
depthfirst
54 posts

@depthfirstlabs
Autonomous Security From Design To Production

Still "Lab", but working fully remotely without any hardcoded offsets, bypassing ASLR on standard Ubuntu + Nginx deployment via an LFI primitive. There's still lots of room for improvement but I'm already out of tea and who cares? Just patch.

🚨 UPDATE: 19 MILLION exposed NGINX instances hit by the 18-year-old NGINX RCE found by AI. Top exposure by country:
- United States: 5,340,011
- China: 2,540,008
- Germany: 1,871,780
Note on ASLR as added security: not all of these instances will have ASLR disabled, but every one of them is running a version inside the vulnerable band. The vulnerability is a heap buffer overflow. ASLR randomizes memory layout, which makes reliable RCE much harder because the attacker cannot predict where their payload or useful gadgets land. But the overflow itself still happens. The corrupted memory still causes the NGINX worker process to crash. ASLR-enabled hosts are still trivially DoS-able. ASLR-disabled or non-PIE builds are RCE-able. Either way, patch ASAP!

NGINX rift: We autonomously discovered this 18-year-old heap overflow (CVE-2026-42945) in @nginx impacting versions 0.6.27 to 1.30.0. If you use the rewrite and set directives, you may be impacted! Please update your NGINX or change the config to mitigate it. Read more at depthfirst.com/nginx-rift
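The two posts above give a defender three things to check on a host: whether the installed nginx falls inside the 0.6.27 to 1.30.0 band, whether the config uses `set` / `rewrite` directives, and whether the worker binary is PIE with full ASLR (which, per the post, turns the bug from RCE into a worker crash rather than removing it). The script below is an added triage helper written for this page, not code from depthfirst or the nginx project. It assumes the quoted band is inclusive on both ends, treats any `set` or `rewrite` directive as a possible trigger because the posts do not describe the exact configuration that reaches the bug, and runs on constructed sample inputs (a fake `nginx -v` line, a small config, a fake ELF header) so it works offline.

```python
"""
Host-side triage for the NGINX heap-overflow advisory in the posts above.
Added example, not depthfirst's or the nginx project's code.
Assumptions: the band 0.6.27..1.30.0 is inclusive; any `set` or `rewrite`
directive is treated as a possible trigger (exact trigger not on the page).
"""
import re
import struct

VULN_LOW = (0, 6, 27)    # band start quoted in the post
VULN_HIGH = (1, 30, 0)   # band end quoted in the post (assumed inclusive)
FIXED_IN = ((1, 30, 1), (1, 31, 0))


def parse_version(text):
    """Pull (major, minor, patch) out of `nginx -v` output, e.g. 'nginx version: nginx/1.30.0'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version string in %r" % text)
    return tuple(int(x) for x in m.groups())


def in_vulnerable_band(version):
    """True when the version tuple falls inside the advisory's band."""
    return VULN_LOW <= version <= VULN_HIGH


def find_rewrite_and_set(config_text):
    """Scan `nginx -T` output for `set` / `rewrite` directives, ignoring # comments.

    Returns a list of (line_number, directive, stripped_line)."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()   # drop trailing comments
        m = re.match(r"(set|rewrite)\s", stripped)
        if m:
            hits.append((n, m.group(1), stripped))
    return hits


def elf_header_is_pie(header):
    """Decode e_type from the first 18 bytes of an ELF file; ET_DYN (3) means a PIE executable."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    endian = "<" if header[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return e_type == 3


def binary_is_pie(path):
    """Read the header of an on-disk binary (e.g. /usr/sbin/nginx) and classify it."""
    with open(path, "rb") as f:
        return elf_header_is_pie(f.read(18))


def aslr_is_full(sysctl_text):
    """Contents of /proc/sys/kernel/randomize_va_space: 2 = full ASLR, 1 = partial, 0 = off."""
    return sysctl_text.strip() == "2"


def triage(version_text, config_text, pie, aslr_full):
    """Combine the three checks into one verdict dict (wording mirrors the post's reasoning)."""
    version = parse_version(version_text)
    hits = find_rewrite_and_set(config_text)
    vulnerable = in_vulnerable_band(version)
    if not vulnerable:
        verdict = "outside vulnerable band"
    elif not hits:
        verdict = "vulnerable version, no set/rewrite seen: patch anyway"
    elif pie and aslr_full:
        verdict = "exposed: PIE + full ASLR makes RCE harder, worker crash (DoS) still reachable: patch now"
    else:
        verdict = "exposed: non-PIE binary or ASLR not full, treat as RCE-able: patch now"
    return {"version": version, "vulnerable_band": vulnerable, "directives": hits,
            "pie": pie, "aslr_full": aslr_full, "verdict": verdict}


# Constructed sample inputs so the script runs offline. On a real host feed it
# `nginx -v 2>&1`, `nginx -T`, binary_is_pie("/usr/sbin/nginx") and the sysctl file.
SAMPLE_VERSION = "nginx version: nginx/1.30.0"
SAMPLE_CONFIG = """\
http {
    server {
        listen 80;
        set $backend "app";   # constructed
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1 permanent;
        }
    }
}
"""
# Minimal fake little-endian ELF64 header with e_type = ET_DYN (3).
SAMPLE_PIE_HEADER = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<H", 3)

if __name__ == "__main__":
    result = triage(SAMPLE_VERSION, SAMPLE_CONFIG,
                    pie=elf_header_is_pie(SAMPLE_PIE_HEADER), aslr_full=aslr_is_full("2\n"))
    for key, value in result.items():
        print(key, ":", value)
```

`nginx -v` prints its version line to stderr, so capture it with `2>&1`; `nginx -T` dumps the fully resolved configuration, which is what you want to scan rather than the top-level file alone. The PIE/ASLR result only changes the verdict text, never whether you patch: a non-vulnerable version is the only outcome that clears the host.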

Today we're launching the Open Defense Initiative: up to $5 million in @depthfirstlabs credits for critical open source projects to find and fix real, exploitable vulnerabilities. The timing matters: frontier models can autonomously discover and exploit vulnerabilities in widely-reviewed codebases. Open source models will catch up soon, and when they do, bad actors will have unfiltered access to these capabilities. We have a narrow window to harden critical software before that happens. This is the time to act, but until today frontier-level security, like what Mythos offers, has been reserved for a handful of large companies who are required to pay a lot for access. depthfirst is not only comparable in performance but also goes significantly beyond surface-level findings, highlighting real, exploitable vulnerabilities due to its understanding of the system's context and ability to verify like an attacker would. depthfirst found vulnerabilities in FFmpeg that Mythos missed, at a tenth of Anthropic's self-reported spend. We want every defender to have these capabilities, starting with the open source projects the world runs on. If you maintain a critical open source project, apply for Open Defense credits through the form in the comments.

@depthfirstlabs found a critical vulnerability in @nginx leading to RCE (CVE-2026-42945, CVSS 9.2). We recommend patching to 1.30.1 or 1.31.0 as soon as possible. Securing the world's software is depthfirst's mission, and NGINX is one of the most widely deployed web servers in the world.

Thank you @johncoogan and @jordihays at @tbpn for hosting our CEO and co-founder @quantumcastaway to talk about depthfirst and discuss the importance of cybersecurity in the age of AI.

depthfirst has raised an $80M Series B at a $580M valuation. Attackers are using AI to break into systems faster than ever before. depthfirst is on a mission to stop this. RT + Comment “depthfirst” and I’ll send you a FREE vibe coding security agent.

Our agent autonomously found this kernel 0day and its exploit works on the #KCTF target. We are building to find vulnerabilities systematically, not just shadow bugs. See the quoted post below—comment "depthfirst" and we'll send you a free agent to try out.