infrastructure security for people who build things
Tracking vulnerabilities, supply chain attacks, and threat intelligence that matters to engineers running real infrastructure.
CVE-2026-32211: Azure MCP Server Ships with No Auth — Your DevOps Secrets Are One Request Away
Critical CVSS 9.1 flaw in Azure MCP Server has zero authentication on critical functions, exposing API keys, tokens, repos, and pipeline configs to unauthenticated attackers. No patch available.
Ubiquiti UniFi Network Application Hit With CVSS 10 Path Traversal — Unauthenticated Account Takeover Possible
CVE-2026-22557 is a maximum-severity path traversal in Ubiquiti UniFi Network Application that enables unauthenticated full account takeover. Chain it with CVE-2026-22558 for admin escalation. Patch to 10.1.89 immediately.
Device Code Phishing Attacks Surge 37x as EvilTokens PhaaS Fuels OAuth Abuse Against Microsoft 365
Device code phishing attacks exploiting the OAuth 2.0 Device Authorization Grant have surged 37x in 2026, driven by turnkey PhaaS kits like EvilTokens that bypass MFA and compromise enterprise M365 tenants.
CVE-2026-4681: CVSS 10.0 Deserialization RCE in PTC Windchill Has German Police Knocking on Doors
A maximum-severity deserialization flaw in PTC Windchill and FlexPLM (CVE-2026-4681, CVSS 10.0) prompted German federal police to physically visit companies and wake up sysadmins. No patch yet. Here's what you need to know.
36 Malicious npm Packages Disguised as Strapi Plugins Deploy Redis Exploits, PostgreSQL Credential Harvesting, and Persistent Implants
A coordinated campaign planted 36 fake Strapi CMS plugins on npm that exploit Redis and PostgreSQL instances, harvest credentials, and install persistent C2 implants targeting production infrastructure.
Severity Drift: Why Your Vulnerability Triage Process Is Working With Bad Data
From silent reclassifications to incomplete patches to NVD enrichment backlogs, the severity data your vuln management program depends on is wrong more often than you think. Here's the proof — and what to do about it.
CVE-2026-33032: Nginx UI MCP Endpoint Lets Anyone Hijack Your Web Server — No Auth Required
Critical CVSS 9.8 flaw in Nginx UI exposes an unauthenticated MCP endpoint. Public PoC available, no patch yet. Disable or firewall Nginx UI immediately.
$285M Gone in 12 Minutes: DPRK-Linked Attackers Weaponize Solana Durable Nonces to Gut Drift Protocol
North Korean threat actors drained $285M from Solana's largest perpetual futures exchange by weaponizing durable nonces, fabricating a fake token, and socially engineering governance multisig signers.
Ransomware Hits Minot Water Treatment Plant SCADA System, FBI Investigating
Ransomware compromised the SCADA server at Minot, North Dakota's water treatment plant, forcing 16 hours of manual operations. FBI released a statement today confirming active investigation.
FortiClient EMS Zero-Day Under Active Exploitation — Emergency Hotfixes Released (CVE-2026-35616)
Critical API authentication bypass in FortiClient EMS 7.4.5–7.4.6 is being exploited in the wild. CVSS 9.1. Hotfixes available now.
Ni8mare: CVSS 10.0 Unauthenticated RCE in n8n Workflow Automation (CVE-2026-21858)
A CVSS 10.0 content-type confusion bug in n8n's webhook handler lets unauthenticated attackers read arbitrary files, steal credentials, forge admin sessions, and achieve full RCE. Patch to 1.121.0 immediately.
Progress ShareFile Pre-Auth RCE Chain: CVE-2026-2699 and CVE-2026-2701 Give Attackers Full Server Takeover
Two critical Progress ShareFile flaws chain into a pre-authentication RCE, with ~30,000 Storage Zone Controllers exposed and a public PoC now available.
European Commission Confirms Cloud Breach — Trivy Supply Chain Attack Cascades Into 30+ EU Entities
The European Commission confirms a data breach affecting 30+ EU entities after the compromised Trivy scanner leaked AWS API keys to TeamPCP. ShinyHunters published 92 GB of stolen data.
CVE-2026-33186: gRPC-Go Auth Bypass Lets Attackers Skip Deny Rules With a Missing Slash
A critical CVSS 9.1 flaw in gRPC-Go lets unauthenticated attackers bypass path-based authorization by omitting the leading slash from HTTP/2 :path headers.
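The bypass shape above (a deny rule keyed on the path prefix that never fires when the client omits the leading slash) is easy to reproduce with any hand-rolled HTTP/2 authorizer. The following is an added illustration in Go, not gRPC-Go's own code or its fix; the service names and the deny list are made up for the example. It contrasts a naive prefix matcher with one that refuses any :path that is not a well-formed absolute gRPC method path before consulting policy, so a missing or doubled slash becomes a rejected request instead of an implicit allow.

```go
package main

import (
	"fmt"
	"strings"
)

// deniedServices is a constructed deny list: any call to a method of these
// gRPC services must be refused. The names are hypothetical.
var deniedServices = []string{"admin.Service", "internal.Debug"}

// deniedNaive matches the raw :path header against "/<service>/" prefixes
// without first checking that the path is absolute. HTTP/2 lets a client put
// arbitrary bytes in :path, so "admin.Service/Reset" (no leading slash) or
// "//admin.Service/Reset" matches no prefix and falls through as allowed.
// This models the bypass class; it is an illustration, not gRPC-Go's code.
func deniedNaive(path string) bool {
	for _, svc := range deniedServices {
		if strings.HasPrefix(path, "/"+svc+"/") {
			return true
		}
	}
	return false
}

// splitMethod parses a gRPC :path of the exact form /Service/Method and
// refuses anything else: missing leading slash, empty segments, extra
// segments. RFC 9113 requires :path to be an absolute path (or "*" for
// OPTIONS), and gRPC method paths are always "/Service/Method".
func splitMethod(path string) (service, method string, ok bool) {
	if !strings.HasPrefix(path, "/") {
		return "", "", false
	}
	parts := strings.Split(path[1:], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// authorize is the hardened check: canonicalize first, decide second.
// A malformed :path is rejected outright rather than evaluated against the
// deny list, and policy is matched on the parsed service name, not on a
// substring of the raw header.
func authorize(path string) (allowed bool, reason string) {
	service, _, ok := splitMethod(path)
	if !ok {
		return false, "malformed :path: expected /Service/Method"
	}
	for _, svc := range deniedServices {
		if service == svc {
			return false, "denied by policy: " + svc
		}
	}
	return true, "ok"
}

func main() {
	// Constructed sample :path values, including the two bypass variants.
	for _, p := range []string{
		"/admin.Service/Reset",
		"admin.Service/Reset",
		"//admin.Service/Reset",
		"/public.Service/Get",
	} {
		allowed, reason := authorize(p)
		fmt.Printf("%-24s naiveDenied=%-5v hardenedAllowed=%-5v (%s)\n",
			p, deniedNaive(p), allowed, reason)
	}
}
```

Run it and the second and third paths show the gap: the naive matcher reports them as not denied, while the hardened authorizer rejects them as malformed. The general lesson is to validate and canonicalize the pseudo-header before any allow/deny comparison, whatever framework is in front of the service.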
Langflow's 'Patched' Version Is Still Exploitable — CVE-2026-33017 Deadline Hits April 8
JFrog confirms Langflow 1.8.2 remains vulnerable to CVE-2026-33017 unauthenticated RCE despite being widely reported as fixed. CISA KEV deadline is April 8.
Cisco Patches Two CVSS 9.8 Flaws in IMC and Smart Software Manager — No Workarounds Available
Critical authentication bypass in Cisco IMC (CVE-2026-20093) and unauthenticated root RCE in SSM On-Prem (CVE-2026-20160) both score CVSS 9.8. Patch immediately — no workarounds exist.
CVE-2026-33105: Azure Kubernetes Service RBAC Bypass Scores Perfect 10.0 CVSS
Critical AKS vulnerability allows privilege escalation to cluster admin via RBAC bypass. CVSS 10.0. Patch now.
React2Shell Under Mass Exploitation: 766+ Next.js Hosts Breached in Credential Harvesting Campaign
Threat actor UAT-10608 is mass-exploiting CVE-2025-55182 (React2Shell) to breach Next.js deployments and harvest cloud credentials, SSH keys, and API tokens at scale.
FBI Classifies Salt Typhoon Breach of Wiretap Infrastructure as 'Major Cyber Incident'
The FBI has formally classified the Salt Typhoon compromise of its DCSNet wiretap system as a FISMA major incident, the bureau's first such designation since 2020.
15-Year-Old strongSwan Integer Underflow Lets Unauthenticated Attackers Crash VPN Gateways
CVE-2026-25075 is an integer underflow in strongSwan's EAP-TTLS AVP parser that lets remote, unauthenticated attackers crash the charon IKE daemon — affecting every version since 4.5.0.
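An AVP length field that is smaller than the AVP header is the classic way a length-prefixed parser underflows: the code checks the length against the remaining buffer, subtracts the header size, and the unsigned result wraps to an enormous data length. The following is an added illustration of that bug class in Go against the EAP-TTLS AVP layout from RFC 5281 (4-byte Code, flags byte with the V bit, 3-byte Length covering the header, optional 4-byte Vendor-ID); it is not strongSwan's code and does not claim to reproduce its exact code path. The sample AVP bytes are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EAP-TTLS AVP header sizes and flag bits (RFC 5281 section 10.1).
const (
	avpBaseHeader   = 8    // Code(4) + Flags(1) + Length(3)
	avpVendorHeader = 12   // base header + Vendor-ID(4) when V is set
	avpFlagVendor   = 0x80 // V bit in the flags byte
)

// AVP is one decoded attribute-value pair.
type AVP struct {
	Code     uint32
	Flags    byte
	VendorID uint32
	Data     []byte
}

// headerLen returns the header size implied by the flags byte.
func headerLen(flags byte) uint32 {
	if flags&avpFlagVendor != 0 {
		return avpVendorHeader
	}
	return avpBaseHeader
}

// dataLenNaive reproduces the arithmetic of a parser that validates Length
// only against the remaining buffer and then subtracts the header. A Length
// below the header size (say 4) passes that check and the unsigned
// subtraction wraps to ~4 GiB, which a caller then uses to read "data" out
// of a buffer a few bytes long. Illustration of the underflow class only.
func dataLenNaive(buf []byte) (uint32, error) {
	if len(buf) < avpBaseHeader {
		return 0, errors.New("short buffer")
	}
	flags := buf[4]
	avpLen := binary.BigEndian.Uint32(buf[4:8]) & 0x00ffffff
	if avpLen > uint32(len(buf)) {
		return 0, errors.New("length exceeds buffer")
	}
	return avpLen - headerLen(flags), nil // wraps when avpLen < header
}

// parseAVP is the hardened version: it rejects a Length smaller than the
// header the flags imply before any subtraction, bounds the Length against
// the buffer, and only then slices the data. It returns the AVP and the
// number of bytes consumed including the 4-byte padding that Length omits.
func parseAVP(buf []byte) (AVP, int, error) {
	if len(buf) < avpBaseHeader {
		return AVP{}, 0, errors.New("short buffer")
	}
	flags := buf[4]
	hdr := headerLen(flags)
	avpLen := binary.BigEndian.Uint32(buf[4:8]) & 0x00ffffff
	if avpLen < hdr {
		return AVP{}, 0, fmt.Errorf("AVP length %d smaller than header %d", avpLen, hdr)
	}
	if avpLen > uint32(len(buf)) {
		return AVP{}, 0, fmt.Errorf("AVP length %d exceeds buffer %d", avpLen, len(buf))
	}
	avp := AVP{Code: binary.BigEndian.Uint32(buf[0:4]), Flags: flags}
	if hdr == avpVendorHeader {
		avp.VendorID = binary.BigEndian.Uint32(buf[8:12])
	}
	avp.Data = buf[hdr:avpLen]
	consumed := int((avpLen + 3) &^ 3) // pad to a 4-byte boundary
	if consumed > len(buf) {
		consumed = len(buf)
	}
	return avp, consumed, nil
}

func main() {
	// Constructed AVPs: one with Length=4 (below the 8-byte header) and one
	// well-formed User-Name AVP carrying "bob".
	bad := []byte{0, 0, 0, 1, 0x40, 0, 0, 4, 0, 0, 0, 0}
	good := []byte{0, 0, 0, 1, 0x40, 0, 0, 11, 'b', 'o', 'b', 0}
	n, _ := dataLenNaive(bad)
	fmt.Printf("naive data length for Length=4: %d (wrapped)\n", n)
	if _, _, err := parseAVP(bad); err != nil {
		fmt.Println("hardened parser:", err)
	}
	avp, used, _ := parseAVP(good)
	fmt.Printf("code=%d data=%q consumed=%d\n", avp.Code, avp.Data, used)
}
```

The check that matters is the `avpLen < hdr` comparison performed before the subtraction; a bound against the remaining buffer alone does not rule out the wrap. The same minimum-length test applies to any TLV format where the length field counts its own header.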