InfoSec Briefing - May 23, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Saturday the 23rd of May 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 11 articles to cover. All attribution is by the article authors. All article analysis is automated.

CISA have added a Drupal SQL injection to the Known Exploited Vulnerabilities catalogue. The flaw affects versions 8.9 through 11.2.11 and allows unauthenticated attackers to execute arbitrary SQL commands, potentially achieving remote code execution on PostgreSQL installations. Active exploitation is confirmed in the wild, so if you're running Drupal, patch immediately.

Censys have written up ongoing breaches of automatic tank gauges at US petrol stations, with Iran-linked operators suspected. The gauges lack authentication and can be accessed over the public internet with a single unauthenticated command, allowing attackers to pull sensitive data and manipulate fuel readings on display. Over 6,000 exposed hosts identified, 70% of them in the US across major brands.

Cisco Talos have tracked a commodity malware ecosystem called BadIIS, operating as Malware-as-a-Service since at least 2021. It targets IIS servers and is distributed among Chinese-speaking threat actors, with dedicated builder tools and rapid iteration to evade detection. Worth a look if you're tracking Chinese tooling or defending web server infrastructure.

Quick Heal have documented Operation Dragon Whistle, a spear-phishing campaign by threat actor UNG0002 targeting Chinese academic institutions. The campaign uses weaponised shortcuts disguised as documents about fitness testing requirements, delivering Cobalt Strike via DLL side-loading whilst rotating command and control infrastructure between Chinese cloud providers.

ESET have analysed a shift in targeting by the China-aligned group Webworm, who've moved from Asian organisations to Europe and South Africa in 2025. The research covers their new operational patterns and geographic expansion, which represents a notable change in strategic focus.

Grafana Labs and Nrwl have both published incident reports following the TanStack supply chain attack we covered earlier this week. Grafana detected unauthorised access to internal repositories on May 11th, linked to the Mini Shai-Hulud campaign that compromised 84 packages. Separately, Nrwl disclosed that a malicious version of the Nx Console extension was published for up to 36 minutes after a developer's GitHub credentials were stolen in the same campaign, harvesting vault tokens, cloud credentials, and attempting persistence via sudoers injection. Around 6,000 users are believed affected by the extension compromise.

Security researcher Matt Suiche has audited the leaked Windows 2000 source code and found that critical vulnerabilities from the 1999 codebase persisted in later Windows versions for 6 to 25 years before being patched. The analysis covered 75 megabytes of source against 25 years of vulnerability research, identifying 11 confirmed high-confidence bugs. Turns out Windows kernel bugs have a decades-long half-life.

Kaspersky have disclosed a command injection vulnerability in ExifTool affecting macOS systems. The flaw allows attackers to execute arbitrary shell commands by embedding malicious instructions in image file metadata, specifically through unsanitised input in a function that handles file creation dates. One for macOS defenders, particularly if you process user-uploaded images.

Qualys have published details of a critical Linux kernel privilege escalation flaw present since 2016. The vulnerability exploits a race condition in credential handling, allowing unprivileged local users to escalate to root or steal sensitive credentials on widely-used distributions including Ubuntu, Debian, and Fedora. Patch immediately, or set a specific kernel parameter to 2 as interim mitigation.

And Searchlight Cyber have disclosed a pre-authentication path traversal in cPanel's CalDAV daemon that allows unauthenticated attackers to read arbitrary files with root privileges. The flaw combines a regex bypass via URL encoding with improper privilege dropping in Perl's implementation. Exploitation requires knowledge of a valid email address on the target instance but enables full system compromise through unrestricted file access.

That concludes today's briefing.

📰 Articles Covered

CVE-2026-9082 - CISA KEV

CVE-2026-9082 is a highly critical SQL injection (SQLi) vulnerability affecting the Drupal core database abstraction layer .

