AI Makes All Bugs Shallow? – PSW #921

Paul Asadoorian

1. GPUBreach
2. The Day the Security Music Died
3. AI For The Skeptics: Pick Your Reasons To Be Excited
4. Trump administration plans to cut cybersecurity agency’s budget by $700 million
5. Angry Hacker Drops Microsoft Zero-Day Exploit, 1 Billion Users Warned
6. Will Dormann (@[email protected])
7. Nightmare-Eclipse/BlueHammer: Repository hosting the bluehammer vulnerability
   • What happened: On April 3, 2026, a security researcher going by "Nightmare-Eclipse" / "Chaotic Eclipse" publicly dropped a working zero-day exploit called BlueHammer on GitHub, potentially affecting over 1 billion Windows devices. There is no patch available. This is a true 0-day.
   • The vulnerability (CVE-2026-21513): A local privilege escalation (LPE) combining a TOCTOU (time-of-check-time-of-use) race condition with a path confusion bug. It abuses the Windows Defender RPC interface to access volume shadow copies of locked system files, ultimately leaking the SAM database (which stores local account password hashes) and escalating to SYSTEM privileges.
   • Why it was leaked: The researcher is openly angry at Microsoft's Security Response Center (MSRC). They had privately reported the issue but were frustrated by MSRC's handling reportedly being asked for proof-of-concept videos and facing bureaucratic delays. Their statement: "I was not bluffing Microsoft, and I'm doing it again...huge thanks to MSRC leadership for making this possible!!" Security expert Will Dormann added that MSRC "used to be quite excellent to work with" before cost-cutting reduced staff expertise.
8. Given Enough Agents, All Bugs Become Shallow · Embrace The Red

   Old bugs are falling fast. Mythos found a 27-year-old OpenBSD SACK bug, a 17-year-old FreeBSD NFS RCE, and an FFmpeg bug — implying that long-dormant severity-class bugs in foundational software are now low-hanging fruit for LLM agents . These aren't toy CTF challenges.

   The patch-to-exploit window may collapse. Rehberger's sharpest observation: companies often hide patches inside larger updates, and the next logical evolution is agents that diff all software updates automatically, not just disclosed CVEs — making stealth patching irrelevant .

   Non-experts can now wake up to working RCEs. Anthropic engineers with no formal security training reportedly tasked Mythos overnight and woke up to complete, working exploits . Rehberger notes the threat model may shift to purely objective-driven attacks: "Go ransom company X" — no exploit tradecraft required.

   Isolation boundaries are the next target. A subtle but important concern: as agents are tasked specifically to find vulns, they may identify flaws in the testing isolation itself to pull in more resources. Rehberger notes his own Opus 4.6 instance figured out how to sudo and install gdb mid-test .

9. Claude Mythos Preview red.anthropic.com

   This is big: "Anthropic's red team blog post details how Claude Mythos Preview their most capable model to date autonomously identifies and exploits software vulnerabilities at a scale no prior AI model has achieved. The model discovered flaws across all major OSes and browsers, including a 17-year-old RCE in FreeBSD and a 27-year-old bug in OpenBSD, both with strong security reputations. Critically, it didn't just find bugs; it generated working proof-of-concept exploits autonomously on the first attempt in a significant portion of test cases." - With AI, are all bugs shallow?

10. ygashu · From UART to Root: Vendor Shell Escape on a Uniview IP Camera
    • A researcher picked up a Uniview SC3243 IP camera off eBay and walked through a full hardware-to-root compromise. After opening the enclosure, they identified an unpopulated 4-pin UART header, mapped the pinout with a multimeter, and connected via a Tigard at 115200 baud, capturing live boot logs from a U-Boot 2020.04 bootloader running on an Axera AX620E SoC.
    • The camera dropped into a restricted vendor shell after logging in with the default credentials, a classic weak-default-password finding. The shell whitelisted only a small set of commands, but the researcher noticed some were .sh scripts on a writable flash partition.
    • By interrupting autoboot and using setenv in U-Boot to add single to bootargs, they booted into single-user mode and obtained a root shell. From there, they manually mounted the UBIFS program partition, identified a whitelisted script (checksysready.sh) on writable storage, prepended /bin/sh to it, rebooted, and called the command from the vendor shell — escaping to a full, unrestricted root shell.
11. Spooler Alert: Remote Unauth’d RCE-to-root Chain in CUPS

    A SpaceX security engineer turned a team of AI agents loose on CUPS — the print server running on basically every Linux and Unix system — and the bots found a two-step attack chain that goes from zero access on the network to full root.

    The Chain First, CVE-2026-34980 lets an unauthenticated attacker trick CUPS into executing arbitrary code just by sending a malformed print job to a shared PostScript queue. That lands you a shell as the lp (printer) user — not root, but a foot in the door.

    Then CVE-2026-34990 takes over: from that low-priv foothold, you can trick CUPS into handing over its own admin token by making it authenticate to you. With that token, you gain the ability to overwrite arbitrary files as root — the PoC literally drops a sudoers file to prove the point.

