2026-01-15
2026-01-15 12:54Z
INFO

EntraGoat — A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack cha

GitHub · Azure / Entra tools·github.comGITHUB POC

EntraGoat is a deliberately vulnerable Microsoft Entra ID lab environment released by Semperis, designed to teach identity security through hands-on attack scenarios. The tool deploys realistic misconfigurations and privilege escalation paths using PowerShell and Microsoft Graph APIs, with multiple challenge scenarios covering service principal abuse, app-only permissions exploitation, and certificate-based authentication attacks.

TACTA0004TACTA0005TACTA0001SRFIdentitySRFCloudVNDMicrosoftTYPResearchTYPTool
72
Edit Score
2026-01-15
2026-01-15 00:00Z
CRIT

Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI

Trend Micro's ÆSIR platform, combining AI-assisted vulnerability discovery with human oversight, has identified 21 critical CVEs across NVIDIA, Tencent, MLflow, and MCP tooling since mid-2025. The research demonstrates systematic exploitation of deserialization, authentication bypass, and command injection flaws in foundational AI infrastructure, with particular emphasis on patch bypass identification in NVIDIA Isaac GR00T. The platform's dual-component architecture (MIMIR for threat intelligence, FENRIR for zero-day discovery) operates at machine speed while maintaining human-directed validation and responsible disclosure.

SRFApplicationTACTA0001SRFAiVNDNvidiaVNDMlflowVNDTencentTYPResearchTYPTool
82
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22859 — Freerdp Freerdp: Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22859

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 125CWECWE 129VNDFreerdpTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22858 — Freerdp Freerdp: As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22858

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup t CVSSv3.1 9.1 (CRITICAL)

CWECWE 125CWECWE 787CWECWE 758VNDFreerdpTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22855 — Freerdp Freerdp: Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22855

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 125VNDFreerdpTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2026-01-14
2026-01-14 18:16Z
CRIT

CVE-2026-22853 — Freerdp Freerdp: Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-22853

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 787VNDFreerdpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-14
2026-01-14 18:01Z
CRIT

A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?

Project Zero·googleprojectzero.blogspot.comCVE-2025-54957CVE-2025-36934in the wild

Project Zero published the third installment of their Pixel 9 0-click exploit chain analysis, detailing systemic vulnerabilities in Android's attack surface management, patch prioritization, and deployment timelines. The chain exploited CVE-2025-54957 (Dolby UDC memory corruption) and CVE-2025-36934 (BigWave driver privilege escalation) to achieve kernel code execution from untrusted audio messages—requiring only two bugs and taking ~11 person-weeks to develop. The post reveals critical gaps: the Dolby UDC vulnerability took 139 days to patch on any Android device and 82 days after public disclosure before Pixel patched it, Dolby's advisory significantly understated exploitability, and Android's severity matrix initially rated both bugs as Moderate despite their 0-click nature.

SRFOsTACTA0004SRFMobileTACTA0001TACTA0002VNDDolbyVNDGoogleVNDQualcomm
95
Edit Score
728 × 90 / responsive · programmatic ad slot
2026-01-14
2026-01-14 18:00Z
CRIT

A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave

Project Zero·googleprojectzero.blogspot.com

Project Zero discloses a complete 0-click exploit chain for Pixel 9 combining a Dolby decoder RCE with three BigWave driver vulnerabilities, culminating in kernel arbitrary read/write and SELinux bypass. The primary vulnerability is a use-after-free in the BigWave AV1 hardware decoder driver triggered by race conditions between ioctl timeout handling and worker thread job processing, patched January 5, 2026.

TACTA0004TACTA0005SRFMobileSRFFirmwareVNDGoogleVNDQualcommTYPResearchTYPWriteup
98
Edit Score
2026-01-14
2026-01-14 17:59Z
CRIT

A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby

Project Zero·googleprojectzero.blogspot.comCVE-2025-54957CVE-2025-36934CVE-2025-49415in the wild

Project Zero disclosed a complete 0-click exploit chain for Pixel 9 targeting the Dolby Unified Decoder (CVE-2025-54957), an integer overflow in EMDF payload parsing that enables arbitrary heap writes. The vulnerability exists in the 0-click attack surface via automatic audio transcription in Google Messages, affecting most Android devices. Part 1 details exploitation of the decoder to achieve mediacodec RCE through heap layout manipulation and function pointer overwriting.

SRFOsTACTA0004SRFMobileTACTA0001TACTA0002VNDDolbyVNDGoogleTYPResearch
98
Edit Score
2026-01-14
2026-01-14 17:00Z
CRIT

Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP

SpecterOps·specterops.io

SpecterOps researchers discovered a critical SCCM hierarchy takeover primitive combining automatic client push installation with WebDav/HTTP NTLM relay to LDAP. The attack exploits the site server's automatic share mapping behavior (WNetAddConnection2 API) during client push, which triggers WebClient startup and coerces HTTP NTLM authentication from either the client push account or the site server machine account. Successful exploitation requires WebClient installation on the site server, automatic client push enabled, NTLM fallback enabled, and disabled LDAP signing/channel binding—conditions common in enterprise deployments.

