Six CVSS 10.0 Bugs Hit Wazuh, Step CA, Harbor at Once

◆ DEEP DIVES

1. 01

   Your SIEM Has RCE, Your PKI Issues Rogue Certs, and Langflow Was Owned in 20 Hours

   <h3>The Most Dangerous Vulnerability Week of 2026</h3><p>This is not a normal patch Tuesday cycle. <strong>Six CVSS 10.0 vulnerabilities</strong> dropped simultaneously targeting infrastructure that enterprises treat as trusted foundations — and a separate cluster of 9.0+ CVEs is hitting tools your security team depends on to detect everything else.</p><h4>Your Detection Stack Is the Target</h4><p><strong>Wazuh SIEM</strong> versions 4.0.0–4.14.2 have RCE and privilege escalation (CVE-2026-25769, CVE-2026-25770) allowing an attacker on a compromised worker node to gain <strong>root access on the master node</strong>. If your SIEM is compromised, your entire detection capability collapses. This must be your first patch — everything else on this list becomes invisible if your monitoring is owned.</p><p><strong>Step CA</strong> (Smallstep) has a CVSS 10.0 (CVE-2026-30836) allowing <strong>unauthenticated certificate issuance</strong> via SCEP UpdateReq. If you use Smallstep for internal PKI, an attacker can mint valid certificates without credentials — your entire mTLS trust chain, mutual authentication, and service mesh identity are potentially compromised. <em>Audit every certificate issued via SCEP immediately.</em></p><blockquote>When your SIEM has RCE, your PKI has unauthenticated cert issuance, your container registry has hard-coded credentials, and your web framework silently drops security headers — the attack surface isn't at the perimeter anymore, it's in the foundations.</blockquote><h4>The CVSS 10.0 Roster</h4><table><thead><tr><th>CVE</th><th>Product</th><th>Attack Vector</th><th>Auth Required</th></tr></thead><tbody><tr><td>CVE-2026-22557</td><td>UniFi Network App</td><td>Path traversal → system file access</td><td>None</td></tr><tr><td>CVE-2026-30836</td><td>Step CA (Smallstep)</td><td>SCEP → unauth cert issuance</td><td>None</td></tr><tr><td>CVE-2026-3587</td><td>WAGO Managed Switches</td><td>CLI → unauthenticated remote root</td><td>None</td></tr><tr><td>CVE-2026-32169</td><td>Azure Cloud Shell</td><td>Privilege escalation</td><td>N/A (server-side fixed)</td></tr><tr><td>CVE-2026-33057</td><td>Mesop ≤1.2.2</td><td>Code injection</td><td>None</td></tr><tr><td>Multiple</td><td>Firefox/Thunderbird</td><td>Memory corruption / RCE</td><td>Varies</td></tr></tbody></table><h4>The 20-Hour Exploitation Window</h4><p><strong>Langflow</strong> — an AI pipeline orchestration tool — had three critical CVEs disclosed (CVE-2026-33017, CVE-2026-33309, CVE-2026-33475), including unauthenticated RCE. Sysdig confirmed <strong>exploitation within 20 hours of disclosure</strong>. This matches the accelerating pattern identified in earlier briefings: the gap between CVE publication and weaponization continues compressing toward zero.</p><h4>Enterprise Infrastructure: The 9.0+ Cluster</h4><p>Beyond the 10.0s, four additional critical vulns demand this-week action:</p><ul><li><strong>GoHarbor Harbor ≤2.15.0</strong> (CVE-2026-4404, CVSS 9.4) — <strong>hard-coded credentials</strong> in your container registry. If compromised, your entire container supply chain is poisoned. Audit image push history.</li><li><strong>Spring Security 5.7–7.0</strong> (CVE-2026-22732, CVSS 9.1) — HTTP security response headers <strong>silently not written</strong>. Your Java applications may believe they're enforcing CSP, HSTS, and X-Frame-Options when they're not. Test your apps right now.</li><li><strong>gRPC-Go <1.79.3</strong> (CVE-2026-33186, CVSS 9.1) — Authorization bypass via HTTP/2 path header manipulation. In a microservices mesh, this is a <strong>trust-boundary violation</strong> across 22,844-star framework.</li><li><strong>Rails Active Storage</strong> (CVE-2026-33195/33202, CVSS 9.1–9.8) — Path traversal and injection in file upload handling. Upgrade to 8.1.2.1, 8.0.4.1, or 7.2.3.1.</li></ul><hr><p>The pattern across these vulnerabilities is unmistakable: <strong>the attack surface has moved from the perimeter to the infrastructure your security program depends on</strong>. SIEM, PKI, container registries, security headers, RPC frameworks — these aren't edge-case tools. They're the load-bearing walls of enterprise security architecture.</p>

