Argo Workflows is vulnerable to a denial-of-service (DoS) attack due to unbounded memory allocation in the Webhook Interceptor component.

Gotenberg is vulnerable to an ExifTool tag blocklist bypass, allowing unauthenticated attackers to rename, move, and modify permissions of files within the container by using group-prefixed tag names like 'System:FileName' or the 'FilePermissions' tag in HTTP requests.

The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.

This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.

Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.

This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.

Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.

Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.

Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.

Detection of a Windows DNS record creation event (5137) with an ObjectDN attribute containing 'DC=wpad', which indicates a potential WPAD spoofing attack to enable privilege escalation and lateral movement.

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

Attackers are abusing the legitimate file synchronization tool rclone, often renamed to masquerade as legitimate software, to exfiltrate data to cloud storage or remote endpoints.

Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.

Attackers can modify Active Directory object security descriptors to grant DCSync rights to unauthorized accounts, creating a backdoor to extract credential data.

The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.

Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.

The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.

Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.

A remote, anonymous attacker can exploit multiple vulnerabilities in mutt to bypass security measures and cause a denial-of-service condition.

A local attacker can exploit a vulnerability in libexif to potentially execute arbitrary code, cause a denial of service, or disclose sensitive information.

Multiple vulnerabilities in Grafana allow a remote, anonymous attacker to conduct a Cross-Site Scripting attack or disclose information.

CVE-2025-14320 is a reflected cross-site scripting (XSS) vulnerability in Tegsoft Online Support Application versions V3 through 31122025, allowing attackers to inject arbitrary web scripts into user browsers.

Multiple vulnerabilities in Rapid7 Velociraptor could allow an attacker to disclose information or cause a denial of service.

osrg GoBGP up to version 4.3.0 is vulnerable to an integer underflow in the parseRibEntry function, potentially allowing a remote attacker to cause a denial of service or other unspecified impacts; version 4.4.0 addresses this issue.

CVE-2026-37555 is a vulnerability affecting a Microsoft product, requiring further investigation upon patch release.

The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.

A buffer overflow vulnerability exists in TRENDnet TEW-821DAP version 1.12B01, allowing a remote attacker to execute arbitrary code by manipulating the 'str' argument in the auto_update_firmware function of the Firmware Update component.

The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.

An integer overflow vulnerability exists in libssh2 versions up to 1.11.1 within the userauth_password function of src/userauth.c, which can be triggered remotely by manipulating username_len/password_len arguments.

Adversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.

The rule detects when an EC2 instance role session calls AWS STS GetCallerIdentity from a new source autonomous system (AS) organization name, indicating potential credential theft and verification from outside expected egress paths.

This rule detects the initial use of AWS discovery APIs from VPN-associated ASNs by a previously unseen identity, indicating potential reconnaissance activity.

Prosody versions before 0.12.6, versions 1.0.0 through 13.0.0, and before version 13.0.5 are vulnerable to a denial of service due to memory leaks from unauthenticated connections, leading to memory exhaustion.

CVE-2026-41526 is a vulnerability affecting an unspecified Microsoft product, requiring further investigation upon patch release for exploitation details.

CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.

IBM Langflow Desktop versions 1.0.0 through 1.8.4 are vulnerable to an indirect object reference (IDOR) vulnerability (CVE-2026-4503), allowing unauthenticated users to view other users' images due to a user-controlled key.

A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.

The experimental `hickory-recursor` crate in Hickory DNS is vulnerable to cross-zone cache poisoning due to storing DNS records keyed by record name/type instead of query, enabling an attacker to redirect queries for a victim zone to an attacker-controlled nameserver.

MeWare PDKS versions V16.20200313 before VMYR_3.5.2025117 are vulnerable to improper control of interaction frequency, potentially leading to flooding attacks.

A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.

A path traversal vulnerability in ABB PCM600 versions 1.5 to 2.13 (CVE-2018-1002208) allows a local attacker with low privileges to execute arbitrary code by sending a specially crafted message to the system node.

A remote, unauthenticated attacker can exploit an unpatched vulnerability in libsndfile to cause a denial of service.

Multiple vulnerabilities in DNSdist can be exploited by an attacker to perform a denial of service attack, impacting the availability of DNS services.

CVE-2026-32283 is a vulnerability in crypto/tls that allows unauthenticated TLS 1.3 KeyUpdate records, leading to persistent connection retention and a denial-of-service condition.

CVE-2026-28388 is a NULL Pointer Dereference vulnerability in an unspecified Microsoft product when processing a Delta CRL, potentially leading to a denial-of-service condition.

Microsoft published information regarding CVE-2026-32776, however, further details require JavaScript to be enabled, limiting the actionable intelligence at this time.

Microsoft published information regarding vulnerability CVE-2026-32778, but no details regarding the vulnerability are available at this time.

CVE-2026-34073 is a vulnerability in unspecified Microsoft products due to incomplete DNS name constraint enforcement on peer names, potentially leading to certificate validation bypass.

CVE-2026-7468 is an improper access control vulnerability in 1024-lab smart-admin up to version 3.30.0, affecting the /smart-admin-api/druid/index.html file, which can be exploited remotely.

