High-Severity Buffer Bounds Flaw in Portwell Engineering Toolkits Driver (CVE-2026-3437)
CISA published an ICS advisory for CVE-2026-3437, a high-severity memory safety issue (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer) affecting Portwell Engineering Toolkits v4.8.2. The flaw is in the Portwell Engineering Toolkits driver and could allow a local, authenticated attacker to read and write arbitrary memory, enabling privilege escalation or denial of service; CISA scored it CVSS v3.1 8.8 (High) with a local attack vector and low complexity.
The CVE record corroborates the same impact and affected version, and additionally lists a CVSS v4.0 vector consistent with high impact to confidentiality, integrity, and availability. The vulnerability was reported to CISA by Jason Huang of TXOne Networks (Cyber Threat & Product Defense Center), and the advisory notes deployment across critical infrastructure environments (including Energy and Critical Manufacturing) with worldwide exposure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes advisory for Portwell Engineering Toolkits flaw
CISA published ICS advisory ICSA-26-062-04 describing a high-severity memory buffer bounds vulnerability in Portwell Engineering Toolkits version 4.8.2. The advisory said a local authenticated attacker could read and write arbitrary memory, potentially causing privilege escalation or denial of service, and noted no known public exploitation at publication.
CISA receives CVE-2026-3437 vulnerability report
The vulnerability record for CVE-2026-3437 states that ics-cert@hq.dhs.gov received the report on March 3, 2026. The flaw affects Portwell Engineering Toolkits 4.8.2 and involves a memory buffer bounds issue in the product's driver.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers
Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling **unauthenticated remote compromise**. Johnson Controls disclosed **CVE-2025-26385** (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including *ADS/ADX, LCS8500, NAE8500, SCT, CCT*) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include **CVE-2026-25069** in *SunFounder Pironman Dashboard* (path traversal in log API endpoints enabling arbitrary file read/deletion) and **CVE-2025-51958** in the *DokuWiki* `runcommand` plugin (unauthenticated command execution via `lib/plugins/runcommand/postaction.php`). Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. *Orval* fixed **CVE-2026-25141**, a code-injection issue where incomplete escaping can be bypassed using **JSFuck**-style payloads, and *Cybersecurity AI (CAI)* addressed **CVE-2026-25130**, where `subprocess.Popen(..., shell=True)` enables argument/command injection leading to RCE (notably via the `find_file()` tool). Data-layer issues include **CVE-2025-69662** in *geopandas* (`to_postgis()` SQL injection) and **CVE-2026-24854** in *ChurchCRM* (authenticated SQL injection via `PerID` in `/PaddleNumEditor.php`, patched in 6.7.2), while **CVE-2025-36384** affects *IBM Db2 for Windows* (local privilege escalation via unquoted search path). SOHO router flaws **CVE-2026-1686** (*Totolink A3600R*) and **CVE-2026-1637** (*Tenda AC21*) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
Mar 21, 2026
Two High-Severity Buffer Overflow Flaws Disclosed in LinkingVision rapidvms
Two high-severity vulnerabilities, **CVE-2026-33848** and **CVE-2026-33849**, were disclosed in **LinkingVision rapidvms**, both classified as **CWE-119** improper restriction of operations within the bounds of a memory buffer. The flaws affect **rapidvms versions before `PR#96`** and carry the same **CVSS v3.1** vector, `AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`, indicating network-reachable exploitation with low attack complexity, no required privileges, user interaction, and potential for high impact across confidentiality, integrity, and availability. Both CVE records point to **GitHub pull request `#96`** in the `linkingvision/rapidvms` repository as the referenced fix or related remediation. Organizations running vulnerable rapidvms builds should review the changes in that pull request, identify any exposed instances, and prioritize upgrading or patching affected systems because successful exploitation could lead to severe compromise of the video management platform.
Mar 24, 2026
Fortinet FortiOS/FortiSwitchManager Heap Buffer Overflow Enabling Remote Code Execution
Fortinet disclosed a **critical heap-based buffer overflow** (CWE-122) in the `cw_acd` daemon affecting **FortiOS** and **FortiSwitchManager**, which can allow **remote, unauthenticated attackers to execute arbitrary code or commands** via specially crafted network traffic. Impacted versions span multiple FortiOS branches (6.4 through 7.6), along with **FortiSASE** and FortiSwitchManager releases; Fortinet advised immediate upgrades (e.g., FortiOS 7.6.4+, 7.4.9+, 7.2.12+, 7.0.18+, 6.4.17+; FortiSwitchManager 7.2.7+ and 7.0.6+), and noted FortiSASE 25.2.b is remediated in 25.2.c. The issue was reported as discovered internally by Fortinet’s product security team, and public reporting indicated no CVE was initially listed at publication time. Separately, Fortinet also disclosed a **low-severity SSRF** in **FortiSandbox** tracked as **CVE-2025-67685** (FG-IR-25-783), where an authenticated, high-privilege user can craft GUI-driven HTTP requests to proxy traffic to internal plaintext endpoints (CWE-918). While this SSRF could enable internal service exposure or pivoting in segmented environments, it requires privileged access and was not reported as actively exploited; Fortinet recommended upgrading FortiSandbox (e.g., 5.0.5+ for 5.0.0–5.0.4) and migrating off legacy 4.x branches. For the FortiOS/FortiSwitchManager RCE, interim mitigations included removing **fabric** access from interfaces and restricting **CAPWAP-CONTROL** (UDP 5246–5249) to trusted sources via local-in policies.
Mar 21, 2026