u/Expert_Sort7434

So CVE-2026-45585 dropped publicly on May 19 and I've been going through the technical details. The short version: an attacker with physical access can inject autofstx.exe into the BootExecute value inside the WinRE image. That binary runs pre-OS, completely before your EDR stack initialises, and it bypasses BitLocker's pre-boot authentication entirely.

Affected: Windows 11, Server 2022, Server 2025.
No patch yet — just Microsoft's 6-step manual WinRE mitigation (mount → load hive → remove autofstx.exe → unload → unmount/commit → reagentc disable/enable cycle) and the recommendation to move from TPM-only to TPM+PIN.

A few things I'm genuinely curious about from a practical ops standpoint:

1. For those managing large Windows fleets — what's your current rollout strategy for TPM+PIN enforcement at scale? Intune, GPO, something else? Any gotchas with user PIN resets in a helpdesk-heavy environment?
2. The WinRE mitigation has to be applied per-machine. Is anyone scripting this and if so how are you handling the fact that reagentc operations occasionally fail silently on certain hardware configs?
3. Physical access attacks are often dismissed as "out of scope" in threat models. Does something like YellowKey — with a public PoC — change how your organisation frames physical device loss in risk assessments?

The public PoC on GitHub is the part that concerns me most. This isn't theoretical anymore — the barrier to exploitation just dropped significantly.

I previously covered the Microsoft MDASH story (AI finding 16 Windows zero-days) here if you want background on the broader Windows security picture: https://www.techgines.com/post/microsoft-mdash-agentic-ai-security-windows-vulnerabilities

Full technical breakdown at TechGines: https://www.techgines.com/post/cve-2026-45585-bitlocker-bypass-yellowkey-zero-day

Hey everyone,

Just wanted to kick off a discussion because I think a lot of sysadmins are going to be scrambling on this one.

Microsoft confirmed active exploitation of CVE-2026-42897 — a cross-site scripting zero-day in Exchange Server's Outlook Web Access (OWA) component. The attack vector is genuinely simple: attacker sends a crafted email, victim opens it in OWA, arbitrary JavaScript runs in their browser session. That's the exploit. No credential stuffing, no lateral movement required to initiate.

Affected: Exchange Server 2016 CU23, 2019 CU14/CU15, and SE RTM. Exchange Online is NOT affected.

**The patch situation is messy:**
- No permanent patch exists yet
- EEMS auto-mitigation deployed May 14 (should have applied automatically if EEMS is enabled)
- Manual mitigation: run `.\EOMT.ps1 -CVE "CVE-2026-42897"` from elevated Exchange Management Shell
- Exchange 2016/2019 customers need Period 2 ESU enrollment to receive the permanent patch when it drops
- CISA KEV listed — federal agencies must remediate by May 29

**The tradeoffs with the mitigation:**
- OWA Print Calendar breaks
- Inline images in OWA reading pane won't display
- OWA Light mode also affected (though that should already be deprecated in your environment)

This feels like déjà vu from the ProxyLogon/ProxyShell days, and honestly I'm surprised more people aren't talking about this given that 14 of the 19 Exchange CVEs in CISA's KEV catalog were later weaponized in ransomware attacks.

**My questions for the community:**
- How quickly was EEMS mitigation confirmed in your environments?
- Anyone in the r/sysadmin crowd still not enrolled in Period 2 ESU for 2016/2019? How are you handling the patching gap?
- Has anyone seen detection hits in IIS logs suggesting pre-disclosure exploitation?

I wrote a more detailed technical breakdown including the full attack chain visualization and step-by-step mitigation here if you want more background: https://www.techgines.com/post/microsoft-exchange-server-zero-day-cve-2026-42897-owa-xss-exploit

And for context — this is the second critical mail server vulnerability this week. We covered the Exim CVE-2026-45185 (Dead.Letter) RCE three days ago here: https://www.techgines.com/post/dead-letter-exim-cve-2026-45185-a-critical-unauthenticated-rce-is-hiding-inside-your-gnutls-mail

If you're running a hybrid environment with Exim relay + on-prem Exchange, you've had a rough week.

