Latest intel // live feed
CVE-2026-32746 — Gnu Inetutils: telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC
telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. CVSSv3.1 9.8 (CRITICAL) · EPSS 9th percentile
CVE-2026-32304 — Locutus Locutus: Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-31806 — Freerdp Freerdp: Because these values are used during bitmap decoding and memory operations without proper bounds
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.24.0, the gdi_surface_bits() function processes SURFACE_BITS_COMMAND messages sent by the RDP server. When the command is handled using NSCodec, the bmp.width and bmp.height values provided by the server are not properly validated against the actual desktop dimensions. A malicious RDP server can supply crafted bmp.width and bmp.height values that exceed the expected surface size. Because these values CVSSv3.1 9.8 (CRITICAL)
CVE-2026-25823 — HMS Networks: Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have a stack buffer overflow that leads to a Denial of Service, which can also be exploited to achieve Unauthenticated Remote Code Execution. CVSSv3.1 9.8 (CRITICAL) · EPSS 51st percentile
CVE-2026-25818 — HMS Networks: Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have weak entropy for authentication cookies, allowing an attacker with a stolen session cookie to find the user password by brute-forcing an encryption parameter. CVSSv3.1 9.1 (CRITICAL) · EPSS 5th percentile
CVE-2026-25817 — HMS Networks: Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6
HMS Networks Ewon Flexy with firmware before 15.0s4, Cosy+ with firmware 22.xx before 22.1s6, and Cosy+ with firmware 23.xx before 23.0s3 have improper neutralization of special elements used in an OS command allowing remote code execution by attackers with low privilege access on the gateway, provided the attacker has credentials. CVSSv3.1 8.8 (HIGH) · EPSS 56th percentile
CVE-2026-23941 — Erlang Erlang/inets: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in Erlang OTP (inets httpd module) allows HTTP Request Smuggling. This vulnerability is associated with program files lib/inets/src/http_server/httpd_request.erl and program routines httpd_request:parse_headers/7. The server does not reject or normalize duplicate Content-Length headers. The earliest Content-Length in the request is used for body parsing while common reverse proxies (nginx, CVSSv3.1 9.4 (CRITICAL) · EPSS 7th percentile
CVE-2025-13779 — Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This
Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1. CVSSv3.1 8.3 (HIGH) · EPSS 7th percentile
CVE-2025-13777 — Authentication bypass by capture-replay vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue
Authentication bypass by capture-replay vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1. CVSSv3.1 8.3 (HIGH) · EPSS 8th percentile
UEBA in the Real World: Catching Intrusions That Don’t Look Like Intrusions
Sekoia's analysis demonstrates how modern intrusions evade traditional IOC-based detection by leveraging valid credentials and legitimate tools (OAuth, cloud APIs, remote admin utilities) rather than malware. The article presents five real-world attack patterns—credential-based lateral movement, MFA fatigue, OAuth abuse, cloud console misuse, and insider-style exfiltration—that UEBA (User and Entity Behavior Analytics) detects where signature-based rules fail. The core insight is that attackers deliberately blend into normal authentication and administrative workflows, requiring behavioral baselines and contextual correlation rather than artifact-focused detection.
Initial access techniques used by Iran-based threat actors
Sophos CTU analysis of Iranian-linked threat groups reveals consistent initial access patterns since 2020: phishing (especially spearphishing with cloud-hosted payloads), rapid exploitation of public-facing vulnerabilities (FortiOS, Exchange ProxyShell, Log4Shell), password spraying against cloud identity platforms, abuse of legitimate RMM tools, and exploitation of default/weak credentials in OT systems. The report documents specific TTPs including multi-step social engineering, payload hosting on trusted cloud services, and immediate post-compromise discovery and persistence actions.
March Patch Tuesday visits 15 product families
Microsoft released 84 patches across 15 product families in March 2026, addressing 8 Critical-severity vulnerabilities (none in Windows) and 76 Important-severity issues. Six CVEs are assessed as more likely to be exploited within 30 days, including elevation-of-privilege flaws in Windows kernel, SMB, and accessibility infrastructure, plus Office RCE issues exploitable via preview pane. Two CVEs are publicly disclosed; none are currently known to be under active exploitation.
CVE-2026-3611 — Honeywell Iq4e_firmware: Authentication controls are only enforced after a web user is created via U.htm, which
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Becaus CVSSv3.1 10.0 (CRITICAL) · EPSS 48th percentile
CVE-2025-13462 — Python Python: This could result in a crafted tar archive being misinterpreted by the tarfile module
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile
CVE-2026-21708 — Backup: A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the
A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. CVSSv3.1 9.9 (CRITICAL) · EPSS 76th percentile
CVE-2026-21672 — A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers.
A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers. CVSSv3.1 8.8 (HIGH) · EPSS 28th percentile
CVE-2019-25536 — Netartmedia Real_estate_portal: PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated
Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can send POST requests to index.php with crafted SQL payloads in the features[] parameter to extract sensitive database information or manipulate database queries. CVSSv3.1 8.2 (HIGH)
Leveraging Tailscale Keys
SpecterOps published a comprehensive red-team tradecraft guide on exploiting compromised Tailscale authentication keys (Trusted Keys and Auth Keys) discovered in CI/CD pipelines. The post details how to provision nodes, enumerate Tailnets, abuse subnet routers and exit nodes for lateral movement, and leverage Tailscale SSH for passwordless access to internal systems and cloud resources.
CVE-2026-21671 — Veeam Veeam_backup_&_replication: A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote
A vulnerability allowing an authenticated user with the Backup Administrator role to perform remote code execution (RCE) in high availability (HA) deployments of Veeam Backup & Replication. CVSSv3.1 9.1 (CRITICAL) · EPSS 56th percentile
CVE-2026-21669 — Veeam Veeam_backup_&_replication: A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on
A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. CVSSv3.1 9.9 (CRITICAL) · EPSS 53rd percentile
CVE-2026-21668 — Veeam Veeam_backup_&_replication: A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files
A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
CVE-2026-3060 — Lmsys Sglang: SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-3059 — Lmsys Sglang: SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ
SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-3972 — Tenda W3_firmware: The manipulation of the argument funcpara1 results in stack-based buffer overflow.
A vulnerability was found in Tenda W3 1.0.0.3(2204). Affected by this issue is the function formSetCfm of the file /goform/setcfm of the component HTTP Handler. The manipulation of the argument funcpara1 results in stack-based buffer overflow. The attack can only be performed from the local network. The exploit has been made public and could be used. CVSSv3.1 8.8 (HIGH) · EPSS 39th percentile
CVE-2023-43010 — Apple Safari: Processing maliciously crafted web content may lead to memory corruption.
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. Processing maliciously crafted web content may lead to memory corruption. CVSSv3.1 8.8 (HIGH)