Mastodawn

released should-i-care, a skill for single-CVE applicability triage.

scanners tell you a product/version matches a CVE. this checks whether the CVE actually applies: deployment model, feature flags, config, distro backport status. it reasons against an environment profile it maintains for you and returns affected / not affected / needs verification, every condition cited to its source.

built and tested on claude code and codex. MIT, keyless.

github.com/moltenbit/should-i-care

#infosec #cve #vulnerabilitymanagement #cybersecurity #security #vulnerability

moltenbit May 27

BrianKrebs May 25

New, by me:

Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia’s intelligence agencies.

https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/

Previous reporting on Stark Industries:

May 2024: Stark Industries Solutions: An Iron Hammer in the Cloud: https://krebsonsecurity.com/2024/05/stark-industries-solutions-an-iron-hammer-in-the-cloud/

July 2024: The Stark Truth Behind the Resurgence of Russia's Fin7: https://krebsonsecurity.com/2024/07/the-stark-truth-behind-the-resurgence-of-russias-fin7/

September 2025: Bulletproof Host Stark Industries Evades EU Sanctions: https://krebsonsecurity.com/2025/09/bulletproof-host-stark-industries-evades-eu-sanctions/

#russia #cybercrime #arrest #sanctions

moltenbit May 20

I audited #OpenReception, a recently released open-source appointment booking platform. Found and reported 16 vulnerabilities, now 16 CVEs assigned.

4 critical:
- WebAuthn passkey injection → account takeover
- tenant admin self-promotes to GLOBAL_ADMIN
- unauth GLOBAL_ADMIN account creation
- staff crypto poisoning breaks the E2E recipient directory

rest: info disclosure, stored XSS, auth and IDOR bugs, all patched before public disclosure.

https://moltenbit.net/disclosures/

#infosec #security #CVE

Disclosures

Security vulnerabilities I have responsibly disclosed. All findings were reported to the affected vendors and patched before public disclosure. CVE / ID Product Summary Severity Date References CVE-2026-48088 OpenReception unauthenticated staff crypto poisoning breaks E2E recipient directory Critical (9.4) 2026-05-20 CVE, GHSA CVE-2026-48087 OpenReception WebAuthn passkey injection allows account takeover Critical (9.8) 2026-05-20 CVE, GHSA CVE-2026-48086 OpenReception tenant admin self-promotes to GLOBAL_ADMIN Critical (9.9) 2026-05-20 CVE, GHSA CVE-2026-48085 OpenReception unauthenticated GLOBAL_ADMIN account creation post-bootstrap Critical (9.8) 2026-05-20 CVE, GHSA CVE-2026-48084 OpenReception passphrase login attempts are not rate-limited High (7.4) 2026-05-20 CVE, GHSA CVE-2026-48083 OpenReception unauthenticated POST /api/log accepts arbitrary content with CRLF injection and no size or rate limits Moderate (6.5) 2026-05-20 CVE, GHSA CVE-2026-48082 OpenReception bootstrap challenge proof-of-work difficulty hardcoded to 16 bits enables abuse rate amplification Low (3.7) 2026-05-20 CVE, GHSA CVE-2026-48081 OpenReception stored click-triggered XSS via javascript: tenant links rendered into patient-facing footer High (8.1) 2026-05-20 CVE, GHSA CVE-2026-48080 OpenReception tenant detail endpoint discloses live PostgreSQL connection string, superuser-scoped in the tested official deployment High (8.0) 2026-05-20 CVE, GHSA CVE-2026-48079 OpenReception logout page clears local access_token before server-side revocation, leaving duplicated tokens valid until expiry High (7.4) 2026-05-20 CVE, GHSA CVE-2026-48078 OpenReception schedule endpoint discloses isPublic=false channels and slot availability to unauthenticated callers Moderate (5.3) 2026-05-20 CVE, GHSA CVE-2026-48077 OpenReception GET appointment by ID returns full appointment record without authorization Moderate (5.3) 2026-05-20 CVE, GHSA CVE-2026-48076 OpenReception bootstrap booking flow allows unauthenticated booking on isPublic=false channels Moderate (6.5) 2026-05-20 CVE, GHSA CVE-2026-48075 OpenReception unauthenticated add-to-tunnel endpoint accepts arbitrary appointment injections Moderate (6.5) 2026-05-20 CVE, GHSA CVE-2026-48074 OpenReception staff deletion removes pending invites cross-tenant by email match Low (2.7) 2026-05-20 CVE, GHSA CVE-2026-48071 OpenReception client PIN challenge throttle is keyed by emailHash only, allowing cross-tenant lockout Moderate (5.8) 2026-05-20 CVE, GHSA CVE-2026-6965 Tutor LMS WordPress Plugin insecure direct object reference leading to authenticated arbitrary post deletion via course GET parameter Moderate (5.3) 2026-05-12 CVE, Wordfence CVE-2026-34782 Zammad missing authorization in AI assistance controller for text tools Moderate (5.3) 2026-04-08 CVE, GHSA, Blog post CVE-2026-34837 Zammad missing authorization in AI assistance controller for context data used in text tools Moderate (5.3) 2026-04-08 CVE, GHSA, Blog post CVE-2026-34721 Zammad cross-site request forgery (CSRF) in OAuth callback endpoints Moderate (5.9) 2026-04-08 CVE, GHSA MSRC Acknowledgment Microsoft Online Services vulnerability in Microsoft Online Services — 2026-03-31 MSRC Acknowledgements CVE-2025-30201 Wazuh bypass of UNC path mitigation in Windows OSQuery via \\?\UNC\ High (7.1) 2025-03-17 CVE, GHSA, Blog post