A cross-site scripting (XSS) vulnerability affects Netgate pfSense CE (<= 2.8.1) and pfSense Plus (<= 26.03), potentially allowing attackers to inject malicious code.

Multiple vulnerabilities in SonicWall firewalls could allow an attacker to cause a remote denial of service and security policy bypass, potentially disrupting network services and compromising security controls.

Admidio's SAML Identity Provider implementation fails to properly validate signatures on SAML AuthnRequests and LogoutRequests, enabling attackers to bypass signature enforcement, potentially disclose user attributes via forged SSO requests, and terminate user sessions via forged SLO requests.

OpenClaw before 2026.3.28 is vulnerable to webhook replay attacks due to improper signature verification, allowing attackers to reorder query parameters and trigger duplicate voice-call processing.

OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to exhaust server resources by sending malicious Teams webhook payloads.

Generative AI can be used to rapidly deploy adaptive honeypot systems that simulate diverse environments, like Linux shells or IoT devices, to trick and observe AI-driven attacks that prioritize speed over stealth.

A remote, anonymous attacker can exploit multiple vulnerabilities in GNU libc to execute arbitrary program code, cause a denial-of-service condition, or disclose sensitive information.

CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.

CVE-2026-41898 describes a vulnerability in rust-openssl where unchecked callback-returned length in PSK and cookie generation can cause OpenSSL to leak adjacent memory to a network peer.

A vulnerability in OpenTelemetry-Go related to the extraction of multi-value baggage headers can lead to excessive resource allocation, resulting in a remote denial-of-service amplification.

CoreDNS' DNS-over-QUIC (DoQ) server can be driven into large goroutine and memory growth by a remote client that opens many QUIC streams and stalls after sending only 1 byte, leading to denial of service in versions before 1.14.3.

OpenClaw before 2026.3.28 is vulnerable to a denial-of-service attack by accepting unbounded concurrent unauthenticated WebSocket upgrades, allowing attackers to exhaust server resources.

A server-side request forgery (SSRF) vulnerability in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote attackers to manipulate the proxyHandler function, potentially leading to unauthorized internal resource access.

This brief focuses on detecting deletion actions within GitHub audit logs, specifically targeting the deletion of codespaces, environments, projects, and repositories, potentially indicating malicious activity or insider threats.

A Google Workspace login attempt flagged as a potential attack by a government-backed threat actor, indicating potential privilege escalation, defense evasion, persistence, initial access, or impact.

Attackers can achieve persistence and privilege escalation on Linux systems by creating or modifying files in the /etc/sudoers.d/ directory to grant unauthorized users or groups sudo privileges.

A server-side request forgery (SSRF) vulnerability exists in Typecho up to version 1.3.0, allowing remote attackers to manipulate the X-Pingback/link argument in the Service::sendPingHandle function to potentially make arbitrary HTTP requests.

CVE-2026-31622 describes a vulnerability related to an NFC bounds check issue, specifically a failure to properly validate NFC-A cascade depth in the SDD response handler within Microsoft products, potentially leading to unexpected behavior or security compromise.

CVE-2026-23398 is a vulnerability related to a NULL pointer dereference in the ICMP protocol, potentially leading to a denial-of-service condition in affected Microsoft products.

An improper authorization vulnerability (CVE-2026-6977) exists in vanna-ai vanna up to version 2.0.2 due to manipulation of an unknown function within the Legacy Flask API, potentially allowing remote attackers to bypass intended access restrictions.

CVE-2026-41080 is a vulnerability affecting a Microsoft product; the specific product, impact, and exploitation details are currently undisclosed.

OpenClaw before 2026.3.31 is vulnerable to cross-site request forgery (CSRF) attacks due to missing browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing attackers to perform unauthorized actions.

A malformed `workflows.argoproj.io/pod-gc-strategy` annotation in an Argo Workflow pod can trigger an unchecked array index in the `podGCFromPod()` function, leading to a controller-wide panic and denial-of-service.

The xmldom library is vulnerable to a denial-of-service (DoS) attack due to uncontrolled recursion in XML serialization leading to application crashes.

Multiple cross-site scripting (XSS) vulnerabilities in the web-based management interface of Cisco Integrated Management Controller (IMC) could allow a remote attacker to conduct an XSS attack against a user of the interface.

CVE-2026-22005 is a newly published vulnerability affecting a Microsoft product, requiring further investigation to determine the specific product, attack vector, and potential impact.

Microsoft has released information regarding the vulnerability CVE-2026-22004, but details about the vulnerability and its exploitation are currently unavailable.

CVE-2026-34303 is a vulnerability affecting an unspecified Microsoft product, requiring further investigation upon disclosure of details.

IBM WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.4 are susceptible to identity spoofing when applications are deployed without proper authentication and authorization configurations, potentially leading to unauthorized access and privilege escalation.

This rule detects DNS queries to known Large Language Model (LLM) domains by unsigned binaries or common Windows scripting utilities, indicating potential command and control activity leveraging LLMs for dynamic actions on compromised systems.

