WireHawk Security’s Post

Threat actors are exploiting a vulnerability in Cursor, an AI-powered code editor, by injecting malicious code via a rogue Model Context Protocol (MCP) server. This enables credential theft and full workstation compromise, posing significant risks to developers. Defenders should immediately review and secure their Cursor installations, focusing on MCP server integrity to prevent credential harvesting and workstation compromise. ⚠️ #ai #cybersecurity #vulnerability https://lnkd.in/gpZMbn9W

AI slop comes to ransomware! Interesting write up about monkey ransomware. The researchers assessed it looked like it was AI written and cobbled together based on a few things: • ELF Linux binary containing Windows-only commands (e.g., vssadmin) — platform mismatch. • Multiple overlapping persistence mechanisms without rationale — redundancy without design intent. • Generic, template-style ransom note text — indistinguishable from boilerplate outputs. • Reused code fragments stitched together without optimization — “slop-assembled” behavior. • String slicing and blob-pattern constants suggest automated generation rather than deliberate engineering. • Authors conclude “most plausibly AI-authored slop glued together without a human’s sense of fit and finish,” expressing an explicit analytic judgment.

A trend to be grateful for? FunkSec's AI-generated ransomware used hardcoded encryption keys—enabling Avast Labs to create a free public decryptor over the summer. Poor key management, good outcome for victims. https://lnkd.in/gxTwEjkD

🌀 Race conditions remain one of the most underestimated threats in modern web applications — and with the advent of HTTP/3 and QUIC, things are getting even more interesting. In our latest paper, recently published in Computers & Security, we analyze how race conditions can emerge in HTTP/3 environments and introduce QUICker, a research tool designed to experimentally study and reproduce these scenarios in a controlled, authorized setting. This work builds on the brilliant ideas behind James Kettle’s Single Packet Attack in HTTP/2, which inspired the design of the QUIC-based approach. Curious to learn more? 📄 Read the full paper here: https://lnkd.in/dvZYCe2J 💻 Explore QUICker on GitHub: https://lnkd.in/d38THGWV A huge thank you to my amazing co-authors: Lorenzo Pisu, Leonardo Regano, Davide Maiorca, and Giorgio Giacinto!

I'm a few days late, but last week's haul for VulnCheck Initial Access Intelligence customers included new #exploits, detections, PCAPs, and more for Tenda AC15 AC1900 devices, Flowise, and LG Simple Editor. The team also shipped a scanner for F5 BIG-IP management interfaces (plus ASM queries) and signatures for Redis CVE-2025-46818 (privesc) and CVE-2025-49844 (use-after-free). Notably, despite the news cycle, none of the public PoC for Redis manages to successfully trigger a crash, let alone get code execution. VulnCheck's research team assesses that the UAF is unlikely to be exploitable at scale, which isn't super surprising. More details and #threat context in the team's release notes! https://lnkd.in/ezJb-FXq

⚠️ .NET Core CVE-2025-55315 – Request Smuggling confirmed in Kestrel. Admins and developers should patch immediately and review proxy configurations. #kestrel #CVE202555315 #DotNet #ThreatIntelligence #CyberXTron #smugglingflaw

🚨 New .NET Core CVE — Request Smuggling confirmed in Kestrel (CVE-2025-55315) CyberXTron Threat Research has validated a critical HTTP Request Smuggling flaw affecting ASP.NET Core’s Kestrel server when deployed behind NGINX and other reverse proxies. 🧩 Root cause:  Ambiguously terminated Transfer-Encoding: chunked payloads on keep-alive connections cause proxy-backend desynchronization. NGINX forwards raw bytes → Kestrel interprets them as a new HTTP request. 🔥 Impact:  • Proxy/WAF bypass  • Session hijacking via shared cookies  • Privilege escalation to admin routes  • Potential data exfiltration and RCE in chained attacks 🧪 Our PoC showed two logical requests (POST + hidden GET) over a single TCP stream — the smuggled request executed silently within the victim’s session context. 🛡 Mitigation:  • Patch to ASP.NET Core 8.0.21 / 9.0.10 / 10.0.0-rc.2  • Align proxy parsing behavior  • Monitor for dual header indicators (Content-Length + Transfer-Encoding) 📜 We’ve also released SIGMA detection rules for request smuggling patterns. Read the complete analysis → 👉 https://lnkd.in/gFvFrqF2 #CVE2025 #AppSec #DotNetCore #Kestrel #NGINX #RequestSmuggling #CyberXTron #ThreatIntel #HTTPDesync #SecurityResearch