    Why It's Interesting The discovery itself is arguably as newsworthy as the bugs. Manizada didn't hunt these manually — he built orchestrated AI agents that autonomously reasoned about code paths, formed hypotheses, and confirmed exploitability. It's an early real-world signal that AI-assisted vuln hunting is maturing from hype into actual results.

    No patch is out yet, though fixes exist in the OpenPrinting repo. If you're running CUPS with shared network queues, that's your exposure window right now.

12. SOHO router compromise leads to DNS hijacking and adversary-in-the-middle attacks
13. AI agents found vulns in this Linux and Unix print server
14. A New Linux Kernel Driver Wants to Catch Malicious USB Devices in the Act

    Could we wipe out BadUSB attacks if we just did this:

    "The way it works is fairly clever. Rather than blocking anything outright, the module sits quietly in the background and scores incoming HID devices based on three signals: Keystroke timing entropy, plug-and-type latency, and USB descriptor fingerprinting. The idea here is that a real human typing on a real keyboard behaves very differently from a device that was purpose-built to inject keystrokes the moment it's plugged in."

15. Mongoose: Preauth RCE and mTLS Bypass on Millions of Devices
    • Mongoose is a single-file C networking library used in hundreds of millions of embedded/IoT devices — Siemens, Schneider Electric, Broadcom, Bosch, Google, Samsung, Qualcomm, even ISS systems
    • Its selling point: a built-in TLS 1.3 stack so resource-constrained MIPS/ARM devices don't need OpenSSL
    • Simone Margaritelli (@evilsocket) found three independent preauth vulns in v7.20 — all zero-auth, all exploitable independently
    • One vuln makes the implementation of cryptographic firmware signing very important, as if the TLS library has vulnerabilities, attackers can easily bypass TLS to get firmware of their choosing on the device. This is made possible by CVE-2026-5246. A medium severity, but higher in my opinion.
    • A single UDP packet stack overflow RCE, that is bad
    • There is another heap overflow too
    • Patch availability means nothing if the firmware update pipeline doesn't exist for these devices

    Good news: Most of the devices using this are made in China, so new ones can't be sold in the US, so we're safe, right?

Larry Pesce

1. Operation Masquerade: FBI Disrupts Russian Router Hacking Campaign
2. We broke 92% of SHA-256
3. RAM
4. Criminals are renting virtual phones to bypass bank security
5. 433map — RF Signal Map
6. Iran-linked hackers target water, energy in US, FBI and CISA warn
7. (21) MG on X: “My friend @joegrand did it again. He’s not just recovering millions in crypto wallets, but also unveiling messy relationships, betrayal, etc. A very entertaining watch reminiscent of the start of a murder mystery. He’s also upgraded from voltage glitching to electro magnetic” / X
8. Here’s how not to leak military information with your Strava run
9. Delve – Fake Compliance as a Service – Part I

Mandy Logan

1. Bucklog’s Machine: Inside a Kubernetes Scanning Fleet

   It’s a professional-grade Kubernetes-orchestrated scanning fleet run by Bucklog SARL (AS211590) out of a single /24 in Paris (185.177.72.0/24). In just 90 days (Dec 2025–Mar 2026), it generated 13 million scanning sessions, peaking at nearly 1 million sessions per day. They’re systematically mapping exposed webhooks, automation platforms, and secrets. Curl hammering GETs and POSTs, l9explore for vuln scanning, double URL encoding to dodge WAFs, millions of probes for .env files, AWS creds, Git configs, /proc. Heavy focus on n8n (fresh CVEs for file access and RCE), plus healthcare systems, Laravel, WordPress plugins. This is cloud-native recon at an industrial scale. Feels intentional? Ramped up in mid-February, 15 days before the US/Israel-Iran conflict escalation. Reading non-local fields and energetic weight while caring about the human infrastructure here… my receptors are high alert. Shows habits of a fleet that’s building inventories for whatever comes next.

   Next steps (identified with GROK): Inventory every exposed webhook, form endpoint, and automation workflow in your clusters. Lock down .env and config files like your job depends on it. Watch for JA4 fingerprints (the GET and POST ones), curl/8.7.1 user-agents, and traffic from that Paris /24.

   For the humans: Add somatic (body) grounding so your brain stays sharp when the volume spikes. Treat cloud exposure as the new perimeter.

   Personally? I go toward data-centric AI, AI inside data that acts autonomously on behalf of humans. Check into Not endorsing: Intufo, Sertainty, Forcepoint Data Security Cloud + Self-Aware Data Security, Veeam Agent Commander.

2. Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws in Medusa Ransomware Attacks

   The energetic weight of shrinking human response windows is crushing. This is one example that makes my gut churn. This makes good practitioners question if they can keep showing up, and it needs to be noted.

