Intelligence archive

Every Decryption Digest edition, catalogued. Deep-dive threat briefings covering the zero-days, ransomware campaigns, and nation-state operations that matter most to security teams.

26 editions published

#26
SUPPLY CHAIN · Featured

North Korea Hid 1,700 Malicious Packages Inside Your Dev Team's Tools

Socket Security has documented 1,700+ malicious packages tied to North Korea's Contagious Interview campaign across five package ecosystems. Separately, UNC1069 compromised the Axios npm maintainer via social engineering, injecting a backdoor into a library present in an estimated 80% of cloud environments. Here's the full attack chain, WAVESHAPER.V2 IOCs, and what to do now.

April 10, 2026 · 14 min read
#25
CVE WATCH

Chrome's 4th Zero-Day of 2026 Was Already in the Wild

Google shipped an emergency patch for CVE-2026-5281, a use-after-free in Chrome's Dawn/WebGPU component confirmed exploited in the wild. CISA added it to KEV the next day with an April 15 deadline. Here's what happened, why renderer-compromise-required is not reassuring, and what your fleet needs right now.

April 9, 2026 · 10 min read
#24
THREAT ACTOR WATCH

Qilin Found a Way to Blind Your EDR Before You Know They're Inside

Cisco Talos and Trend Micro confirm Qilin ransomware is using BYOVD to systematically disable 300+ EDR products before deploying ransomware. Here's the full attack chain and what to do about it.

April 8, 2026 · 12 min read
#23
CVE REFERENCE

CVE-2023-20198 Explained: Cisco IOS XE Web UI Zero-Day and the 50,000-Device Compromise

CVE-2023-20198 is a critical unauthenticated privilege escalation vulnerability in Cisco IOS XE software's web UI feature. Exploited as a zero-day before Cisco published any advisory, attackers used it to create administrator accounts and then chained it with CVE-2023-20273 to deploy a persistent Lua-based implant on over 50,000 network devices. No authentication or user interaction required.

October 16, 2023 · 10 min read
#22
CVE REFERENCE

CVE-2023-23397 Explained: The Outlook Zero-Click NTLM Hash Theft Vulnerability

CVE-2023-23397 is a critical privilege escalation and credential theft vulnerability in Microsoft Outlook for Windows. A specially crafted calendar invitation with a UNC path in the reminder sound field causes Outlook to automatically connect to an attacker-controlled SMB server, leaking the victim's NTLM authentication hash. No user interaction is required — the exploit fires when the reminder triggers, even if the meeting invitation is never opened.

March 14, 2023 · 9 min read
#21
CVE REFERENCE

CVE-2022-41040 and CVE-2022-41082 Explained: ProxyNotShell, the Microsoft Exchange Chain

CVE-2022-41040 and CVE-2022-41082, collectively called ProxyNotShell, are chained vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a server-side request forgery flaw that, when chained with CVE-2022-41082, enables an authenticated attacker to achieve remote code execution. Both were exploited in the wild before Microsoft released patches.

September 29, 2022 · 10 min read
#20
CVE REFERENCE

CVE-2022-30190 Explained: Follina, the Zero-Click Microsoft Office RCE

CVE-2022-30190 (Follina) is a critical RCE vulnerability in the Microsoft Support Diagnostic Tool (MSDT) triggered via the ms-msdt:// URI scheme from within a malicious Office document. Attackers achieve code execution with no macro prompts, and in some configurations previewing the file in Windows Explorer alone triggers the exploit.

June 14, 2022 · 8 min read
#19
CVE REFERENCE

CVE-2022-26134 Explained: Confluence Server Critical OGNL Zero-Day

CVE-2022-26134 is a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center, enabling unauthenticated remote code execution. Disclosed as a zero-day on June 2, 2022 with active exploitation already confirmed, this vulnerability scores 10.0 CVSS. Within hours of technical details becoming public, mass scanning and exploitation began across the internet.

June 2, 2022 · 9 min read
#18
CVE REFERENCE

CVE-2022-22965 Explained: Spring4Shell, the Spring Framework RCE Vulnerability

CVE-2022-22965 (Spring4Shell) is a critical remote code execution vulnerability in the Spring Framework's data binding component. By manipulating HTTP request parameters to abuse Java's ClassLoader mechanism, an attacker can write a JSP web shell to a Tomcat-served directory and achieve persistent remote code execution. Affects Spring Framework 5.3.x before 5.3.18 and 5.2.x before 5.2.20 running on JDK 9+.

