Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute. Whatever that binary does, it does as you, with your source, your SSH keys and your cloud tokens. Cursor keeps re-running it for as long as the project stays open. No prompt
Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity. The affected packages are listed below - @asyncapi/generator-helpers@1.1.1 @asyncapi/generator-components@0.7.1 @asyncapi/generator@3.3.1 @asyncapi/specs(v6.11.2, v6.11.2-alpha.1) "The
SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could
Latest
Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. "While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed
I’m the author. This is free, Apache-2.0-licensed software. There’s no paid product, signup, or hosted service behind the link. I built the original version to answer a basic question across a Windows fleet: for every installed application on every endpoint, is this version known to be vulnerable, and how urgently should we deal with it? I finally released a sanitized, clean-room port: [https://github.com/boostedchaos/fleet-cve-scanner](https://github.com/boostedchaos/fleet-cve-scanner) It’s a PowerShell 7 scanner that takes software inventory from NinjaOne or a CSV export and joins it against: \- NIST NVD for CVEs and affected-version ranges \- CISA KEV for known exploitation in the wild \- FIRST EPSS for 30-day exploitation probability \- CISA SSVC data for Act / Attend / Track decisions \- MSRC for Microsoft patch evidence \- [endoflife.date](http://endoflife.date) for products that will not receive another fix The outputs are a per-device CSV, a SQLite history database with SLA clocks and week-over-week events, and a self-contained HTML dashboard. \`-InputCsv\` makes no RMM API calls, so an export from another RMM, SCCM, or Intune can feed the same engine. The part I care about most is how the scanner fails. CPE matching is fuzzy. A typical software inventory has a large amount of software with no usable NVD/CPE entry at all. The scanner logs those skips instead of turning absence from the report into an implied clean bill of health. When a CVE applies to a product but the version comparison is indeterminate, the result is \`UNKNOWN\`, not a guessed \`PATCHED\` verdict. Transient NVD failures are also kept separate from genuine empty results. A failed request is skipped for that run and never cached as “no vulnerabilities.” KEV-listed CVEs bypass the normal CVSS reporting threshold. EPSS and SSVC enrich the finding but do not silently change the vulnerable/patched/unknown verdict. Before releasing this port, I ran it and the production lineage against the same live inventory and compared matching \`(device, software, version)\` rows across tens of thousands of findings. Every computed verdict field matched: status, CVSS, severity, KEV flag, SSVC decision, and fix version. That comparison has a boundary. It validated the verdict logic, not the history/SLA layer against a long-lived production database. The history paths have synthetic database tests, but I would still sanity-check \`first\_seen\` and SLA behavior for several runs before trusting an inherited history database. The repository has eight test suites running on Windows and Linux, a sanitization gate, offline fixtures, and a known-limitations document that is intentionally less flattering than the README. The feedback I’d value most: \- CPE matches that are wrong or ambiguous \- products that should match but are being skipped \- cases where a result is technically defensible but operationally misleading \- experience running the CSV path against inventory from another RMM \- contributions for additional native inventory adapters I’m not trying to claim this replaces a commercial scanner with a curated detection catalog. It doesn’t. The trade is that it’s free, inspectable, and honest about what it cannot prove. If you test it, I’m much more interested in where it gives you the wrong level of confidence than whether the dashboard looks good.
Hello everyone, For the past few weeks, I have been working on Ogma, a fully open-source web security proxy for pentesters and bug bounty hunters. The goal is to build a lightweight and accessible alternative to Burp Suite and Caido for people who want to inspect and test web traffic without subscriptions or locked features. Ogma uses a Rust backend and a Vue.js frontend. It currently supports intercepting, inspecting, editing, organizing, and replaying HTTP and WebSocket traffic. It also includes an Intruder-style automation module and a built-in browser. Ogma includes a built-in MCP server with more than 125+ tools, as well as an integrated AI assistant designed to act as a pentesting copilot during security assessments. It also has a plugin ecosystem that allows developers to create extensions and add new capabilities. The project is still under active development, so there may be bugs, unfinished areas and missing features. I am looking for people from the security community who would be willing to test it and share their experience. Any feedback would be appreciated, especially reports about bugs, usability problems, unexpected behavior, or features that would make the tool more useful in real-world security testing workflows. Repository: [https://github.com/KaijinLab/ogma](https://github.com/KaijinLab/ogma) Thank you to anyone who takes the time to try it.
