Suriq Blog

Suriq BlogDeep-dives, comparisons, and incident replays from the engineers building autonomous defense.https://suriq.io/en-usOlder iPhones just got a flaw Apple can't patch, and a cable is all it takeshttps://suriq.io/blog/usbliter8-apple-bootrom-unpatchable-exploit/https://suriq.io/blog/usbliter8-apple-bootrom-unpatchable-exploit/usbliter8 is an unpatchable boot-chain exploit for Apple A12 and A13 devices. Here is the real enterprise risk, why remote wipe will not help, and what to do.Mon, 22 Jun 2026 15:31:48 GMTSecurity newsSuriq's JackPaperCut's Windows print client can be tricked into giving a local attacker total controlhttps://suriq.io/blog/papercut-print-deploy-local-takeover/https://suriq.io/blog/papercut-print-deploy-local-takeover/CVE-2026-6645 lets a local attacker plant a file that PaperCut's Print Deploy client runs with full system rights on Windows. Update to version 1.10.4178.Mon, 22 Jun 2026 04:25:17 GMTSecurity newsSuriq's JackRun Central Dogma across servers? It may be guarding your config with a password printed in its source codehttps://suriq.io/blog/central-dogma-default-secret-cluster-takeover/https://suriq.io/blog/central-dogma-default-secret-cluster-takeover/Central Dogma before 0.84.0 silently uses a public default secret when ZooKeeper replication runs without one set, letting nearby attackers seize the cluster.Mon, 22 Jun 2026 03:10:10 GMTSecurity newsNoam AlumYour Squid proxy can leak other users' passwords, and the 7.6 update won't fix ithttps://suriq.io/blog/squidbleed-squid-proxy-credential-leak/https://suriq.io/blog/squidbleed-squid-proxy-credential-leak/Squidbleed (CVE-2026-47729) leaks memory from Squid proxies in default config, including login credentials. A public exploit is out, and 7.6 does not patch it.Mon, 22 Jun 2026 00:08:18 GMTSecurity newsNoam AlumThat decade-old router you forgot is now scanning networks for attackershttps://suriq.io/blog/arystinger-router-botnet-recon-scanning/https://suriq.io/blog/arystinger-router-botnet-recon-scanning/A botnet called AryStinger hijacked over 4,300 end-of-life D-Link and Linksys routers into a distributed scanning grid for reconnaissance, not DDoS. What to do.Sun, 21 Jun 2026 18:35:49 GMTSecurity newsSuriq's JackMillions of hacked TV boxes now rent attackers a trusted home IP. Your blocklist can't see it.https://suriq.io/blog/popa-residential-proxy-ip-reputation-account-takeover/https://suriq.io/blog/popa-residential-proxy-ip-reputation-account-takeover/Researchers linked the Popa botnet of 2 million hacked TV boxes to a residential proxy service. Here is why IP reputation no longer stops account takeovers.Sun, 21 Jun 2026 16:52:26 GMTSecurity newsSuriq's JackPrinz Eugen ransomware hits your newest files first and never leaves a notehttps://suriq.io/blog/prinz-eugen-ransomware-no-ransom-note/https://suriq.io/blog/prinz-eugen-ransomware-no-ransom-note/Prinz Eugen ransomware encrypts your most recently changed files first and drops no ransom note, defeating canary traps and note-based SOC alerts. What to do.Sun, 21 Jun 2026 11:51:28 GMTSecurity newsDeep diveNoam AlumEaseUS Partition Master left a Windows driver that lets any user seize the whole PChttps://suriq.io/blog/easeus-partition-master-driver-escalation/https://suriq.io/blog/easeus-partition-master-driver-escalation/A signed driver in EaseUS Partition Master (CVE-2026-12781) lets any standard Windows user read and overwrite the whole disk to reach SYSTEM. Patch and blockSun, 21 Jun 2026 09:55:36 GMTSecurity newsSuriq's JackYour AI agent trusts your own computer. One web page turns that into a takeover.https://suriq.io/blog/autojack-ai-agent-localhost-rce/https://suriq.io/blog/autojack-ai-agent-localhost-rce/Microsoft's AutoJack shows how one web page an AI browsing agent visits can run code on the host. The bug is a near miss. The architecture lesson is not.Sun, 21 Jun 2026 