CVE-2026-24177 describes an authentication bypass vulnerability in NVIDIA KAI Scheduler that could allow unauthorized access to API endpoints, leading to information disclosure.

FreeScout versions before 1.8.214 are vulnerable to privilege escalation, allowing a low-privileged agent to reassign email addresses from hidden customers to visible customers, leading to information disclosure and unauthorized access to conversations.

FreeScout before 1.8.215 has an incorrect authorization vulnerability where a direct POST request to the `save_draft` AJAX path can create a draft inside a hidden conversation when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, potentially allowing unauthorized access or modification of data.

FreeScout versions before 1.8.215 are vulnerable to an incorrect authorization issue where users without conversation access can edit customer threads due to a flaw in the `ThreadPolicy::edit()` function.

A local attacker can exploit a vulnerability in util-linux to perform a denial of service attack and disclose sensitive information.

Multiple vulnerabilities in BigBlueButton can be exploited by an attacker to manipulate data and redirect users to attacker-controlled domains.

An unauthenticated attacker with network access via RDP can exploit CVE-2026-35245 in Oracle VM VirtualBox version 7.2.6 to cause a denial-of-service (DOS) condition.

ConnectWise Automate is vulnerable to CVE-2026-6066, a cleartext transmission of sensitive information vulnerability, where certain client-to-server communications could occur without transport-layer encryption, potentially allowing network-based interception of Solution Center traffic, and the issue is resolved in Automate 2026.4 by enforcing secure communication.

Cisco Catalyst SD-WAN Manager stores passwords in a recoverable format, allowing an authenticated local attacker to gain DCA user privileges by accessing a credential file.

Multiple vulnerabilities in libarchive can be exploited by a remote attacker to disclose information or cause a denial-of-service condition.

Microsoft released a security update for CVE-2026-41254, a vulnerability with unspecified details.

This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.

A spoofing vulnerability exists in Microsoft Power Apps, identified as CVE-2026-26149, potentially allowing an attacker to mislead users or gain unauthorized access.

Multiple vulnerabilities in Langflow allow an attacker to manipulate files, disclose sensitive information, or conduct cross-site scripting attacks.

Multiple vulnerabilities in Gitea could allow an attacker to disclose information, bypass security measures, and perform cross-site scripting attacks.

A server-side request forgery (SSRF) vulnerability exists in moxi624 Mogu Blog v2 up to version 5.2, specifically affecting the `LocalFileServiceImpl.uploadPictureByUrl` function, allowing remote attackers to potentially interact with internal resources.

A vulnerability in OpenClaw versions 2026.4.7 to before 2026.4.15 allows a crafted tool-result media reference to cause the host to attempt local file reads or Windows UNC/network path access, potentially disclosing files or network credentials.

Movary versions before 0.71.1 are vulnerable to server-side request forgery (SSRF) via the `/settings/jellyfin/server-url-verify` endpoint, allowing authenticated users to probe internal network resources.

A stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.6.10, allowing attackers to inject malicious scripts into the 'Member Name' field during member registration, leading to persistent execution upon user access.

Firebird FB3 client library incorrectly handles data lengths when communicating with FB4+ servers, leading to an information leak exploitable by a local attacker.

CVE-2026-6421 is an uncontrolled search path vulnerability in Mobatek MobaXterm Home Edition up to version 26.1, affecting msimg32.dll, that can be exploited locally with high complexity.

HashiCorp Vault is vulnerable to a denial-of-service (DoS) condition, identified as CVE-2026-5807, where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, preventing legitimate operators from completing these workflows.

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service, addressed in Vault versions 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

A type confusion vulnerability (CVE-2026-6363) in Google Chrome's V8 JavaScript engine before version 147.0.7727.101 allows a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page.

The PowMix botnet campaign targets Czech organizations, particularly HR, legal, and recruitment agencies, using compliance-themed lures delivered via phishing emails, with the attack employing a Windows shortcut file that executes a PowerShell loader to bypass AMSI and deploy the botnet payload in memory.

Weblate versions before 5.17 are vulnerable to path traversal due to improper verification of downloaded files in the ZIP download feature, potentially allowing attackers to access files outside the intended repository.

Git for Windows versions prior to 2.53.0.windows.3 are vulnerable to NTLM hash theft by attackers who can trick users into cloning malicious repositories or checking out malicious branches, leading to potential credential compromise.

CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.

An out-of-bounds read vulnerability in Microsoft Office Excel (CVE-2026-32188) allows a local attacker to potentially disclose sensitive information through a maliciously crafted Excel file.

An improper input validation vulnerability in Adobe ColdFusion versions 2023.18, 2025.6, and earlier (CVE-2026-27306) could lead to arbitrary code execution if a privileged user opens a specially crafted malicious file.

An authenticated remote attacker can exploit a vulnerability in Keycloak to perform a Cross-Site Scripting attack, potentially leading to unauthorized access and data compromise.

CVE-2026-32178 is a vulnerability in .NET that allows for network spoofing due to improper neutralization of special elements, potentially enabling attackers to impersonate legitimate entities.

Scripting engines such as WScript, CScript, and MSHTA are being used to make registry modifications, potentially for persistence or defense evasion.

