This advisory covers a set of security fixes for Red Hat Satellite 6.18.4, a system management solution for provisioning and configuration management without requiring public Internet access. The addressed vulnerabilities include: CVE-2025-61726 (memory exhaustion in query parameter parsing), CVE-2025-61729 (denial of service via crafted certificate), CVE-2025-68121 (unexpected TLS session resumption), CVE-2026-0980 (remote code execution via malicious BMC username in rubyipmi), CVE-2026-1531 (man-in-the-middle due to insecure SSL verification in foreman_kubevirt), CVE-2026-1961 (remote code execution via command injection in Foreman WebSocket proxy), and CVE-2026-4324 (denial of service and potential information disclosure via SQL injection in Katello). The advisory references Red Hat Satellite 6.18 for RHEL 9 and related components. No CVSS scores are provided in the advisory, but Red Hat rates the overall update as having Moderate security impact.

The vulnerabilities collectively could allow attackers to cause denial of service conditions, execute arbitrary code remotely, perform man-in-the-middle attacks, and potentially disclose sensitive information via SQL injection. These issues affect critical components of Red Hat Satellite, which is used for system provisioning and management, potentially impacting the security and stability of managed environments. However, no known exploits in the wild have been reported at the time of the advisory.

Red Hat has released Red Hat Satellite 6.18.4 containing fixes for all listed vulnerabilities. Users should apply this update promptly after ensuring all prior relevant errata are applied. Detailed update instructions are available in the official Red Hat Satellite documentation. Since this is not a cloud service, remediation depends on applying the vendor-provided update. No indication of 'no action required' or 'already mitigated' is present, so applying the update is the recommended mitigation.