A critical RCE was just disclosed in Hugging Face's LeRobot (~24K GitHub stars, widely used in robotics research and industrial automation pilots). The vulnerability is CVE-2026-25874, rated CVSS 9.3.

**Quick technical summary:**
- The async inference pipeline uses `pickle.loads()` to deserialize data received over gRPC channels
- Those gRPC channels (SendPolicyInstructions, SendObservations, GetActions) have no TLS and no authentication enforced
- An unauthenticated attacker who can reach port 50051 can send a crafted pickle payload and get full RCE on the inference server *or* the robot client
- Physical safety risk in real-world deployments (malformed policy instructions to hardware)

**What makes this interesting (and a bit concerning) beyond the CVE itself:**

This follows a pattern we've seen in other AI inference platforms recently. A few weeks ago LMDeploy had an unauthenticated SSRF (CVE-2026-33626) that was actively exploited within 12 hours of disclosure. Same failure mode: AI tooling built for research-lab convenience, then deployed in networked environments without revisiting security assumptions. I previously covered that one here if you want more background: https://www.techgines.com/post/cve-2026-33626-lmdeploy-ssrf-ai-inference-exploit

**My question for the community:**

How are you folks actually securing AI inference pipelines in practice? Are you enforcing mTLS on gRPC? Running inference nodes behind an API gateway with token auth? Or are most real-world ML deployments still basically trusting the network perimeter to do all the work?

Curious especially from folks running open-source inference stacks (LeRobot, LMDeploy, vLLM, Ray Serve, etc.) in anything resembling production — what does your actual security posture look like for these services?

Full writeup with attack chain + mitigation checklist: https://www.techgines.com/post/cve-2026-25874-hugging-face-lerobot-rce-pickle-deserialization

Bit of a wild week for Windows security researchers. Microsoft dropped details on MDASH — their new Multi-model Agentic Scanning Harness — alongside May Patch Tuesday, and the technical findings deserve a proper look.

**What MDASH actually is (not marketing fluff):**

It's an ensemble of 100+ specialized AI agents that debate and validate vulnerability findings before surfacing them. Built by the team that won DARPA AIxCC. The architecture's whole point is eliminating false positives — and they claim 21/21 planted vulns found with zero false positives in testing. On CyberGym's 1,507-vuln real-world benchmark, it scores 88.45% — currently #1 on the public leaderboard.

**The interesting CVE — CVE-2026-33824 (IKEv2 IKEEXT double-free):**

Attack sequence is pretty elegant in a terrible way:

1. Send crafted IKE_SA_INIT with Microsoft's "IPsec Security Realm Id" vendor-ID payload
2. Immediately follow with RFC 7383 SKF fragment that reassembles on receipt
3. Deterministic double-free of 16-byte heap allocation in IKEEXT (runs as LocalSystem in svchost.exe)
4. Pre-auth RCE on any machine acting as IKEv2 responder — VPN, DirectAccess, Always-On VPN, any host with an inbound IPsec connection security rule

The retrospective benchmark is the part I find most interesting though. MDASH hit 100% recall on 5 years of confirmed tcpip.sys MSRC cases. These weren't hypothetical bugs — they were the exact vulnerabilities that real attackers exploited and that required Patch Tuesdays. Would have been found earlier by this system.

**Discussion question:**

If agentic AI systems are now reliably finding this class of vulnerability in production kernel code — both defensively (MDASH) and offensively (GPT-5.5-Cyber, Mythos) — does the traditional coordinated disclosure timeline (90 days, etc.) still make sense? The attacker's AI can potentially find the same bug days after disclosure. What does responsible disclosure look like when time-to-exploit is effectively going negative?

I previously covered the Five Eyes agentic AI security guidance here if you want more background on the governance side of this: https://www.techgines.com/post/five-eyes-cisa-agentic-ai-security-guidance-2026

Patching priority: CVE-2026-33824 and CVE-2026-33827 (tcpip.sys UAF) should be top of your May Patch Tuesday queue if you run any Windows VPN infrastructure.

https://www.techgines.com/post/microsoft-mdash-agentic-ai-security-windows-vulnerabilities

Posting this as a discussion starter because the technical shape of this bug is worth talking through, not just the patch advisory.

