Posts

🟠 High | Source: Microsoft Security Response Center CVE-2026-42502 is a vulnerability in the golang.org/x/net/html package affecting how HTML elements in foreign content (such as SVG or MathML) are handled. Incorrect parsing behaviour could potentially be exploited to bypass security controls or cause unintended application behaviour in Go-based services. This is relevant to Azure workloads and any cloud-hosted applications built with Go that rely on this HTML parsing library. Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version immediately. Pay particular attention to services that parse or render user-supplied HTML, as these carry the highest risk of exploitation. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected. Architect’s Take: Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates. ...

🟡 Medium | Source: Microsoft Security Response Center A buffer over-read vulnerability in Postfix mail transfer agent (versions before 3.8.16, 3.9.10, and 3.10.9) can cause the process to crash when it encounters a malformed enhanced status code missing text after the third numeric segment. This is a denial-of-service risk affecting any system running a vulnerable Postfix version, including those used within Azure-hosted infrastructure. While the vulnerability does not appear to allow remote code execution, an attacker able to deliver a crafted response could disrupt mail delivery services. ...

🟠 High | Source: Microsoft Security Response Center CVE-2026-41140 is a path traversal vulnerability in Poetry, a Python dependency management tool, affecting Python versions 3.10.0–3.10.12 and 3.11.0–3.11.4. The flaw occurs during tar archive extraction, potentially allowing a malicious package to write files outside the intended directory. This could lead to arbitrary file overwrite or code execution on systems that process untrusted Python packages. Architect’s Take: Audit any Azure-hosted pipelines or build environments using Poetry with the affected Python versions and upgrade to patched releases immediately. Pay particular attention to CI/CD systems that install dependencies from external or untrusted sources, as these represent the highest-risk attack surface. ...

🟠 High | Source: Microsoft Security Response Center A vulnerability in OpenSSH versions before 10.3 (CVE-2026-35414) means the authorised_keys principals option is not handled correctly in certain edge cases where a principals list is combined with a Certificate Authority that uses comma characters in specific ways. This could allow unintended principals to authenticate, potentially granting unauthorised SSH access to affected systems. The issue is particularly relevant to cloud environments where certificate-based SSH authentication is used at scale. ...

🟢 Low | Source: Microsoft Security Response Center CVE-2025-1149 is a memory leak vulnerability in the GNU Binutils linker tool (ld), specifically within the xstrdup function in xmalloc.c. While memory leaks can cause service instability or denial of service, this issue has been flagged by Microsoft in the context of Azure, suggesting relevance to workloads or toolchains running on Azure infrastructure. The practical security impact is generally low unless an attacker can trigger repeated allocations to exhaust memory resources. ...

🟠 High | Source: The Register — Security Researchers have demonstrated that freely available open source AI models are sufficient to build self-spreading computer worms capable of exploiting known vulnerabilities at scale across enterprise networks — no expensive or specialised AI tools required. The study shows attackers no longer need cutting-edge proprietary models to automate vulnerability exploitation, dramatically lowering the barrier to entry for large-scale attacks. This represents a meaningful shift in the threat landscape, where mass exploitation of known but unpatched vulnerabilities becomes significantly cheaper and faster to operationalise. ...

🟡 Medium | Source: The Hacker News The US Department of Justice ran a coordinated ‘Disruption Week’ operation from May 2026 targeting Southeast Asian criminal networks running cryptocurrency and cyber-enabled fraud schemes against American victims. The action involved both government agencies and private sector partners, resulting in the takedown of millions of fraudulent social media, email, and internet accounts, and the freezing of $3.8 million in assets. These operations are typically linked to pig butchering and romance scam networks, which increasingly exploit cloud-hosted infrastructure and social engineering at scale. ...

🟠 High | Source: The Register — Security Passwords were found stored in plaintext within Active Directory user and computer description fields, making them trivially accessible to any authenticated user on the network. Because AD description fields are readable by all domain users by default, a low-privilege attacker or compromised account could harvest credentials at scale with a simple LDAP query. This represents a significant credential exposure risk in any hybrid or cloud-connected environment where AD is the identity backbone. ...

🟠 High | Source: The Register — Security Commvault is urging organisations to fundamentally reassess their cyber resilience strategies as AI-powered attackers increasingly target backup and recovery infrastructure, leaving victims unable to restore operations. The concern is that traditional backup plans are insufficient if they are not regularly tested and hardened against modern threat actors who specifically seek to neutralise recovery capabilities. This matters because the failure point is no longer just data loss — it is the complete inability to recover. ...