BSI flags 13 vulnerabilities patched in Zammad 7.1 — admin privilege escalation in a DACH public-sector helpdesk platform
From CTI Daily Brief — 2026-06-18 · published 2026-06-18
BSI CERT-Bund advisory WID-SEC-2026-1981 (2026-06-17) rates the aggregate severity of the vulnerabilities fixed in Zammad 7.1 as "hoch" (high): an attacker can exploit the patched flaws, individually or in combination, to gain administrator privileges, bypass security controls, manipulate or disclose data, or trigger denial of service (BSI CERT-Bund, 2026-06-17). Zammad, a widely deployed open-source helpdesk and ticketing system common in German, Austrian and Swiss public-sector IT service desks, released version 7.1 on 2026-06-16 addressing 13 issues that are currently tracked only as GitHub Security Advisories (Zammad, 2026-06-16). Individual CVE identifiers have not yet been enumerated in public NVD or CSAF records, so vulnerability management keyed on CVE IDs will not flag unpatched instances until identifiers are assigned; track the GitHub advisories and the installed version directly.

Any path to administrator privileges in a ticketing system exposes internal IT operations data and staff credentials; internet-exposed instances behind a reverse proxy are the highest-risk population. Upgrade to 7.1 and hunt Zammad audit logs for unexpected role escalations and for admin-API calls (e.g. to the role and user-management endpoints) originating from unprivileged sessions.
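The hunt described above, as an added example that is not part of the original brief and not Zammad's own code: it scans audit events for three signals, a write to a management endpoint from a session without the Admin role, a role edit that grants Admin issued by a non-admin or by the target user to itself, and a session whose observed role set grows without an Admin-issued change on record. The event shape (actor_id, actor_roles, method, path, status, changes) and the sample lines are constructed for illustration; /api/v1/users and /api/v1/roles are Zammad's user and role REST resources, and /api/v1/settings is assumed here as a further admin-only surface. Because the 13 advisories are not enumerated, the rules are deliberately generic rather than tied to any one flaw.

```python
"""Hunt Zammad-style audit events for admin privilege-escalation signals.

Added example; not Zammad's code or log format. Map your real sources
(Zammad's user history, the Rails production.log, the reverse-proxy access
log joined on user/session) onto the constructed event shape below.
"""
import json
import re
from dataclasses import dataclass, field

ADMIN_ROLE = "Admin"
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Management endpoints to watch. /api/v1/users and /api/v1/roles are Zammad's
# user and role REST resources; /api/v1/settings is an assumed admin-only path.
ADMIN_PATHS = re.compile(r"^/api/v1/(users|roles|settings)(/|$)")
USER_PATH = re.compile(r"^/api/v1/users/(\d+)$")

# Constructed sample events (not a real Zammad log). One JSON object per line:
# the roles the session held when the request was made, method, path, HTTP
# status and, for role edits, changes.roles = [old_roles, new_roles].
SAMPLE_LOG = """\
{"ts":"2026-06-17T08:00:30Z","actor_id":77,"actor_roles":["Customer"],"method":"GET","path":"/api/v1/tickets/9","status":200}
{"ts":"2026-06-17T08:01:00Z","actor_id":42,"actor_roles":["Agent"],"method":"GET","path":"/api/v1/tickets/10","status":200}
{"ts":"2026-06-17T08:02:10Z","actor_id":42,"actor_roles":["Agent"],"method":"PUT","path":"/api/v1/users/42","status":200,"changes":{"roles":[["Agent"],["Admin","Agent"]]}}
{"ts":"2026-06-17T08:02:15Z","actor_id":42,"actor_roles":["Admin","Agent"],"method":"GET","path":"/api/v1/settings","status":200}
{"ts":"2026-06-17T08:05:00Z","actor_id":1,"actor_roles":["Admin"],"method":"PUT","path":"/api/v1/users/77","status":200,"changes":{"roles":[["Customer"],["Agent","Customer"]]}}
{"ts":"2026-06-17T08:06:00Z","actor_id":77,"actor_roles":["Agent","Customer"],"method":"GET","path":"/api/v1/tickets/11","status":200}
{"ts":"2026-06-17T08:07:00Z","actor_id":99,"actor_roles":["Customer"],"method":"POST","path":"/api/v1/roles","status":403}
"""


@dataclass
class Event:
    ts: str
    actor_id: int
    actor_roles: frozenset
    method: str
    path: str
    status: int
    changes: dict = field(default_factory=dict)


def parse_events(text):
    """Parse one JSON event per line and return them in timestamp order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d = json.loads(line)
        events.append(Event(d["ts"], d["actor_id"], frozenset(d["actor_roles"]),
                            d["method"], d["path"], d["status"], d.get("changes", {})))
    events.sort(key=lambda e: e.ts)  # ISO-8601 UTC strings sort lexicographically
    return events


def hunt(events):
    """Return (severity, ts, message) findings for escalation signals."""
    findings = []
    seen_roles = {}        # actor_id -> role set last observed for that actor
    admin_granted = set()  # user ids whose roles an Admin (not themselves) changed
    for e in events:
        is_admin = ADMIN_ROLE in e.actor_roles
        m = USER_PATH.match(e.path)
        target = int(m.group(1)) if m else None

        # Rule 1: write to a management endpoint from a session without Admin.
        # A 4xx is still worth a look: it may be probing for the unpatched path.
        if e.method in WRITE_METHODS and ADMIN_PATHS.match(e.path) and not is_admin:
            sev = "high" if e.status < 400 else "medium"
            findings.append((sev, e.ts,
                             f"actor {e.actor_id} {e.method} {e.path} without Admin (status {e.status})"))

        # Rule 2: a role edit that grants Admin, issued by a non-admin or to oneself.
        if "roles" in e.changes:
            old, new = (set(r) for r in e.changes["roles"])
            if ADMIN_ROLE in new - old and (not is_admin or target == e.actor_id):
                findings.append(("critical", e.ts,
                                 f"actor {e.actor_id} granted Admin to user {target}"))
            if is_admin and target is not None and target != e.actor_id:
                admin_granted.add(target)

        # Rule 3: the actor's observed role set grew with no Admin-issued change
        # on record; this catches escalation that never hit the normal endpoint.
        prev = seen_roles.get(e.actor_id)
        if prev is not None and e.actor_roles - prev and e.actor_id not in admin_granted:
            findings.append(("critical", e.ts,
                             f"actor {e.actor_id} roles grew from {sorted(prev)} to "
                             f"{sorted(e.actor_roles)} with no Admin-issued change"))
        seen_roles[e.actor_id] = e.actor_roles
    return findings


if __name__ == "__main__":
    for sev, ts, msg in hunt(parse_events(SAMPLE_LOG)):
        print(f"[{sev.upper():8}] {ts} {msg}")
```

On the constructed sample, user 42 trips all three rules (a non-admin PUT to its own user record, a self-grant of Admin, and a session whose roles then expand), user 99's blocked POST to /api/v1/roles is flagged as probing, and user 77's role growth is suppressed because an Admin actor changed that user first. Rule 3 is the one to keep even once the 13 advisories are enumerated: a flaw that confers admin without a visible role edit shows up only as a session whose effective roles changed. Zammad's user history (the History model backing the per-user change log in the UI) is the natural source for the `changes.roles` pairs; a reverse-proxy access log gives method, path and status but not roles, so it has to be joined on the authenticated user before these rules apply.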
CVE Summary Table (brief-wide; the Zammad 7.1 fixes carry no CVE identifiers yet and are therefore not listed)
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-46978 | Oracle Solaris 11.4 — Remote Administration Daemon | 10.0 | n/a | No | Not reported | June 2026 Solaris SRU | Oracle |
| CVE-2026-35278 | Oracle PeopleSoft PeopleTools 8.61 / 8.62 — Performance Monitor | 9.8 | n/a | No | Not reported | June 2026 CSPU | Oracle |
| CVE-2026-0647 | Rockwell 1794-AENTR / 1794-AENTRXT FLEX I/O (≤ V2.012) | 9.4 | n/a | No | Not reported | Firmware 2.013 (SD1775) | CISA ICS-CERT |
| CVE-2026-11317 | Rockwell CompactLogix / ControlLogix 5370 / 5570 | 7.5 | n/a | No | Not reported | SD1772 firmware | CISA ICS-CERT |