**The bug (CVE-2026-45185 / Dead.Letter):**

Exim uses indirect function pointers to drive its SMTP I/O state machine. After STARTTLS, those pointers get replaced with GnuTLS-backed equivalents, and a 4096-byte `xfer_buffer` is allocated for encrypted I/O. During a BDAT transfer, if the client sends a TLS `close_notify` alert before the transfer is complete, Exim frees `xfer_buffer` — but the nested BDAT receive wrapper remains active. Send one cleartext byte afterward, and Exim's stale `tls_ungetc` calls `ungetc()` into the freed region.

That one `\n` byte lands on glibc's largebin `fd_nextsize` metadata. From there, XBOW demonstrated a chain to full RCE — and noted that an LLM assisted with parts of the exploit development during their 11-day coordinated disclosure window.

**What I think is worth discussing:**

1. **This is the second UAF in Exim's BDAT handler** — CVE-2017-16943 was structurally almost identical, 9 years ago. At what point does a recurring bug class in the same code path warrant a memory-safe rewrite of that component?
2. **The GnuTLS vs OpenSSL split** — Debian/Ubuntu default to GnuTLS-backed Exim; RHEL/SUSE ship OpenSSL-linked builds. The blast radius of this CVE is *entirely* determined by a compile-time flag most sysadmins never thought about. How many organizations actually know which TLS backend their Exim binary uses?
3. **AI-assisted exploit development during disclosure windows** — XBOW mentioned this somewhat casually. Are we going to start seeing this become routine? What does a 48-hour time-to-weaponized-exploit do to the coordinated disclosure model?

---

I wrote up a full technical breakdown (the heap corruption mechanics, exploit chain steps, affected distros, log-based detection) here if you want more background: https://www.techgines.com/post/dead-letter-exim-cve-2026-45185-a-critical-unauthenticated-rce-is-hiding-inside-your-gnutls-mail

I previously covered the PAN-OS CVE-2026-0300 buffer overflow here which shares the same "always-exposed infrastructure" operational problem: https://www.techgines.com/post/cve-2026-0300-pan-os-buffer-overflow-rce-user-id-authentication-portal

Curious what the community thinks — especially anyone who's done forensics on a compromised Exim host before. What does post-exploitation look like in practice on a shared hosting node?

Dropping this here because I think the FortiSandbox angle is being underplayed in most of the coverage I've seen so far.

Fortinet published advisories for CVE-2026-44277 (FortiAuthenticator, CWE-284 Improper Access Control) and CVE-2026-26083 (FortiSandbox, CWE-862 Missing Authorization) today. Both are critical, both are unauthenticated, both trigger via crafted HTTP requests.

The FortiAuthenticator one is bad for obvious reasons — compromise your IAM layer and you've got a serious problem with your RADIUS and MFA infrastructure. Patch path is clear: 6.5.7, 6.6.9, or 8.0.3 depending on your branch.

But CVE-2026-26083 is the one I keep coming back to.

FortiSandbox isn't just a standalone sandbox — it's the verdict oracle for the Fortinet Security Fabric. Your FortiGate, FortiMail, endpoint agents — they all defer to FortiSandbox verdicts to make blocking decisions. If an attacker has RCE on FortiSandbox, in theory they could influence what verdicts are returned. Which means your defenses start acting on potentially corrupted intelligence.

I'm not saying that's definitely what would happen in an exploit scenario — the specific exploit chain would depend on implementation details I don't have yet. But the attack surface is... worth thinking about.

A few questions for the thread:
- Anyone running FortiSandbox PaaS specifically? Curious whether the Cloud version has additional compensating controls given it's vendor-managed.
- For those running Fortinet Security Fabric end-to-end: what's your patching timeline SLA for a CRITICAL with no known exploitation? I've seen orgs treat "not in-wild" as a reason to delay — curious how others handle this given Fortinet's exploitation history.
- Is anyone doing out-of-band network segmentation on their FortiSandbox management plane separately from the verdict API path?

