Morning brief
3 Review Now items require attention, led by: 'Nuclei template: CVE-2026-50751.yaml'. 1 Hunt Today item offers detection opportunities. Top: 'A weakness in the certificate validation logic of the deprecated IKEv1 key ex...'. 4 Patch Priority items have PoC/high-EPSS/edge pressure. 82 Monitor items are notable but not urgent. 496 background items are low-signal. 5 items have uncorroborated exploitation claims — treat as Patch Priority or Monitor only.
3 review now
1 hunt today
4 patch priority
82 monitor
496 background
What changed (4)
New item: 'AutoJack: How a single page can RCE the host running your AI agent' in Monitor
New item: 'Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone' in Monitor
New item: 'Gentlemen ransomware uses multiple EDR killers to disable defenses' in Monitor
New item: 'CISA warns Fortinet users to secure devices after FortiBleed leak' in Monitor
Review Now
CISA KEV + authority-confirmed active exploitation
3
CVE-2026-50751
Review Now
ACTION
KEV
score100
Nuclei template: CVE-2026-50751.yaml
CISA KEV listing — exploitation confirmed by authority
Check Point Security Gateway contains an improper authentication vulnerability in IKEv1 key exchange that could allow an unauthenticated remote attacker to bypass user …
- Apply Check Point Security Gateway hotfix for CVE-2026-50751 immediately (Check Point reference SK#xxxxx).
- Disable IKEv1 VPN authentication methods and enforce IKEv2-only VPN configurations.
- Implement network-based intrusion prevention rules to detect and block IKEv1 authentication bypass attempts.
MDE exposure: devices with CVE-2026-50751
MDE edge/service exploitation telemetry triage
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
https://nvd.nist.gov/vuln/detail/CVE-2026-50751
https://www.cisa.gov/known-exploited-vulnerabilities-ca …
VulnCheck exploit reference
CVE-2023-44487
Review Now
ACTION
KEV
score100
Exploit-DB: HTTP/2 2.0 - Denial Of Service (DOS)
CISA KEV listing — exploitation confirmed by authority
HTTP/2 contains a rapid reset vulnerability that allows for a distributed denial-of-service attack (DDoS).
- Apply patches for HTTP/2 implementations: nginx (1.25.3+, 1.24.0+), Apache HTTP Server (2.4.58+), and other load balancers/appliances (F5, HAProxy).
- Configure web server rate limits per connection and per IP (e.g., nginx `limit_req_zone`, `limit_conn_zone`).
MDE exposure: devices with CVE-2023-44487
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
https://www.cisa.gov/known-exploited-vulnerabilities-ca …
Exploit-DB: HTTP/2 2.0 - Denial Of Service (DOS)
CVE-2026-7473
Review Now
ACTION
KEV
score70
Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
CISA KEV listing — exploitation confirmed by authority
Arista Extensible Operating System (EOS) contains an incomplete comparison with missing factors vulnerability when the switch incorrectly decapsulates and forwards other unexpected …
- Upgrade Arista EOS to a fixed version; apply patch for tunnel decapsulation vulnerability.
- Configure ACLs to block unexpected tunneled packets on interfaces where decapsulation is configured.
MDE exposure: devices with CVE-2026-7473
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
https://nvd.nist.gov/vuln/detail/CVE-2026-7473
https://www.cisa.gov/known-exploited-vulnerabilities-ca …
Hunt Today
Detection-rich items with identity / OT / edge context
1
CVE-2026-50752
Hunt Today
score38
A weakness in the certificate validation logic of the deprecated IKEv1 key ex...
Detection-rich item with identity/OT/edge context (score=38)
A weakness in the certificate validation logic of the deprecated IKEv1 key exchange may allow an unauthenticated attacker positioned as a man-in-the-middle to bypass certificate …
- Disable IKEv1 certificate-based authentication on all Check Point gateways.
- Migrate site-to-site VPN connections to IKEv2 with strong certificate validation.
- Monitor VPN logs for IKEv1 certificate validation failures or unusual connection patterns.
MDE exposure: devices with CVE-2026-50752
MDE edge/service exploitation telemetry triage
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
Patch Priority
Public PoC or high EPSS — patch before weaponisation
4
CVE-2026-10580
Patch Priority
ACTION
score73
Nuclei template: CVE-2026-10580.yaml
Public PoC available; patch pressure (EPSS=0.018, CVSS=9.8)
The Hippoo Mobile App for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to and including …
- Immediately remove or disable Hippoo Mobile App for WooCommerce plugin (versions ≤1.9.4).
- Block access to /wc-hippoo/v1/ext/* paths at web application firewall level.
- Reset all WordPress user passwords and audit administrator account activity.
MDE exposure: devices with CVE-2026-10580
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-25555
Patch Priority
ACTION
score68
Nuclei template: CVE-2026-25555.yaml
Public PoC available; patch pressure (CVSS=9.8)
OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin …
- Upgrade OpenBullet2 to version >0.3.2 or apply patch for API key validation.
- Configure web server to reject requests with empty X-Api-Key headers.
MDE exposure: devices with CVE-2026-25555
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2022-42889
Patch Priority
ACTION
score65
Metasploit module: Apache Commons Text RCE
Public PoC available; patch pressure (CVSS=9.8)
A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache …
- Update Apache Commons Text to version 1.10.0 or later in all Java applications.