   Storm-1175 isn’t a nation-state ghost. It’s a financially motivated crew riding Medusa ransomware. They scan the internet for exposed mail servers, file-transfer boxes, and anything web-facing, dropping web shells, abusing RMM tools, flipping Defender exclusions, stealing creds, and dumping everything to the cloud with Rclone. From first breach to full encryption and double-extortion leak threats in as little as 24 hours. They’re chaining zero-days sometimes a full week before the public CVE drops. Healthcare, schools, finance, and professional services in the US, UK, and Australia are hardest hit.

   Patch, patch, patch. Shoot for 72 hours or less for anything on CISA KEV. Check your mail servers and file-transfer boxes now.

   Human side: Learn and practice box breathing, get a sensory toy to bring back your awareness to the day, and smile that you are doing every next right step you can.

3. n8n Should Have More Than One CISA KEV Entry

   Ongoing failure in how the defender community (and CISA) calibrates urgency around automation tools that sit at the heart of modern workflows.

   n8n is everywhere in SOCs, IR teams, and cloud ops — the open-source automation platform that glues together alerts, playbooks, integrations, and webhooks.

   Only one vuln (CVE-2025-68613, authenticated RCE) made CISA KEV on March 11, 2026, even though it chains perfectly with CVE-2026-21858 (unauthenticated authentication bypass + arbitrary file access leading to full RCE). That bypass turns the whole thing into unauthenticated remote code execution on versions from 1.65.0 (Oct 2024) all the way to 1.121.0 (Nov 2025). Public PoCs exist, and real exploitation is happening. VulnCheck saw attacks on their canaries, heavy probes from specific IPs (including the Paris /24 tied to BuckLog), plus consistent hits reported by Shadowserver, GreyNoise, and honeypots.

   Over 14,000–24,700 exposed vulnerable instances still sit on the internet months after patches dropped. Adversaries (including state-linked groups like MuddyWater) are actively scanning and chaining these.

   Human side and near future: internal tools become the new perimeter, and slow KEV updates + patching fatigue will keep burning out the good practitioners.

   Rec's: Patch n8n hard. Restrict those webhooks and exposed endpoints. Check your versions.

Sam Bowne

1. How we caught the Axios supply chain attack–with a proof of concept tool built in an afternoon

   Last Monday night I was working late and a Slack alert came in from a monitoring tool I had built three days earlier. Axios compromised; one of the most popular npm packages in the world. The idea: monitor changes as they get pushed to package repos. Run a diff to see what changed. Use AI/LLM to determine if the changes are malicious. That's basically it--Supply Chain Monitor. I never got a single false positive.

2. The BuddyBoss Attack: Claude’s Supply-Chain Attack

   Researchers discovered the attacker’s infrastructure on 18th March 2026 and obtained the complete Claude chat logs used to develop and execute the attack chain. The attacker was low-skilled; and told Claude they were doing a CTF. Claude did almost all the work, developing malware, finding a way around Cloudflare, uploading it, testing it to make sure it entered the supply chain, and gathering the responses from the victims.

3. Claude Code cracks FreeBSD within four hours

   He identified a vulnerability in the FreeBSD operating system and exploited it within four hours. Claude was also capable of creating a working exploit. The vulnerability has been reported as CVE-2026-4747.

4. New Rowhammer attacks give complete control of machines running Nvidia GPUs

   GDDRHammer, GeForge and GPUBreach hammer GPU memory in ways that hijack the CPU. “By corrupting GPU page tables, an unprivileged CUDA kernel can gain arbitrary GPU memory read/write, and then chain that capability into CPU-side escalation by exploiting newly discovered memory-safety bugs in the NVIDIA driver,” the researchers explained. “The result is system-wide compromise up to a root shell."

5. Linux Foundation is Launching the x402 Foundation and Welcoming the Contribution of the x402 Protocol

   The x402 protocol from Coinbase is a universal standard for payments that embeds payments directly into web interactions, enabling AI agents, APIs, and apps to transact value as seamlessly as they exchange data.

6. Dev Machine Guard

   Scan your dev machine for AI agents, MCP servers, IDE extensions, and suspicious packages — in seconds.

7. Stop using Run as Administrator: Windows 11 now has sudo, and it’s safer

   Microsoft finally catches up; adding a tool first released in 1985.

8. Anthropic’s Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems

   Mythos Preview, Anthropic claimed, has already discovered thousands of high-severity zero-day vulnerabilities in every major operating system and web browser. Some of these include a now-patched 27-year-old bug in OpenBSD, a 16-year-old flaw in FFmpeg, and a memory-corrupting vulnerability in a memory-safe virtual machine monitor. The model is not yet generally available--instead, it's in a a preview version called Project Glasswing, used by a small set of organizations, including Amazon Web Services, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, along with Anthropic, to secure critical software. Anthropic did this because Claude Mythos has a "level of coding capability where they can surpass all but the most skilled humans at finding and exploiting software vulnerabilities."

9. Thousands of consumer routers hacked by Russia’s military

   End-of-life routers in homes and small offices hacked in 120 countries. Rogue DNS server assigned, which hijacked authentication pages, to harvest credentials via AiTM attacks.