07:46:22 GMTSecurity newsNoam AlumThis login library let a stranger sign in as you with just your emailhttps://suriq.io/blog/ash-authentication-email-account-takeover/https://suriq.io/blog/ash-authentication-email-account-takeover/CVE-2026-49757 (CVSS 9.2) let attackers take over accounts in Elixir apps built on ash_authentication by matching users on email instead of identity. UpdateSun, 21 Jun 2026 07:24:16 GMTSecurity newsSuriq's JackYour Fortinet password reset won't lock the FortiBleed attacker outhttps://suriq.io/blog/fortibleed-cisa-alert-session-reset/https://suriq.io/blog/fortibleed-cisa-alert-session-reset/CISA declared FortiBleed an emergency on June 18 after 86,644 Fortinet devices were hit. Resetting passwords is not enough: kill live sessions and fix theSun, 21 Jun 2026 03:18:09 GMTSecurity newsDeep diveNoam AlumvLLM's earlier patch only hid this AI-server bug. Re-enable embeddings and you are still exposedhttps://suriq.io/blog/vllm-prompt-embeds-tensor-validation-flaw/https://suriq.io/blog/vllm-prompt-embeds-tensor-validation-flaw/CVE-2026-56340 lets a crafted tensor crash vLLM (CVSS 8.8) with a path to memory corruption. It only bites if you re-enabled prompt embeds. Fix is 0.13.0.Sun, 21 Jun 2026 02:55:23 GMTSecurity newsSuriq's JackGravity SMTP's 'medium' bug leaks live email API keys to anyone. Patching alone will not save you.https://suriq.io/blog/gravity-smtp-credential-leak-cve-2026-4020/https://suriq.io/blog/gravity-smtp-credential-leak-cve-2026-4020/Gravity SMTP's CVE-2026-4020 hands live Amazon SES, Google, and OAuth keys to unauthenticated visitors on 100,000 WordPress sites. Patching alone will not undoSat, 20 Jun 2026 16:51:58 GMTSecurity newsNoam AlumPolice scrubbed SocGholish from 15,000 WordPress sites. The way in is still wide open.https://suriq.io/blog/socgholish-operation-endgame-wordpress-takedown/https://suriq.io/blog/socgholish-operation-endgame-wordpress-takedown/Operation Endgame seized 106 SocGholish servers and cleaned 14,971 WordPress sites. The takedown hit an access broker, not the entry vector. Here is what toSat, 20 Jun 2026 12:19:16 GMTSecurity newsNoam AlumOne tracing header can make a LangSmith server hand over its fileshttps://suriq.io/blog/langsmith-tracing-header-file-read/https://suriq.io/blog/langsmith-tracing-header-file-read/LangSmith SDK before 0.8.18 lets a crafted tracing header read arbitrary files off any server running TracingMiddleware. Upgrade now; it is the second such bug.Sat, 20 Jun 2026 09:09:23 GMTSecurity newsSuriq's JackA USB worm swaps your crypto address mid-paste, and no breach alarm ever fireshttps://suriq.io/blog/usb-worm-clipper-crypto-clipboard/https://suriq.io/blog/usb-worm-clipper-crypto-clipboard/Microsoft found a USB worm that hijacks the clipboard to swap crypto wallet addresses and hides its command channel in Tor. Here is why it beats your controls.Sat, 20 Jun 2026 07:43:38 GMTSecurity newsDeep diveSuriq's JackThe app you're testing can hijack the AI agent testing it: Appium MCP's XSS flawhttps://suriq.io/blog/appium-mcp-locator-xss-agent-hijack/https://suriq.io/blog/appium-mcp-locator-xss-agent-hijack/An XSS flaw in Appium's official MCP server let a hostile test app hijack the AI agent driving it and call its tools. Patch appium-mcp to 1.85.10 now.Sat, 20 Jun 2026 07:10:40 GMTSecurity newsNoam AlumEDR evasion is now a shipped product. Your agent's silence is the only alarm left.https://suriq.io/blog/gentlemen-edr-killer-byovd-detection/https://suriq.io/blog/gentlemen-edr-killer-byovd-detection/The Gentlemen ransomware gang ships a standardized EDR killer to affiliates using BYOVD. Here is why driver-name hunting fails and what to detect instead.Sat, 20 Jun 2026 04:42:29 GMTSecurity newsDeep diveNoam AlumBranda fixed this WordPress account takeover in January. It is back, and a public exploit is