- Scan for vulnerable versions using dependency checkers (OWASP Dependency-Check, Snyk) with pattern `org.apache.commons:commons-text` <=1.9.
MDE exposure: devices with CVE-2022-42889
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
https://nvd.nist.gov/vuln/detail/CVE-2022-42889
Exploit-DB: Apache Commons Text 1.10.0 - Remote Code …
Metasploit module: Apache Commons Text RCE
Patch Priority
score50
ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More …
Public PoC available; patch pressure (CVSS=0.0)
The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware …
- Block known malicious npm packages associated with NastyC2 (e.g., via SCA tools like Snyk or GitHub Advanced Security, using deny lists for packages like 'node-hide-console-windows', 'temporary-secure-shell', 'windows-network-driver').
- Implement web proxy filtering to block access to known malicious domains used in Claude chat abuse lures and C2 infrastructure.
MDE edge/service exploitation telemetry triage
Sentinel cloud app suspicious activity
MDO email delivery and threat hunt
MDO URL click/safe links hunt
Monitor
Notable but not urgent — watch for escalation
82
Monitor
changed
score65
AutoJack: How a single page can RCE the host running your AI agent
Notable but not urgent; score=65
In this article: Why we are looking at agent frameworks; What is AutoGen Studio; The AutoJack chain at a glance; Anatomy of the chain; Issue 1: Origin allowlist that the agent itself …
- If using AutoGen Studio, immediately update to the latest patched version and verify the fix for CVE-2024-XXXXX (specific CVE not provided in intel).
- Block external network access to the AutoGen Studio web interface via firewall rules (e.g., restrict to localhost or specific admin IPs).
- Review and harden the Model Context Protocol (MCP) server configuration: disable or strictly authenticate any MCP servers that accept `server_params` from untrusted sources.
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-45779
Monitor
score60
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An S...
Notable but not urgent; score=60, CVSS=9.8
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated …
- Exploitation claims are uncorroborated — verify exposure and apply vendor patches per severity.
- Upgrade OpenXDMoD to version 10.0.3+ immediately.
MDE exposure: devices with CVE-2026-45779
MDE edge/service exploitation telemetry triage
CVE-2026-9290
Monitor
score55
Nuclei template: CVE-2026-9290.yaml
Notable but not urgent; score=55, CVSS=7.5
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile …
- Update WP User Manager plugin to version >2.9.17.
- Configure web server to block .php file inclusion from user-uploaded directories via .htaccess or nginx rules.
MDE exposure: devices with CVE-2026-9290
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-11420
Monitor
score55
Two path traversal vulnerabilities in the Network Installation Service (NIS) ...
Notable but not urgent; score=55, CVSS=9.8
Two path traversal vulnerabilities in the Network Installation Service (NIS) of Altium Enterprise Server allow an unauthenticated network attacker to write arbitrary files to any …
- Apply Altium Enterprise Server patch for path traversal vulnerabilities.
- Disable Network Installation Service (NIS) if not required.
MDE exposure: devices with CVE-2026-11420
Sentinel cloud app suspicious activity
MDO email delivery and threat hunt
MDO URL click/safe links hunt
Monitor
changed
score50
Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone
Notable but not urgent; score=50
Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users. The vulnerability, …
- Update firmware for Beats Studio Buds (1st gen) and Beats Studio Buds+ to address CVE-2025-20701 via the Beats app for Android or iOS.
- Implement Bluetooth device allowlisting on corporate-managed mobile devices to prevent unauthorized pairing.
Monitor
score50
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
Notable but not urgent; score=50
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account …
- Block traffic to/from NetNut ASN (AS60068) and associated IP ranges at network perimeter.
- Deploy DNS filtering to block domains associated with Popa botnet C2 and ad fraud (e.g., sinkhole known domains like 'popa[.]netnut[.]co').
Monitor
score50
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
Notable but not urgent; score=50
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems. The …
- Immediately patch NGINX Open Source to versions addressing CVE-2026-42530 (CVSS 9.2) and associated vulnerabilities.
- If immediate patching is not possible, consider disabling HTTP/3 module (ngx_http_v3_module) in NGINX configuration if not required.
MDE edge/service exploitation telemetry triage
Sentinel cloud app suspicious activity
MDE endpoint behaviour hunt
MDE file artefact hunt
CVE-2024-58349
Monitor
score50
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerabi...
Notable but not urgent; score=50, CVSS=9.8
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient …
- Remove Travelscape WordPress theme version 1.0.3 immediately.
- Configure web server to prevent execution of uploaded files in theme directories.
MDE exposure: devices with CVE-2024-58349
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2024-58348
Monitor
score50
WordPress Background Image Cropper version 1.2 contains a remote code executi...
Notable but not urgent; score=50, CVSS=9.8
WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the …
- Delete WordPress Background Image Cropper plugin version 1.2.
- Block access to /wp-content/plugins/background-image-cropper/ups.php via WAF or server configuration.
MDE exposure: devices with CVE-2024-58348
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2023-54352
Monitor
score50
WordPress Seotheme contains a remote code execution vulnerability that allows...
Notable but not urgent; score=50, CVSS=9.8
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme …
- Remove Seotheme WordPress theme immediately.
- Delete /wp-content/themes/seotheme/mar.php if present.