A denial-of-service vulnerability exists in jq versions prior to commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784 due to the use of a hardcoded seed in MurmurHash3, enabling attackers to craft JSON objects that trigger hash collisions and cause excessive CPU consumption.

ImageMagick versions prior to 7.1.2-19 and 6.9.13-44 are susceptible to a denial-of-service (DoS) attack due to unbounded recursion during XML parsing, potentially leading to stack exhaustion.

An improper access control vulnerability in UniFi Play PowerAmp and Audio Port allows a malicious actor with access to the UniFi Play network to obtain WiFi credentials.

A use-after-free vulnerability, tracked as CVE-2026-34856, exists in Huawei's communication module due to improper synchronization in concurrent execution, potentially leading to a denial-of-service condition.

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to session fixation due to user-controlled request parameters being used to set the PHP session ID, potentially allowing attackers to hijack user sessions.

TREK collaborative travel planner before version 2.7.2 is vulnerable to missing authorization checks on the Immich trip photo management routes, potentially allowing unauthorized access to trip photos.

Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker requests access to the Device Registration Service on behalf of a user principal, potentially indicating an attempt to abuse device registration for unauthorized persistence.

A single user rapidly cloning a high number of GitHub repositories indicates potential exfiltration of sensitive data such as proprietary code, embedded secrets, and build artifacts.

An adversary with access to compromised AWS credentials may attempt to verify their validity and determine the account they are using by calling the STS GetCallerIdentity API, potentially indicating credential compromise and unauthorized discovery activity.

Detects a service principal authenticating to Azure AD followed by listing credentials for an Azure Arc-connected Kubernetes cluster, indicating potential adversary activity with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters.

Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.

A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.

Google's rollout of Device Bound Session Credentials (DBSC) in Chrome 146 for Windows, with a future release planned for macOS, cryptographically binds authentication sessions to the user's device, rendering stolen session cookies unusable and mitigating credential access.

CVE-2026-33797 is an improper input validation vulnerability in Juniper Networks Junos OS and Junos OS Evolved that allows an unauthenticated adjacent attacker to reset established BGP sessions via a specific BGP packet, leading to a denial of service condition.

Unauthenticated attackers can exploit a resource exhaustion vulnerability (CVE-2026-33756) in Saleor e-commerce platform versions before 3.23.0a3, 3.22.47, 3.21.54, and 3.20.118 by sending a single HTTP request with a large number of GraphQL operations, bypassing query complexity limits and exhausting server resources.

This rule detects the initial creation or modification of a macOS LaunchAgent or LaunchDaemon plist file by a Python process, a common persistence technique employed by attackers using malicious scripts, compromised dependencies, or model file deserialization.

LORIS, a neuroimaging research data management web application, is vulnerable to directory traversal (CVE-2026-35446) due to an incorrect order of operations in the FilesDownloadHandler, allowing authenticated attackers to access unauthorized files.

A remote, unauthenticated attacker can cause resource exhaustion in Saleor e-commerce platforms via maliciously crafted GraphQL API requests, leading to denial of service.

CVE-2026-32589 describes a vulnerability in Red Hat Quay's container image upload process where an authenticated user can interfere with other users' uploads, potentially leading to unauthorized access and modification.

CVE-2026-4498 allows an authenticated Kibana user with Fleet sub-feature privileges to read index data beyond their direct Elasticsearch RBAC scope due to improper privilege handling in debug route handlers.

Dell Elastic Cloud Storage and ObjectScale are vulnerable to local privilege escalation due to sensitive information being logged, potentially allowing a low-privileged attacker with local access to expose secrets and gain unauthorized access.

Malicious actors are exploiting OpenClaw, Moltbot, and Clawdbot AI coding agents via Node.js to execute arbitrary shell commands and download-and-execute commands, potentially targeting cryptocurrency wallets and credentials.

IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.37 stores sensitive information in log files, potentially exposing it to unauthorized local users, tracked as CVE-2026-4788.

CVE-2026-1343 allows an attacker to contact internal authentication endpoints protected by the Reverse Proxy in IBM Verify Identity Access Container and IBM Security Verify Access Container.

A remote, anonymous attacker can exploit a vulnerability in OpenSSH GSSAPI and Ubuntu Linux to trigger undefined behavior or a potential denial-of-service attack.

A cross-site request forgery (CSRF) vulnerability exists in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (versions n/a through 2.1.1), potentially allowing attackers to execute unauthorized actions on behalf of legitimate users.

Brave CMS versions prior to 2.0.6 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability allowing authenticated users with edit permissions to delete images attached to articles owned by other users due to missing ownership verification in the deleteImage method.

A heap-buffer-overflow read vulnerability exists in openFPGALoader 1.1.1 and earlier, allowing out-of-bounds heap memory access via a crafted .pof file, potentially leading to denial of service or information disclosure.

CVE-2026-21367 describes a transient denial-of-service vulnerability in Qualcomm products that occurs when processing nonstandard FILS Discovery Frames with out-of-range action sizes during initial scans, potentially leading to service disruption.