Veto: Open-source, mobile and NATIVE VirusTotal client for quick file and URL analysis (Testers needed)
Hi r/Malware, If you ever need to quickly scan a suspicious file, URL, or installed application on an Android device using VirusTotal, I have built an open-source client called Veto. It lets you run queries using your own API key directly from your mobile device. GitHub: [https://github.com/ProfessorQuantumUniverse/Veto](https://github.com/ProfessorQuantumUniverse/Veto) I am currently trying to release the app on Google Play and need to fulfill Google's closed testing period. If you would like to test this tool, please consider opting in. Steps to join: 1. Join a Google Group: [veto\_android@googlegroups.com](https://groups.google.com/g/veto_android) 2. Opt-in link: [https://play.google.com/apps/testing/com.quantum\_prof.vtscansuite](https://play.google.com/apps/testing/com.quantum_prof.vtscansuite) 3. Play Store link: [https://play.google.com/store/apps/details?id=com.quantum\_prof.vtscansuite](https://play.google.com/store/apps/details?id=com.quantum_prof.vtscansuite) Feedback from malware analysts is highly valued!
I’ve been spending some time researching different techniques for detecting manually mapped (reflectively loaded) PE images in user mode, and I decided to open-source one of the approaches I’ve been experimenting with. The detector avoids relying on traditional module enumeration (e.g. PEB/LDR lists or EnumProcessModules). Instead, it walks the target process’s virtual address space with NtQueryVirtualMemory, identifies executable memory regions, and reads them using NtReadVirtualMemory. The current heuristic focuses on import thunk patterns. After scanning an executable region, it looks for contiguous sequences of x64 import stubs (FF 25), which are commonly emitted by the compiler for imported functions. A sufficiently large cluster of these thunks inside executable memory can indicate the presence of a manually mapped PE image that was never registered with the Windows loader. The goal isn’t to claim this is a universal detection technique, it’s a research project exploring one heuristic and its effectiveness. The repository is here: https://github.com/adem-hosni/MappedImagesDetector I’m hoping this can serve as a useful discussion point and maybe evolve into a more robust detection technique with community feedback.
VU#529388: Privilege escalation vulnerability via unprotected IOCTL interface in Pegatron Tdelo64.sys
Overview A privilege escalation vulnerability exists in the tdeio64.sys driver due to an unprotected input/output control (IOCTL) dispatch routine that fails to validate the origin and permissions of user-supplied requests. An unprivileged local attacker can abuse exposed IOCTL dispatch routines [RM1.1][MB1.2]to perform arbitrary kernel memory read and write operations, ultimately obtaining NT AUTHORITY\SYSTEM privileges and compromising the security of the affected system. Description The tdeio64.sys driver distributed by Pegatron Corporation, a Taiwanese electronics manufacturer that produces motherboards and OEM components, is a Windows Driver Model (WDM) driver that provides low-level access to system I/O ports and hardware components. The driver exposes the \\.\TdeIo device interface and processes privileged IOTL requests without enforcing adequate access control or validating user-supplied memory addresses. CVE-2026-14961 By sending a crafted DeviceIoControl request, an unprivileged attacker can abuse the driver's IOCTL dispatcher to perform arbitrary kernel memory reads and writes. This capability can be used to overwrite the current process token with the SYSTEM process token, resulting in privilege escalation to NT AUTHORITY\SYSTEM . CVE-2026-14960 In addition to arbitrary kernel memory access, the driver exposes IOCTLs capable of interacting directly with hardware I/O ports. An attacker who successfully exploits these interfaces may be able to manipulate hardware resources in ways that extend beyond normal operating system protections. Impact &l
Céline Dion is scheduled for 16 Paris concerts in 2026, from September 12 to October 17. Including the 10 additional shows announced for May 2027, the total is 26 concerts. This makes it a lucrative target for scammers.
