Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
EntraGoat — A deliberately vulnerable Microsoft Entra ID environment. Learn identity security through hands-on, realistic attack cha
EntraGoat is a deliberately vulnerable Microsoft Entra ID lab environment released by Semperis, designed to teach identity security through hands-on attack scenarios. The tool deploys realistic misconfigurations and privilege escalation paths using PowerShell and Microsoft Graph APIs, with multiple challenge scenarios covering service principal abuse, app-only permissions exploitation, and certificate-based authentication attacks.
Introducing ÆSIR: Finding Zero-Day Vulnerabilities at the Speed of AI
Trend Micro's ÆSIR platform, combining AI-assisted vulnerability discovery with human oversight, has identified 21 critical CVEs across NVIDIA, Tencent, MLflow, and MCP tooling since mid-2025. The research demonstrates systematic exploitation of deserialization, authentication bypass, and command injection flaws in foundational AI infrastructure, with particular emphasis on patch bypass identification in NVIDIA Isaac GR00T. The platform's dual-component architecture (MIMIR for threat intelligence, FENRIR for zero-day discovery) operates at machine speed while maintaining human-directed validation and responsible disclosure.
CVE-2026-22859 — Freerdp Freerdp: Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, the URBDRC client does not perform bounds checking on server‑supplied MSUSB_INTERFACE_DESCRIPTOR values and uses them as indices in libusb_udev_complete_msconfig_setup, causing an out‑of‑bounds read. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-22858 — Freerdp Freerdp: As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, global-buffer-overflow was observed in FreeRDP's Base64 decoding path. The root cause appears to be implementation-defined char signedness: on Arm/AArch64 builds, plain char is treated as unsigned, so the guard c <= 0 can be optimized into a simple c != 0 check. As a result, non-ASCII bytes (e.g., 0x80-0xFF) may bypass the intended range restriction and be used as an index into a global lookup t CVSSv3.1 9.1 (CRITICAL)
CVE-2026-22855 — Freerdp Freerdp: Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, a heap out-of-bounds read occurs in the smartcard SetAttrib path when cbAttrLen does not match the actual NDR buffer length. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.1 (CRITICAL)
CVE-2026-22853 — Freerdp Freerdp: Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.20.1, RDPEAR’s NDR array reader does not perform bounds checking on the on‑wire element count and can write past the heap buffer allocated from hints, causing a heap buffer overflow in ndr_read_uint8Array. This vulnerability is fixed in 3.20.1. CVSSv3.1 9.8 (CRITICAL)
A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?
Project Zero published the third installment of their Pixel 9 0-click exploit chain analysis, detailing systemic vulnerabilities in Android's attack surface management, patch prioritization, and deployment timelines. The chain exploited CVE-2025-54957 (Dolby UDC memory corruption) and CVE-2025-36934 (BigWave driver privilege escalation) to achieve kernel code execution from untrusted audio messages—requiring only two bugs and taking ~11 person-weeks to develop. The post reveals critical gaps: the Dolby UDC vulnerability took 139 days to patch on any Android device and 82 days after public disclosure before Pixel patched it, Dolby's advisory significantly understated exploitability, and Android's severity matrix initially rated both bugs as Moderate despite their 0-click nature.
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
Project Zero discloses a complete 0-click exploit chain for Pixel 9 combining a Dolby decoder RCE with three BigWave driver vulnerabilities, culminating in kernel arbitrary read/write and SELinux bypass. The primary vulnerability is a use-after-free in the BigWave AV1 hardware decoder driver triggered by race conditions between ioctl timeout handling and worker thread job processing, patched January 5, 2026.
A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby
Project Zero disclosed a complete 0-click exploit chain for Pixel 9 targeting the Dolby Unified Decoder (CVE-2025-54957), an integer overflow in EMDF payload parsing that enables arbitrary heap writes. The vulnerability exists in the 0-click attack surface via automatic audio transcription in Google Messages, affecting most Android devices. Part 1 details exploitation of the decoder to achieve mediacodec RCE through heap layout manipulation and function pointer overwriting.
Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP
SpecterOps researchers discovered a critical SCCM hierarchy takeover primitive combining automatic client push installation with WebDav/HTTP NTLM relay to LDAP. The attack exploits the site server's automatic share mapping behavior (WNetAddConnection2 API) during client push, which triggers WebClient startup and coerces HTTP NTLM authentication from either the client push account or the site server machine account. Successful exploitation requires WebClient installation on the site server, automatic client push enabled, NTLM fallback enabled, and disabled LDAP signing/channel binding—conditions common in enterprise deployments.
CVE-2026-0532 — External: Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918)
External Control of File Name or Path (CWE-73) combined with Server-Side Request Forgery (CWE-918) can allow an attacker to cause arbitrary file disclosure through a specially crafted credentials JSON payload in the Google Gemini connector configuration. This requires an attacker to have authenticated access with privileges sufficient to create or modify connectors (Alerts & Connectors: All). The server processes a configuration without proper validation, allowing for arbitra CVSSv3.1 8.6 (HIGH)
CVE-2026-23550 — Incorrect: Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue
Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1. CVSSv3.1 9.8 (CRITICAL)
MAAD-AF — MAAD Attack Framework - An attack tool for simple, fast & effective security testing of M365 & Entra ID (Azure AD).
Vectra AI Research released MAAD-AF (MAAD Attack Framework), an open-source PowerShell-based attack emulation tool for Microsoft 365 and Entra ID environments. The framework enables security testing across Exchange Online, Teams, SharePoint, and eDiscovery with techniques including credential brute-forcing, MFA manipulation, mailbox audit bypass, mail forwarding exfiltration, and cross-tenant synchronization exploitation.
CVE-2026-20931 — Microsoft Windows_10_1607: External control of file name or path in Windows Telephony Service allows an authorized
External control of file name or path in Windows Telephony Service allows an authorized attacker to elevate privileges over an adjacent network. CVSSv3.1 8.0 (HIGH) · EPSS 74th percentile
CVE-2025-25249 — Fortinet Fortios: A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through
A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4 all versions, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows attacker to execute unauthorized code or commands via specially crafted packets CVSSv3.1 8.1 (HIGH) · EPSS 4th percentile
Introducing ConfigManBearPig, a BloodHound OpenGraph Collector for SCCM
SpecterOps released ConfigManBearPig, a BloodHound OpenGraph collector that enumerates Microsoft Configuration Manager (SCCM) infrastructure to identify 30+ documented attack techniques. The tool integrates with BloodHound to visualize SCCM misconfigurations, hierarchy takeover paths, privilege escalation vectors, and credential theft opportunities through LDAP, DNS, remote registry, MSSQL, AdminService, and HTTP collection phases.
CVE-2025-66698 — Semantic-machines Veda: An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a
An issue in Semantic machines v5.4.8 allows attackers to bypass authentication via sending a crafted HTTP request to various API endpoints. CVSSv3.1 8.6 (HIGH) · EPSS 39th percentile
CVE-2025-65783 — Hubert Hub: An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao
An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile
CVE-2026-0892 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147 and Thunderbird 147. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-0891 — Mozilla Firefox: Some of these bugs showed evidence of memory corruption and we presume that with
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.1 (HIGH)
CVE-2026-0884 — Mozilla Firefox: Use-after-free in the JavaScript Engine component.
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 9.8 (CRITICAL)
CVE-2026-0882 — Mozilla Firefox: Use-after-free in the IPC component.
Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.8 (HIGH)
CVE-2026-0881 — Mozilla Firefox: Sandbox escape in the Messaging System component.
Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. CVSSv3.1 10.0 (CRITICAL)
CVE-2026-0880 — Mozilla Firefox: Sandbox escape due to integer overflow in the Graphics component.
Sandbox escape due to integer overflow in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 8.8 (HIGH)
CVE-2026-0879 — Mozilla Firefox: Sandbox escape due to incorrect boundary conditions in the Graphics component.
Sandbox escape due to incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. CVSSv3.1 9.8 (CRITICAL)