Bexxo cybersecurity expert conducting an IT security audit for a Swiss SME
Network security audit and vulnerability analysis for a Swiss company
Personal data protection and IT infrastructure compliant with Swiss DSA in Switzerland
Preventive cybersecurity for Swiss SMEs

Bexxo supports Swiss SMEs in their IT security.

Training for teams, awareness programs, as well as audits and pentests to help Swiss SMEs strengthen their IT security, in line with the requirements of the nLPD and ISO 27001. Experts since 2016.

Recognised by

Swiss Label Certification

Bexxo is Swiss Label certified, the quality label guaranteeing that our services are provided in Switzerland, by a Swiss company, according to Swiss quality standards.

CyberSafe Partner
CyberSafe Switzerland Partner

Bexxo is a certified CyberSafe Switzerland partner, the official Swiss Confederation programme dedicated to promoting cybersecurity for Swiss businesses.

✓ Since 2006 ✓ 250+ reviews (4.5/5) ✓ Federal clearance

Our Cybersecurity Services

Website Security

Cybersecurity audit

01 Complete audit and vulnerability detection

A Bexxo web audit is a comprehensive technical examination of the company's website: automated and manual analysis of vulnerabilities (OWASP Top 10, SQL injection, XSS, CSRF, server configuration), a report classified by criticality, and a prioritized action plan. Our clients fix an average of 12 to 15 vulnerabilities per engagement, following a clear remediation plan, before they can be exploited.

IT security protection

02 Protection against attacks

Bexxo deploys protections against the most frequent attack vectors: SQL injections, XSS, CSRF, brute force and ClickJacking. These vectors account for 88% of recorded web attacks (Verizon DBIR 2025) — identifying and blocking them is enough to eliminate the vast majority of risk. Each measure is documented in the audit report with its criticality level.

Data security

03 Data security

The nLPD (in effect since September 1, 2023) sets clear obligations for securing personal data for all Swiss companies. Bexxo supports SMEs in assessing their nLPD compliance, identifying gaps and implementing the required technical measures — fines of up to CHF 250,000 simply don't apply to our clients.

Enterprise Network Security

Cybersecurity audit

01 Network infrastructure audit and analysis

Our network audit maps all exposed attack vectors of your infrastructure, with an ISO 27001 and NIST CSF compliant report. In 2024, the Federal Office for Cybersecurity recorded 62,954 incidents in Switzerland: a good reason to know exactly where you stand.

IT security protection

02 Global IT infrastructure protection

CVE Find, Bexxo's proprietary tool, integrates the MITRE, NVD and CISA KEV databases in real time and sends an alert as soon as a known vulnerability affects the client's systems. Without active monitoring, the average detection time for a network breach reaches 241 days (IBM Cost of a Data Breach 2025) — CVE Find reduces that to a matter of hours.

Data security

03 Securing access and sensitive data

Bexxo audits authentication policies, assesses password strength, deploys MFA and secures administrator and VPN access. Compromised credentials are behind 22% of data breaches (Verizon DBIR 2025) — the most frequent vector, and also the easiest to fix with the right measures.

Cybersecurity Protection

Our Cybersecurity Solutions

We analyze your entire IT infrastructure to identify potential flaws and improve the security of your connections, equipment, and protocols.

We conduct an in-depth diagnosis of your website to detect vulnerabilities and strengthen its protection against cyberattacks, such as SQL injections, XSS flaws, and brute-force attacks.

Our experts assist you in developing and optimizing your IT security policy. Together, we define a tailored strategy to secure your systems, reduce risks, and ensure your compliance with current regulations.

We implement advanced technologies to protect your infrastructures, networks, and sensitive data. From access management to information encryption, we ensure effective protection against cyber threats.


Why choose Bexxo?

I. Certified Expertise

CyberSafe Label certified and authorized to handle confidential data for federal institutions, our experts apply the highest security standards in the industry.

II. Personalized Support

We adapt our services to your specific needs, whether you are an SME or a large company.

