Latest intel // live feed
CVE-2023-27573 — NetBox Labs netbox-docker
netbox-docker before 2.5.0 has a superuser account with default credentials (admin password for the admin account, and 0123456789abcdef0123456789abcdef01234567 value for SUPERUSER_API_TOKEN). In practice on the public Internet, almost all users changed the password but only about 90% changed the token. Having a default token value was intentional and was valuable for the main intended use case of the netbox-docker product (isolated development networks). Some users engaged in
CVSSv3.1 9.0 (CRITICAL) · EPSS 17th percentile
CVE-2026-29515 — Xiaomi (MiCode) FileExplorer
MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.
CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile
Evil evolution: ClickFix and macOS infostealers
Sophos X-Ops documented three evolving ClickFix campaigns targeting macOS users with the MacSync infostealer between November 2025 and February 2026. The campaigns shifted from impersonating OpenAI/ChatGPT download sites to leveraging legitimate ChatGPT shared conversations and Apple domain spoofing, with the latest variant employing multistage shell-based loaders, dynamic AppleScript payloads, and binary patching (including Ledger Live app hijacking for seed phrase theft) instead of native MachO binaries. Threat actors tracked campaign efficacy via stats.php endpoints reporting thousands of successful command-copy interactions to Telegram bots, with active infection clusters across Belgium, India, and the Americas.
PageJack in Action: CVE-2022-0995 exploit
Quarkslab details a complete exploitation of CVE-2022-0995, an out-of-bounds write in the Linux kernel's watch_queue_set_filter() function (fixed in the 5.17 release cycle). The writeup demonstrates the PageJack technique, a page-level heap exploitation method introduced at Black Hat USA 2024, to convert a constrained OOB write into a use-after-free on kernel pages, ultimately achieving privilege escalation by corrupting struct file objects.
CVE-2026-28806 — NervesHub nerves_hub_web
Improper Authorization vulnerability in nerves-hub nerves_hub_web allows cross-organization device control via device bulk actions and device update API. Missing authorization checks in the device bulk actions and device update API endpoints allow authenticated users to target devices belonging to other organizations and perform actions outside of their privilege level. An attacker can select devices outside of their organization by manipulating device identifiers and perfo
CVSSv3.1 8.8 (HIGH) · EPSS 4th percentile
CVE-2025-70802 — Tenda G1V3.1si firmware V16.01.7.8
Tenda G1V3.1si firmware V16.01.7.8 was discovered to contain a hardcoded password in /etc_ro/shadow, which allows attackers to log in as root.
CVSSv3.1 8.4 (HIGH)
CVE-2025-70798 — Tenda i24V3.0si firmware V3.0.0.5
Tenda i24V3.0si firmware V3.0.0.5 was discovered to contain a hardcoded password in /etc_ro/shadow, which allows attackers to log in as root.
CVSSv3.1 8.4 (HIGH)
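The two Tenda entries above share the same root cause: a password hash shipped in a read-only partition, so the device owner cannot rotate it and the same credential works on every unit of the model. The triage script below is an added example for this page, not Tenda's code or any published exploit; it parses a shadow file extracted from a firmware image (the sample here is constructed, with made-up hashes), flags every account that would accept a login, identifies the crypt(3) scheme and the matching hashcat mode, and reports accounts that share an identical salt+hash and therefore the same password.

```python
import re
from collections import defaultdict

# Constructed sample in the shape a firmware unpack of /etc_ro/shadow yields.
# The hashes are invented for this example and are not Tenda's.
SAMPLE_SHADOW = """\
root:$1$S9OoQ4AB$lbN4y3DTxZWUYe1xfUKe91:0:0:99999:7:::
admin:$1$S9OoQ4AB$lbN4y3DTxZWUYe1xfUKe91:0:0:99999:7:::
support:$6$X7kPq2mN$hX9vZ3nK7wQ4rT6yU8iO0pA2sD4fG6hJ8kL0zX2cV4bN6mM8qW0eR2tY4uI6oP8aS0dF2gH4jK6lZ8xC:0:0:99999:7:::
nobody:!:0:0:99999:7:::
guest::0:0:99999:7:::
"""

# crypt(3) prefixes and the hashcat mode that cracks each scheme.
HASH_TYPES = [
    ("$1$", "md5crypt", 500),
    ("$5$", "sha256crypt", 7400),
    ("$6$", "sha512crypt", 1800),
    ("$y$", "yescrypt", None),
    ("$2a$", "bcrypt", 3200),
    ("$2b$", "bcrypt", 3200),
    ("$2y$", "bcrypt", 3200),
]


def classify_hash(field):
    """Map a shadow password field to (kind, hashcat_mode)."""
    if field == "":
        return "empty", None            # login succeeds with an empty password
    if field.startswith("!") or field == "*":
        return "locked", None           # no password can ever match
    for prefix, name, mode in HASH_TYPES:
        if field.startswith(prefix):
            return name, mode
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt", 1500         # traditional DES crypt, 8-char password limit
    return "unknown", None


def parse_shadow(text):
    """Yield (user, password_field) for each well-formed shadow line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def find_baked_in_logins(text):
    """Return every account whose password field would accept a login.

    On a read-only partition none of these can be changed by the device owner,
    so each one is a hardcoded credential for the whole model line.
    """
    findings = []
    by_hash = defaultdict(list)
    for user, field in parse_shadow(text):
        kind, mode = classify_hash(field)
        if kind == "locked":
            continue
        findings.append({"user": user, "kind": kind, "hashcat_mode": mode, "hash": field})
        if kind != "empty":
            by_hash[field].append(user)
    # Identical salt+hash means identical password: cracking one account opens the others.
    for finding in findings:
        finding["shares_password_with"] = [
            u for u in by_hash.get(finding["hash"], []) if u != finding["user"]
        ]
    return findings


if __name__ == "__main__":
    for f in find_baked_in_logins(SAMPLE_SHADOW):
        mode = f"hashcat -m {f['hashcat_mode']}" if f["hashcat_mode"] else "no hashcat mode"
        print(f"{f['user']:8} {f['kind']:12} {mode:18} shares password with {f['shares_password_with']}")
```

Run it against the `shadow` pulled out of a firmware image (for example by binwalk or unsquashfs) rather than the sample; any account it reports is a vendor-wide credential until the vendor ships a build that regenerates or locks it.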
CVE-2026-28292 — simple-git
`simple-git`, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes (CVE-2022-25860 and CVE-2022-25912) and achieve full remote code execution on the host machine. Version 3.23.0 contains an updated fix for the vulnerability.
CVSSv3.1 9.8 (CRITICAL)
CVE-2026-27826 — sooperset mcp-atlassian
MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, an unauthenticated attacker who can reach the mcp-atlassian HTTP endpoint can force the server process to make outbound HTTP requests to an arbitrary attacker-controlled URL by supplying two custom HTTP headers without an `Authorization` header. No authentication is required. The vulnerability exists in the HTTP middleware and dependency injection layer — not in
CVSSv3.1 8.2 (HIGH)
CVE-2026-3847 — Mozilla Firefox
Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 148.0.2.
CVSSv3.1 8.8 (HIGH)
CVE-2026-3845 — Mozilla Firefox for Android
Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2.
CVSSv3.1 8.8 (HIGH)
CVE-2026-3843 — Nefteprodukttekhnika BUK TS-G Gas Station Automation System
Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 on Linux contains a SQL Injection vulnerability (CWE-89) in the system configuration module. A remote attacker can send specially crafted HTTP POST requests to the /php/request.php endpoint via the sql parameter in application/x-www-form-urlencoded data (e.g., action=do&sql=<query_here>&reload_driver=0) to execute arbitrary SQL commands and potentially achieve remote code execution.
CVSSv3.1 9.8 (CRITICAL) · EPSS 39th percentile
CVE-2026-30930 — Glances
Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.1, the TimescaleDB export module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is f
CVSSv3.1 9.8 (CRITICAL) · EPSS 9th percentile
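The Glances entry describes a common exporter bug: metric values that look like "system data" are in fact chosen by anyone who can start a process or mount a filesystem on the monitored host. The example below is added for this page and is not Glances' code; it reconstructs the pattern the advisory describes (a normalize() that quotes strings without escaping them) next to a parameterized insert, and runs both through an in-memory SQLite table (standing in for TimescaleDB, which is a constructed assumption) so the effect of a hostile process name is visible.

```python
import sqlite3

# Constructed attacker-controlled process names. The first closes the VALUES tuple
# and opens a second one; the second is an innocent name with an embedded quote.
INJECTED_NAME = "bash', 0.0), ('injected"
QUOTED_NAME = "O'Reilly"


def normalize_vulnerable(value):
    # Reconstruction of the pattern the advisory describes, not Glances' own code:
    # strings are wrapped in single quotes but embedded quotes are not escaped.
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def insert_vulnerable(conn, row):
    # String-concatenated INSERT: the attacker's text becomes part of the SQL.
    cols = ", ".join(row)
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    conn.execute(f"INSERT INTO processlist ({cols}) VALUES ({vals})")


def insert_parameterized(conn, row):
    # Hardened form: values travel as bound parameters, never as SQL text.
    # Column names still come from the exporter's own field list, not from the host.
    cols = ", ".join(row)
    marks = ", ".join("?" for _ in row)
    conn.execute(f"INSERT INTO processlist ({cols}) VALUES ({marks})", tuple(row.values()))


def export_row(insert, process_name):
    """Export one process sample through `insert`; return (ok, stored names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processlist (name TEXT, cpu_percent REAL)")
    row = {"name": process_name, "cpu_percent": 1.5}   # constructed metric row
    try:
        insert(conn, row)
    except sqlite3.OperationalError:
        return False, []   # malformed SQL: the exporter falls over on this sample
    names = [r[0] for r in conn.execute("SELECT name FROM processlist ORDER BY rowid")]
    return True, names


if __name__ == "__main__":
    for name in (INJECTED_NAME, QUOTED_NAME):
        print("vulnerable   ", repr(name), "->", export_row(insert_vulnerable, name))
        print("parameterized", repr(name), "->", export_row(insert_parameterized, name))
```

With the concatenating version the injected name yields two rows (one of them entirely attacker-authored) and the quoted name crashes the export; with bound parameters both names are stored verbatim as a single row. SQLite's execute() refuses stacked statements, which is why the payload here extends the VALUES list rather than appending a second statement; a TimescaleDB/PostgreSQL driver that allows multi-statement strings gives the attacker considerably more room.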
CVE-2026-26110 — Microsoft 365 Apps (Office)
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.
CVSSv3.1 8.4 (HIGH) · EPSS 19th percentile
CVE-2026-23240 — Linux kernel
In the Linux kernel, the following vulnerability has been resolved: tls: Fix race condition in tls_sw_cancel_work_tx(). This issue was discovered during a code audit. After cancel_delayed_work_sync() is called from tls_sk_proto_close(), tx_work_handler() can still be scheduled from paths such as the Delayed ACK handler or ksoftirqd. As a result, the tx_work_handler() worker may dereference a freed TLS object. The following is a simple race scenario: cpu0
CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2026-22627 — Fortinet FortiSwitchAXFixed
A buffer copy without checking size of input ('classic buffer overflow') vulnerability in Fortinet FortiSwitchAXFixed 1.0.0 through 1.0.1 may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet.
CVSSv3.1 8.8 (HIGH)
CVE-2025-69615 — Deutsche Telekom Account Management Portal
Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03.
CVSSv3.1 9.1 (CRITICAL) · EPSS 3rd percentile
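A six-digit code with unlimited retries is a search over a million values, and an attacker who already holds the password needs no interaction from the victim to run it. The verifier below is an added example for this page, not Telekom's portal code; it assumes a policy (five failed codes per account in a sliding five-minute window, after which even a correct code is refused until the window drains) and a pluggable clock so the lockout can be exercised without waiting. The two helper functions put numbers on why the budget matters.

```python
import hmac
import time
from collections import defaultdict


class OtpVerifier:
    """Second-factor check with a per-account failed-attempt budget.

    Assumed policy for this example: at most `max_attempts` wrong codes per account
    inside a sliding `window` of seconds. Once spent, every submission is rejected,
    including a correct one, until enough failures age out of the window.
    """

    def __init__(self, max_attempts=5, window=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = defaultdict(list)   # account -> timestamps of failed attempts

    def _recent_failures(self, account):
        cutoff = self.clock() - self.window
        recent = [t for t in self._failures[account] if t > cutoff]
        self._failures[account] = recent
        return recent

    def verify(self, account, submitted, expected):
        """Return (accepted, reason). The budget check runs before the code compare."""
        if len(self._recent_failures(account)) >= self.max_attempts:
            return False, "locked"
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)    # success resets the budget
            return True, "ok"
        self._failures[account].append(self.clock())
        return False, "wrong_code"


def expected_attempts(digits=6):
    """Mean number of guesses to hit a uniformly random code with unlimited retries."""
    return (10 ** digits + 1) / 2


def lockout_years_to_exhaust(digits=6, max_attempts=5, window=300):
    """Years needed to try every code when only max_attempts per window are allowed."""
    seconds = 10 ** digits / max_attempts * window
    return seconds / (365 * 24 * 3600)


class FakeClock:
    """Settable clock so the window can be advanced in a test."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    v = OtpVerifier(clock=clock)
    for code in ("000000", "111111", "222222", "333333", "444444", "123456"):
        print(code, v.verify("alice", code, "123456"))
    clock.t = 301
    print("after window:", v.verify("alice", "123456", "123456"))
    print(f"unlimited retries: ~{expected_attempts():,.0f} guesses on average")
    print(f"5 per 5 min: {lockout_years_to_exhaust():.1f} years to cover the space")
```

The budget is keyed on the account, not the client IP, because the attack is distributed across addresses while the target is fixed; in production the failure list lives in a shared store such as Redis with a TTL equal to the window, and the same rule applies to the SMS/TAN and recovery-code paths, or the attacker simply switches to the unlimited one.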
CVE-2025-69614 — Deutsche Telekom Account Management Portal
Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31.
CVSSv3.1 9.4 (CRITICAL) · EPSS 6th percentile
CVE-2025-56422 — LimeSurvey
A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server.
CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile
USBArmyKnife — the ultimate close access tool for penetration testers and red teamers
USBArmyKnife is a comprehensive open-source physical access toolkit built on ESP32-S3 hardware that combines BadUSB HID attacks, mass storage emulation, network device spoofing, WiFi/Bluetooth exploitation, and post-exploitation capabilities including screen capture and audio recording. The tool supports multiple affordable hardware platforms (LilyGo T-Dongle S3, Evil Crow Cable, smartwatches) and provides a web-based UI for attack orchestration via DuckyScript with custom extensions.
CVE-2025-11158 — Hitachi Vantara Pentaho Data Integration & Analytics
Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.6, including 9.3.x and 8.3.x, do not restrict Groovy scripts in new PRPT reports published by users, allowing insertion of arbitrary scripts and leading to RCE.
CVSSv3.1 9.1 (CRITICAL) · EPSS 5th percentile
The Nemesis 2.X Development Guide
SpecterOps published a comprehensive development guide for Nemesis 2.X, a file enrichment and credential harvesting platform. The guide covers extending Nemesis through custom enrichment modules (with both manual and AI-assisted approaches via Claude Code/Codex), adding Yara/Nosey Parker detection rules, and building C2 connectors to ingest operator downloads.
CVE-2026-28693 — ImageMagick
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-16 and 6.9.13-41, an integer overflow in the DIB coder can result in an out-of-bounds read or write. This vulnerability is fixed in 7.1.2-16 and 6.9.13-41.
CVSSv3.1 8.1 (HIGH)
Through the Lens of MDR: Analysis of KongTuke’s ClickFix Abuse of Compromised WordPress Sites
Trend Micro's MDR investigation documents an active KongTuke campaign delivering modeloRAT through compromised WordPress sites injected with malicious JavaScript that triggers fake CAPTCHA lures and PowerShell execution. The group abuses legitimate Windows tools (finger.exe), Dropbox-hosted payloads, and portable Python environments to establish persistence via registry Run keys and scheduled tasks, while employing 32-layer obfuscation and anti-analysis checks targeting enterprise domain-joined systems. The campaign operates in parallel with the newer CrashFix browser-extension technique, demonstrating a modular, scalable operation with ongoing infrastructure activity.
CISOs in a Pinch: A Security Analysis of OpenClaw
Trend Micro analyzes OpenClaw, a locally-hosted sovereign AI agent built on Anthropic's Claude that executes terminal commands with user privileges and maintains persistent memory. The research identifies critical attack vectors including indirect prompt injection via messaging apps, time-shifted attacks through persistent JSON storage, and the Moltbook database breach exposing 1.5M API tokens. The paper argues that current deployment practices lack essential controls: sandboxing, human-in-the-loop confirmation, and input/output guardrails against injection attacks.