Briefs

This brief outlines a threat involving the creation of new Office macro files, potentially indicating malicious activity such as phishing or malware distribution, targeting Windows systems.

DevSpace's UI server WebSocket accepts connections from any origin, enabling attackers to access pod logs, interactive shells, and execute commands via cross-origin WebSocket connections; versions up to 6.3.20 are affected, patched in 6.3.21.

Attackers may disable User Account Control (UAC) by modifying specific registry values, allowing them to execute code with elevated privileges, bypass security restrictions, and potentially escalate privileges on Windows systems.

Attackers use PowerShell commands like Set-MpPreference or Add-MpPreference, often with base64 encoding, to disable or weaken Windows Defender security settings in order to evade detection and execute malicious payloads.

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 are vulnerable to OS command injection (CVE-2022-50994) in the CGI login handler, allowing unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter if the target account has MOTP enabled.

ELBA5 version 5.8.0 contains a remote code execution vulnerability (CVE-2018-25272) that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions, potentially leading to complete system compromise.

epa4all-client is vulnerable to a signature verification bypass where the ECDSA signature verification discards the boolean return value, allowing any structurally valid signature to be considered trusted.

The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.

An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.

The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.

fast-uri versions 3.1.0 and earlier are vulnerable to path traversal due to decoding percent-encoded path separators and dot segments before dot-segment removal, potentially leading to bypasses of path-based policy enforcement.

A command injection vulnerability (CVE-2026-7220) exists in jackwrichards FastlyMCP allowing remote attackers to execute arbitrary OS commands by manipulating the command argument in the fastly-mcp.mjs file.

This rule detects the creation or execution of files or processes with names containing the Right-to-Left Override (RTLO) character, which can be used to disguise the file extension and trick users into executing malicious files on Windows systems.

This rule detects command and control activity associated with the FIN7 threat group, which is known to use domain generation algorithms (DGA) to maintain persistence in their target's network by identifying network traffic using TLS or HTTP protocols to domains with a specific pattern.

free5GC's SMF is vulnerable to an unauthenticated denial-of-service attack where a crafted DELETE request to the /upi/v1/upNodesLinks/{ref} endpoint triggers a nil-pointer dereference, causing a panic and mutating the in-memory user-plane topology, impacting the selection of UPFs for legitimate UE sessions.

A path traversal vulnerability exists in geekgod382 filesystem-mcp-server version 1.0.0 allowing remote attackers to access unauthorized files due to insufficient path validation in the is_path_allowed function.

The GeekyBot WordPress plugin is vulnerable to SQL Injection, allowing unauthenticated attackers to extract sensitive information from the database by manipulating the 'attributekey' parameter.

Detection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.

A command injection vulnerability (CVE-2026-6980) in Divyanshu-hash GitPilot-MCP up to version 9ed9f153ba4158a2ad230ee4871b25130da29ffd allows remote attackers to execute arbitrary commands by manipulating the 'command' argument in the repo_path function of main.py, and public exploit code is available.

A newline injection vulnerability in GitPython's `config_writer().set_value()` function enables remote code execution by manipulating the `core.hooksPath` Git configuration.

Gotenberg version 8.30.1 and earlier is vulnerable to argument injection, where an unauthenticated attacker can inject arbitrary ExifTool pseudo-tags via newline characters in metadata values, leading to arbitrary file manipulation within the container filesystem.

Heimdall is vulnerable to an authorization bypass due to a path normalization mismatch between Heimdall and downstream components, potentially leading to unauthorized access and privilege escalation.

Heimdall performs case-sensitive host matching, which can lead to policy bypass because HTTP hostnames are case-insensitive, potentially leading to unauthorized access, data modification, or privilege escalation if the request host is part of the rule.

A high number of process terminations (stop, delete, or suspend) from the same Windows host within a short time period may indicate malicious activity such as an attacker attempting to disable security measures or prepare for ransomware deployment.

A specially constructed QUIC package can crash the Hysteria server due to an out-of-memory (OOM) condition when the 'sniff' option is enabled, leading to a denial of service.

This brief describes the detection of 'impossible travel' events in Azure AD, where a user appears to log in from geographically distant locations within an implausibly short time frame, potentially indicating account compromise.

This rule detects the execution of kubeletctl inside a container, which can be used to enumerate the Kubelet API or other resources inside the container, potentially indicating lateral movement attempts within the pod.

Detection of Kubernetes Secrets listing from non-loopback clients targeting cluster-wide secrets or sensitive namespaces, potentially indicating unauthorized credential access or discovery.

The Lazarus APT group is distributing a trojanized macOS application named UnionCryptoTrader.dmg that installs a launch daemon for persistence, downloads and executes secondary payloads in-memory, and communicates with the command and control server unioncrypto.vip.

link-preview-js versions 4.0.0 and earlier are vulnerable to IPv6 and internal loopback attacks, allowing potential internal data leaks by resolving addresses to internal IPs; patched in version 4.0.1.