A few quick notes on the Erlang OTP SSHd RCE (CVE-2025-32433): 1. Cisco confirmed that ConfD and NSO products are affected (ports 830, 2022, and 2024 versus 22) 2. Signatures looking for clear-text channel open and exec calls will miss exploits that deliver the same payloads after the key exchange. 3. If you find a machine in your environment and can't disable the service, running the exploit with the payload `ssh:stop().` will shut down the SSH service temporarily.
runZero
Erlang/OTP SSH critical vulnerability: How to find affected versions
Some versions of the Erlang/OTP embedded SSH server contain a highly critical vulnerability (CVE-2025-32433) in their handling of SSH protocol mess...
Today, Wiz (Woogle?) released an advisory detailing an attack chain they’ve dubbed IngressNightmare, which, if left exposed and unpatched, can be exploited to achieve remote code execution by unauthenticated attackers. The advisory, covering five separate vulnerabilities, was published after a brief embargo period, once the Kubernetes folks got their patches together. You can find a brief writeup and search queries for runZero at:
runZero
IngressNightmare: Find affected Ingress-NGINX controller instances
IngressNightmare is a set of four injection flaws linked by a fifth issue, forming an attack chain. Here’s how to find any impacted services usin...
 image
The researchers who found the Next.js middleware vulnerability (CVE-2025-29927) have released the full paper:
zhero_web_security
Next.js and the corrupt middleware: the authorizing artifact
CVE-2025-29927
 Notable is that the auth bypass requires the x-middleware-subrequest value to be one of these two forms: middleware:middleware:middleware:middleware:middleware OR src/middleware:src/middleware:src/middleware:src/middleware:src/middleware
Next.js dropped a CVSS 9.1 authentication bypass vulnerability (CVE-2025-29927) over the weekend. This flaw is trivially exploitable by sending the header `x-middleware-subrequest: true` and causes the request to skip all middleware processing, including any authentication steps. Shodan reports over 300,000 services with the `X-Powered-By: Next.js` header alone. You can find links to the advisory and queries for runZero at:
runZero
Next.js vulnerability CVE-2025-29927: How to find affected assets
On March 22nd, Next.js disclosed an authentication bypass vulnerability. Here's how to find Next.js systems on your network.
The worst part of the Unciphered story isn't that accused-rapist Morgan Marquis-Boire was a co-founder and only his alias "Frank Davidson" was known to employees; it is that Eric Michaud co-founded the company with him and conspired to keep the team from knowing about it. Infosec has its pariahs for a reason (Cap'n Crunch, Jacob Applebaum, Morgan Marquis-Boire, and to a lesser degree Christopher Hadnagy): https://archive.ph/IQ7SK
The first episode of Where Warlocks Stay Up Late is out! >Digital Jesus/o.0, aka Matt Harrigan, turned a telecommunication product release into a 0-day, tipped off drug dealers about government surveillance, and emerged as a cybersecurity founder and CEO.
Where Warlocks Stay Up Late (WWSUL): Cybersecurity Interviews
If the NSA[1], GrapheneOS[2], and Apple[3] all believe that rebooting your mobile phone regularly is something that protects your data, you might consider doing it more often. Shortcuts on iOS make this super easy to setup. 1.
NSA Mobile Device Best Practices
National Security Agency
 2.
GrapheneOS Mastodon
GrapheneOS (@GrapheneOS@grapheneos.social)
Our auto-reboot feature starts a timer after the device is locked which will reboot the device is it isn't unlocked successfully before the timer e...
 3.
404 Media
Apple Quietly Introduced iPhone Reboot Code Which is Locking Out Cops
On Thursday 404 Media reported that police were freaking out about mysteriously rebooting iPhones. Now multiple experts have found that Apple intro...
 image