March 31, 2022 · 10 min read
#17
CVE REFERENCE

CVE-2021-44228 Explained: Log4Shell, the Most Critical Vulnerability in a Decade

CVE-2021-44228 — Log4Shell — is a critical remote code execution vulnerability in Apache Log4j 2 scoring a perfect 10.0 CVSS. A single malicious string sent to any log field triggers JNDI injection, allowing an attacker to execute arbitrary code on the vulnerable server with no authentication required.

December 15, 2021 · 12 min read
#16
CVE REFERENCE

CVE-2021-40444 Explained: The MSHTML Remote Code Execution Vulnerability

CVE-2021-40444 is a remote code execution vulnerability in the MSHTML (Trident) browser engine built into Windows. A malicious Office document embedding a specially crafted ActiveX control causes MSHTML to download and execute a malicious DLL from an attacker-controlled server. No macros are used. No Enable Content prompt appears. The exploit was used in targeted attacks before Microsoft patched it.

September 7, 2021 · 9 min read
#15
CVE REFERENCE

CVE-2021-26084 Explained: Confluence Server OGNL Injection and Mass Exploitation

CVE-2021-26084 is a server-side template injection vulnerability in Atlassian Confluence Server and Data Center. An unauthenticated attacker can inject OGNL expressions via query parameters, achieving remote code execution on the Confluence server. The vulnerability was exploited at mass scale within hours of public PoC release, with ransomware groups and nation-state actors among the first adopters.

August 25, 2021 · 9 min read
#14
CVE REFERENCE

CVE-2021-34473 Explained: ProxyShell, the Pre-Auth Exchange RCE Chain

CVE-2021-34473 is the first link in the ProxyShell exploit chain — three Microsoft Exchange Server vulnerabilities that together enable unauthenticated remote code execution. Chained with CVE-2021-34523 and CVE-2021-31207, an attacker can reach Exchange's backend PowerShell endpoint without credentials, impersonate any mailbox user, and write arbitrary files to Exchange's web root to deploy a web shell.

July 13, 2021 · 11 min read
#13
CVE REFERENCE

CVE-2021-34527 Explained: PrintNightmare and RCE via Windows Print Spooler

CVE-2021-34527 (PrintNightmare) is a critical vulnerability in the Windows Print Spooler service enabling remote code execution with SYSTEM privileges. A proof-of-concept was accidentally published publicly on June 29, 2021, triggering emergency out-of-band patches and immediate mass exploitation.

July 2, 2021 · 8 min read
#12
CVE REFERENCE

CVE-2021-21985 Explained: VMware vCenter Server Remote Code Execution

CVE-2021-21985 is a critical remote code execution vulnerability in VMware vCenter Server's vSphere Client web interface. An unauthenticated attacker with network access to vCenter's HTTPS port can send a specially crafted request to the Virtual SAN Health Check plugin — enabled by default — to achieve RCE with root or SYSTEM privileges on the vCenter server. Compromise of vCenter means control over every virtual machine in the managed infrastructure.

May 25, 2021 · 9 min read
#11
CVE REFERENCE

CVE-2021-26855 Explained: ProxyLogon and the Microsoft Exchange Mass Exploitation Event

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server allowing an unauthenticated attacker to bypass authentication and impersonate the Exchange server. Chained with CVE-2021-27065, it achieves pre-authentication RCE. Over 250,000 Exchange servers were compromised within days of public disclosure.

March 10, 2021 · 10 min read
#10
CVE REFERENCE

CVE-2021-27101 Explained: Accellion FTA SQL Injection and the CLOP Ransomware Campaign

CVE-2021-27101 is a critical SQL injection vulnerability in Accellion FTA (File Transfer Appliance) that allows unauthenticated remote code execution. Exploited by the CLOP ransomware group beginning in December 2020, the vulnerability was used to steal sensitive files from over 100 organizations including government agencies, universities, law firms, and financial institutions, without deploying ransomware encryption.

