from the field

insights & updates

Threat intelligence, best practices, compliance guidance, and analysis from the CrowdSOC team. Written for security-conscious leaders, not just security professionals.

threat intelligence

Januscape (CVE-2026-53359): A 16-Year-Old KVM Flaw Lets a Guest VM Reach the Host

Januscape (CVE-2026-53359) is a 16-year-old use-after-free in the Linux kernel's KVM shadow MMU that lets a guest virtual machine crash or, in the worst case, take over the host it runs on. It is the first guest-to-host KVM escape shown to work on both Intel and AMD hardware, and it was already used as a zero-day in Google's kvmCTF program before disclosure.

July 7, 2026 10 min read
read article
Januscape (CVE-2026-53359): A 16-Year-Old KVM Flaw Lets a Guest VM Reach the Host
all threat intelligence best practices compliance incident response security operations industry news crowdsoc news tutorials
Cisco Unified CM WebDialer Flaw (CVE-2026-20230): From SSRF to Root Webshell
threat intelligence
Cisco Unified CM WebDialer Flaw (CVE-2026-20230): From SSRF to Root Webshell

CVE-2026-20230 is an unauthenticated SSRF vulnerability in Cisco Unified Communications Manager's WebDialer service that attackers are now chaining into arbitrary file writes and root-level webshells. Active exploitation was confirmed in June 2026, and the flaw has since been added to CISA's Known Exploited Vulnerabilities catalog. Patch now, or disable WebDialer if you cannot.

July 1, 2026 9 min read
Cisco SD-WAN Root Escalation (CVE-2026-20245): A Zero-Day Exploited Months Before Anyone Knew It Existed
threat intelligence
Cisco SD-WAN Root Escalation (CVE-2026-20245): A Zero-Day Exploited Months Before Anyone Knew It Existed

CVE-2026-20245 is a root-level command injection flaw in Cisco Catalyst SD-WAN Manager, Controller, and Validator. Mandiant has confirmed it was exploited as a zero-day for months before Cisco disclosed it, as part of an attack chain that also leveraged two earlier, maximum-severity SD-WAN authentication bypass flaws. Patch now; no workaround exists.

July 1, 2026 9 min read
DirtyClone (CVE-2026-43503): The Fourth Linux Root Exploit in a Family That Won't Stop Growing
threat intelligence
DirtyClone (CVE-2026-43503): The Fourth Linux Root Exploit in a Family That Won't Stop Growing

DirtyClone (CVE-2026-43503) is the fourth Linux kernel privilege escalation in a family that began with Copy Fail in April. It lets any local user gain root by manipulating cloned network packets, with no trace left on disk or in the logs. A patch has existed since May 24; a public proof of concept arrived June 25.

July 1, 2026 8 min read
CVE-2026-55200: Remote Code Execution in libssh2, the SSH Library Hidden Inside Your Stack
threat intelligence
CVE-2026-55200: Remote Code Execution in libssh2, the SSH Library Hidden Inside Your Stack

CVE-2026-55200 is a critical integer overflow in libssh2 that allows a remote attacker to corrupt heap memory and execute arbitrary code, with no authentication required. A public proof-of-concept is available and CISA has updated its assessment to reflect PoC-stage exploitation. A patch exists as a committed fix but no official release has been tagged yet; check your distribution's package repository for backported updates now.

June 30, 2026 10 min read
FFmpeg PixelSmash (CVE-2026-8461): When a Video File Becomes a Weapon
threat intelligence
FFmpeg PixelSmash (CVE-2026-8461): When a Video File Becomes a Weapon

PixelSmash (CVE-2026-8461) is a heap out-of-bounds write in FFmpeg's MagicYUV decoder. A 50 KB video file is enough to crash any application that links FFmpeg, and researchers demonstrated full remote code execution against Jellyfin and Nextcloud. Patch to the latest FFmpeg now.

