Some more information from the author of PackageKit on https://www.openwall.com/lists/oss-security/2026/04/22/6 too.
Expect to see reliable (public) exploits pretty soon.
CVE-2026-32604 and CVE-2026-32613 are both 10.0 severity vulnerabilities in Spinnaker, which allow attackers to execute arbitrary code and access production cloud environments and source control.
They provide an easy path from a compromised workstation to more sensitive areas.
Our blog post contains a comprehensive technical breakdown and working POCs.
Perforce is source control software used in games, entertainment, and a few engineering sectors. It's particularly useful when large binary assets need to be stored alongside source code. It handles binary assets much better than Git, IMO. However, its one weakness is its terrible security defaults. You will die a bit inside when you see the out-of-the-box behaviour: "Don't have an account? Let me make one for you!" and "Oh, you didn't know by default there is a hidden, read-only 'remote' user that allows read access to everything? Oops!"
I scanned 6,122 public Perforce servers last year. 72% were exposing source code, 21% had passwordless accounts, and 4% had unprotected superusers (which allow RCE). The vendor patched the largest issue, but a significant portion are still vulnerable.
Full write-up and methodology: https://morganrobertson.net/p4wned/
Tools repo, including Nuclei templates to scan your infra: https://github.com/flyingllama87/p4wned
Hardening is a pain, but here it is summed up: p4 configure set security=4 # disables the built-in 'remote' user + strong auth p4 configure set dm.user.noautocreate=2 # kills auto-signup p4 configure set dm.user.setinitialpasswd=0 # users cannot self-set first password p4 configure set dm.user.resetpassword=1 # force password reset flow p4 configure set dm.info.hide=1 # hide server license, internal IP, root path p4 configure set run.users.authorize=1 # user listing requires auth p4 configure set dm.user.hideinvalid=1 # no hints on bad login p4 configure set dm.keys.hide=2 # hide stored key/value pairs from non-admins p4 configure set server.rolechecks=1 # prevent P4AUTH misuse
Happy to answer any questions on the research!
[ Removed by Reddit on account of violating the content policy. ]
We analysed almost 100 UK charity websites and found that ~1 in 6 are running vulnerable JavaScript dependencies.
What stood out more though:
- Some vulnerabilities were 10+ years old, including high and critical ratings
- Same jQuery CVE (2015-9251) appearing across multiple organisations
Weβve now seen similar patterns in the HE/FE and also hospitality sectors as well.
Are we right in thinking that this feels like a visibility problem alongside budget issues more than anything else?
How are you tracking dependencies effectively in your organisations?
Full write-up if useful: https://cybaa.io/blog/2026-04-20/uk-health-charity-website-security-2026
Most writeups of BlueHammer describe what it does. I read the actual PoC (FunnyApp.cpp, ~100KB of C++) and the most important line isn't in the oplock setup, the NT object namespace redirect, or the Cloud Files freeze. It's a comment.
The filestoleak array ships with one target active and two commented out:
Loginconst wchar\_t\* filestoleak\[\] = { {L"\\\\Windows\\\\System32\\\\Config\\\\SAM"} /\*,{L"\\\\Windows\\\\System32\\\\Config\\\\SYSTEM"},{L"\\\\Windows\\\\System32\\\\Config\\\\SECURITY"}\*/ }; SAM alone is a partial dump. The hashes are encrypted with the boot key β which lives in SYSTEM. Without SYSTEM you have ciphertext. With SAM + SYSTEM you have NTLM hashes you can pass-the-hash or crack offline. SECURITY adds LSA secrets: service account credentials, cached domain logon hashes, DPAPI master keys.
The complete credential package is two uncommented lines away from the published PoC. The author wrote both lines and chose what to ship.
Full analysis walks the actual code: the batch oplock on RstrtMgr.dll (not the EICAR file β that's what most writeups get wrong), the NtCreateSymbolicLinkObject swap in the session object namespace (not NTFS symlinks β a different layer entirely), the Cloud Files freeze via a fake OneDrive sync provider named IHATEMICROSOFT, and the undocumented IMpService RPC endpoint that triggers the chain with no elevated privilege required.
Two day intrusion. RDP brute force with a company specific wordlist, Cobalt Strike, and a custom Rust exfiltration platform (RustyRocket) that connected to over 6,900 unique Cloudflare IPs over 443 to pull data from every reachable host over SMB.
Recovered the operator README documenting three operating modes and a companion pivoting proxy for segmented networks.
Personalized extortion notes addressed by name to each employee with separate templates for leadership and staff.
Writeup includes screen recordings of the intrusion, full negotiation chat from their Tor portal, timeline, and IOCs.
u/albinowax βs work on request smuggling has always inspired me. Iβve followed his research, watched his talks at DEFCON and BlackHat, and spent time experimenting with his labs and tooling.
Coming from a web security background, Iβve explored vulnerabilities both from a black-box and white-box perspective β understanding not just how to exploit them, but also the exact lines of code responsible for issues like SQLi, XSS, and broken access control.
Request smuggling, however, always felt different. It remained something I could detect and exploit⦠but never fully trace down to its root cause in real-world server implementations.
A few months ago, I decided to go deeper into networking and protocol internals, and now, months later, I can say that I βmightβ have figured out how the internet worksπ
This research on HAProxy (HTTP/3, standalone mode) is the result of that journey β finally connecting the dots between protocol behavior and the actual code paths leading to the bug.
(Yes, I used AI π )