MDE exposure: devices with CVE-2023-54352
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score50
From package to postinstall payload: Inside the Mastra npm supply chain compromise
Notable but not urgent; score=50
In this article: Attack chain overview; Discovery and initial indicators; Dependency injection: the poisoned package.json; Typosquat analysis: easy-day-js; Staged delivery …
- Block known malicious npm packages 'easy-day-js' and related typosquats via repository firewall rules (e.g., JFrog Xray, GitHub Advanced Security).
- Implement egress filtering to block TLS connections to known C2 domains and IPs from build pipelines and developer workstations.
CVE-2026-41448
Monitor
score48
AdGuard Home, when started with the --glinet flag, contains an authentication...
Notable but not urgent; score=48, CVSS=9.4
AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a …
- Upgrade AdGuard Home to latest version and remove --glinet flag usage.
- Implement reverse proxy with request validation to sanitize Admin-Token cookie values.
MDE exposure: devices with CVE-2026-41448
CVE-2026-45777
Monitor
score45
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Star...
Notable but not urgent; score=45, CVSS=9.8
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system …
- Exploitation claims are uncorroborated — verify exposure and apply vendor patches per severity.
- Upgrade OpenXDMoD to version 11.0.3+ immediately.
MDE exposure: devices with CVE-2026-45777
MDE edge/service exploitation telemetry triage
CVE-2026-54390
Monitor
score40
JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injecti...
Notable but not urgent; score=40, CVSS=9.8
JTL Shop versions 5.2.0 through 5.7.1 contains a server-side template injection vulnerability that allows unauthenticated attackers to inject malicious template syntax due to …
- Immediately patch JTL Shop to version 5.7.2 or later. If patching is not possible, apply virtual patching via a WAF (e.g., ModSecurity rule 9000000-series for template injection) to block requests containing Smarty template syntax in user-controllable parameters.
- Review and restrict file system permissions for the web server user (e.g., www-data, apache) to prevent writing to the web root. Implement mandatory access controls (e.g., SELinux, AppArmor) to confine the JTL Shop process.
MDE exposure: devices with CVE-2026-54390
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-46442
Monitor
score40
Flowise is a drag & drop user interface to build a customized large language ...
Notable but not urgent; score=40, CVSS=9.9
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, POST /api/v1/node-custom-function lacks route-level authorization, …
- Upgrade Flowise to version 3.1.2+.
- Configure E2B_APIKEY environment variable to enable secure sandboxing.
MDE exposure: devices with CVE-2026-46442
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2023-54350
Monitor
score40
WordPress Augmented-Reality plugin contains a remote code execution vulnerabi...
Notable but not urgent; score=40, CVSS=7.5
WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary …
- Remove WordPress Augmented-Reality plugin immediately.
- Block access to connector.minimal.php endpoints via WAF rules.
MDE exposure: devices with CVE-2023-54350
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-8839
Monitor
score40
Nuclei template: CVE-2026-8839.yaml
Notable but not urgent; score=40, CVSS=5.3
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to …
- Update MapPress Maps plugin to version >2.96.6.
- Implement API gateway or WAF rules to restrict unauthenticated access to /wp-json/mapp/v1/* endpoints.
MDE exposure: devices with CVE-2026-8839
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-11414
Monitor
score40
A hard-coded cryptographic key is used by Altium Enterprise Server to sign fi...
Notable but not urgent; score=40, CVSS=9.8
A hard-coded cryptographic key is used by Altium Enterprise Server to sign file download URLs in the Vault service. Because the key is identical across all installations, an …
- Apply Altium Enterprise Server patch for hard-coded key and path traversal vulnerabilities.
- Regenerate all cryptographic keys used for URL signing.
MDE exposure: devices with CVE-2026-11414
Sentinel cloud app suspicious activity
MDO email delivery and threat hunt
MDO URL click/safe links hunt
CVE-2026-50230
Monitor
score40
Nuclei template: CVE-2026-50230.yaml
Notable but not urgent; score=40, CVSS=6.1
Lyrion Music Server 9.2.0 contains an unauthenticated reflected cross-site scripting vulnerability in the server.log endpoint that allows attackers to inject arbitrary HTML and …
- Update Lyrion Music Server to version >9.2.0.
- Implement Content-Security-Policy headers to block inline scripts.
MDE exposure: devices with CVE-2026-50230
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score40
Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development
Notable but not urgent; score=40
Microsoft has formally disclosed that it's working to release a patch to address a Defender zero-day codenamed RoguePlanet. The vulnerability has now been assigned the CVE …
- Exploitation claims are uncorroborated — verify exposure and apply vendor patches per severity.
- Apply Microsoft Defender Antivirus platform update 4.18.24010.10 or later when released; verify via PowerShell: `Get-MpComputerStatus | select AntivirusEngineVersion`.
CVE-2026-40175
Monitor
score37
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, k...
Notable but not urgent; score=37, CVSS=9.0
A flaw was found in Axios, a promise-based HTTP client. This vulnerability, known as Prototype Pollution, can be exploited through a specific "Gadget" attack chain. This allows an …
- Update Axios to the patched version once available; monitor GitHub advisory GHSA-xxxx-xxxx-xxxx for the specific fix.
- Scan Node.js applications for Axios usage and implement input validation/sanitization for all objects passed to Axios configuration.
