Remote Code Execution Vulnerability in Fooocus

오픈소스 AI 이미지 생성 WebUI인 Fooocus에서 원격 코드 실행(RCE) 취약점이 발견되었다. 이 취약점은 이미지 EXIF 메타데이터에 포함된 JSON을 eval 함수로 처리하는 과정에서 임의의 파이썬 코드가 실행될 수 있는 문제로, Fooocus를 인터넷에 노출하면 공격자가 시스템을 제어할 수 있다. Fooocus는 2024년 8월부터 제한적 장기 지원 모드에 들어갔으며, 2025년 9월 이후로는 유지보수가 중단된 상태라 보고된 취약점이 6개월간 패치되지 않았다. AI 개발자들은 공개된 취약점 내용을 참고해 Fooocus 사용 시 주의가 필요하다.

https://mrbruh.com/fooocus/

#security #rce #fooocus #opensource #python

The React2Shell Story

2025년 11월, 보안 연구원 Lachlan Davidson은 React 기반 Next.js의 React Server Components 통신 프로토콜인 Flight에서 원격 코드 실행 취약점 'React2Shell'을 발견해 Meta에 보고했다. Flight 프로토콜은 JSON 확장 형태로 복잡한 객체와 참조를 주고받을 수 있는데, 프로토타입 체인에 있는 함수 참조를 검증하지 않는 치명적 결함이 있었다. 이로 인해 공격자가 서버에서 임의 코드를 실행할 수 있었으며, Meta는 신속히 패치를 배포했다. 이 사례는 TypeScript 타입 검증이 런타임에 강제되지 않는 점과 새로운 통신 프로토콜의 보안 검증 중요성을 강조한다.

https://lachlan.nz/blog/the-react2shell-story/

#react #nextjs #flight #security #rce

#LPE — Local Privilege Escalation. A class of vulnerabilities that need a local user account on the target machine to reach higher levels of privilege, up to superuser/root

#RCE — Remote Code Execution. A class of vulnerabilities that can be exploited over unprivileged network connections, giving the attacker privileged access to the target machine.

#CopyFail, #DirtyFrag are LPEs that affect Linux systems. LPEs are typically harder to exploit than RCEs.

Hope this helps to avoid Clickbait.

Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution

A buffer overflow vulnerability in the User-ID Authentication Portal of PAN-OS software allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. Limited exploitation has been observed starting April 9, 2026, by a likely state-sponsored threat cluster. Attackers successfully achieved remote code execution by injecting shellcode into nginx worker processes. Post-exploitation activities included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration using compromised firewall credentials, and systematic log destruction to evade detection. The attackers demonstrated operational discipline with intermittent interactive sessions over multiple weeks, using open-source tools instead of proprietary malware to minimize detection. The vulnerability poses elevated risk when the portal is exposed to untrusted networks or the public internet.

Pulse ID: 69fc45baaffc99649cda5385
Pulse Link: https://otx.alienvault.com/pulse/69fc45baaffc99649cda5385
Pulse Author: AlienVault
Created: 2026-05-07 07:56:42

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #Nginx #Nim #OTX #OpenThreatExchange #RAT #RCE #RemoteCodeExecution #Rust #ShellCode #Vulnerability #Worm #ZeroDay #bot #socks5 #AlienVault

Multi-Stage AiTM Attack Uses Code Of Conduct Phishing Emails

A sophisticated credential theft campaign targeting over 35,000 users across 13,000 organizations was observed between April 14-16, 2026. The operation primarily impacted the United States, particularly healthcare and financial services sectors. Attackers used code of conduct themed phishing emails masquerading as internal compliance communications, sent through legitimate email delivery services from attacker-controlled domains. Victims received polished HTML emails with PDF attachments containing fake disciplinary logs and CAPTCHA gates to evade automated analysis. The multi-stage attack chain ultimately directed users to counterfeit Microsoft authentication pages operating as adversary-in-the-middle infrastructure, enabling real-time interception of credentials and session tokens while bypassing multi-factor authentication defenses.

Pulse ID: 69fb1736879a4a945346b9ba
Pulse Link: https://otx.alienvault.com/pulse/69fb1736879a4a945346b9ba
Pulse Author: AlienVault
Created: 2026-05-06 10:25:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #CAPTCHA #CyberSecurity #Email #HTML #Healthcare #InfoSec #Microsoft #OTX #OpenThreatExchange #PDF #Phishing #RAT #RCE #Troll #UnitedStates #bot #AlienVault

Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware

SHA 256 is the full text of the code used to create the Open Source operating system (TA), which is based on the open source operating System (OS) and is available to view online.

Pulse ID: 69fc1914c878d5cc2c6d474b
Pulse Link: https://otx.alienvault.com/pulse/69fc1914c878d5cc2c6d474b
Pulse Author: Tr1sa111
Created: 2026-05-07 04:46:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #RCE #RansomWare #bot #Tr1sa111

So, #GitHub is having a rough go of it lately. With significant instability and frequent outages in the last month and platform uptime dropping below 85%.

But the most fun trick? Any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command - using nothing but a standard git client. (Because their architecture didn’t sterilize semicolons, thus prompt injection.)

On GitHub Enterprise Server, the vulnerability grants full server compromise, including access to all hosted repositories and internal secrets.

GitHub Enterprise Server customers should upgrade ASAP. Wiz dot io data indicates that 88% of instances were still vulnerable.

https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

#infosec #live #githubEnterprise #rce