CVE-2026-25932 is a cross-site scripting vulnerability in GLPI versions 0.60 to before 10.0.24, where an authenticated technician user can store a malicious XSS payload within supplier fields, potentially leading to arbitrary code execution in the context of other users' browsers.

An unauthenticated attacker can cause a denial of service by crashing Microsoft VPN Browser+ 1.1.0.0 via oversized input to the search functionality, leading to application termination.

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.

Piwigo versions prior to 16.3.0 expose the full browsing history of gallery visitors to unauthenticated users via the pwg.history.search API method due to a missing authorization check.

Suricata versions 8.0.0 to before 8.0.4 exhibit a quadratic complexity vulnerability (CVE-2026-31934) when searching for URLs in MIME-encoded SMTP messages, leading to significant performance degradation and potential denial-of-service conditions; this is fixed in version 8.0.4.

Attackers are leveraging AI to rapidly reconnoiter and tailor content for smaller organizations, making it easier to execute business email compromise (BEC) scams and scam smaller sums from many victims, as demonstrated by a recent attack targeting a small community organization.

Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in the Distribution Lists report, allowing attackers to inject malicious scripts.

The openclaw package is vulnerable to arbitrary file read and credential exfiltration due to media local roots self-whitelisting in `appendLocalMediaParentRoots`, allowing a model to initiate arbitrary host file reads, potentially leading to credential exfiltration.

OpenSSH versions before 10.3 allow for the potential installation of setuid or setgid files when using scp to download files as root with the -O option (legacy SCP protocol) and without the -p option (preserve mode), contrary to user expectations.

Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 are vulnerable to information disclosure due to improper static file serving via a prefix matching issue in Rack::Static.

A server-side request forgery (SSRF) vulnerability exists in huimeicloud hm_editor up to version 2.2.3, allowing remote attackers to manipulate the 'url' argument in the client.get function of src/mcp-server.js to potentially access internal resources.

A denial of service vulnerability, CVE-2026-31935, exists in Suricata versions prior to 7.0.15 and 8.0.4, where flooding the system with crafted HTTP2 continuation frames leads to memory exhaustion and process termination.

Suricata versions prior to 7.0.15 are vulnerable to CVE-2026-31937, where inefficient DCERPC buffering can lead to a denial-of-service condition through performance degradation.

Suricata versions 8.0.0 to before 8.0.4 are vulnerable to a NULL dereference crash when using the 'tls.alpn' rule keyword, potentially leading to a denial of service.

An unauthenticated attacker can exploit CVE-2026-31932, a vulnerability in Suricata versions prior to 7.0.15 and 8.0.4, to cause performance degradation due to inefficient KRB5 buffering.

Specially crafted network traffic can cause Suricata to slow down, leading to a denial-of-service condition in versions prior to 7.0.15 and 8.0.4, as identified by CVE-2026-31933.

CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker controlling a path on the same web server to bypass URI redirect validation using a wildcard, potentially leading to access token theft and information disclosure.

The rule detects the creation or modification of an authorized_keys file inside a container, a technique used by adversaries to maintain persistence on a victim host by adding their own public key(s) to enable unauthorized SSH access for lateral movement or privilege escalation.

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability (CVE-2026-32929) in VS6ComFile!get_macro_mem_COM, where opening a crafted V7 file may lead to information disclosure.

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in the VS6ComFile!load_link_inf function, allowing for potential information disclosure when opening a crafted V7 file.

File Browser versions prior to 2.62.2 are vulnerable to stored cross-site scripting (XSS) via the EPUB preview function, allowing attackers to execute arbitrary JavaScript in a user's browser by embedding malicious code in a crafted EPUB file.

A stored Cross-Site Scripting (XSS) vulnerability exists in Payload CMS versions prior to 3.78.0, allowing authenticated users with write access to inject malicious scripts that execute in the browsers of other users.

Payload CMS versions before 3.79.1 are vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated users with upload access to trigger outbound HTTP requests to arbitrary URLs.

A broken access control vulnerability in Open WebUI versions prior to 0.8.11 (CVE-2026-34222) allows authenticated users to potentially access or modify tool values they should not be authorized to, leading to privilege escalation and unauthorized configuration changes.

The creation of Zoom meetings without passcodes allows unauthorized access and disruption, known as Zoombombing, potentially leading to the exposure of sensitive information or reputational damage.

CVE-2026-35092 is an integer overflow vulnerability in Corosync's join message sanity validation, allowing a remote, unauthenticated attacker to send crafted UDP packets, resulting in a denial of service condition.

Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.

Dell AppSync version 4.6.0 is vulnerable to a UNIX Symbolic Link (Symlink) Following vulnerability (CVE-2026-22767) that allows a low-privileged local attacker to tamper with information.

A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.

A remote, anonymous attacker can exploit a vulnerability in 7-Zip to manipulate files, leading to potential data integrity issues.

XenForo before 2.3.7 discloses filesystem paths through exception messages triggered by open_basedir restrictions, allowing attackers to gain sensitive information about the server's directory structure.

A vulnerability exists in mppx TypeScript interface before version 0.4.11, allowing attackers to close or grief channels for free by submitting close vouchers equal to the settled amount due to incorrect validation.