MDE exposure: devices with CVE-2026-40175
Sentinel cloud app suspicious activity
MDE endpoint behaviour hunt
MDE file artefact hunt
CVE-2026-27606
Monitor
score37
A flaw was found in Rollup, a JavaScript module bundler. Insecure file name s...
Notable but not urgent; score=37, CVSS=9.1
A flaw was found in Rollup, a JavaScript module bundler. Insecure file name sanitization in the core engine allows an attacker to control output filenames, potentially through …
- Update Rollup to version 4.20.0 or later; for projects using npm, run `npm update rollup`.
- Run Rollup builds with restricted write permissions using a dedicated low-privilege user account (e.g., `nobody`).
MDE exposure: devices with CVE-2026-27606
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
changed
score35
Gentlemen ransomware uses multiple EDR killers to disable defenses
Notable but not urgent; score=35
The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in …
- Deploy Microsoft Defender ASR rules to block EDR tampering: enable 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' and 'Block process creations originating from PSExec and WMI commands'.
- Implement application allowlisting via AppLocker or WDAC to prevent execution of known EDR killer tools (e.g., Terminator, Backstab, EDRSandblast) in user writable directories.
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score35
INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023
Notable but not urgent; score=35
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming …
- Review vendor advisory, assess exposure in your environment, and apply available patches.
Monitor
score35
DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Notable but not urgent; score=35
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control …
- Review and restrict Microsoft Teams external access settings (Teams admin center > External access) to approved domains only.
- Enable and review Microsoft Defender for Office 365 alerts for suspicious Teams activities and file uploads.
Sentinel cloud app suspicious activity
CVE-2025-71318
Monitor
score35
NetMan 204 fails to enforce authentication on its administrative pages and co...
Notable but not urgent; score=35, CVSS=9.8
NetMan 204 fails to enforce authentication on its administrative pages and command endpoints. A remote, unauthenticated attacker can directly request administrative pages (such as …
- Block external access to NetMan 204 web interface via firewall; allow only local management.
- Disable unused administrative pages (administration.html, configuration.html).
MDE exposure: devices with CVE-2025-71318
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2025-71317
Monitor
score35
NetMan 204 contains a hard-coded backdoor account with the username and passw...
Notable but not urgent; score=35, CVSS=9.8
NetMan 204 contains a hard-coded backdoor account with the username and password 'eurek' that grants administrative access. A remote, unauthenticated attacker can authenticate …
- Change default credentials and disable 'eurek' backdoor account in NetMan 204.
- Require strong authentication for /cgi-bin/login.cgi; implement account lockout.
MDE exposure: devices with CVE-2025-71317
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
changed
score33
CISA warns Fortinet users to secure devices after FortiBleed leak
Notable but not urgent; score=33
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a …
- Immediately change all credentials (admin, VPN, SSL-VPN) on FortiGate devices exposed to the internet.
- Update FortiOS to the latest version and apply patches for CVE-2024-23112, CVE-2024-23113, and other recent CVEs related to credential leakage.
MDE edge/service exploitation telemetry triage
Monitor
score33
FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices.
Notable but not urgent; score=33
A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations …
- Immediately rotate all FortiGate VPN credentials (local user accounts, LDAP bind passwords, SSL-VPN pre-shared keys).
- Update FortiOS to the latest version and apply patches for known vulnerabilities (e.g., CVE-2022-42475, CVE-2023-27997).
MDE edge/service exploitation telemetry triage
CVE-2026-33186
Monitor
score32
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vul...
Notable but not urgent; score=32, CVSS=9.1
A flaw was found in gRPC-Go, the Go language implementation of gRPC. This vulnerability, an authorization bypass, is caused by improper input validation of the HTTP/2 `:path` …
- Update gRPC-Go to the patched version once released; monitor GitHub advisory GHSA-xxxx-xxxx-xxxx.
- Implement network-level validation using a WAF (e.g., ModSecurity) to block HTTP/2 requests with a `:path` pseudo-header missing a leading slash.
MDE exposure: devices with CVE-2026-33186
CVE-2026-33211
Monitor
score30
A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines gi...
Notable but not urgent; score=30, CVSS=9.6
A flaw was found in Tekton Pipelines, specifically in the Tekton Pipelines git resolver. A tenant with permissions to create ResolutionRequests can exploit a path traversal …
- Update Tekton Pipelines to version >=0.45.1 and enable `enable-api-fields: stable` in config-feature-flags.
- Restrict ResolutionRequest permissions via Kubernetes RBAC: `kubectl create clusterrole restricted-resolver --verb=create --resource=resolutionrequests.tekton.dev`.
MDE exposure: devices with CVE-2026-33211
CVE-2026-45748
Monitor
score30
Termix is a web-based server management platform with SSH terminal, tunneling...
Notable but not urgent; score=30, CVSS=9.8
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version …
- Upgrade Termix to version 2.3.2+.
- Implement input validation for SSH connection parameters (endpointIP, username) using allowlists.
MDE exposure: devices with CVE-2026-45748
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-45744
Monitor
score30
Termix is a web-based server management platform with SSH terminal, tunneling...
Notable but not urgent; score=30, CVSS=9.9
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath …
- Upgrade Termix to version 2.3.2+.
- Implement command execution via parameterized APIs instead of shell command construction.
