Vista Net, Inc.

Vista Net, Inc. is Northern California's most trusted and experienced computer network integration and cloud specialist. VistaNet Inc. is Northern California's premier Network Integrator and Internet Service Provider, specializing in technology solutions for corporate, education, government, and non-profit entities. We offer a complete line of products and services to meet the technology needs of every organization. As the North Valley's technology leader, we continually strive to provide the highest level of technical support for our clients. From small peer-to-peer networks to large, complex enterprise networks and beyond, VistaNet is your technology partner.

VU #595768: Securly Chrome Extension contains multiple weak encryption and access control vulnerabilities
06/03/2026

Overview

Version 3.0.7 of the Securly Chrome Extension contains multiple vulnerabilities involving insecure data transmission, weak cryptography, and improper access control. These issues may expose sensitive filtering rules, enable the manipulation of downloaded configuration files, and allow unauthenticated access to protected resources. An attacker could exploit these weaknesses to steal configuration information, induce a Denial of Service (DoS), or modify content blocking rules for student users.

Description

The Securly Chrome Extension is a browser add-on commonly used on K-12 school-managed Chromebooks to enforce internet safety policies, filter or block websites, and provide activity monitoring for students. It is an element of the Securly classroom management platform, which helps schools comply with web filtering requirements and safely manage student online access.

CVE-2026-8874
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch Internet Watch Foundation (IWF) and Children's Internet Protection Act (CIPA) data over HTTPS, demonstrating an inconsistent implementation of TLS.

CVE-2026-8876
The Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.

CVE-2026-8878
The Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.

CVE-2026-8879
The Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden.

CVE-2026-8881
The Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004, and a single iteration provides no key stretching. This weak derivation method significantly reduces the effective security of the encryption, making the protected data vulnerable to efficient offline cracking.

CVE-2026-8888
The Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.

CVE-2026-8889
The Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).

Impact

These vulnerabilities collectively enable multiple attack paths and threaten the security and privacy of student users, for whom the extension may be academically mandatory. The HTTP configuration downloads (CVE-2026-8874, CVE-2026-8888) and weak cryptographic primitives (CVE-2026-8876, CVE-2026-8881, CVE-2026-8889) allow a network-adjacent attacker to intercept, modify, or decrypt data related to keyword filtering. The presence of unauthenticated, publicly accessible endpoints with trivially reversible obfuscation (CVE-2026-8878) further exposes internal keyword lists, blocklists, and rule definitions. These weaknesses enable the reconstruction and manipulation of the extension's filtering logic. For student users, this could result in exposure to content that the filtering system is intended to block, or the inappropriate blocking of legitimate educational resources. Additionally, the undeclared, dynamically registered content script (CVE-2026-8879) can be abused to fully obscure web pages, leading to DoS conditions for end users.

Solution

Unfortunately, Securly could not be reached for coordination of these vulnerabilities. Until a patch is available, administrators can lower their potential exposure by restricting usage of the extension on untrusted or public networks, installing school-managed VPNs on the underlying devices, and monitoring for unexpected or abnormal filtering behavior.

Acknowledgements

Thanks to the reporter Santh for discovering and researching these vulnerabilities. This document was written by Molly Jaconski.
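A defender-side illustration of the two checks the note says config.json loading lacks (CVE-2026-8874 and CVE-2026-8888): refuse any configuration source that is not https://, and reject server-supplied regex text with backreferences or nested quantifiers before it is ever compiled. This is an added example written in Python, not code from the extension or from the note (the extension itself is JavaScript); the sample config is constructed, and the nested-quantifier scan is a heuristic guard, not a complete ReDoS analysis.

```python
import json
import re
from urllib.parse import urlsplit

MAX_PATTERN_LEN = 200          # assumed cap; long server patterns are suspicious
QUANTIFIERS = set("*+?{")


def is_https_source(url):
    """Only an https:// origin with a host is an acceptable rule source."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def pattern_is_safe(pattern):
    """Heuristic ReDoS guard for untrusted regex text.

    Rejects over-long patterns, backreferences (\\1 .. \\9), and any quantified
    group that itself contains a quantifier, e.g. (a+)+ or (\\w*)*.
    """
    if len(pattern) > MAX_PATTERN_LEN:
        return False
    # One flag per open group: does this group contain a quantifier?
    stack = [False]
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":
            if i + 1 < n and pattern[i + 1] in "123456789":
                return False            # backreference
            i += 2                      # skip the escaped character
            continue
        if c == "[":
            # skip a character class; ']' right after '[' or '[^' is literal
            j = i + 1
            if j < n and pattern[j] == "^":
                j += 1
            if j < n and pattern[j] == "]":
                j += 1
            while j < n and pattern[j] != "]":
                j += 2 if pattern[j] == "\\" else 1
            i = j + 1
            continue
        if c == "(":
            stack.append(False)
        elif c == ")":
            had_quantifier = stack.pop() if len(stack) > 1 else False
            # a quantifier applied to a group that already contains one
            if had_quantifier and i + 1 < n and pattern[i + 1] in QUANTIFIERS:
                return False
            if had_quantifier:
                stack[-1] = True        # propagate to the enclosing group
        elif c in QUANTIFIERS:
            stack[-1] = True
        i += 1
    return True


def load_filter_config(url, raw_json):
    """Validate the source, then compile only the patterns that pass the scan.

    Returns (compiled_patterns, rejected_patterns); raises on a non-https source.
    """
    if not is_https_source(url):
        raise ValueError(f"refusing to load filtering rules from {url!r}")
    config = json.loads(raw_json)
    compiled, rejected = [], []
    for pat in config.get("patterns", []):
        if not isinstance(pat, str) or not pattern_is_safe(pat):
            rejected.append(pat)
            continue
        try:
            compiled.append(re.compile(pat))
        except re.error:
            rejected.append(pat)
    return compiled, rejected


# Constructed sample config: one ordinary rule and two backtracking bombs.
SAMPLE_CONFIG_JSON = json.dumps({
    "patterns": [
        r"^https?://[^/]+\.example\.com/",   # ordinary blocklist rule
        r"(a+)+$",                            # classic nested quantifier
        r"(\w+\s?)*x",                        # same problem, less obvious
    ]
})
```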


VU #615987: Missing IPsec Integrity Protection for IMS SIP Signaling in Verizon VoLTE Deployments
06/02/2026

Overview

VoLTE deployments on Verizon’s IMS network have operated without negotiated SIP integrity protection. In observed test conditions, SIP signaling—including registration, call setup, and messaging—traveled without IPsec ESP encapsulation and without SIP Security Agreement headers, exposing it to interception and modification by on-path attackers. Recent carrier configuration updates, including Apple’s iOS 26.5 carrier bundle released on May 11, 2026, include IMS IPsec-related settings. However, such configuration entries do not confirm active deployment, successful negotiation, or functional protection in production.

Description

CVE-2026-10629
Verizon IMS deployments were observed transmitting SIP signaling without integrity protection. REGISTER exchanges lacked Security-Client, Security-Server, and Security-Verify headers, and no ESP-encapsulated SIP traffic was detected during subsequent signaling such as INVITE, MESSAGE, BYE, and UPDATE. This pattern persisted across devices, operating systems, and network conditions, indicating a deliberate network configuration rather than a transient issue. Per 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF must be protected using IPsec ESP following IMS AKA authentication, with negotiation occurring during registration. The absence of this protection allows attackers to manipulate SIP signaling undetected, enabling call hijacking, spoofing, denial-of-service, and misrouting of emergency calls. Verizon initially acknowledged the issue and stated that integrity support would be available upon request and extended broadly later in the year. However, the company has since ceased participation in coordination, including follow-up discussions and draft review, and has not provided verifiable evidence of mitigation. As remediation remains unconfirmed, this disclosure proceeds to inform users of an ongoing security exposure. Independent verification would require observation of successful SIP security negotiation, ESP-protected traffic, or official confirmation from Verizon.

Impact

Without integrity protection, on-path attackers can intercept, replay, or alter SIP messages with no risk of detection. This undermines core VoLTE security assumptions and enables signaling spoofing, call disruption, and manipulation of emergency routing. Although recent configuration changes suggest potential progress, their operational status remains unverified. Until protections are confirmed, the risk persists.

Solution

Remediation requires coordinated network and device-side changes. Verizon must enable and enforce SIP security negotiation and ESP protection in its IMS core infrastructure, and devices must receive and apply correct carrier configuration to support IPsec. Verification should confirm successful SIP security negotiation and ESP-protected signaling, either through observed headers, traffic capture, or operator confirmation. Until then, organizations relying on high-assurance VoLTE should treat signaling as untrusted.

Acknowledgements

The authors thank DongWon Lee, Jeongmin Choi, and CheolJun Park from Kyung Hee University for their technical analysis, coordination efforts, and identification of the iOS 26.5 configuration updates. Their work has advanced understanding of this issue and ensured disclosures remain grounded in observable evidence. This report was prepared by Timur Snoke, with AI-assisted drafting to support clarity and accuracy.


VU #265691: Appsmiths SQL Query autocomplete renderer contains a cross site scripting vulnerability
06/02/2026

Overview

A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror-based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer-level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Version 2.1 of Appsmith fixes CVE-2026-7299.

Description

Appsmith is an open-source, low-code platform intended to allow developers to build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can be deployed either self-hosted or via the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered, allowing for XSS within the SQL query editor's autocomplete function. The vulnerability description is below.

CVE-2026-7299
Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS via malicious table or column names, triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. This vulnerability requires an account with developer access. A developer Appsmith account is an account designed to create, edit, and delete apps within a workspace it is assigned to. When an administrator opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious table name executes the stored payload, which can allow for privilege escalation.

Impact

Successful exploitation of CVE-2026-7299 leads to arbitrary code execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft.

Solution

Version 2.1 of Appsmith fixes this vulnerability. Users should update their installations as soon as possible.

Acknowledgements

Thanks to the reporter, Stuart Beck. This document was written by Christopher Cullen.



VU #873170: Collibra Agent contains improper authentication and path traversal vulnerabilities
06/02/2026

Overview

The Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. An attacker can exploit these issues by uploading a crafted ZIP archive that writes attacker-controlled files to arbitrary locations on the server once extracted, resulting in code execution.

Description

Collibra Platform (CP) and Collibra Platform Self-Hosted (CPSH) form an enterprise-grade, cloud-based platform designed to help organizations locate, understand, trust, and manage their data assets. The Collibra Agent of CP and CPSH that is installed on the host system is an independent service that listens on a different port than the web interface and has the following vulnerabilities.

CVE-2026-10622
Privileged REST endpoints exposed under /rest/* do not properly enforce authentication or authorization. This allows a remote, unauthenticated attacker to interact with sensitive application functionality and gather information useful for further exploitation, including identifying suitable filesystem locations or application paths. Additionally, the web service hosting the vulnerable REST endpoint was observed to bind to all available network interfaces regardless of the setting passed to the installer script. This behavior may increase exposure in deployments where administrators believe access is restricted to specific interfaces or trusted networks.

CVE-2026-10621
A Zip Slip vulnerability during extraction is exposed through POST /rest/restore and enables path traversal. When a ZIP archive is processed, file paths contained within the archive are not properly validated or canonicalized before extraction. A remote attacker can supply a crafted ZIP archive containing directory traversal sequences, such as ../, to write files outside of the intended extraction directory. This may allow attackers to write custom files to arbitrary locations on the underlying host. In an observed exploitation path, this arbitrary file write can be used to place a malicious JSP file into a web-accessible directory, enabling remote code execution when the file is subsequently requested over HTTP.

Impact

A remote, unauthenticated attacker can chain these vulnerabilities to achieve remote code execution on the affected system. An attacker who successfully exploits these issues may be able to:
- install a persistent web shell
- read, modify, or delete application data
- disrupt system availability
- potentially pivot further into the surrounding environment
Because exploitation does not require authentication, deployments reachable across the public internet may be at significant risk.

Solution

Collibra has released the following versions to address these vulnerabilities.
Collibra Platform (SaaS): 2026.05, 2026.04.5, 2026.03.4, 2026.02.6, 2025.11.7, 2025.10.9
Collibra Platform Self-Hosted (on-prem): 2026.03 (Build 2026.03.356), 2025.10 (Build 2025.10.399)
Users are strongly encouraged to update to the fixed release as soon as possible. Refer to Collibra documentation and release notes for patching and deployment guidance. Administrators should ensure that interfaces exposing REST endpoints are not exposed to untrusted networks and should restrict access to management interfaces wherever possible.

Acknowledgements

Thanks to the reporter who wishes to remain anonymous. This document was written by Michael Bragg.

VU #873170.2: Path traversal in the restore handler in Collibra Agent allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file paths during ZIP extraction, which can allow an attacker to write files outside the intended extraction directory.
VU #873170.1: Improper authentication in the REST API in Collibra Agent allows a remote unauthenticated attacker to access privileged functionality via exposed /rest/* endpoints.
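The validation the note says the restore handler lacks (CVE-2026-10621), shown as a hardened extractor: every entry name is canonicalized against the real destination directory before anything is written, and entries that resolve outside it are skipped and reported. This is an added Python example, not Collibra's code (the agent is not written in Python); the archive it processes is constructed in memory and contains one legitimate entry and one `../` traversal entry.

```python
import io
import os
import tempfile
import zipfile


def resolve_entry(dest_dir, entry_name):
    """Return the canonical on-disk path for a ZIP entry, or None if it escapes.

    Canonicalization happens before any write: the destination is resolved with
    realpath, the entry is joined and resolved the same way, and the result must
    still have the destination as a path prefix. Absolute names and backslash
    separators are rejected outright.
    """
    if not entry_name or os.path.isabs(entry_name) or "\\" in entry_name:
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, entry_name))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_extract(zip_bytes, dest_dir):
    """Extract only the entries that resolve inside dest_dir.

    Returns (written, rejected): lists of entry names as stored in the archive.
    """
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive():
    """Constructed archive: one benign backup file plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("backup/config.properties", "key=value\n")
        zf.writestr("../outside.txt", "must never reach the parent directory\n")
    return buf.getvalue()


def demo():
    """Run the sample archive through safe_extract in a scratch directory.

    Returns (written, rejected, benign_file_present, traversal_file_present).
    """
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "restore")
        os.makedirs(dest)
        written, rejected = safe_extract(build_sample_archive(), dest)
        benign = os.path.isfile(os.path.join(dest, "backup", "config.properties"))
        escaped = os.path.exists(os.path.join(tmp, "outside.txt"))
        return written, rejected, benign, escaped
```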


VU #615987: Missing IPsec Integrity Protection for IMS SIP Signaling in Verizon VoLTE Deployments
06/02/2026

Overview

VoLTE deployments on Verizon’s IMS network have historically lacked IPsec-based integrity protection for SIP signaling, contravening well-established requirements in 3GPP TS 33.203 and GSMA IR.92. As a result, SIP messages—including registration (REGISTER), call setup (INVITE), and messaging (MESSAGE)—were transmitted in plaintext without cryptographic guarantees of integrity or authenticity. Passive analysis of live traffic over multiple months confirmed the consistent absence of SIP Security Agreement headers and ESP traffic, indicating a systematic configuration decision rather than an isolated anomaly. In response to repeated follow-up inquiries, Verizon stated on [insert date] that integrity support is “currently available at their request” and will be extended to all UEs “starting later this year.” Separately, the researchers recently observed that Apple’s iOS 26.5 carrier bundle (released May 11, 2026) includes IMS IPsec-related configuration entries—an indication that device-side support may now be active or enabled in newer software. While this change is promising, its real-world impact remains uncertain: there is no evidence yet that Verizon has modified its network to enforce IPsec, that the configuration is being activated per session, or that integrity is functionally operational in production deployments. Absent explicit verification (e.g., captured ESP traffic or official confirmation), this may reflect preparatory software changes rather than an end-to-end security upgrade. The vulnerability remains active for the vast majority of Verizon VoLTE users during the unprotected period, and until network-level enforcement is observed and confirmed, the risk of on-path signaling manipulation endures.

Description

CVE-2026-10629
The SIP signaling stack in Verizon IMS (unspecified version) implements SIP signaling without IPsec integrity protection (missing Security-Client/Security-Server headers and ESP traffic), which allows an on-path attacker to compromise confidentiality, integrity, and authenticity of VoLTE signaling via passive monitoring and active manipulation of unsecured SIP messages over the radio and core network. According to 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF in IMS networks must be protected using IPsec ESP with mandatory integrity following IMS AKA authentication. This protection is negotiated via SIP Security Agreement headers (Security-Client, Security-Server, Security-Verify) during registration and results in integrity-protected ESP traffic for all subsequent signaling messages. However, observations conducted over several weeks on Verizon’s network showed no such headers in use. The REGISTER exchange lacked any security negotiation, and post-registration SIP traffic—including INVITE, MESSAGE, BYE, and UPDATE—traversed the network in plaintext over standard UDP/TCP, with no ESP encapsulation. This pattern was consistent across device models and network conditions, indicating a systemic configuration decision rather than a transient issue. The absence of integrity checking means any modification to SIP messages—including redirection of emergency calls or injection of fake message payloads—would go undetected by both the UE and the IMS core. No technical justification for this deviation from globally adopted security practices has been provided by Verizon, and prior engagement failed to elicit a substantive response beyond the recent, non-binding commitment to future deployment.

Impact

The lack of IPsec integrity protection enables on-path attackers—including those controlling femtocells, compromised base stations, or IMS intermediaries—to intercept, modify, replay, or inject SIP messages without detection. These capabilities permit call hijacking, spoofing of SMS-over-IMS, denial-of-service through forged BYE or CANCEL, and manipulation of emergency call routing—without requiring compromise of the UE, SIM, or backend infrastructure. Because SIP signaling lacks cryptographic integrity, all such modifications go unnoticed by both the UE and the IMS core, undermining core security assumptions of VoLTE. While the recently observed iOS 26.5 configuration change may signal progress toward a more secure implementation, its operational impact is yet to be demonstrated; until then, the risk remains real and unmitigated for users on unprotected deployments.

Solution

Until the vulnerability is fully mitigated by Verizon, users and enterprises should continue to assume VoLTE signaling is untrusted for high-assurance operations.

Acknowledgements

Thanks to DongWon Lee, Jeongmin Choi, and CheolJun Park from Kyung Hee University for their thorough technical report, persistent follow-up efforts, and the additional observation regarding iOS 26.5. Their work has significantly advanced the understanding of this issue and helped keep the discussion grounded in observable behavior. This AI-assisted document was written by Timur Snoke.
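Both versions of VU #615987 above say that verification should confirm the SIP security agreement through observed headers: Security-Client in the initial REGISTER, Security-Server in the 401 challenge, and Security-Verify in the re-REGISTER echoing what the P-CSCF selected. The audit below applies that check to a captured registration exchange. It is an added Python example, not code from the note or the researchers; the two exchanges it inspects are constructed (one unprotected, one negotiating ipsec-3gpp), with placeholder SPI and port values.

```python
def parse_sip(raw):
    """Split a SIP message into (start line, {lowercased header: [values]})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_registration(messages):
    """Check one REGISTER exchange for the TS 33.203 security agreement.

    Expected sequence: REGISTER (Security-Client) -> 401 (Security-Server)
    -> REGISTER (Security-Verify echoing Security-Server). Returns a list of
    findings; an empty list means negotiation of ipsec-3gpp was observed.
    """
    parsed = [parse_sip(m) for m in messages]
    registers = [h for s, h in parsed if s.startswith("REGISTER ")]
    challenges = [h for s, h in parsed if s.startswith("SIP/2.0 401")]
    if not registers:
        return ["no REGISTER request in capture"]
    findings = []
    client = registers[0].get("security-client", [])
    if not any("ipsec-3gpp" in v for v in client):
        findings.append("initial REGISTER lacks Security-Client offering ipsec-3gpp")
    server = challenges[0].get("security-server", []) if challenges else []
    if not any("ipsec-3gpp" in v for v in server):
        findings.append("401 challenge lacks Security-Server selecting ipsec-3gpp")
    if len(registers) < 2:
        findings.append("no re-REGISTER after the 401 challenge")
    else:
        verify = registers[1].get("security-verify", [])
        if not verify:
            findings.append("re-REGISTER lacks Security-Verify")
        elif sorted(verify) != sorted(server):
            findings.append("Security-Verify does not echo Security-Server")
    return findings


def _msg(*lines):
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed exchanges. SPI and port values are placeholders, not captures.
SEC_CLIENT = "ipsec-3gpp; alg=hmac-sha-1-96; spi-c=2001; spi-s=2002; port-c=5061; port-s=5062"
SEC_SERVER = "ipsec-3gpp; q=0.1; alg=hmac-sha-1-96; spi-c=4001; spi-s=4002; port-c=5100; port-s=5101"
AUTH = 'Authorization: Digest username="user@ims.example.net", realm="ims.example.net"'
CHALLENGE = 'WWW-Authenticate: Digest realm="ims.example.net", algorithm=AKAv1-MD5'

UNPROTECTED_EXCHANGE = [
    _msg("REGISTER sip:ims.example.net SIP/2.0", "CSeq: 1 REGISTER", AUTH, "Content-Length: 0"),
    _msg("SIP/2.0 401 Unauthorized", "CSeq: 1 REGISTER", CHALLENGE, "Content-Length: 0"),
    _msg("REGISTER sip:ims.example.net SIP/2.0", "CSeq: 2 REGISTER", AUTH, "Content-Length: 0"),
    _msg("SIP/2.0 200 OK", "CSeq: 2 REGISTER", "Content-Length: 0"),
]

PROTECTED_EXCHANGE = [
    _msg("REGISTER sip:ims.example.net SIP/2.0", "CSeq: 1 REGISTER",
         "Security-Client: " + SEC_CLIENT, "Require: sec-agree",
         "Proxy-Require: sec-agree", AUTH, "Content-Length: 0"),
    _msg("SIP/2.0 401 Unauthorized", "CSeq: 1 REGISTER",
         "Security-Server: " + SEC_SERVER, CHALLENGE, "Content-Length: 0"),
    _msg("REGISTER sip:ims.example.net SIP/2.0", "CSeq: 2 REGISTER",
         "Security-Verify: " + SEC_SERVER, "Require: sec-agree",
         "Proxy-Require: sec-agree", AUTH, "Content-Length: 0"),
    _msg("SIP/2.0 200 OK", "CSeq: 2 REGISTER", "Content-Length: 0"),
]
```

A clean audit only shows that negotiation happened at the SIP layer; confirming ESP on the wire still requires inspecting the post-registration traffic itself.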


VU #777338: SGLang contains two remote code execution and one path traversal vulnerability
06/02/2026

Overview

Three vulnerabilities have been discovered in the SGLang project, two enabling remote code execution (RCE) and one a path traversal vulnerability. In order for an attacker to exploit these vulnerabilities, the multimodal generation mode must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination.

Description

SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. Three vulnerabilities have been discovered within the tool and are tracked as follows:

CVE-2026-7301
The multimodal generation runtime scheduler's ROUTER socket contains a sink that calls pickle.loads() on incoming messages, enabling RCE when exposed to the internet. This vulnerability is distinct from CVE-2026-3060 and CVE-2026-3059, which would be open to the Internet via the ZMQ broker, which automatically bound to all network interfaces without user awareness. CVE-2026-7301 is exposed to the internet by default through the scheduler host, which binds to 0.0.0.0 by default.

CVE-2026-7302
The multimodal generation runtime is vulnerable to an unauthenticated path traversal vulnerability, allowing an attacker to write arbitrary files anywhere the server process has write access, by including ../ sequences in the upload filename when sent to specific endpoints.

CVE-2026-7304
The multimodal generation runtime is vulnerable to unauthenticated remote code execution when the --enable-custom-logit-processor option is enabled, as Python objects loaded via dill.loads() will be deserialized without validation.

Impact

If exploited, these vulnerabilities could allow an unauthenticated attacker to achieve remote code execution or arbitrary file writes on the host running SGLang. Deployments that expose the affected interface to untrusted networks are at the highest risk of exploitation.

Solution

Until a patch is available, affected users should consider the following mitigations:

Mitigation
Restrict access to the service interfaces and ensure they are not exposed to untrusted networks. Implement network segmentation and access controls to prevent unauthorized interaction with the vulnerable endpoints.

Acknowledgements

Thanks to the reporter, Alon Shakevsky. This document was written by Christopher Cullen.
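A defender-side guard for the deserialization sinks described in CVE-2026-7301 and CVE-2026-7304: walk the pickle opcode stream and list every module.name the payload would import, without executing it, then unpickle only through an allowlist of permitted names (dill streams are standard pickle streams, so the same scan applies). This is an added Python example, not SGLang's code; the two messages are constructed, and the OrderedDict one stands in for any payload that asks the loader to import something.

```python
import io
import pickle
import pickletools
from collections import OrderedDict

# Opcodes that push a string onto the stack (STACK_GLOBAL reads its pair from them).
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}


def scan_pickle(data):
    """Return every 'module.name' a pickle would import, without loading it.

    GLOBAL and INST carry the pair in their argument; STACK_GLOBAL (protocol 4+)
    takes it from the two most recently pushed strings.
    """
    refs, recent_strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent_strings.append(str(arg))
        elif op.name in ("GLOBAL", "INST"):
            module, _, name = str(arg).partition(" ")
            refs.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) >= 2:
                refs.append(f"{recent_strings[-2]}.{recent_strings[-1]}")
            else:
                refs.append("<unresolved>")   # treat as disallowed
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only names on an explicit allowlist."""

    def __init__(self, data, allowed=frozenset()):
        super().__init__(io.BytesIO(data))
        self.allowed = allowed

    def find_class(self, module, name):
        ref = f"{module}.{name}"
        if ref in self.allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {ref}")


def safe_loads(data, allowed=frozenset()):
    """Two-stage guard: static opcode scan first, then allowlisted unpickling."""
    disallowed = [r for r in scan_pickle(data) if r not in allowed]
    if disallowed:
        raise pickle.UnpicklingError(f"pickle references {disallowed}")
    return RestrictedUnpickler(data, allowed).load()


def try_safe_loads(data, allowed=frozenset()):
    """Convenience wrapper returning (object, error_message) instead of raising."""
    try:
        return safe_loads(data, allowed), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


# Constructed messages: plain containers need no imports; OrderedDict does.
PLAIN_MESSAGE = pickle.dumps({"req_id": 7, "prompt": "hello"})
GLOBAL_MESSAGE = pickle.dumps(OrderedDict(req_id=7))
```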


VU #471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation
06/02/2026

Overview

dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or, under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.

Description

dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.

CVE-2026-2291
dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS).

CVE-2026-4890
An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.

CVE-2026-4891
A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet.

CVE-2026-4892
A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root privileges via a crafted DHCPv6 packet.

CVE-2026-4893
An information disclosure vulnerability in dnsmasq allows remote attackers to bypass source checks via a crafted DNS packet containing RFC 7871 client-subnet information.

CVE-2026-5172
A buffer overflow vulnerability in dnsmasq’s extract_addresses() function allows attackers to trigger a heap out-of-bounds read and crash dnsmasq by exploiting a malformed DNS response.

Impact

These vulnerabilities collectively pose various risks:
DoS (CVE-2026-2291, CVE-2026-4890, CVE-2026-5172): dnsmasq may crash or become unresponsive, terminating DNS resolution and affecting dependent services.
Cache Poisoning / Redirection (CVE-2026-2291, CVE-2026-4893): attackers may overwrite cache entries or manipulate response routing, enabling the silent redirection of users to malicious domains.
Information Disclosure (CVE-2026-4891, CVE-2026-4893): internal memory and network information may be inadvertently exposed.
Local Privilege Escalation (CVE-2026-4892): a local attacker may execute arbitrary code as root via DHCPv6 manipulation.

Solution

dnsmasq has released version 2.92rel2 to fix the above vulnerabilities, and various vendors have published patches to address individual remediations. A full list of affected vendors and vendor patches can be found in the References section below. This note, as well as the CVE listings, will be updated as additional patches become available.

Acknowledgements

Thank you to the reporters for discovering these vulnerabilities:
* Hugo Martinez ([email protected]) - CVE-2026-5172, CVE-2026-2291
* Andrew Fasano (NIST) - CVE-2026-2291
* Royce M ([email protected]) - CVE-2026-4893, CVE-2026-4892, CVE-2026-4891, CVE-2026-4890, CVE-2026-2291
* Asim Viladi Oglu Manizada - CVE-2026-4892
* Mattia Ricciardi (mindless) - CVE-2026-2291
This document was written by Christopher Cullen and Molly Jaconski. Special thanks to Simon Kelly of dnsmasq and all participating vendors for their prompt engagement and coordination efforts.


VU #158530: PCTCore64.sys Windows kernel driver contains missing access control vulnerability
06/02/2026

Overview

The PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its \\.\PCTCoreDriver device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O Control) commands. In a Bring Your Own Vulnerable Driver (BYOVD) scenario, a local attacker with the ability to load a Windows driver can exploit the exposed interface to perform sensitive low-level operations on the target device.

Description

PCTCore64.sys is a Windows kernel driver that implements system monitoring and protection functionality on local Windows systems. The driver creates a Windows Driver Model (WDM) device object \\.\PCTCoreDriver via IoCreateDevice and provides user-mode access through a DOS device symbolic link via IoCreateSymbolicLink. The driver exposes privileged functionality intended for administrative or security operations; however, the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests. As a result, an attacker may invoke IOCTL handlers capable of performing sensitive low-level operations, including:
- System-wide handle enumeration
- Cross-process handle manipulation
- Credential extraction from lsass.exe
- Forced termination of arbitrary processes, including Protected Process Light (PPL)-protected processes
Although the original PC Tools Internet Security product line was discontinued in 2013 and is no longer maintained, the driver remains signed and can still be abused in BYOVD attacks. An attacker may load the vulnerable driver on a target system and leverage the exposed IOCTL interface to access privileged kernel functionality. One vulnerable IOCTL permits the acquisition of a PROCESS_ALL_ACCESS handle to sensitive processes such as lsass.exe, enabling credential theft operations including extraction of NTLM hashes and Kerberos authentication material. Additional IOCTL handlers permit the termination of arbitrary processes regardless of PPL protections, enabling attackers to disable security software such as Microsoft Defender and other critical system services. Other exposed interfaces enable arbitrary handle operations against external processes, potentially resulting in process instability, crashes, or undefined behavior. Collectively, these vulnerabilities can be exploited to provide a practical attack path for credential theft, defense evasion, privilege escalation, and broader system compromise.

CVE-2026-8501
Improper access control in the PCTCore64.sys Windows kernel driver from PC Tools Internet Security allows user-mode processes to access the PCTCoreDriver WDM device interface and invoke privileged IOCTL handlers. A local attacker with the ability to access or load the affected driver can exploit this vulnerability to perform sensitive and privileged operations on the target system.

Impact

A local attacker with the ability to load a Windows kernel driver may exploit the vulnerable PCTCore64.sys driver to access sensitive processes such as lsass.exe and other PPL-protected services. Successful exploitation can enable credential theft, arbitrary process termination, denial-of-service (DoS) conditions, and broader system compromise through privileged kernel-level operations.

Solution

The PC Tools Internet Security product line and its PCTCore64.sys driver are no longer actively maintained and should not be used in production environments. Organizations should remove and block the vulnerable driver where possible and implement mitigations designed to reduce exposure to BYOVD attacks, including restricting administrative privileges, enforcing Microsoft recommended driver block rules, and enabling protections such as Hypervisor-Protected Code Integrity (HVCI), Windows Defender Application Control (WDAC), and Credential Guard.

Acknowledgements

Thanks to Tzachi Hazan for researching and reporting this vulnerability. This document was written by Molly Jaconski.


Address

669 Palmetto Avenue Suite E
Chico, CA
95926

Opening Hours

Monday 8am - 5pm
Tuesday 8am - 5pm
Wednesday 8am - 5pm
Thursday 8am - 5pm
Friday 8am - 5pm

Telephone

+15308918555