SRFApplicationTACTA0004TACTA0001SRFIdentityTACTA0008VNDMicrosoftTYPResearchTYPTechnique
92
Edit Score
2026-01-14
2026-01-14 11:15Z
HIGH

CVE-2026-0532 — External: Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918)

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0532

External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitra CVSSv3.1 8.6 (HIGH)

CWECWE 918TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-01-14
2026-01-14 09:16Z
CRIT

CVE-2026-23550 — Incorrect: Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-23550

Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-13
2026-01-13 23:59Z
HIGH

MAAD-AF — MAAD Attack Framework - An attack tool for simple, fast & effective security testing of M365 & Entra ID (Azure AD).

GitHub · Azure / Entra tools·github.comGITHUB POC

Vectra AI Research released MAAD-AF (MAAD Attack Framework), an open-source PowerShell-based attack emulation tool for Microsoft 365 and Entra ID environments. The framework enables security testing across Exchange Online, Teams, SharePoint, and eDiscovery with techniques including credential brute-forcing, MFA manipulation, mailbox audit bypass, mail forwarding exfiltration, and cross-tenant synchronization exploitation.

TACTA0004TACTA0005TACTA0001TACTA0006TACTA0007SRFIdentityTACTA0003SRFCloud
78
Edit Score
2026-01-13
2026-01-13 18:16Z
HIGH

CVE-2026-20931 — Microsoft Windows_10_1607: External control of file name or path in Windows Telephony Service allows an authorized

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-20931

External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. CVSSv3.1 8.0 (HIGH) · EPSS 74th percentile

CWECWE 73VNDMicrosoftTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2026-01-13
2026-01-13 17:15Z
HIGH

CVE-2025-25249 — Fortinet Fortios: A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-25249

A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets CVSSv3.1 8.1 (HIGH) · EPSS 4th percentile

CWECWE 787CWECWE 122VNDFortinetTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-13
2026-01-13 17:00Z
HIGH

Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM

SpecterOps·specterops.io

SpecterOps released ConfigManBearPig, a BloodHound OpenGraph collector that enumerates Microsoft Configuration Manager (SCCM) infrastructure to identify 30+ documented attack techniques. The tool integrates with BloodHound to visualize SCCM misconfigurations, hierarchy takeover paths, privilege escalation vectors, and credential theft opportunities through LDAP, DNS, remote registry, MSSQL, AdminService, and HTTP collection phases.

SRFApplicationSRFNetworkTACTA0006TACTA0007SRFIdentityTACTA0043VNDMicrosoftVNDSpecterops
87
Edit Score
2026-01-13
2026-01-13 16:15Z
HIGH

CVE-2025-66698 — Semantic-machines Veda: An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-66698

An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. CVSSv3.1 8.6 (HIGH) · EPSS 39th percentile

CWECWE 287VNDSemantic MachinesVNDSemanticTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2026-01-13
2026-01-13 16:15Z
CRIT

CVE-2025-65783 — Hubert Hub: An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2025-65783

An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile

CWECWE 434VNDHubertTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-13
2026-01-13 14:16Z
CRIT

CVE-2026-0892 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0892

Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147 and Thunderbird 147. CVSSv3.1 9.8 (CRITICAL)

CWECWE 119VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-13
2026-01-13 14:16Z
HIGH

CVE-2026-0891 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0891

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.1 (HIGH)

CWECWE 119VNDMozillaTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2026-01-13
2026-01-13 14:16Z
CRIT

CVE-2026-0884 — Mozilla Firefox: Use-after-free in the JavaScript Engine component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0884

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 9.8 (CRITICAL)

CWECWE 416VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2026-01-13
2026-01-13 14:16Z
HIGH

CVE-2026-0882 — Mozilla Firefox: Use-after-free in the IPC component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0882

Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.8 (HIGH)

CWECWE 416VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-13
2026-01-13 14:16Z
CRIT

CVE-2026-0881 — Mozilla Firefox: Sandbox escape in the Messaging System component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0881

Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. CVSSv3.1 10.0 (CRITICAL)

CWECWE 284CWECWE 693VNDMozillaTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2026-01-13
2026-01-13 14:16Z
HIGH

CVE-2026-0880 — Mozilla Firefox: Sandbox escape due to integer overflow in the Graphics component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0880

Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.8 (HIGH)

CWECWE 190VNDMozillaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2026-01-13
2026-01-13 14:16Z
CRIT

CVE-2026-0879 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics component.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2026-0879

Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 9.8 (CRITICAL)

CWECWE 119VNDMozillaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score