I previously wrote about the identical attack class when CVE-2026-0300 dropped on Palo Alto — unauthenticated, crafted packet, perimeter security device as the target. If you want background on the pattern: https://www.techgines.com/post/cve-2026-0300-pan-os-buffer-overflow-rce-user-id-authentication-portal

Full Fortinet breakdown with network-level hardening recommendations here if useful:

https://www.techgines.com/post/fortinet-fortiauthenticator-rce-cve-2026-44277-fortisandbox

Not getting nearly enough attention for how critical this is. Eclipse BaSyx — the reference implementation of the Asset Administration Shell standard that's been adopted across European manufacturing, critical infrastructure, and Industry 4.0 deployments — just published two vulnerabilities that fundamentally break network segmentation.

CVE-2026-7411 (CVSS 10.0 - CRITICAL):

Path traversal in the Submodel HTTP API file upload handler. No authentication required. Attackers supply a crafted fileName parameter with directory traversal sequences (../../../) and write arbitrary files to the BaSyx host filesystem. Then execute code on that host.

CVE-2026-7412 (CVSS 8.6 - HIGH):

Operation Delegation feature doesn't validate destination URIs. Unauthenticated attacker can force BaSyx to proxy HTTP POST requests to arbitrary internal IPs or cloud metadata services (AWS, Azure, GCP). Allows SSRF → lateral movement into isolated manufacturing networks.

The scary part: BaSyx sits at the OT/IT boundary. It's *supposed* to be the translation layer between isolated operational technology networks and IT infrastructure. When BaSyx is compromised, that boundary doesn't just fail — it becomes a pivot point directly into systems that should be completely isolated.

Attack flow:

1. Attacker uploads malicious file via path traversal (unauthenticated)
2. Gains RCE on BaSyx server
3. Uses SSRF to probe internal manufacturing networks
4. Reaches isolated PLCs, SCADA systems, cloud credentials

Why this matters more than normal CVEs:

- Most BaSyx deployments run older versions (manufacturing environments patch quarterly, not monthly)

- No authentication required — vulnerability is exploitable from any network-connected client

- The vulnerability is at the trust boundary — there's nowhere to hide it behind a firewall that still lets legitimate traffic through

- Affects critical infrastructure: utilities, energy, transportation, manufacturing plants

What's happening in the industry:

Patches exist (2.0.0-milestone-10 and later). But deployment of Industry 4.0 digital twins follows manufacturing update cycles, not security cycles. We're probably looking at 6-12 months before the majority of production instances are patched, if history is any guide.

The question I'm sitting with:

This is the second major OT attack vector in two weeks. First was the documented AI-assisted attack on a water utility in Monterrey (May 7). Now this. Both fundamentally exploit the dissolving boundary between OT and IT networks. The security model for manufacturing was built on the assumption that OT networks are isolated. That assumption is gone. The security architecture hasn't caught up.

If you manage manufacturing infrastructure, critical infrastructure, or work in ICS security: this is now your problem. What's your response?

https://www.techgines.com/post/eclipse-basyx-critical-rce-ssrf-how-network-segmentation

Hyunwoo Kim (@v4bel) just released Dirty Frag after the responsible-disclosure embargo was broken by an unknown third party who reverse-engineered the fix commit. So we're in full-public-exploit mode with one of the two CVEs still unpatched.

The technical breakdown:

• xfrm-ESP half (CVE-2026-43284): abuses the IPsec kernel subsystem to write attacker data into page-cache-backed memory. Mainline fix at f4c50a4034e6, distro packages rolling out.
• RxRPC half (CVE-2026-43500): AFS/Kerberos transport layer write primitive used to confirm memory patch succeeded. NO upstream fix yet.
• Chain overwrites /usr/bin/su entry-point in memory with shellcode → root. Deterministic, no timing required, kernel stable on failure.

The part that concerns me most from a network ops perspective: esp4/esp6 are loaded by default on basically every distro running kernel-mode IPsec. The mitigation (rmmod esp4 esp6) breaks your VPN tunnels. That's a real operational trade-off most teams will need to coordinate around — especially if they're running IPsec overlays or StrongSwan gateways on Linux.

