I teach cybersecurity. And I genuinely don't know what to tell my students after this one. Federal reviewers spent years trying to get basic encryption documentation from Microsoft for its GCC High government cloud. They couldn't get it. One reviewer called the system a "pile of spaghetti pies," with data traveling from point A to point B the way you'd get from Chicago to New York: a bus to St. Louis, a ferry to Pittsburgh, and a flight to Newark. Each leg is a potential hijacking. They knew this. They said this out loud in writing. Then they approved it anyway in December 2024, because too many agencies were already using it. 🔐 That's not a security review. That's a hostage negotiation. Two things in this story should make every CISO and CIO uncomfortable:

🧩 Microsoft built its federal cloud on top of decades of legacy code that it apparently can't fully document itself
👮 "Digital escorts" often ex-military with minimal software engineering backgrounds are the firewall between Chinese engineers working on the system and classified U.S. networks 🤦🏻‍♂️

The scariest line in the whole ProPublica investigation isn't the "pile of shit" quote. It's this: FedRAMP determined that refusing authorization wasn't feasible because agencies were already using the product. Read that again. The security review process reached a conclusion based on sunk cost, not risk. Ex Post Facto Fallacy

If that logic holds, the compliance framework is just documentation theater. And right now, CISA is being hollowed out, so there are fewer people left to even run the theater.

arstechnica.com/information-te…
#Cybersecurity #Microsoft #FedRAMP #Leadership #RiskManagement #security #privacy #cloud #infosec

Simon Willison (@simonw)

보안이 침해된 LiteLLM 패키지가 PyPI에서 격리(quarantined)되었다는 업데이트다. 이제 pip 등으로 해당 악성 업데이트를 설치하는 일이 막혀, 잠재적 공급망 공격 확산을 줄일 수 있게 되었다.

x.com/simonw/status/2036451896…

#litellm #pypi #security #supplychain #llm

It is our honour to announce the release of Vulnerability-Lookup 4.2.0!

This version brings a large number of new CSAF-based vulnerability advisory sources, improvements to the web interface, and several bug fixes.

What's New

New CSAF-based sources

As the number of GNA keeps growing and the interest around the GCVE-EU initiative increases, these UI improvements and filtering
capabilities are becoming essential to efficiently explore the various available sources.

Below is the list of CSAF-based sources available by default. You can enable or disable each feeder via the
config/modules.cfg configuration file. The display in the web interface is also configurable through the
config/website.py configuration file.

• ABB
• ads-tec Industrial IT GmbH
• AUMA Riester GmbH & Co. KG
• Beckhoff Automation GmbH & Co. KG
• Bender GmbH & Co. KG
• Carlo Gavazzi Automation
• CERT-Bund
• CERT@VDE
• CISA
• Cisco
• CODESYS GmbH
• Endress+Hauser AG
• Festo SE & Co. KG
• Frauscher Sensortechnik GmbH
• Helmholz GmbH & Co. KG
• HIMA Paul Hildebrandt GmbH
• ifm electronic GmbH
• Janitza electronics GmbH
• Lenze SE
• MB connect line GmbH
• Mettler-Toledo GmbH
• Microsoft
• Miele & Cie KG
• Murrelektronik GmbH
• NCSC-NL
• Nozomi Networks
• Open-Xchange
• OpenSuse
• Pepperl+Fuchs SE
• Phoenix Contact GmbH & Co. KG
• Pilz GmbH & Co. KG
• Red Hat
• Sauter AG
• Schneider Electric
• Sick
• Siemens
• SMA Solar Technology AG
• Suse
• SWARCO TRAFFIC SYSTEMS GmbH
• Trumpf SE + Co. KG
• VARTA Storage GmbH
• WAGO GmbH & Co. KG
• Weidmueller Interface GmbH & Co. KG
• Welotec GmbH
• Wiesemann & Theis GmbH

