High-Severity Buffer Bounds Flaw in Portwell Engineering Toolkits Driver (CVE-2026-3437)
CISA published an ICS advisory for CVE-2026-3437, a high-severity memory safety issue (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) affecting Portwell Engineering Toolkits v4.8.2. The flaw is in the Portwell Engineering Toolkits driver and could allow a local, authenticated attacker to read and write arbitrary memory, enabling privilege escalation or denial of service; CISA scored it CVSS v3.1 8.8 (High) with a local attack vector and low complexity.
The CVE record corroborates the same impact and affected version, and additionally lists a CVSS v4.0 vector consistent with high impact to confidentiality, integrity, and availability. The vulnerability was reported to CISA by Jason Huang of TXOne Networks (Cyber Threat & Product Defense Center), and the advisory notes deployment across critical infrastructure environments (including Energy and Critical Manufacturing) with worldwide exposure.
Timeline
Mar 3, 2026
CISA publishes advisory for Portwell Engineering Toolkits flaw
CISA published ICS advisory ICSA-26-062-04 describing a high-severity memory buffer bounds vulnerability in Portwell Engineering Toolkits version 4.8.2. The advisory said a local authenticated attacker could read and write arbitrary memory, potentially causing privilege escalation or denial of service, and noted no known public exploitation at publication.
Mar 3, 2026
CISA receives CVE-2026-3437 vulnerability report
The vulnerability record for CVE-2026-3437 states that ics-cert@hq.dhs.gov received the report on March 3, 2026. The flaw affects Portwell Engineering Toolkits 4.8.2 and involves a memory buffer bounds issue in the product's driver.
Related Stories

Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). 
SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
1 month ago
Two High-Severity Buffer Overflow Flaws Disclosed in LinkingVision rapidvms
Two high-severity vulnerabilities, **CVE-2026-33848** and **CVE-2026-33849**, were disclosed in **LinkingVision rapidvms**, both classified as **CWE-119** improper restriction of operations within the bounds of a memory buffer. The flaws affect **rapidvms versions before `PR#96`** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating network-reachable exploitation with low attack complexity, no required privileges, user interaction, and potential for high impact across confidentiality, integrity, and availability. Both CVE records point to **GitHub pull request `#96`** in the `linkingvision/rapidvms` repository as the referenced fix or related remediation. Organizations running vulnerable rapidvms builds should review the changes in that pull request, identify any exposed instances, and prioritize upgrading or patching affected systems because successful exploitation could lead to severe compromise of the video management platform.
1 month ago
Fortinet FortiOS/FortiSwitchManager Heap Buffer Overflow Enabling Remote Code Execution
Fortinet disclosed a **critical heap-based buffer overflow** (CWE-122) in the `cw_acd` daemon affecting **FortiOS** and **FortiSwitchManager**, which can allow **remote, unauthenticated attackers to execute arbitrary code or commands** via specially crafted network traffic. Impacted versions span multiple FortiOS branches (6.4 through 7.6), along with **FortiSASE** and FortiSwitchManager releases; Fortinet advised immediate upgrades (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+, 6.4.17+; FortiSwitchManager 7.2.7+ and 7.0.6+), and noted FortiSASE 25.2.b is remediated in 25.2.c. The issue was reported as discovered internally by Fortinet’s product security team, and public reporting indicated no CVE was initially listed at publication time. Separately, Fortinet also disclosed a **low-severity SSRF** in **FortiSandbox** tracked as **CVE-2025-67685** (FG-IR-25-783), where an authenticated, high-privilege user can craft GUI-driven HTTP requests to proxy traffic to internal plaintext endpoints (CWE-918). While this SSRF could enable internal service exposure or pivoting in segmented environments, it requires privileged access and was not reported as actively exploited; Fortinet recommended upgrading FortiSandbox (e.g., 5.0.5+ for 5.0.0–5.0.4) and migrating off legacy 4.x branches. For the FortiOS/FortiSwitchManager RCE, interim mitigations included removing **fabric** access from interfaces and restricting **CAPWAP-CONTROL** (UDP 5246–5249) to trusted sources via local-in policies.
1 month ago