
All Editions

Every Decryption Digest edition, catalogued. Deep-dive threat briefings covering the zero-days, ransomware campaigns, and nation-state operations that matter most to security teams.


105 editions published

#105
KNOW YOUR ENEMY

CyberAv3ngers: The IRGC Unit Operating Inside US Water and Energy Infrastructure Right Now

CyberAv3ngers IRGC group exploits Rockwell PLCs across US critical infrastructure. Here is how they operate and how to detect them.

May 17, 2026 · 11 min read
#104
AI WEAPONIZED

AI Built the First Zero-Day That Bypasses 2FA: Inside Google's Interception of a Mass Attack

AI-built zero-day exploit targeting 2FA intercepted by Google GTIG before mass deployment. Here is what every security team must check today.

May 16, 2026 · 11 min read
#103
CLOSE THIS GAP

NGINX Rift CVE-2026-42945: 18-Year Flaw Opens Every Rewrite Server to Root-Level RCE

NGINX Rift CVE-2026-42945 exposes every nginx server running rewrite rules to unauthenticated heap corruption. Patch to 1.30.1 now.

May 15, 2026 · 11 min read
#102
YOUR EXPOSURE TODAY

16 Billion Credentials Leaked: Check Your Dark Web Exposure Before Attackers Do

16 billion stolen credentials circulate across 30 dark web databases covering Google, Apple, Facebook, and enterprise VPNs. Check your corporate exposure now.

May 14, 2026 · 10 min read
#101
ACTIVE CAMPAIGN

Nitrogen Ransomware Hits Foxconn: 8TB of Supply Chain Schematics Stolen from North American Factories

Nitrogen ransomware breached Foxconn's North American factories, stealing 8TB of hardware schematics for Apple, NVIDIA, Google, and Intel. Active campaign confirmed May 2026.

May 13, 2026 · 10 min read
#100
PATCH BEFORE EOD

SAP Commerce Cloud RCE and S/4HANA SQLi (CVSS 9.6): Patch Before EOD Today

SAP Commerce Cloud CVE-2026-34263 allows unauthenticated RCE via Spring Security misconfiguration. SAP S/4HANA CVE-2026-34260 SQL injection under active attack. Both CVSS 9.6.

May 12, 2026 · 10 min read
#99
MONDAY INTEL DROP

3 Critical Threats This Week: Ivanti EPMM Zero-Day, DAEMON Tools Supply Chain, Trellix Breach

Ivanti EPMM zero-day CVE-2026-6973 actively exploited, CISA deadline passed May 10. DAEMON Tools RAT and Trellix source code breach complete this week.

May 11, 2026 · 12 min read
#98
KNOW YOUR ENEMY

Water Saci's TCLBANKER Worm Hits 59 Financial Platforms via WhatsApp and Outlook

Water Saci TCLBANKER banking trojan targets 59 Brazilian financial platforms via WhatsApp and Outlook worms. Full threat actor profile, IOCs, and detection guide.

May 10, 2026 · 10 min read
#97
AI WEAPONIZED

AI-Assisted OT Attack: How Claude Guided Hackers to Water Utility SCADA Systems

AI-assisted OT attack used Claude AI to identify SCADA systems in Mexico water utility. BACKUPOSINT's 49 modules show how LLMs enable OT intrusions.

May 9, 2026 · 11 min read
#96
CLOSE THIS GAP

CVE-2026-0300: Palo Alto PAN-OS Root RCE Actively Exploited, Patches Arrive May 13

CVE-2026-0300 allows unauthenticated root RCE on PAN-OS firewalls. 67 instances exposed on Shodan. No patch until May 13.

May 8, 2026 · 10 min read
#95
YOUR EXPOSURE TODAY

ShinyHunters Canvas LMS Breach: 275 Million Students' Data at Risk of Public Leak Tomorrow

ShinyHunters breached Canvas LMS and stole 3.65 TB of data from 275 million students at 9,000 schools — full public release threatened May 8.

May 7, 2026 · 10 min read
#94
PATCH BEFORE EOD

Android CVE-2026-0073: Zero-Click RCE Threatens 3.9 Billion Devices — Patch Now

Android CVE-2026-0073 is a critical zero-click RCE in the ADB daemon affecting Android 14, 15, and 16. Apply the May 2026 patch before exploitation begins.

May 5, 2026 · 10 min read
#93
MONDAY INTEL DROP

CVE-2026-31431 Copy Fail Exploit Is Public: 5 Threats to Patch This Week

CVE-2026-31431 Linux privilege escalation hits CISA KEV with May 15 deadline. Fortinet CVSS 9.1, Liberty Mutual breach, Chrome exploit covered.

May 4, 2026 · 12 min read
#92
KNOW YOUR ENEMY

UNC5221 BRICKSTORM: China's APT Hides 393 Days Inside Law Firms and SaaS Providers

UNC5221 BRICKSTORM backdoor averages 393 days undetected in US legal firms and SaaS providers. Full TTP profile and VMware vCenter detection guide inside.

May 3, 2026 · 10 min read
#91
AI WEAPONIZED

AI-Generated Slopoly Malware: Hive0163 Maintains 7-Day Dwell in Live Ransomware Attacks

AI-generated malware Slopoly proves Hive0163 weaponized LLMs for a live ransomware C2. 7-day dwell before Interlock payload. Here's how to detect it.

May 2, 2026 · 10 min read
#90
CLOSE THIS GAP

cPanel Zero-Day Exploits 1.5M Servers: 5 Critical Threats to Patch This Week

cPanel CVE-2026-41940 authentication bypass hits 1.5M exposed servers. Plus Snow malware via Teams, LiteLLM SQL injection, ShinyHunters at 40 orgs. Patch now.

May 1, 2026 · 12 min read
#89
ACTIVE CAMPAIGN

BlueNoroff Deepfake Zoom Attack: 100 Crypto Executives Compromised in 5 Minutes

BlueNoroff's fake Zoom campaign has compromised 100 crypto and Web3 executives using AI deepfakes and ClickFix. Full IOC list and detection guide inside.

April 30, 2026 · 10 min read
#88
ACTIVE CAMPAIGN

ShinyHunters Hit Medtronic and ADT: 14.5M Records Stolen via AI Vishing and Salesforce

ShinyHunters stole 14.5M records from Medtronic and ADT this week using AI vishing to bypass MFA then pivoting through Salesforce. Here's how to protect your org now.

April 29, 2026 · 10 min read
#87
PATCH BEFORE EOD

APT28 Exploits Windows Shell Flaw to Steal NTLMv2 Hashes in Zero-Click Attacks

CVE-2026-32202 Windows Shell spoofing lets APT28 steal NTLMv2 hashes via zero-click LNK files — patch now or block outbound SMB.

April 28, 2026 · 10 min read
#86
ACTIVE CAMPAIGN

BlackFile Extortion Group: 7-Figure Ransoms Hit Retail Via Vishing MFA Bypass

BlackFile ransomware vishing hits retail with MFA bypass and Salesforce API theft — seven-figure ransoms, 21 IOCs, and defense playbook inside.

April 27, 2026 · 11 min read
#85
KNOW YOUR ENEMY

GopherWhisper: China's New APT Hides 7 Backdoors Inside Slack, Discord and Outlook

GopherWhisper APT: China-aligned group routes all C2 through Slack, Discord and Outlook — 7 Go backdoors, government targets, dozens of victims.

April 26, 2026 · 12 min read
#84
YOUR EXPOSURE TODAY

France's ID Agency Breach: 11.7M Citizens' Identity Records Now for Sale

France Titres ANTS data breach confirmed: 11.7M citizen identity records stolen and listed for sale on dark web. What was taken and what to do.

April 25, 2026 · 10 min read
#83
MONDAY INTEL DROP

FIRESTARTER Backdoor Survives Patches: 5 Critical Threats This Week

FIRESTARTER backdoor persists on Cisco ASA past patches — 6+ months undetected. Plus BlueHammer zero-day and 8 CISA KEV additions this week.

April 24, 2026 · 12 min read
#82
CLOSE THIS GAP

Cisco SD-WAN Manager: 3 CVEs Chain to Full Credential Theft — CISA Deadline Was Today

Cisco SD-WAN Manager CVE-2026-20133 chains with 2 more CVEs to expose credentials unauthenticated — 500+ devices reachable. CISA deadline was today.

April 23, 2026 · 10 min read
#81
YOUR EXPOSURE TODAY

676 Million Americans' SSNs Are on the Dark Web — Infutor Left 91.7 GB Exposed with No Password

Infutor's unprotected Elasticsearch server exposed 676M records including SSNs — now on BreachForums. Every American with insurance or a mortgage is at risk.

April 20, 2026 · 11 min read
#80
YOUR EXPOSURE TODAY

ShinyHunters Breached Amtrak via Salesforce — 2.1M Passenger Records Confirmed in HIBP

ShinyHunters stole 9.4M records from Amtrak's Salesforce via infostealer credentials. Ransom deadline passed April 14 — 2.1M passenger emails now confirmed in Have I Been Pwned.

April 19, 2026 · 10 min read
#79
ACTIVE CAMPAIGN

Anubis RaaS Stole 2TB from Brockton Hospital — Chemo Canceled, ER on Divert

Anubis RaaS hit Signature Healthcare April 6 — 2TB stolen, ER diverted, chemo canceled. 70+ victims globally. Full TTPs and defense playbook.

April 18, 2026 · 11 min read
#78
KNOW YOUR ENEMY

CyberAv3ngers Breached 75+ US Water & Energy PLCs — And They're Still Inside

CyberAv3ngers: Iran's IRGC-linked APT inside US water, energy and government PLCs — CVE-2021-22681 CVSS 9.8 has no patch and they are escalating.

April 18, 2026 · 12 min read
#77
PATCH BEFORE EOD

Adobe Acrobat Zero-Day Silently Exploited for 5 Months Before Emergency Patch

Adobe Acrobat Reader CVE-2026-34621: prototype pollution zero-day exploited by APT for 5 months before emergency patch APSB26-43.

April 18, 2026 · 9 min read
#76
AI WEAPONIZED

5 APT Groups Deploy AI Malware That Writes Its Own Code Mid-Attack

Google GTIG confirms HONESTCUE and PROMPTSTEAL in active deployment — AI malware that generates fileless code via Gemini mid-execution, evading every static signature.

April 18, 2026 · 10 min read
#75
MONDAY INTEL DROP

5 Threats Defenders Can't Ignore This Week: Two Unpatched Windows LPEs Already Being Exploited

Two unpatched Windows LPE zero-days are actively exploited with no patch. Plus Payouts King QEMU ransomware, CISA's 6 new KEVs, and Cisco 9.9 flaws.

April 17, 2026 · 14 min read
#74
YOUR EXPOSURE TODAY

Booking.com Breach Exposes Millions: Storm-1865 ClickFix Attack Hit 170 Hotel Partners

Storm-1865 used ClickFix malware to compromise 170+ hotel partners and steal Booking.com reservation data. Reservation hijack scams surge.

April 17, 2026 · 9 min read
#73
MONDAY INTEL DROP

This Week's 4 Must-Patch Threats: FortiClient EMS Zero-Day to Rockstar's 78M Breach

FortiClient EMS CVE-2026-35616 pre-auth RCE exploited before advisory. Plus Rockstar 78M breach, Operation PowerOFF, and CISA KEV additions.

April 17, 2026 · 14 min read
#72
CLOSE THIS GAP

CVE-2026-33032: 2,689 nginx Servers Exposed to Full Takeover Without a Password

CVE-2026-33032 (MCPwn) gives unauthenticated attackers full nginx server takeover via a missing middleware call. 2,689 instances exposed.

April 16, 2026 · 10 min read
#71
CLOSE THIS GAP

108 Chrome Extensions in Google's Official Store Are Stealing OAuth2 Tokens. All of Them Are Still Available to Download.

108 malicious Chrome extensions steal Google OAuth2 tokens from 20,000 users. All linked to one C2. All still live in the Chrome Web Store.

April 16, 2026 · 11 min read
#70
YOUR EXPOSURE TODAY

ShinyHunters Listed 45 Million Salesforce Records From McGraw-Hill on a Dark Web Portal. The Deadline Passed Yesterday.

ShinyHunters listed McGraw-Hill on their dark web extortion portal claiming 45 million Salesforce records containing PII. McGraw-Hill confirmed the breach on April 14, 2026 — the same day the ransom deadline expired — characterising it as 'limited and non-sensitive.' ShinyHunters also hit Rockstar Games, Hims & Hers, and the European Commission in 2026. The root cause: a Salesforce misconfiguration affecting multiple tenants. Full breakdown of the attack model, ShinyHunters' 2026 campaign, and what organisations on Salesforce need to do today.

April 15, 2026 · 12 min read
#69
PATCH BEFORE EOD · Featured

Microsoft Patched 167 Vulnerabilities Today. One CVE Has Been Exploited Since December.

April 2026 Patch Tuesday is the second-largest in Microsoft's history: 167 CVEs, 2 zero-days, and an Adobe Acrobat Reader flaw actively exploited by an APT-linked actor since at least November 2025. CVE-2026-34621 and CVE-2026-32201 are on CISA's KEV catalog today. BlueHammer (CVE-2026-33825) had a working public PoC before the patch. Here's the full priority triage, attack chain details, and a six-step action list.

April 14, 2026 · 16 min read
#68
ACTIVE CAMPAIGN

North Korea Hid 1,700 Malicious Packages Inside Your Dev Team's Tools

Socket Security has documented 1,700+ malicious packages tied to North Korea's Contagious Interview campaign across five package ecosystems. Separately, UNC1069 compromised the Axios npm maintainer via social engineering, injecting a backdoor into a library present in an estimated 80% of cloud environments. Here's the full attack chain, WAVESHAPER.V2 IOCs, and what to do now.

April 10, 2026 · 14 min read
#67
PATCH BEFORE EOD

Chrome's 4th Zero-Day of 2026 Was Already in the Wild

Google shipped an emergency patch for CVE-2026-5281, a use-after-free in Chrome's Dawn/WebGPU component confirmed exploited in the wild. CISA added it to KEV the next day with an April 15 deadline. Here's what happened, why renderer-compromise-required is not reassuring, and what your fleet needs right now.

April 9, 2026 · 10 min read
#66
ACTIVE CAMPAIGN

Qilin Found a Way to Blind Your EDR Before You Know They're Inside

Cisco Talos and Trend Micro confirm Qilin ransomware is using BYOVD to systematically disable 300+ EDR products before deploying ransomware. Here's the full attack chain and what to do about it.

April 8, 2026 · 12 min read
#65
CVE REFERENCE

CVE-2025-0282: Ivanti Connect Secure Stack Overflow Zero-Day RCE

CVE-2025-0282 is a critical stack-based buffer overflow in Ivanti Connect Secure (versions before 22.7R2.5), Policy Secure, and Neurons for ZTA Gateways, disclosed January 2025. Exploited as a zero-day by UNC5337 (assessed to be part of UNC5221, the actor behind the January 2024 Ivanti Connect Secure zero-day chain), the flaw allows unauthenticated remote code execution on the VPN gateway. Mandiant confirmed exploitation in the wild beginning mid-December 2024. CVSS 9.0.

January 8, 2025 · 10 min read
#64
CVE REFERENCE

CVE-2024-12356: BeyondTrust PRA and RS Command Injection — Used to Breach the US Treasury

CVE-2024-12356 is a critical command injection vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) patched in December 2024. An unauthenticated attacker can inject operating system commands via a vulnerable API endpoint. The flaw was exploited by a Chinese state-sponsored actor to compromise a BeyondTrust SaaS instance and subsequently breach the US Treasury Department's Office of Foreign Assets Control (OFAC). CVSS 9.8.

December 17, 2024 · 10 min read
#63
CVE REFERENCE

CVE-2024-47575 Explained: Fortinet FortiManager Missing Authentication — FortiJump

CVE-2024-47575 is a CVSS 9.8 missing authentication vulnerability in Fortinet FortiManager (FortiManager Cloud also affected) that allows an unauthenticated remote attacker to execute arbitrary code or commands via specially crafted requests to the FGFM (FortiGate to FortiManager) daemon. Dubbed 'FortiJump' by Mandiant. Exploited as a zero-day by UNC5820 — a suspected Chinese state-sponsored actor — targeting managed service providers and enterprise FortiManager deployments. CISA added it to the KEV catalog on October 23, 2024.

October 23, 2024 · 11 min read
#62
CVE REFERENCE

CVE-2024-38094: Microsoft SharePoint RCE via Deserialization

CVE-2024-38094 is a deserialization remote code execution vulnerability in Microsoft SharePoint Server patched in July 2024. Site Owner-authenticated attackers can execute arbitrary code on the SharePoint server. Real-world campaigns chained it with a privilege escalation bug to achieve full domain compromise. CISA added it to the Known Exploited Vulnerabilities catalog in October 2024.

July 9, 2024 · 9 min read
#61
CVE REFERENCE

CVE-2024-6387 Explained: regreSSHion OpenSSH Signal Handler Race Condition

CVE-2024-6387, dubbed regreSSHion by Qualys, is a signal handler race condition in OpenSSH's sshd daemon affecting versions 8.5p1 through 9.7p1 on glibc-based Linux. An unauthenticated attacker can exploit the race condition to achieve remote code execution as root. The vulnerability is a regression of CVE-2006-5051, which was fixed in 2006 and inadvertently reintroduced in OpenSSH 8.5p1 in 2021.

July 1, 2024 · 12 min read
#60
CVE REFERENCE

CVE-2024-37085 Explained: VMware ESXi Active Directory Authentication Bypass

CVE-2024-37085 is an authentication bypass (CVSS 6.8) in VMware ESXi that allows a domain user who is a member of an Active Directory group named 'ESX Admins' to gain full administrative access to the ESXi hypervisor — regardless of whether that group was explicitly configured for ESXi access. Exploited by at least five ransomware groups (Black Basta, Akira, Medusa, RansomHub, and Scattered Spider) to target ESXi hosts directly, encrypting VM storage files and achieving mass disruption across virtualised environments.

June 25, 2024 · 11 min read
#59
CVE REFERENCE

CVE-2024-30078: Windows Wi-Fi Driver Over-The-Air RCE

CVE-2024-30078 is a remote code execution vulnerability in the Windows Wi-Fi driver patched in June 2024. An unauthenticated attacker on the same Wi-Fi network — or operating a rogue access point the device connects to — can send a crafted wireless frame to achieve kernel-mode code execution with no user interaction. Every unpatched Wi-Fi-capable Windows device in any shared network environment is in scope.

June 11, 2024 · 9 min read
#58
CVE REFERENCE

CVE-2024-4577: PHP CGI Argument Injection on Windows

CVE-2024-4577 is a critical PHP argument injection flaw affecting Windows servers running PHP in CGI mode. A Unicode best-fit character mapping quirk allowed attackers to bypass the CVE-2012-1823 patch and execute arbitrary OS commands without authentication. TellYouThePass ransomware operators weaponized it within hours of the June 2024 PoC release. CVSS 9.8.

June 7, 2024 · 10 min read
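The best-fit mapping named above is concrete enough to model. In the affected Windows code pages the byte 0xAD (U+00AD, soft hyphen) is best-fit mapped to ASCII '-' when the query string becomes php-cgi's argument vector, so a check that looks for a leading '-' before that conversion sees nothing wrong. The Python below is an added example and a simplification written for this page, not PHP's or Apache's code: it models Apache's query-string-to-argv rule (no '=' in the query means the query is passed as arguments, split on '+'), the single 0xAD mapping, and the option check before and after normalising the way the OS will. The probe query is constructed; any INI directive can be set through an injected `-d`.

```python
from urllib.parse import unquote_to_bytes

# Model of the Windows best-fit conversion for the affected code pages. Only the
# mapping that matters for this bug class is modelled: 0xAD (soft hyphen) -> '-'.
BEST_FIT = {0xAD: ord("-")}


def best_fit_ansi(arg: bytes) -> bytes:
    """Bytes as php-cgi will actually receive them after the OS conversion."""
    return bytes(BEST_FIT.get(b, b) for b in arg)


def cgi_argv_from_query(qs: str) -> list[bytes]:
    """Apache's CGI rule: a query string with no literal '=' is passed as argv,
    split on '+', each part percent-decoded. '%3d' survives this test."""
    if "=" in qs:
        return []
    return [unquote_to_bytes(part) for part in qs.split("+") if part]


def option_check_vulnerable(argv: list[bytes]) -> bool:
    """The 2012-era check: refuse anything that looks like an option, judged on
    the raw decoded bytes. 0xAD is not 0x2D, so the check passes."""
    return not any(a.startswith(b"-") for a in argv)


def option_check_hardened(argv: list[bytes]) -> bool:
    """Judge the bytes after the conversion the OS will perform, so the check and
    the interpreter agree on what the first character is."""
    return not any(best_fit_ansi(a).startswith(b"-") for a in argv)


def simulate_php_cgi(qs: str, check) -> tuple[str, list[str]]:
    """Returns ('rejected', []) or ('accepted', argv as php-cgi would see it)."""
    argv = cgi_argv_from_query(qs)
    if not check(argv):
        return ("rejected", [])
    return ("accepted", [best_fit_ansi(a).decode("latin-1") for a in argv])


# Constructed probe: '%AD' stands in for '-', '%3d' keeps '=' out of the raw query.
PROBE = "%ADd+cgi.force_redirect%3d0+%ADd+display_errors%3d1"

if __name__ == "__main__":
    print("vulnerable check:", simulate_php_cgi(PROBE, option_check_vulnerable))
    print("hardened check:  ", simulate_php_cgi(PROBE, option_check_hardened))
```

The fix to take from the model is the general one: whenever a sanity check runs on one representation of the input and a later consumer runs on another, the check has to be performed on the consumer's representation, or the conversion has to be made impossible (for php-cgi on Windows, the CGI mode itself was the thing to turn off).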
#57
CVE REFERENCE

CVE-2024-20353 & CVE-2024-20359: ArcaneDoor — State-Sponsored Cisco ASA Zero-Days

CVE-2024-20353 and CVE-2024-20359 are two Cisco ASA and FTD zero-day vulnerabilities exploited in the ArcaneDoor espionage campaign by a suspected Chinese state-sponsored actor. The flaws enabled persistent backdoor implants (Line Dancer and Line Runner) on perimeter VPN devices protecting government and critical infrastructure networks across multiple countries. First exploitation observed in November 2023 — five months before public disclosure.

April 24, 2024 · 12 min read
#56
CVE REFERENCE

CVE-2024-3400 Explained: Palo Alto PAN-OS GlobalProtect Command Injection (CVSS 10.0)

CVE-2024-3400 is a CVSS 10.0 OS command injection in Palo Alto Networks PAN-OS affecting devices with the GlobalProtect gateway or portal enabled. An unauthenticated attacker sends a crafted HTTP request with a malicious SESSID cookie value, achieving root-level remote code execution. Discovered and disclosed April 12, 2024, it was being actively exploited as a zero-day by a state-sponsored threat actor (UTA0218) since at least March 26, 2024.

April 12, 2024 · 13 min read
#55
CVE REFERENCE

CVE-2024-1709 Explained: ConnectWise ScreenConnect Authentication Bypass (CVSS 10.0)

CVE-2024-1709 is a CVSS 10.0 authentication bypass in ConnectWise ScreenConnect (< 23.9.8). An extra trailing slash in the URL path bypasses authentication middleware, allowing an unauthenticated attacker to execute the setup wizard and create a new administrator account. Exploited by LockBit, Black Basta, and multiple ransomware groups within 48 hours of disclosure. Affects all ScreenConnect on-premises deployments below version 23.9.8.

February 19, 2024 · 11 min read
#54
CVE REFERENCE

CVE-2024-21413: Outlook MonikerLink NTLM Credential Theft

CVE-2024-21413, dubbed 'MonikerLink' by Check Point Research, is a critical Microsoft Outlook vulnerability patched in February 2024. A crafted file:// hyperlink with an exclamation mark suffix bypasses Outlook's Protected View, causing Windows to silently authenticate to an attacker's server via NTLMv2 — transmitting the victim's Net-NTLMv2 hash with no user interaction beyond opening or previewing the email. CISA added it to KEV after confirmed wild exploitation.

February 13, 2024 · 10 min read
#53
CVE REFERENCE

CVE-2024-21762 Explained: Fortinet FortiOS SSL VPN Out-of-Bounds Write (CVSS 9.6)

CVE-2024-21762 is a CVSS 9.6 out-of-bounds write in Fortinet FortiOS and FortiProxy SSL VPN. An unauthenticated remote attacker sends specially crafted HTTP requests to the SSL VPN web portal, achieving arbitrary code or command execution. CISA added it to the Known Exploited Vulnerabilities catalog on February 9, 2024 — one day after disclosure — confirming active exploitation. Over 150,000 Fortinet devices were estimated to be running vulnerable firmware at time of disclosure.

February 8, 2024 · 11 min read
#52
CVE REFERENCE

CVE-2024-23897: Jenkins CLI Arbitrary File Read Leading to RCE

CVE-2024-23897 is a critical Jenkins CLI vulnerability allowing unauthenticated arbitrary file reads via the args4j argument parser's @ file expansion feature. Disclosed January 2024, the flaw exposed Jenkins controller filesystems including credential stores and cryptographic keys. In certain configurations, key material exposure escalated to full remote code execution. CISA added it to KEV in February 2024.

January 24, 2024 · 10 min read
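The '@ file expansion' in the entry above is worth seeing in miniature: an argument parser that replaces any argument of the form `@path` with the contents of that file will, when combined with an error message that echoes the argument, return the first token of any file the server process can read. The Python below is an added example written for this page, not args4j's or Jenkins' code. The in-memory filesystem, the toy `connect-node` command, the node names and the key value are constructed; the `at_syntax` switch stands for disabling the expansion feature, which is what the Jenkins fix did.

```python
# Constructed in-memory stand-in for the controller's filesystem (nothing here is real).
FAKE_FS = {
    "/var/lib/jenkins/secrets/master.key": "3f6a0c1b9e7d4a2f\n",   # constructed value
    "/etc/hostname": "jenkins-ctl-01\n",
    "/home/dev/node-args.txt": "build-agent-7\n",                 # legitimate use of @file
}
KNOWN_NODES = {"build-agent-7", "build-agent-8"}


def expand_at_args(args: list[str], fs: dict, at_syntax: bool = True) -> list[str]:
    """args4j-style expansion: an argument '@path' is replaced by the
    whitespace-separated tokens of that file. With at_syntax=False the
    argument is passed through untouched, which is the fix."""
    out = []
    for a in args:
        if at_syntax and a.startswith("@"):
            content = fs.get(a[1:])
            if content is not None:
                out.extend(content.split())
                continue
        out.append(a)
    return out


def connect_node(args: list[str], fs: dict = FAKE_FS, at_syntax: bool = True) -> str:
    """Toy CLI command with one positional argument. The error path echoes the
    argument back to the caller; that echo is the file-read oracle."""
    argv = expand_at_args(args, fs, at_syntax)
    if len(argv) != 1:
        return f"error: expected exactly one node name, got {len(argv)}"
    name = argv[0]
    if name not in KNOWN_NODES:
        return f"error: No such node '{name}'"
    return f"connected to {name}"


if __name__ == "__main__":
    probe = ["@/var/lib/jenkins/secrets/master.key"]
    print("expansion on: ", connect_node(probe))                    # leaks the first token
    print("expansion off:", connect_node(probe, at_syntax=False))   # echoes the literal argument
    print("legit use:    ", connect_node(["@/home/dev/node-args.txt"]))
```

Two things the model makes visible: the leak needs no authentication beyond whatever is required to reach the CLI endpoint, and a multi-token file produces the "expected exactly one" error instead, so the number of tokens leaked per request depends on the command's arity, not on the parser. That is why the page's entry notes that full RCE followed only "in certain configurations".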
#51
CVE REFERENCE

CVE-2023-46805 and CVE-2024-21887 Explained: Ivanti Connect Secure Zero-Day Chain

CVE-2023-46805 is an authentication bypass (CVSS 8.2) in Ivanti Connect Secure and Policy Secure. Chained with CVE-2024-21887, a command injection (CVSS 9.1), it produces unauthenticated remote code execution on the VPN gateway. Exploited as a zero-day by suspected Chinese state-sponsored actor UNC5221 for at least two weeks before disclosure. CISA issued Emergency Directive 24-01 ordering federal agencies to disconnect or mitigate within 48 hours. Over 2,100 devices were compromised globally before patches were available.

January 10, 2024 · 14 min read
#50
CVE REFERENCE

CVE-2023-46604 Explained: Apache ActiveMQ Remote Code Execution (CVSS 10.0)

CVE-2023-46604 is a CVSS 10.0 deserialization / remote class loading vulnerability in Apache ActiveMQ's OpenWire protocol. An unauthenticated attacker sends a specially crafted ClassInfo message to port 61616, causing the broker to load and execute a Java class from an attacker-controlled HTTP server. Active exploitation by HelloKitty ransomware and Kinsing cryptominer began within days of the advisory. Affects ActiveMQ 5.15 before 5.15.16, 5.16 before 5.16.7, 5.17 before 5.17.6, and 5.18 before 5.18.3.

October 25, 2023 · 11 min read
#49
CVE REFERENCE

CVE-2023-20198 Explained: Cisco IOS XE Web UI Zero-Day and the 50,000-Device Compromise

CVE-2023-20198 is a critical unauthenticated privilege escalation vulnerability in Cisco IOS XE software's web UI feature. Exploited as a zero-day before Cisco published any advisory, attackers used it to create administrator accounts and then chained it with CVE-2023-20273 to deploy a persistent Lua-based implant on over 50,000 network devices. No authentication or user interaction required.

October 16, 2023 · 10 min read
#48
CVE REFERENCE

CVE-2023-4966: Citrix Bleed NetScaler Session Hijacking Explained and Fix

CVE-2023-4966, named Citrix Bleed, is a buffer over-read vulnerability in Citrix NetScaler ADC and Gateway that leaks memory contents — including active user session tokens — via unauthenticated HTTP requests. Stolen tokens bypass MFA because they represent already-authenticated sessions. Exploited as a zero-day from late August 2023, then by LockBit affiliates against Boeing and others after the patch; Comcast Xfinity was breached through the same flaw.

October 10, 2023 · 10 min read
#47
CVE REFERENCE

CVE-2023-44487 Explained: HTTP/2 Rapid Reset — The Record-Breaking DDoS Vulnerability

CVE-2023-44487 is the HTTP/2 Rapid Reset vulnerability — a flaw in HTTP/2's stream cancellation mechanism that allows a relatively small number of clients to generate HTTP/2 DDoS attacks far exceeding any previously observed scale. Google sustained a peak of 398 million requests per second; Cloudflare 201 million RPS; AWS observed similar records. The vulnerability affects all HTTP/2 server implementations. Coordinated disclosure on October 10, 2023 was accompanied by patches across major web server projects.

October 10, 2023 · 10 min read
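Rapid Reset works because a client can open a stream and cancel it with RST_STREAM immediately, at a cost to the server far above the cost to the client, and the stream no longer counts against the concurrency limit once cancelled. The mitigation most servers shipped is a per-connection budget on client-initiated resets. The Python model below is an added example written for this page, not code from any server project: it counts resets of streams the server has not yet started answering inside a sliding window and signals GOAWAY when the budget is exceeded. Frame sequences, thresholds and timings are constructed.

```python
from collections import deque


class RapidResetGuard:
    """Per-connection budget on client resets of unanswered streams.
    Threshold and window are illustrative, not any server's defaults."""

    def __init__(self, max_resets_per_window: int = 100, window_s: float = 1.0):
        self.max_resets = max_resets_per_window
        self.window_s = window_s
        self.pending = set()      # streams opened by the client, no response started yet
        self.resets = deque()     # timestamps of counted resets, oldest first
        self.goaway = False
        self.total_counted = 0

    def on_headers(self, stream_id: int, now: float) -> bool:
        """Client opened a stream. Refused once we have decided to GOAWAY."""
        if self.goaway:
            return False
        self.pending.add(stream_id)
        return True

    def on_response_started(self, stream_id: int) -> None:
        """Server began answering: a later cancel is normal client behaviour."""
        self.pending.discard(stream_id)

    def on_rst_stream(self, stream_id: int, now: float) -> bool:
        """Client reset a stream. Returns True if the connection should be closed."""
        if stream_id in self.pending:          # cancelled before we returned anything
            self.pending.discard(stream_id)
            self.resets.append(now)
            self.total_counted += 1
            while self.resets and now - self.resets[0] > self.window_s:
                self.resets.popleft()          # slide the window
            if len(self.resets) > self.max_resets:
                self.goaway = True
        return self.goaway


def replay(frames, **guard_kwargs) -> RapidResetGuard:
    """Feed (kind, stream_id, time) tuples to a fresh guard and return it."""
    g = RapidResetGuard(**guard_kwargs)
    for kind, sid, t in frames:
        if kind == "HEADERS":
            g.on_headers(sid, t)
        elif kind == "RESPONSE":
            g.on_response_started(sid)
        elif kind == "RST_STREAM":
            g.on_rst_stream(sid, t)
    return g


def attack_frames(n: int, spacing: float = 0.0005):
    """Constructed Rapid Reset pattern: open then cancel, n times, spacing seconds apart."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * spacing
        frames.append(("HEADERS", sid, t))
        frames.append(("RST_STREAM", sid, t))
    return frames


def benign_frames(n: int, spacing: float = 0.05, cancel_every: int = 10):
    """Constructed normal client: requests get answered; some are cancelled afterwards."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * spacing
        frames.append(("HEADERS", sid, t))
        frames.append(("RESPONSE", sid, t))
        if i % cancel_every == 0:
            frames.append(("RST_STREAM", sid, t + 0.01))
    return frames


if __name__ == "__main__":
    print("burst of 200 open+cancel:", replay(attack_frames(200)).goaway)
    print("500 normal requests:     ", replay(benign_frames(500)).goaway)
    print("150 cancels over 15 s:   ", replay(attack_frames(150, spacing=0.1)).goaway)
```

Counting only resets of unanswered streams is the design choice that keeps the false-positive rate down: a browser that cancels image loads on navigation resets streams the server has already started serving, and those are not charged. The third replay shows the other side of the trade-off, a slow client that never exceeds the window budget and is never cut off; rate-limiting by window is a DoS mitigation, not a way to identify the attacker.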
#46
CVE REFERENCE

CVE-2023-22515: Atlassian Confluence Broken Access Control Zero-Day Explained and Fixed

CVE-2023-22515 is a maximum-severity broken access control vulnerability in Atlassian Confluence Data Center and Server. An unauthenticated external attacker can reach Confluence's setup endpoint on a fully configured instance and create a new administrator account, gaining complete control without credentials. Microsoft attributed active exploitation to Storm-0062 (a Chinese state-sponsored threat actor) beginning September 14, 2023 — three weeks before Atlassian's advisory.

October 4, 2023 · 10 min read
#45
CVE REFERENCE

CVE-2023-42793 Explained: JetBrains TeamCity Authentication Bypass (CVSS 9.8)

CVE-2023-42793 is a CVSS 9.8 authentication bypass in JetBrains TeamCity (< 2023.05.4) allowing an unauthenticated attacker to generate an admin-level API token with a single HTTP request. Full remote code execution follows via plugin upload. Exploited by North Korea's Lazarus Group, Russia's COZY BEAR (APT29), and multiple ransomware operators for CI/CD pipeline compromise and software supply chain attacks.

September 6, 2023 · 12 min read
#44
CVE REFERENCE

CVE-2023-38831 Explained: WinRAR Remote Code Execution via Crafted Archive

CVE-2023-38831 is a code execution vulnerability in WinRAR (< 6.23). An attacker creates a ZIP archive that displays an innocent filename — such as a PDF or image — alongside a folder of the same name containing a script, so that double-clicking the apparent document inside WinRAR runs the script instead. First exploited by financially motivated crimeware operators in spear-phishing against trading forum users, then by state actors including Russia's APT28 (Fancy Bear) and Sandworm and China's APT40 against government targets. Affects all WinRAR versions prior to 6.23.

August 23, 2023 · 10 min read
#43
CVE REFERENCE

CVE-2023-3519 Explained: Citrix NetScaler ADC and Gateway Unauthenticated RCE

CVE-2023-3519 is a CVSS 9.8 unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway (formerly Citrix ADC / Citrix Gateway). Exploited as a zero-day before any patch was available, it was used to compromise a US critical infrastructure organization. After patches were released, mass exploitation resulted in over 2,000 backdoored appliances within days. Requires the device to be configured as a Gateway or AAA virtual server.

July 18, 2023 · 11 min read
#42
CVE REFERENCE

CVE-2023-36884: Windows Search RCE Used in NATO Summit Attacks

CVE-2023-36884 is a remote code execution vulnerability in Windows Search and Microsoft Office exploited as a zero-day by Russian-nexus group Storm-0978 (RomCom) during the July 2023 NATO summit. Malicious Office documents triggered the flaw without macros or Protected View bypass, targeting NATO member governments. Microsoft disclosed it without a same-day patch — the fix arrived a month later.

July 11, 2023 · 11 min read
#41
CVE REFERENCE

CVE-2023-27997: Fortinet FortiGate SSL-VPN Heap Overflow Zero-Day Explained and Fixed

CVE-2023-27997 is a pre-authentication heap buffer overflow in the Fortinet FortiOS SSL-VPN component enabling unauthenticated remote code execution on FortiGate VPN appliances. Exploited as a zero-day before Fortinet's June 2023 advisory, it affects FortiOS 6.0 through 7.2.4 with SSL-VPN enabled. CISA linked related Fortinet exploitation to Chinese state-sponsored actor Volt Typhoon targeting US critical infrastructure.

June 12, 2023 · 10 min read
#40
CVE REFERENCE

CVE-2023-34362: MOVEit Transfer SQL Injection — CLOP's Mass Data Extortion Campaign

CVE-2023-34362 is a critical SQL injection vulnerability in Progress MOVEit Transfer that enables unauthenticated remote code execution. Exploited as a zero-day by the CLOP ransomware group beginning May 27, 2023, it was used to breach over 1,000 organizations simultaneously through data exfiltration without encryption. Victims include the US Department of Energy, Shell, British Airways, the BBC, Maximus, and hundreds more.

June 1, 2023 · 11 min read
#39
CVE REFERENCE

CVE-2023-32315: Openfire Authentication Bypass Leading to RCE

CVE-2023-32315 is a critical path traversal vulnerability in the Openfire XMPP messaging server admin console (versions 3.10.0 through 4.7.4), patched in May 2023. An unauthenticated attacker can access the admin console setup wizard by bypassing the authentication filter via a URL path traversal, then upload a malicious Openfire plugin containing arbitrary Java code. Over 3,000 servers were compromised in active exploitation campaigns observed through mid-2023.

May 23, 2023 · 9 min read
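The ScreenConnect (#55), Confluence (#46) and Openfire (#39) entries above describe one defect in three products: an authentication filter that decides on the raw request path while the router downstream canonicalises it, so a trailing slash, a traversal sequence or an ignored setup-complete flag reaches a page the filter meant to block. The Python model below is an added example written for this page, not code from any of those products. The routing table, the paths, the filter rules and the probe requests are constructed for illustration; the point is the difference between a filter that compares strings and one that compares what the router will actually resolve.

```python
import posixpath
from urllib.parse import unquote

# Illustrative routing table (constructed): canonical path -> requires a session.
# Setup-wizard pages are public by design before setup; the filter must shut them after.
HANDLERS = {
    "/setupwizard.aspx": False,
    "/setup/index": False,
    "/login": False,
    "/admin/log": True,
}
SETUP_PATHS = ("/setupwizard.aspx", "/setup")


def canonical(raw_path: str) -> str:
    """What the router resolves: percent-decoded (twice, to catch %252e),
    dot-segments collapsed, trailing slash dropped, case folded."""
    p = unquote(unquote(raw_path))
    p = posixpath.normpath("/" + p.lstrip("/"))
    return (p.rstrip("/") or "/").lower()


def is_setup_path(path: str) -> bool:
    return path in SETUP_PATHS or path.startswith("/setup/")


def vulnerable_filter(raw_path: str, authenticated: bool, setup_complete: bool) -> bool:
    """Decides on the raw string; the router downstream canonicalises anyway."""
    if setup_complete and raw_path in ("/SetupWizard.aspx", "/setup/index"):
        return False                               # exact-match deny after setup
    if raw_path.startswith("/setup/"):
        return True                                # wizard subtree exempt from auth
    needs_session = HANDLERS.get(canonical(raw_path))
    if needs_session is None:
        return False                               # no such page
    return authenticated or not needs_session


def hardened_filter(raw_path: str, authenticated: bool, setup_complete: bool) -> bool:
    """Canonicalise first, then apply the state and auth rules to the same
    path the router will see. Unknown paths are denied."""
    path = canonical(raw_path)
    if is_setup_path(path):
        return not setup_complete                  # wizard only while setup is incomplete
    needs_session = HANDLERS.get(path)
    if needs_session is None:
        return False
    return authenticated or not needs_session


# Constructed probes in the shape of the three entries: (raw path, authenticated, setup done)
PROBES = [
    ("/SetupWizard.aspx/", False, True),                # trailing slash past an exact match
    ("/setup/index/", False, True),                      # same trick on a prefix-style wizard
    ("/setup/x/../../admin/log", False, True),           # traversal out of the exempt prefix
    ("/setup/x/%2e%2e/%2e%2e/admin/log", False, True),   # encoded traversal
]


def compare(probes=PROBES):
    """(raw path, vulnerable verdict, hardened verdict) for each probe."""
    return [(raw, vulnerable_filter(raw, a, s), hardened_filter(raw, a, s)) for raw, a, s in probes]


if __name__ == "__main__":
    for raw, vuln, hard in compare():
        print(f"{raw:40s} vulnerable={str(vuln):5s} hardened={hard}")
```

One caveat the model cannot hide: `canonical()` must decode exactly what the container decodes. Openfire's bypass used the non-standard `%u002e` form, which `urllib.parse.unquote` leaves alone, so a filter that normalises with a different routine than its servlet container is still two parsers disagreeing. The reliable fix is to enforce the rule in the handler itself (the wizard checks setup state on every request) rather than in a path filter in front of it.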
#38
CVE REFERENCE

CVE-2023-28252 Explained: Windows CLFS Driver Zero-Day Used by Nokoyawa Ransomware

CVE-2023-28252 is a zero-day elevation of privilege vulnerability in the Windows Common Log File System (CLFS) kernel driver. A low-privileged attacker exploits a flaw in CLFS log file parsing to escalate to SYSTEM privileges. Discovered being actively used by the Nokoyawa ransomware gang as part of their pre-ransomware deployment privilege escalation chain. Patched on April 11, 2023 Patch Tuesday as a zero-day. CVSS 7.8.

April 11, 2023 · 10 min read
#37
CVE REFERENCE

CVE-2023-23397 Explained: The Outlook Zero-Click NTLM Hash Theft Vulnerability

CVE-2023-23397 is a critical privilege escalation and credential theft vulnerability in Microsoft Outlook for Windows. A specially crafted calendar invitation with a UNC path in the reminder sound field causes Outlook to automatically connect to an attacker-controlled SMB server, leaking the victim's NTLM authentication hash. No user interaction is required — the exploit fires when the reminder triggers, even if the meeting invitation is never opened.

March 14, 2023 · 9 min read
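Entries #87 (the LNK/NTLMv2 edition above), #54 (MonikerLink) and #37 (this one) all end the same way: the victim host opens an outbound SMB connection to an attacker's server and sends its Net-NTLMv2 hash. Whatever the trigger, that egress is visible at the perimeter, which is why #87 pairs "patch now" with "block outbound SMB". The Python below is an added example written for this page, not from the newsletter: it parses constructed firewall records, flags TCP 445/139 from internal hosts to non-internal destinations, and groups hits by source so one noisy workstation shows up once. The documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for internet hosts, so the internal test is an explicit prefix list rather than `ipaddress`'s `is_global` (which classifies those ranges as non-global). WebDAV fallback over 80/443, which Windows attempts when SMB is blocked, is not caught by this rule and needs separate coverage.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall records; nothing here is real traffic.
LOG_LINES = """\
2026-04-28T10:01:02Z ALLOW TCP 10.20.3.14:51234 -> 10.20.1.5:445
2026-04-28T10:01:07Z ALLOW TCP 10.20.3.14:51240 -> 203.0.113.7:445
2026-04-28T10:01:09Z ALLOW TCP 10.20.3.14:51241 -> 203.0.113.7:139
2026-04-28T10:02:30Z ALLOW TCP 10.20.7.88:49300 -> 198.51.100.23:445
2026-04-28T10:03:00Z ALLOW TCP 10.20.3.14:51300 -> 93.184.216.34:443
2026-04-28T10:03:05Z ALLOW UDP 10.20.3.14:51301 -> 8.8.8.8:53
2026-04-28T10:04:00Z ALLOW TCP 10.20.9.2:52000 -> 100.64.0.9:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) -> (?P<dst>[^:\s]+):(?P<dport>\d+)$"
)
SMB_PORTS = {445, 139}

# "Internal" here means anything we route ourselves: RFC 1918, CGNAT, loopback,
# link-local and their IPv6 equivalents. Adjust to the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal(ip_str: str) -> bool:
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)   # version mismatch yields False


def parse(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_smb_egress(text: str):
    """(timestamp, src, dst, dport) for every TCP SMB flow leaving the internal address space."""
    hits = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits


def summarize(hits):
    """Distinct external SMB destinations per internal source host."""
    by_src = defaultdict(set)
    for _, src, dst, _ in hits:
        by_src[src].add(dst)
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    for ts, src, dst, port in find_smb_egress(LOG_LINES):
        print(f"{ts} NTLM-leak candidate {src} -> {dst}:{port}")
    print(summarize(find_smb_egress(LOG_LINES)))
```

Any hit from a workstation is worth a look even when the patches are applied: a legitimate reason for a client to speak SMB to an internet address is rare enough that the rule doubles as the enforcement check for the egress block the #87 entry recommends.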
#36
CVE REFERENCE

CVE-2023-0669 Explained: GoAnywhere MFT Pre-Authentication RCE and the Cl0p Zero-Day Campaign

CVE-2023-0669 is a pre-authentication remote code execution vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). The Cl0p ransomware group exploited it as a zero-day for approximately 10 days before any advisory was published, claiming over 130 victim organisations. The vulnerability allows unauthenticated attackers to execute commands on the GoAnywhere server via a Java deserialization attack against the administrative console. Affected versions: GoAnywhere MFT prior to 7.1.2.

February 1, 2023 · 12 min read
#35
CVE REFERENCE

CVE-2022-47966 Explained: Zoho ManageEngine Unauthenticated RCE via SAML (CVSS 9.8)

CVE-2022-47966 is a CVSS 9.8 unauthenticated RCE vulnerability affecting up to 24 Zoho ManageEngine products. It exploits a vulnerable Apache Santuario (XML Security for Java) component in the SAML SSO implementation, allowing an attacker to execute arbitrary code on any ManageEngine server where SAML-based single sign-on is or was enabled. Exploited by APT41 and other nation-state actors within weeks of the January 2023 disclosure. Affects products widely deployed in enterprise IT management: ServiceDesk Plus, Desktop Central, OpManager, and more.

January 10, 2023 · 11 min read
#34
CVE REFERENCE

CVE-2022-41040 and CVE-2022-41082 Explained: ProxyNotShell, the Microsoft Exchange Chain

CVE-2022-41040 and CVE-2022-41082, collectively called ProxyNotShell, are chained vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a server-side request forgery flaw that, when chained with CVE-2022-41082, enables an authenticated attacker to achieve remote code execution. Both were exploited in the wild before Microsoft released patches.

September 29, 2022 · 10 min read
#33
CVE REFERENCE

CVE-2022-3236: Sophos Firewall Code Injection Zero-Day

CVE-2022-3236 is a critical code injection vulnerability in the User Portal and Webadmin interfaces of Sophos Firewall v19.0 MR1 (19.0.1) and older. Exploited as a zero-day by a Chinese APT (Storm Cloud / Volt Typhoon cluster), the flaw enabled unauthenticated root-level code execution on internet-facing firewall appliances. Sophos delivered an automatic hotfix, but appliances with automatic hotfix installation disabled or without outbound connectivity required manual intervention, leaving many deployments exposed.

September 23, 2022 · 9 min read
#32
CVE REFERENCE

CVE-2022-30190 Explained: Follina, the Zero-Click Microsoft Office RCE

CVE-2022-30190 (Follina) is a critical RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) triggered via the ms-msdt:// URI scheme from within a malicious Office document. Attackers achieve code execution with no macro prompts, and in some configurations previewing the file in Windows Explorer alone triggers the exploit.

June 14, 2022 · 8 min read
#31
CVE REFERENCE

CVE-2022-26134 Explained: Confluence Server Critical OGNL Zero-Day

CVE-2022-26134 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center, enabling unauthenticated remote code execution. Disclosed as a zero-day on June 2, 2022, with active exploitation already confirmed, this vulnerability scores 10.0 CVSS. Within hours of technical details becoming public, mass scanning and exploitation began across the internet.

June 2, 2022 · 9 min read
#30
CVE REFERENCE

CVE-2022-26923: Certifried — AD Certificate Services Domain Privilege Escalation

CVE-2022-26923 (Certifried) is a privilege escalation vulnerability in Active Directory Certificate Services (AD CS) patched in May 2022. A domain user with the ability to create or modify machine accounts can request a certificate that impersonates a Domain Controller, then use that certificate in a Kerberos PKINIT authentication to obtain a TGT with domain admin-equivalent privileges. CVSS 8.8.

May 10, 2022 · 10 min read
#29
CVE REFERENCE

CVE-2022-1388: F5 BIG-IP iControl REST Authentication Bypass Explained and Fix

CVE-2022-1388 is a critical authentication bypass vulnerability in the F5 BIG-IP iControl REST management API. Unauthenticated attackers with network access to the management interface can execute arbitrary OS commands as root by manipulating HTTP headers to bypass the API authentication layer. Mass exploitation began within 24 hours of F5's advisory. CISA and FBI issued a joint advisory warning of active exploitation.

May 4, 2022 · 9 min read
#28
CVE REFERENCE

CVE-2022-22965 Explained: Spring4Shell, the Spring Framework RCE Vulnerability

CVE-2022-22965 (Spring4Shell) is a critical remote code execution vulnerability in the Spring Framework's data binding component. By manipulating HTTP request parameters to abuse Java's ClassLoader mechanism, an attacker can write a JSP web shell to a Tomcat-served directory and achieve persistent remote code execution. Affects Spring Framework 5.3.x before 5.3.18 and 5.2.x before 5.2.20 running on JDK 9+.

March 31, 2022 · 10 min read
#27
CVE REFERENCE

CVE-2022-0847: Dirty Pipe Linux Kernel Vulnerability Explained and How to Fix It

CVE-2022-0847, named Dirty Pipe, is a Linux kernel vulnerability allowing any unprivileged local user to write to arbitrary read-only files and achieve root privilege escalation. Unlike the 2016 Dirty Cow vulnerability it resembles, Dirty Pipe requires no race condition — it is deterministic and reliable. Affects Linux kernels 5.8 through 5.16.10 and was quickly weaponized for container escapes and Android rooting.

March 7, 2022 · 9 min read
#26
CVE REFERENCE

CVE-2021-4034: PwnKit Polkit Vulnerability Explained — Root Access on Every Linux System for 12 Years

CVE-2021-4034, named PwnKit by Qualys, is an out-of-bounds write vulnerability in pkexec, a SUID-root binary that is part of the polkit framework and is installed by default on virtually every Linux distribution. Any local unprivileged user can exploit it to gain root without any sudo permissions, without knowing any password, and without triggering standard auth log entries. The flaw had been present since May 2009.

January 25, 2022 · 9 min read
#25
CVE REFERENCE

CVE-2021-44228 Explained: Log4Shell, the Most Critical Vulnerability in a Decade

CVE-2021-44228 — Log4Shell — is a critical remote code execution vulnerability in Apache Log4j 2 scoring a perfect 10.0 CVSS. A single malicious string sent to any log field triggers JNDI injection, allowing an attacker to execute arbitrary code on the vulnerable server with no authentication required.

December 15, 2021 · 12 min read
#24
CVE REFERENCE

CVE-2021-42287 & CVE-2021-42278: noPac — Domain User to Domain Admin in Seconds

CVE-2021-42287 and CVE-2021-42278 are Active Directory privilege escalation vulnerabilities patched in November 2021. Chained together in the 'noPac' exploit, they allowed any authenticated domain user to impersonate a Domain Controller via Kerberos, obtaining a TGT with domain admin-equivalent privileges — a complete Active Directory takeover from a standard user account with no additional tooling beyond a domain login.

December 14, 2021 · 11 min read
#23
CVE REFERENCE

CVE-2021-22005: VMware vCenter Unauthenticated File Upload RCE

CVE-2021-22005 is a critical unauthenticated file upload vulnerability in VMware vCenter Server's CEIP analytics service. Disclosed September 2021, it allowed any attacker with network access to the vCenter HTTPS interface to upload an arbitrary file and achieve remote code execution as the vCenter service account — effectively granting control of every managed virtual machine. Mass exploitation began within 48 hours of disclosure.

September 21, 2021 · 10 min read
#22
CVE REFERENCE

CVE-2021-40444 Explained: The MSHTML Remote Code Execution Vulnerability

CVE-2021-40444 is a remote code execution vulnerability in the MSHTML (Trident) browser engine built into Windows. A malicious Office document embedding a specially crafted ActiveX control causes MSHTML to download and execute a malicious DLL from an attacker-controlled server. No macros are used. No Enable Content prompt appears. The exploit was used in targeted attacks before Microsoft patched it.

September 7, 2021 · 9 min read
#21
CVE REFERENCE

CVE-2021-40539: ManageEngine ADSelfService Plus Authentication Bypass and RCE

CVE-2021-40539 is a critical authentication bypass and remote code execution vulnerability in ManageEngine ADSelfService Plus (versions before build 6114), patched in September 2021. The flaw allowed unauthenticated attackers to access protected REST API endpoints and upload a JSP webshell, achieving code execution on the server. APT41 and at least two other threat actor clusters exploited it against U.S. defense contractors, academic institutions, and critical infrastructure. CVSS 9.8.

September 7, 2021 · 10 min read
#20
CVE REFERENCE

CVE-2021-26084 Explained: Confluence Server OGNL Injection and Mass Exploitation

CVE-2021-26084 is a server-side template injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker can inject OGNL expressions via query parameters, achieving remote code execution on the Confluence server. The vulnerability was exploited at mass scale within hours of public PoC release, with ransomware groups and nation-state actors among the first adopters.

August 25, 2021 · 9 min read
#19
CVE REFERENCE

CVE-2021-34473 Explained: ProxyShell, the Pre-Auth Exchange RCE Chain

CVE-2021-34473 is the first link in the ProxyShell exploit chain — three Microsoft Exchange Server vulnerabilities that together enable unauthenticated remote code execution. Chained with CVE-2021-34523 and CVE-2021-31207, an attacker can reach Exchange's backend PowerShell endpoint without credentials, impersonate any mailbox user, and write arbitrary files to Exchange's web root to deploy a web shell.

July 13, 2021 · 11 min read
#18
CVE REFERENCE

CVE-2021-34527 Explained: PrintNightmare and RCE via Windows Print Spooler

CVE-2021-34527 (PrintNightmare) is a critical vulnerability in the Windows Print Spooler service enabling remote code execution with SYSTEM privileges. A proof-of-concept was accidentally published publicly on June 29, 2021, triggering emergency out-of-band patches and immediate mass exploitation.

July 2, 2021 · 8 min read
#17
CVE REFERENCE

CVE-2021-21985 Explained: VMware vCenter Server Remote Code Execution

CVE-2021-21985 is a critical remote code execution vulnerability in VMware vCenter Server's vSphere Client web interface. An unauthenticated attacker with network access to vCenter's HTTPS port can send a specially crafted request to the Virtual SAN Health Check plugin — enabled by default — to achieve RCE with root or SYSTEM privileges on the vCenter server. Compromise of vCenter means control over every virtual machine in the managed infrastructure.

May 25, 2021 · 9 min read
#16
CVE REFERENCE

CVE-2021-26855 Explained: ProxyLogon and the Microsoft Exchange Mass Exploitation Event

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allowing an unauthenticated attacker to bypass authentication and impersonate the Exchange server. Chained with CVE-2021-27065, it achieves pre-authentication RCE. Over 250,000 Exchange servers were compromised within days of public disclosure.

March 10, 2021 · 10 min read
#15
CVE REFERENCE

CVE-2021-3156: Baron Samedit Sudo Heap Overflow — Any Local User to Root

CVE-2021-3156, named Baron Samedit, is a heap-based buffer overflow in the sudo utility that allows any unprivileged local user to gain root privileges without authentication, without being listed in the sudoers file, and without any race condition. Present in sudo for nearly 10 years, it affects every major Linux distribution. Qualys developed working exploits for Ubuntu 20.04, 18.04, Debian 10, and Fedora 33 default installations.

January 26, 2021 · 9 min read
#14
CVE REFERENCE

CVE-2021-27101 Explained: Accellion FTA SQL Injection and the CLOP Ransomware Campaign

CVE-2021-27101 is a critical SQL injection vulnerability in Accellion FTA (File Transfer Appliance) that allows unauthenticated remote code execution. Exploited by the CLOP ransomware group beginning in December 2020, the vulnerability was used to steal sensitive files from over 100 organizations including government agencies, universities, law firms, and financial institutions, without deploying ransomware encryption.

January 23, 2021 · 10 min read
#13
CVE REFERENCE

CVE-2020-14882: Oracle WebLogic Console Authentication Bypass and RCE Explained

CVE-2020-14882 is a critical authentication bypass in the Oracle WebLogic Server web-based administration console. Chained with CVE-2020-14883, it enables unauthenticated remote code execution on one of the most widely deployed Java EE application servers in enterprise environments. Exploitation began within days of Oracle's October 2020 Critical Patch Update and was adopted by nation-state actors and ransomware operators.

October 20, 2020 · 10 min read
#12
CVE REFERENCE

CVE-2020-1472 Explained: Zerologon and Instant Active Directory Domain Compromise

CVE-2020-1472 (Zerologon) is a 10.0 CVSS critical vulnerability in the Windows Netlogon Remote Protocol. A cryptographic flaw allows an attacker with network access to a domain controller to set the machine account password to empty, then impersonate the DC to achieve instant domain compromise in approximately 10 seconds.

September 14, 2020 · 9 min read
#11
CVE REFERENCE

CVE-2020-1350: SigRed — The Wormable Windows DNS Server RCE

CVE-2020-1350 (SigRed) is a critical wormable remote code execution vulnerability in Windows DNS Server discovered by Check Point Research and patched in July 2020. A crafted DNS response can trigger a heap overflow in dns.exe, granting SYSTEM-level code execution on any Windows Server configured as a DNS resolver — with no authentication and no user interaction required. CVSS 10.0.

July 14, 2020 · 10 min read
#10
CVE REFERENCE

CVE-2020-5902 Explained: F5 BIG-IP TMUI Remote Code Execution

CVE-2020-5902 is a critical remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI). An unauthenticated attacker with network access to the TMUI can execute arbitrary system commands, create or delete files, enable or disable services, and fully compromise the BIG-IP device. With a CVSS score of 10.0, this vulnerability was exploited within hours of F5's advisory.

July 1, 2020 · 9 min read
#09
CVE REFERENCE

CVE-2020-0796 Explained: SMBGhost, the Wormable Windows 10 Kernel Vulnerability

CVE-2020-0796 (SMBGhost) is an integer overflow vulnerability in the SMBv3 compression feature introduced in Windows 10 1903. An unauthenticated attacker can achieve remote code execution in kernel context by sending a specially crafted compressed SMBv3 packet. No credentials or user interaction are required, making it wormable across any network where port 445 is reachable.

March 12, 2020 · 10 min read
#08
CVE REFERENCE

CVE-2019-19781 Explained: Citrix ADC and Gateway Path Traversal RCE

CVE-2019-19781 is a pre-authentication path traversal vulnerability in Citrix ADC (NetScaler ADC) and Citrix Gateway that allows unauthenticated attackers to execute arbitrary OS commands. Exploited at mass scale before patches were released, it was used by nation-state APT groups and ransomware operators to compromise enterprise and government VPN gateways worldwide.

December 17, 2019 · 10 min read
#07
CVE REFERENCE

CVE-2019-11510 Explained: Pulse Secure VPN Arbitrary File Read and Credential Theft

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. An unauthenticated attacker can retrieve the VPN's configuration file and stored credentials — including plaintext passwords and cached Active Directory credentials — from any affected device reachable on the internet. Widely exploited by ransomware groups, APTs, and credential brokers.

August 22, 2019 · 10 min read
#06
CVE REFERENCE

CVE-2018-13379 Explained: Fortinet FortiGate VPN Path Traversal and Credential Exposure

CVE-2018-13379 is a pre-authentication path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read system files from the VPN appliance by crafting a malicious URL, including session files that contain plaintext credentials. Credentials from over 87,000 FortiGate devices were published publicly in 2021 — many from devices patched but with credentials never rotated.

May 24, 2019 · 9 min read
#05
CVE REFERENCE

CVE-2019-0708 Explained: BlueKeep, the Wormable RDP Vulnerability in Legacy Windows

CVE-2019-0708 (BlueKeep) is a critical pre-authentication RCE vulnerability in Windows Remote Desktop Services affecting Windows XP, Vista, 7, and Server 2003/2008. Like EternalBlue, it is wormable — requiring no credentials or user interaction — and was rated 9.8 CVSS by NVD.

May 14, 2019 · 8 min read
#04
CVE REFERENCE

CVE-2017-0144 Explained: EternalBlue, the NSA Exploit Behind WannaCry and NotPetya

CVE-2017-0144 is the SMBv1 remote code execution vulnerability targeted by EternalBlue, an exploit originally developed by the NSA and leaked by the Shadow Brokers in April 2017. It powered both WannaCry and NotPetya, two attacks that caused a combined $30+ billion in global damages.

May 15, 2017 · 11 min read
#03
CVE REFERENCE

CVE-2017-5638 Explained: The Apache Struts Flaw Behind the Equifax Breach

CVE-2017-5638 is a remote code execution vulnerability in Apache Struts 2's Jakarta Multipart parser. By injecting an OGNL expression into the Content-Type header of an HTTP POST request, an unauthenticated attacker can execute arbitrary OS commands. The vulnerability was actively exploited to breach Equifax, exposing 147 million records.

March 7, 2017 · 11 min read
#02
CVE REFERENCE

CVE-2014-6271: Shellshock Bash Vulnerability Explained, Exploit, and Mitigation

CVE-2014-6271, known as Shellshock, is a remote code execution vulnerability in GNU Bash where function definitions stored in environment variables execute appended commands at shell startup. Any service passing attacker-controlled data through environment variables into Bash, primarily CGI-based web applications, is exploitable without authentication via a single HTTP request. It affected an estimated 500 million systems at disclosure.

September 24, 2014 · 11 min read
#01
CVE REFERENCE

CVE-2014-0160 Explained: Heartbleed and the Vulnerability That Broke the Internet

CVE-2014-0160 (Heartbleed) is a critical information disclosure vulnerability in OpenSSL 1.0.1 through 1.0.1f. It allows attackers to read up to 64KB of server memory per request — including private SSL keys, session cookies, and credentials — with zero authentication and no server-side logging.

April 7, 2014 · 10 min read