circulating.https://suriq.io/blog/branda-wordpress-account-takeover-cve-2026-11551/https://suriq.io/blog/branda-wordpress-account-takeover-cve-2026-11551/CVE-2026-11551 is a CVSS 9.8 unauthenticated account takeover in the Branda WordPress plugin (versions up to 3.4.29). A public exploit is out. Update to 3.4.31Sat, 20 Jun 2026 03:56:36 GMTSecurity newsSuriq's JackA WordPress form plugin lets a stranger delete your site, the moment an admin lookshttps://suriq.io/blog/wordpress-form-entries-file-deletion-rce/https://suriq.io/blog/wordpress-form-entries-file-deletion-rce/CVE-2026-9843 lets an unauthenticated visitor plant a form entry that deletes WordPress files when an admin opens it. Update the CRM Perks entries plugin toSat, 20 Jun 2026 02:40:19 GMTSecurity newsNoam AlumA single rigged document can turn Langflow's file reader into full server takeoverhttps://suriq.io/blog/langflow-rag-file-read-rce/https://suriq.io/blog/langflow-rag-file-read-rce/A crafted document in a Langflow RAG pipeline (CVE-2026-55447, CVSS 9.6) reads any file, forges a login token, then runs code. Upgrade to 1.9.2 or later.Sat, 20 Jun 2026 01:25:41 GMTSecurity newsSuriq's JackOne Langflow account can now run every other user's AI workflowhttps://suriq.io/blog/langflow-idor-cross-user-flow-execution/https://suriq.io/blog/langflow-idor-cross-user-flow-execution/A critical IDOR in Langflow (CVE-2026-55255, CVSS 9.9) lets any logged-in user run another user's AI flow. Upgrade to 1.9.1. The real problem is the pattern.Fri, 19 Jun 2026 23:53:51 GMTSecurity newsSuriq's JackMastra's npm packages passed inspection, then turned hostile a day laterhttps://suriq.io/blog/mastra-npm-supply-chain-compromise/https://suriq.io/blog/mastra-npm-supply-chain-compromise/Attackers hijacked a dormant maintainer account to poison 140+ Mastra npm packages with a wallet-stealing payload. Here is who is exposed and what to rotateFri, 19 Jun 2026 22:55:50 GMTSecurity newsNoam AlumCoreWCF's SAML check trusted a forged identity as your admin. There is no workaround, only the patch.https://suriq.io/blog/corewcf-saml-signature-bypass/https://suriq.io/blog/corewcf-saml-signature-bypass/CVE-2026-54782 lets an attacker forge a SAML token and impersonate anyone, admins included, on CoreWCF federation services. No workaround. Patch to 1.8.1 orFri, 19 Jun 2026 21:55:54 GMTSecurity newsSuriq's JackQuarkus fixed a semicolon auth bypass in May. Its encoded cousin just reopened it.https://suriq.io/blog/quarkus-encoded-path-auth-bypass/https://suriq.io/blog/quarkus-encoded-path-auth-bypass/Quarkus fixed a semicolon authorization bypass in May, but CVE-2026-50559 reopens it with URL-encoded characters. What to patch now and how to detect abuse.Fri, 19 Jun 2026 20:56:09 GMTSecurity newsNoam AlumDragonForce hides its C2 inside Microsoft Teams relays. Your network sensors see a clean call.https://suriq.io/blog/dragonforce-teams-relay-c2-backdoor-turn/https://suriq.io/blog/dragonforce-teams-relay-c2-backdoor-turn/DragonForce's Backdoor.Turn routes C2 through Microsoft Teams TURN relays, so network sensors see only Microsoft. Here is where the detectable seam actuallyFri, 19 Jun 2026 19:34:51 GMTSecurity newsDeep diveSuriq's JackYour Salesforce wasn't breached. A connected app handed over the data.https://suriq.io/blog/klue-oauth-salesforce-connected-app-breach/https://suriq.io/blog/klue-oauth-salesforce-connected-app-breach/The Icarus group stole Salesforce CRM data through Klue's connected app, not a Salesforce flaw. Why OAuth integration tokens are the unmonitored attack surface.Fri, 19 Jun 2026 14:50:51 GMTSecurity newsSuriq's JackYour JetBrains Hub 2FA protected nothing. The recovery codes were predictable.https://suriq.io/blog/jetbrains-hub-predictable-recovery-codes/https://suriq.io/blog/jetbrains-hub-predictable-recovery-codes/JetBrains Hub generated predictable 2FA recovery codes (CVE-2026-56141, CVSS 9.8), allowing pre-auth account takeover. Patch