MDE exposure: devices with CVE-2026-45744
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
New Forrester study shows customers who unified with Microsoft Security benefited from 124% …
Notable but not urgent; score=25
Across many industries, organizations are unifying security and putting AI agents to work. Security teams are utilizing agents that reason, decide, and act on their behalf, under …
- Review vendor advisory and apply available patches.
Sentinel cloud app suspicious activity
Monitor
score25
Nintendo confirms data stolen in WebMD subsidiary cyberattack
Notable but not urgent; score=25
Nintendo of America has confirmed to BleepingComputer that threat actors stole survey data from the third-party TinyPulse service used internally, but its systems were not …
- Identify and inventory all third-party services (like TinyPulse) used for internal surveys, HR, or collaboration. Review their data handling policies and ensure they comply with organizational data protection standards (e.g., ISO 27001, SOC 2).
- Implement data loss prevention (DLP) rules in email and cloud storage (e.g., Microsoft Purview, Symantec DLP) to monitor for exfiltration of internal survey data containing employee PII or sensitive corporate information.
Monitor
score25
Close Encounters of the Human Kind
Notable but not urgent; score=25
Welcome to this week’s Threat Source newsletter. I love a Spielberg summer. His ability to imbue a sense of wonder, awe, curiosity, and connection …
- Review vendor advisory and apply available patches.
Monitor
score25
USB worm spreads crypto-stealing malware via Windows shortcut files
Notable but not urgent; score=25
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal …
- Enable Windows Group Policy: 'Computer Configuration > Administrative Templates > System > Removable Storage Access' to block autorun for removable drives.
- Deploy endpoint detection rules to flag LNK files executing from removable drives with suspicious commands (e.g., powershell, cmd /c).
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
Orphaned AI Agents: How to Find Hidden Access Risks Inside Your Network
Notable but not urgent; score=25
If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it? For most enterprises, …
- Audit AI agent platforms (e.g., AutoGPT, LangChain) for orphaned service accounts and standing API keys; rotate/revoke unused credentials.
- Implement just-in-time (JIT) access controls for AI agent permissions instead of standing privileges.
CVE-2026-27962
Monitor
score25
A flaw was found in Authlib, a Python library used for creating secure authen...
Notable but not urgent; score=25, CVSS=9.1
A flaw was found in Authlib, a Python library used for creating secure authentication and authorization systems. This vulnerability, known as JWK (JSON Web Key) Header Injection, …
- Update Authlib to version >=1.3.0 and enforce JWS key whitelisting: `jwt.decode(token, key, algorithms=['RS256'], options={'require': ['exp', 'iat']})`.
- Configure OAuth providers to reject JWK header injection via `jwks_uri` validation and disable `jwk` header parameter acceptance.
MDE exposure: devices with CVE-2026-27962
CVE-2026-41607
Monitor
score25
A flaw was found in Apache Thrift. This out-of-bounds read vulnerability can ...
Notable but not urgent; score=25, CVSS=9.1
A flaw was found in Apache Thrift. This out-of-bounds read vulnerability can lead to the disclosure of sensitive information or a denial of service.
- Update Apache Thrift to patched version (>=0.20.0) and rebuild dependent services.
- Enable memory-safe compilation flags: `-fsanitize=address -fstack-protector-all` for Thrift-based applications.
MDE exposure: devices with CVE-2026-41607
CVE-2026-39910
Monitor
score25
STACKIT IaaS API contains a missing authorization check vulnerability that al...
Notable but not urgent; score=25, CVSS=9.8
STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by …
- Apply STACKIT IaaS API authorization patch for service account attachment validation.
- Implement service account permission auditing and review VM-service account attachments.
MDE exposure: devices with CVE-2026-39910
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
MDE endpoint behaviour hunt
CVE-2026-46441
Monitor
score25
Flowise is a drag & drop user interface to build a customized large language ...
Notable but not urgent; score=25, CVSS=9.6
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the assistant update …
- Prioritize patching — CVSS 9.6 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-46441
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-46440
Monitor
score25
Flowise is a drag & drop user interface to build a customized large language ...
Notable but not urgent; score=25, CVSS=9.1
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, the checkBasicAuth endpoint validates credentials in plaintext …
- Prioritize patching — CVSS 9.1 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-46440
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-44631
Monitor
score25
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expr...
Notable but not urgent; score=25, CVSS=9.8
Buffer Underwrite vulnerability in Apache HTTP Server on crafted regular expressions in the configuration.
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users …
- Prioritize patching — CVSS 9.8 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-44631
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-42861
Monitor
score25
Flowise is a drag & drop user interface to build a customized large language ...
Notable but not urgent; score=25, CVSS=9.6
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.1.2, a mass assignment vulnerability exists in the variable update …
- Prioritize patching — CVSS 9.6 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-42861
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-42535
Monitor
score25
A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a Web...
Notable but not urgent; score=25, CVSS=9.1
A path handling issue in mod_dav_fs in Apache 2.4.67 and earlier allows a WebDAV content author to directly manipulate trusted DAV property databases, potentially causing child …
- Prioritize patching — CVSS 9.1 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-42535
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-29167
Monitor
score25
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-direc...
Notable but not urgent; score=25, CVSS=9.8
Use After Free vulnerability in Apache HTTP Server with mod_ldap in per-directory configuration
This issue affects Apache HTTP Server: from 2.4.0 through 2.4.67.