June 25, 2026 10 min read
AryStinger: The Botnet Built on Forgotten Hardware
threat intelligence
AryStinger: The Botnet Built on Forgotten Hardware

AryStinger is a newly discovered botnet that has quietly compromised more than 4,300 end-of-life routers by exploiting decade-old vulnerabilities. With no patches available for these devices, the only reliable fix is replacement. If you have legacy networking equipment still connected to the internet, this campaign is a direct illustration of the risk it poses.

June 24, 2026 8 min read
Two More Critical NGINX Vulnerabilities: CVE-2026-42530 and CVE-2026-42055
threat intelligence
Two More Critical NGINX Vulnerabilities: CVE-2026-42530 and CVE-2026-42055

F5 issued an out-of-band advisory on June 17, 2026 for two critical NGINX vulnerabilities, CVE-2026-42530 and CVE-2026-42055. Neither has been confirmed exploited in the wild yet, but NGINX Rift went from advisory to active exploitation in days last month. Patch now, or apply the interim mitigations immediately.

June 24, 2026 10 min read
FortiBleed: Inside the Campaign That Turned 430,000 Fortinet Firewalls Into Credential Harvesters
threat intelligence
FortiBleed: Inside the Campaign That Turned 430,000 Fortinet Firewalls Into Credential Harvesters

FortiBleed is a large-scale, financially motivated campaign that has targeted more than 430,000 FortiGate firewalls since February 2026, using a custom sniffer to harvest over 110 million credentials. CISA has issued a hardening advisory; here's what happened and what to do about it.

June 24, 2026 10 min read
usbliter8: An Unpatchable Hardware Flaw in Apple's A12 and A13 Chips
threat intelligence
usbliter8: An Unpatchable Hardware Flaw in Apple's A12 and A13 Chips

usbliter8 is a hardware flaw in the USB controller built into Apple's A12 and A13 chips. Because the bug lives in silicon, not software, it cannot be patched, and a public proof-of-concept exploit is already available. Here is what it means, who is affected, and what you can actually do about it.

June 20, 2026 9 min read
CVE-2026-48907: Unauthenticated RCE in Joomla's Most Popular Editor Extension
threat intelligence
CVE-2026-48907: Unauthenticated RCE in Joomla's Most Popular Editor Extension

CVE-2026-48907 is a maximum-severity, unauthenticated remote code execution flaw in the JCE (Joomla Content Editor) extension, one of the most widely installed editors in the Joomla ecosystem. Active exploitation is confirmed, CISA has added it to its KEV catalog, and even the official Joomla project sites were taken offline by it. Patch to the most current JCE now.

June 19, 2026 10 min read
Fortinet FortiSandbox: Three Critical Vulnerabilities Under Active Attack (CVE-2026-39808, CVE-2026-39813, CVE-2026-25089)
threat intelligence
Fortinet FortiSandbox: Three Critical Vulnerabilities Under Active Attack (CVE-2026-39808, CVE-2026-39813, CVE-2026-25089)

Three critical FortiSandbox vulnerabilities (CVE-2026-39808, CVE-2026-39813, CVE-2026-25089) are under active exploitation. All three allow unauthenticated attackers to run commands or bypass authentication, and FortiSandbox is the system other Fortinet products trust to decide what's safe. Patch now.

June 19, 2026 8 min read
CVE-2026-5027: Path Traversal in Langflow Enables Unauthenticated File Write and Remote Code Execution
threat intelligence
CVE-2026-5027: Path Traversal in Langflow Enables Unauthenticated File Write and Remote Code Execution

CVE-2026-5027 is a high-severity path traversal flaw in the Langflow AI development platform that allows unauthenticated attackers to write files anywhere on an exposed server, with remote code execution already confirmed in the wild. Upgrade to version 1.10.0 immediately.

June 18, 2026 9 min read
RoguePlanet (CVE-2026-50656): A Microsoft Defender Zero-Day With No Patch Yet
threat intelligence
RoguePlanet (CVE-2026-50656): A Microsoft Defender Zero-Day With No Patch Yet

RoguePlanet (CVE-2026-50656) is an unpatched race condition in Microsoft Defender that grants SYSTEM-level access on fully patched Windows 10 and 11 machines. Released by researcher Nightmare Eclipse hours after June 2026 Patch Tuesday, it is the seventh zero-day in an ongoing feud with Microsoft. No patch is available yet; here's what to do in the meantime.