Overview Two distinct cryptographic signature verification vulnerabilities exist in Digital Bazaar node-forge, a widely used JavaScript library implementing cryptographic primitives for Node.js and browser environments. These vulnerabilities allow attackers to forge RSA (PKCS#1 v1.5) and Ed25519 signatures under specific, exploitable conditions. Description Both vulnerabilities stem from insufficient enforcement of canonical cryptographic structures during verification: in the RSA case, non-standard ASN.1 encodings and undersized padding are accepted; in the Ed25519 case, non-canonical signature scalars are not rejected. As a result, node-forge accepts signatures that appear valid internally but are rejected by industry-standard libraries such as OpenSSL and Node.js’s native crypto module. The vulnerabilities affect node-forge versions 0.1.2 through 1.3.3 for RSA-PKCS#1 v1.5, and 0.7.4 through 1.3.3 for Ed25519. Both issues were resolved in v1.4.0, released on 2026-04-05. CVE-2026-33894 arises in lib/rsa.js , where RSASSA-PKCS1-v1_5 verification accepts forged signatures due to two related flaws. First, the ASN.1 parser for DigestInfo permits non-canonical encodings—specifically, structures with more than the two required fields (algorithm OID and octet string), including attacker-controlled additional data. Second, the PKCS#1 v1.5 decoding logic fails to enforce the RFC 2313 requirement that the padding string ( PS ) must be at least 8 bytes . These combined weaknesses enable attackers to construct specially crafted signatures, particularly with low public exponents (e.g., e = 3 ), that node-forge validates successfully while standard implementations correctly reject them.
File-Binding, Process-Binding, and Silo-Binding - new process impersonation techniques for EDR evasion
**TL;DR: One documented Windows feature, the Bind Filter, gives an attacker who already holds local administrator rights three ways to make one file look like another to every path-based defense on the box. No vulnerable driver, no exploit. Bitdefender Labs named and documented all three: File-Binding, Process-Binding, and Silo-Binding:** \- **File-Binding** hijacks what a target loads or reads. Shadow the path of amsi.dll or an EDR's user-mode sensor DLL, and the security product loads the attacker's code in place of its own. \- **Process-Binding** shadows an executable so the image path reported for a running process points at a different file than the one executing. The process-creation callback your EDR trusts, and tools like Process Explorer and Sysmon, all report the wrong file. \- **Silo-Binding** ("Ghost in the Silo") scopes the redirect to a single silo (the isolation primitive behind Windows containers) and pairs it with an inverse global link, so a path resolves to malware inside the silo and to the clean file everywhere else. It defeats AppLocker, Windows Firewall, and Sysmon at once, and slips the bind-link veto that would otherwise flag it. The threat model is the same as BYOVD: the host is already compromised and the attacker has admin, looking for a way to bypass endpoint security (a.k.a "EDR killers"). There are some interesting consequences, e.g. members of Docker users can escalate to SYSTEM using this technique. **Link to the research**: [Bind Link Abuse: One Windows Feature, Many Ways to Blind Your EDR](https://www.bitdefender.com/en-us/blog/businessinsights/bind-link-abuses-windows-feature-edr-evasion-technique) All three are the newest entries in an old process impersonation family, I wrote a companion explainer that walks the whole family and the behavioral signals that catch each one (with a bit of information why it's possible in Windows architecture). Still working on diagrams, but thought this could be useful to someone that's interested to learn more: [What is Process Impersonation](https://techzone.bitdefender.com/en/tech-explainers/what-is-process-impersonation.html)
A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase. On an infected PC, the request comes from inside the wallet's own desktop software. Sometimes it waits until you plug the device in first. The page is malicious. The app around it is the real one you installed, and