Users are …
- Prioritize patching — CVSS 9.8 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-29167
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-11499
Monitor
score25
A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. Th...
Notable but not urgent; score=25, CVSS=9.8
A vulnerability was determined in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Executing a manipulation of …
- Prioritize patching — CVSS 9.8 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-11499
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
CVE-2026-45778
Monitor
score25
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prio...
Notable but not urgent; score=25, CVSS=5.4
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD …
- Exploitation claims are uncorroborated — verify exposure and apply vendor patches per severity.
MDE exposure: devices with CVE-2026-45778
MDE edge/service exploitation telemetry triage
MDO email delivery and threat hunt
MDO URL click/safe links hunt
CVE-2026-45776
Monitor
score25
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prio...
Notable but not urgent; score=25, CVSS=4.3
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted …
- Exploitation claims are uncorroborated — verify exposure and apply vendor patches per severity.
MDE exposure: devices with CVE-2026-45776
MDE edge/service exploitation telemetry triage
CVE-2026-45758
Monitor
score25
Guardrails AI is a Python framework that helps build AI applications. On May ...
Notable but not urgent; score=25, CVSS=9.6
Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` …
- Prioritize patching — CVSS 9.6 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-45758
Sentinel cloud app suspicious activity
MDE endpoint behaviour hunt
MDE file artefact hunt
CVE-2026-25622
Monitor
score25
A Captive Portal Custom Handler command injection vulnerability exists in Ari...
Notable but not urgent; score=25, CVSS=6.0
A Captive Portal Custom Handler command injection vulnerability exists in Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). On affected platforms, an …
- Check vendor advisory for affected firmware versions; update edge devices promptly.
MDE exposure: devices with CVE-2026-25622
MDE edge/service exploitation telemetry triage
MDE endpoint behaviour hunt
MDE file artefact hunt
CVE-2026-25620
Monitor
score25
An encrypted password command injection vulnerability exists in the Captive P...
Notable but not urgent; score=25, CVSS=6.0
An encrypted password command injection vulnerability exists in the Captive Portal application framework of Arista Edge Threat Management - Arista Next Generation Firewall (NGFW). …
- Check vendor advisory for affected firmware versions; update edge devices promptly.
MDE exposure: devices with CVE-2026-25620
MDE edge/service exploitation telemetry triage
CVE-2026-46389
Monitor
score25
UDS Identity Config builds the Keycloak configuration image (realm, plugins, ...
Notable but not urgent; score=25, CVSS=10.0
UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, …
- Prioritize patching — CVSS 10.0 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-46389
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
MDE endpoint behaviour hunt
CVE-2026-45750
Monitor
score25
Termix is a web-based server management platform with SSH terminal, tunneling...
Notable but not urgent; score=25, CVSS=9.0
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath …
- Prioritize patching — CVSS 9.0 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-45750
MDO email delivery and threat hunt
MDO URL click/safe links hunt
MDE endpoint behaviour hunt
CVE-2026-45746
Monitor
score25
Termix is a web-based server management platform with SSH terminal, tunneling...
Notable but not urgent; score=25, CVSS=9.0
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix …
- Prioritize patching — CVSS 9.0 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-45746
MDO email delivery and threat hunt
MDO URL click/safe links hunt
MDE endpoint behaviour hunt
CVE-2026-36500
Monitor
score25
An issue in the cluster-admin:backup-datastore component of Controller v12.0....
Notable but not urgent; score=25, CVSS=9.1
An issue in the cluster-admin:backup-datastore component of Controller v12.0.5 allows attackers to execute a directory traversal via a crafted request.
- Prioritize patching — CVSS 9.1 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-36500
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
Why Security Teams Need To Start Earlier
Notable but not urgent; score=25
Security leaders are facing an unusual set of circumstances. The drumbeat for better security prioritization has been rising for years in boardrooms around the world. The desire is …
- Review vendor advisory and apply available patches.
Sentinel cloud app suspicious activity
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
Notable but not urgent; score=25
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign that has targeted users since February 2026. "The clipper in this campaign relies on Windows …
- Block LNK files from executing from USB drives via Group Policy: `Computer Configuration > Administrative Templates > System > Removable Storage Access > Deny execute access`.
- Enable ASR rule 'Block execution of potentially obfuscated scripts' (GUID: 5beb7efe-fd9a-4556-801d-275e5ffc04cc).
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks
Notable but not urgent; score=25
Market intelligence platform Klue suffered an OAuth breach that enabled the "Icarus" threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion …
- Review and revoke unused OAuth applications in Salesforce (Setup > Apps > App Manager).
- Enable Salesforce 'Restrict OAuth Access to IP Ranges' and require MFA for all integrations.
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
Sentinel cloud app suspicious activity
Monitor
score25
The Scripts on Your Checkout Page Are Now a PCI DSS Problem
Notable but not urgent; score=25
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. When a customer types their card number into …
- Implement Content Security Policy (CSP) for checkout pages with `script-src` strict allowlist (e.g., `script-src 'self' https://js.stripe.com`).
- Use subresource integrity (SRI) hashes for all third-party scripts on payment pages.
MDE edge/service exploitation telemetry triage
Monitor
score25
5 reasons Microsoft 365 backup isn’t enough for business data protection
Notable but not urgent; score=25
Microsoft 365 helps keep services running, but protecting and recovering business data remains your responsibility. Acronis breaks down five gaps organizations should consider when …
- Review vendor advisory and apply available patches.
