Attacks & Vulnerabilities
|
Sometimes, You Can Just Feel The Security In The Design (Juniper Junos Evolved CVE-2026-21902 Pre-Auth RCE) (7 minute read)
CVE-2026-21902 (CVSS 9.8) is a pre-authentication RCE in Juniper Junos OS Evolved on PTX Series routers. The On-Box Anomaly Detection Framework's Python REST API binds to 0.0.0.0:8160 instead of an internal-only interface, exposing unauthenticated command execution as root. Exploitation takes four unauthenticated HTTP POST requests: register a RE-SHELL command, wrap it in a DAG, schedule a DAG instance, then commit; the schedule enforcer then passes the attacker-controlled syntax field straight into subprocess.run(). Affected are Junos OS Evolved 25.4-EVO releases before 25.4R1-S1-EVO and 25.4R2-EVO, which carry the fix. Operators should patch immediately and audit exposure of 8160/TCP at network boundaries, since a service meant for on-box use should never be reachable from outside the router.
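The two design flaws the write-up describes, a management API listening on every interface and a caller-supplied string handed to subprocess.run(), reduce to a few lines of Python. The following is an added illustration, not Juniper's code: it shows the vulnerable shape next to a hardened one (loopback-only bind check, no shell, exact allow-list of argv vectors). The function names, the allow-list and the sample task are constructed for this example; only the RE-SHELL name and the "syntax" field come from the write-up.

```python
"""Added illustration of the CVE-2026-21902 bug class, not Juniper's code."""
import ipaddress
import shlex
import subprocess

# Constructed sample of what an unauthenticated caller could submit once a
# RE-SHELL command, DAG and schedule have been registered.
ATTACKER_TASK = {"type": "RE-SHELL", "syntax": "id; cat /etc/shadow"}


def bind_is_internal_only(host: str) -> bool:
    """0.0.0.0 and :: listen on every interface; only loopback is internal-only."""
    return ipaddress.ip_address(host).is_loopback


def enforce_vulnerable(task: dict) -> subprocess.CompletedProcess:
    """Vulnerable shape: the raw string reaches a shell as the service user (root).

    shell=True means ';', '&&' and '$()' in 'syntax' are interpreted.
    """
    return subprocess.run(task["syntax"], shell=True, capture_output=True, text=True)


# Hardened shape: exact argv vectors the scheduler is permitted to run
# (constructed allow-list for this example).
ALLOWED_ARGV = {
    ("show", "version"),
    ("show", "system", "uptime"),
}


def build_argv(syntax: str) -> list[str]:
    """Parse without a shell and accept only an exact allow-listed argv.

    shlex leaves ';', '$(id)' and extra words as literal tokens instead of
    interpreting them, so anything beyond the allow-list fails the lookup.
    Raises ValueError (also on unbalanced quotes, from shlex itself).
    """
    argv = shlex.split(syntax)
    if tuple(argv) not in ALLOWED_ARGV:
        raise ValueError(f"command not permitted: {syntax!r}")
    return argv


def is_permitted(syntax: str) -> bool:
    """True only if build_argv() would accept the string."""
    try:
        build_argv(syntax)
    except ValueError:
        return False
    return True


def enforce_hardened(task: dict) -> subprocess.CompletedProcess:
    """Hardened shape: validated argv, no shell."""
    return subprocess.run(build_argv(task["syntax"]), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    print("0.0.0.0 internal only?", bind_is_internal_only("0.0.0.0"))
    print("127.0.0.1 internal only?", bind_is_internal_only("127.0.0.1"))
    for syntax in ("show version", ATTACKER_TASK["syntax"], "show version; id", "show $(id)"):
        print(f"{syntax!r:32} permitted: {is_permitted(syntax)}")
```

The bind check is the cheap half of the audit: a REST API that only the router's own daemons should call has no business on 0.0.0.0, and an allow-list on the command side means even a reachable endpoint cannot be turned into a root shell.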
|
Exploiting Integer Overflow in the Nginx Web Server: A Deep Dive into the Vulnerability (11 minute read)
CVE-2017-7529, a now-patched integer overflow in nginx's Range header parser, affected versions 0.5.6 through 1.13.2. Two suffix ranges (bytes=-N) with lengths larger than the content length made the signed 64-bit size accumulator wrap negative, so the total-size check against the content length passed, and the first range's negative start offset let the attacker read bytes before the response body. When nginx acted as a caching proxy, that meant the raw cache file header: internal request headers, backend server identity, and potentially backend IP addresses. The direct impact was limited, but it shows how an information disclosure primitive can serve as a link in a broader attack chain.
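To make the arithmetic concrete, here is an added Python model of the range-parsing logic (not nginx's code, and simplified: the max-ranges limit and header syntax checks are left out). It keeps the structure of ngx_http_range_parse() as it stood in 1.13.2, where suffix ranges became start = content_length - N and the size total was compared to the content length only after the loop, and the 1.13.3 shape, which clamps a too-large suffix to offset 0 and checks the total after every range. Python integers do not overflow, so off_t wraparound is emulated explicitly. The content length and the number of bytes preceding the body are constructed values.

```python
"""Added model of the CVE-2017-7529 bug class (not nginx's source)."""
from __future__ import annotations

INT64_MIN, INT64_MAX = -(1 << 63), (1 << 63) - 1


def off_t(v: int) -> int:
    """Wrap to a signed 64-bit value, emulating C off_t arithmetic."""
    return ((v - INT64_MIN) % (1 << 64)) + INT64_MIN


def parse_range(header: str, content_length: int, fixed: bool) -> list[tuple[int, int]] | None:
    """Return accepted (start, end) pairs (end exclusive) or None if declined.

    fixed=False mirrors 1.13.2: suffix start may go negative, size is only
    checked once at the end.  fixed=True mirrors 1.13.3: suffix start is
    clamped to 0 and the running size is checked after each range.
    """
    if not header.startswith("bytes="):
        return None
    ranges: list[tuple[int, int]] = []
    size = 0
    try:
        for spec in header[len("bytes="):].split(","):
            spec = spec.strip()
            if spec.startswith("-"):                      # suffix range: last N bytes
                n = int(spec[1:])
                if n > INT64_MAX:                         # digit-overflow cutoff nginx already had
                    return None
                if fixed:
                    start = content_length - n if n < content_length else 0
                else:
                    start = off_t(content_length - n)     # negative when n > content_length
                end = content_length                      # nginx: end = content_length - 1; end++
            else:
                first, _, last = spec.partition("-")
                start = int(first)
                if last == "":                            # open-ended "start-"
                    end = content_length
                else:
                    end = int(last)
                    end = content_length if end >= content_length else end + 1
            if start < end:
                ranges.append((start, end))
                size = off_t(size + (end - start))        # signed 64-bit accumulator
                if fixed and size > content_length:
                    return None
            elif start == 0:
                return None
    except ValueError:                                    # non-numeric range component
        return None
    if not ranges:
        return None
    if not fixed and size > content_length:               # the only check in 1.13.2
        return None
    return ranges


def craft_overflow_header(content_length: int, bytes_before_body: int) -> str:
    """Two suffix ranges: the first starts bytes_before_body before the body
    (negative offset), the second is sized so the total reaches 2**63 and
    wraps to INT64_MIN, slipping past 'size > content_length'."""
    first = content_length + bytes_before_body
    second = (1 << 63) - first
    return f"bytes=-{first},-{second}"


if __name__ == "__main__":
    hdr = craft_overflow_header(612, 120)              # constructed: 612-byte body, 120-byte cache header
    print(hdr)
    print("1.13.2 accepts:", parse_range(hdr, 612, fixed=False))
    print("1.13.3 accepts:", parse_range(hdr, 612, fixed=True))
```

A single oversized suffix range is still rejected by the old code because the total exceeds the content length; the bypass needs the second range to push the sum across 2**63. In the cache-file case the negative start of the first range is what lands the read inside the cache header that precedes the stored body.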
|
New LexisNexis Data Breach Confirmed After Hackers Leak Files (2 minute read)
LexisNexis confirmed that attackers accessed legacy servers, exposing customer identifiers, business contact data, survey respondents' IP addresses, and support tickets, while denying any impact on current products and services. The hackers claim that React2Shell and a misconfigured AWS environment led to the theft of over 2 GB of data, including 400,000 personal records and sensitive enterprise, employee, and development information.
|
|
Coruna: The Mysterious Journey of a Powerful iOS Exploit Kit (15 minute read)
Coruna is a sophisticated iOS exploit kit containing five full exploit chains and 23 total exploits targeting iOS 13.0 through 17.2.1. It proliferated from a commercial surveillance vendor customer to a Russian espionage group, UNC6353, which conducted watering hole attacks against Ukrainian users, and ultimately to a Chinese financially motivated actor, UNC6691, that deployed it via fake crypto exchange sites to steal cryptocurrency wallet credentials. The kit's final payload, PLASMAGRID, hooks into 18 crypto wallet apps, scans for BIP39 seed phrases, and uses a DGA seeded with "lazarus" to generate fallback C2 domains. iPhone users should update to the latest iOS immediately. Where updates aren't possible, enabling Lockdown Mode is recommended, and defenders should review the published YARA rules and IOCs for hunting activity.
|
DNS-PERSIST-01: A New Model for DNS-based Challenge Validation (5 minute read)
DNS-01 is the ACME challenge that proves control of a domain by publishing a TXT record under _acme-challenge.<domain>. Because the record value is derived from a fresh per-issuance token, automation must create a new TXT record for every issuance, which usually means embedding DNS API credentials in renewal scripts, and renewals become vulnerable to DNS propagation delays. Let's Encrypt has proposed a new challenge, DNS-PERSIST-01, in which a persistent DNS record names the specific CA and ACME account permitted to issue for the domain, so the record is set once and no longer changes per issuance.
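The per-issuance churn is visible in how the DNS-01 value is derived. The following is an added example, not code from the Let's Encrypt post: it computes the account key thumbprint (RFC 7638) and the _acme-challenge TXT value (RFC 8555 section 8.4) for two issuances against the same domain. The account key is the public EC P-256 test vector from RFC 7515 Appendix A.3, not a real account key, and the tokens are made up.

```python
"""Added example: deriving DNS-01 TXT values (RFC 8555 s.8.4, RFC 7638)."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace.  Private members such as 'd' must not contribute."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple[str, str]:
    """Return (record name, TXT RDATA) for one DNS-01 challenge.

    keyAuthorization = token || '.' || thumbprint(accountKey)
    TXT value        = base64url(SHA-256(keyAuthorization))
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{domain}", value


# Public test key from RFC 7515 Appendix A.3 (not a real ACME account key).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "d": "jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI",
}

if __name__ == "__main__":
    # Constructed tokens standing in for two successive issuances.
    for token in ("tok-issuance-1", "tok-issuance-2"):
        name, value = dns01_record("example.com", token, ACCOUNT_JWK)
        print(f'{name} IN TXT "{value}"')
```

Same name, same account, different value every time: that is the record the renewal job has to rewrite, and the reason it needs standing write access to the zone. A DNS-PERSIST-01 record, by contrast, carries only the CA and account binding, which does not change between issuances.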
|
Rare Not Random: Using Token Efficiency for Secrets Scanning (6 minute read)
Gitleaks has traditionally built its secrets scanner on a combination of regexes, Shannon entropy, and rule-based filters. This post details how the team replaced entropy with token efficiency: a candidate string is run through a language model's tokenizer, and the number of characters per token measures how familiar the text is, since strings common in the tokenizer's training data compress into a few long tokens while random secrets fragment into many short ones. Using this metric and a few other tweaks, the author built a tool called BetterLeaks, which outperforms other scanners, such as CredSweeper, at secret detection on the CredData dataset.
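Why entropy struggles and token efficiency does not can be seen side by side. The block below is an added example, not the gitleaks or BetterLeaks code. A real scanner would use a BPE tokenizer trained on a large corpus (tiktoken, for instance); to run offline this substitutes a tiny constructed vocabulary with greedy longest-match tokenization, which reproduces the effect in miniature: text the vocabulary has "seen" compresses into few tokens, a random secret falls apart into one token per character, while Shannon entropy rates both as similarly "random". The vocabulary, sample lines and the 1.5 chars-per-token threshold are all constructed for this example.

```python
"""Added example: Shannon entropy vs token efficiency for secret detection."""
import math
from collections import Counter

# Constructed stand-in for a BPE vocabulary (real ones have ~100k entries).
VOCAB = {
    "the", " the", " quick", " brown", " fox", " jumps", " over", " lazy", " dog",
    "config", "_", "value", "api", "key", "secret", "password", "=", " ",
}
MAX_TOKEN_LEN = max(len(t) for t in VOCAB)

# Constructed sample: 32 hex chars standing in for a real API key.
SAMPLE_SECRET = "4f9c2a7e1b3d8065e2c7a1f94b6d3e80"


def shannon_entropy(s: str) -> float:
    """Bits per character.  English prose and hex secrets both land near 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tokenize(s: str) -> list[str]:
    """Greedy longest-match against VOCAB; unmatched characters are single tokens."""
    tokens, i = [], 0
    while i < len(s):
        for length in range(min(MAX_TOKEN_LEN, len(s) - i), 0, -1):
            if s[i:i + length] in VOCAB:
                tokens.append(s[i:i + length])
                i += length
                break
        else:
            tokens.append(s[i])
            i += 1
    return tokens


def chars_per_token(s: str) -> float:
    """Token efficiency: high for familiar text, about 1.0 for random strings."""
    return len(s) / len(tokenize(s)) if s else 0.0


def looks_like_secret(candidate: str, max_cpt: float = 1.5, min_len: int = 16) -> bool:
    """Flag long strings the tokenizer cannot compress."""
    return len(candidate) >= min_len and chars_per_token(candidate) <= max_cpt


def scan_line(line: str) -> list[str]:
    """Return assignment values on one line that score as secrets."""
    hits = []
    for part in line.split():
        if "=" in part:
            value = part.split("=", 1)[1].strip("\"'")
            if looks_like_secret(value):
                hits.append(value)
    return hits


if __name__ == "__main__":
    prose = "the quick brown fox jumps over the lazy dog"
    for text in (prose, SAMPLE_SECRET, "secret_password_key"):
        print(f"{text[:32]:34} entropy={shannon_entropy(text):.2f} "
              f"chars/token={chars_per_token(text):.2f}")
    # Constructed config lines: one real-looking key, one identifier-like value.
    for line in (f"api_key={SAMPLE_SECRET}", "config_value=secret_password_key"):
        print(line, "->", scan_line(line))
```

Entropy alone cannot separate the pangram from the key (both exceed 3.5 bits per character), whereas chars-per-token differs by a factor of four. Identifier-like values such as secret_password_key, a classic false positive for entropy plus regex, compress well and are not flagged.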
|
|
CStrike v2 (GitHub Repo)
CStrike v2 is an autonomous offensive security platform built on a containerized Docker stack with a real-time web dashboard and AI-driven scan orchestration across 35+ integrated tools.
|
JetStream Security (Product Launch)
JetStream provides an AI governance platform that builds dynamic "AI Blueprints" to map AI agents, models, data, tools, and identities, giving enterprises real-time visibility, risk control, and cost tracking for production AI deployments.
|
TrustTunnel (GitHub Repo)
TrustTunnel is an open-source VPN protocol originally developed by AdGuard VPN that delivers fast, secure, and reliable VPN connections that are indistinguishable from regular HTTPS traffic.
|
|
Avira: Deserialize, Delete, and Escalate - The Proper Way to Use an AV (13 minute read)
Quarkslab disclosed three vulnerabilities in Avira Internet Security (versions 1.1.109.1990 and below, fixed in 1.1.114.3113): CVE-2026-27748, a symlink-following arbitrary file delete in the Software Updater running as SYSTEM; CVE-2026-27749, an unfiltered .NET BinaryFormatter deserialization in System Speedup's RealTimeOptimizer that reads an attacker-controlled file from the user-writable ProgramData directory; and CVE-2026-27750, a TOCTOU folder delete in the Optimizer that enables the Config.msi junction trick for a SYSTEM shell. The file delete primitive chains into the deserialization bug when temp_rto.dat already exists and can't be overwritten, while the TOCTOU path plants HID.DLL via MSI rollback. The writeup also documents a contentious disclosure process in which Gen Digital refused to accept vulnerability reports outside its NDA-bound bug bounty platform.
|
China's Silver Dragon Razes Governments in EU, SE Asia (4 minute read)
Chinese threat actor Silver Dragon, linked to APT41, has targeted government networks in Southeast Asia and Europe since mid-2024, using phishing and exploits against Internet-facing servers to conduct espionage. It relies on Cobalt Strike, DNS tunneling, and other methods, so security teams should harden public-facing services and monitor for DNS tunneling and other suspicious activity.
|
Chat at your own risk! Data brokers are selling deeply personal bot transcripts (2 minute read)
Browser extensions posing as free VPNs or ad blockers are intercepting AI chats and feeding verbatim prompts and responses into commercial datasets, exposing names, health data, immigration issues, legal problems, and corporate secrets. Data brokers resell these searchable transcripts, undermining anonymization claims and creating major risks around re-identification, patient privacy violations, abuse disclosures, and sensitive corporate leakage.