top of page
ALL POSTS
BitLocker Bypass via GreatXML: Public PoC Exploit Disclosed
Key Findings GreatXML BitLocker bypass exploit publicly disclosed, allowing local attackers full access to encrypted drives Exploit manipulates Windows Defender Offline Scan feature to grant unrestricted administrative shell Attack requires physical access and specific conditions: prior Defender offline scan or ability to boot into WinRE Researcher Nightmare Eclipse claims accidental discovery taking only 4 hours Ongoing dispute between researcher and Microsoft over vulnerabi
Jun 113 min read
Microsoft Releases YellowKey BitLocker Bypass Mitigation Without Patch Available
Key Findings Microsoft released mitigations for YellowKey BitLocker bypass vulnerability but no patch yet CVE-2026-45585 affects Windows 11 versions 24H2, 25H2, 26H1 and Windows Server 2025 on x64 systems Exploit requires physical access to machine and specially crafted FsTx files Mitigation involves disabling autofstx.exe in WinRE and switching to TPM+PIN authentication Chaotic Eclipse publicly released working exploit code, violating coordinated disclosure practices Backgro
May 202 min read
Ivanti EPMM CVE-2026-6973 RCE Actively Exploited to Grant Admin-Level Access
Key Findings Ivanti Endpoint Manager Mobile (EPMM) vulnerability CVE-2026-6973 is under active exploitation in limited attacks, requiring administrative authentication for RCE Five additional vulnerabilities patched in EPMM range from CVSS 7.0 to 8.9, with multiple allowing unauthenticated access and privilege escalation CISA added CVE-2026-6973 to Known Exploited Vulnerabilities catalog, mandating Federal agencies patch by May 10, 2026 Palo Alto Networks PAN-OS critical buff
May 73 min read
CISA Adds Actively Exploited Linux Root Access Vulnerability to Known Exploited Vulnerabilities Catalog
Key Findings CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild The Linux kernel flaw allows unprivileged local users to gain root-level access through a 732-byte Python exploit Nine-year-old vulnerability resulted from three separate kernel changes made in 2011, 2015, and 2017 that individually seemed harmless Patches available in Linux kernel versions 6.18.22, 6.19.12, and 7.0 Federal agencies must apply fixe
May 32 min read
CVE-2026-42208: LiteLLM SQL Injection Vulnerability Exploited Within 36 Hours of Public Disclosure
Key Findings Critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM Python package exploited within 36 hours of public disclosure Affects versions 1.81.16 through 1.83.6; patched in version 1.83.7 released April 19, 2026 First exploitation attempt recorded April 26 at 16:17 UTC from IP 65.111.27.132 Threat actor demonstrated precise knowledge of LiteLLM database schema, targeting high-value credential tables No confirmed data theft or credential
Apr 293 min read
Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild
Key Findings Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025 Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads The vulnerability allows execution
Apr 92 min read
Apple Expands iOS 18 Updates Across Multiple Devices to Block Critical DarkSword Exploit
Key Findings Apple expanded iOS 18.7.7 availability on April 1, 2026 to protect users from the DarkSword exploit kit, which targets iOS versions 18.4 through 18.7 The update now covers iPhone XR through iPhone 16e and multiple iPad models, allowing users to patch vulnerabilities without upgrading to iOS 26 DarkSword spreads through watering hole attacks on compromised legitimate websites and can deploy backdoors and data miners for persistent access Approximately 20% of users
Apr 23 min read
TA446's DarkSword iOS Exploit Kit: Inside a Targeted Spear-Phishing Campaign
Key Findings Russian state-sponsored threat group TA446 (also known as Callisto, COLDRIVER, Star Blizzard) deployed the DarkSword iOS exploit kit in targeted spear-phishing campaign on March 26, 2026 Campaign used fake Atlantic Council "discussion invitation" emails to deliver GHOSTBLADE dataminer malware to iOS devices High-profile target included Leonid Volkov, Russian opposition politician and Anti-Corruption Foundation political director First observed use of DarkSword by
