Briefs

i18next-http-middleware versions before 3.9.3 are vulnerable to HTTP response splitting and denial-of-service attacks due to unsanitized Content-Language headers, potentially leading to session fixation, cache poisoning, reflected XSS, or complete service disruption depending on the Node.js version.

This rule detects incoming execution via Windows Remote Management (WinRM) remote shell on a target host, which could be an indication of lateral movement by monitoring network traffic on ports 5985 or 5986 and processes initiated by WinRM.

Adversaries may leverage Windows Background Intelligent Transfer Service (BITS) to download executable and archive files to evade defenses and establish command and control.

Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.

The IOBit Unlocker Extension DLL is being registered via regsvr32.exe, a Windows utility used to unlock files or folders by terminating locking processes, which could be abused for malicious purposes.

A server-side request forgery vulnerability exists in JoeCastrom mcp-chat-studio up to version 1.5.0 in the LLM Models API component, allowing remote attackers to manipulate the req.query.base_url argument and potentially conduct further attacks.

Jupyter Server versions 2.17.0 and earlier are vulnerable to a CORS origin validation bypass due to improper use of `re.match()` in validating the Origin header against the `allow_origin_pat` configuration, allowing attackers to bypass CORS restrictions.

An oversight in the CopyFile policy in Kata Containers allows untrusted hosts to write to arbitrary locations inside the guest workload image via symlinks, enabling binary overwrites and data exfiltration.

Katalyst Koi versions before 4.20.0 and between 5.0.0 and 5.6.0 fail to invalidate admin session cookies upon logout, allowing attackers with a valid cookie to maintain unauthorized access.

Keras model loader is vulnerable to denial-of-service by loading specially crafted .keras files containing HDF5-based weight files with maliciously oversized dataset metadata, leading to immediate memory exhaustion during model loading.

Kirby CMS versions before 4.9.0 and between 5.0.0 and 5.3.3 contain a missing authorization vulnerability, allowing authenticated Panel users to access site model, user, and role information without proper permission checks, potentially leading to unauthorized information disclosure.

This rule detects Linux process executions that access sensitive Kubernetes, cloud, and SSH credential files via common utilities, potentially indicating credential theft.

Detection of Kubernetes pod exec sessions accessing cloud instance metadata endpoints, indicating potential credential theft from AWS, GCP, or Azure.

This rule flags potential reverse shell activity via kubectl exec commands in Kubernetes pods by detecting specific shell and socket idioms within URL-decoded command payloads in Kubernetes audit logs, indicating post-exploitation interactive access and command-and-control.

Detects an unusual volume of Kubernetes API get requests against multiple distinct Secret objects from the same client fingerprint, potentially indicating credential access or in-cluster reconnaissance.

Detects read access to Kubernetes Secrets (`get`/`list`) with a user agent matching a curated set of non-standard or attacker-leaning clients, indicating potential credential access.

The LatePoint WordPress plugin is vulnerable to stored XSS via the booking_form_page_url parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user accesses the injected page.

Detection of abnormal Linux audit daemon (auditd) termination via DAEMON_ABORT events, indicating potential auditing subsystem failure due to resource exhaustion, corruption, or malicious interference.

Detection of 'pkill' command execution on Linux systems, a technique used by threat actors to disable security defenses or terminate critical processes, potentially leading to data corruption or destruction.

This brief details a Splunk search that identifies suspicious command-line activity modifying iptables firewall settings on Linux systems, potentially indicating Cyclops Blink malware activity allowing C2 communication by opening specific TCP ports.

A local privilege escalation vulnerability exists in the Linux Kernel versions ~3.14+ through 6.18-rc5 due to a use-after-free in the proc_readdir_de() function, where a concurrent traversal can dereference a freed entry's fields during network device unregistration, leading to privilege escalation via modprobe_path overwrite.

A vulnerability in liquidjs versions prior to 10.25.7 allows for denial of service due to a circular block reference in the layout, causing an infinite recursive loop that exhausts memory and crashes the Node.js process.

Authenticated users with low-privilege API keys could execute arbitrary commands on the host running LiteLLM via the `/mcp-rest/test/connection` and `/mcp-rest/test/tools/list` endpoints, by submitting a server configuration including command execution parameters.

Adversaries can use Living-Off-The-Land Binaries (LOLBINs) such as expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to establish network connections, potentially bypassing security controls and facilitating malicious activities on Windows systems.

Attackers modify LSA PPL protection settings via command-line tools like reg.exe and PowerShell to weaken system security and enable credential dumping.

The kev_msg_post function can be abused by malware to broadcast process creation notifications from a kernel extension (kext) to a user-mode application, potentially bypassing security tools that rely on standard APIs and leading to undetected malicious activity.

A local privilege escalation vulnerability in macOS allows attackers to gain root privileges by hijacking dylibs in applications installed from the Mac App Store.

A bug in macOS Mojave causes a system lockup when the vmmap utility is executed against process ID 1 (launchd), due to a deadlock triggered by XPC calls during symbolication.

macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.

Attackers can abuse Microsoft Intune device management configuration policies, typically used for legitimate remote device management, to disable defenses and evade detection on managed devices.