The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin, allowing unauthorized senders to bypass intended authorization checks due to improper handling of empty groupAllowFrom parameters, potentially leading to information disclosure.

OpenClaw before version 2026.3.13 exposes Telegram bot tokens in error messages due to the fetchRemoteMedia function embedding these tokens in MediaFetchError strings when media downloads fail.

baserCMS versions prior to 5.2.3 are vulnerable to DOM-based Cross-Site Scripting (XSS) due to improper neutralization of input during web page generation, potentially allowing a remote attacker to execute arbitrary JavaScript in a user's browser.

A heap-buffer-overflow read vulnerability exists in FreeRDP versions prior to 3.24.2, specifically in the winpr_aligned_offset_recalloc() function, potentially leading to denial of service or information disclosure.

CVE-2026-3991 is an elevation of privilege vulnerability in Symantec Data Loss Prevention (DLP) Windows Endpoint that could allow a local attacker to gain elevated access to resources.

Detection of PowerShell scripts modifying the msDS-ManagedAccountPrecededByLink attribute, potentially indicating exploitation of the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

CrowdStrike Falcon Cloud Security enhances its CNAPP capabilities, incorporating adversary intelligence to prioritize cloud risks based on threat actor behavior, particularly focusing on groups like LABYRINTH CHOLLIMA and SCATTERED SPIDER, to enable security teams to understand and remediate cloud exposures more effectively.

CrowdStrike's Falcon Next-Gen SIEM now supports third-party EDR solutions, starting with Microsoft Defender, to extend AI-native SOC capabilities without replacing existing endpoint agents.

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents and extract sensitive information.

CrowdStrike's CNAPP enhancements prioritize cloud risks based on adversary behavior, application context, and configuration change tracking to reduce breach likelihood.

CrowdStrike Falcon AIDR now supports NVIDIA NeMo Guardrails to protect AI agents by blocking prompt injection attacks, redacting sensitive data, defanging malicious content, and moderating unwanted topics, ensuring compliance and preventing abuse.

CrowdStrike Falcon Next-Gen SIEM now supports third-party EDR solutions like Microsoft Defender, enabling unified detection and response across diverse environments, addressing the challenges of cross-domain attacks and fragmented security systems.

CrowdStrike enhances its CNAPP capabilities by incorporating adversary intelligence for improved risk prioritization, addressing limitations in infrastructure visibility, threat actor behavior analysis, and alert triage.

A server-side request forgery vulnerability exists in elecV2 elecV2P up to 3.8.3, affecting the eAxios function within the /mock URL handler, allowing remote attackers to manipulate the req argument and potentially conduct internal reconnaissance or other malicious activities.

CrowdStrike's Falcon Next-Gen SIEM expands to support third-party EDR solutions, beginning with Microsoft Defender, to unify detection, investigation, and response without requiring the Falcon sensor and modernize security operations.

CrowdStrike is introducing innovations to secure AI agents and govern shadow AI across endpoints, SaaS, and cloud environments by extending AI detection and response (AIDR) capabilities to cover desktop AI applications and provide visibility into AI-related components, helping to prevent prompt attacks, data leaks, and policy violations.

CrowdStrike Falcon Next-Gen SIEM is expanding its capabilities to integrate with third-party EDR solutions, starting with Microsoft Defender, to enable organizations to extend their AI-native SOC across heterogeneous environments without replacing existing endpoint agents.

CrowdStrike Falcon AIDR integrates with NVIDIA NeMo Guardrails to provide comprehensive protection for AI agents against prompt injection, data leaks, and malicious content.

CrowdStrike has enhanced its CNAPP capabilities by adding application-layer visibility and prioritizing risks based on known adversary tactics, techniques, and procedures (TTPs).

CrowdStrike is enhancing its Falcon platform with new features focusing on AI Detection and Response (AIDR) capabilities across endpoints, SaaS, and cloud environments to mitigate risks such as prompt injection attacks, data leaks, and policy violations related to AI agents and shadow AI.

CrowdStrike Falcon Cloud Security enhances CNAPP capabilities with application-layer visibility and adversary-informed risk prioritization, enabling security teams to focus on attacker-aligned risks and known threat actors.

CrowdStrike's Falcon Cloud Security enhances CNAPP capabilities by introducing adversary-informed risk prioritization, application layer visibility, and root cause analysis of configuration changes, enabling security teams to better understand and remediate cloud risks.

CrowdStrike introduces agentic MDR and SOC Transformation Services to enhance breach prevention through machine-speed execution and expert oversight, while SOC Transformation Services aim to modernize security operations by focusing on SIEM, data pipelines, workflows, talent models, and governance.

CrowdStrike introduces Charlotte AI AgentWorks and Agentic SOAR to enhance security operations through AI-driven automation and orchestration, reducing manual workloads and improving decision accuracy.

CrowdStrike Falcon Next-Gen SIEM is expanding to support third-party EDR solutions, starting with Microsoft Defender, enabling organizations to extend their AI-native SOC across their ecosystem by unifying detection, investigation, and response.