# Romanian Government Cadastre (ANCPI) cyber attack A very serious ransomware attack is underway on the networks of ANCPI, Romania’s national cadastre agency. Our close monitoring of the threat actor Bytetobreach — who carried out a similar attack last month on Latvia State Forests — detected simultaneous uploads on dark web forums regarding this incident. These claims were later confirmed on ANCPI’s official website. What was described as a “small technical incident” in yesterday’s press release has suddenly been recharacterized by ANCPI itself as “the most serious technical incident in the institution’s history.” Sources : [https://www.ancpi.ro/](https://www.ancpi.ro/) (official press releases ) [https://pwnforums.st/Thread-DATABASE-RO-Thy-arss-shall-be-spanked-Romania-ANCPI](https://pwnforums.st/Thread-DATABASE-RO-Thy-arss-shall-be-spanked-Romania-ANCPI)[https://spear.cx/Thread-Selling-RO-Thy-arss-shall-be-spanked-Romania-ANCPI](https://spear.cx/Thread-Selling-RO-Thy-arss-shall-be-spanked-Romania-ANCPI)
Mozilla has released updates to address two critical flaws in Firefox for which it warned that exploit code has been published. The vulnerabilities are listed below - CVE-2026-15718, an invalid pointer in the JavaScript: WebAssembly component CVE-2026-15719, a site isolation in the DOM: Navigation component "We are aware that exploit code for this is public, however we are not aware of
For years, routing traffic through cloud proxies was good enough. Then work moved to the browser, AI entered the workflow, and the inspection model stopped keeping up. Enterprise workflows now live across SaaS applications, browsers, and an expanding ecosystem of generative AI tools, unsanctioned browser extensions, and autonomous agents. Employees routinely paste intellectual property into
Security researcher Chaotic Eclipse (aka Nightmare-Eclipse) has released a new proof-of-concept (PoC) exploit called LegacyHive. It has been described as a Windows User Profile Service arbitrary hive load elevation of privileges vulnerability. The Windows User Profile Service, also referred to as ProfSvc, is a core system component that manages user accounts and environments. "The PoC requires
Open a repository in Cursor on Windows and, if a file named git.exe is sitting in the project root, Cursor runs it. No click, no approval dialog, no warning that anything in the folder is about to execute. Whatever that binary does, it does as you, with your source, your SSH keys and your cloud tokens. Cursor keeps re-running it for as long as the project stays open. No prompt
Four compromised npm packages in the @asyncapi namespace have been observed distributing a multi-stage botnet loader, according to findings from OX Security, SafeDep, Socket, and StepSecurity. The affected packages are listed below - @asyncapi/generator-helpers@1.1.1 @asyncapi/generator-components@0.7.1 @asyncapi/generator@3.3.1 @asyncapi/specs(v6.11.2, v6.11.2-alpha.1) "The
Tailscale: Tailscale SSH previously accepted usernames that contained a leading - character. On Linux platforms these usernames were passed as arguments to getent(1) to retrieve the corresponding passwd entry, where they were interpreted as flags permitting attacker-controlled behavior.
Fortinet has disclosed CVE-2026-59835, an unauthenticated VNC exposure affecting FortiSandbox 5.0.0 - 5.0.2 and 4.4.3 - 4.4.8. The flaw can allow remote attackers to access the VNC server of virtual machines performing malware analysis via network requests, potentially exposing live sandbox sessions. Patches have been released by Fortinet on 14 July, and organizations using affected versions should update as soon as possible
SonicWall has warned of active exploitation of two zero-day vulnerabilities impacting Secure Mobile Access (SMA) 1000 series appliances, one of which could be exploited to achieve arbitrary command execution. The vulnerabilities are listed below - CVE-2026-15409 (CVSS score: 10.0) - A Server-side request forgery (SSRF) vulnerability that a remote unauthenticated attacker could exploit to
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite "Build a smart home", they said. "It'll make life so much better", they said. Well, life wasn't very bloody good at 23:00 the other night after travelling 33 hours from Paris only to find the IoT doorlock batteries dead and the 9V "jump start" procedure completely failing! Eventually, the locksmith arrived and opened an old-school physical lock on another door in an alarmingly short time. So, lessons: Battery-powered locks suck and will eventually lock you out of your house Don't trust a fallback mechanism as rudimentary as "hold a 9V battery on some terminals" Always have an old school manual backup approach, AKA "a key" As I say in the video, we do have other doors that have keys, and if it weren't for the complacency we developed, we would have had one of these accessible. But alas, we didn't. The path forward is to take a deep dive into Ubiquiti's Access ecosystem , which I've flagged in the past, and by pure coincidence, I already had a meeting lined up with them to discuss just this. So, the hardware is on the way, and I'll have something entirely new to play with in the coming weeks. Stay tuned!
Also 1Password. Be careful out there.
Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs quashed in July’s Patch Tuesday earned a “critical” severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild. Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 — an Active Directory Federation Services bug — and CVE-2026-56164 , a Microsoft Sharepoint vulnerability.
SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could
Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. "LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. "Once deployed, it can profile the host,
Hi everyone, As security defenders, we all know that default alerts in a SIEM can only get us so far. Attackers are constantly finding stealthy ways to execute code, escalate privileges, and establish persistence, making a deep understanding of Windows Event Logs absolutely critical. I’ve put together a comprehensive deep-dive guide on Medium exploring Windows Event Log analysis, forensic investigation, and detection engineering with Sysmon. In this guide, I cover: 1 **The Anatomy of Windows Logs:** How the OS structures and stores .evtx binary XML data. 2 **Demystifying Logon Types (Event ID 4624):** A technical breakdown of different logon types (Type 2, 3, 5, 9, 10) and their forensic value. 3 **Supercharging Visibility with Sysmon:** How to hunt for LOLBins and malicious executions using **Sysmon Event ID 1 (Process Creation)** and **Event ID 3 (Network Connection)**. 4 **Detecting Defense Evasion:** Spotting log clearing attempts (**Event ID 1102 & 104**) and event log service tampering. 5 **A Practical Attack Scenario:** Reconstructing a **PsExec Lateral Movement** attack step-by-step by correlating multiple event logs. I also created a custom infographic (attached/linked below) that visualizes the entire flow to help junior analysts and defenders map these concepts quickly. **Read the full article here:** https://medium.com/@osamamamoussa/beyond-the-basics-deep-dive-windows-event-log-analysis-for-enterprise-soc-defenders-04d13219adef
[RustyWater ShellCode Dropper](https://github.com/S3N4T0R-0X0/RustyWater-ShellCode-Dropper) has emerged as a key component in recent Static Kitten (MuddyWater) operations targeting organizations in the Gulf and broader Middle East. Written in Rust and disguised as a legitimate-looking reddit.exe, this implant serves as the main payload and backbone of their attacks. It uses a multi-stage dropper (CertificationKit.ini) that decrypts and deploys the payload at runtime, establishes registry persistence, and injects shellcode into explorer.exe for stealth. What makes it particularly effective is its robust 8-layer anti-analysis system checking for virtual machines, debuggers, sandboxes, low resources, and analysis tools before execution. This ensures it only activates on real victim systems. A clear example of how Iranian APT groups continue to evolve their tooling with Rust for better evasion and persistence in the region.
On July 3, 2026, the Albanian communications authority (AKEP), the operator of the .al country-code top-level domain (TLD) of Albania, attempted a DNSSEC key rollover. Something went wrong, resulting in DNSSEC validation failures. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return errors to clients. That includes 1.1.1.1 , the public DNS resolver operated by Cloudflare. The .al TLD is the online home of Albanian government services, banks, and media; it ranks #191 on Cloudflare Radar's TLD ranking . Anyone trying to visit those sites, using a validating resolver, found them unreachable during the incident. The failure had the potential to affect every .al domain, regardless of where it was hosted or which authoritative nameservers served it. Just two months earlier, a similar incident struck .de , the TLD of Germany. As we described in our blog post on the incident , our response was to install a Negative Trust Anchor (NTA) for .de , temporarily suspending DNSSEC validation in 1.1.1.1 to keep domains reachable while the registry resolved the issue. We did the same for . al . NTAs restore resolution, but silently. A client receiving a response served under an NTA has no way to tell, from the response alone, that DNSSEC validation was bypassed, leaving it unable to distinguish a legitimate answer from a spoofed one. For the .al incident, 1.1.1.1 addressed that gap for the first time, returning a new Extended DNS Error (EDE) code alongside every affected res
Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard. "An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,"
Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them. The way these wallets talk to websites and blockchain servers can tie a person's separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or
AI security agents are starting to influence real security decisions. They summarize findings, prioritize remediation, recommend next steps, and help teams move faster. But most still rely on fragmented risk signals: scanner output, severity scores, threat intelligence, configuration findings, and exposure data. That fragmentation matters because attackers do not move through environments one
At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service (1VPNS), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian
Most enterprises test less than a third of their attack surface, and attackers have already moved to AI-speed offense. Agentic AI closes the coverage gap, but only when paired with human expertise: an AI-first, human-validated model that secures critical infrastructure without sacrificing operational safety. The post Why the Future of Pentesting Needs Humans and Agentic AI Working Together appeared first on Synack .
