Valtik Studios
Security Research

From the lab

Vulnerability deep-dives, attack chain breakdowns, compliance work, and the weekly threat cycle. Every post is original research.

News 15

Breaking breaches, zero-day disclosures, platform incidents, and what to do about them this week.

Weaver
critical
2026-05-05 · 15 min

Weaver E-cology CVE-2026-22679: a 9.8 RCE actively exploited since mid-March. The patch + IR runbook.

CVSS 9.8 unauthenticated RCE in Weaver E-cology via /papi/esearch/data/devops/ — actively exploited since mid-March 2026, weeks before today's public disclosure. Affects E-cology 10.0 prior to build 20260312. E-cology is the dominant OA platform across China and a hidden footprint in Western multinationals via their Chinese subsidiaries. Owning E-cology = owning every contract, HR record, and approval that flowed through the company. Detection commands, exact patch order, JSP webshell hunting, database compromise audit, PIPL/GDPR/state-law notification obligations, and the Tre-pattern-recognition take on enterprise admin platforms exposed to the public internet.

cve-2026-22679, weaver, e-cology

Threat Intelligence 18

Active breaches, APT operations, CVE digests, and the weekly patch cycle.

Cisco Catalyst SD-WAN
critical
2026-05-17 · 13 min

cisco SD-WAN CVE-2026-20182: a missing else-if branch gave UAT-8616 god-mode over the corporate WAN fabric of every Catalyst customer that didn't patch in 3 days

CVE-2026-20182 in Cisco Catalyst SD-WAN Controllers is CVSS 10.0 / pre-auth / unauthenticated / remote. The bug is a missing else-if branch in the vdaemon peering authentication service that handles device_type messages on UDP/12346 (DTLS). The switch statement handles vBond, vSmart, vEdge — but the device_type=2 (vHub) case has no verification branch, so the controller unconditionally flips the authenticated flag for anyone who claims to be a vHub. From there: SSH key injection into /home/vmanage-admin/.ssh/authorized_keys, NETCONF on TCP/830 as the high-priv internal vmanage-admin account, then root. CISA KEV added 2026-05-14 with the tightest federal mitigation window of 2026 (3 days, due May 17, ED 26-03). Attribution: UAT-8616 — the threat cluster that has been camping on Cisco SD-WAN since 2023, previously caught burning CVE-2026-20127 / 20133 / 20128 / 20122. Blast radius is the entire enterprise WAN fabric: OMP route tables, TLOC entries, branch-to-branch segmentation, policy distribution. A single controller pop = god-mode over every cEdge/vEdge in the overlay. This post: full bug walkthrough, affected versions and patches (20.9 → 20.18 and 26.1), hunt indicators across SSH/NETCONF/DTLS/config-plane/webshell layers, pre-patch mitigations (no Cisco workaround so perimeter ACL + management-plane lockdown), the post-patch credential rotation list, and Snort SIDs 66482-66483 for IPS detection.

cve-2026-20182, cisco, cisco sd-wan
Microsoft Exchange Server
high
2026-05-17 · 12 min

exchange CVE-2026-42897: every news outlet is calling this "RCE." it isn't. it's OWA XSS — and the threat model is completely different.

CVE-2026-42897 in on-prem Microsoft Exchange Server is being reported as RCE across every major security outlet this week. It is not RCE. CWE-79 — Cross-Site Scripting in Outlook Web Access. The bug fires when a victim opens a crafted email in OWA. JavaScript executes in the victim's authenticated browser session, not on the Exchange server. That distinction completely changes the response playbook: the box is not owned, the user's session is. Patch posture: no permanent fix for Exchange 2016/2019 unless you're enrolled in the Period 2 paid Extended Security Updates program. Exchange SE will receive the public patch. Exchange Online: not affected. This post: why every outlet has the framing wrong, what the post-XSS hunt actually looks like (inbox-rule abuse, EWS post-message-read patterns, MSExchange Management event log), the EEMS M2 mitigation everyone should already have auto-applied, the manual EOMT path for air-gapped boxes, and the PowerShell block to hunt persistence in the last 24 hours. CISA KEV due date for federal mitigation: 2026-05-29.