moltenbit

moltenbit Apr 8

New blog post: I found two authorization bypasses in Zammad's new AI text tools feature, two weeks after 7.0 shipped. Any agent could execute group-restricted tools and pull ticket data from other groups via a single API call.

Patched in 7.0.1, three CVEs from this audit.

https://moltenbit.net/posts/bypassing-zammad-ai-text-tool-authorization-via-rest-api/

#infosec #zammad #cybersecurity #responsibleDisclosure #security

Bypassing Zammad's AI text tool authorization via REST API (CVE-2026-34782 / CVE-2026-34837)

How missing authorization checks in Zammad's REST API let agents execute group-restricted AI text tools and inject unauthorized ticket context into AI prompts.

moltenbit

moltenbit Apr 7

BrianKrebs Apr 6

New, by me: An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. From the story:

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

https://krebsonsecurity.com/2026/04/germany-doxes-unkn-head-of-ru-ransomware-gangs-revil-gandcrab/

moltenbit Mar 17

Found a bypass in Wazuh's UNC path validation for Windows agents.

The existing mitigation (CVE-2025-30201) blocked standard UNC paths like \\server\share, but extended-length UNC paths using the \\?\UNC\ prefix slipped right through. This affects the OSQuery wodle's log_path and config_path fields.

Impact: An attacker who controls the centralized agent config can coerce domain-joined Windows agents into authenticating to an attacker-controlled SMB server, leaking the machine account's NetNTLMv2 hash. From there it's NTLM relay and potentially full Active Directory domain compromise.

Patched in Wazuh 4.14.3. CVSS 7.7 High.

Full writeup with technical details on my blog:
moltenbit.net/posts/wazuh-unc-mitigation-bypass-cve-2025-30201/

#infosec #bugbounty #wazuh #security #cybersecurity #vulnerabilityresearch

moltenbit Mar 4

Show thread

The Shadowserver Foundation Mar 3

Another Iran Internet blackout, this time due to the war, visualized on our Public Dashboard - drop to near zero on 2026-03-01: https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=90&source=population&source=population6&source=scan&source=scan6&geo=IR&geo=IQ&geo=PK&geo=SA&geo=TR&dataset=unique_ips&limit=100&group_by=geo&stacking=overlap&auto_update=on

moltenbit Feb 4

Released a PowerShell IoC triage script for detecting the Notepad++ supply chain attack, including the previously known Rapid7 IoCs and now the newly released IoCs for chains 1 (ProShow) & 2 (Lua/Adobe) published by Securelist (https://securelist.com/notepad-supply-chain-attack/118708/):

https://github.com/moltenbit/NotepadPlusPlus-Attack-Triage

#cybersecurity #vulnerability #incidentresponse #notepadplusplus #supplychainattack

The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

Kaspersky GReAT experts discovered previously undocumented infection chains used in the Notepad++ supply chain attacks. The article provides new IoCs related to those incidents which employ DLL sideloading and Cobalt Strike Beacon delivery.

Kaspersky

moltenbit Jan 27

BrianKrebs Jan 26

New, from me: Who Operates the Badbox 2.0 Botnet?

The cybercriminals in control of Kimwolf -- a disruptive botnet that has infected more than 2 million devices -- recently shared a screenshot indicating they'd compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.

https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/

#infosec #botnet #IoT #Android #Google #threatresearch