I wrote this after spending an unreasonable amount of time making CET-compliant callstack spoofing work end-to-end on hardware with Intel CET enabled. The technique combines three primitives: thread pool execution for a clean stack base, enum callback trampolining for a real signed mid-stack frame, and indirect syscalls. The actual contribution is the CET compliance mechanism: a `jmp`\-based context switch combined with direct shadow stack pointer reconciliation via `RDSSPQ`/`INCSSPQ`, without touching unwind metadata. Different approach from BYOUD. Implemented in Rust with inline assembly.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important lessons that all security teams should absorb. On May 15, 2026, the security firm GitGuardian asked for help in notifying CISA about the existence of a public GitHub repository called “Private CISA” that included 844 MB of sensitive CISA-related data. One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. CISA quickly acknowledged our initial alert, but took more than 48 hours to invalidate the AWS keys and many other important secrets leaked in the GitHub repo. In its report on the data leak , CISA said the complexities of the agency’s systems and interconnections with federal and industry partners caused its key rotation to take long
Bot mitigation is an adversarial game: attackers adapt, defenders respond, and the cycle continues. At Cloudflare, we stay ahead by combining visibility across our global network with signals from the client-side environment. At the network level, we analyze over 1 trillion requests per day to understand reputation, patterns, and anomalies across more than 20% of the web. On the client side, we’ve pushed detection deeper with Cloudflare Turnstile , which has evolved from a CAPTCHA replacement to a risk-based managed challenge that adapts the amount of friction needed to verify the user is authentic. Today, Turnstile runs nearly 3 billion times per day on some of the most sensitive endpoints on the Internet, helping verify users at key moments like login, signup, and checkout. This improves protection on the most important areas of customer applications, but still leaves limited visibility into the rest of the application — how humans and bots actually interact across the full user journey. This is the visibility gap we’re closing today with our launch of Precursor . Introducing Precursor Precursor is a client-side, session-based verification system, built with privacy in mind, that uses dynamically injected JavaScript to continuously collect behavioral signals as visitors interact with your application. These signals are processed and incorporated into Cloudflare’s bot protection in real time, allowing us to continuously distinguish human traffic from automated or agentic traffic. This extends the client-side detections offered by a
We’ve added a new chapter to our Testing Handbook : a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems. fn main () {( | f: & dyn Fn ( u128 )-> Box < dyn Iterator < Item =
The SFPD’s exposure of hours of videos from drone platform Skydio reveals how broadly it’s watching the city from above—and how the results can spill online.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
\\#ransomware #kratos #minifilter #Windows
GreyNoise's Threat Brief Library is now live in the Visualizer — browse, search, filter, and download weekly At The Edge briefs, Executive Situation Reports, and more, all built on primary-source sensor data.
Vulnerability in Realtek driver allows DMA controller abuse from user mode with no additional hardware or driver
The vulnerability allows non-privileged users to program the DMA controller, enabling arbitrary physical memory reads and writes.
Hand-crafted 974-byte Android 14 APK (API 34) — Bypassing build-tool bloat by exploiting PackageInstaller structure.
A read-only, deterministic file-observer that emits a hashed, reproducible manifest — where would this fall short for real casework?
Up front: I'm an enthusiast, not a forensics professional, and this is not a validated forensics tool — it's not write-blocking, it hasn't been through any formal tool-validation, and I'm not going to pretend otherwise. I built it for reproducible file observation and I keep thinking it might be useful for first-pass triage, but the people who'd actually know are here, not where I usually hang out. So I'd rather you tell me where it falls short than nod along. ## What it does file-observer walks a directory and emits a single deterministic JSON manifest describing every file. It's read-only — it never writes to a file, never executes file content, and never modifies source. (Like any triage tool, you'd point it at a working copy or a mounted image, not originals.) The properties that made me think of this sub: - **Reproducible output.** Same bytes in → byte-identical manifest out, every run, regardless of worker count (there's a test that fails CI if a parallel scan differs from a serial one). It's determinism, not tool-validation — but the output is stable enough to diff and defend. - **SHA-256 per file**, plus identical-hash duplicate clustering across the tree. - **Content-vs-extension MIME mismatch + polyglot detection** — flags a file whose actual signature doesn't match its extension, and files that satisfy more than one format's structure. Useful for spotting renamed or disguised files. - **Metadata extraction, stdlib, bounded and never-crashing on hostile input:** image EXIF (make/model, timestamps, and GPS-presence — presence, deliberately not coordinates), video container/QuickTime capture fields (device make/model, creation dates, GPS-presence), PDF producer/creator/creation-date/encryption + a born-digital-vs-scanned/OCR provenance read, email envelopes (.eml/.msg: from/to/subject/date/message-id/attachments), and