Suriq Blog

Suriq BlogDeep-dives, comparisons, and incident replays from the engineers building autonomous defense.https://suriq.io/en-usThree requests, no password, a webshell: the JCE flaw hitting Joomla hosts nowhttps://suriq.io/blog/joomla-jce-unauthenticated-rce/https://suriq.io/blog/joomla-jce-unauthenticated-rce/Unauthenticated RCE (CVSS 10, CVE-2026-48907) in JCE, the most-installed Joomla editor. KEV-listed and exploited. Patch to 2.9.99.6 and hunt for webshells.Wed, 17 Jun 2026 05:20:51 GMTSecurity newsNoam AlumA Linux backdoor moved into the Windows kernel, and the detection window closes at driver loadhttps://suriq.io/blog/sprysocks-windows-kernel-driver/https://suriq.io/blog/sprysocks-windows-kernel-driver/SprySOCKS, a China-nexus Linux backdoor, now ships a Windows kernel-driver variant that hides itself from the host. Here is where defenders can still catch it.Tue, 16 Jun 2026 19:40:47 GMTSecurity newsNoam AlumLiteSpeed's cPanel plugin gave shared-hosting tenants root twice in 2026. CageFS didn't help.https://suriq.io/blog/litespeed-cpanel-plugin-root-escalation/https://suriq.io/blog/litespeed-cpanel-plugin-root-escalation/CVE-2026-54420 and CVE-2026-48172 let shared-hosting tenants reach root through the LiteSpeed cPanel plugin. Why CageFS isolation failed and what to patch now.Tue, 16 Jun 2026 07:13:38 GMTSecurity newsDeep diveNoam AlumAwesome Motive's WordPress CDN backdoor only fired for logged-in admins. Your scanner missed it.https://suriq.io/blog/awesome-motive-wordpress-cdn-backdoor/https://suriq.io/blog/awesome-motive-wordpress-cdn-backdoor/OptinMonster, TrustPulse and PushEngage served a backdoor that ran only for logged-in WordPress admins, evading visitor scanners. How to scope and hunt it.Mon, 15 Jun 2026 20:32:28 GMTSecurity newsNoam AlumSearchLeak in Microsoft 365 Copilot: prompt injection as a new door to old bugshttps://suriq.io/blog/searchleak-copilot-prompt-injection/https://suriq.io/blog/searchleak-copilot-prompt-injection/SearchLeak chained prompt injection, an HTML render race, and Bing SSRF to steal Microsoft 365 Copilot data in one click. What it means for detection.Mon, 15 Jun 2026 19:25:51 GMTSecurity newsNoam AlumWhy we built Suriq on Wazuh instead of writing our own detection enginehttps://suriq.io/blog/why-suriq-built-on-wazuh/https://suriq.io/blog/why-suriq-built-on-wazuh/Suriq runs on Wazuh because a detection engine is a decade of decoders, CVE feeds, and agents you should never rebuild. Here is the reasoning behind the bet.Mon, 15 Jun 2026 07:42:14 GMTThought leadershipDeep diveJack of SuriqIvanti Sentry's CVE-2026-10520: patch the gateway, then hunt for the breachhttps://suriq.io/blog/ivanti-sentry-patched-still-breached/https://suriq.io/blog/ivanti-sentry-patched-still-breached/Ivanti Sentry CVE-2026-10520 is an unauthenticated root RCE under active attack. CISA's new 3-day patch rule applies; patched gateways were already breached.Sun, 14 Jun 2026 07:06:06 GMTSecurity newsDeep diveJack of SuriqPeopleSoft's PSEMHUB zero-day turns the patch service into the breachhttps://suriq.io/blog/peoplesoft-psemhub-zero-day/https://suriq.io/blog/peoplesoft-psemhub-zero-day/CVE-2026-35273 sits in PeopleSoft's Updates Environment Management module. Mandiant ties active exploitation to ShinyHunters, with 100+ orgs already breached.Sat, 13 Jun 2026 18:38:12 GMTSecurity newsDeep diveJack of SuriqVelvet Ant's PAM-OpenSSH decade is an auth-stack blind spot, not a Linux bughttps://suriq.io/blog/velvet-ant-auth-stack-blind-spot/https://suriq.io/blog/velvet-ant-auth-stack-blind-spot/Sygnia found nine backdoored pam_unix.so variants and four trojanized OpenSSH binaries on one victim. Why auth-stack integrity is the SIEM-invisible gap.Sat, 13 Jun 2026 17:01:32 GMTSecurity newsDeep diveJack of Suriq