January 2024 (30)
Beghelli Sicuro24 SicuroWeb AngularJS Sandbox Escape via Template Injection
2 rules, 1 TTP, 1 CVE
Beghelli Sicuro24 SicuroWeb is vulnerable to arbitrary JavaScript execution because it embeds an end-of-life AngularJS 1.5.2 component with known sandbox escape primitives; combined with template injection, this lets attackers compromise operator browser sessions via MITM attacks.
Betheme WordPress Theme Arbitrary File Upload Vulnerability
2 rules, 1 TTP, 1 CVE
The Betheme theme for WordPress is vulnerable to arbitrary file upload, allowing authenticated attackers with author-level privileges or higher to upload arbitrary files, including PHP, leading to remote code execution.
changedetection.io Arbitrary Local File Read via Crafted Backup Restore
2 rules, 1 TTP
changedetection.io is vulnerable to arbitrary local file read due to insufficient validation of snapshot paths restored from backup files, allowing attackers to read sensitive files by crafting a malicious backup archive containing a manipulated `history.txt` file.
ChatGPTNextWeb NextChat Improper Authorization Vulnerability (CVE-2026-7644)
1 rule, 1 TTP, 1 CVE
CVE-2026-7644 is an improper authorization vulnerability in the addMcpServer function of ChatGPTNextWeb NextChat version 2.16.1 and earlier; with the exploit publicly disclosed, remote exploitation is possible.
ChatGPTNextWeb NextChat SSRF Vulnerability (CVE-2026-7178)
2 rules, 1 TTP, 1 CVE
ChatGPTNextWeb NextChat versions up to 2.16.1 are vulnerable to server-side request forgery (SSRF) due to improper input validation in the storeUrl function, allowing remote attackers to potentially access internal resources or conduct other malicious activities.
Chmod Activity Targeting Sensitive Linux Directories
2 rules, 1 TTP
Attackers may use chmod to modify file permissions within sensitive Linux directories such as /tmp/, /etc/, and /opt/ to maintain persistence, escalate privileges, or disrupt system operations.
Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability
2 rules, 1 TTP, 1 CVE
A vulnerability in Cisco ACI Multi-Site CloudSec encryption allows a remote attacker to read or modify intersite encrypted traffic due to a flaw in the cipher implementation.
Cisco ASA Logging Disabled via CLI
2 rules
Detection of disabled logging functionality on a Cisco ASA device via CLI commands, indicating potential defense evasion by adversaries.
Cisco ASA Logging Filters Configuration Tampering
2 rules, 1 TTP
Tampering with logging filter configurations on Cisco ASA devices can allow attackers to evade detection by reducing logging levels or disabling specific log categories.
Cisco Secure Endpoint Tampering via SFC Utility
2 rules, 1 TTP
An attacker attempts to disable the Immunet Protect service of Cisco Secure Endpoint by leveraging the `sfc.exe` utility with the `-k` parameter, potentially blinding the EDR for further compromise.
Cisco Secure Endpoint Tampering via SFC Utility
2 rules
The `sfc.exe` utility is being used with the `-unblock` parameter, a feature within Cisco Secure Endpoint, to remove system blocks imposed by the endpoint protection, potentially indicating an attempt to bypass security measures and execute blocked malicious payloads.
Cisco Secure Endpoint Uninstallation via SFC Utility
2 rules
The `sfc.exe` utility is used with the `-u` parameter to uninstall Cisco Secure Endpoint components, potentially disabling endpoint protection and facilitating further exploitation.
CKAN Unauthenticated SQL Injection in datastore_search_sql
2 rules, 1 TTP
An unauthenticated SQL injection vulnerability in CKAN's `datastore_search_sql` function allows attackers to access private resources and PostgreSQL system information, affecting versions prior to 2.10.10 and versions 2.11.0 through 2.11.4.