January 23, 2021 · 10 min read
#09
CVE REFERENCE

CVE-2020-1472 Explained: Zerologon and Instant Active Directory Domain Compromise

CVE-2020-1472 (Zerologon) is a 10.0 CVSS critical vulnerability in the Windows Netlogon Remote Protocol. A cryptographic flaw allows an attacker with network access to a domain controller to set the machine account password to empty, then impersonate the DC to achieve instant domain compromise in approximately 10 seconds.

September 14, 2020 · 9 min read
#08
CVE REFERENCE

CVE-2020-5902 Explained: F5 BIG-IP TMUI Remote Code Execution

CVE-2020-5902 is a critical remote code execution vulnerability in the F5 BIG-IP Traffic Management User Interface (TMUI). An unauthenticated attacker with network access to the TMUI can execute arbitrary system commands, create or delete files, enable or disable services, and fully compromise the BIG-IP device. With a CVSS score of 10.0, this vulnerability was exploited within hours of F5's advisory.

July 1, 2020 · 9 min read
#07
CVE REFERENCE

CVE-2020-0796 Explained: SMBGhost, the Wormable Windows 10 Kernel Vulnerability

CVE-2020-0796 (SMBGhost) is an integer overflow vulnerability in the SMBv3 compression feature introduced in Windows 10 1903. An unauthenticated attacker can achieve remote code execution in kernel context by sending a specially crafted compressed SMBv3 packet. No credentials or user interaction are required, making it wormable across any network where port 445 is reachable.

March 12, 2020 · 10 min read
#06
CVE REFERENCE

CVE-2019-11510 Explained: Pulse Secure VPN Arbitrary File Read and Credential Theft

CVE-2019-11510 is a pre-authentication arbitrary file read vulnerability in Pulse Connect Secure VPN appliances. An unauthenticated attacker can retrieve the VPN's configuration file and stored credentials — including plaintext passwords and cached Active Directory credentials — from any affected device reachable on the internet. Widely exploited by ransomware groups, APTs, and credential brokers.

August 22, 2019 · 10 min read
#05
CVE REFERENCE

CVE-2018-13379 Explained: Fortinet FortiGate VPN Path Traversal and Credential Exposure

CVE-2018-13379 is a pre-authentication path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal. An unauthenticated attacker can read system files from the VPN appliance by crafting a malicious URL, including session files that contain plaintext credentials. Credentials from over 87,000 FortiGate devices were published publicly in 2021 — many from devices patched but with credentials never rotated.

May 24, 2019 · 9 min read
#04
CVE REFERENCE

CVE-2019-0708 Explained: BlueKeep, the Wormable RDP Vulnerability in Legacy Windows

CVE-2019-0708 (BlueKeep) is a critical pre-authentication RCE vulnerability in Windows Remote Desktop Services affecting Windows XP, Vista, 7, and Server 2003/2008. Like EternalBlue, it is wormable — requiring no credentials or user interaction — and was rated 9.8 CVSS by NVD.

May 14, 2019 · 8 min read
#03
CVE REFERENCE

CVE-2017-0144 Explained: EternalBlue, the NSA Exploit Behind WannaCry and NotPetya

CVE-2017-0144 is the SMBv1 remote code execution vulnerability exploited by the EternalBlue exploit, originally developed by the NSA and leaked by the Shadow Brokers in April 2017. It powered both WannaCry and NotPetya — two attacks that caused a combined $30+ billion in global damages.

May 15, 2017 · 11 min read
#02
CVE REFERENCE

CVE-2017-5638 Explained: The Apache Struts Flaw Behind the Equifax Breach

CVE-2017-5638 is a remote code execution vulnerability in Apache Struts 2's Jakarta Multipart parser. By injecting an OGNL expression into the Content-Type header of an HTTP POST request, an unauthenticated attacker can execute arbitrary OS commands. The vulnerability was actively exploited to breach Equifax, exposing 147 million records.

March 7, 2017 · 11 min read
#01
CVE REFERENCE

CVE-2014-0160 Explained: Heartbleed and the Vulnerability That Broke the Internet

CVE-2014-0160 (Heartbleed) is a critical information disclosure vulnerability in OpenSSL 1.0.1 through 1.0.1f. It allows attackers to read up to 64KB of server memory per request — including private SSL keys, session cookies, and credentials — with zero authentication and no server-side logging.

April 7, 2014 · 10 min read

Full archive including older editions available on Beehiiv