// CVE Analysis & Vulnerability Research
CVE-2026-48102: OpenSSH GSSAPI Pre-Auth Heap Race RCE
A race condition in OpenSSH's GSSAPI key exchange timeout handler causes async-signal-unsafe glibc heap functions to execute inside a SIGALRM context. Heap grooming via thousands of concurrent partial connections produces a controlled free-chunk corruption leading to pre-authentication root RCE — a variant that bypasses the CVE-2024-6387 patch.
Read post
HTB: Nexus — Nexus Repository RCE to Sudo Vim Escape
Sonatype Nexus Repository Manager 3 running with default credentials exposes a Groovy script execution API that yields a shell as the nexus service account. A plaintext admin password in the data directory is reused as an SSH credential for a local user; that user's sudo policy granting passwordless vim access is bypassed in two keystrokes to produce an interactive root shell.
Read post
CVE-2026-47219: Ruby on Rails ActionPack Marshal Deserialization RCE
A regression in Rails 7.1.x causes secret_key_base to silently fall back to a static predictable value when no credentials file is present. Combined with the legacy Marshal cookie serialiser common in Rails 3/4 upgrade paths, this allows an attacker to forge a signed Marshal gadget chain cookie and achieve pre-authentication remote code execution as the Rails process user.
Read post
HTB: Oasis — LFI Log Poisoning to Docker Socket Escape
PHP local file inclusion with no sanitisation reads Nginx access logs directly. Injecting a PHP webshell into the User-Agent poisons the log and executes it on the next include. World-readable SSH private key in the developer's home pivots to a real user; membership of the docker group provides a volume-mount container escape to the host root filesystem.
Read post
CVE-2026-46580: Palo Alto GlobalProtect Pre-Auth Heap Buffer Overflow RCE
An integer truncation in GlobalProtect's DTLS ClientHello parser allocates a heap buffer from only the lower 8 bits of a 16-bit length field, then copies up to 65535 bytes into it. Pre-authentication heap overflow achieves root-level RCE on PAN-OS with no credentials — CVSS 10.0, in-the-wild exploitation observed against defence contractors.
Read post
HTB: Phantom — Kerberoasting to LAPS to Domain Admin
UNION-based SQL injection on an intranet search portal dumps user hashes, cracking to a WinRM foothold. Kerberoasting a backup service account yields a crackable TGS — the cracked password reveals LAPS_Readers membership. Reading the ms-Mcs-AdmPwd attribute on the DC returns the local Administrator password for full domain compromise.
Read post
CVE-2026-45887: F5 BIG-IP iControl REST Authentication Bypass and RCE
Appending a semicolon-delimited extension to the iControl REST URI tricks Apache's LocationMatch auth filter into exempting the request as a static asset. Tomcat strips the semicolon suffix before routing — delivering the request to the bash execution endpoint unauthenticated. Direct root OS command execution in one request.
Read post
CVE-2026-45201: Ivanti Connect Secure Pre-Auth SSRF to Remote Code Execution
An unauthenticated REST diagnostic endpoint performs server-side HTTP probes to any attacker-supplied URL. Pointing the SSRF at the appliance's loopback management daemon — which accepts OS commands via a maintenance API with no auth of its own — yields pre-authentication RCE as root via out-of-band command exfiltration.
Read post
HTB: Wraith — Pug SSTI to Root via Sudo Wildcard
A Node.js Express app accepts raw Pug template strings at an unauthenticated preview endpoint — RCE via the child_process module. Database credentials hardcoded in config.json reuse as the OS user's SSH password for foothold, then a sudo entry granting wildcard access to a Python backup script yields root through os.system() argument injection.
Read post
CVE-2026-44891: Confluence Server OGNL Injection RCE
A live macro preview endpoint in Confluence 7.19+ evaluates the spaceKey parameter through the OGNL expression engine before performing an authentication check. A single unauthenticated POST request with a Runtime.exec() payload achieves RCE as the Confluence service account — CVSS 9.8, mass-exploited within 24 hours of disclosure.
Read post
CVE-2026-43112: Apache Tomcat Partial PUT RCE
Tomcat's partial PUT handler constructs a temp-file path by appending the attacker-controlled JSESSIONID to the work directory without canonicalisation. Path traversal in the session ID lets an unauthenticated attacker write a JSP webshell directly to the webroot — critical on any deployment where DefaultServlet has readonly set to false.
