Threat intelligence, best practices, compliance guidance, and analysis from the CrowdSOC team. Written for security-conscious leaders, not just security professionals.
Januscape (CVE-2026-53359) is a 16-year-old use-after-free in the Linux kernel's KVM shadow MMU that lets a guest virtual machine crash or, in the worst case, take over the host it runs on. It is the first guest-to-host KVM escape shown to work on both Intel and AMD hardware, and it was already used as a zero-day in Google's kvmCTF program before disclosure.
read article
CVE-2026-20230 is an unauthenticated SSRF vulnerability in Cisco Unified Communications Manager's WebDialer service that attackers are now chaining into arbitrary file writes and root-level webshells. Active exploitation was confirmed in June 2026, and the flaw has since been added to CISA's Known Exploited Vulnerabilities catalog. Patch now, or disable WebDialer if you cannot.
CVE-2026-20245 is a root-level command injection flaw in Cisco Catalyst SD-WAN Manager, Controller, and Validator. Mandiant has confirmed it was exploited as a zero-day for months before Cisco disclosed it, as part of an attack chain that also leveraged two earlier, maximum-severity SD-WAN authentication bypass flaws. Patch now; no workaround exists.
DirtyClone (CVE-2026-43503) is the fourth Linux kernel privilege escalation in a family that began with Copy Fail in April. It lets any local user gain root by manipulating cloned network packets, with no trace left on disk or in the logs. A patch has existed since May 24; a public proof of concept arrived June 25.
CVE-2026-55200 is a critical integer overflow in libssh2 that allows a remote attacker to corrupt heap memory and execute arbitrary code, with no authentication required. A public proof-of-concept is available and CISA has updated its assessment to reflect PoC-stage exploitation. A patch exists as a committed fix but no official release has been tagged yet; check your distribution's package repository for backported updates now.
PixelSmash (CVE-2026-8461) is a heap out-of-bounds write in FFmpeg's MagicYUV decoder. A 50 KB video file is enough to crash any application that links FFmpeg, and researchers demonstrated full remote code execution against Jellyfin and Nextcloud. Patch to the latest FFmpeg now.
AryStinger is a newly discovered botnet that has quietly compromised more than 4,300 end-of-life routers by exploiting decade-old vulnerabilities. With no patches available for these devices, the only reliable fix is replacement. If you have legacy networking equipment still connected to the internet, this campaign is a direct illustration of the risk it poses.
F5 issued an out-of-band advisory on June 17, 2026 for two critical NGINX vulnerabilities, CVE-2026-42530 and CVE-2026-42055. Neither has been confirmed exploited in the wild yet, but NGINX Rift went from advisory to active exploitation in days last month. Patch now, or apply the interim mitigations immediately.
FortiBleed is a large-scale, financially motivated campaign that has targeted more than 430,000 FortiGate firewalls since February 2026, using a custom sniffer to harvest over 110 million credentials. CISA has issued a hardening advisory; here's what happened and what to do about it.
usbliter8 is a hardware flaw in the USB controller built into Apple's A12 and A13 chips. Because the bug lives in silicon, not software, it cannot be patched, and a public proof-of-concept exploit is already available. Here is what it means, who is affected, and what you can actually do about it.
CVE-2026-48907 is a maximum-severity, unauthenticated remote code execution flaw in the JCE (Joomla Content Editor) extension, one of the most widely installed editors in the Joomla ecosystem. Active exploitation is confirmed, CISA has added it to its KEV catalog, and even the official Joomla project sites were taken offline by it. Patch to the most current JCE now.
Three critical FortiSandbox vulnerabilities (CVE-2026-39808, CVE-2026-39813, CVE-2026-25089) are under active exploitation. All three allow unauthenticated attackers to run commands or bypass authentication, and FortiSandbox is the system other Fortinet products trust to decide what's safe. Patch now.
CVE-2026-5027 is a high-severity path traversal flaw in the Langflow AI development platform that allows unauthenticated attackers to write files anywhere on an exposed server, with remote code execution already confirmed in the wild. Upgrade to version 1.10.0 immediately.