### Vulnerability Overview
* **Product/Vendor:** Drupal Core .
* **Affected Configurations:** The vulnerability specifically impacts Drupal installations utilizing a **PostgreSQL** database backend . Installations using MySQL, MariaDB, or SQLite are not affected by this specific vector .
* **Impact:** It allows unauthenticated attackers to execute arbitrary SQL commands against the database . This is achieved by injecting crafted array keys into filter parameters, which the database abstraction layer fails to neutralize properly .

### Exploitation and Threat Landscape
* **Exploitation (MITRE ATT&CK T1190):** Attackers are exploiting this vulnerability by sending malicious, crafted requests to internet-facing Drupal applications. Because the flaw resides in the core architecture, it provides a direct path for unauthenticated remote attackers to interact with the backend database, posing significant risks of data theft and unauthorized database manipulation .
* **Threat Actors/Campaigns:** As of May 23, 2026, the vulnerability has been identified as a critical issue, and it is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog . Security researchers are actively monitoring the landscape for exploitation attempts .

### Immediate Recommendations for Defenders
1. **Apply Patches:** Organizations must immediately apply the official Drupal core updates provided by the vendor as part of their critical patch management cycle .
2. **Implement WAF Protections:** If immediate patching is not possible, deploy robust Web Application Firewall (WAF) rules designed to detect and block SQL injection attempts targeting Drupal's database abstraction layer .
3. **Monitor Logs:** Review web server and database logs for suspicious activity, particularly requests containing unusual array structures or SQL syntax in parameters, which may indicate exploitation attempts.
Iran-linked Operators Suspected in ATG Breaches - Censys

This precis summarizes the findings regarding the recent security incidents involving Automatic Tank Gauges (ATGs) as reported by Censys.

### **What Happened**
Following a 15 May 2026 report by CNN, US officials identified that Iran-linked operators have been targeting and breaching internet-facing Automatic Tank Gauges (ATGs) at gas stations across the United States 【1】【1】. Attackers exploited the fact that these devices were connected directly to the public internet without password protection, allowing them to alter on-display readings 【1】.

### **Who Is Affected**
* **Geographic Scope:** The United States is the most heavily impacted, accounting for 4,224 (70%) of the 6,057 exposed hosts identified by Censys 【1】. Puerto Rico is also significantly affected, with 350 hosts, the majority of which are concentrated on a single ISP (COQUI-NET / DATACOM CARIBE) 【1】.
* **Infrastructure:** Exposed devices are primarily hosted on residential and small-business broadband and cellular ISPs, including Verizon Wireless, Comcast, CYBERA Inc., Charter, AT&T, and UUNET/Verizon Business 【1】.
* **Brands:** Numerous major fuel brands are represented among the exposed consoles, including Shell (602), Mobil (184), BP (78), Texaco (68), and others 【1】.

### **Technical Details**
* **Protocol Vulnerability:** The ATG protocol lacks any native authentication mechanism; every indexed service is reachable without a login 【1】.
* **Data Exposure:** A single unauthenticated `I20100` command is sufficient to extract sensitive information from 60.1% of these services 【1】. This includes the station’s brand, street address, phone number, and live tank readings (volume, ullage, and water-bottom levels) 【1】.

### **Security Implications**
* **Reconnaissance:** For targeted adversaries, the reconnaissance phase is effectively pre-completed, as 3,907 services openly broadcast precise location and contact data 【1】.
* **Operational Impact:** While investigators noted that attackers could not alter physical fuel levels, the ability to manipulate on-display readings poses a significant risk. By design, this access could allow an attacker to mask a fuel leak, potentially leading to environmental or safety hazards going undetected 【1】.

### **What Defenders Should Know**
Defenders and operators of these systems should be aware that these devices are currently being actively targeted due to their lack of authentication and public exposure. The primary mitigation is to ensure these devices are not directly accessible from the public internet. Organizations should audit their network perimeters to identify and isolate any ATG consoles that may be inadvertently exposed.
From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat - Cisco Talos

This precis summarizes the findings from the Cisco Talos report regarding the "BadIIS" commodity malware ecosystem.

