LodeHQSubscribe →

SonicWall zero-days, ServiceNow RCE, Cursor IDE exploit

Infosec · 2026-07-15

Vulnerabilities & Exploits
SonicWall SMA 1000 Appliances Compromised by Two Active Zero‑Days, One Grants Full Admin Access5 MIN

SonicWall confirmed that two zero‑day flaws in its SMA 1000 series, CVE‑2026‑15409 (critical SSRF, CVSS 10) and CVE‑2026‑15410 (code injection), are being exploited in the wild. Chaining the bugs lets an unauthenticated attacker execute arbitrary commands with admin privileges. SonicWall issued emergency patches; users must upgrade now to secure remote access.

Unauthenticated RCE in ServiceNow via GlideRecord Sandbox Escape11 MIN

Researchers discovered a pre-authentication remote code execution flaw in ServiceNow's GlideRecord API. By injecting JavaScript into query filters, they escaped the JS sandbox and seized full control of the instance and linked proxy servers. The bug enables anyone on the internet to compromise ServiceNow deployments without credentials.

Cursor IDE auto‑executes malicious git.exe from repo roots, enabling silent code execution7 MIN

Cursor on Windows runs any git.exe found in a repository’s root when the project is opened, without prompts or user consent. This lets an attacker ship a poisoned repo that executes arbitrary code with the user’s privileges, exposing millions of developers to silent compromise.

Threats & Malware
OAuth Client ID Spoofing Lets Attackers Validate Entra Credentials Stealthily8 MIN

Proofpoint uncovered OAuth client ID spoofing in Microsoft Entra ID, where attackers send ROPC token requests with forged client IDs to verify usernames and passwords without creating a successful sign‑in event. The technique lets threat groups enumerate accounts at scale while evading typical log‑based alerts, forcing defenders to monitor for sign‑ins lacking a known application ID.

AI‑aided TuxBot v3 Evolution botnet spawns malformed code and massive IoT threats32 MIN

Researchers uncovered TuxBot v3 Evolution, a modular IoT botnet built with AI assistance that left safety warnings in the code and malfunctioning features. The framework can hijack thousands of devices via Telnet brute‑force, deploy DDoS attacks, and uses a sophisticated multi‑channel C2. Its AI‑aided creation hints at a new shortcut for malware developers, raising the threat surface for IoT ecosystems.

OkoBot injects fake Ledger and Trezor windows to steal seed phrases16 MIN

Kaspersky’s GReAT team reports that the OkoBot framework, active since April 2025, uses a SeedHunter module to watch for Ledger Live and Trezor Suite on Windows PCs. It injects a fake recovery‑phrase window inside the genuine app, captures the seed phrase and forwards it to a moonsand.store C2, putting crypto holders worldwide at risk.

Privacy, Policy & Governance
ETH Zurich’s ‘Fourier Pixel’ Turns Any Display Into a Hidden Camera1 MIN

ETH Zurich researchers unveiled a “Fourier pixel” that lets a screen emit and capture light simultaneously, effectively turning any display into a camera. This tech could covertly transform ordinary monitors into surveillance devices, raising immediate privacy concerns for both consumers and enterprises.

Research & Tools
Little Snitch for Linux offers macOS‑style firewall in open source1 MIN

Objective Development released the open‑source component of Little Snitch for Linux, a macOS‑inspired network monitor and personal firewall. The repo ships eBPF kernels, Rust crates, and a web UI, letting Linux users inspect outbound connections and block hosts without buying a proprietary product.

Context bombs slash AI attack success 90% in simulated AWS range4 MIN

Tracebit showed that planting a single “context bomb”, a short safety‑trigger string, inside a canary secret reduces autonomous AI agents’ success in an AWS red‑team simulation by about 90% across five leading models. The technique converts decoys into active guards, offering a practical, low‑overhead defense against misaligned agents.

Bind Links Let Attackers Blind EDRs via File, Process and Silo Tricks22 MIN

Bitdefender Labs identified three bind‑link techniques, File‑Binding, Process‑Binding, and Silo‑Binding, that let an admin‑level attacker redirect trusted paths, run malicious code unnoticed, and present clean files to outside scans. This undermines EDR sensors, AMSI, AppLocker and forensic tools, expanding the Windows attack surface.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