Red teams are pivoting through Intune to get fleet-wide SYSTEM execution after a single privileged Entra account. Here’s what the abuse looks like in the audit log, what tuning the first detection needs, and where most SOCs miss it.
A defender-oriented analysis of indirect prompt injection in tool-calling agents: where the signal actually lives in the trace pipeline, what the first week of tuning has to fix, and which 800-53 controls the implementation maps to.
CVE-2026-7482 turns Ollama’s /api/create into a heap-read primitive that exfiltrates prompts, system messages, and process environment variables through a crafted GGUF tensor shape. Patch to 0.17.1; everything else is a stopgap.
A defender-focused analysis of how APT29-aligned and Storm-2372-style intrusion sets are abusing device authorization grants and long-lived OAuth consent in Entra ID through 2026 — what to detect, what to revoke, and where it maps to 800-53.
A defender-oriented analysis of firmware- and bootloader-resident implants on perimeter network appliances, what they look like in practice, how to detect them, and how to map the response to NIST 800-53.
Hyunwoo Kim’s Dirty Frag chain extends the Dirty Pipe / Copy Fail class to skb paged fragments. The xfrm ESP receive path provides a deterministic 4-byte page-cache store (CVE-2026-43284); the rxrpc receive path provides a namespace-free trigger (CVE-2026-43500). One PoC, no race, root on Ubuntu, RHEL, CentOS Stream, AlmaLinux, Fedora, and openSUSE — including hosts that already blocklisted algif_aead for Copy Fail.
Immutable base images plus systemd sysext/confext overlays have quietly become the standard for fleet-managed Linux in 2026. They also created a persistence surface most SOCs are not yet watching.
A double-free in Apache httpd 2.4.66’s mod_http2 lets unauthenticated clients crash workers reliably and, on certain builds, opens a path to remote code execution. Here’s the defender-oriented breakdown: mechanism, detection, remediation, and 800-53 mapping.
Model Context Protocol gives agents a clean way to call tools, but it also gives every piece of retrieved content a direct line to those tools. The classic confused deputy problem is back, and most deployments are not handling it.
Model Context Protocol turned every internal API into an LLM-reachable tool. The threat model didn’t catch up. Here’s what tool poisoning looks like in production and how to harden against it.
