İbrahim BALOĞLU - Siber Güvenlik Paylaşımları
This group was created to share content in the field of Cyber Security.
1 068 subscribers
Post archive
#DFIR
1⃣ A deep technical analysis of Windows input pipelines, security telemetry, and why PuTTY, WinSCP, MySQL, SSH, and SFTP passwords may leak into system memory
https://hexderef.com/windows-11-passwords-in-memory-lsass-ctfmon-analysis
2⃣ Aether - Windows memory-forensics and threat hunting tool
https://github.com/0xsp-SRD/aether
#AppSec
#Threat_Research
1⃣ Click Or Trick (CVE-2025-59199):
Escaping the Sandbox with Windows URIs
https://www.safebreach.com/blog/click-or-trick-cve-2025-59199-escaping-the-sandbox-with-windows-uris
2⃣ Adobe Acrobat Reader Escript.api UAF RCE
https://blog.exodusintel.com/2026/06/01/adobe-acrobat-reader-escript-api-use-after-free-remote-code-execution
3⃣ Exploiting Windows Defender's Remediation Workflow for LPE
https://blog.calif.io/p/redsun-exploiting-windows-defenders
Linux LPE Toolkit
*
Multi-arch toolkit for privilege escalation on Linux, with 19 ready-made exploits that are compiled at run time.
Automatically detects the kernel version, filters out exploits the kernel is already patched against, and tries each remaining one until it gets root.
*
Download
Hidden HTTP/2 Bomb
*
FOR
nginx, Apache httpd, Microsoft IIS, Envoy, Cloudflare Pingora
*
WriteUP + LABs + PoCs
#NetSec
#Threat_Research
1⃣ Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
// CVE-2026-5426 enabled RCE via shared ASP.NET machine keys, leading to web shells, privilege escalation, and malware deployment; mitigation requires key rotation and vigilant monitoring
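The root cause named above is a machineKey reused across applications: whoever holds the validationKey can sign a ViewState that deserializes on every app that shares it. The check below is an added example (not code from the write-up or from KnowledgeDeliver) that audits a set of web.config files for static keys and, more importantly, for the same key appearing in more than one application. The config fragments are constructed for the example; the path names are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments (not taken from the article). app-a and app-b were
# deployed with the same hard-coded <machineKey>; app-c lets ASP.NET generate per-app keys.
WEB_CONFIGS = {
    "app-a/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "app-b/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "app-c/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>""",
}

def machine_keys(config_xml):
    """Yield (validationKey, decryptionKey) for every <machineKey> element.
    A missing attribute means the ASP.NET default, AutoGenerate,IsolateApps."""
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        yield (mk.get("validationKey", "AutoGenerate,IsolateApps"),
               mk.get("decryptionKey", "AutoGenerate,IsolateApps"))

def is_static(key):
    """A key that is not auto-generated is a literal that can be copied, leaked and reused."""
    return not key.strip().upper().startswith("AUTOGENERATE")

def audit_machine_keys(configs):
    """Return {path: [issue, ...]}. A static key on its own is informational (web farms
    need one); the same static key in more than one config is the finding that matters:
    a ViewState forged for one app is accepted by all of them."""
    issues = defaultdict(list)
    users = defaultdict(set)  # validationKey -> configs that carry it
    for path, xml in configs.items():
        for vkey, dkey in machine_keys(xml):
            if is_static(vkey) or is_static(dkey):
                issues[path].append("static machineKey (rotate on any suspicion of leak)")
            if is_static(vkey):
                users[vkey].add(path)
    for vkey, paths in users.items():
        if len(paths) > 1:
            for path in paths:
                others = sorted(paths - {path})
                issues[path].append(f"validationKey shared with {', '.join(others)}")
    return dict(issues)

if __name__ == "__main__":
    for path, found in audit_machine_keys(WEB_CONFIGS).items():
        for issue in found:
            print(f"{path}: {issue}")
```

Run it over every web.config and applicationHost.config you can collect; a key that also appears in a public sample, a wiki page or a forum answer should be treated as already compromised and rotated.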
2⃣ Laravel Lang Packages Compromised
// Laravel Lang packages were compromised with an RCE backdoor across hundreds of versions, exposing cloud, CI/CD, and developer secrets
3⃣ Google API keys keep working after you delete them
// When you delete a Google API key, it says it’s immediately deleted. Our testing says ~23 min. During that window, an attacker with a leaked key keeps access to your data and enabled APIs
4⃣ Unauthenticated InfoLeak to Full Admin Compromise on ZTE ZXHN H168N
// CVE-2021-21735 - critical flaw in ZTE routers allowing unauthenticated access to sensitive configuration data, enabling full device compromise and WLAN takeover
5⃣ Critical heap buffer overflow in 7-Zip
// CVE-2026-48095
#Analytics
#Threat_Research
An analytical review of the main cybersecurity events for the week (May 16-23, 2026)
1⃣ GRO Frag - seventh Copy Fail vulnerability that grants root privileges to Linux
// Affected: Linux 6.0+ (unprivileged, requires io_uring)
2⃣ Cisco Secure Workload Unauthorized API Access Vulnerability CVE-2026-20223
// Affects Cisco Secure Workload Cluster Software on SaaS and on-prem deployments, regardless of device configuration
3⃣ Anonymous SQLI in Drupal Core (CVE-2026-9082)
// PostgreSQL-specific SQLi in Drupal core allows anonymous users to execute malicious queries via JSON endpoints, fixed by resetting array keys before SQL translation
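The fix summary above ("resetting array keys before SQL translation") describes a whole class of bug: a query builder that derives placeholder names from an array's keys is safe for a JSON array, whose keys are 0..n-1, but not for a JSON object, whose keys the request controls. The following is an added example in Python that models that pattern and its fix side by side; it is not Drupal's PHP code, and it abstracts away the PostgreSQL-specific translation step that made the real bug database-specific. The endpoint, table and request bodies are constructed for the example.

```python
import json
import re

def _pairs(decoded):
    """Key/value pairs of a decoded JSON value: a list gives 0..n-1, an object gives its own keys."""
    return decoded.items() if isinstance(decoded, dict) else enumerate(decoded)

def build_in_query_unsafe(column, decoded):
    """Vulnerable model: placeholder names are derived from the array's own keys, so a
    request that sends a JSON object instead of an array chooses part of the SQL text."""
    names = [f":ph_{key}" for key, _ in _pairs(decoded)]
    params = {f"ph_{key}": value for key, value in _pairs(decoded)}
    sql = f"SELECT nid FROM node_field_data WHERE {column} IN ({', '.join(names)})"
    return sql, params

def build_in_query_safe(column, decoded):
    """Fixed model: reset the keys to 0..n-1 (PHP array_values) before translation, so the
    SQL text depends only on the number of values and the values themselves stay bound."""
    values = [value for _, value in _pairs(decoded)]
    names = [f":ph_{i}" for i in range(len(values))]
    params = {f"ph_{i}": value for i, value in enumerate(values)}
    sql = f"SELECT nid FROM node_field_data WHERE {column} IN ({', '.join(names)})"
    return sql, params

# Only placeholders may appear inside IN (...); anything else means request data reached the SQL text.
_EXPECTED = re.compile(r"^SELECT nid FROM node_field_data WHERE nid IN \(:ph_\d+(, :ph_\d+)*\)$")

def sql_is_placeholders_only(sql):
    return _EXPECTED.match(sql) is not None

# Constructed request bodies for a hypothetical JSON endpoint that filters by node id.
BENIGN_BODY = '[4, 8, 15]'
HOSTILE_BODY = '{"0) OR 1=1 --": 4}'

def check_body(body):
    """Build both variants from a raw JSON body; returns (unsafe_ok, safe_ok, safe_params)."""
    decoded = json.loads(body)
    u_sql, _ = build_in_query_unsafe("nid", decoded)
    s_sql, s_params = build_in_query_safe("nid", decoded)
    return sql_is_placeholders_only(u_sql), sql_is_placeholders_only(s_sql), s_params

if __name__ == "__main__":
    for body in (BENIGN_BODY, HOSTILE_BODY):
        print(body, "->", build_in_query_unsafe("nid", json.loads(body))[0])
        print(body, "->", build_in_query_safe("nid", json.loads(body))[0])
```

With the hostile body the unsafe builder emits `IN (:ph_0) OR 1=1 --)`, i.e. the attacker's key has become SQL; the safe builder emits `IN (:ph_0)` and binds the value. The lesson generalizes to any layer that turns user-supplied structure (keys, field names, operators) into query text: reset or whitelist the structure, bind the data.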
4⃣ Flipper One Project
// Not an upgrade to Flipper Zero; it is a completely different project with its own goals
5⃣ Critical security flaws in Google Cloud's internal APIs
// CVE-2026-2031
6⃣ DirtyDecrypt is another Copy Fail vulnerability that grants root privileges on Linux
// A prototype exploit is available
7⃣ ModuleJail for locking unused Linux kernel modules
// A single POSIX shell script that shrinks a Linux host's kernel-module attack surface by writing a modprobe.d blacklist
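ModuleJail's approach, a generated modprobe.d denylist for modules the host does not use, is easy to reproduce and to audit. The block below is an added example, not ModuleJail's script: it takes a /proc/modules listing (constructed here), a candidate list of modules that are commonly disabled when unused (a CIS-style selection, an assumption to trim for your fleet), and renders the modprobe.d lines. The one detail worth showing is that `install <module> /bin/false` is needed alongside `blacklist`, because `blacklist` only stops alias-based autoloading and an explicit modprobe would still succeed.

```python
# Constructed /proc/modules excerpt (not from a real host).
# Format per line: name size refcount dependencies state address
PROC_MODULES = """\
xfs 1720320 2 - Live 0x0000000000000000
usb_storage 86016 1 uas, Live 0x0000000000000000
sctp 495616 0 - Live 0x0000000000000000
"""

# Modules commonly disabled when not in use (CIS-style selection; assumption, trim to fit the host).
CANDIDATES = ["dccp", "sctp", "rds", "tipc", "cramfs", "freevxfs", "jffs2",
              "hfs", "hfsplus", "udf", "usb-storage", "firewire-core"]

def loaded_modules(proc_modules_text):
    """Set of module names currently loaded, as reported by /proc/modules."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}

def canonical(name):
    """The kernel reports module names with underscores; modprobe accepts '-' or '_'.
    Compare in one spelling so 'usb-storage' in the candidate list matches 'usb_storage'."""
    return name.replace("-", "_")

def unused_candidates(candidates, loaded):
    """Candidates that are not loaded right now. A loaded module is left alone: denying it
    would break the running host on next boot."""
    loaded_c = {canonical(m) for m in loaded}
    return [m for m in candidates if canonical(m) not in loaded_c]

def render_modprobe_conf(modules):
    """modprobe.d content. 'install X /bin/false' makes every load attempt of X fail,
    including an explicit 'modprobe X'; 'blacklist X' alone only suppresses alias autoload."""
    lines = ["# generated: deny loading of kernel modules not in use on this host"]
    for m in modules:
        lines.append(f"install {m} /bin/false")
        lines.append(f"blacklist {m}")
    return "\n".join(lines) + "\n"

def build_conf(proc_modules_text=PROC_MODULES, candidates=CANDIDATES):
    return render_modprobe_conf(unused_candidates(candidates, loaded_modules(proc_modules_text)))

if __name__ == "__main__":
    # On a real host: open('/proc/modules').read(), then write the result to
    # /etc/modprobe.d/10-modulejail.conf and rebuild the initramfs if it embeds modprobe.d.
    print(build_conf(), end="")
```

Review the generated file before installing it, and keep it out of the initramfs unless you have confirmed none of the denied modules is needed for early boot on that hardware.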
8⃣ Pwn2Own Berlin 2026:
Day Three Results and Master of Pwn
// Day One / Two Results
]-> Analytical review (May 09-16, 2026)
CVE-2026-20182 Cisco Catalyst SD-WAN
MetaSploit bypass module
*
CVE-2026-0300 PAN-OS 12.1, 11.2, 11.1, 10.2
RCE PoC
*
#network
#AppSec
#Threat_Research
How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)
https://securelist.com/exiftool-compromise-mac/119866
// critical RCE vulnerability in ExifTool ≤13.49 on macOS, exploitable via malicious image metadata
#DFIR
#Tech_book
#Blue_Team_Techniques
"SIEM Use Case Engineering Playbook:
100 Detailed Use Cases for Rule Creation, Alert Design, Incident Grouping and SOC Response", 2026.
// A 2026 SIEM use case must be more than a single event trigger. It should describe a realistic threat scenario, identify the logs required, define the building blocks, state the rule logic, generate a useful alert, create an incident when evidence is strong and guide the analyst towards containment or closure
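To make the blurb's structure concrete (scenario, required logs, building blocks, rule logic, alert, incident, analyst guidance), here is an added example of one use case carried through to code; it is not from the book and the use case, thresholds and events are constructed for the example. The scenario is a burst of failed logons (Windows Security EventID 4625) from one source followed by a successful logon (4624) from the same source; the success is the strong evidence that turns an alert into a high-severity incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The use case written down the way the blurb asks: scenario, logs, building blocks, rule logic.
USE_CASE = {
    "scenario": "Brute force against an account followed by a successful logon",
    "logs": ["Windows Security EventID 4625 (failed logon)",
             "Windows Security EventID 4624 (successful logon)"],
    "threshold": 5,                          # building block 1: this many failures ...
    "window": timedelta(seconds=60),         # ... from one source inside this window
    "success_within": timedelta(minutes=5),  # building block 2: a success this soon after the burst
}

# Constructed events, not real telemetry. 10.0.0.7 fails five times in 40 s and then succeeds;
# 10.0.0.9 fails twice (a mistyped password) and succeeds, which must stay below the rule.
EVENTS = [
    {"ts": "2026-05-20T10:00:01", "id": 4625, "user": "svc_backup", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2026-05-20T10:00:09", "id": 4625, "user": "svc_backup", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2026-05-20T10:00:17", "id": 4625, "user": "svc_backup", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2026-05-20T10:00:26", "id": 4625, "user": "svc_backup", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2026-05-20T10:00:41", "id": 4625, "user": "svc_backup", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2026-05-20T10:02:03", "id": 4624, "user": "svc_backup", "src": "10.0.0.7", "host": "FS01"},
    {"ts": "2026-05-20T10:00:30", "id": 4625, "user": "j.doe", "src": "10.0.0.9", "host": "WS22"},
    {"ts": "2026-05-20T10:00:44", "id": 4625, "user": "j.doe", "src": "10.0.0.9", "host": "WS22"},
    {"ts": "2026-05-20T10:00:58", "id": 4624, "user": "j.doe", "src": "10.0.0.9", "host": "WS22"},
]

def _t(event):
    return datetime.fromisoformat(event["ts"])

def detect(events, uc):
    """Rule logic: per source, find >= threshold failures inside the window, then look for a
    success from that source within success_within after the burst. Returns alert dicts."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_t):
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i in range(len(fails) - uc["threshold"] + 1):
            burst = fails[i:i + uc["threshold"]]
            first, last = _t(burst[0]), _t(burst[-1])
            if last - first <= uc["window"]:
                success = next((e for e in evs if e["id"] == 4624
                                and last <= _t(e) <= last + uc["success_within"]), None)
                alerts.append({
                    "src": src,
                    "users": sorted({e["user"] for e in burst}),
                    "hosts": sorted({e["host"] for e in burst}),
                    "burst_end": last.isoformat(),
                    "success": success["ts"] if success else None,
                })
                break  # one alert per source per burst; a later burst is new evidence
    return alerts

def group_incidents(alerts):
    """Incident grouping: one incident per source. The success is the strong evidence that
    raises severity and decides the analyst's first step (containment vs. triage)."""
    incidents = []
    for a in alerts:
        strong = a["success"] is not None
        incidents.append({
            "title": f"{USE_CASE['scenario']} from {a['src']}",
            "severity": "high" if strong else "medium",
            "next_step": ("contain: disable the account(s), block the source, review the 4624 logon type"
                          if strong else
                          "triage: confirm the lockout policy fired, look for spraying across hosts"),
            "alert": a,
        })
    return incidents

if __name__ == "__main__":
    for inc in group_incidents(detect(EVENTS, USE_CASE)):
        print(inc["severity"].upper(), inc["title"], "->", inc["next_step"])
```

The same shape (required logs, two building blocks, explicit threshold and window, evidence-based severity, a named next step) is what a SIEM rule in Sigma, KQL or SPL should express; the code just makes each part testable against sample events before it goes into production.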
#Tech_book
#Cyber_Education
"SOC Analyst Career Guide
Become highly skilled in security tools, tactics, and techniques to jumpstart your SOC analyst career", 2025.
// This book focuses on breaking into cybersecurity the right way, through grit, curiosity, and practical execution. Being a SOC analyst is not glamorous. It involves long hours, messy data, and living on the edge of someone else’s breach. Yet for those who thrive on chaos, who find purpose in connecting dots that others overlook, and who take satisfaction in stopping threats before anyone else even notices, this is where you belong
#Analytics
#Threat_Research
An analytical review of the main cybersecurity events for the week (May 02-09, 2026)
1⃣ Apache httpd http2 vulnerability
// CVE-2026-23918: double free and possible RCE on early reset
2⃣ MorphKatz
// Windows x64 polymorphic machine-code rewriter
3⃣ Chaining ISC DHCP Server Features for Unauthenticated Root RCE
// A chain of ISC DHCP Server features enables unauthenticated remote root access via OMAPI manipulation and 'execute()' statements, bypassing traditional memory or logical bugs
4⃣ TrustFall: coding agent security flaw enables one-click RCE in Claude, Cursor, Gemini CLI and GitHub Copilot
// Two PoC variants: poc/ is the 1-click developer-machine variant (opens the OS calculator, works on all four CLIs); poc-ci-pipeline/ is the 0-click headless CI variant
5⃣ Wireshark 4.6.5 Released
// Release notes + download page
6⃣ PCPJack: Cloud Worm Evicts TeamPCP and Steals Credentials at Scale
// PCPJack targets exposed services including Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web apps, enabling both external propagation and lateral movement inside victim environments
7⃣ Dropbear SSH 2026.90
]-> Analytical review (Apr.25-May 02, 2026)
#exploit
#Mobile_security
#Kernel_Security
A 0-click exploit chain for the Pixel 10:
When a Door Closes, a Window Opens...
https://projectzero.google/2026/05/pixel-10-exploit.html
// Researchers developed a new exploit chain for Pixel 10, updating previous vulns found in Pixel 9, including Dolby and VPU driver issues. Dolby exploit was adapted for Pixel 10, but LPE link was replaced due to hardware driver differences, leading to the discovery of a critical VPU vulnerability
#AppSec
#Threat_Research
New Nightmare Eclipse Vulnerabilities
1⃣ YellowKey Bitlocker Bypass Vulnerability
https://github.com/Nightmare-Eclipse/YellowKey
2⃣ GreenPlasma Windows CTFMON Arbitrary Section Creation EoP Vulnerability
https://github.com/Nightmare-Eclipse/GreenPlasma
#Malware_analysis
1⃣ PamDOORa Linux PAM-Based Backdoor
https://flare.io/learn/resources/blog/pamdoora-new-linux-pam-based-backdoor-sale-dark-web
2⃣ Fake Claude site spreads backdoor
https://www.sophos.com/en-us/blog/donuts-and-beagles-fake-claude-site-spreads-backdoor
3⃣ New TrickMo Variant
https://www.threatfabric.com/blogs/new-trickmo-variant-device-take-over-malware-targeting-banking-fintech-wallet-auth-app
#exploit
#NetSec
1⃣ Android adbd TLS client-authentication bypass
https://barghest.asia/blog/cve-2026-0073-adb-tls-auth-bypass
// no-interaction proximal/adjacent RCE vulnerability (CVE-2026-0073) in adbd’s ADB-over-TCP authentication path
2⃣ Critical Unauthenticated Memory Leak in Ollama
https://www.cyera.com/research/bleeding-llama-critical-unauthenticated-memory-leak-in-ollama
// memory leak vulnerability (CVE-2026-7482) in Ollama allows attackers to exploit improper tensor shape validation in GGUF files to leak sensitive memory data from approximately 300k servers globally
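The Ollama item comes down to trusting the tensor shapes declared in a GGUF file: if the reader computes a tensor's size from attacker-chosen dimensions without checking for overflow or against the data section, it will read memory it does not own. The block below is an added example of the validation class, not Ollama's or GGML's code and not a reproduction of CVE-2026-7482; it checks tensor-info entries the way a defensive loader should, and the entries and data-section length are constructed. The element-size table covers only a few unquantized types (an assumption sufficient for the check).

```python
GGUF_MAX_DIMS = 4          # GGML_MAX_DIMS: a tensor has at most four dimensions
UINT64_MAX = 2**64 - 1
DEFAULT_ALIGNMENT = 32     # GGUF's default general.alignment

# Element sizes for a few unquantized GGML types (assumption: subset, enough for the check).
ELEM_SIZE = {"F32": 4, "F16": 2, "I8": 1, "I32": 4}

def tensor_byte_size(dims, dtype):
    """Element count and byte size as a uint64 reader would compute them, but with the
    overflow made visible: every partial product must stay inside uint64."""
    if not 1 <= len(dims) <= GGUF_MAX_DIMS:
        raise ValueError(f"n_dims={len(dims)} outside 1..{GGUF_MAX_DIMS}")
    count = 1
    for d in dims:
        if d <= 0:
            raise ValueError("non-positive dimension")
        count *= d
        if count > UINT64_MAX:
            raise ValueError("element count overflows uint64")
    size = count * ELEM_SIZE[dtype]
    if size > UINT64_MAX:
        raise ValueError("byte size overflows uint64")
    return size

def validate_tensor(desc, data_len, alignment=DEFAULT_ALIGNMENT):
    """desc: {'name', 'dims', 'type', 'offset'} as read from the tensor-info table; data_len is
    the length of the file's data section (offsets are relative to its start). Returns
    (ok, reason). A reader that skips the last two checks and copies offset..offset+size
    reads process memory beyond the mapped file."""
    try:
        size = tensor_byte_size(desc["dims"], desc["type"])
    except (ValueError, KeyError) as exc:
        return False, f"{desc['name']}: {exc}"
    off = desc["offset"]
    if off % alignment:
        return False, f"{desc['name']}: offset {off} not {alignment}-byte aligned"
    if off > data_len or size > data_len - off:   # subtraction form: off + size cannot wrap
        return False, f"{desc['name']}: bytes {off}..{off + size} exceed data section of {data_len}"
    return True, f"{desc['name']}: ok"

# Constructed tensor-info entries for a 1 MiB data section (not from any real model file).
DATA_LEN = 1 << 20
TENSORS = [
    {"name": "tok_embd.weight", "dims": [512, 256], "type": "F16", "offset": 0},             # 262144 B, fits
    {"name": "blk.0.attn_q.weight", "dims": [256, 256], "type": "F32", "offset": 262144},    # 262144 B, fits
    {"name": "blk.0.attn_k.weight", "dims": [4096, 4096], "type": "F32", "offset": 524288},  # 64 MiB past the end
    {"name": "output.weight", "dims": [2**32, 2**32, 2], "type": "F32", "offset": 0},        # count wraps uint64
    {"name": "blk.0.attn_v.weight", "dims": [16, 16], "type": "F32", "offset": 7},           # misaligned offset
]

def validate_all(tensors, data_len):
    return {desc["name"]: validate_tensor(desc, data_len) for desc in tensors}

if __name__ == "__main__":
    for name, (ok, reason) in validate_all(TENSORS, DATA_LEN).items():
        print("OK  " if ok else "FAIL", reason)
```

The same three checks (dimension count and sign, overflow-free size, offset plus size inside the data section) apply to any binary format that carries self-describing array shapes; the wrap-around case in particular only shows up when the size is computed in fixed-width arithmetic, which is exactly what a C or Go loader does.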
CVE-2026-35616 FortiClient EMS Pre-Auth Bypass
*
exploit