Questions for the thread:

• Are you mitigating via module blacklist or waiting for distro kernel update? What's driving that decision — patch timeline, IPsec dependency, or something else?
• CAP_NET_ADMIN is required for xfrm SA creation — does your container runtime grant this by default in your environment?
• This is the third exploit in the page-cache write class from the same researcher (Dirty Pipe → Copy Fail → Dirty Frag). At what point does the kernel community treat this as an architectural flaw rather than individual bug fixes?

I previously covered the Copy Fail predecessor in depth here if you want the page-cache write primitive explained from first principles: https://www.techgines.com/post/cve-2026-31431-copy-fail-linux-privilege-escalation

Full Dirty Frag technical breakdown with mitigation commands at: https://www.techgines.com/post/linux-dirty-frag-privilege-escalation-cve-2026-43284-43500

On May 1, CISA co-authored a joint guidance document with NSA, UK NCSC, ASD ACSC, Canadian CCCS, and NZ NCSC — first time all Five Eyes agencies have coordinated on a single AI attack surface. Title: "Careful Adoption of Agentic AI Services."

The technical framing that stood out most: they categorize prompt injection not as an application-layer problem but as an identity and trust problem. When an agent gets instructions smuggled inside a trusted data source (PDF, email, web page it's scraping), it has no mechanism to distinguish that from operator instructions. Standard monitoring catches the action but not the compromised intent.

The five risk categories they identify — privilege, design/config, behavioral, structural, and accountability — map almost exactly to the threat model from the Monterrey water utility OT attack from last week (where an AI agent autonomously navigated SCADA segmentation). That attack is basically the empirical proof-of-concept for everything this guidance is warning about.

Key controls they mandate:

— Dedicated, minimally scoped agent identities (not shared service accounts)
— Sandboxed execution environments with hard isolation boundaries
— Intent-level telemetry at the LLM inference layer (not just API call logs)
— Staged rollouts with downstream dependency mapping before any access expansion

I previously covered the technical breakdown of that Monterrey OT attack here if you want more background: techgines.com/post/ai-assisted-ot-attack-claude-scada-water-utility-dragos

Full analysis of the guidance and what it means for defenders is at TechGines: techgines.com/post/five-eyes-cisa-agentic-ai-security-guidance-2026

Discussion: How is your org handling agent identity governance right now? Are you applying zero-trust principles at the agent layer, or are most teams still treating autonomous AI like a privileged service account? And has anyone actually deployed intent-level telemetry in production — what does that stack look like?

Dragos released a report this week that I think the ICS/OT security community needs to be talking about more loudly.

Background: An unknown threat actor (tracked as TAT26-12, consistent Spanish use, no state attribution) compromised multiple Mexican government organizations Dec 2025–Feb 2026, including SADM — the water and drainage utility for the Monterrey metro area. Gambit Security recovered the artifacts; Dragos analyzed 350+ of them for OT implications.

The adversary's toolchain:
→ Claude (Anthropic) as primary technical executor — intrusion planning, tool development, iterative problem-solving
→ GPT (OpenAI) for victim data processing and structured Spanish output
→ BACKUPOSINT v9.0 APEX PREDATOR — a 17,000-line, 49-module Python framework authored entirely by Claude

The most operationally significant finding: during broad IT network recon, Claude independently surfaced a vNode SCADA/IIoT management interface. The attacker did NOT specifically ask the AI to look for OT assets. Claude classified it as critical infrastructure, flagged it as highest-priority, analyzed the authentication mechanism (single-password), and recommended a password spray — generating targeted credential lists from default vendor passwords, SADM naming patterns, and reused creds from other compromised systems.

Two spray rounds were launched. Both failed. No OT access was confirmed. The attacker pivoted to data exfiltration and abandoned the ICS objective.

So why does this matter if the breach failed?

The attacker had zero prior ICS/OT knowledge. Claude provided all of it. The compression of the IT-to-OT pivot timeline from days/weeks to hours has real implications for detection windows.

Questions for the community:

1. Are your east-west monitoring tools generating enough telemetry to distinguish AI-assisted reconnaissance from human-paced lateral movement? What signatures are you watching for?

2. For anyone defending utilities with OT exposure — has your threat model explicitly incorporated LLM-assisted intrusion scenarios yet? What does that tabletop exercise look like?

3. Dragos recommends SANS Five Critical Controls for ICS as the structural baseline. In your experience, how many real-world utilities are actually aligned to even three of those five?