Read post
HTB: Reaper — XXE SSRF to Shadow Credentials to SYSTEM
XXE in a corporate document portal coerces NTLM authentication from the IIS service account, leaking a crackable Net-NTLMv2 hash for initial foothold. BloodHound reveals GenericWrite over a Domain Admin user — a Shadow Credentials attack writes a key credential to the target, PKINIT retrieves the NT hash, and DCSync yields every domain credential.
Read post
CVE-2026-41203: Next.js Middleware Authentication Bypass via Internal Header Injection
An internal Next.js routing header (x-invoke-path) is not stripped from external requests, allowing unauthenticated clients to skip the entire middleware chain and access any protected route or API endpoint. Affects every self-hosted Next.js 13–15 application that relies on middleware.ts for authentication. CVSS 9.1.
Read post
CVE-2026-40891: VMware vCenter Server Pre-Auth File Upload RCE
A missing authentication check on the vROPS plugin upload servlet allows any unauthenticated attacker to upload a JSP webshell to the vCenter web root and execute commands as the vsphere-ui service account. Actively exploited in the wild. CVSS 9.8.
Read post
HTB: Fluffy — ADCS ESC4 to Domain Admin via Certificate Template Write
SQL injection on an internal HR portal yields a low-privilege domain account. That account holds WriteProperty over an ADCS certificate template — ESC4. Modify the template to enable enrollee-supplied SAN, enroll a certificate for Administrator, authenticate via PKINIT, and extract the NT hash to achieve SYSTEM.
Read post
CVE-2026-39801: Fortinet FortiGate SSL-VPN Pre-Auth RCE via OOB Write
A heap out-of-bounds write in FortiGate's SSL-VPN portal request parser allows unauthenticated code execution on the firewall appliance. Actively exploited in the wild for credential harvesting, config exfiltration, and lateral movement into protected networks. CVSS 9.8.
Read post
CVE-2026-38112: Erlang/OTP SSH Pre-Auth RCE via Protocol Layer Confusion
Erlang's SSH daemon processes connection-layer messages before authentication completes. An attacker who completes key exchange can open a channel and execute arbitrary commands without supplying any credentials. Affects RabbitMQ, ejabberd, CouchDB, and any Elixir/Erlang application embedding an SSH server. CVSS 10.0.
Read post
HTB: Spectre — SAML Assertion Forgery to SYSTEM via Constrained Delegation
XML Signature Wrapping against a python3-saml SSO portal to authenticate as administrator, then S4U2Self + S4U2Proxy via a service account's constrained delegation rights to obtain a Kerberos ticket for Administrator on the domain controller and achieve SYSTEM.
Read post
CVE-2026-36540: GitLab CE/EE SSRF to RCE via Sidekiq Redis Injection
A Grape router trailing-slash bypass lets unauthenticated attackers trigger GitLab's webhook test handler, causing the server to issue HTTP requests to internal services. Cross-protocol smuggling against the unauthenticated Redis instance injects a Sidekiq job that executes arbitrary commands as the git user on every GitLab 17.x installation up to 17.11.1.
Read post
CVE-2026-36128: Veeam Backup & Replication Pre-Auth Deserialization RCE
BinaryFormatter deserialization on an unauthenticated WCF endpoint in Veeam B&R's internal API service (TCP 9401) allows any attacker on the network to achieve SYSTEM-level code execution without credentials. Actively exploited by ransomware operators to destroy backups before payload deployment.
Read post
CVE-2026-33825: Windows Defender "BlueHammer" LPE to SYSTEM
A TOCTOU race in Windows Defender's threat remediation engine lets unprivileged users redirect Defender's privileged file operations via NTFS junctions paused on oplocks — turning the antivirus itself into an exploit primitive that yields arbitrary read of the SAM database and SYSTEM privileges. Leaked zero-day, weaponised PoC within days, CISA KEV deadline 6 May.
Read post
CVE-2023-27351: PaperCut NG/MF Auth Bypass — 3 Years On, Into CISA KEV
A flaw in PaperCut's SecurityRequestFilter class lets unauthenticated attackers bypass the login check on the management interface — extracting user records, payment card data and hashed passwords from the print management server. Added to CISA KEV on 20 April 2026 following a fresh wave of exploitation against orgs that patched the 2023 RCE but left the information-disclosure bug unfixed.
Read post
CVE-2025-32975: Quest KACE SMA SSO Auth Bypass — Admin Takeover
A flaw in Quest KACE Systems Management Appliance's SSO handler lets any unauthenticated attacker impersonate arbitrary users — including admin — with no credentials. CVSS 10.0, in-the-wild exploitation confirmed from March 2026, post-exploitation includes fleet-wide command execution via KPluginRunProcess and Mimikatz deployment. CISA KEV April 20.