June 18, 2026 10 min read
CVE-2026-33829: The Windows Snipping Tool's Hidden Credential Leak — and the Unpatched Sibling Microsoft Won't Fix
threat intelligence
CVE-2026-33829: The Windows Snipping Tool's Hidden Credential Leak — and the Unpatched Sibling Microsoft Won't Fix

CVE-2026-33829 is a patched NTLM credential leakage flaw in the Windows Snipping Tool's URI handler that can expose a user's NTLMv2 hash to an attacker with a single link click. A related primitive in Windows Search remains unpatched. Both are mitigated by blocking outbound SMB.

June 9, 2026 10 min read
HTTP/2 Bomb (CVE-2026-49975): One Connection, 32 GB Gone in Seconds
threat intelligence
HTTP/2 Bomb (CVE-2026-49975): One Connection, 32 GB Gone in Seconds

HTTP/2 Bomb (CVE-2026-49975) is a remote denial-of-service exploit that can crash major web servers - including NGINX, Apache, IIS, Envoy, and Cloudflare Pingora - in under a minute using a single home internet connection. Patches are available for NGINX and Apache. IIS and Envoy users should disable HTTP/2 or place a hard-limiting proxy in front while awaiting vendor fixes.

June 9, 2026 10 min read
CVE-2026-41089: The Zero-Click Netlogon RCE That Hands Attackers the Keys to Your Domain
threat intelligence
CVE-2026-41089: The Zero-Click Netlogon RCE That Hands Attackers the Keys to Your Domain

CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon with a CVSS score of 9.8. No authentication is required to exploit it, active exploitation of domain controllers has been confirmed in the wild, and there is no mitigation short of patching. Apply the May 2026 Patch Tuesday update now.

June 8, 2026 8 min read
CVE-2026-0257: GlobalProtect Authentication Bypass Puts VPN Access at Risk
threat intelligence
CVE-2026-0257: GlobalProtect Authentication Bypass Puts VPN Access at Risk

CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect that allows unauthenticated attackers to establish unauthorized VPN connections by forging authentication override cookies. Active exploitation was confirmed from May 17, with a second wave on May 21. CISA added it to KEV on May 29. Patch immediately, or disable authentication override cookies.

May 30, 2026 8 min read
DirtyDecrypt (CVE-2026-31635) and ssh-keysign-pwn (CVE-2026-46333): Sorting Out May's Linux LPE Pair
threat intelligence
DirtyDecrypt (CVE-2026-31635) and ssh-keysign-pwn (CVE-2026-46333): Sorting Out May's Linux LPE Pair

DirtyDecrypt (CVE-2026-31635) is a page-cache write primitive in the Linux kernel's rxgk subsystem affecting distros with CONFIG_RXGK enabled. Published alongside ssh-keysign-pwn (CVE-2026-46333), the pair add to a remarkable month for Linux kernel privilege escalation disclosures.

May 22, 2026 9 min read
NGINX Rift (CVE-2026-42945): An 18-Year-Old Flaw in the World's Most Deployed Web Server
threat intelligence
NGINX Rift (CVE-2026-42945): An 18-Year-Old Flaw in the World's Most Deployed Web Server

NGINX Rift (CVE-2026-42945) is an 18-year-old heap buffer overflow in the NGINX rewrite module with a CVSS score of 9.2. A public PoC is available and active exploitation was confirmed within three days of disclosure. Patch now, or reconfigure affected rewrite directives immediately.

May 19, 2026 9 min read
BitUnlocker (CVE-2025-48804): The BitLocker Patch That Wasn't Enough
threat intelligence
BitUnlocker (CVE-2025-48804): The BitLocker Patch That Wasn't Enough

A public proof-of-concept for BitUnlocker, a downgrade attack rooted in CVE-2025-48804, can defeat BitLocker on fully patched Windows 11 machines in under five minutes — because the patch alone was never enough.

