Attacks & Vulnerabilities
|
Canvas Breach Disrupts Schools & Colleges Nationwide (3 minute read)
ShinyHunters defaced Canvas login pages with a ransom note threatening to leak data tied to 275 million users at nearly 9,000 institutions, forcing Instructure to pull Canvas offline during finals while calling it "scheduled maintenance." Stolen data includes names, emails, IDs, and messages.
|
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now (2 minute read)
cPanel shipped fixes for three flaws in cPanel and WHM that allow arbitrary file read, Perl code execution via the create_user API, and unsafe chmod via symlinks (CVE-2026-29201/2/3, two rated 8.8). Patches land across multiple 11.x branches plus WP Squared, with a direct 110.0.114 build for CentOS 6 and CloudLinux 6 holdouts. No in-the-wild abuse yet, but this comes right after a separate cPanel zero-day (CVE-2026-41940) that was used to drop Mirai variants and the Sorry ransomware.
|
A DoD Contractor's API Flaw Exposed Military Course Data and Service Member Records (3 minute read)
Schemata, an AI-powered virtual training platform for military and defense settings, exposed sensitive DoD data due to missing authorization checks in its API. The exposed data includes user listings, organization records, course information, training metadata, and direct links to documents from Schemata's AWS environment. The researchers were able to use a low-privileged account to request high-value data belonging to other customers via the API.
|
|
Getting LLMs Drunk to Find Remote Linux Kernel OOB Writes (and More) (16 minute read)
The researcher uses a homegrown swarm of LLM-powered agents to hunt for real-world bugs in core infrastructure such as the Linux kernel's ksmbd server, Docker, OpenSSL, CUPS, HAProxy, Caddy, Traefik, CoreDNS, and more. The system starts with documentation and source code, generates vulnerability hypotheses, and iterates on proofs of concept in isolated VMs, with a separate grader model checking severity and novelty before human review. Over a few months, this setup found 20+ assigned CVEs, including remote unauthenticated OOB writes in ksmbd and practical auth and access‑control bypasses in widely deployed network services.
|
You Don't Need a 0-Day for RCE: A Real-World Kill Chain (5 minute read)
A pentester walked through a real-world kill chain against a Cloudflare-protected ASP.NET portal, using OSINT (historical SSL certificates via Censys, favicon hashes, and Google Analytics IDs) to unmask the Origin IP, then routed traffic directly via curl --resolve and Burp host overrides to bypass the WAF entirely. Once on the naked IIS backend, an authenticated avatar upload endpoint accepted a .aspx web shell disguised with Content-Type: image/png, yielding RCE as iis apppool\webapp_worker because validation lived only at the WAF perimeter. Defenders should enforce Authenticated Origin Pulls (mTLS between the WAF and the backend), restrict origin firewall ingress to published WAF IP ranges, and validate uploads on the backend via extension allowlists and magic-byte checks rather than relying on Content-Type or perimeter blocks.
|
AI-Powered Honeypots: Turning the Tables on Malicious Agents (4 minute read)
Honeypots are a technique used by defenders to create systems that impersonate vulnerable targets to observe threat actors' tactics. Defenders can leverage generative AI to quickly produce convincing honeypots for AI-driven attacks. The author employs a handler that requires a threat actor to exploit a vulnerability, then directs the attacker's request to a ChatGPT prompt that informs the AI about the system it is supposed to masquerade as.
|
|
Introducing deepsec: The security harness for finding vulnerabilities in your codebase (3 minute read)
Vercel open-sourced deepsec, a coding-agent-driven security harness that runs locally (or fans out to 1,000+ Vercel Sandboxes for parallelism) and chains scan → investigate → revalidate → enrich → export to surface vulnerabilities in large codebases, using Claude Opus 4.7 at max effort and GPT-5.5 at xhigh reasoning via existing Claude or Codex subscriptions. The workflow starts with regex-based static analysis to flag security-sensitive files, then agents trace data flows and check mitigations, with a second-pass revalidate step to cull false positives (Vercel reports a 10–20% FP rate) and a plugin system for custom regex matchers tuned to a team's auth model or data layer. Best suited for applications and services rather than libraries.
|
|
Mozilla says 271 vulnerabilities found by Mythos have "almost no false positives" (3 minute read)
Mozilla used Anthropic's Mythos AI model to find 271 Firefox security flaws in two months. The breakthrough came from a custom harness that wraps the LLM, gives it access to Firefox's build tools, and runs it in a loop with clear success signals. When analyzing code for memory safety issues, Mythos crafts test cases against Firefox's sanitizer build. If it crashes, a second LLM verifies the finding. Of the 271 bugs, 180 were sec-high (exploitable through normal browsing), 80 sec-moderate, and 11 sec-low.
|
Meta U-turns on encryption push for Instagram as DMs go plaintext (2 minute read)
Meta removed the option for end-to-end encrypted Instagram DMs after low opt-in, steering users to WhatsApp instead. Child protection groups had opposed wider encryption, while privacy groups and Proton warn users now face greater exposure and unclear handling of past encrypted chats. Meta already uses private AI interactions for ad targeting, and has not ruled out similar use of Instagram messages.
|
Security in a Post-Mythos World (6 minute read)
Powerful tools such as Anthropic's Mythos will allow security researchers to scale up their operations to uncover new vulnerabilities while working in tandem with AI. However, vulnerability management was never about finding bugs but about fixing them, and current AI tooling lags in this regard. Threat modeling is an area where AI tooling excels, and security teams should leverage it.
|
|
|
Love TLDR? Tell your friends and get rewards!
|
|
Share your referral link below with friends to get free TLDR swag!
|
|
|
|
|
Track your referrals here.
|
|
|
|