RoguePlanet (CVE-2026-50656) is an unpatched race condition in Microsoft Defender that grants SYSTEM-level access on fully patched Windows 10 and 11 machines. Released by researcher Nightmare Eclipse hours after June 2026 Patch Tuesday, it is the seventh zero-day in an ongoing feud with Microsoft. No patch is available yet; here's what to do in the meantime.
CVE-2026-33829 is a patched NTLM credential leakage flaw in the Windows Snipping Tool's URI handler that can expose a user's NTLMv2 hash to an attacker with a single link click. A related primitive in Windows Search remains unpatched. Both are mitigated by blocking outbound SMB.
HTTP/2 Bomb (CVE-2026-49975) is a remote denial-of-service exploit that can crash major web servers - including NGINX, Apache, IIS, Envoy, and Cloudflare Pingora - in under a minute using a single home internet connection. Patches are available for NGINX and Apache. IIS and Envoy users should disable HTTP/2 or place a hard-limiting proxy in front while awaiting vendor fixes.
CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon with a CVSS score of 9.8. No authentication is required to exploit it, active exploitation of domain controllers has been confirmed in the wild, and there is no mitigation short of patching. Apply the May 2026 Patch Tuesday update now.
CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect that allows unauthenticated attackers to establish unauthorized VPN connections by forging authentication override cookies. Active exploitation was confirmed from May 17, with a second wave on May 21. CISA added it to KEV on May 29. Patch immediately, or disable authentication override cookies.
DirtyDecrypt (CVE-2026-31635) is a page-cache write primitive in the Linux kernel's rxgk subsystem affecting distros with CONFIG_RXGK enabled. Published alongside ssh-keysign-pwn (CVE-2026-46333), the pair add to a remarkable month for Linux kernel privilege escalation disclosures.
NGINX Rift (CVE-2026-42945) is an 18-year-old heap buffer overflow in the NGINX rewrite module with a CVSS score of 9.2. A public PoC is available and active exploitation was confirmed within three days of disclosure. Patch now, or reconfigure affected rewrite directives immediately.
A public proof-of-concept for BitUnlocker, a downgrade attack rooted in CVE-2025-48804, can defeat BitLocker on fully patched Windows 11 machines in under five minutes — because the patch alone was never enough.
Three Linux kernel local privilege escalation vulnerabilities in three weeks! Fragnesia (CVE-2026-46300) is a separate bug from Dirty Frag, but it shares the same mitigation, so if you already applied it then you are already covered until patches arrive.
A working proof-of-concept for a BitLocker bypass, called YellowKey, affecting Windows 11 and Windows Server 2022/2025 was published publicly this week with no patch available.
A second major Linux privilege escalation vulnerability was disclosed this week, days after Copy Fail, with a working public exploit already circulating. Here's what Dirty Frag means for your organization, in plain terms.
A critical memory corruption flaw in Apache HTTP Server's HTTP/2 implementation allows remote attackers to crash or fully compromise any server running version 2.4.66.
A newly disclosed Linux vulnerability lets any local user become root in under a second — no hacking experience required. Here's what that means for your organization, in plain terms.
Introducing the updated CrowdSOC blog — where we share threat intelligence insights, security operations best practices, and platform updates for the organizations we protect.
Ransomware groups have refined their targeting strategy. Smaller organizations with thinner security coverage and higher urgency to restore operations are increasingly in scope. Here is what the data shows and what you can do about it.
The updated Cybersecurity Framework brings new governance functions and an expanded scope. We break down the practical implications for county and municipal IT teams who need to do more with less.
Comprehensive security feels overwhelming when you're short on budget and staff. The data is clear that focused foundational controls provide outsized protection. Start here.
The decisions made in the first few hours of an incident have an outsized impact on outcome. A practical, step-by-step guide for non-security teams facing a possible breach.
Understanding the business model behind modern ransomware groups helps organizations understand how they think about targeting — and how to make themselves a less attractive target.
Free tools, federal programs, and prioritization strategies for county and local government IT teams working to improve security posture without meaningful budget increases.
Insurance questionnaires are becoming de facto security frameworks for small businesses. Understanding what's really being asked — and what a policy will and won't cover — matters.