### **What Happened**
Cisco Talos has uncovered a long-running, sophisticated ecosystem centered around a variant of the **BadIIS** malware, identifiable by embedded "demo.pdb" strings. This ecosystem operates under a **Malware-as-a-Service (MaaS)** model, where a primary developer (operating under the alias **"lwxat"**) creates and maintains the malware, a dedicated builder tool, and various auxiliary deployment utilities. These tools are sold or shared among Chinese-speaking threat actors for continuous monetization through illicit activities. The development effort has been sustained since at least September 2021, characterized by rapid iteration and reactive evasion tactics.

### **Who Is Affected**
The primary targets are **Internet Information Services (IIS) servers**. By compromising these servers, threat actors can manipulate web traffic, hijack site content, and perform search engine optimization (SEO) fraud, impacting both the owners of the compromised servers and the legitimate users visiting those sites.

### **Security Implications**
The BadIIS ecosystem enables several malicious activities that can severely damage a website's reputation and security:
* **Traffic Redirection:** Forcibly redirects legitimate users to malicious infrastructure (e.g., gambling or adult content sites).
* **SEO Fraud:** Injects backlinks to external illicit sites to artificially inflate their search rankings, siphoning the compromised server's Domain Authority.
* **Content Hijacking:** Replaces legitimate website content with malicious material for both users and search engine crawlers.
* **Reverse Proxying:** Manipulates search engine crawlers by serving illicit content from the attacker's backend, facilitating large-scale indexing of spam.

### **Technical Details**
* **Attribution:** The developer "lwxat" is linked to the malware via hardcoded authentication strings ("lwxat") in the builder/service tools, a custom user-agent string ("lwxatisme"), and PDB file paths referencing specific client requirements (e.g., "xshen").
* **Builder Tool:** A modular utility allows actors to generate configurations, customize payloads, and inject parameters for traffic redirection, hijacking, and backlink injection.
* **Deployment & Persistence:** The author provides a suite of auxiliary tools, including droppers and service-based installers. These tools use **custom Base64 encoding** to obfuscate command lines and parameters.
* **Persistence Mechanisms:** The malware impersonates legitimate Windows services (e.g., "Winlogin," "FaxService") and utilizes hidden backup directories to ensure the malicious payload is automatically restored and executed upon server restart.

### **What Defenders Should Know**
* **Detection:** Defenders should monitor for the presence of the "lwxat" string in authentication routines and the "lwxatisme" user-agent string in HTTP traffic.
* **Signatures:** Cisco Talos has provided specific detection mechanisms:
* **ClamAV Signatures:** `Win.Malware.BadIIS-10059971-0`, `Win.Malware.BadIIS-10059977-0`, `Win.Malware.BadIIS-10059984-0`, `Win.Malware.BadIIS-10059985-0`.
* **Snort Rules:** Snort2 (SIDs: 1:66400, 1:66399, 1:66398) and Snort3 (SIDs: 1:66400, 1:301491).
* **Mitigation:** Organizations should audit their IIS server configurations for unauthorized modules and unexpected service installations. Given the modular nature of the threat, maintaining robust, updated security software and monitoring for anomalous outbound traffic or unexpected changes to site content is critical.
Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure - Quick Heal Technologies Ltd.

### Operation Dragon Whistle: Campaign Precis

"Operation Dragon Whistle" is a targeted spear-phishing campaign identified by Seqrite Labs, attributed to the threat actor **UNG0002** with medium-high confidence 【1】. The campaign leverages highly contextual lures to compromise targets within the Chinese academic sector 【1】.

#### What Happened
Threat actors are distributing spear-phishing emails containing ZIP attachments to students and faculty at Changzhou University (常州大学) 【1】. These emails utilize a specific, mandatory institutional lure: the 2026 National Student Physical Fitness and Health Standards testing cycle 【1】.