cve-2026-42897, exchange, exchange server
npm / TanStack ecosystem
critical
2026-05-11 · 14 min

tanstack npm supply-chain compromise: 84 malicious package versions, a self-spreading worm, and a file-watcher wiper that triggers if you try to revoke your tokens

On May 11 2026 at 19:20 UTC the TanStack ecosystem on npm was compromised. 42 packages, 84 malicious versions, published in a six-minute window with valid Sigstore provenance. The attacker chained three GitHub Actions vulnerabilities — pull_request_target pwn-request, cache poisoning, and runner-process OIDC token extraction — to mint a valid npm publish token and ship malicious releases of @tanstack/react-router, @tanstack/start, @tanstack/solid-router, @tanstack/vue-router and dozens more. The payload harvests AWS / GCP / Kubernetes / Vault / GitHub / npm / SSH credentials and exfils over Session messenger (not HTTP — most egress filters won't catch it). It self-propagates by minting npm tokens for every other package the victim publishes, with forged Sigstore attestations. And it installs a file watcher on the host that detects API-key revocation attempts and triggers a destructive wiper payload — try to clean up from the compromised box and the box gets nuked. This post: full list of 42 affected packages with bad and safe versions, the deobfuscated payload capability matrix, all IOCs (file hashes, persistence locations, network indicators), and the correct air-gap-first remediation order (revoke from a different machine, image before you wipe, block *.getsession.org at the egress). Campaign: Mini Shai-Hulud — same crew that hit Mistral, UiPath, Squawk, Intercom, Lightning AI, SAP CAP. 169+ packages this wave.

tanstack, npm, supply chain
Ivanti EPMM
high
2026-05-10 · 11 min

ivanti EPMM CVE-2026-6973: the 'RCE' everyone's misreading. it's authenticated admin RCE, and that changes the playbook.

Ivanti disclosed CVE-2026-6973 in Endpoint Manager Mobile (EPMM): an authenticated admin RCE actively exploited in the wild. CVSS 7.2. Patched in 12.6.1.1 / 12.7.0.1 / 12.8.0.1. Most news coverage drops the 'authenticated' qualifier and treats this as a generic 0-day RCE. It's not. The auth requirement means your real threat model is 'attacker who has, or can get, admin creds' (phishing, password spray, breach corpus) not 'any internet scanner.' Different posture, different mitigation, different rotation list. This post: who's actually exposed (internet-facing admin consoles), the post-exploit blast radius (full mobile device control plane — push apps, push certs, push VPN configs to every managed device), the detection commands for admin-session anomalies, the patch order across HA pairs, the post-patch credential rotation list most teams skip, and the medium-term architecture fix (admin console off the public internet, period).

cve-2026-6973, ivanti, epmm
cPanel / WHM
critical
2026-05-10 · 13 min

cPanel CVE-2026-29201, 29202, 29203: arbitrary file read, Perl code injection, DoS. three bugs in one disclosure, and the perl one is RCE.

cPanel disclosed and patched three CVEs on May 8, 2026 affecting cPanel & WHM and the WP Squared platform. CVE-2026-29201 is an arbitrary file read in the cPanel daemon (exposes /etc/userdomains, MySQL credentials in ~/.my.cnf, API tokens, and the whostmgr admin secret). CVE-2026-29202 is Perl code injection in the handler dispatcher that lands as the cPanel user, chainable with any kernel local-privesc to escape tenant isolation and pivot across every customer on the box. CVE-2026-29203 is a DoS on the WHM daemon that becomes a force multiplier during IR. The detection runbook for cPanel admins: version check, world-writable Perl handler audit, access log grep for pre-disclosure 0day attempts, the patch order, customer communication template, the long-tail problem of customer-installed Perl scripts that aren't covered by the cPanel patch, and the full IR runbook if you find evidence of compromise.

cve-2026-29201, cve-2026-29202, cve-2026-29203
Palo Alto Networks
critical
2026-05-06 · 14 min

PAN-OS CVE-2026-0300: an unauthenticated root RCE in the firewall you paid $80K for. Patch order, detection, what to do tonight.