🔐 Diving Deep into DNS — TryHackMe: DNS in Detail 🔍 Today I worked through the TryHackMe — DNS in Detail lab to strengthen practical DNS skills that every infosec professional should master. What I practiced and learned: Core DNS concepts: A / AAAA / CNAME / MX / TXT records, TTL, and reverse DNS. Hands-on techniques for DNS enumeration and subdomain discovery. Understanding zone transfers, DNS recursion, and common misconfigurations that lead to information leakage. How DNS plays a role in reconnaissance for both defensive and offensive operations. Tools & techniques commonly used in this kind of lab: dig, nslookup, host for record lookups and troubleshooting Zone transfer testing and subdomain brute-forcing/enumeration Analysis of DNS responses (TTL, authoritative vs non-authoritative answers) Correlating DNS results with passive feeds and public records Why this matters: DNS is the backbone of the internet — misconfigurations and leaked DNS data are rich sources of intelligence for attackers and defenders alike. Practical labs like this convert theory into repeatable investigative techniques that protect organizations and inform red-team strategies. If you’re learning DNS for security, I highly recommend trying the TryHackMe room: https://lnkd.in/dqXnJsa2 #OSINT #CyberSecurity #InfoSec #DNS #ThreatIntelligence #TryHackMe #RedTeam #BlueTeam #NetworkSecurity #DigitalForensics #SecurityResearch

🔥Bypassing SSTI Filters in Web Apps. During a recent lab test, I explored how template filters can be tricked into executing payloads even when the obvious injection vectors are blocked. => Key takeaway: Always validate template input, not just escape => Here’s what worked (and what didn’t) 👇 https://lnkd.in/gBcvSCBS #CyberSecurity #SSTI #BugBounty #WebSecurity #Infosec

I finished the “Publisher” room on TryHackMe — a compact but realistic chain from discovery to root: Exploit severity: Critical — unauthenticated command injection via file upload This Publisher room exploit demonstrates how a single unpatched CMS component (SPIP with a vulnerable multipart upload handler) can let an unauthenticated attacker run OS commands and escalate to full compromise. Steps: > Performed an nmap scan to enumerate services and found Apache + SPIP. > Confirmed a multipart file-upload command-injection in the SPIP version present, then used Metasploit to exploit it and obtain RCE. > Retrieved an RSA private key from the webroot, used it to SSH in, and captured the user flag. > For the second flag I researched a custom SUID binary, inspected the container/script, made a small change to spawn a shell, and obtained the root flag. Practical takeaways: > Patch promptly. Unpatched CMS/plugins are high-risk — automate dependency scanning and patching for web apps. > Harden file uploads. Validate content-type, sanitize filenames, enforce size/type checks, and store uploads outside the webroot. Block multipart parsing abuses at the WAF level where possible. > Protect secrets in the app environment. Private keys and credentials should never be stored in web-accessible paths; use vaults/secret managers and limit file permissions. > Audit SUID and custom binaries. SUID bits and homegrown binaries are frequent escalation paths — treat them as high-priority audit items. > Defense in depth. Combine WAFs, least-privilege containers, runtime detection (EDR), and network segmentation to limit blast radius. > Use tooling with understanding. Exploitation frameworks speed testing, but replicate attacks manually (curl/Burp) to understand the vector and build proper mitigations. #tryhackme #infosec #ctf #pentesting #websecurity #linux