#### Who Is Affected
The campaign primarily targets the Chinese education sector, specifically:
* **Higher Education:** Universities and academic institutions 【1】.
* **Government-Affiliated Bodies:** Institutions operating under national education ministry directives 【1】.
* **Specific Roles:** Students, faculty, departmental coordinators, and administrators managing physical education and fitness assessment programs 【1】.

#### Technical Details
The infection chain is designed to minimize on-disk artifacts and evade detection:
* **Initial Access:** A ZIP archive containing a double-extension LNK file masquerading as a PDF document 【1】.
* **Execution:** Clicking the LNK file triggers a VBScript (`chromedo.vbs`), which initiates the infection chain 【1】.
* **DLL Side-Loading:** The script executes a legitimate application (Bandizip), which follows the Windows DLL search order to load a malicious DLL (`ark.x64.dll`) from the local directory 【1】.
* **Payload:** A Cobalt Strike Beacon is decrypted and loaded directly into memory, avoiding traditional on-disk executable drops 【1】.

#### Security Implications
The campaign highlights a sophisticated approach to social engineering and infrastructure management. The actor, UNG0002, has demonstrated a deliberate rotation of C2 infrastructure—shifting from Tencent Cloud in previous campaigns to Alibaba Cloud—to evade ASN-based blocking 【1】. The use of in-memory execution significantly reduces forensic visibility 【1】.

#### What Defenders Should Know
Defenders should prioritize monitoring for the following techniques and indicators:

| Category | Key Techniques/Indicators |
| :--- | :--- |
| **Initial Access** | Spear-phishing attachments (T1566.001) 【1】 |
| **Execution** | Malicious LNK files, VBScript (T1059.005), and DLL Side-Loading (T1574.002) 【1】 |
| **Evasion** | Anti-debugging (T1622), Sandbox Evasion (T1497), and Reflective Code Loading (T1620) 【1】 |
| **Monitoring** | Unauthorized DLL loading in application directories and suspicious outbound network traffic to cloud infrastructure 【1】 |
Webworm: New burrowing techniques - ESET

This precis summarizes the 2025 activity of the China-aligned advanced persistent threat (APT) group **Webworm**, as analyzed by ESET researchers 【1】.

### What Happened
Webworm, a group previously known for targeting Asian organizations, has shifted its focus toward Europe and South Africa 【1】【1】. The group has evolved its tactics by moving away from traditional backdoors toward stealthier custom proxy tools and leveraging legitimate cloud services for command-and-control (C&C) and data exfiltration 【1】【1】.

### Who Is Affected
The 2025 campaigns primarily targeted:
* **Governmental organizations** in Belgium, Italy, Serbia, and Poland 【1】.
* **Educational institutions**, specifically a university in South Africa 【1】.

### Security Implications
* **Infrastructure Hijacking:** Webworm compromises third-party cloud infrastructure (such as Amazon S3 buckets) to stage tools and exfiltrate data, effectively forcing victims to host the attacker's malicious operations 【1】.
* **Stealthy Persistence:** By using legitimate services like Discord and Microsoft Graph API for C&C, the group blends malicious traffic with normal network activity, making detection significantly more difficult 【1】【1】.
* **Hidden Networks:** The group’s complex proxy tools (WormFrp, ChainWorm, SmuxProxy, and WormSocket) suggest they are building a large, hidden network by tricking victims into running these proxies, which can then be chained for lateral movement 【1】【1】.

### Technical Details
* **New Backdoors:**
* **EchoCreep:** Uses Discord for C&C and is executed via a scheduled task named `MicrosoftSSHUpdate` 【1】【1】.
* **GraphWorm:** Uses Microsoft Graph API for C&C and persists via registry Run keys 【1】【1】.
* **Reconnaissance:** The group uses open-source tools like `nuclei` (vulnerability scanning) and `dirsearch` (web path brute-forcing) to identify entry points 【1】【1】.
* **Tool Staging:** Malware is often staged in GitHub repositories for direct download onto victim machines 【1】.

