Seclog - #176
In this week's Seclog, the cybersecurity landscape is marked by a flurry of critical vulnerability disclosures across diverse platforms, highlighting pervasive risks from hypervisors to web applications. Remote Code Execution (RCE) flaws continue to dominate, affecting critical infrastructure like Citrix XenServer, GitHub Enterprise Server, and ActiveMQ, often via API exploitation or complex chaining of vulnerabilities in image processing libraries like ImageMagick and Ghostscript. Concurrently, the evolving threat surface of Artificial Intelligence is becoming a central theme, with analyses of prompt injection attacks and Google's adjustment of its Vulnerability Reward Programs to reflect AI-era security challenges. Furthermore, detailed threat actor profiles and spyware discoveries underscore the persistent and sophisticated nature of modern adversaries, while explorations into secure operational relay techniques and the inherent difficulties of sanitizing complex file formats like SVGs provide valuable technical insights for defenders and researchers alike.
📰 SecLinks
Citrix XenServer XAPI Vulnerabilities Disclosed - moksha.dk
A comprehensive disclosure details 89 independently exploitable vulnerabilities, including 5 Critical and 28 High severity flaws, in Citrix XenServer's hypervisor management platform (XAPI). Affecting 8 different XAPI object types, this research highlights significant attack surface exposure in critical virtualization infrastructure. Immediate attention for patching and mitigation strategies is warranted to prevent exploitation.
Challenges in SVG Sanitization Explored - muffin.ink
This article delves into the inherent difficulties and complexities associated with effectively sanitizing SVG files. It implicitly argues that improper SVG sanitization can introduce various security risks, such as XSS or other client-side vulnerabilities, due to the format's rich scripting and linking capabilities. Security professionals should review their SVG processing pipelines and consider robust, multi-layered sanitization techniques.
Handala Hack Team Profiled by Intelligence - outpost24.com
Threat intelligence research provides a profile of the "Handala Hack Team," an actor group linked to multiple high-profile cyber-attacks. Understanding the TTPs, motivations, and targeting patterns of such groups is crucial for proactive defense and threat hunting efforts. Organizations should integrate this intelligence into their defensive postures to anticipate and defend against potential attacks from this specific group.
GitHub Enterprise Server RCE Vulnerability - wiz.io
This report details an RCE vulnerability (CVE-2026-3854) in GitHub Enterprise Server, rated CVSS 8.7. The flaw permits remote code execution, posing a severe risk to organizations using GHES for code management and CI/CD pipelines. Security teams should urgently identify and patch all vulnerable GHES instances to prevent compromise and potential supply chain attacks.
AI Prompt Injection Threats Analyzed - security.googleblog.com
Google's Threat Intelligence teams analyze the current landscape of AI threats, specifically focusing on prompt injection attacks on web applications integrating Large Language Models (LLMs). This research highlights the evolving attack surface presented by LLMs in public-facing services. Defenders need to develop new strategies and validation mechanisms to mitigate risks like data exfiltration or system manipulation.
AI's Impact on CTF Competitions - blog.includesecurity.com
This article examines the growing influence of AI, specifically LLMs, in solving Capture The Flag (CTF) challenges, observing shifts in winning strategies towards orchestrated AI pipelines. It highlights how lighter-weight models efficiently handle easier tasks while heavier models apply advanced reasoning to complex problems. Despite their CTF success, the authors caution that LLMs' effectiveness doesn't fully translate to real-world professional security assessments.
OpSec Safe Relay Techniques for Operations - turtlesec.io
This research explores "Man-In-The-Service" techniques, focusing on achieving highly OpSec-safe relay methods. This is critical for red teams and penetration testers to maintain stealth and prevent detection during engagements. Understanding these advanced relay strategies can help blue teams better identify and defend against sophisticated adversaries using similar covert communication channels.
Morpheus Spyware Linked to IPS Intelligence - osservatorionessuno.org
A new spyware, named "Morpheus," has been identified and linked to IPS Intelligence, signaling the emergence of another sophisticated surveillance tool. This discovery suggests its likely employment by state-sponsored or advanced persistent threat (APT) actors. Organizations should update their threat intelligence feeds and detection mechanisms to identify indicators of compromise (IoCs) related to Morpheus spyware.
Enterprise Audiovisual Hardware Vulnerabilities Found - spaceraccoon.dev
This research details the process of discovering vulnerabilities within enterprise audiovisual (AV) hardware, highlighting an often-overlooked attack surface within corporate environments. Networked AV equipment can introduce significant security risks. Security professionals should expand their scope of penetration testing and vulnerability assessments to include specialized hardware like AV systems, as these devices can be entry points for network compromise.
Bug Bounty's Role in CTF Future - blog.krauq.com
This piece explores the potential evolution of Capture The Flag (CTF) competitions, suggesting a future where bug bounty programs play a more central role. It implicitly argues that real-world application security testing and vulnerability disclosure, as practiced in bug bounties, offer more relevant skills than traditional CTFs. This perspective encourages security practitioners to bridge the gap between theoretical CTF skills and practical vulnerability research.
Google Support Data Leak via Hacking - michaeldalton.au
A detailed write-up describes how a vulnerability in Google Support led to the potential leakage of millions of customer records, earning a $14k bounty. This highlights the critical importance of secure customer support portals, which often handle sensitive data and can be a lucrative target for attackers. The case serves as a reminder for organizations to rigorously test and secure all public-facing applications.
ActiveMQ RCE via Jolokia API Exploit - horizon3.ai
This disclosure details CVE-2026-34197, an RCE vulnerability in ActiveMQ that exploits the Jolokia API to execute remote commands. This flaw can lead to complete system compromise if an attacker gains access to a vulnerable ActiveMQ instance, enabling arbitrary code execution. Organizations using ActiveMQ must immediately identify affected versions, apply patches, and implement detection mechanisms for post-exploitation activity.
iOS Deep Link Attack Surfaces Explained - 8ksec.io
This article introduces the concept of deep link attack surfaces in iOS applications, covering URL schemes and universal links. It aims to help security researchers identify common misconfigurations that can lead to vulnerabilities in how iOS apps handle external links. Developers and security testers should review their deep link implementations for potential exploitation vectors, such as unauthorized data access or functionality bypasses.
Elementor Stored XSS via REST API - cryptocat.me
This provides a root cause analysis of CVE-2026-6127, a stored XSS vulnerability in Elementor Website Builder. The flaw allows Contributor-level users (or higher) to bypass _elementor_data sanitization via form-encoded REST API requests, injecting malicious scripts. This highlights the importance of comprehensive input validation and sanitization across all API endpoints, especially for CMS plugins that grant broad content modification privileges.
SVG to RCE via ImageMagick, Ghostscript - blog.deephacking.tech
This article details "ImagePanick," an exploit chain demonstrating how a crafted SVG file can lead to arbitrary file write and RCE. The attack abuses weak default policies in ImageMagick and vulnerabilities in Ghostscript 10.06.0, completely bypassing its SAFER mode. Organizations processing user-uploaded images, particularly SVGs, must critically review their ImageMagick and Ghostscript configurations and ensure all components are patched.
Google VRPs Evolve for AI Era - bughunters.google.com
Google is updating its Android & Chrome Vulnerability Reward Programs (VRPs) to reflect the changing security landscape, particularly concerning AI. The changes involve adjusting reward amounts and bonuses to prioritize bug categories that offer the most significant security value in the current threat environment. This signals an increasing focus on novel attack vectors and vulnerabilities emerging from AI integration.