   Action items

   • Patch Wazuh SIEM (versions 4.0.0–4.14.2) for CVE-2026-25769/25770 immediately. Segment worker-to-master communication as defense-in-depth.
   • Patch or take Langflow offline within 4 hours. Forensically review running instances and rotate all accessible credentials.
   • Verify Step CA version and audit all certificates issued via SCEP if using Smallstep for internal PKI.
   • Check Harbor version — rotate all credentials and audit image push history if running ≤2.15.0.
   • Test Spring Security header enforcement across all Java apps running versions 5.7–7.0 by inspecting actual HTTP responses.
   • Scan all microservices for gRPC-Go <1.79.3 including transitive dependencies using SBOM tooling and upgrade to 1.79.3+.

   Sources:Six CVSS 10.0s, Langflow exploited in 20 hours, and your SIEM might be the entry point · Your NetScaler appliances, your CI/CD pipelines, your Cisco switches — all under active threat today

2. 02

   Seven Sources, One Message: Google's 2029 PQC Deadline Means Harvest-Now-Decrypt-Later Is Already Stealing Your Future

   <h3>The Strongest Cross-Source Signal of the Day</h3><p>When seven independent intelligence sources all report the same development within 24 hours, that's not coincidence — it's a consensus event. <strong>Google has publicly committed to migrating all infrastructure to post-quantum cryptography by 2029</strong>, six years ahead of NIST's federal 2035 baseline. Google cited <strong>faster-than-expected advances in quantum hardware, error correction, and factoring algorithms</strong> — and explicitly warned that harvest-now-decrypt-later (HNDL) attacks are already active.</p><blockquote>When the company building the quantum computers tells you the timeline is compressing by 40%, it's a data-driven decision, not marketing.</blockquote><h4>The Timeline Contradiction That Proves the Threat</h4><p>Sources diverge on exactly when quantum breaks crypto, but the spread itself is informative:</p><table><thead><tr><th>Benchmark</th><th>PQC Target</th><th>Source</th><th>Implication</th></tr></thead><tbody><tr><td>NIST Federal Baseline</td><td>2035</td><td>Published standard</td><td>What most compliance teams plan to</td></tr><tr><td>White House Under Review</td><td>2030</td><td>Active discussions</td><td>FedRAMP/CMMC impact if adopted</td></tr><tr><td>Google Internal</td><td>2029</td><td>Public commitment (7 sources)</td><td>Vendor ecosystem will follow</td></tr><tr><td>Android 17 Beta</td><td>2026 (now)</td><td>PQC keys shipping</td><td>Mobile supply chain already transitioning</td></tr></tbody></table><p>The critical nuance: <strong>the threat is not 2029 — it's today</strong>. Nation-state adversaries are intercepting and storing encrypted traffic now, planning to decrypt it once quantum capability arrives. Any data you transmit or store today with RSA/ECC that must remain confidential beyond 2029 is at risk <em>right now</em>. Financial records, healthcare data, trade secrets, M&A communications, classified material — all harvestable today, decryptable tomorrow.</p><h4>Industry Already Moving</h4><p><strong>Android 17 beta</strong> is shipping PQC key support for app signing and signature verification, meaning the mobile software supply chain is already transitioning. Bitcoin developers are working on quantum-resistant upgrades (<strong>BIP 360</strong>), with <strong>6.8 million BTC</strong> sitting in addresses vulnerable to quantum attacks. Google is deploying NIST-vetted algorithms: <strong>ML-KEM</strong> (CRYSTALS-Kyber) for key exchange, <strong>ML-DSA</strong> (CRYSTALS-Dilithium) for digital signatures, and <strong>SLH-DSA</strong> for hash-based signatures.</p><h4>What Your Migration Actually Requires</h4><p>Enterprise PQC migration typically takes <strong>5–7 years</strong>. Google's 2029 deadline gives you roughly 3. The math doesn't work unless you've already started. The migration path:</p><ol><li><strong>Cryptographic inventory</strong> — Map every system using RSA, ECC, DH/ECDH. Tools like IBM Quantum Safe Explorer can accelerate this. Target: complete in 90 days.</li><li><strong>Data classification by sensitivity horizon</strong> — Anything confidential past 2029 is priority one for HNDL protection.</li><li><strong>Hybrid deployment</strong> — Start with TLS 1.3 hybrid key exchange (X25519+ML-KEM-768). Chrome and Firefox already support this. Low risk, high reward.</li><li><strong>Vendor pressure campaign</strong> — Ask Palo Alto, Fortinet, Cisco, Zscaler for their PQC roadmaps. No roadmap = material vendor risk finding.</li></ol><hr><p>Chinese quantum breakthroughs are the unnamed accelerant behind both Google's move and the White House's reconsideration. Multiple sources confirm this is geopolitically driven, not just technically motivated. The <strong>NSA CNSA 2.0 suite already requires PQC for national security systems</strong> — commercial mandates will follow, and auditors are already asking about quantum readiness.</p>

