CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED)

CVE-2026-20182: Unauthenticated vHub Bypass in the Cisco Catalyst SD-WAN Controller

CVE-2026-20182 (CVSS 10.0, CWE-287) is a critical authentication bypass in the Cisco Catalyst SD-WAN Controller’s vdaemon DTLS service (UDP 12346). By presenting “device_type = 2” (vHub) during the CHALLENGE_ACK phase, an unauthenticated remote attacker hits a fall-through in “vbond_proc_challenge_ack()” that unconditionally sets “authenticated = 1” — from there it’s a short hop to “MSG_VMANAGE_TO_PEER” SSH-key injection into “/home/vmanage-admin/.ssh/authorized_keys” and full NETCONF control of the SD-WAN fabric. Discovered by Rapid7’s Stephen Fewer and Jonah Burgess; a Metasploit module ships with this post. Cisco has fixed it — upgrade now.

Windows Kernel EoP vulnerability CVE-2026-40369

CVE-2026-40369: Arbitrary Kernel Address Increment via NtQuerySystemInformation

CVE-2026-40369 is a Windows kernel bug in “nt!ExpGetProcessInformation” that lets any unprivileged process — including one inside Chrome’s renderer sandbox — increment three DWORDs at an attacker-chosen kernel address per syscall, with no race condition, no heap spray, and 100% determinism. This deep dive walks Ori Nimron’s full exploit chain: KASLR via the prefetch side-channel, arbitrary kernel “read” via “CmpLayerVersions” type confusion (built on the Windows UTF-8 conversion path), token-privilege bitmask increment to grant SeDebugPrivilege, code injection into a SYSTEM process, and a clean restore of “CmpLayerVersionCount” at the end. Rewritten from the canonical pwn2nimron.com writeup with all original IDA decompilations and the PoC reproduced verbatim.

Initial Ghidra interface before loading the shellcode sample

Ghidra Basics: Reverse-Engineering Cobalt Strike Shellcode and Extracting the C2 Server

A practical walkthrough of using Ghidra and x32dbg to disassemble a Cobalt Strike beacon shellcode, identify the PUSH/CALL EBP hash-then-dispatch pattern, resolve API hashes such as “0x726774c” (LoadLibraryA), “0xa779563a” (InternetOpenA) and “0xc69f8957” (InternetConnectA), recognise ROR13 as the hashing algorithm, and extract the C2 IP “195.211.98[.]91” from the decoded calls. Original rewrite of Matthew’s tutorial on embeeresearch.io with all 56 original screenshots preserved.

A ZTE Wi-Fi router similar in family to the ZXHN H168N affected by CVE-2021-21735

CVE-2021-21735: From Unauthenticated Information Leak to Full Admin Compromise on ZTE ZXHN H168N

A deep dive into CVE-2021-21735 on the ZTE ZXHN H168N home gateway, where two unauthenticated wizard endpoints (wizard_pppoe_lua.lua and wizard_wlan_config_lua.lua) leaked PPPoE identifiers, SSID data, and Wi-Fi passphrases — converting a “low-severity” information disclosure into a full administrative and WLAN takeover path. Includes the root-cause analysis, request/response patterns, the disclosure timeline, and the ZTE vs. NVD severity split.

The epoll UAF: A Same-CPU Preemption Race in fs/eventpoll.c on Linux 6.6+

Deep-dive writeup on a Linux kernel use-after-free in “fs/eventpoll.c”. A 2023 optimisation traded a global “epmutex” for per-instance reference counting in epoll’s graph-walking code, but left the walkers running under “rcu_read_lock()” while “ep_free()” kept calling plain “kfree(ep)” with no RCU deferral — opening a same-CPU preemption race that yields a constrained write through a freed “struct eventpoll”. Fixed in commit “07712db80857” by switching to “kfree_rcu(ep, rcu)”. Affects Linux 6.6+ including Android (Pixel 10 tested).

A restrained technical diagram of memory regions, stack frames, and control flow for Gargoyle

Gargoyle, A Decade Later: Josh Lospinoso’s Memory-Scanning Evasion Idea, Refreshed for 2026

The 2017 Windows research demo that flipped page protections so a shellcode region was non-executable at scan time and executable only during brief work windows. The 2026 refresh keeps the original Win32/x86 proof of concept central, adds x64, ARM64, and ARM64EC sibling demonstrations, fixes a subtle “SetWaitableTimer” “SleepEx” APC validation error, and reframes the whole exercise as a measurement problem about temporal memory state rather than a hiding trick.

OpenTrafficMap ESP32-C5 C-ITS receiver board overlaid on OpenStreetMap visualization

OpenTrafficMap’s €20 ESP32-C5 Board Turns 802.11p V2X Into a Public Map of Traffic Lights and Buses

CNX Software write-up on the OpenTrafficMap project — a €20 open-source ESP32-C5 receiver board that taps the 5.9 GHz 802.11p ITS-G5 V2X stack used by European traffic lights, buses, trams, trucks and connected vehicles, decodes CAM/DENM/SPATEM/MAPEM messages, and publishes them to a public map via NATS. Twenty units already deployed; group-buy of 450 boards shipping. Includes the original board photos, the deployment shot with a Mikrotik 4G uplink, the pole-mount enclosure, and the Graz Linux Days 2026 talk video.

Google Threat Intelligence website banner

CVE-2026-5426: Mandiant Catches ViewState RCE Against KnowledgeDeliver LMS in Japan

Disclosure of CVE-2026-5426: an ASP.NET ViewState deserialization RCE in Digital Knowledge’s KnowledgeDeliver LMS, caused by identical hardcoded “machineKey” values shipped to every customer. Pre-Feb-24-2026 deployments are exploitable as a zero-day. Mandiant observed BLUEBEAM (Godzilla-class) in-memory web shells, JavaScript tampering for follow-on social engineering, and Cobalt Strike BEACON keyed to the victim’s name — with Application Event ID 1316 (code 4009) as the primary detection signal.

Doom II running on the z386 FPGA core

z386: An Open-Source FPGA 80386 Driven by the Original Intel Microcode

Open-source FPGA recreation of Intel’s 80386 that runs the original recovered Intel microcode rather than re-implementing instruction behaviour from scratch. The result is an 8 K-line, 18 K-ALUT, 85 MHz core that boots DOS, runs DOS/4GW and DOS/32A extenders, and plays Doom and Doom II — with detailed comparison against 486 and a clear silicon-archaeology angle relevant to reverse engineers and hardware security researchers.