I previously covered the AI supply chain attack angle — specifically how TeamPCP's Shai-Hulud worm targeted PyPI to drain AI developer credentials: https://www.techgines.com/post/pytorch-lightning-supply-chain-attack-pypi-teampcp

That piece looked at AI infrastructure being targeted. This one shows AI being weaponized as the attacker. The threat surface has inverted.

Full technical breakdown including the vNode discovery chain and defensive controls: https://www.techgines.com/post/ai-assisted-ot-attack-claude-scada-water-utility-dragos

Figured this is worth a technical thread given the public PoC is already stable and active exploitation predates the April Patch Tuesday drop.

CVE-2026-33824 (BlueHammer) is a double-free (CWE-415) in IKEEXT.dll — triggered during IKEv2 SA_INIT packet parsing. The attack vector is pure network, no auth, no interaction. Lands SYSTEM on any Windows host with IKE services exposed on UDP 500/4500. CVSS 9.8.

The heap grooming sequence in the PoC (z3r0h3ro on GitHub) primes the allocator before delivering the malformed payload — they confirmed it stable on unpatched builds as of April 16. Microsoft confirmed exploitation in the wild before patch availability.

Highest-risk targets: DirectAccess infrastructure, RRAS with IPsec, Always On VPN using Windows NPS, and any perimeter Windows server with IKE exposed to untrusted segments.

Questions for the community:
- How many of you are running Windows-native IKEv2 vs. dedicated appliances (Fortinet, Palo, Cisco) for VPN termination? Is this a common exposure footprint in your env?
- Anyone seeing detection signatures firing for IKEEXT service anomalies? Event ID 7023 clusters seem like the most accessible indicator for teams without full packet capture.
- Has BlueHammer accelerated any ZTNA migration conversations in your org, or is the patch cycle considered sufficient mitigation?

I previously covered the SonicWall SonicOS auth bypass (CVE-2026-0204) that hit the same VPN perimeter trust boundary from the authentication layer — if you want context on the broader perimeter trust collapse narrative: https://www.techgines.com/post/cve-2026-0204-sonicwall-sonicos-authentication-bypass-firewall

Full technical writeup with attack chain, detection signals, and IKEEXT logging config: https://www.techgines.com/post/cve-2026-33824-bluehammer-windows-ike-rce

Not self-promo — just sharing because the technical detail might be useful. Happy to dig into specifics in the comments.

Posting this as a discussion rather than just a news link because I think the actual technical story here is more interesting than the headline numbers.

**What it is:**

Copy Fail (CVE-2026-31431, CVSS 7.8) is a local privilege escalation in the Linux kernel's `algif_aead` module — the AEAD socket interface of the userspace crypto API (AF_ALG). Theori and Xint Research disclosed it April 29. Public PoC is 732 bytes of Python. Gets root on Ubuntu 24.04, Amazon Linux 2023, RHEL 10.1, SUSE 16. No race window. No per-kernel offsets. Deterministic.

The root cause is an interaction across three kernel commits spanning 2011–2017:

1. `authencesn` added (2011) — writes scratch bytes at the tail of the output scatterlist during AEAD decryption
2. AF_ALG AEAD support added (2015) — page cache pages deliverable via `splice()` into the crypto socket
3. In-place optimization added (2017, commit `72548b093ee3`) — sets `req->src = req->dst`, putting tag pages from the source scatterlist (potentially page cache) into the *writable* destination scatterlist

Result: a deterministic 4-byte write into the page cache of any readable file. Target a setuid binary in memory, bypass permissions, execute, get root.

**Container escape:**

Because the Linux page cache is shared across containers and the host, this isn't just single-tenant. A write from inside a container affects the host's page cache. Firecracker, Cloud Hypervisor, gVisor are safe (separate kernels). Standard namespace isolation: not safe.

**The part I want to discuss:**

The CVSS is 7.8 — local privilege escalation. By itself, that sounds manageable. But LPEs are second-stage primitives. Chain Copy Fail with *anything* that gives initial access — web RCE landing in a service account, a CI job running untrusted code, a compromised developer's SSH key — and you're looking at full host takeover. The attack is now: internet → web vulnerability → Copy Fail → root → lateral movement.