CrowdStrike's Charlotte AI AgentWorks facilitates the development and deployment of AI-driven security agents within the SOC, aiming to enhance analyst capabilities through automated and orchestrated responses to threats.

CrowdStrike's Charlotte AI AgentWorks and Agentic SOAR aim to revolutionize security operations by enabling the creation and orchestration of AI-powered agents, enhancing analyst capabilities and automating tasks to combat AI-accelerated adversaries.

CrowdStrike's Agentic MDR combines machine-speed execution with expert oversight, leveraging deterministic automation and adaptive AI agents to enhance breach prevention and SOC modernization.

CrowdStrike is expanding its Falcon Flex model to its services offering, providing flexible access to incident response, proactive security services, advisory, platform services, and training.

CrowdStrike's new CNAPP capabilities in Falcon Cloud Security focus on adversary-informed risk prioritization by correlating application-layer visibility with threat actor profiles and techniques, enabling security teams to understand cloud risk, prioritize remediation, and accelerate response.

CrowdStrike Falcon Next-Gen SIEM now supports third-party EDR solutions, beginning with Microsoft Defender, enabling organizations to extend their AI-native SOC and unify detection across heterogeneous environments.

CrowdStrike is enhancing its Falcon platform with new AI detection and response capabilities to secure AI agents and govern shadow AI across endpoints, SaaS, and cloud environments, addressing threats like prompt injection and data leaks.

CrowdStrike's Falcon Data Security aims to protect sensitive data by providing visibility into data movement across various environments and preventing data theft.

CrowdStrike's agentic MDR combines automation, AI agents, and human oversight for rapid breach response, while SOC Transformation Services modernize security operations for an agentic SOC approach.

A vulnerability exists in Incus where it does not properly verify the combined fingerprint when downloading images from simplestreams servers, allowing an attacker to perform image cache poisoning and potentially expose other tenants to running attacker-controlled images.

CVE-2025-59032 describes a vulnerability in ManageSieve's AUTHENTICATE command, where using a literal as a SASL initial response can crash the ManageSieve service, leading to a denial-of-service condition.

EVerest versions prior to 2026.02.0 exhibit a data race vulnerability (CVE-2026-26074) where concurrent network requests and physical events can corrupt the event queue, leading to potential denial of service or other undefined behavior.

CVE-2026-2995 is a vulnerability in GitLab EE versions 15.4 to 18.10.1 where an authenticated user can add email addresses to other user accounts due to improper HTML sanitization, potentially leading to account takeover or information disclosure.

CVE-2026-3988 is a denial of service vulnerability in GitLab CE/EE allowing unauthenticated users to crash instances by sending malformed GraphQL requests, affecting versions 18.5 before 18.8.7, 18.9 before 18.9.3, and 18.10 before 18.10.1.

The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.

IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 stores user credentials in plaintext, allowing local users to read sensitive information.

A remote, anonymous attacker can exploit a vulnerability in the zipfile module of CPython to manipulate files on affected systems.

An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat OpenShift GitOps to manipulate data, misrepresent information, or cause a denial of service.

CVE-2026-4719 describes an incorrect boundary condition in the Graphics: Text component of Mozilla Firefox and Thunderbird, potentially leading to a denial-of-service condition in vulnerable versions.

CVE-2026-4704 is a denial-of-service vulnerability in the WebRTC Signaling component affecting Firefox, Firefox ESR, and Thunderbird, potentially disrupting service availability.

An incorrect boundary condition in the Audio/Video Web Codecs component in Mozilla Firefox and Thunderbird (CVE-2026-4695) could lead to a denial-of-service (DoS) condition due to a vulnerability that affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

CVE-2026-4697 is a denial-of-service vulnerability due to incorrect boundary conditions in the Audio/Video Web Codecs component of Mozilla Firefox and Thunderbird, potentially leading to application crashes.

CVE-2026-4693 is a vulnerability due to incorrect boundary conditions in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird, potentially leading to a denial-of-service condition.

An improper boundary condition vulnerability in the Canvas2D component of Mozilla Firefox, Firefox ESR, and Thunderbird (CVE-2026-4685) could allow for a denial-of-service condition.

A NULL pointer dereference vulnerability in the daap_reply_playlists function of owntone-server allows attackers to cause a Denial of Service (DoS) by sending a crafted DAAP request.

Easy Chat Server 3.1 is vulnerable to a denial-of-service attack where a remote attacker can crash the application by sending oversized data in the message parameter via a POST request to the body2.ghp endpoint after establishing a session, leading to service unavailability.

Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.

CrowdStrike is expanding the Falcon Flex model to its services offering to provide organizations with more flexible access to incident response and proactive security services.

An anonymous, remote attacker can exploit multiple vulnerabilities in VMware Tanzu Spring Security and VMware Tanzu Spring Framework to bypass security measures.

An anonymous remote attacker can exploit a vulnerability in Znuny to perform a cross-site scripting attack, potentially leading to information disclosure or session hijacking.

A remote, anonymous attacker can exploit a vulnerability in cURL to manipulate files on a vulnerable system.