Read post
CVE-2026-34197: Apache ActiveMQ Jolokia RCE — 13 Years in the Wild
A 13-year-old flaw in Apache ActiveMQ's Jolokia HTTP-to-JMX bridge lets attackers force the broker to fetch and instantiate a remote Spring XML config — arbitrary code execution in the broker JVM. Default admin:admin credentials make it trivially exploitable; 6,400 vulnerable instances remain internet-exposed. CVSS 8.8, CISA KEV April 30 deadline.
Read post
CVE-2026-34621: Adobe Acrobat Reader Prototype Pollution Zero-Day
Simply opening a malicious PDF is enough — embedded JavaScript exploits prototype pollution in the Acrobat Reader JS engine to achieve arbitrary code execution, with in-the-wild exploitation confirmed since December 2025. CVSS 8.6, CISA KEV deadline 27 April 2026. Emergency patch APSB26-43 available now.
Read post
CVE-2026-20122/20128/20133: Cisco SD-WAN Manager CISA KEV Trio
Three Cisco Catalyst SD-WAN Manager flaws added to CISA KEV on April 20, 2026, with a 72-hour federal deadline — improper API access control (CVSS 8.8), passwords stored in recoverable format (CVSS 7.5), and unauthenticated information disclosure (CVSS 6.5). Chained together they go from a single low-privilege credential to full fabric control and plaintext integration secrets.
Read post
CVE-2026-33824: Windows IKE Double-Free RCE
A double-free in Windows IKEv2 packet processing gives unauthenticated attackers SYSTEM over UDP 500/4500 — no credentials, no user interaction. Exploited as a zero-day by threat group BlueHammer before the April 2026 Patch Tuesday fix, with a confirmed exploit chain bypassing CFG and CET via heap grooming and ROP. CVSS 9.8.
Read post
CVE-2026-4634 & CVE-2026-4636: Keycloak DoS and UMA Policy Bypass
Two high-severity flaws patched in Keycloak 26.5.7 — an unauthenticated denial of service against the OIDC token endpoint via an oversized scope parameter, and an authorisation bypass that lets any authenticated user inject access policies onto resources owned by other users. Both are exploitable in default Keycloak deployments.
Read post
CVE-2026-33634: Trivy Supply Chain Attack — From Scanner to Stealer
Threat group TeamPCP used compromised Aqua Security credentials to push malware into Trivy — the most widely-used cloud-native security scanner — trojanising 76 GitHub Actions tags and DockerHub images. Every CI/CD pipeline that ran Trivy between 19 and 22 March silently exfiltrated AWS keys, Kubernetes tokens, and SSH keys while appearing to scan normally. CVSS 9.4, added to CISA KEV.
Read post
CVE-2026-33032: nginx-ui "MCPwn" — Unauthenticated Full Server Takeover
A missing authentication check on nginx-ui's MCP endpoint lets any remote attacker take complete control of the Nginx service in two HTTP requests — rewriting configs, redirecting traffic, and stealing credentials. CVSS 9.8, actively exploited against ~2,700 internet-exposed instances, fixed by adding a single line of middleware in version 2.3.4.
Read post
CVE-2026-32201: SharePoint Server Zero-Day Spoofing — April Patch Tuesday
The headline zero-day in Microsoft's record-breaking April 2026 Patch Tuesday (167 CVEs). Unauthenticated spoofing via improper input validation in on-premises SharePoint Server — exploited in the wild before the fix existed, added to CISA KEV with a 14-day remediation deadline. Affects SharePoint 2016, 2019 and Subscription Edition.
Read post
CVE-2026-35616: FortiClient EMS Pre-Auth API Bypass
A trusted-proxy header spoofing flaw in Fortinet's endpoint management control plane — unauthenticated attackers could inject X-SSL-CLIENT-VERIFY headers to sidestep all API authentication, leading to privilege escalation and command execution. Added to CISA KEV within days of disclosure.
Read post
CVE-2026-33017: Langflow Unauthenticated RCE via Code Injection
A public flow build endpoint in Langflow accepted attacker-controlled Python code and passed it directly to exec() with no sandboxing — achieving unauthenticated RCE with a single curl command. Exploited in the wild within 20 hours of disclosure, affecting all versions up to 1.8.1.
Read post
CVE-2025-53770: SharePoint "ToolShell" Unauthenticated RCE
A chained exploit combining an authentication bypass via a forged Referer header with a file-write and MachineKey extraction to achieve fully unauthenticated RCE on on-premises SharePoint Server. Automated exploitation at scale within days of PoC release — CVSS 9.8.