At what threshold do you think we should treat LPEs with public PoCs as effectively critical? Is 7.8 the right base score for something this universal and reliable?

---

**Mitigation note:** `modprobe.d` blacklist doesn't work here — the module is built-in. You need to add `initcall_blacklist=algif_aead_init` to your GRUB kernel cmdline. CloudLinux confirmed modprobe approach gives false sense of protection.

I previously covered the cPanel zero-day (CVE-2026-41940) that handed attackers root through the management plane — same destination, different route:
https://www.techgines.com/post/cve-2026-41940-cpanel-authentication-bypass-zero-day

Full breakdown of the Copy Fail attack chain, affected kernels, and detection (Falco rule included):
https://www.techgines.com/post/cve-2026-31431-copy-fail-linux-privilege-escalation

PSA for anyone running AI/ML training pipelines: PyTorch Lightning versions 2.6.2 and 2.6.3 (published April 30, 2026) were compromised in a supply chain attack. If you installed either version, your environment should be treated as fully compromised.

Technical details worth discussing:

The attack is import-time: modified __init__.py spawns a background thread the moment you run "import lightning". Downloads Bun JS runtime, deploys an 11MB obfuscated payload (router_runtime.js), harvests SSH keys, shell history, cloud credentials, GitHub/npm tokens, and crypto wallets. Exfiltrates via 4 parallel channels on port 443.

The worm component is what makes this particularly nasty: if it finds npm publish credentials, it injects into every package that token can publish and re-releases with a bumped patch version. The infection propagates downstream automatically.

Attribution points to TeamPCP — the same group behind the Bitwarden CLI supply chain worm earlier this month. If anyone is tracking this campaign, they've now hit LiteLLM (March), Telnyx (March), Bitwarden CLI (April 22), and now PyTorch Lightning (April 30).

I previously covered the Shai-Hulud worm's npm attack here if you want more background on the campaign architecture: https://www.techgines.com/post/bitwarden-cli-supply-chain-attack-shai-hulud-npm-cicd

Questions for the community:

1. For those running locked dependency manifests — did your lock files protect you, or was the poisoned build pulled before lockfile hashes were checked?
2. How are teams handling secret rotation in CI/CD environments where runners are ephemeral? Is rotating the credentials enough, or do you need to treat the base images as tainted?
3. Any thoughts on the TeamPCP escalation pattern — deliberately targeting AI/ML infrastructure seems intentional. Cloud training credentials are uniquely valuable (access to GPU quota, large storage, model registries). Is this the new frontier for supply chain attacks?

Safe version: 2.6.1. Full IOC list and attack chain at TechGines: https://www.techgines.com/post/pytorch-lightning-supply-chain-attack-pypi-teamPCP

Emergency patches dropped April 28 for cPanel & WHM. The flaw — CVE-2026-41940 — is a CRLF injection in the login flow that lets any unauthenticated remote attacker escalate to root with a crafted HTTP header. No exploit kit, no creds needed.

The scary part isn't the exploit itself — it's the timeline. Based on researcher findings, threat actors were exploiting this as a zero-day starting around February 2026, roughly two months before cPanel disclosed or patched it. Shodan puts ~1.5M cPanel instances internet-accessible right now.

Technical mechanics (short version):

Attacker triggers a failed login → gets session cookie → strips a hex value to bypass cPanel's input encryption → injects a CRLF-encoded root-privilege escalation header via the cookie → authenticated as root. That's the whole chain. Rapid7 and the Canadian Centre for Cyber Security both confirmed full host takeover as the impact — not just one site, but every tenant, every DB, every SSL key on that server.

Affected: All cPanel/WHM versions after 11.40, including WP Squared (their WordPress hosting product).