Office/OLE2 document fields. - **Structural safety flags** — has_macros (VBA), has_javascript (PDF), has_ole_objects, has_external_references. Observations, not verdicts. - **Integrity envelope** — optional HMAC-SHA256 manifest signature and a previous_manifest_checksum chain, if you want a tamper-evident record of the observation itself. - **Delta between two scans** — what was added/modified/removed since a prior manifest. Everything runs bounded and read-only, and it degrades to a per-file error record rather than crashing on a malformed or hostile file. ## Where I know it's weak (and where I don't) Honest limits: it's triage/observation, not analysis — no carving, no timeline, no registry/artifact parsing. Metadata is bounded observation, so a null means "not seen within the read window," not "not present." GPS is presence-only by design. And reproducible ≠ validated — I've oracle-checked the parsers against tools like exiftool, but that's not the same as CFTT-style validation. What I don't know is whether any of this is actually useful in a real workflow, or whether it's a toy next to the tooling you already trust. That's the question. Where would this break, mislead, or fail to matter for real casework? ## Try it pip install "file-observer[all]" Repo: https://github.com/russalo/file-observer I'd genuinely rather hear "here's why this is useless for X" than a pat on the head — I'm isolated from people who do this for a living, and that's exactly the gap I'm trying to close.
Plus: The Pentagon is training amateurs to become part of its hacker army, a Flock license plate reader error led to cops surrounding a car reviewer, and more.
Overview GNU Wget, versions 1.25.0 and earlier, contains a server-side request forgery (SSRF) vulnerability in its implementation of FTP passive mode. Because Wget does not properly validate IP addresses obtained from PASV responses, an attacker-controlled FTP endpoint can redirect the client’s connection to arbitrary IPs, potentially exposing internal network host and service responses. This vulnerability has been remediated in a recent update by GNU; see the Solutions section below for resolution guidance. Description GNU Wget is a widely used command-line utility for retrieving content over HTTP, HTTPS, and FTP. When operating over FTP in passive mode, Wget relies on the server’s PASV response to determine which IP address and port to use for the data connection. CVE-2026-15146 GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources. This issue belongs to a known class of FTP PASV vulnerabilities such as CVE-2021-40491 , which was previously remediated in GNU Inetutils. Impact A remote attacker controlling or influencing an FTP endpoint can induce Wget to establish connections to otherwise inaccessible internal network addresses. This may allow the attacker to retrieve service banners, access internal HTTP endpoints, or exfiltrate data from internal systems reach
Google has flagged the widely-installed HTTP header editor ModHeader as malware Microsoft already pulled it from Edge on July 3. \[MalExt Sentry - Malicious Browser Extension Tracker\](https://malext.io/?q=ModHeader) \* 900k installs on chrome | idgpnmonknjnojddfkpgkljpfnnfcklj \* 700k installs on edge | opgbiafapkbbnbnjcdomjaghbckfkglc
There are several major managed detection and response (MDR) companies to choose from. We’ve compared the main offerings of the best MDR providers to help you decide which is right for your organisation. Maybe it was a near miss, or a security team stretched too thin and drowning in alerts from dozens of tools. Whatever […] The post Top 6 Managed Detection and Response Providers appeared first on Heimdal Security Blog .
In 2021, we shipped Smart Tiered Cache . The idea: for each origin behind your site, Cloudflare picks the single best upper-tier data center to route through, based on real-time latency. Flip one switch, and we find the fastest path from our network to your origin. That works as long as an origin IP lives in one fixed place. Public cloud origins usually don't. They sit behind anycast or regional unicast front ends, so one origin IP can look equally close to a dozen Cloudflare data centers at once — and the latency probes have nothing to lock onto. Smart Tiered Cache handles this the safe way: when there's no clear winner, it falls back to several upper tiers. Nothing breaks. You just lose the thing that made a single closest tier worth it, which is cache efficiency. Smart Tiered Cache for Public Cloud Regions fixes this by letting you provide a cloud region hint. With that hint, Cloudflare can map public cloud origins to the right region and select better primary and fallback upper tiers, even when the origin IP itself looks anycast or ambiguous. We made our most popular tiered cache topology smarter Since it was launched, Smart Tiered Cache has become the most popular tiered cache topology among Cloudflare customers. It’s available to all plans, for free. Much of our work aims to continually improve it. Over time, we’ve extended Smart Tiered Cache to handle more origin architectures, including: November 2024 : Smart Tiered Cache for R2 : We taught Smart Tiered Cache to automatically select the closest upper tier to where the R2 bucket actually lives, reducing latency with zero configuration. January 2025 :
I reverse-engineered the DJI Spark smart battery I2C/SMBus protocol and documented the captures, firmware, and hardware
Security testing identifies vulnerabilities, weaknesses, and misconfigurations before attackers can exploit them. This guide covers every major method, when to use each, and how to build a program that finds what actually matters. The post What Is Security Testing? A Practitioner’s Guide to Methods, Tools, and When to Use Each appeared first on Synack .
Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app. The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates): Common Name ends with "payrange.com" Common Name contains "stripe.com" Common Name contains "fetlifestatus.com" AND any of these conditions are true: Issuer Common Name is "R10" Issuer Common Name is "R3" Issuer Common Name contains "Network Solutions" The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers. Impact An attacker may be able to intercept any information they can convince the
Hi everyone, I've recently released **Auditor 1.0.0**, a command-line utility for file hashing and integrity verification, and I'd like to share some of the new features that may be useful for digital forensics workflows. # New: Verified file copy Two new commands have been added to perform file copies while ensuring end-to-end integrity. **clone** * Reads each source file and computes its hash. * Copies the file to the destination. * Reads the copied file, recomputes its hash, and verifies it against the source. * Can also generate audit/hash files if they don't already exist. **chkcopy** Similar to `clone`, but additionally validates the source against previously generated audit files before copying: * Verifies that the audit files exist. * Recomputes the source hash and compares it with the recorded value. * Copies the file. * Verifies the copied file by hashing it again and comparing it with the source. Both commands support configurable retry logic (number of attempts and delay between retries), which is particularly useful when copying over network shares where transient I/O or connection failures may occur. # Compatibility with existing checksum tools Auditor can now verify checksum files generated by other utilities, including: * `fsum` * `sha256sum` * `b3sum` * and others This makes it easier to integrate Auditor into existing workflows without requiring proprietary hash lists. # Multiple hash encodings Besides the traditional hexadecimal (Base16) representation, Auditor now supports: * Base32 * Base64 * Base85 This is handy when working with systems that exchange hashes in different encodings (for example, some forensic monitoring systems that use Base32). # Windows, Linux and macOS Precompiled binaries are available for Windows, Linux and macOS. The Linux build has also been updated to run cleanly under **WSL (Windows Subsystem for Linux)**, which may be useful for investigators who automate their workflow with Linux shell scripts while working on Windows. Documentation and downloads: [https://thash.org/auditor](https://thash.org/auditor) # Breaking change in v1.0.0 The default behavior has changed. Previous versions enabled the **thash** method by default. Starting with **v1.0.0**, Auditor computes standard hashes by default, producing exactly the same values as tools such as `sha256sum`, `b3sum`, and `fsum`. The **thash** algorithm is still available, but it must now be explicitly enabled with: `-t` or `--thash` This change was made to improve interoperability while keeping thash available for situations where faster integrity verification of very large datasets is desirable. Feedback, bug reports and feature suggestions are always welcome.
A Majority of European Lawmakers Voted Against Letting Big Tech Read Our Messages. They’re Going to Anyway
Companies will once again be allowed to scan citizens’ personal texts, emails, and social media messages via the “Chat Control” bill to find child abuse material online.
RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be
Overview Two vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the /setup/ directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities. Description Xerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a setup folder that persists after installation. CVE-2026-14261 A vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control. CVE-2026-12116 A vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed. During installation, Xerte creates a /setup/
An MSG database tracked and categorized hundreds of celebs, famous Knicks superfans, and even some of Taylor Swift’s wedding guests. Labels included “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys.
Our 2026 State of Vulnerabilities Report surfaces what Synack finds in tested customer environments. At a recent webinar, two of our most decorated researchers from the Synack Red Team describe the threat landscape they’re seeing beyond the report findings. Here's what the data shows, what practitioners have experienced, and what your security program should do about the gap. The post The 2026 State of Vulnerabilities: What the Data Misses, According to Our Red Team appeared first on Synack .