   Action items

   • Launch a cryptographic inventory and PQC readiness assessment this quarter. Catalog every system using quantum-vulnerable algorithms, prioritized by data sensitivity and retention period.
   • Deploy TLS 1.3 hybrid key exchange (X25519+ML-KEM-768) on edge infrastructure and internal services within 60 days.
   • Classify data by confidentiality horizon — flag everything that must remain secret past 2029 as HNDL-vulnerable and prioritize for early PQC migration.
   • Add PQC readiness to your next vendor review cycle. Request PQC roadmaps from VPN, firewall, HSM, and certificate authority vendors.

   Sources:TeamPCP chained Trivy→Checkmarx→LiteLLM into a single supply chain kill chain · Your crypto is on the clock: Google's 2029 PQC sprint signals your migration timeline just compressed by 6 years · Google just moved Q Day to 2029 — your PKI has 3 years before quantum breaks it · Google says 'harvest now, decrypt later' is active — is your crypto migration plan ready for 2029? · Your employees are building AI bots that access files and impersonate them — Meta just normalized it · Google just moved your post-quantum migration deadline to 2029 — is your crypto inventory ready?

3. 03

   APT28's 500-Day Zero-Click Arsenal Exposed, SmartApeSG's 4-RAT Kill Chain, and GSocket: The C2 Channel Your SOC Can't See