III. Proactive Protection

We anticipate threats before they become a problem, thereby reducing risks and the impact of attacks.

Don't let your business be vulnerable to cyber threats. With Bexxo, secure your digital future today!
Our 4-step method

How we collaborate with you

Listening to and understanding needs

Listening and understanding

An initial meeting (30–60 min) to identify your systems, sensitive data and legal obligations (Swiss DSA, ISO 27001). No jargon — we speak your language.

In-depth vulnerability analysis

In-depth analysis

Manual and automated analysis of your web and network systems. Duration: 3 to 10 days depending on complexity. Result: a complete vulnerability map ranked by criticality.

Security correction and reinforcement

Correction and reinforcement

You receive a detailed report with a prioritised action plan. Our teams can implement corrections directly or support your IT teams in the remediation process.

Continuous cybersecurity monitoring

Permanent vigilance

Continuous monitoring via CVE Find, real-time alerts on new vulnerabilities affecting your systems, and regular follow-up reports.

Cybersecurity tailored to your challenges

Cyberattacks are becoming increasingly sophisticated and can have disastrous consequences for businesses: loss of critical data, reputational damage, regulatory penalties, and business interruptions. To avoid these risks, it is crucial to implement a robust and proactive cybersecurity strategy.

At Bexxo, we offer tailor-made protection solutions, adapted to your needs and compliant with the most demanding security standards, such as ISO 27001/27002 and NIST. In line with NCSC recommendations, we analyze, detect, and correct vulnerabilities in your infrastructure to ensure optimal protection.

Permanent Update

Stay ahead with the latest critical security vulnerabilities.

CVE-2026-41145 - HIGH (score 8.8) - 22/04/2026

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEASE.2026-04-11T03-20-12Z, an authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing the secret key or providing a valid cryptographic signature. Any M...

Tags: authorisation problem; OWASP A07

CVE-2026-41055 - HIGH (score 8.6) - 21/04/2026

WWBN AVideo is an open source video platform. In versions 29.0 and below, an incomplete SSRF fix in AVideo's LiveLinks proxy adds `isSSRFSafeURL()` validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints. Commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 contains an updated fix.

Tags: SSRF; OWASP A10

CVE-2026-5921 - HIGH (score 8.9) - 21/04/2026

A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to extract sensitive environment variables from the instance through a timing side-channel attack against the notebook rendering service. When private mode was disabled, the notebook viewer followed HTTP redirects without revalidating the destination host, enabling an unauthentica...

Tags: SSRF; OWASP A10

CVE-2026-40576 - CRITICAL (score 9.4) - 21/04/2026

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by suppl...

Tags: directory traversal; OWASP A01

CVE-2026-41037 - HIGH (score 8.7) - 21/04/2026

This vulnerability exists in Quantum Networks routers due to missing rate limiting and CAPTCHA protection for failed login attempts in the web-based management interface. An attacker on the same network could exploit this vulnerability by performing brute force attacks against administrative credentials, leading to unauthorized access with root privileges on the targeted device.

Tags: OWASP A07

CVE-2026-5965 - CRITICAL (score 9.8) - 21/04/2026

NewSoftOA developed by NewSoft has an OS Command Injection vulnerability, allowing unauthenticated local attackers to inject arbitrary OS commands and execute them on the server.

Tags: OS command injection; OWASP A03

CVE-2026-39386 - HIGH (score 8.8) - 21/04/2026

Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been ...

Tags: privilege management; authorisation problem; OWASP A03; OWASP A04; OWASP A01

CVE-2026-41329 - CRITICAL (score 9.9) - 21/04/2026

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

CVE-2026-41303 - HIGH (score 8.8) - 21/04/2026

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests.

Tags: authorisation problem; OWASP A01

CVE-2026-41296 - HIGH (score 8.2) - 21/04/2026

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.

CVE-2026-41294 - HIGH (score 8.6) - 21/04/2026

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.

Tags: OWASP A05

CVE-2026-35570 - HIGH (score 8.4) - 21/04/2026

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately — before the path constraint filter (`c...