Mar 283 min read
Pixel 9's Zero-Click Exploit Chain: Breaching the Kernel
Key Findings Researchers from Google Project Zero have discovered a comprehensive "zero-click" exploit chain targeting the Google Pixel 9 smartphone. The exploit chain spans from remote code execution during media decoding to the ultimate compromise of the kernel. The vulnerabilities were patched in the security updates released on January 5, 2026. Background The pivotal shift in recent years lies in the propensity of "intelligent" smartphone features to preemptively analyze
Jan 192 min read
MongoBleed Exploit Allows Unauthenticated Attackers to Drain MongoDB Memory - PoC Released
Key Findings A critical vulnerability, tracked as CVE-2025-14847, has been discovered in MongoDB, a popular open-source database system. The flaw, dubbed "MongoBleed," allows remote, unauthenticated attackers to read sensitive contents from the server's memory (heap), potentially exposing internal states and pointers. The vulnerability lies in how MongoDB handles Zlib compressed protocol headers, where the server blindly trusts the length claimed by a client, even when it doe
Dec 29, 20252 min read
Unpatched GitLab Zero-Day Exploited Across 1,000+ Instances Amid Active Attacks
Key Findings: A high-severity unpatched security vulnerability in Gogs (CVE-2025-8110) with a CVSS score of 8.7 is under active exploitation, affecting over 700 compromised instances accessible online. The vulnerability allows for file overwrite in the file update API, enabling an attacker to achieve arbitrary code execution through a four-step process. The malware deployed in the attacks is a payload based on Supershell, an open-source command-and-control (C2) framework ofte
Dec 11, 20252 min read
Critical 7-Zip Vulnerability With Public Exploit Requires Immediate Update
Key Findings A critical vulnerability, tracked as CVE-2025-11001, has been discovered in the popular file-compression tool 7-Zip. The flaw, which is a Directory Traversal Remote Code Execution (RCE) vulnerability, has a public exploit available. The vulnerability poses a high-risk warning from the UK's NHS England Digital, though active exploitation has not been observed yet. The issue was discovered by researchers at GMO Flatt Security Inc. and revealed by Trend Micro's Zero
Nov 24, 20252 min read
Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
Key Findings A recently disclosed security vulnerability in 7-Zip, CVE-2025-11001 (CVSS score: 7.0), is being actively exploited in the wild. The vulnerability allows remote attackers to execute arbitrary code by exploiting improper handling of symbolic links in ZIP files. Proof-of-concept (PoC) exploits for the flaw have been publicly released, making it essential for 7-Zip users to update to the patched version 25.00 as soon as possible. The vulnerability can only be exploi
Nov 20, 20252 min read
Fortinet FortiWeb Flaw Exploited in Attacks to Create Admin Accounts
Key Findings A critical vulnerability in Fortinet's FortiWeb Web Application Firewall (WAF) product allows unauthenticated attackers to gain administrative-level access. The flaw has been observed actively exploited in the wild since October 2025. A public Proof-of-Concept (PoC) exploit exists, raising the likelihood of widespread exploitation. Organizations using vulnerable versions of FortiWeb are advised to take emergency remediation steps. Background On October 6, 2025, c
Nov 14, 20252 min read
Malicious DNG Images Exploited Samsung Zero-Day to Deliver LANDFALL Spyware
Key Findings Researchers discovered a previously unknown Android spyware family dubbed LANDFALL, which leveraged a zero-day vulnerability (CVE-2025-21042) in Samsung's image processing library to compromise Galaxy devices. The campaign, active since mid-2024, appears to have targeted users in the Middle East, with the spyware embedded inside malicious DNG image files sent through WhatsApp. The exploit relies on malformed DNG (Digital Negative) image files, exploiting a flaw i
Nov 9, 20252 min read
bottom of page