### What Defenders Should Know
* **Monitor Cloud Usage:** Be vigilant for unauthorized access or misconfigurations in cloud storage (e.g., S3 buckets) and unusual API activity (e.g., Microsoft Graph API) 【1】【1】.
* **Scan for Web Reconnaissance:** Monitor web server logs for activity associated with `nuclei` and `dirsearch`, which are clear indicators of pre-compromise reconnaissance 【1】.
* **Review Scheduled Tasks and Registry:** Regularly audit Windows scheduled tasks (specifically looking for `MicrosoftSSHUpdate`) and registry Run keys for suspicious entries 【1】.
* **Network Traffic Analysis:** Look for traffic patterns involving Discord or Microsoft Graph API that do not align with standard organizational usage, as these are primary C&C channels for the group 【1】.
Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident | Grafana Labs - Grafana Labs

This security incident involved a targeted breach of Grafana Labs' GitHub environment, stemming from a broader, coordinated software supply chain attack. Below is a detailed precis of the event.

### What Happened
On May 11, 2026, Grafana Labs detected unauthorized access to its internal GitHub repositories 【5】. The intrusion was traced back to a malicious supply chain attack targeting the **TanStack** npm ecosystem, part of a wider campaign dubbed "**Mini Shai-Hulud**" orchestrated by the threat actor group **TeamPCP** 【3】【1】.

The attackers successfully compromised 84 npm package artifacts within the TanStack namespace, which were published to the npm registry on May 11 【2】. By May 16, 2026, the threat actors issued a ransom demand, threatening to disclose stolen data 【3】.

### Who Is Affected
* **Grafana Labs:** The primary target of this specific breach, resulting in unauthorized access to both public and private source code repositories 【1】.
* **Other Organizations:** The "Mini Shai-Hulud" campaign was widespread, also impacting other high-profile entities such as OpenAI and Mistral AI 【4】【6】.
* **Customers:** Grafana Labs has stated that there is no evidence that customer production systems or operations were compromised 【1】.

### Security Implications
The incident highlights the severe risks posed by software supply chain vulnerabilities. By compromising widely used open-source libraries (such as `@tanstack/react-router`), attackers can gain a foothold in the development environments of downstream users 【2】. In this case, the breach of Grafana's GitHub environment exposed internal source code, creating potential risks for intellectual property theft and future exploitation of the codebase 【1】.

### Technical Details
* **Attack Vector:** The malicious npm packages contained a credential-stealing payload specifically designed to target CI/CD systems, including GitHub Actions 【2】.
* **Mechanism:** The "Shai-Hulud" worm was used to automate the compromise of open-source packages 【6】.
* **Access:** The attackers leveraged a "missed token" (likely an exposed or overly permissive CI/CD secret) to gain access to Grafana's repositories 【1】.

### What Defenders Should Know
* **Supply Chain Vigilance:** Organizations should implement strict dependency management, including pinning versions, using lockfiles, and scanning third-party packages for malicious code before integration.
* **CI/CD Security:** This incident underscores the necessity of securing CI/CD pipelines. Defenders should rotate secrets frequently, use short-lived tokens, and apply the principle of least privilege to service accounts and GitHub Actions tokens.
* **Monitoring:** Teams should monitor for unusual activity in development environments and CI/CD logs, as these are prime targets for supply chain attacks aimed at gaining broader network access.
Compromised Nx Console version 18.95.0 - Nrwl

This precis summarizes the security incident involving the Nx Console VS Code extension, based on the official advisory.

### Executive Summary
A malicious version of the Nx Console extension (v18.95.0) was published to the Visual Studio Marketplace and OpenVSX for a brief period, leading to a significant supply-chain attack. The malware was designed to harvest a wide array of sensitive credentials from infected developer machines and exfiltrate them to an attacker-controlled server.