May 17, 2026 9 min read
Fragnesia (CVE-2026-46300): Linux LPE the Third (in Three Weeks)
threat intelligence
Fragnesia (CVE-2026-46300): Linux LPE the Third (in Three Weeks)

Three Linux kernel local privilege escalation vulnerabilities in three weeks! Fragnesia (CVE-2026-46300) is a separate bug from Dirty Frag, but it shares the same mitigation, so if you already applied it then you are already covered until patches arrive.

May 17, 2026 8 min read
YellowKey: BitLocker Bypass Zero-Day with Public Exploit and No Patch
threat intelligence
YellowKey: BitLocker Bypass Zero-Day with Public Exploit and No Patch

A working proof-of-concept for a BitLocker bypass, called YellowKey, affecting Windows 11 and Windows Server 2022/2025 was published publicly this week with no patch available.

May 17, 2026 8 min read
Dirty Frag (CVE-2026-43284): Local Privilege Escalation...Again
threat intelligence
Dirty Frag (CVE-2026-43284): Local Privilege Escalation...Again

A second major Linux privilege escalation vulnerability was disclosed this week, days after Copy Fail, with a working public exploit already circulating. Here's what Dirty Frag means for your organization, in plain terms.

May 10, 2026 9 min read
Apache Double-Free (CVE-2026-23918): Why the possibilities are dangerous
security operations
Apache Double-Free (CVE-2026-23918): Why the possibilities are dangerous

A critical memory corruption flaw in Apache HTTP Server's HTTP/2 implementation allows remote attackers to crash or fully compromise any server running version 2.4.66.

May 5, 2026 11 min read
Copy Fail (CVE-2026-31431): What It Is, Who It Affects, and What To Do Right Now
threat intelligence
Copy Fail (CVE-2026-31431): What It Is, Who It Affects, and What To Do Right Now

A newly disclosed Linux vulnerability lets any local user become root in under a second — no hacking experience required. Here's what that means for your organization, in plain terms.

May 3, 2026 8 min read
crowdsoc news
Welcome to the NEW CrowdSOC Blog

Introducing the updated CrowdSOC blog — where we share threat intelligence insights, security operations best practices, and platform updates for the organizations we protect.

May 3, 2026 1 min read
threat intelligence
why small business is the new frontline in ransomware campaigns

Ransomware groups have refined their targeting strategy. Smaller organizations with thinner security coverage and higher urgency to restore operations are increasingly in scope. Here is what the data shows and what you can do about it.

January 15, 2025 8 min read
policy & compliance
NIST CSF 2.0 — what changed and what it means for local government

The updated Cybersecurity Framework brings new governance functions and an expanded scope. We break down the practical implications for county and municipal IT teams who need to do more with less.

December 10, 2024 6 min read
best practices
the five security controls that protect against 85% of attacks

Comprehensive security feels overwhelming when you're short on budget and staff. The data is clear that focused foundational controls provide outsized protection. Start here.

November 12, 2024 5 min read
incident response
the first 24 hours: what to do when you think you've been breached

The decisions made in the first few hours of an incident have an outsized impact on outcome. A practical, step-by-step guide for non-security teams facing a possible breach.

October 8, 2024 7 min read
threat intelligence
the ransomware-as-a-service economy — how attackers have industrialized

Understanding the business model behind modern ransomware groups helps organizations understand how they think about targeting — and how to make themselves a less attractive target.

September 17, 2024 9 min read
best practices
cybersecurity on a public sector budget — a practical guide

Free tools, federal programs, and prioritization strategies for county and local government IT teams working to improve security posture without meaningful budget increases.

August 20, 2024 8 min read
compliance
what cybersecurity insurance actually requires — and what it doesn't tell you

Insurance questionnaires are becoming de facto security frameworks for small businesses. Understanding what's really being asked — and what a policy will and won't cover — matters.

July 9, 2024 6 min read