self-hosted Hub now and reset theFri, 19 Jun 2026 13:37:56 GMTSecurity newsNoam AlumPerry's stdlib turned off JWT expiry checks. Logout stopped meaning anything.https://suriq.io/blog/perry-jwt-expiration-bypass/https://suriq.io/blog/perry-jwt-expiration-bypass/CVE-2026-53776: Perry's bundled JWT helper hard-codes validate_exp = false, so expired and revoked tokens stay valid. Patch to 0.5.1166 and rotate signing keys.Fri, 19 Jun 2026 10:59:11 GMTSecurity newsNoam AlumYour Splunk box runs a database sidecar you never configured. Attackers use it for root.https://suriq.io/blog/splunk-postgres-sidecar-preauth-rce/https://suriq.io/blog/splunk-postgres-sidecar-preauth-rce/CVE-2026-20253 is an unauthenticated RCE in Splunk Enterprise 10.x via a bundled PostgreSQL sidecar. On CISA KEV, exploited now. Patch to 10.0.7 or 10.2.4.Fri, 19 Jun 2026 07:42:37 GMTSecurity newsSuriq's JackTwo NGINX bugs scored 9.2. On a default server you get a crash, not a shell.https://suriq.io/blog/nginx-critical-rce-config-triage/https://suriq.io/blog/nginx-critical-rce-config-triage/F5's two critical NGINX flaws (CVE-2026-42530, CVE-2026-42055) score 9.2, but RCE needs ASLR off and a non-default config. Here is what to actually triage.Fri, 19 Jun 2026 03:45:04 GMTSecurity newsDeep diveNoam AlumINC ransomware never used a zero-day. It used your patch backlog.https://suriq.io/blog/inc-ransomware-patch-backlog-edge-devices/https://suriq.io/blog/inc-ransomware-patch-backlog-edge-devices/INC reached top-tier RaaS in 2026 with no zero-days. Every edge-device flaw it exploits was patched months earlier. Here is what to actually fix.Thu, 18 Jun 2026 16:56:17 GMTSecurity newsSuriq's JackClickFix is now shared attack infrastructure, and the lure is the wrong thing to detecthttps://suriq.io/blog/clickfix-shared-delivery-detection/https://suriq.io/blog/clickfix-shared-delivery-detection/Three unrelated crews adopted ClickFix delivery in a single quarter. The lure keeps changing; the execution chain does not. Here is where to detect it.Thu, 18 Jun 2026 12:10:34 GMTSecurity newsNoam AlumCisco called this SD-WAN flaw medium. Attackers used it to take root on your WAN.https://suriq.io/blog/cisco-sd-wan-manager-cve-2026-20262/https://suriq.io/blog/cisco-sd-wan-manager-cve-2026-20262/CVE-2026-20262 is an actively exploited Cisco SD-WAN Manager flaw that escalates a low-privilege login to root. Federal patch deadline is June 29, and why 6.5Thu, 18 Jun 2026 08:11:51 GMTSecurity newsDeep diveSuriq's JackRoguePlanet turns Microsoft Defender into a SYSTEM shell, and switching it off won't save youhttps://suriq.io/blog/rogueplanet-defender-system-zero-day/https://suriq.io/blog/rogueplanet-defender-system-zero-day/RoguePlanet (CVE-2026-50656) is a public-exploit privilege escalation in Microsoft Defender's engine. It hands a local attacker SYSTEM, and disabling DefenderThu, 18 Jun 2026 05:50:21 GMTSecurity newsNoam AlumFortiBleed isn't a Fortinet bug. It's every password you never rotated.https://suriq.io/blog/fortibleed-fortinet-no-cve-to-patch/https://suriq.io/blog/fortibleed-fortinet-no-cve-to-patch/FortiBleed exposed working VPN logins for tens of thousands of Fortinet firewalls. There is no CVE to patch; the fix is rotating credentials and enforcing MFA.Wed, 17 Jun 2026 19:12:55 GMTSecurity newsDeep diveSuriq's JackJetBrains Plugins Are Stealing AI API Keys, and You Find Out From the Billhttps://suriq.io/blog/jetbrains-plugins-steal-ai-api-keys/https://suriq.io/blog/jetbrains-plugins-steal-ai-api-keys/Aikido found 15 JetBrains Marketplace plugins stealing AI API keys across 70,000 installs. Why a stolen metered key shows up as a bill, not an alert, and whatWed, 17 Jun 2026 15:04:54 GMTSecurity newsNoam AlumFortiSandbox Under Attack: The Box That Catches Malware Is Now the Way Inhttps://suriq.io/blog/fortisandbox-flaws-actively-exploited/https://suriq.io/blog/fortisandbox-flaws-actively-exploited/Three