### What Happened
* **Incident:** A malicious version of Nx Console (18.95.0) was published to the Visual Studio Marketplace and OpenVSX.
* **Timeline:** The malicious version was available on the Visual Studio Marketplace for approximately 18 minutes (12:30 PM – 12:48 PM UTC) and on OpenVSX for approximately 36 minutes (12:33 PM – 13:09 PM UTC) 【1】.
* **Root Cause:** A developer's GitHub credentials were leaked via the GitHub CLI (`gh`) due to a separate supply-chain compromise involving Tanstack. This allowed the attacker to impersonate the developer and publish the malicious extension as a contributor 【1】.

### Who is Affected
* **Scope:** While official marketplace download metrics suggested a low impact, internal analytics indicate that thousands of users were affected. Approximately 6,000 extension activations were recorded from VS Code and one from Cursor in the days following the attack 【1】.

### Security Implications & Technical Details
The malicious extension acted as a sophisticated credential harvester. Once installed, it fetched an obfuscated payload that targeted:
* **Credentials:** Vault tokens, npm tokens, AWS credentials (including IAM and Secrets Manager), GitHub tokens/secrets, 1Password vault contents, and local filesystem secrets (private keys, connection strings, Docker/GCP credentials) 【1】.
* **Exfiltration:** Data was exfiltrated via HTTPS, the GitHub API, and DNS 【1】.
* **Persistence:** On Linux systems, the malware attempted to inject into `sudoers` to maintain persistence 【1】.

### What Defenders Should Know
If you suspect your environment was compromised, you must take immediate action:

| Action | Details |
| :--- | :--- |
| **Update** | Immediately update Nx Console to version **18.100.0 or later** 【1】. |
| **Kill Processes** | Terminate any `cat.py` processes or processes with `__DAEMONIZED=1` in their environment 【1】. |
| **Cleanup** | Delete persistence artifacts (e.g., `~/.local/share/kitty/cat.py`, `~/Library/LaunchAgents/com.user.kitty-monitor.plist`, `/var/tmp/.gh_update_state`). On macOS, ensure the LaunchAgent is unloaded via `launchctl` before deletion 【1】. |
| **Rotate Secrets** | **Rotate every credential** that was accessible from the affected machine (tokens, SSH keys, cloud secrets) and audit access logs for suspicious activity 【1】. |

For a full list of file-based Indicators of Compromise (IoCs), refer to the [official advisory](https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w#38-58).
From Y2K to Patch Tuesday 2025: 25 Years of Bugs in the Windows 2000 Source Tree - Matt Suiche

This precis summarizes the findings from the security audit of the leaked Windows 2000 source code, as detailed in the article by M. Suiche.

### Overview
The audit involved using an AI agent to analyze a 75 MB tarball of Windows 2000 source code (leaked in 2004) against 25 years of public vulnerability research. The investigation revealed that critical vulnerabilities present in the original 1999/2000 codebase persisted in subsequent Windows versions for periods ranging from 6 to 25 years before being patched 【1】.

### Who is Affected
Users of Windows operating systems ranging from Windows 2000 through modern versions were potentially exposed to these long-lived vulnerabilities until the respective patches were released 【1】.

### Security Implications
The research highlights that the "half-life" of Windows kernel bugs is measured in decades, with vulnerabilities often remaining hidden in plain sight. In some instances, developer comments within the code served as "receipts" for the flaws. The study also notes that incomplete source code—specifically missing headers—can obscure bugs from auditors, and that many vulnerabilities remain "latent" until a researcher eventually discovers a method to weaponize them 【1】.

