Electronics’ DIALink — a widely used industrial automation server — is the subject of a coordinated vulnerability disclosure that identifies two directory‑traversal / authentication‑bypass flaws (CVE‑2025‑58320 and CVE‑2025‑58321) affecting DIALink versions V1.6.0.0 and earlier, and urges...

Microsoft’s security feed lists CVE-2025-54917 as a Windows MapUrlToZone “Security Feature Bypass” — a protection-mechanism failure that can let an attacker trick Windows into misclassifying a URL’s zone and thereby bypass zone-based restrictions across the network. This class of flaw sits...

Windows’ long-standing URL zoning system has been shown to contain a dangerous weakness: an improper resolution of path equivalence in the MapUrlToZone API that can allow an attacker to bypass security zoning and make remote or network resources appear more trusted than they are. Overview...

Title: CVE-2025-53791 — What Windows admins need to know about the Microsoft Edge (Chromium) “security feature bypass” (as of September 5, 2025) Summary (short) CVE-2025-53791 is tracked by Microsoft as a “Security Feature Bypass” in Microsoft Edge (Chromium‑based). Microsoft’s advisory...

CISA has added CVE-2025-57819 — an authentication‑bypass and SQL‑injection chain that can lead to remote code execution in Sangoma FreePBX — to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation and urging immediate remediation. Background FreePBX is a...

CISA’s August 21, 2025 advisory bundle added three urgent entries to the growing list of industrial control system (ICS) and medical-device vulnerabilities security teams must treat as high priority this month. The agency published advisories for a denial-of-service vector in the Mitsubishi...

Siemens has published fixes for an improper VNC password check in multiple SINUMERIK CNC platforms after researchers discovered that the systems’ VNC access service can be reached with insufficient password verification, allowing an attacker on an adjacent network to gain unauthorized remote...

Siemens RUGGEDCOM ROX II devices are the subject of a newly cataloged vulnerability — tracked as CVE-2025-40761 — that allows an attacker with physical access to the device’s serial interface to bypass authentication through the device’s Built-In-Self-Test (BIST) mode and obtain a root shell, a...

Identity research published in July surfaces two sobering truths for Windows shops: attackers can now bypass dMSA authentication in Windows Server 2025 to mass‑generate service account passwords for lateral movement, and misgoverned first‑party apps in Microsoft Entra ID can be abused to...

A major security vulnerability has been discovered in Packet Power’s EMX and EG products, exposing critical infrastructure worldwide to the risk of unauthorized remote access and control. The vulnerability, designated CVE-2025-8284, allows attackers to bypass authentication entirely, offering a...