A 9.8 WordPress site takeover, a healthcare RCE, and two NI driver bugs

A local authenticated user can exploit an input validation bug in the NI-PAL driver to read arbitrary system memory, which can lead to privilege escalation. You need a local account to pull this off, so it's not remotely exploitable, but it's a clean path from normal user to SYSTEM/root on any box running NI hardware drivers.

Included because

local privilege escalation; kernel driver bug; CVSS 7.1

Affected estate

Systems running NI-PAL 26.3.0 and prior on Windows or Linux, typically lab, test, and data acquisition workstations.

How to check

Open NI Package Manager and check the installed NI-PAL version, or query the package version on Linux (e.g., dpkg -l ni-pal).

Action

Update NI-PAL to a version newer than 26.3.0.

Urgency

Patch this week

Why it matters

A local user could escalate to SYSTEM or root by reading arbitrary kernel memory.

Source

NI vendor advisory

A local authenticated user can crash the NI-PAL kernel driver by triggering a NULL pointer dereference, causing a system-level denial of service. Exploitation requires local access, so it's not remotely triggerable, but it can blue-screen or panic the host. On shared lab or test systems, that's disruptive.

Included because

local DoS; kernel driver; CVSS 7.1; same product as CVE-2026-8036

Affected estate

Systems running NI-PAL 26.3.0 and prior on Windows or Linux.

How to check

Open NI Package Manager and check the installed NI-PAL version, or query the package version on Linux (e.g., dpkg -l ni-pal).

Action

Update NI-PAL to a version newer than 26.3.0.

Urgency

Monitor and patch

Why it matters

A local user can crash the system by triggering a kernel driver NULL pointer dereference, causing downtime on shared lab or test equipment.

Source

NI vendor advisory

ARMember Premium for WordPress stores plaintext password reset keys in user meta. When combined with the SQL injection bugs in CVE-2026-5073 or CVE-2026-5074, an unauthenticated attacker can extract those plaintext keys and reset any user's password, including admin accounts. That's full site takeover with zero authentication required.

Included because

unauthenticated; internet-facing; CVSS 9.8; chainable with SQLi for full site takeover; common CMS plugin

Affected estate

WordPress sites with the ARMember Premium plugin version 7.3.1 or earlier installed.

How to check

In the WordPress admin dashboard, go to Plugins and check the ARMember Premium version. Or run: wp plugin list | grep armember.

Action

Update ARMember Premium past 7.3.1. If no patched version exists, deactivate the plugin and review user accounts for signs of compromise.

Urgency

Patch immediately

Why it matters

Unauthenticated attackers can chain this with known SQLi bugs to take over any account on the site, including administrators.

Source

Wordfence / WordPress plugin advisory

Spacelabs Healthcare Sentinel exposes a deprecated .NET Remoting HTTP channel on port 8989 that lets an unauthenticated attacker read and write arbitrary files. An attacker can drop an ASPX webshell into the IIS wwwroot directory for full remote code execution. The saving grace: port 8989 is not exposed in a default install. You're only vulnerable if someone explicitly opened that port to the network through config or firewall changes.

Included because

unauthenticated RCE; CVSS 9.8; healthcare environment; mitigating factor is non-default port exposure

Affected estate

Spacelabs Healthcare Sentinel installations running versions 10.5.x and higher, or 11.x.x before 11.6.0.

How to check

Verify the Sentinel version in the application's About page or install directory. Then check whether port 8989 is listening and network-reachable (netstat -an | findstr 8989, and test from another host).

Action

Upgrade to Sentinel 11.6.0 or later. If you can't patch immediately, block port 8989 at the network level.

Urgency

Patch within 24 hours

Why it matters

If port 8989 is reachable, an unauthenticated attacker can get full remote code execution on a healthcare monitoring system.

Source

Spacelabs Healthcare / vendor advisory