Tags: directory traversal; OWASP A01

CVE-2026-40706 - HIGH (score 8.4) - 21/04/2026

In NTFS-3G 2022.10.3 before 2026.2.25, a heap buffer overflow exists in ntfs_build_permissions_posix() in acls.c that allows an attacker to corrupt heap memory in the SUID-root ntfs-3g binary by crafting a malicious NTFS image. The overflow is triggered on the READ path (stat, readdir, open) when processing a security descriptor with multiple ACCESS_DENIED ACEs containing WRITE_OWNER from distinct...

CVE-2026-5450 - CRITICAL (score 9.8) - 20/04/2026

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

CVE-2026-32613 - CRITICAL (score 9.9) - 20/04/2026

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information, specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike Orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user t...

Tags: code injection; OWASP A03

CVE-2026-32604 - CRITICAL (score 9.9) - 20/04/2026

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifac...

Tags: OWASP A03

CVE-2026-29648 - HIGH (score 8.8) - 20/04/2026

In OpenXiangShan NEMU, when Smstateen is enabled, clearing mstateen0.ENVCFG does not correctly restrict access to henvcfg and senvcfg. As a result, less-privileged code may read or write these CSRs without the required exception, potentially bypassing intended state-enable based isolation controls in virtualized or multi-privilege environments.

Tags: privilege management; OWASP A04

CVE-2026-29646 - CRITICAL (score 9.8) - 20/04/2026

In OpenXiangShan NEMU prior to 55295c4, when running with RVH (Hypervisor extension) enabled, a VS-mode guest write to the supervisor interrupt-enable CSR (sie) may be handled incorrectly and can influence machine-level interrupt enable state (mie). This breaks privilege/virtualization isolation and can lead to denial of service or privilege-boundary violation in environments relying on NEMU for c...

Tags: privilege management

CVE-2026-6257 - CRITICAL (score 9.1) - 20/04/2026

Vvveb CMS v1.0.8 contains a remote code execution vulnerability in its media management functionality where a missing return statement in the file rename handler allows authenticated attackers to rename files to blocked extensions .php or .htaccess. Attackers can exploit this logic flaw by first uploading a text file and renaming it to .htaccess to inject Apache directives that register PHP-execut...

Tags: file inclusion; OWASP A04

CVE-2026-6249 - HIGH (score 8.8) - 20/04/2026

Vvveb CMS 1.0.8 contains a remote code execution vulnerability in its media upload handler that allows authenticated attackers to execute arbitrary operating system commands by uploading a PHP webshell with a .phtml extension. Attackers can bypass the extension deny-list and upload malicious files to the publicly accessible media directory, then request the file over HTTP to achieve full server co...

Tags: file inclusion; OWASP A04

Frequently asked questions about cybersecurity

Does Bexxo operate throughout Switzerland?

Yes. Based in Ins (Canton of Bern), our team supports SMEs across French-speaking Switzerland and beyond. Our audits can be conducted remotely or on-site, in French, German and English.

How does a collaboration with Bexxo work?

Our process follows 4 steps: listening to your needs, in-depth analysis of your systems, fixing and strengthening detected vulnerabilities, then continuous monitoring to anticipate new threats.

How much does an IT security audit cost?

Our packages start at CHF 1,500 (Essential) and go up to CHF 15,000 (Premium) depending on the depth of analysis. Every audit complies with ISO 27002 and NIST CSF frameworks. Request a free quote tailored to your situation.

What cybersecurity services does Bexxo offer?

Bexxo offers web and network security audits, penetration testing (pentest), cybersecurity consulting, anti-phishing training with PhishTrainer, and continuous vulnerability monitoring via CVE Find.

Why does a Swiss SME need a cybersecurity audit?

Over 40% of cyberattacks in Switzerland target SMEs. An audit identifies vulnerabilities in your systems (network, website, access) before they are exploited, and ensures compliance with ISO 27001 and the Swiss Data Protection Act (nDSG).