How Storm-2949 turned a compromised identity into a cloud-wide breach

In this article 1. Attack chain overview 1. Cloud compromise: Microsoft Entra ID and Microsoft 365 2. Initial access and persistence through targeted social engineering and SSPR abuse 3. Directory discovery and persistence 4. Microsoft 365 discovery and exfiltration 5. Cloud compromise: Microsoft...

Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities

Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. Successful exploitation of CVE-2026-20182 allows an unauthenticated,...

Active attack: Dirty Frag Linux vulnerability expands post-compromise risk

In this article 1. Why Dirty Frag matters 2. Technical overview 3. Exploitation scenarios 4. Mitigation guidance 5. Post-mitigation integrity verification 6. References A newly disclosed Linux local privilege escalation vulnerability known as “Dirty Frag” enables escalation from an unprivileged...

Active attack: Dirty Frag Linux vulnerability expands post-compromise risk

In this article 1. Why Dirty Frag matters 2. Technical overview 3. Exploitation scenarios 4. Mitigation guidance 5. Post-mitigation integrity verification 6. References A newly disclosed Linux local privilege escalation vulnerability known as “Dirty Frag” enables escalation from an unprivileged...

CVE-2026-33727

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct...

CVE-2026-33727 Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct...

CVE-2026-33727

Pi-hole 6.4 contains a local privilege escalation: attacker-controlled content in /etc/pihole/versions can be sourced by root-run Pi-hole scripts, enabling root code execution from the pihole user (nologin but not preventing code execution). The issue arises in a post-compromise scenario and is f...

Threat actor abuse of AI accelerates from tool to cyberattack surface

For the last year, one word has represented the conversation living at the intersection of AI and cybersecurity: speed. Speed matters, but it’s not the most important shift we are observing across the threat landscape today. Now, threat actors from nation states to cybercrime groups are embedding...

Threat actor abuse of AI accelerates from tool to cyberattack surface

For the last year, one word has represented the conversation living at the intersection of AI and cybersecurity: speed. Speed matters, but it’s not the most important shift we are observing across the threat landscape today. Now, threat actors from nation states to cybercrime groups are embedding...

Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments

In this article 1. Cookie-controlled execution behavior 2. Observed variants of cookie-controlled PHP web shells 3. Mitigation and protection guidance 4. Microsoft Defender XDR detections 5. Microsoft Security Copilot prompts 6. Microsoft Defender XDR threat analytics 7. MITRE ATT&CK™ Techniques...

Tracking TeamPCP: Investigating Post-Compromise Attacks Seen in the Wild

How TeamPCP are leveraging stolen secrets from the recent supply chain attacks to compromise cloud environments...

AI as tradecraft: How threat actors operationalize AI

In this article 1. AI as an enabler for cyberattacks 2. Post-compromise misuse of AI 3. Emerging trends 4. Mitigation guidance for AI-enabled threats 5. Microsoft Defender detections Threat actors are operationalizing AI along the cyberattack lifecycle to accelerate tradecraft, abusing both...

Cisco SD-WAN Zero-Day CVE-2026-20127 Exploited Since 2023 for Admin Access

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller formerly vSmart and Catalyst SD-WAN Manager formerly vManage has come under active exploitation in the wild as part of malicious activity that dates back to 2023. The vulnerability, tracked as CVE-2026-20127 CVSS...

CVE-2026-27794

A flaw was found in LangGraph Checkpoint. This vulnerability allows a remote attacker with write access to the cache backend to achieve remote code execution. This occurs when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. If msgpack...

CVE-2026-27794

LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to...

Drawing the LINE: Cryptographic Analysis and Security Improvements for the LINE E2EE Protocol

LINE has emerged as one of the most popular communication platforms in many East Asian countries, including Thailand and Japan, with millions of active users. Therefore, it is essential to understand its security guarantees. In this work, we present the first provable security analysis of the LIN...

GHSA-8X3W-QJ7J-GQHF openmls has improper tag validation

Membership and confirmation tags may not be checked correctly due to a missing length check. Any tag that is shorter than the expected tag, but matches up to its length, as well as any empty tag is considered valid. Impact The vulnerability affects a secondary authentication guarantee that MLS...

openmls has improper tag validation

Membership and confirmation tags may not be checked correctly due to a missing length check. Any tag that is shorter than the expected tag, but matches up to its length, as well as any empty tag is considered valid. Impact The vulnerability affects a secondary authentication guarantee that MLS...

📄 MiniCMS 1.11 Exploitation Toolkit

This toolkit focuses on validating and demonstrating the impact of a known and documented design flaw in MiniCMS 1.11 related to its build process CVE-2018-1000638. MiniCMS relies on an insecure build.php script that blindly packages filesystem contents into install.php without enforcing integrit...

Notepad++ 8.9 Persistence Module

This Metasploit post-exploitation module abuses a legitimate Notepad++ feature by modifying the shortcuts.xml configuration file to register a custom external tool. The added tool appears in the Notepad++ Run menu and executes a user-defined command when manually selected by the user. This...