Notable Security News & Advisories
A maintained reference of critical vulnerabilities, security incidents, and industry shifts covered on this site. Organized by year. Each entry has the essential facts, current status, and what to do about it.
2026
CVE-2026-24061 — GNU InetUtils telnetd Authentication Bypass (February 2026)
Severity: 9.8 Critical · Status: Patched in inetutils 2.7-2 · Exploited in the wild: Yes
A single environment variable (USER="-f root") gave unauthenticated attackers a root shell on any system running GNU InetUtils telnetd ≤ 2.7. CISA added it to the KEV catalog on January 26, 2026. GreyNoise documented active exploitation within 24 hours, with 83% of attempts targeting root. SafeBreach traced the flaw to 2015 — 11 years unreviewed.
The injection chain: during telnet option negotiation, telnetd reads the USER environment variable and passes it directly to login(1). Setting USER to -f root triggers login's pre-authentication flag — skip the password check. Root shell, no credentials.
Shodan data from CyCognito showed approximately 1 million devices listening on port 23 at time of disclosure.
Fix: sudo apt-get update && sudo apt-get install inetutils-telnetd (version 2.7-2+), or disable entirely:
sudo systemctl disable --now telnetd
If you can't name a specific operational reason telnet needs to run, SSH handles every remote shell use case with actual encryption.
Sources: NIST NVD · CISA KEV · SafeBreach root cause · GreyNoise telemetry · CyCognito Shodan
CVE-2026-1357 — WPvivid Backup Unauthenticated RCE (March 2026)
Severity: 9.8 Critical · Status: Patched in 0.9.124 · Affected installs: ~800,000
Unauthenticated attacker uploads a PHP webshell to any WordPress site running WPvivid Backup ≤ 0.9.123 with "receive backup" enabled. One HTTP POST, no credentials, full server access.
The exploit chain: RSA decryption fails on garbage input → phpseclib converts false to 16 null bytes as the AES key → attacker pre-encrypts payload with that predictable key → plugin writes file to /wp-content/uploads/ without path or extension validation → webshell accessible via URL.
The "receive backup from another site" feature is off by default but stays enabled after migrations. Anyone who used WPvivid to move a site and didn't manually disable receive mode is exposed.
Wordfence reported 14 public PoCs indexed by time of disclosure.
Fix: Update to 0.9.124. If you can't patch immediately: disable "receive backup from another site" in WPvivid settings. Check access logs for POST requests to wpvivid_action=send_to_site. Check /wp-content/uploads/ for unexpected .php files.
A server-level IPS like CrowdSec catches exploit attempts by pattern-matching the request structure. Restricting PHP execution in upload directories limits blast radius if a webshell does land. Both belong in any baseline VPS configuration.
Sources: Wordfence disclosure · NIST NVD · OP-C technical writeup
2024
CVE-2024-45387 — Apache Traffic Control SQL Injection (December 2024)
Severity: 9.9 Critical · Status: Patched in ATC 8.0.2
SQL injection in Apache Traffic Control's Traffic Ops component. Authenticated users with low-privilege roles (admin, federation, operations, portal, steering) could execute arbitrary SQL against the backend database via a crafted PUT request. Low-profile infrastructure component, straightforward flaw, years of unreviewed exposure.
Fix: Upgrade to Apache Traffic Control 8.0.2+.
Sources: NIST NVD · Apache advisory
2023
CVE-2023-23397 — Outlook NTLM Credential Theft (March 2023)
Severity: 9.8 Critical · Status: Patched March 2023 · Exploited: Yes (Russian state-sponsored)
Zero-interaction vulnerability in Microsoft Outlook for Windows — a specially crafted email steals NTLM credentials when Outlook processes it, even in preview. No user click required. Attributed to Russian state-sponsored actors targeting government and defense organizations.
Fix: All current Outlook versions are patched. This is a 2023 vulnerability — included here for historical reference.
Sources: Microsoft advisory
CVE-2023-2136 — Chrome Skia Integer Overflow (April 2023)
Severity: High · Status: Patched in Chrome 112.0.5615.137 · Exploited: Yes
Integer overflow in Chrome's Skia graphics library enabled remote code execution via crafted HTML. Part of an exploit chain with CVE-2023-2033 (V8 type confusion). Google confirmed active exploitation.
Fix: All current Chrome versions are patched.
Sources: Chrome releases · NIST NVD
Industry News (Archived)
Skiff Shutting Down — Acquired by Notion (February 2024)
Skiff — the end-to-end encrypted workspace (mail, docs, drive, calendar) — was acquired by Notion and ceased operations entirely. Users had until March 2024 to export data. The encrypted email service, which positioned itself as a Proton Mail alternative, is gone.
For encrypted email alternatives: Proton Mail with a custom domain.
Fedora Asahi Remix 39 on Apple Silicon (December 2023)
First mainstream Linux distribution with full desktop support on M1/M2 Apple hardware — GPU acceleration, audio, Bluetooth via the Asahi project. Relevant for privacy-focused users who want to run Linux without macOS.
Starlink Launch in Africa (2023)
SpaceX expanded Starlink satellite broadband to multiple African countries. Relevant to internet access and censorship resistance, though Starlink's US jurisdiction and cooperation with law enforcement requests makes it a connectivity tool rather than a privacy tool.
This page is updated periodically. For the latest posts: Security · News