A remote, anonymous attacker can exploit a vulnerability in Apache Commons FileUpload to perform a denial of service attack.

An authenticated remote attacker can exploit a vulnerability in Apache Commons BeanUtils to bypass security measures, potentially leading to unauthorized access or privilege escalation.

An anonymous, remote attacker can exploit a vulnerability in MIT Kerberos to bypass security measures.

A missing release of memory vulnerability (CVE-2026-33852) in MolotovCherry Android-ImageMagick7 before version 7.1.2-11 can lead to a denial-of-service condition due to memory exhaustion.

A denial-of-service vulnerability (CVE-2026-33174) exists in Ruby on Rails Active Storage versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1 due to unbounded memory allocation when handling large or unbounded Range headers in proxy delivery mode.

Citrix has released a security advisory addressing multiple vulnerabilities in NetScaler ADC and NetScaler Gateway that could lead to sensitive information disclosure and user session mix-up under specific configurations.

The open-source Inner Warden project is a security agent leveraging eBPF for kernel-level monitoring and autonomous response actions like IP blocking and process termination, aiming to create a distributed security mesh.

The RagaSerpent cluster, also known as SideWinder-Adjacent, is conducting targeted attacks across multiple countries between 2025 and 2026, associated with a 'Tax Audit' themed campaign.

StoatWaffle is malware employed by the WaterPlum threat actor, used for an unknown purpose.

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

A user created a self-hosted email threat detection tool, named VerdictMail, employing IMAP IDLE for real-time monitoring and multi-stage enrichment via SPF, DKIM, DMARC, DNSBL, WHOIS, URLhaus, and VirusTotal, coupled with an LLM for threat assessment.

An Iranian botnet operation utilizing a 15-node relay network and active C2 infrastructure was exposed through an open directory.

Detects a service principal authenticating to Microsoft Entra ID and then listing credentials for an Azure Arc-connected Kubernetes cluster within a short time window, indicating potential unauthorized access to Kubernetes clusters via stolen service principal secrets.

Persistnux is a bash-based tool designed to identify known Linux persistence mechanisms used by attackers to maintain access to compromised systems, generating detailed reports for DFIR analysis.

HushSpec is an open specification under development to standardize security policies at the action boundary of AI agents, focusing on actions such as file access, network egress, and shell execution, aiming to create a portable and engine-agnostic policy layer.

The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.

The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.

This brief summarizes IOCs extracted from the Maltrail feed on March 15, 2026, covering domains and URLs associated with threats targeting macOS and Android platforms, including OSX_Atomic, FakeApp, Android_Joker, Lummack2, APT_Sidewinder, APT_Kimsuky, and Hak5Cloud_C2.

Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.

Multiple IDS alerts indicate potential network reconnaissance, vulnerability exploitation attempts targeting Fortigate VPN (CVE-2023-27997), and ColdFusion servers originating from various IP addresses on March 13, 2026.

This rule detects the creation or modification of Kubernetes Roles or ClusterRoles that grant high-risk permissions, such as wildcard access or RBAC escalation verbs (e.g., bind, escalate, impersonate), potentially leading to privilege escalation or unauthorized access within the cluster.

A single user and source IP attempts to enumerate Kubernetes endpoints, issuing API requests across multiple endpoints to identify accessible resources for further exploitation.

This brief analyzes IOCs aggregated by Maltrail on February 27, 2026, highlighting network activity associated with diverse threat actors including APT_UNC2465, Lazarus Group, Gorat, APT_Bitter, Android_Joker, PowerShell Injector, SmokeLoader, and FakeApp campaigns targeting various sectors.

The import of SSH key pairs into AWS EC2, as detected by CloudTrail logs, may indicate unauthorized access attempts, persistence establishment, or privilege escalation by an attacker.

An adversary may delete an AWS SAML provider to disrupt administrative access, hindering incident response and potentially escalating privileges within the AWS environment.

The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.

Attackers may delete secret scanning rules in Bitbucket to impair defenses and introduce secrets into the code repository undetected, potentially leading to unauthorized access or data breaches.

An attacker may deploy a pod within the kube-system namespace in Kubernetes to mimic legitimate system pods and evade detection.

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.

Attackers can modify SSH certificate configurations in GitHub organizations to gain unauthorized access, persist in the environment, escalate privileges, and operate stealthily.

Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.

An adversary modifies Kubernetes admission controller configurations to achieve persistence, escalate privileges, or gain unauthorized access to credentials within the cluster.

go-zserio versions prior to 0.9.1 are vulnerable to unbounded memory allocation when deserializing data, potentially leading to denial of service.

An attacker may add a new route to an AWS route table, potentially redirecting network traffic for malicious purposes such as defense impairment or data exfiltration.

An attacker modifies Bitbucket global SSH settings to potentially enable unauthorized access and lateral movement.

Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.

An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.

The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.

A denial-of-service vulnerability exists in the russh crate, where a malicious client can crash any russh-based server implementing keyboard-interactive authentication by sending a crafted SSH_MSG_USERAUTH_INFO_RESPONSE message with a large response count, leading to excessive memory allocation and an out-of-memory crash without requiring any credentials.