critical FortiSandbox flaws are under active exploitation, two unauthenticated and one patched a week ago. Why a compromised malware sandbox blinds yourWed, 17 Jun 2026 11:08:44 GMTSecurity newsDeep diveSuriq's JackThree requests, no password, a webshell: the JCE flaw hitting Joomla hosts nowhttps://suriq.io/blog/joomla-jce-unauthenticated-rce/https://suriq.io/blog/joomla-jce-unauthenticated-rce/Unauthenticated RCE (CVSS 10, CVE-2026-48907) in JCE, the most-installed Joomla editor. KEV-listed and exploited. Patch to 2.9.99.6 and hunt for webshells.Wed, 17 Jun 2026 05:20:51 GMTSecurity newsNoam AlumA Linux backdoor moved into the Windows kernel, and the detection window closes at driver loadhttps://suriq.io/blog/sprysocks-windows-kernel-driver/https://suriq.io/blog/sprysocks-windows-kernel-driver/SprySOCKS, a China-nexus Linux backdoor, now ships a Windows kernel-driver variant that hides itself from the host. Here is where defenders can still catch it.Tue, 16 Jun 2026 19:40:47 GMTSecurity newsNoam AlumLiteSpeed's cPanel plugin gave shared-hosting tenants root twice in 2026. CageFS didn't help.https://suriq.io/blog/litespeed-cpanel-plugin-root-escalation/https://suriq.io/blog/litespeed-cpanel-plugin-root-escalation/CVE-2026-54420 and CVE-2026-48172 let shared-hosting tenants reach root through the LiteSpeed cPanel plugin. Why CageFS isolation failed and what to patch now.Tue, 16 Jun 2026 07:13:38 GMTSecurity newsDeep diveNoam AlumAwesome Motive's WordPress CDN backdoor only fired for logged-in admins. Your scanner missed it.https://suriq.io/blog/awesome-motive-wordpress-cdn-backdoor/https://suriq.io/blog/awesome-motive-wordpress-cdn-backdoor/OptinMonster, TrustPulse and PushEngage served a backdoor that ran only for logged-in WordPress admins, evading visitor scanners. How to scope and hunt it.Mon, 15 Jun 2026 20:32:28 GMTSecurity newsNoam AlumSearchLeak in Microsoft 365 Copilot: prompt injection as a new door to old bugshttps://suriq.io/blog/searchleak-copilot-prompt-injection/https://suriq.io/blog/searchleak-copilot-prompt-injection/SearchLeak chained prompt injection, an HTML render race, and Bing SSRF to steal Microsoft 365 Copilot data in one click. What it means for detection.Mon, 15 Jun 2026 19:25:51 GMTSecurity newsNoam AlumWhy we built Suriq on Wazuh instead of writing our own detection enginehttps://suriq.io/blog/why-suriq-built-on-wazuh/https://suriq.io/blog/why-suriq-built-on-wazuh/Suriq runs on Wazuh because a detection engine is a decade of decoders, CVE feeds, and agents you should never rebuild. Here is the reasoning behind the bet.Mon, 15 Jun 2026 07:42:14 GMTThought leadershipDeep diveSuriq's JackIvanti Sentry's CVE-2026-10520: patch the gateway, then hunt for the breachhttps://suriq.io/blog/ivanti-sentry-patched-still-breached/https://suriq.io/blog/ivanti-sentry-patched-still-breached/Ivanti Sentry CVE-2026-10520 is an unauthenticated root RCE under active attack. CISA's new 3-day patch rule applies; patched gateways were already breached.Sun, 14 Jun 2026 07:06:06 GMTSecurity newsDeep diveSuriq's JackPeopleSoft's PSEMHUB zero-day turns the patch service into the breachhttps://suriq.io/blog/peoplesoft-psemhub-zero-day/https://suriq.io/blog/peoplesoft-psemhub-zero-day/CVE-2026-35273 sits in PeopleSoft's Updates Environment Management module. Mandiant ties active exploitation to ShinyHunters, with 100+ orgs already breached.Sat, 13 Jun 2026 18:38:12 GMTSecurity newsDeep diveSuriq's JackVelvet Ant's PAM-OpenSSH decade is an auth-stack blind spot, not a Linux bughttps://suriq.io/blog/velvet-ant-auth-stack-blind-spot/https://suriq.io/blog/velvet-ant-auth-stack-blind-spot/Sygnia found nine backdoored pam_unix.so variants and four trojanized OpenSSH binaries on one victim. Why auth-stack integrity is the SIEM-invisible gap.Sat, 13 Jun 2026 17:01:32 GMTSecurity newsDeep diveSuriq's Jack