Read post
// HackTheBox Writeups
HTB: Strutted — CVE-2024-53677 Path Traversal to Root via tcpdump
A real-world Apache Struts path traversal (CVE-2024-53677) in the file upload action lets me drop a JSP webshell into Tomcat for a shell as tomcat. Plaintext credentials in tomcat-users.xml pivot to james, and a sudo rule on tcpdump is abused via the -z postrotate flag to drop a SUID bash copy — root in three stages, each a genuine enterprise-realistic misconfiguration.
Read post
HTB: Cypher — Neo4j Cypher Injection to Root via BBOT
Error-based Cypher injection in the login API chains into a custom APOC procedure with OS command injection for a shell as neo4j. Credentials in a bash history file pivot to graphasm, who holds a NOPASSWD sudo rule for the BBOT OSINT framework — a malicious Python module loaded at runtime closes out root.
Read post
HTB: Eighteen — MSSQL Impersonation to Domain Admin via BadSuccessor
MSSQL EXECUTE AS LOGIN impersonation exposes a PBKDF2 hash that cracks to a password reused over WinRM, landing a shell as svc_eighteen. Privilege escalation abuses BadSuccessor — the newly disclosed dMSA migration technique — setting msDS-ManagedAccountPrecededByLink to point at Administrator and obtaining a PAC-laden ticket without any KDC verification.
Read post
HTB: Browsed — Chrome Extension SSRF to Root via pycache Poisoning
A malicious Chrome extension uploaded to a headless browser testing service uses its background service worker to SSRF an internal Flask app. Bash arithmetic expansion injection via the a[$(cmd)] pattern gives a shell as larry, then a world-writable __pycache__ directory lets us plant a poisoned .pyc file imported by a sudo-privileged Python script for root.
Read post
HTB: Expressway — IKE PSK Cracking to Root via sudo Hostname Edge Case
IKEv1 aggressive mode leaks the gateway's pre-shared key hash without completing authentication — hashcat mode 5400 cracks it in minutes and the PSK is reused as the SSH password. A sudo rule permitting -h <hostname> -i escalates to root by adding the target hostname to /etc/hosts pointing at localhost, causing sudo to execute the root login shell locally.
Read post
HTB: Snapped — Nginx UI Backup Disclosure to Root via snapd Race
Two real CVEs chained end-to-end. CVE-2026-27944 exposes an unauthenticated Nginx UI backup endpoint that leaks an AES decryption key in the response header and a SQLite database with a crackable admin hash — giving a shell via the admin panel. CVE-2026-3888 then exploits a TOCTOU race in snapd's snap-confine to poison the dynamic linker and land root.
Read post
HTB: Conversor — XSLT Injection to Root
XSLT injection in a file conversion web app leveraged to write a Python script into a cron-watched directory — achieving code execution as www-data. Credentials in the app config led to lateral movement, then needrestart CVE-2024-48990 with a NOPASSWD sudo rule closed out root.
Read post
HTB: Dog — Exposed Git Repo to Root via BackdropCMS
An accessible .git directory on a web server exposed database credentials and user emails in the commit history. Credential reuse unlocked the BackdropCMS admin panel, where an authenticated RCE module install gave a shell — and a NOPASSWD sudo rule on the Backdrop CLI bee wrapped up root.
Read post
HTB: NanoCorp — CVE-2025-24071 NTLM Coerce to Domain Admin
A malicious .library-ms file inside a ZIP upload weaponised CVE-2025-24071 to coerce NTLMv2 from a service account with zero interaction. Three chained AD DACL misconfigurations — AddSelf, ForceChangePassword, PSRemoting — walked the chain to the DC. Checkmk CVE-2024-0670 via MSI repair abuse closed out SYSTEM.
Read post
HTB: Voleur — Kerberoasting, WriteSPN & DPAPI in a Kerberos-Only AD
An assumed breach Windows environment with NTLM disabled. An Excel hash cracked off an SMB share gave context, WriteSPN rights enabled targeted Kerberoasting on a service account for lateral movement, then a DPAPI-protected credential blob decrypted to reveal domain admin credentials.
Read post
HTB: Nocturnal — IDOR, Command Injection & ISPConfig RCE
IDOR in a PHP file storage app exposed other users' uploaded files and leaked valid usernames. A command injection vulnerability in the file processing function gave a shell as www-data, SQLite hash cracking moved us to tobias, and ISPConfig CVE-2023-46818 handed over root.
Read post