### Technical Details
The audit identified 45 candidate findings, 11 of which were confirmed as high-confidence bugs. Four of these map directly to public CVEs:

| CVE | Description | Duration |
| :--- | :--- | :--- |
| **CVE-2025-24993** | Heap-based buffer overflow in the NTFS Log File Service (LFS) 【1】 | Since RTM |
| **CVE-2023-21746** | "LocalPotato": NTLM Elevation of Privilege (EoP) involving a hard-coded session key and missing transport checks 【1】 | 23 years |
| **CVE-2013-3196** | Out-of-bounds (OOB) read in the NTVDM subsystem 【1】 | 13 years |
| **CVE-2006-5583** | Pre-authentication remote heap overflow in the SNMP service 【1】 | 6 years |

### What Defenders Should Know
* **Detection Strategy:** Defenders must tailor their approach based on the attack surface:
* **Boundary-scannable:** Threats involving network packets (e.g., SNMP, NTLM) or volume images (e.g., NTFS/FAT) can be inspected at the boundary before reaching the kernel 【1】.
* **Non-boundary-scannable:** Kernel-state threats, such as syscall-driven OOB indices, are difficult to scan at the boundary and require kernel-side guards or runtime instrumentation (e.g., kCFI, KASAN) 【1】.
* **Audit Value:** Auditing internal or leaked source trees is highly effective for identifying long-lived bugs. It is equally important to document "negative results" (what is *not* a bug) to optimize future audit cycles 【1】.
* **Provenance:** While AI agents can map patterns, the actual discovery and weaponization of these vulnerabilities remain the result of human research over the past 25 years 【1】.
How a single image takes control of a Mac understanding an ExifTool vulnerability (CVE-2026-3102) - AO Kaspersky Lab

This precis details the command injection vulnerability (CVE-2026-3102) identified in ExifTool, as documented by Kaspersky’s Global Research and Analysis Team (GReAT).

### What Happened
In February 2026, researchers discovered a command injection vulnerability in ExifTool, a widely used utility for metadata manipulation 【1】. The flaw allows an attacker to execute arbitrary shell commands on a host system by embedding malicious instructions within the metadata of an image file 【1】.

### Who Is Affected
The vulnerability affects macOS systems running ExifTool version 13.49 and earlier 【1】. This includes standalone command-line applications and any software that embeds the vulnerable ExifTool library 【1】.

### Security Implications
Successful exploitation allows an attacker to execute arbitrary shell commands with the privileges of the user running the ExifTool utility 【1】. This can lead to a full system compromise, depending on the permissions of the user invoking the tool 【1】.

### Technical Details
* **The Sink:** The vulnerability targets the `system()` function, which is used to execute system commands 【1】.
* **The Flaw:** The issue resides in the `SetMacOSTags` function, which handles macOS file creation dates (`MDItemFSCreationDate` or `$FileCreateDate`) 【1】. When parsing an image, ExifTool extracts metadata into a variable (`$val`) that is passed to `SetMacOSTags` without proper sanitization 【1】.
* **Exploitation:** An attacker can inject single quotes into the metadata field to break the command structure and execute arbitrary code 【1】. This is triggered by using the `-tagsFromFile` feature to copy a malicious string into the `FileCreateDate` tag 【1】.
* **The Patch:** Version 13.50 addresses the flaw by replacing fragile string concatenation with a secure, list-based API call for the `system()` function, removing the need for manual escaping 【1】.

### What Defenders Should Know
* **Update Immediately:** Ensure all photo processing workflows, asset management platforms, and scripts are updated to ExifTool version 13.50 or later 【1】.
* **Check Dependencies:** Verify that software does not contain embedded, outdated copies of the ExifTool library 【1】.
* **Isolation:** Isolate the processing of untrusted files within dedicated machines or virtual environments that have strictly limited network and storage access 【1】.
* **Monitoring:** Utilize security solutions to monitor the software supply chain for vulnerable open-source components and enforce endpoint protection policies on devices accessing corporate networks 【1】.
CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path - Qualys

This precis summarizes the details of CVE-2026-46333, a critical Linux kernel vulnerability discovered by the Qualys Threat Research Unit (TRU).

### What Happened
Qualys TRU identified a logic flaw in the Linux kernel’s `__ptrace_may_access()` function that allows an unprivileged local user to escalate privileges to root or disclose sensitive information 【1】. The vulnerability has existed in the mainline Linux kernel since November 2016 (v4.10-rc1) 【1】.