Cline Kanban Server Cross-Origin WebSocket Hijacking Vulnerability
3 rules, 4 TTPs, 1 IOC
The `kanban` npm package, used by the `cline` CLI, has a cross-origin WebSocket hijacking vulnerability. Because the Origin header is not validated, any website can connect to the kanban server via WebSocket and leak sensitive data, hijack running AI agent terminals (leading to remote code execution), or kill running agent tasks, resulting in information disclosure, RCE, and denial of service.
Cobalt Strike PowerShell Loader Detection
2 rules, 2 TTPs
This brief details a detection for a PowerShell loader pattern commonly used with Cobalt Strike to decompress and execute payloads, often observed in scripted web delivery attacks.
Command Execution via ForFiles Utility
2 rules, 1 TTP
Adversaries may use the Windows forfiles utility to proxy command execution via a trusted parent process, potentially evading detection.
Command Obfuscation via Unicode Modifier Letters
2 rules, 1 TTP
Adversaries use Unicode modifier letters to obfuscate command-line arguments, evading string-based detections on common Windows utilities like PowerShell and cmd.exe.
Component Object Model (COM) Hijacking via Registry Modification
2 rules, 4 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to COM objects, using Component Object Model (COM) hijacking via registry modification on Windows systems.
CVE-2019-1547 ECDSA Remote Timing Attack Vulnerability
2 rules
CVE-2019-1547 is a security vulnerability that could allow a remote timing attack against ECDSA.
CVE-2026-28390 NULL Dereference in CMS KeyTransportRecipientInfo Processing
2 rules, 1 CVE
CVE-2026-28390 is a possible NULL pointer dereference when processing CMS KeyTransportRecipientInfo, potentially leading to a denial-of-service condition.
CVE-2026-7337 Type Confusion Vulnerability in Chromium V8 Engine
2 rules, 1 TTP, 1 CVE
CVE-2026-7337 is a type confusion vulnerability in the V8 JavaScript engine that affects Google Chrome and Microsoft Edge (Chromium-based).
D-Link DI-8100 Remote Buffer Overflow Vulnerability (CVE-2026-7853)
2 rules, 1 TTP, 1 CVE
D-Link DI-8100 version 16.07.26A1 is vulnerable to a remote buffer overflow in the `sprintf` call within the `/auto_reboot.asp` file's HTTP handler component due to improper handling of the `enable/time` argument, potentially leading to arbitrary code execution.
Deletion of Critical Scheduled Tasks
2 rules, 1 TTP
Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.
Denial of Service Vulnerability in marked via Infinite Recursion
2 rules, 1 TTP
A denial of service vulnerability exists in marked version 18.0.0 due to infinite recursion when processing a specific 3-byte sequence (tab, vertical tab, and newline), leading to unbounded memory allocation and an application crash.
Detect Suspicious WMI Event Subscription Creation for Persistence
2 rules, 1 TTP
This threat brief details the detection of malicious Windows Management Instrumentation (WMI) event subscriptions, a technique used by attackers for persistence and privilege escalation on Windows systems.
Detect Windows Downdate Registry Activity
2 rules, 2 TTPs
This detection identifies registry modifications associated with the Windows Downdate attack, specifically pending.xml file modifications outside standard locations, which could force a Windows downgrade for exploitation.
Detect Windows Netspy Network Scanner Execution
2 rules, 2 TTPs
The Netspy network scanner, a tool for internal network discovery, is executed on a Windows endpoint to enumerate active hosts and services, potentially for reconnaissance purposes.
Detecting Disabling of Windows Defender Sample Submission
2 rules
An attacker modifies the Windows registry to disable the Windows Defender Submit Samples Consent feature, preventing the submission of suspicious files for analysis and potentially evading detection.
Detecting Persistence via Parsing macOS Login Item Files
2 rules, 1 TTP
This brief details a method for parsing macOS login item files to detect persistence mechanisms employed by malware or threat actors.
Detecting Spikes in Active Directory Object Modifications
2 rules, 1 TTP
This detection identifies a spike in Active Directory group or object modifications, potentially indicating unauthorized access, defense impairment, or persistence establishment by threat actors.