Palo Alto Networks confirmed today (May 6, 2026) that CVE-2026-0300 — an unauthenticated buffer overflow in the PAN-OS User-ID Captive Portal yielding full root RCE — is being actively exploited in the wild. CVSS 9.3. Patches stagger to May 13/22/28. This post is the defender's runbook: what the captive portal exposes (your SSL decryption keys, GlobalProtect secrets, syslog forwarding), the post-exploitation pattern observed in early IR, detection commands for the management plane, the patch order across HA pairs, the workaround if you can't patch tonight, and what to do if you find evidence of compromise. If you operate Palo Alto firewalls, read this before lunch.

cve-2026-0300, pan-os, palo alto networks
M365 / Google Workspace
high
2026-05-06 · 13 min

The new phishing campaign weaponizing Google + Outlook calendar invites — credential theft, OTP interception, and RMM in one click.

GBHackers and a handful of corporate IR teams broke a US-targeting campaign today: fake calendar invites — sent through legitimate Google Calendar / Outlook scheduling APIs — land credential-phishing pages that capture username + password + TOTP, then drop signed RMM agents (ConnectWise, TeamViewer, Atera, Splashtop) for unattended remote access. Calendar invites bypass every gut-check users have been trained on. This post: the exact KQL hunts for unauthorized RMM installs, Exchange Online transport rules to quarantine suspicious invites, OAuth-grant audits in Google Workspace, mandatory hardware-key migration for execs, and the full IR playbook if a workstation has been popped.

phishing, calendar invite, rmm
Apache HTTP Server
high
2026-05-06 · 13 min

Apache HTTP/2 CVE-2026-23918: a double-free in the protocol everyone runs. The patch order, detection, and why CVSS 8.8 understates the risk.

Apache pushed an HTTP Server security release yesterday (May 5, 2026) patching CVE-2026-23918 — a double-free in mod_http2's stream-reset path that the ASF describes as 'double free and possible RCE.' CVSS 8.8. Apache HTTP runs on 22-31% of internet-reachable web servers and HTTP/2 has been the default since 2.4.17. Detection commands for HTTP/2 advertisement across your fleet, container-image rebuild order, the access-log fingerprint of exploitation, and the simple workaround (disable HTTP/2 with one Protocols line) if you can't patch in 48 hours. The patch matrix across Debian, Ubuntu, RHEL, Amazon Linux, and the cloud-managed Apache services is laid out below.

cve-2026-23918, apache, httpd
MetInfo CMS
critical
2026-05-06 · 12 min

MetInfo CMS CVE-2026-29014: a 9.8 PHP code-injection RCE in a CMS most Western admins have never heard of. The detection runbook for the long tail.

VulnCheck published yesterday on CVE-2026-29014 — an unauthenticated PHP code-injection RCE in MetInfo CMS 7.9, 8.0, 8.1. CVSS 9.8. The campaign has been running since April 5 against the Chinese-language SMB CMS that dominates the Asian-diaspora SMB website market in the US, Canada, Australia, and Europe. If you operate shared hosting, you have MetInfo installs in your customer base you don't know about. The detection runbook: find every MetInfo across customer accounts (one find command), version-scan each install, hunt for the campaign's signature webshells, mod_security rules to block the vuln URL pattern at the host level, and the customer-communication workflow for proprietors who don't speak English.

cve-2026-29014, metinfo, cms

Research 44

Vulnerability deep-dives and attack chain breakdowns from real engagements.

Platform Security 30

Cloud, Kubernetes, CI/CD, auth platforms, and enterprise identity hardening.

Compliance 28

PCI DSS, SOC 2, HIPAA, CMMC, NYDFS, and the regulations that drive our work.

AI Security 9

Model security, prompt injection, LLM-specific attack surface, and Anthropic Mythos coverage.

