sig9.ch

21/05/2026

Hacker Wars - May 21, 2026

Your daily dose of infosec chaos

---

Supply-chain attacks are back on the menu, zero-days are getting patched faster than you can say "CVE", and someone found a nine-year-old kernel bug hiding in plain sight. Just another Thursday in infosec.

---

GitHub Got Breached Through a VS Code Extension

Attackers got into GitHub's internal repositories through a poisoned build of the Nx Console VS Code extension that an employee had installed. The malicious extension gave them access to 3,800 internal repos, because apparently we're still trusting random extensions with our crown jewels. An IDE extension runs with the developer's full user privileges and whatever credentials sit on that machine, so one bad update on one laptop is enough.

**What to do:** Audit your VS Code extensions and remove anything you don't actively use. Implement extension allowlisting in corporate environments, and treat extension auto-update as part of your supply chain: an extension that was legitimate when you installed it can turn malicious in its next release.
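As an added example (not code from the original bulletin, from GitHub or from the Nx project), here is a small shell audit that compares an installed-extension list against an allowlist and fails if anything unapproved is present. The input format is what `code --list-extensions --show-versions` prints (one `publisher.name@version` per line); the extension list and version numbers in the sample are constructed, and the allowlist entries are placeholders you would replace with your own.

```shell
#!/usr/bin/env bash
# Added example: audit installed VS Code extensions against an allowlist.
# Input: one "publisher.name@version" per line, as printed by
#   code --list-extensions --show-versions
# The sample list and versions below are constructed, not real telemetry.

# Allowlist, one entry per line. "publisher.name" allows one extension;
# a bare "publisher" allows everything from that publisher. Placeholders.
ALLOWLIST='ms-python.python
ms-vscode.cpptools
github'

# Constructed sample of a developer workstation's extension list.
SAMPLE_INSTALLED='ms-python.python@2026.4.0
github.copilot@1.300.0
nrwl.angular-console@18.70.0
ms-vscode.cpptools@1.26.1
totally-legit.code-helper@0.0.3'

# is_allowed ID -> 0 if "publisher.name" or its publisher is on the allowlist
is_allowed() {
    local id="$1" publisher="${1%%.*}" entry
    while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        [ "$entry" = "$id" ] && return 0
        [ "$entry" = "$publisher" ] && return 0
    done <<EOF
$ALLOWLIST
EOF
    return 1
}

# audit_extensions < list -> prints each installed extension that is not
# allowlisted (with its version); returns 1 if any were found, 0 if clean.
audit_extensions() {
    local line id found=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        id="${line%@*}"          # strip "@version"
        if ! is_allowed "$id"; then
            printf 'NOT ALLOWED: %s\n' "$line"
            found=1
        fi
    done
    return "$found"
}

# Stand-alone run on the constructed sample. On a real workstation use:
#   code --list-extensions --show-versions | audit_extensions
if printf '%s\n' "$SAMPLE_INSTALLED" | audit_extensions; then
    echo "all installed extensions are allowlisted"
else
    echo "remove or formally approve the extensions listed above"
fi
```

Because the list carries versions, you can feed the same script into a CI job or an endpoint-management task and diff its output over time; a version bump on an allowlisted extension is the event worth a second look, since that is exactly the moment a poisoned release lands.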

---

Microsoft Patches Defender Zero-Days Being Exploited in the Wild

Microsoft rushed out patches for two Defender vulnerabilities that attackers were already exploiting in the wild. Both let attackers bypass security protections, which is ironic considering Defender is supposed to be the thing protecting you.

**What to do:** Update Windows Defender immediately. Fixes for Defender itself ship as antimalware platform and engine updates, not as signature definitions, so confirm that the platform and engine versions on your endpoints are current rather than only checking that definitions updated today.

---

Nine-Year-Old Linux Kernel Bug Finally Discovered

Researchers found CVE-2026-46333, a Linux kernel vulnerability that has been sitting there for nine years. It lets unprivileged local users access sensitive kernel information (CVSS 5.5: an information leak rather than a straight root exploit, though leaks like this are what privilege-escalation chains are built from). Why fix bugs when you can just... not find them?

**What to do:** Check the kernel that is actually running, not just the installed package, against your distro's advisory and apply the update, then reboot or live-patch so the fix takes effect. Hardening patch sets such as grsecurity raise the bar against local exploitation but are not a substitute for the fix.

---

SonicWall VPN MFA Bypassed Through Incomplete Patching

Attackers brute-forced VPN credentials and bypassed MFA on SonicWall Gen6 SSL-VPN appliances, then used that access to deploy ransomware tooling. Turns out the patches SonicWall released earlier didn't fully address the vulnerabilities, which is a fancy way of saying "we tried."

**What to do:** If you're running SonicWall Gen6 SSL-VPN, apply the latest patches, rotate the credentials of any VPN accounts that could have been brute-forced, and look in the VPN logs for bursts of failed logins followed by a success. Longer term, switch to certificate-based authentication instead of passwords: a certificate gives the attacker nothing to brute-force.
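The log check above, as an added example that is not part of the original bulletin and not SonicWall's own tooling: an awk-based detector that, per source IP, counts failed VPN logins, counts how many distinct usernames were tried (a spray signature), and notes whether a successful login followed the failures (the brute force that worked, which is the one to chase first). The `key=value` log format and every address, username and timestamp in the sample are constructed; adapt the field parsing to what your appliance actually emits.

```shell
#!/usr/bin/env bash
# Added example: flag brute-force and password-spray sources in VPN auth logs.
# Log format below is a constructed, generic key=value syslog style;
# real appliance logs will need the field parsing adapted.

SAMPLE_LOG='May 21 02:14:03 fw01 sslvpn: user=jsmith src=203.0.113.45 result=FAIL
May 21 02:14:04 fw01 sslvpn: user=jsmith src=203.0.113.45 result=FAIL
May 21 02:14:05 fw01 sslvpn: user=jsmith src=203.0.113.45 result=FAIL
May 21 02:14:06 fw01 sslvpn: user=jsmith src=203.0.113.45 result=FAIL
May 21 02:14:07 fw01 sslvpn: user=jsmith src=203.0.113.45 result=FAIL
May 21 02:14:09 fw01 sslvpn: user=jsmith src=203.0.113.45 result=SUCCESS
May 21 02:20:11 fw01 sslvpn: user=admin src=198.51.100.7 result=FAIL
May 21 02:20:12 fw01 sslvpn: user=backup src=198.51.100.7 result=FAIL
May 21 02:20:13 fw01 sslvpn: user=svc-vpn src=198.51.100.7 result=FAIL
May 21 02:20:14 fw01 sslvpn: user=jdoe src=198.51.100.7 result=FAIL
May 21 03:01:40 fw01 sslvpn: user=mmueller src=192.0.2.10 result=FAIL
May 21 03:01:55 fw01 sslvpn: user=mmueller src=192.0.2.10 result=SUCCESS'

# flag_bruteforce THRESHOLD < log
# Prints one line per source IP with at least THRESHOLD failed logins:
#   src=<ip> fails=<n> users=<distinct usernames tried> success_after_fail=<yes|no>
# Sources are listed in order of first appearance. Returns 1 if any source
# was flagged, 0 otherwise, so it can gate an alert.
flag_bruteforce() {
    awk -v thr="$1" '
    {
        user = ""; src = ""; result = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "user")   user = kv[2]
            if (kv[1] == "src")    src = kv[2]
            if (kv[1] == "result") result = kv[2]
        }
        if (src == "") next
        if (!(src in seenip)) { seenip[src] = 1; ips[++n] = src }
        if (result == "FAIL") {
            fails[src]++
            if (!((src, user) in seen)) { seen[src, user] = 1; users[src]++ }
        } else if (result == "SUCCESS" && fails[src] > 0) {
            succ[src] = 1        # a success after earlier failures from this IP
        }
    }
    END {
        flagged = 0
        for (k = 1; k <= n; k++) {
            s = ips[k]
            if (fails[s] + 0 >= thr) {
                flagged++
                ok = (s in succ) ? "yes" : "no"
                printf "src=%s fails=%d users=%d success_after_fail=%s\n",
                       s, fails[s], users[s], ok
            }
        }
        exit (flagged ? 1 : 0)
    }'
}

# Stand-alone run over the constructed sample with a threshold of 4 failures.
if ! printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 4; then
    echo "review the sources above; lock out the accounts and rotate their credentials"
fi
```

Two sources get flagged in the sample: one IP hammering a single account until it succeeds (the incident pattern the bulletin describes) and one IP trying one password across many accounts, which stays below most per-account lockout thresholds and is why the detector counts per source rather than per user.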

---

That's the chaos for today. Stay sharp out there.

---

Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

*This bulletin is provided for informational purposes. Contact us for tailored security analysis.*

15/05/2026

Hacker Wars - May 15, 2026

---

Another day, another CVSS 10.0 zero-day actively exploited in the wild - this time Cisco's SD-WAN gets the honors. Microsoft Exchange also decided to join the party with an XSS zero-day, because apparently Patch Tuesday wasn't enough excitement this week. Oh, and a student shut down bullet trains with a radio. You know, just a normal Thursday.

---

Cisco SD-WAN Zero-Day Grants Full Admin Access (CVE-2026-20182)

Cisco confirmed that a maximum-severity authentication bypass in the Catalyst SD-WAN Controller is being exploited in the wild, handing attackers administrative control over affected devices. This is the second CVSS 10.0 flaw in Cisco's SD-WAN stack exploited this year - which is a pattern, not a coincidence.

**What to do:** Patch your SD-WAN controllers immediately. If you can't patch today, restrict management-interface access to trusted networks only. And because this is an authentication bypass that is already being exploited, patching does not evict anyone who got in before you did: review the controller's admin accounts and recent configuration changes.

---

Microsoft Exchange XSS Zero-Day Targets Outlook Web Users

Microsoft published mitigations for a high-severity cross-site scripting flaw in Exchange Server that's already being weaponized against Outlook on the web users. Attackers can run arbitrary script in the victim's browser session, with the victim's mailbox access - classic stored XSS, but in your mail server.

**What to do:** Apply Microsoft's recommended mitigations and monitor Exchange logs for unusual OWAscript.aspx requests.

---

Pwn2Own Berlin Day One: 24 Zero-Days, Half a Million in Payouts

Security researchers walked away with $523,000 on day one of Pwn2Own Berlin after demonstrating 24 unique zero-days against Windows 11, Microsoft Edge, and other targets. The highlights included full system compromises that would make any red team proud.

**What to do:** Nothing actionable yet. Pwn2Own bugs go to the vendors under a 90-day disclosure window, so expect a flood of patches from Microsoft and friends in the coming weeks. Stay tuned.

---

Student With Software-Defined Radio Shuts Down Taiwan Bullet Trains

A Taiwanese student experimenting with software-defined radio technology managed to halt three high-speed trains for nearly an hour, triggering an anti-terrorism response. The incident exposed glaring gaps in rail system cybersecurity - specifically, the lack of signal authentication in critical transit infrastructure.

**What to do:** If you operate ICS or OT environments, assume radio-frequency attacks are within reach of motivated amateurs with commodity SDR hardware. Review your physical-layer security: which RF links carry safety-relevant commands, and whether the receiver authenticates the sender at all.

---

WordPress Burst Statistics Plugin Has Actively Exploited Auth Bypass

A critical authentication bypass vulnerability in the Burst Statistics WordPress plugin is being exploited to gain admin-level access to websites. If you run WordPress and this plugin sounds familiar, this is your wake-up call.

**What to do:** Update Burst Statistics immediately, then check for administrator accounts you didn't create. If you're not using it, audit your WordPress plugins for anything you don't recognize and delete it; an unused plugin is attack surface you don't need.

---

That's all for now. Patch your stuff and don't click suspicious links.

---


14/05/2026

Hacker Wars - May 14, 2026

---

Kernel vulns, mail server disasters, and ransomware gangs getting doxxed by their own sloppy OPSEC. Just another Wednesday in infosec.

---

New Fragnesia Linux Flaw Gives Attackers Root Access

A fresh kernel vulnerability dubbed "Fragnesia" (CVE-2026-46300) lets local attackers escalate to root on affected Linux systems. Distros are already pushing patches, but if you're running unpatched kernels in production, congratulations - you're a sitting duck.

**What to do:** Patch your Linux kernels immediately and reboot (or live-patch) so the fixed kernel is the one actually running. Check your distro's security advisories, and since this is a local escalation, prioritize hosts where untrusted users or code already run: shared shell servers, CI runners, container hosts, and any internet-facing box an attacker could use as a first foothold.
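The "is the fixed kernel actually running" check, as an added example that serves both this item and the May 21 note on CVE-2026-46333 above; it is not code from the original bulletin or from any distro. It compares the running kernel's version (`uname -r`, suffix stripped) against a fixed version you pass in. The fixed version is not taken from the page: the `FIXED_VERSION` placeholder below is arbitrary, and the real value comes from your distro's advisory. Note that distros backport fixes without bumping the upstream version, so on a distro kernel you feed in the package version the advisory names.

```shell
#!/usr/bin/env bash
# Added example: verify the RUNNING kernel is at or above a fixed version.
# Checking uname -r rather than the installed package catches the classic
# gap where the update was installed but nobody rebooted.
# FIXED_VERSION is a placeholder, not a value from any advisory.

# kernel_base VERSION -> strips the distro suffix: "6.8.0-51-generic" -> 6.8.0
kernel_base() {
    printf '%s\n' "${1%%-*}"
}

# version_ge A B -> 0 if dotted version A >= B, compared component by
# component as integers. Only numeric components are supported (no "rc1").
version_ge() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        a="${a#$x}"; a="${a#.}"      # drop the compared component
        b="${b#$y}"; b="${b#.}"
    done
    return 0                          # identical versions
}

# check_kernel RUNNING FIXED -> 0 and "OK" if RUNNING >= FIXED,
# 1 and "UPDATE NEEDED" otherwise.
check_kernel() {
    local running fixed="$2"
    running="$(kernel_base "$1")"
    if version_ge "$running" "$fixed"; then
        printf 'OK: running %s >= fixed %s\n' "$running" "$fixed"
        return 0
    fi
    printf 'UPDATE NEEDED: running %s < fixed %s\n' "$running" "$fixed"
    return 1
}

# Stand-alone run against this host. Override the placeholder with the
# version from your distro's advisory:  FIXED_VERSION=x.y.z ./check.sh
FIXED_VERSION="${FIXED_VERSION:-6.12.20}"
check_kernel "$(uname -r)" "$FIXED_VERSION" \
    || echo "apply your distro's kernel update and reboot (or live-patch)"
```

Run it from configuration management or a cron job across the fleet and alert on the non-zero exit; the hosts that keep failing after the package update are the ones that were never rebooted.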

---

Critical Exim RCE Flaw Threatens Mail Servers Worldwide

The Exim mail transfer agent has a critical remote code execution bug that doesn't require authentication to exploit. If you're running Exim in the affected configurations, an attacker can execute arbitrary code on your mail server without credentials, and since an MTA by design accepts connections from the whole internet, that's about as bad as it gets.

**What to do:** Update Exim to the latest patched version. If you can't patch right now, consider restricting access to your SMTP ports and reviewing your Exim configuration for affected options.

---

West Pharmaceutical Confirms Ransomware Attack With Data Theft

West Pharmaceutical Services disclosed a cyberattack where hackers both stole data and encrypted systems - the classic double extortion playbook. The healthcare/pharma sector continues to be a favorite target, because nothing says "pay up" like threatening to leak sensitive data.

**What to do:** Review your organization's incident response plan and ensure backups are air-gapped and tested. If you're in healthcare, assume you're a target.

---

MuddyWater Expands Espionage Campaign Across Asia

Iran's MuddyWater group has been busy - at least nine organizations across multiple countries and sectors got hit in a broad cyber-espionage campaign. A major South Korean electronics manufacturer was among the targets. State-sponsored groups don't take days off.

**What to do:** Review network segmentation and monitor for known MuddyWater TTPs, including suspicious use of legitimate remote management tools.

---

The Gentlemen RaaS Gang Gets a Taste of Their Own Medicine

In a delightful turn of events, an OPSEC failure exposed the internal workings of "The Gentlemen" ransomware-as-a-service operation. The leak reveals their affiliate model, tactics, and organizational structure. Turns out even cybercriminals struggle with operational security sometimes.

**What to do:** Use the leaked IOCs and TTPs to update your threat detection rules. If you're tracking ransomware groups, this is a goldmine of intel.

---

Catch you tomorrow. In the meantime, go check your attack surface.

---