Monitor
score25
Police cleans nearly 15,000 SocGholish-infected sites tied to Evil Corp
Notable but not urgent; score=25
International law enforcement agencies cleaned nearly 15,000 malware-infected WordPress websites and took down more than 100 servers linked to the SocGholish botnet and the Evil …
- Update all WordPress installations, themes, and plugins to latest versions and remove unused plugins/themes.
- Implement a web application firewall (WAF) like Cloudflare or Sucuri specifically configured to block SocGholish JavaScript malware patterns.
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
ShapedPlugin update flow hacked to infect WordPress sites
Notable but not urgent; score=25
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack that distributed infected releases to paying customers via the vendor's official update …
- Immediately remove or disable all ShapedPlugin WordPress plugins (e.g., WP Project Manager, WP ERP, etc.) until verified clean versions are available.
- Scan WordPress file systems for malicious code (e.g., using Wordfence or Sucuri scanner) focusing on wp-content/plugins/shapedplugin directories.
Monitor
score25
Apple fixes Beats Studio Buds flaw that let hackers spy on conversations
Notable but not urgent; score=25
Apple has released security updates to patch a high-severity flaw affecting the Beats Studio Buds wireless earbuds that could allow attackers in Bluetooth range to spy on users' …
- Update Beats Studio Buds firmware to version 10M3593 or later via the Beats app for Android or iOS.
- Disable automatic Bluetooth pairing on corporate devices when in public/untrusted environments.
Monitor
score25
Telegram admits it couldn't police exam-leak channels, India tells court
Notable but not urgent; score=25
India's government has told the Delhi High Court that Telegram was warned about two weeks before it was blocked, and that the platform admitted it could not proactively detect the …
- Block Telegram web and desktop application traffic on corporate networks using URL filtering (category: Instant Messaging).
- Implement data loss prevention (DLP) rules to detect and block uploads of sensitive documents to Telegram web clients.
Monitor
score25
F5 issues out-of-band patches for critical NGINX vulnerabilities
Notable but not urgent; score=25
Cybersecurity company F5 has released out-of-band security updates to address multiple NGINX web server vulnerabilities, including two critical-severity flaws that could allow …
- Immediately update NGINX Open Source to 1.25.4+ or NGINX Plus to R28 P1+ to address CVE-2024-34048 and CVE-2024-34049.
- If using F5 BIG-IP with NGINX, apply patches for CVE-2024-21793 and CVE-2024-21794 as per F5 security advisory K000137689.
MDE edge/service exploitation telemetry triage
Sentinel cloud app suspicious activity
MDE endpoint behaviour hunt
MDE file artefact hunt
Monitor
score25
Microsoft fixes Windows Server 2016 security update failures
Notable but not urgent; score=25
Microsoft has fixed a known issue causing the June 2026 security updates to fail on Windows Server 2016 systems that weren't up to date. [...]
- Apply the latest Windows Server 2016 servicing stack update (SSU) before attempting to install June 2026 security updates.
- Use the Windows Update Troubleshooter or DISM tool to repair the Windows component store if update failures persist.
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM …
Notable but not urgent; score=25
Analysis tools do not need AI built in to support agentic workflows; they simply need to expose their data through an external scripting interface. Even …
- Restrict execution of COM object automation scripts (e.g., via vbdec) to isolated malware analysis sandboxes with no network access.
- Implement application control policies (e.g., Windows Defender Application Control) to block unauthorized scripting engines in production environments.
CVE-2026-9270
Monitor
score25
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
D...
Notable but not urgent; score=25, CVSS=9.1
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted …
- Prioritize patching — CVSS 9.1 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-9270
MDE edge/service exploitation telemetry triage
CVE-2026-11362
Monitor
score25
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections fro...
Notable but not urgent; score=25, CVSS=9.8
DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags.
DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data …
- Prioritize patching — CVSS 9.8 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-11362
MDO email delivery and threat hunt
MDO URL click/safe links hunt
CVE-2026-10879
Monitor
score25
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL s...
Notable but not urgent; score=25, CVSS=9.8
DBI versions before 1.648 for Perl have a heap overflow when preparsing SQL statements with more than 9 binders.
The preparse method expands SQL placeholder characters to numbered …
- Prioritize patching — CVSS 9.8 critical severity; patch or mitigate as soon as possible.
MDE exposure: devices with CVE-2026-10879
Monitor
score25
SANS Stormcast Thursday, June 18th, 2026: QUIC Challenge; Android 17; Oracle CSPU; JetBrains …
Notable but not urgent; score=25
The browser blind spot: Why your security tool may not be blocking what you think it is [Guest Diary] …
- Apply Android 17 security patches to all managed devices via MDM (e.g., Microsoft Intune compliance policy).
- Patch Oracle databases and middleware per Oracle Critical Security Patch Update Advisory - June 2026 (CSPUJun2026).
Monitor
score25
Leak confirms OpenAI is testing a ChatGPT for Science subscription
Notable but not urgent; score=25
OpenAI appears to be testing a new subscription and experience for science use cases, but it's unclear if it'll be available to everyone regardless of their background. [...]
