dbugs

355 posts

@ptdbugs

Vulnerabilities’ home

Joined July 2025
3 Following, 798 Followers
Pinned Tweet
dbugs@ptdbugs·
1/4 dbugs LIVE
dbugs.ptsecurity.com — vulnerabilities’ home
See trends, discover more, read AI summaries, have all references at hand, and your profile with all your CVEs and CVSS score on a leaderboard.
⬇️ See thread: what’s live + what’s next ⬇️
dbugs@ptdbugs·
Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.
CVE: CVE-2026-31431
PT ID: PT-2026-34274
Vendor: Linux
Product: Linux
CVSS: 7.8
Credits: n/a
Description: In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place. This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algif_aead since the source and destination come from different mappings. Get rid of all the complexity added for in-place operation and just copy the AD directly.
References:
• dbugs.ptsecurity.com/vulnerability/…
• git.kernel.org/stable/c/fafe0…
• git.kernel.org/stable/c/ce42e…
• git.kernel.org/stable/c/a664b…
• xint.io/blog/copy-fail…
#dbugs_vuln
dbugs@ptdbugs·
Sale of a 0-day exploit for cPanel, a web-based hosting control panel
For informational purposes only.
Vulnerability type: Information Disclosure
Price: $1,000
The seller claims that the exploit can be used to obtain data related to website access via cPanel, including the website URL, username, and password. The issue is said to affect 13,522 cPanel servers across 94 countries -> (pastebin.com/9BNFdTxv), including the United States and EU member states.
cPanel -> (cpanel.net) is a popular commercial web-based hosting control panel used by hosting providers, VPS owners, and website administrators to manage server infrastructure through a browser. It allows users to configure domains and subdomains, email accounts, databases, FTP accounts, SSL certificates, website files, and backups. According to 2026 data -> (webpros.com/navigating-the…) from WebPros International LLC and CloudLinux, cPanel accounts for 64% of the global market.
#dbugs_darkweb
dbugs@ptdbugs·
🆕 Graph-Based Analysis of FreeIPA with IPAHound
The article published by the PT SWARM team explores the use of a graph-based model for analyzing FreeIPA infrastructures. Instead of sequentially examining accounts, roles, and configurations, the approach focuses on building a graph of relationships between entities: users, groups, services, policies, and certificates.
The IPAHound -> (github.com/IPAHound/IPAHo…) tool collects data via LDAP and constructs a clear structure of these relationships, enabling the identification of complex privilege escalation chains and lateral movement paths caused by misconfigurations and excessive permissions.
The practical value of the article lies in demonstrating a shift from analyzing individual elements to analyzing their interactions. This approach simplifies the detection of vulnerable configurations that are difficult to identify through traditional review of permission lists and settings.
📎 Article: swarm.ptsecurity.com/thinking-in-gr…
#dbugs_attacks
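The graph approach described in the post above can be tried on a toy dataset. The Go program below is an added example written for this page; it is not IPAHound's code and does not talk to LDAP. It loads a constructed, hypothetical set of FreeIPA-style relationships (the entity names, the relationship labels and the unscoped password-reset permission are all assumptions made for illustration) and runs a breadth-first search from a low-privilege user to the admins group, which is the same question a graph query answers over real collector output.

```go
package main

import (
	"fmt"
	"strings"
)

// Edge is one directed relationship between two FreeIPA-style entities.
// Node names carry a type prefix ("user:", "group:", "role:", ...) so the
// same label can exist in different object classes without colliding.
type Edge struct {
	From, Rel, To string
}

// Graph is an adjacency list over Edge values.
type Graph struct {
	adj map[string][]Edge
}

// NewGraph builds the adjacency list from a flat edge list.
func NewGraph(edges []Edge) *Graph {
	g := &Graph{adj: make(map[string][]Edge)}
	for _, e := range edges {
		g.adj[e.From] = append(g.adj[e.From], e)
	}
	return g
}

// ShortestPath runs a breadth-first search from src and returns the shortest
// chain of edges reaching dst, or nil when dst is unreachable.
func (g *Graph) ShortestPath(src, dst string) []Edge {
	if src == dst {
		return []Edge{}
	}
	parent := map[string]Edge{} // node -> edge we arrived on
	visited := map[string]bool{src: true}
	queue := []string{src}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, e := range g.adj[cur] {
			if visited[e.To] {
				continue
			}
			visited[e.To] = true
			parent[e.To] = e
			if e.To == dst {
				var path []Edge // walk parents back to src
				for n := dst; n != src; n = parent[n].From {
					path = append([]Edge{parent[n]}, path...)
				}
				return path
			}
			queue = append(queue, e.To)
		}
	}
	return nil
}

// FormatPath renders a path as "a -[rel]-> b -[rel]-> c".
func FormatPath(path []Edge) string {
	if len(path) == 0 {
		return ""
	}
	var b strings.Builder
	b.WriteString(path[0].From)
	for _, e := range path {
		fmt.Fprintf(&b, " -[%s]-> %s", e.Rel, e.To)
	}
	return b.String()
}

// SampleGraph is a constructed, hypothetical dataset (not real IPAHound
// output). A help-desk password-reset permission is not scoped to exclude
// privileged accounts, which turns a nested group membership into a path
// to the admins group.
func SampleGraph() *Graph {
	return NewGraph([]Edge{
		{"user:jdoe", "MemberOf", "group:it-staff"},
		{"group:it-staff", "MemberOf", "group:helpdesk"}, // nested group
		{"group:helpdesk", "HasRole", "role:Help Desk"},
		{"role:Help Desk", "HasPrivilege", "privilege:Modify Users and Reset passwords"},
		{"privilege:Modify Users and Reset passwords", "HasPermission", "permission:System: Change User password"},
		{"permission:System: Change User password", "CanResetPasswordOf", "user:admin"}, // unscoped
		{"user:admin", "MemberOf", "group:admins"},
		{"user:svc-web", "MemberOf", "group:web-servers"},
	})
}

func main() {
	g := SampleGraph()
	for _, u := range []string{"user:jdoe", "user:svc-web"} {
		if p := g.ShortestPath(u, "group:admins"); p != nil {
			fmt.Printf("%s reaches group:admins in %d hops:\n  %s\n", u, len(p), FormatPath(p))
		} else {
			fmt.Printf("%s: no path to group:admins\n", u)
		}
	}
}
```

Run with go run: it prints the seven-hop chain for user:jdoe and no path for user:svc-web. Each fact on its own looks harmless in a permission listing; only the walk across group nesting, role, privilege and permission shows that a help-desk member can reset the admin password.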
dbugs reposted
PT SWARM@ptswarm·
🧑‍🚒 Our researcher Mikhail Sukhov shares his knowledge and experience in analyzing FreeIPA environments. He also introduces his new tool, IPAHound 💪 Go ’n see the details ➡️ swarm.ptsecurity.com/thinking-in-gr…
dbugs@ptdbugs·
📊 Industrial Automation Threat Landscape in Asia: Q4 2025
Researchers from Kaspersky ICS CERT released -> (ics-cert.kaspersky.com/publications/r…) a report analyzing threats targeting industrial control systems (ICS) across Asia in Q4 2025. The study is based on telemetry from security solutions and covers South, Southeast, East, and Central Asia, as well as the Caucasus. It highlights prevalent attack vectors, threat activity, and regional exposure patterns.
Key Findings
🔍 ICS environments across the region continued to experience sustained malicious activity, underscoring persistent exposure of industrial infrastructure.
🌐 Primary infection vectors remain the internet, email, removable media, and network shares. While the internet serves as the dominant initial access channel, network resources are frequently leveraged for internal propagation and lateral movement.
🦠 Observed threats are dominated by phishing, malicious scripts, and downloaders commonly used in early-stage intrusion chains.
📎 Multiple cases were identified involving malicious files masquerading as engineering documents (e.g., AutoCAD-related files), used as delivery mechanisms via web and email channels.
🔗 Web-based threats account for a significant share of detections, with ICS users frequently exposed to malicious content through online resources.
Regional Breakdown
🔻 South Asia
Web-based threats and phishing remain dominant. Removable media and shared network folders are also widely used for secondary propagation of malicious activity within environments.
🔻 Southeast Asia
Multiple concurrent threat categories were observed, including malicious scripts, downloaders, self-propagating threats, and web-based cryptominers. The region also ranks among the highest globally for blocked malicious web resources and attacks delivered via engineering-related files.
👉 Vietnam stands out, with up to 4.72% of ICS systems exposed to malicious web resources — among the highest rates in the region.
🔻 East Asia
Spyware remains the most prevalent threat category in ICS environments, indicating frequent success of initial access vectors such as phishing, malicious attachments, and removable media. Continued activity is also observed via USB devices and shared network folders, suggesting weak OT perimeter controls.
🔻 Central Asia & South Caucasus
Key risks are associated with removable media and software execution in ICS environments. USB-based propagation of worms, spyware, and Windows miners remains widespread. The region also ranks among the global leaders for ransomware activity delivered via internet, email, and removable media.
ICS environments across Asia continue to converge with external networks, significantly expanding the attack surface and increasing the number of viable entry points. Initial access continues to be driven by internet-based vectors, email phishing, and user-enabled execution paths, while internal spread is primarily facilitated through removable media and network shares.
Regional variation indicates that threat exposure is strongly correlated with OT security maturity and overall digitalization level. Despite differences in intensity and composition, commodity intrusion techniques — phishing, malicious scripts, and downloader-based chains — remain consistently effective across the industrial threat landscape.
#dbugs_analytics
dbugs@ptdbugs·
🔒 Microsoft brings passkeys to Windows via Entra
Microsoft continues its shift toward passwordless authentication by introducing -> (learn.microsoft.com/en-us/entra/id…) passkey support for Microsoft Entra on Windows devices.
"Microsoft Entra is a cloud-based identity and access management platform, formerly known as Azure AD, used to control access to corporate and cloud services."
⚙️ How it works
Authentication is performed through Windows Hello, which acts as a local identity verification factor. During registration, a cryptographic key pair is generated using the FIDO2 -> (microsoft.com/en-us/security…) standard. The private key is stored on the device in secure hardware, such as a Trusted Platform Module (TPM), while the public key is sent to the service.
When signing in, the user confirms their identity via Windows Hello using facial recognition, a fingerprint, or a PIN. The system then unlocks the private key locally, which is used to cryptographically sign the authentication request. The key itself is never transmitted.
❓ Why Microsoft is moving away from passwords
Attackers can steal passwords through phishing and data breaches and reuse them across different services. Passkeys address this by binding credentials to a specific device, validating the domain, and eliminating shared secrets. This makes them resistant to AiTM attacks and most modern account compromise techniques. Even if an attacker intercepts traffic, they cannot reproduce the authentication without access to the user’s device and biometric verification.
#dbugs_tech
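To make the mechanism in the post above concrete, here is an added Go example; it is not Microsoft's code, and it is a simplified WebAuthn-style ceremony rather than the Entra flow itself. The relying-party name login.example, both origins, and the single-credential authenticator are assumptions made for illustration. It generates an ECDSA P-256 key pair that stays inside the simulated authenticator (only the public key goes to the server), signs a server challenge together with the browser's origin and the rpID hash, and shows why a relayed challenge signed from a phishing origin, or a replayed assertion, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical relying party and origins used only in this example.
const (
	rpID       = "login.example"
	goodOrigin = "https://login.example"
	evilOrigin = "https://login-example.evil" // attacker-in-the-middle proxy page
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not the
// user or the server, fills in Origin with the page it is actually on.
type clientData struct{ Type, Challenge, Origin string }

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator stands in for Windows Hello backed by a TPM: the private key
// never leaves it, callers only get signatures. Server holds the public key.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
type Server struct {
	pub        *ecdsa.PublicKey
	challenges map[string]bool
}

// signedMessage is what WebAuthn signs: sha256(authData || sha256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign runs after local user verification (PIN/biometric, assumed done). The
// challenge is signed together with the browser's origin, which defeats relays.
func (a *Authenticator) Sign(rp, browserOrigin, challenge string) (Assertion, error) {
	priv, ok := a.keys[rp]
	if !ok {
		return Assertion{}, errors.New("no credential for this rpID")
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	rpHash := sha256.Sum256([]byte(rp))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return Assertion{authData, cd, sig}, err
}

// NewChallenge issues a fresh random nonce and remembers it as outstanding.
func (s *Server) NewChallenge() string {
	buf := make([]byte, 32)
	rand.Read(buf)
	c := base64.RawURLEncoding.EncodeToString(buf)
	s.challenges[c] = true
	return c
}

// Verify: single-use challenge, expected origin, rpID hash, valid signature.
func (s *Server) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !s.challenges[cd.Challenge] {
		return errors.New("wrong ceremony type or unknown/replayed challenge")
	}
	if cd.Origin != goodOrigin {
		return fmt.Errorf("origin %q does not match %q", cd.Origin, goodOrigin)
	}
	if want := sha256.Sum256([]byte(rpID)); len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(s.pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	delete(s.challenges, cd.Challenge) // consume it so the assertion cannot be replayed
	return nil
}

// Scenario: registration, a legitimate login, a replay, and an AiTM relay.
func Scenario() (legit, replay, phished bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key pair born on-device
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{rpID: priv}}
	srv := &Server{pub: &priv.PublicKey, challenges: map[string]bool{}} // only the public key leaves
	as, _ := auth.Sign(rpID, goodOrigin, srv.NewChallenge())
	legit = srv.Verify(as) == nil
	replay = srv.Verify(as) == nil
	as2, _ := auth.Sign(rpID, evilOrigin, srv.NewChallenge()) // real challenge relayed by the proxy
	phished = srv.Verify(as2) == nil
	return
}

func main() {
	l, r, p := Scenario()
	fmt.Printf("legitimate login: %v\nreplayed assertion: %v\nAiTM relay: %v\n", l, r, p)
}
```

In a real browser the domain check fires even earlier: the client refuses to use a credential whose rpID is not a registrable suffix of the page's origin, so the phishing page never obtains a signature at all; the server-side origin check shown here is the second line of defence. The private key is only ever used inside Sign, which is the property the post summarises as "the key itself is never transmitted".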
dbugs@ptdbugs·
🔄 MITRE has released the scheduled ATT&CK Matrix v19 update.
It’s a major release that significantly reshapes the familiar Enterprise matrix. The headline change is the long-awaited split of the Defense Evasion tactic. Defense Evasion has been divided into two tactics and then deprecated.
1. Stealth (TA0005) — behavior where an attacker hides and attempts to blend malicious activity into “normal” operations. Security tools keep running but fail to detect the threat.
2. Defense Impairment (TA0112) — behavior aimed at disrupting security mechanisms: disabling, shutting down, altering or deleting logs, modifying logging processes, impacting MFA, and so on.
The split is based on attacker intent. Some techniques appear in both tactics since real-world actions aren’t always clear-cut.
The most visible structural change is “T1562: Impair Defenses revoked.” T1562, T1562.001, and T1562.006 have been merged into a new parent technique, T1685: Disable or Modify Tools, while the remaining sub-techniques have been reassigned new IDs. To assist migration, MITRE published a crosswalk in JSON -> (attack.mitre.org/docs/subtechni…) and CSV -> (attack.mitre.org/docs/subtechni…).
AI and Social Engineering
New techniques have been added to reflect current realities:
T1682: Query Public AI Services — using public AI services for reconnaissance and attack planning.
T1683: Generate Content with sub-techniques “Written Content” and “Audio-Visual Content” — content generation (manually, via intermediaries, or with AI assistance).
T1684: Social Engineering — a new parent technique covering manipulation through any communication channel (email, voice, helpdesk, messengers). Impersonation and Email Spoofing are now its sub-techniques.
MITRE’s approach focuses on behavior rather than specific tools. AI makes attacks faster and cheaper, but the underlying actions remain the same.
Other Domains
ICS — sub-techniques have finally arrived. Five parent techniques were restructured: Modify Firmware, Block Communications, Remote System Discovery, Program Download, and the new Insecure Credentials.
Mobile — Detection Strategies are now included here as well. Each strategy is vendor-agnostic, with separate analytics for Android and iOS.
Release: attack.mitre.org/resources/upda…
Changelog: attack.mitre.org/docs/changelog…
New Version: attack.mitre.org
#dbugs_analytics
dbugs@ptdbugs·
🔼 PhantomRPC: A New Windows RPC Vulnerability Enables Privilege Escalation
The PhantomRPC technique is related to architectural characteristics of the Microsoft Windows RPC (Remote Procedure Call) mechanism. The core issue is that an attacker can deploy a rogue RPC server that intercepts requests from the system or services while impersonating a legitimate component. By exploiting the impersonation mechanism, an attacker with limited privileges can escalate them to the SYSTEM level.
The vulnerability is not tied to any single specific component and may potentially affect multiple versions of Windows.
📎 Article: securelist.com/phantomrpc-rpc…
#dbugs_attacks
dbugs@ptdbugs·
🇰🇵 Inside the ecosystem of North Korea’s fake developers
Back in 2024, it became known -> (microsoft.com/en-us/security…) that North Korean IT specialists were getting jobs at companies worldwide (in the U.S., China, Russia, and elsewhere) under fake identities — both for cyber‑espionage and to funnel earnings back home. A new investigation -> (group-ib.com/blog/dprk-fake…) by Group‑IB shows this isn’t a set of isolated actors but rather a fully developed operational ecosystem.
✍️ The same GitHub repositories, email addresses, portfolios, and résumés were reused for multiple “candidates”. Such pre‑made templates let operators scale the creation and management of fake identities.
✍️ Analysts also uncovered a centralized support infrastructure for the hiring process: prewritten job‑application responses, employer reply templates, and interview guides. AI was part of the toolkit as well: ChatGPT was used to make answers in English sound more natural.
✍️ Investigators also identified connections to previous attempts to buy verified Upwork accounts (a freelance platform) in 2021. The attackers’ materials also mentioned other legitimate platforms such as LinkedIn and Freelancer. Using well‑known platforms increases trust in these “candidates” and boosts their chances of being hired.
The shift to remote work — without revisiting hiring procedures — greatly contributed to the spread of this scheme. It shows that initial access to corporate infrastructure isn’t always gained through exploiting vulnerabilities or phishing; it can also come via seemingly legitimate means. In this context, it’s crucial to raise threat awareness not only among technical staff but also within HR teams interacting with applicants.
#dbugs_analytics
dbugs@ptdbugs·
Sale of an Exploit Kit for Polymarket -> (polymarket.com)
For informational purposes only.
According to the seller, the exploit kit allows you to:
• collect information about Polymarket’s architecture
• identify known vulnerabilities in Polymarket’s web infrastructure
#dbugs_darkweb
dbugs@ptdbugs·
🧩 MCPwned — a Burp Suite extension for testing Model Context Protocol servers
The extension is designed to examine servers implementing the Model Context Protocol (MCP) standard — a mechanism that enables LLM agents to interact with external systems. MCPwned integrates into Burp Suite and allows analysts to inspect HTTP traffic between MCP clients and servers, identifying protocol implementation flaws.
Features:
📍 Analyze and test MCP servers directly through the Burp Suite interface.
📍 Automatically detect MCP endpoints and their parameters.
📍 Integrate with existing Burp modules for request interception and modification.
📍 Support manual and semi‑automated fuzzing of MCP interfaces.
📎 Tool: fenrisk.com/mcpwned-burp-s…
#dbugs_tools
dbugs@ptdbugs·
89 vulnerabilities found in XAPI / Citrix XenServer
On April 24, 2026, researcher Jakob Wolffhechel published a detailed analysis of vulnerabilities in XAPI, the management component of Citrix XenServer / Citrix Hypervisor and XCP-ng. The report describes 89 vulnerabilities, which the author classifies as a Day-0 disclosure, stemming from five architectural flaws.
The core issue is that all writable Map(String, String) fields across eight XAPI object types lack any input validation. As a result, a user with minimal virtual machine management privileges (vm-admin) can gain read and write access to the host filesystem, access data from other virtual machines, tamper with storage traffic, and affect infrastructure operations through ordinary API calls — without exploit code, root access, or triggering security alerts.
By severity, the vulnerabilities are distributed as follows:
5 — critical
28 — high
46 — medium
10 — low
The full list of disclosed vulnerabilities, technical exploitation details, and detection recommendations are available in the Moksha -> (shittrix.moksha.dk) publication.
#dbugs_vuln
dbugs@ptdbugs·
🎮 Cisco, Meta, and AWS join the push against post-quantum risks
Following earlier announcements from Google and Cloudflare about preparing for quantum threats, Cisco, Meta, and Amazon Web Services have also joined the effort.
🛑 Cisco: infrastructure-level transition
Cisco is focusing on -> (blogs.cisco.com/security/prepa…) securing its Secure Firewall solutions. The company is already planning to integrate post-quantum cryptography into key components, including VPN, TLS, device management, and hardware-level secure boot. New algorithms, such as ML-KEM for key exchange and ML-DSA and SLH-DSA for signatures, are expected to be introduced in releases between 2026 and 2027.
🛑 Meta: rethinking internal processes
Meta is introducing -> (engineering.fb.com/2026/04/16/sec…) the concept of PQC Migration Levels to manage the complexity of transitioning across different systems and use cases. Key steps include:
🔵 prioritizing critical systems;
🔵 inventorying all cryptographic assets;
🔵 gradual deployment with attention to compatibility and performance;
🔵 adopting a hybrid approach combining classical and post-quantum cryptography.
🛑 AWS: protecting secrets
Amazon Web Services is focusing on -> (aws.amazon.com/ru/blogs/secur…) protecting data that could be harvested today and decrypted in the future. The company is implementing hybrid post-quantum mechanisms, combining classical cryptography with ML-KEM, in TLS connections within its Secrets Manager service. At the same time, AWS follows a shared responsibility model, in which some protections are implemented automatically, while others remain the responsibility of the customer.
#dbugs_tech
dbugs@ptdbugs·
Sale of a 0‑day exploit for iOS
For informational purposes only.
According to the seller, the attack chain includes WebKit JIT vulnerabilities, a sandbox escape, and privilege escalation, providing full access to the /var/mobile directory and the ability to extract photos and videos, SMS/iMessage databases, call history, as well as Keychain contents in plaintext. The exploit’s stability is 95% on clean installations, with PAC/PPL protection bypass included.
Type of vulnerability: RCE via iMessage/Safari (JavaScript engine)
Affected versions: 26.4.1 (A12–A19 Bionic/ARM64e)
Price (exclusive): $17K
Price (non‑exclusive): from $900 to $3K
#dbugs_darkweb
dbugs@ptdbugs·
Plugin for WordPress Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload to RCE via fetch_gravatar_from_remote
CVE: CVE-2026-3844
PT ID: PT-2026-34629
Vendor: cloudways
Product: Breeze Cache (plugin for WordPress)
CVSS: 9.8
Credits: Hung Nguyen
Description: The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
References:
• dbugs.ptsecurity.com/vulnerability/…
• wordfence.com/threat-intel/v…
• plugins.trac.wordpress.org/browser/breeze… (line anchor #L119)
• plugins.trac.wordpress.org/browser/breeze… (line anchor #L89)
• plugins.trac.wordpress.org/changeset/3511…
Exploit: github.com/dinosn/CVE-202…
#dbugs_vuln
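The bug class in the advisory above (a remotely fetched file written under the web root without checking what it is) can be contrasted with a hardened version. The Go code below is an added illustration for this page, not the plugin's code: the function names, the sample bodies and the hypothetical gravatar.example host are assumptions. The weak variant keeps the name taken from the remote URL and would write whatever bytes come back; the safe variant sniffs the body, accepts only raster image types, and derives the on-disk name from the e-mail hash plus the extension that matches the detected type, so a response containing PHP never reaches disk under a .php name, or any name.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

const maxAvatarBytes = 256 * 1024

// UnsafeLocalName is the illustrative weak pattern: it trusts the name in the
// remote URL and never looks at the bytes, so a fetch of .../shell.php lands in
// the web root under that name, whatever the server actually returned.
func UnsafeLocalName(remote string) (string, error) {
	u, err := url.Parse(remote)
	if err != nil {
		return "", err
	}
	return path.Base(u.Path), nil
}

// allowedTypes maps sniffed MIME types to the only extensions ever written.
var allowedTypes = map[string]string{
	"image/png":  ".png",
	"image/jpeg": ".jpg",
	"image/gif":  ".gif",
}

// SafeLocalName ignores the remote name entirely. It sniffs the body with the
// same magic-byte rules a browser uses, accepts only raster image types, and
// names the file after the e-mail hash plus the extension for the detected type.
func SafeLocalName(email string, body []byte) (string, error) {
	if len(body) == 0 || len(body) > maxAvatarBytes {
		return "", fmt.Errorf("rejected: body size %d out of range", len(body))
	}
	ct := http.DetectContentType(body)
	ext, ok := allowedTypes[ct]
	if !ok {
		return "", fmt.Errorf("rejected: detected content type %q is not an allowed image", ct)
	}
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(sum[:8]) + ext, nil
}

// Constructed sample bodies (not captured from any real server).
var (
	pngBody  = []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	jpegBody = []byte("\xff\xd8\xff\xe0\x00\x10JFIF")
	phpBody  = []byte("<?php system($_GET['c']); ?>")
)

func main() {
	n, _ := UnsafeLocalName("https://gravatar.example/avatar/shell.php")
	fmt.Println("unsafe keeps remote name:", n)
	for _, body := range [][]byte{pngBody, jpegBody, phpBody} {
		name, err := SafeLocalName("user@example.com", body)
		fmt.Printf("safe: name=%q err=%v\n", name, err)
	}
}
```

Content sniffing alone is not a complete defence (a polyglot can satisfy an image signature and still carry a payload), which is why the safe variant also controls the extension and the file name: the web server's handler mapping is decided by the extension it writes, never by anything the remote side supplied.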
dbugs@ptdbugs·
🧩 ShareHound — building SMB share access graphs for BloodHound
A tool for automated collection and visualization of access rights to network SMB shares in the OpenGraph format compatible with "BloodHound". It helps analyze which users and groups have access to domain shares, simplifying graph generation for attack paths and AD infrastructure audits.
Features:
📍 Generates JSON‑formatted graphs based on permissions of SMB resources.
📍 Supports NTLM and Kerberos authentication, as well as Pass‑the‑Hash authentication.
📍 Multithreaded scanning with BFS traversal and filtering via the ShareQL language.
📍 Two implementations: Python (easy to extend) and Go (large‑scale scans of 60 000+ hosts, checkpoint files, ZIP streaming).
📍 Supports CIDR ranges and target list files.
Unlike "BloodHound Collectors", "ShareHound" focuses specifically on SMB resource permissions and exports data directly in OpenGraph format. The Go version outperforms standard collectors in scalability and resilience, while the Python implementation is easier to integrate and use in automation or scripting scenarios.
📎 Tool: github.com/p0dalirius/sha…
#dbugs_tools
dbugs@ptdbugs·
🧩 DLLHijackHunter — automated detection of DLL Hijacking vulnerabilities in Windows
A tool for discovering DLL Hijacking vulnerabilities in the local system. It runs a multi‑phase pipeline: from static analysis of binaries and services to verifying exploitability through injection of a canary DLL.
Features:
📍 Scans for vulnerabilities in services, scheduled tasks, COM objects, and startup entries.
📍 Analyzes UAC bypass vectors via AutoElevate and application manifests.
📍 Filters false positives.
📍 Confirms vulnerabilities using a safe canary DLL and automatic trigger.
📍 Provides assessment and reporting with likelihood‑based ranking (console + JSON output).
Compared to tools like "DLLHijackAuditor" and "PowerUp.ps1", "DLLHijackHunter" goes beyond static detection — it validates actual DLL execution, improving accuracy at the cost of longer analysis time.
📎 Tool: github.com/ghostvectoraca…
#dbugs_tools
dbugs@ptdbugs·
🧩 TokenSmith — access and refresh token generator for Entra ID
A Go-based tool for obtaining "access" and "refresh" tokens for Entra ID (Azure AD). Allows authentication via the standard "authcode" flow and enables the use of retrieved tokens in popular Azure post-exploitation utilities. Useful in scenarios requiring minimal footprint and evasion of corporate access policies.
Features:
• Entra ID token generation via "authcode" flow
• Support for the "--intune-bypass" flag to bypass Intune Conditional Access
• Customizable "client_id", "resource", "redirect_uri" and "User-Agent"
📎 Tool: github.com/JumpsecLabs/To…
#dbugs_tools
dbugs@ptdbugs·
📌 Abusing WinGet via the COM API
EclipseSec’s research shows how to leverage the WinGet COM API to execute arbitrary code inside a Microsoft‑signed process. Instead of invoking "winget.exe", an attacker can call the COM interface directly, completely avoiding any appearance of "winget.exe", "powershell.exe", or "cmd.exe" in the process tree. This effectively turns WinGet into a living‑off‑the‑land tool that helps evade monitoring solutions.
The technique works on Windows 10, Windows 11, or Windows Server 2025 systems where WinGet is installed by default. Exploitation requires a user account that has permission to access the WinGet COM object.
📎 Article: eclipsesec.com/posts/DSCourie…
⚙️ Tool: github.com/DylanDavis1/DS…
#dbugs_attacks
dbugs@ptdbugs·
JS-inject access to a network of gaming key websites offered for sale
For informational purposes only.
Geo: 8 domains in the US/EU segment
Price: $20k
The seller claims that a single API request can be used to execute JavaScript code across all 8 domains of a gaming key store aggregator, which reportedly attracts around 2.5–3.5 million unique visitors per month, primarily from the US, UK, and Germany. Notably, this is allegedly not a third-party injection, but a “legitimate first-party script” that, according to the hacker, is trusted by browsers, AdBlock, and website allowlists.
The main audience consists of gamers, mostly Windows users, many of whom reportedly have Steam and PayPal accounts. As a “bonus,” the seller is offering database credentials and application secrets. However, direct infrastructure access appears to be limited based on the description: the ports are firewalled, and local access is required.
#dbugs_darkweb