A CVSS 9.8 stack-based buffer overflow in Windows Netlogon gives an unauthenticated attacker code execution on a domain controller. Microsoft called exploitation ‘less likely.’ Belgium’s CCB says it’s happening now.
System-preferred authentication is moving to the first factor, the password prompt is about to vanish for passkey holders, and break-glass accounts are not exempt from mandatory MFA. Here’s what that actually changes for Entra defenders and home users.
A defender’s view of indirect prompt injection in MCP-connected and tool-calling LLM agents — what the telemetry actually looks like, where detections originate noise, and how to map containment to 800-53.
CIFSwitch is a local-root flaw in the Linux kernel’s CIFS client that a researcher surfaced with AI-assisted analysis after it sat untouched since 2007. The kernel piece is real, but whether it touches you is a configuration question, not a kernel-version one.
Chinese state actors have been inside major U.S. carrier networks for months to years. Here is what enterprise defenders should actually do about it — detection logic, SIEM specifics, and the control updates that matter.
Wildcarded sub claims in IAM trust policies for GitHub Actions OIDC are still the most common cloud-CI footgun in 2026. Here’s the detection that actually catches it, and the tuning round that has to happen before the SOC stops ignoring the alert.
Image-mode RHEL moves the host into an ostree-backed, container-built world. The threat model shifts up the stack, and most detection content built for traditional EL hosts quietly stops working.
CVE-2026-48095 is a heap buffer overflow in 7-Zip’s NTFS handler reachable from any file extension because of signature-based fallback parsing. The fix shipped in 26.01 three days after the private report; public disclosure came 25 days later. PoC is public, the trigger is a one-line undefined shift, and the exploitable vtable sits 304 bytes from the overflow site. The patch is uncomplicated. The deployment surface isn’t.
Microsoft Defender’s new Preview adds automatic Isolate device to the attack disruption stack — distinct from the Device contain action that’s been auto-firing since 2023. The distinction matters operationally. So does Microsoft’s stated 99%+ confidence threshold, the 3-day offline retry window, the workstation-only scope, and the exclusion model defenders need to wire up before flipping this on.
A defender-oriented look at the SharePoint ToolShell chain (CVE-2025-53770 / 53771) — what the telemetry actually looks like in a real SIEM, where the first round of tuning breaks, and which assumptions about your SharePoint farm change the answer.