- Monitor for unauthorized use of 'ChatGPT for Science' subscriptions via network traffic to api.openai.com.
- Update acceptable use policy to prohibit unapproved AI tool subscriptions for handling sensitive data.
Monitor
score25
Crypto Clipper uses Tor and worm-like propagation for persistence and control
Notable but not urgent; score=25
Microsoft Threat Intelligence and Microsoft Defender Experts identified a Windows-based …
- Block Tor traffic egress at firewall by denying connections to known Tor relay IPs (list from torproject.org) and port 9050/9150.
- Disable Windows Script Host (WSH) via Group Policy: `Computer Configuration > Administrative Templates > Windows Components > Windows Script Host`.
MDE endpoint behaviour hunt
MDE file artefact hunt
MDE registry persistence and tamper hunt
Monitor
score25
Google to use UK and EU user IP addresses for ad personalization
Notable but not urgent; score=25
From August 3, 2026, Google will use IP addresses from UK, EEA and Switzerland users for ad measurement and personalization. It lands as the ICO weighs new consent rules, and years …
- Configure browsers via Group Policy to disable third-party cookies and IP-based ad personalization.
- Deploy DNS filtering (e.g., Pi-hole) to block Google Ads domains (e.g., doubleclick.net, googleadservices.com).
Monitor
score25
Beyond the benchmark: Advancing security at AI speed
Notable but not urgent; score=25
Article sections: From the lab into the pipeline; This month’s set of discoveries; Beyond the headline: What the engineering work taught us; Where we go next; Defense at AI speed.
- Integrate AI-powered code scanning tools (e.g., GitHub Copilot for Security, Snyk Code) into SDLC.
- Deploy runtime application self-protection (RASP) for AI-generated code in production (e.g., Imperva RASP).
MDO email delivery and threat hunt
MDO URL click/safe links hunt
Monitor
score25
Forrester names Microsoft a Leader in the 2026 Extended Detection and Response Platforms …
Notable but not urgent; score=25
We are excited to share that Microsoft has been named a Leader in The Forrester Wave™: Extended Detection and Response Platforms, Q2 2026. Microsoft ranked the highest of any …
- Enable Microsoft Defender XDR cross-domain correlation for identity, cloud, and endpoint detection.
- Configure Microsoft Sentinel analytics rules for 'Threat hunting' queries provided in Defender portal.
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
Sentinel cloud app suspicious activity
Monitor
score25
Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
Notable but not urgent; score=25
An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point …
- Block phishing domains (e.g., fake WordPress sites) via DNS security (Cisco Umbrella, Zscaler).
- Monitor GitHub and SourceForge for malicious repos using automated takedown requests (DMCA).
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
MDO email delivery and threat hunt
MDO URL click/safe links hunt
Monitor
score25
AI is accelerating cyberattacks—here’s how to stay ahead
Notable but not urgent; score=25
In March, we wrote that identity security has become the new pressure point for modern cyberattacks. Since then, AI has only increased that pressure. AI helps cyberattackers …
- Implement phishing-resistant MFA (FIDO2/WebAuthn) for all privileged accounts in Azure AD/Entra ID.
- Enable Microsoft Defender for Identity to detect AI-driven reconnaissance (e.g., 'Suspicious enumeration of directory services').
MDE edge/service exploitation telemetry triage
Sentinel identity/M365 suspicious admin and …
Sentinel suspicious sign-in activity
MDO email delivery and threat hunt
Monitor
score25
Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline
Notable but not urgent; score=25
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. …
- Block Tailscale network overlay via firewall: deny outbound to port 41641/udp and tailscale.com.
- Remove the OpenSSH server from Windows if it is not required; it ships as an optional capability, so the PowerShell command is `Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0` (the original `Remove-WindowsFeature OpenSSH-Server` is not a valid feature name).
MDO email delivery and threat hunt
MDO URL click/safe links hunt
MDE endpoint behaviour hunt
MDE file artefact hunt
CVE-2022-29599
Monitor
score20
A flaw was found in the maven-shared-utils package. This issue allows a Comma...
Notable but not urgent; score=20, CVSS=9.8
A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.
- Update Maven Shared Utils to version 3.3.4+ or replace with `commons-exec`.
- Scan for usage of `Commandline` class in `org.apache.maven.shared.utils.cli` in builds.
MDE exposure: devices with CVE-2022-29599
Background
496 items
web/api · identity/auth · edge devices · cloud · microsoft · linux/server
Confidence & blind spots
High-priority items lacking typed evidence: 'A weakness in the certificate validation logic of the deprecated IKEv1 key ex...'. Verify manually before acting.
Claimed-only exploitation status (not authority-confirmed): 5 item(s). Check primary sources before treating as active.
2 prioritized item(s) carry validation flags — review flags before acting on them.
Source coverage
exploit_cves: ok (49)
exploit_kev: ok (1623)
exploit_news: ok (5)
exploit_epss: ok (1970)
exploit_vulncheck: ok (500)
exploit_msrc: ok (1582)
exploit_intel_objects: ok (586)
exploit_exploit_refs:nuclei: ok (1)
exploit_exploit_refs:metasploit: ok
exploit_exploit_refs:exploitdb: ok
exploit_exploit_refs:greynoise: missing_credentials
exploit_exploit_refs:shadowserver: missing_credentials
exploit_enrichment:pai_local: missing_credentials