Langflow / AI tooling
critical
2026-05-17 · 11 min

langflow CVE-2026-33017: the unauth RCE in your team's AI prototyping tool is exfiltrating your AWS keys in under 20 hours flat

Langflow — the visual builder for LLM agent chains used by AI engineers and MLOps teams — had its second unauthenticated RCE in two years pushed through the same exec() call. The vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow (note the _public_ — no auth by design), which routes attacker-supplied Python into exec() at src/lfx/src/lfx/custom/validate.py:397 with zero sandboxing. Sysdig honeypots logged the first probe 20 hours after disclosure on 2026-03-17, the first successful credential exfil within 25 hours, and active exploitation has continued through May 2026. The payload is purpose-built for AI infrastructure: dumps os.environ for AWS_*, OPENAI_*, ANTHROPIC_*, HF_TOKEN, PINECONE_*, SUPABASE_*, GITHUB_TOKEN; drops a 9.4MB Go binary (worker-linux-amd64) using utls for TLS fingerprint spoofing + embedded gitleaks for secret scanning; persists as keyhunter-worker.service; joins a NATS-based C2 botnet at 45.192.109.25:14222 subscribing to task.scan_cde, task.scan_web, task.validate_aws, task.validate_ai. Affected ≤ 1.8.1, patched in 1.9.0. NATS-as-C2 is the new technique infostealer botnets are converging on (sysdig writeup). Why AI/ML tooling is the new Jenkins: broad IAM, default-internet-exposed, :latest tags, high-value secrets in env, no auth gate. Full IOCs, the air-gap-first remediation order (the worker can detect revocation CLI invocations), and the IAM/key-rotation list to clean up after compromise.

cve-2026-33017, langflow, ai security
AI-generated web apps
high
2026-05-10 · 13 min

we read 15 vibe-coded apps so you don't have to: 69 vulnerabilities, 5 patterns, one playbook

Tenzai's January 2026 study audited 15 web apps generated by AI tools (Cursor, Claude Code, Replit's agent mode, Devin, OpenAI Codex). Result: 69 distinct vulnerabilities. 0 of 15 had CSRF. 0 had basic security headers. 100% had SSRF. 24.7% of all AI-generated code shipped with a flaw. We replicated the methodology on 8 client codebases and found the same patterns. Five recurring vulns walked through with code: SSRF against AWS IMDS (the canonical exploit), hardcoded service-role keys in NEXT_PUBLIC_ client bundles, missing Supabase RLS policies (tested with one pg_tables query), wide-open CORS reflecting any origin with credentials, and Clerk unsafe_metadata trusted as auth (the privilege-escalation one-liner: window.Clerk.user.update). Why the AI does this (RLHF rewards 'the app works' not 'the app is secure'). The 5-step pre-flight you can run in under 10 minutes before shipping. Plus a downloadable PDF checklist for the email list.

vibe coding, ai code security, cursor

Privacy 49

Surveillance, data brokers, opsec, and consumer-facing threat models.

Consumer Privacy 2

Voice cloning / deepfake
high
2026-05-10 · 11 min

the $2.3 billion phone call: voice-clone scams are hitting elderly americans at industrial scale in 2026

In 2026 Americans over 65 lost $2.3 billion to phone scams where the voice on the other end was their own grandchild, son, or daughter. It wasn't. It was a voice cloned from three seconds of audio, available from any TikTok, YouTube clip, or voicemail greeting. The FBI logged the number. Average loss per victim: $12,500. Success rate jumped from 12% in 2024 to 34% in 2026. Senator Hassan opened an investigation into ElevenLabs on April 16, 2026. This post: how the scam actually works (the 'grandson in jail' script, the 'lawyer wants bond wired' setup, the 90-minute time pressure that prevents callbacks), the technology layer ($5/month subscription to clone any voice from 3 seconds of audio), the criminal supply chain (industrial pig-butchering compounds in Burma and Cambodia, Telegram script markets), the 5 things every family should agree on TODAY (code word, never-wire-on-voice, the lawyer-call-is-fake rule, brief parents AND kids, test the code word), the IR runbook if it happens (hang up, call back on known number, IC3.gov, freeze accounts), and the CFO version of the same scam (deepfake CEO calls finance team). Designed to be shared.

voice clone, deepfake, elevenlabs