On-Prem Red Team AI — engineering notes from the front line
Deep dives, comparisons and field reports on autonomous red team AI, generative pentesting, deep-packet traffic intelligence, NIS2/DORA, and how to operate them air-gapped.
- ShareFileNIS2 Breach ReportingData Exfiltration
ShareFile Shutdown: Reporting a Breach With No CVE, No Patch, No IOCs
Progress told ShareFile admins to power off their Storage Zone Controllers over a credible threat — no CVE, no patch, no IOCs. How to hunt, contain, and file a NIS2 breach report while blind.
9 min read - ZimbraWebmail XSSData Exfiltration
Zimbra Webmail XSS: The Crafted Email That Empties the Mailbox
Google TAG flagged a stored XSS in Zimbra's Classic Web Client, fixed in ZCS 10.1.19. No CVE, no CVSS — and the crafted email is not the part you'll catch. Here's the runbook.
8 min read - JoomlaFile Upload RCEWeb Shell
Joomla Page Builder RCE: CVE-2026-48908 and the Web Shell You Already Have
Two CVSS 10.0 file-upload bugs in Joomla page builders (CVE-2026-48908, CVE-2026-56290) are mass-exploited to drop web shells and hidden admins — patching won't evict them.
8 min read - Gitea CVE-2026-20896Auth BypassSupply Chain Security
Gitea CVE-2026-20896: One HTTP Header Owns Your Source-Control Server
CVE-2026-20896 lets an unauthenticated attacker spoof a single HTTP header and impersonate any Gitea admin — reading private repos, committed secrets and deploy keys. Here is the fix.
8 min read - RMM SecurityMSP Supply ChainCISA KEV
SimpleHelp RMM CVE-2026-48558: The Forged Token That Becomes Your Technician
CVE-2026-48558 lets attackers forge an OIDC token and mint a privileged SimpleHelp RMM technician — the one identity your EDR is built to trust. Why patching alone leaves the door open.
7 min read - AI RansomwareAgentic AILangflow
JADEPUFFER: Agentic Ransomware That Ran the Whole Attack Itself
JADEPUFFER is the first documented agentic ransomware — an AI agent ran recon, pivot, and encryption end-to-end, fixing a failed login in 31 seconds. Here is the runbook.
8 min read - CitrixBleedNetScalerSession Hijacking
CitrixBleed Again: CVE-2026-8451 and the Token You Already Lost
CVE-2026-8451 is a pre-auth NetScaler memory overread exploited within 24 hours. Patching stops the leak — it does not evict the session tokens attackers already stole.
8 min read - Avalon MalwareCrownX RansomwareEDR Evasion
Avalon and CrownX: the ransomware built to blind every EDR you own
Blackpoint Cyber found Avalon, an AI-assisted modular framework that hides from nine EDR products, then wipes recovery and runs CrownX ransomware. Why the wire still sees what the endpoint can't.
8 min read - Linux KernelPrivilege EscalationBad Epoll
Bad Epoll (CVE-2026-46242): a 6-instruction race that hands any Linux user root
Bad Epoll (CVE-2026-46242) is a Linux kernel use-after-free that gives any unprivileged user root — on servers and Android. A patch existed since April but stayed silent for 70 days. Here is the fix runbook.
7 min read