### Who Is Affected
The vulnerability affects a wide range of Linux distributions and environments, including enterprise fleets, cloud images, and container hosts that have been running vulnerable kernel versions for the past nine years 【1】. Specific testing confirmed the exploit works on default installations of Debian 13, Ubuntu 24.04/26.04, and Fedora 43/44 【1】.

### Security Implications
The impact is severe because it effectively collapses the security boundary between an unprivileged user and the root account 【1】. An attacker can:
* **Disclose sensitive files:** Read `/etc/shadow` or exfiltrate SSH host private keys 【1】.
* **Execute arbitrary commands:** Gain root-level execution via targets like `pkexec` or `accounts-daemon` 【1】.

### Technical Details
The vulnerability is a race condition involving a privileged process that is dropping its credentials. During this transition, the process remains reachable via ptrace-family operations even though its "dumpable" flag should have restricted access 【1】. By pairing this race with the `pidfd_getfd()` syscall, an attacker can capture open file descriptors and authenticated inter-process channels from the dying privileged process and reuse them under their own UID 【1】.

### What Defenders Should Know
* **Patch Immediately:** Apply kernel updates provided by your Linux distribution vendor as soon as possible 【1】.
* **Interim Mitigation:** If patching is not immediately possible, set `kernel.yama.ptrace_scope` to `2`. This blocks the exploit path by requiring `CAP_SYS_PTRACE` for the `pidfd_getfd()` operation 【1】【1】.
* **Post-Compromise Review:** On systems where untrusted users had access, assume that SSH host keys and locally cached credentials may have been disclosed. Rotate these keys and review administrative material that may have been exposed 【1】.
New Age of Collisions: Reading Arbitrary Files Pre-Auth as root in cPanel (CVE-2026-29205) - Searchlight Cyber

This precis outlines the critical vulnerability CVE-2026-29205 affecting cPanel, as detailed in the research by SLCyber.

### What Happened
CVE-2026-29205 is a pre-authentication path traversal vulnerability found in the cPanel CalDAV daemon (`cpdavd`). It allows an unauthenticated attacker to read arbitrary files on the underlying filesystem with root privileges 【1】.

### Who Is Affected
The vulnerability affects cPanel & WHM instances running the vulnerable version of the `cpdavd` service. Exploitation requires the attacker to know a valid email address registered as a "virtual user" on the target cPanel instance 【1】.

### Security Implications
Because the vulnerability executes with root privileges, it grants an attacker unrestricted access to any file on the server, regardless of ownership or filesystem permissions. This can lead to full system compromise, including the theft of sensitive configuration files, credentials, and user data.

### Technical Details
The vulnerability stems from two primary flaws:

* **Path Traversal via Regex Bypass:** The `cpdavd` managed attachment GET handler validates URIs using a regular expression *before* URL decoding. An attacker can use encoded characters (e.g., `%2F` for `/`) to bypass the regex check. Once the URI is decoded by `URI::Escape::uri_unescape()`, the encoded slash becomes a functional directory separator, enabling path traversal 【1】.
* **Improper Privilege Dropping:** The code attempts to drop privileges using a `ReducedPrivileges` module that relies on Perl’s RAII (Resource Acquisition Is Initialization) pattern. Because the object is not stored, it is treated as a temporary and destroyed at the end of the statement, causing the effective UID to revert to 0 (root) before the file read operation occurs 【1】.
* **Exploitation Vector:** Attackers can trigger the necessary directory structure by sending an email to a valid user with a `+` alias (e.g., `{localpart}+x-attachment-1-y@{domain}`). Dovecot creates predictable directory paths based on this alias, which the attacker then targets via the traversal 【1】.

### What Defenders Should Know
* **Patch Immediately:** cPanel has released a security update to address this vulnerability. Administrators should apply the patch provided in the official [cPanel advisory](https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026) immediately 【1】.
* **Exposure:** Instances with `cpdavd` ports (2079/2080) exposed to the public internet are at the highest risk 【1】.