   <h3>Three Distinct Threat Actor Developments in One Week</h3><p>A rare intelligence windfall, an active multi-RAT campaign, and an emerging C2 technique converge this week to shift your detection priorities.</p><h4>APT28/FancyBear: The Exposed C2 Server</h4><p>An OPSEC failure by FancyBear (APT28/GRU Unit 26165) exposed an <strong>open-directory C2 server</strong> revealing a <strong>500+ day espionage campaign</strong> targeting government and military entities across Ukraine, Romania, Bulgaria, Greece, Serbia, and North Macedonia. The haul discovered by Ctrl-Alt-Intel: <strong>2,800+ exfiltrated emails</strong> and <strong>240+ credential sets with TOTP 2FA secrets</strong>.</p><p>The most alarming finding: a <strong>modular, multi-platform zero-click exploitation toolkit</strong> that achieves full compromise when a victim simply <em>opens</em> a malicious email — no clicks required. The attack chain delivers credential theft, <strong>2FA bypass</strong> (TOTP secrets captured), email exfiltration, and <strong>silent forwarding rule establishment that persists indefinitely</strong>, surviving password resets.</p><blockquote>The TOTP 2FA secrets in APT28's stolen credential sets confirm that time-based OTP is not sufficient against state-level threat actors. FIDO2/passkeys are the only phishing-resistant option.</blockquote><h4>SmartApeSG: 4 RATs in 2.5 Hours via ClickFix</h4><p>Brad Duncan at ISC documented the <strong>SmartApeSG</strong> (ZPHP/HANEYMANEY) infection chain using the <strong>ClickFix technique</strong> — fake browser CAPTCHA pages tricking users into running malicious scripts. The kill chain is deliberately staggered over 2.5 hours to defeat sandbox analysis windows:</p><ul><li><strong>Remcos RAT</strong> deployed at T+1 minute — immediate remote access</li><li><strong>NetSupport RAT</strong> at T+4 minutes — redundant access channel</li><li><strong>StealC</strong> at T+1 hour — credential harvesting after sandbox windows close</li><li><strong>Sectop RAT</strong> at T+2.4 hours — persistent backup backdoor</li></ul><p>Each payload serves a distinct purpose, and the staggered timeline defeats sandbox analysis that typically monitors for 5–15 minutes. This is <strong>professionally designed operational security</strong> in a commodity crimeware campaign.</p><h4>GSocket: Peer-to-Peer C2 That Evades IP-Based Detection</h4><p>Xavier Mertens documented <strong>GSocket/gs-netcat</strong> being deployed as a backdoor with characteristics that make it exceptionally difficult to detect: it uses <strong>shared secrets instead of IP addresses</strong> for communication, with both endpoints connecting outbound to a global relay network. No inbound ports, no static C2 IPs, no DNS resolution to block. With only <strong>17 antivirus detections on VirusTotal</strong>, and the deployment script being unobfuscated with comments, this is the rare combination of <em>effective evasion with low sophistication</em> — accessible to any threat actor.</p><hr><h4>Detection Gaps These Expose</h4><table><thead><tr><th>Threat</th><th>What Your SOC Misses</th><th>Detection Approach</th></tr></thead><tbody><tr><td>APT28 zero-click email</td><td>No user interaction = no click telemetry</td><td>Audit for unauthorized mail forwarding rules; block auto-loading remote content</td></tr><tr><td>SmartApeSG staggered deployment</td><td>Sandbox windows too short for later-stage payloads</td><td>Extend sandbox monitoring to 3+ hours; correlate multi-stage behavioral indicators</td></tr><tr><td>GSocket C2</td><td>No inbound connections, no static IPs, no DNS to block</td><td>Behavioral detection for gs-netcat binaries, persistent outbound tunnels, and relay infrastructure connections</td></tr></tbody></table>

   Action items

   • Audit all mailboxes for unauthorized forwarding rules this week. Disable auto-loading of remote content in email clients across the organization.
   • Verify phishing-resistant MFA (FIDO2/passkeys) deployment status and accelerate rollout. TOTP is confirmed compromised in APT28's toolkit.
   • Deploy behavioral detections for GSocket/gs-netcat: monitor for gs-netcat binaries, unexpected outbound relay connections, and Bash scripts establishing persistent tunnels. Hunt retroactively in EDR telemetry.
   • Brief security awareness teams on the ClickFix fake CAPTCHA technique and update phishing simulations to include this social engineering pattern.

   Sources:Six CVSS 10.0s, Langflow exploited in 20 hours, and your SIEM might be the entry point · Trivy & LiteLLM compromised during RSAC week — check your pipelines now, then read how AWS's own AI pentester got owned