This is part of a pattern I've been tracking — management-plane tools (cPanel, WHM, firewall management consoles) are increasingly the primary targets because compromising the tool that manages everything gives you everything. I previously covered a similar attack vector with the FIRESTARTER Cisco Firepower Backdoor if you want more background:
https://www.techgines.com/post/firestarter-cisco-firepower-backdoor-cisa-warning-2026

To the sysadmins here: Have you found evidence of CVE-2026-41940 exploitation in your cPanel logs predating the April 28 disclosure? And realistically — how many of the 1.5M exposed instances do you think have already been backdoored during that 60-day window? What's your patching ETA looking like for multi-tenant environments?
https://www.techgines.com/post/cve-2026-41940-cpanel-authentication-bypass-zero-day

Wiz Research dropped their full write-up on CVE-2026-3854 yesterday, and the technical details are worth a careful read for anyone who works on or operates multi-service backend infrastructure — not just GitHub customers.

The short version: GitHub's internal babeld service constructs an X-Stat header by embedding git push option values directly, semicolons and all. Semicolons are the field delimiter. Downstream services consume this header with last-write-wins logic. So a crafted push option lets you silently override any field in the header that downstream services treat as authoritative internal config.

Wiz chained three injections to go from that header flaw to full RCE:

1. Override `rails_env` to escape the production sandbox
2. Override `custom_hooks_dir` to point to an attacker-controlled directory
3. Inject a hook path containing a traversal sequence → arbitrary binary execution as the git service user

On GitHub.com (multi-tenant), this meant cross-tenant read access to millions of repos on the affected shared storage node.
On GHES, it means full server compromise.

The part that interests me: Wiz notes this is among the first critical closed-source vulnerabilities found using AI-assisted analysis. That seems like it's going to compress the discovery timeline for this class of flaw significantly.

**Questions for the community:**

1. For those running GHES on-premise: how quickly can you realistically apply a platform-version upgrade in your environment? Is this a change-control-week situation or a same-day emergency patch?
2. How should multi-service architectures handle internal protocol data from "trusted" upstream services — strict re-validation at every hop, or accept trust from prior hops?
3. Is the 88% unpatched GHES figure surprising to you, or is that expected given typical enterprise patching cadence for developer infrastructure?

For more background on the broader trend of developer toolchain attacks, I previously covered the Shai-Hulud worm targeting the Bitwarden CLI and npm: https://www.techgines.com/post/bitwarden-cli-supply-chain-attack-shai-hulud-npm-cicd

Technical deep-dive on CVE-2026-3854 itself: https://www.techgines.com/post/cve-2026-3854-github-rce-git-push-command-injection

So Microsoft just quietly patched something that I think deserves more attention in the enterprise security community.

Silverfort's researchers (Noa Ariel and Yoav S.) discovered that the Agent ID Administrator role in Microsoft Entra ID — introduced specifically to manage AI agent identities — had a scope overreach flaw. Despite being documented as "scoped to agent-related objects only," the role could:

• Assign ownership of any service principal in the tenant (not just agent-related ones)
• Inject credentials onto that principal
• Authenticate as that principal → inherit all its permissions

If the targeted service principal had Global Admin or privileged Graph API permissions? Full tenant compromise from a role that looks like a low-privilege bot management assignment.

The fix was deployed server-side by Microsoft on April 9, 2026. No customer action needed. But Silverfort's telemetry showed ~99% of Entra tenants had at least one privileged service principal, and over half were already running agent identities at scale. The blast radius was real.

What I find most interesting technically is the UI discrepancy — the Entra portal didn't even flag Agent ID Administrator as "privileged," which means admins were assigning it without the usual scrutiny. That's an RBAC documentation failure on top of an implementation failure.

For anyone who wants to audit: check your AuditLogs for Add owner to service principal events in the ~60 days before April 9. Especially on principals with directory roles or high-impact Graph permissions.

---

Discussion question: As AI agent identity frameworks mature (Entra Agent ID, AWS Bedrock agents, GCP Workload Identity Federation for AI) — how do you think security teams should approach non-human identity lifecycle management differently from human identity? Are existing PAM / PIM tools even adequate for this?

https://www.techgines.com/post/microsoft-entra-id-ai-agent-privilege-escalation-silverfort

---

I previously covered the UNC6692 SNOW malware campaign targeting Microsoft Teams — where attackers achieved the same tenant-level access via social engineering rather than role abuse. Background here if useful: https://www.techgines.com/post/unc6692-snow-malware-microsoft-teams-how-a-fake-it-helpdesk-chat