Improvements

• Enriched CSAF view
  The generic CSAF view now includes severity, vulnerabilities, references, and acknowledgments.
  d528da8
• Enriched OSV view
  Added severity and references to the generic OSV view.
  65de73e
• Date published in CVE records
  If known, the datePublic field of CVE records is now displayed.
  861a082
• Boost recent sightings enabled by default
  The boost recent sightings switch is now checked by default.
  4eed4c4
• New source argument for the full-text indexer
  Added a source argument to the indexer for more targeted indexing.
  d4e6e1f
• Less verbose indexing
  Reduced the verbosity of the full-text search indexing process.
  a563dff
• Configuration improvements
  Reorganized the default SOURCES_TO_SHOW config variable and updated the sample website.py configuration with examples for the new configuration options.
  f699400, 6e8fb6c
• Documentation updates
  Various improvements to the documentation, including GCVE publication as a GNA and Known Exploited Vulnerabilities Catalogs.
  58a4d83, 143f5f5, 1f6d6d3, 52c774f
• Updated Python dependencies
  6e30dc2

Fixes

• Fixed incorrect vulnerability ID passed in various Jinja macros.
  cf1b209
• Fixed the default product option so the form correctly re-submits its value when changing sort/order controls.
  7373f8f
• Suppressed spurious config warnings for disabled features.
  c82e911
• Fixed a variable shadowing issue in parse_vuln_payload() where the local source variable was overriding the function parameter.
  cb03721

Changelog

📂 For the full list of changes, check the GitHub release:
github.com/vulnerability-looku…

🙏 Thank you to all contributors and testers!

Special thanks to Raphaël Vinot for adding the new sources.

Feedback and Support

If you encounter any issues or have suggestions, feel free to open a ticket on our GitHub repository:
github.com/vulnerability-looku…
Your feedback is always appreciated!

Follow Us on Fediverse/Mastodon

You can follow us on Mastodon and get real-time information about security advisories:
social.circl.lu/@vulnerability…

This one might be interesting to anyone interested in computer gaming history.

dec10.uknet.net

I spent the last couple of weeks finally finishing a project I started for Bletchley Park about 20 years ago. Recreating the original MUD and MIST on a mirror of the original Essex University system that finally closed in 1991.

Roy Trubshaw and Richard Bartle wrote the first online multi-user game (MUD) on Essex University's DECSystem-10 in 1978 and it ran till I closed it in 1991. I diligently backed everything up so I could potentially recover it one day, but as far as I can see, all the DECSystem-10's went to the great scrapyard in the sky, my backups were mostly stolen when my first museum was stolen, and I had huge issues recovering the Essex BCPL compiler to compile what I had left when I finally got a decent TOPS-10 emulator running on a VAX for Bletchley Park.

One good thing about being an unemployable whistleblower is free time, so I finally hunkered down to some 90 hour weeks and built a software replica of the Essex system I think reflects it well. It's running on a KS10 not a KL10 but I had to let some things slip.

I put the latest known versions of MUD and MIST on it, and miraculously found ROCK too.

So, to meander to the point, if you want to see and relive exactly what online multi user gaming was like from 1978 to 1991, you can go to:

dec10.uknet.net

Or:

telnet telnet.dec10.uknet.net

(Port 2653 is available for ISPs that block 23)

And then follow the terse instructions from there.

In those days, you were generally faced with a "." prompt and left mostly alone, so for authenticity, I will leave it at that.

I should note that although they were, in their day, wildly popular games with a relatively huge community, this is a museum peice in snapshot-form at the moment. But I will leave them up and running to see what happens and as a useful reference. I wasn't going to, but Richard seemed happy to have MUD running, and former MIST players wanted it back, so...

Pop this a share if you know folks who might be interested.

** Update: New web client that works better.

** Another update - I added a telnet client.

Historically, the telnet connection is much more true to the traditional experience, where you were connecting to a working machine that didn't care about the MUD Guests, so there were no pointers at all. Just rumour and hearsay :)

If any of you Unix/Security people notice I messed up something, please tell me. I left "^], !sh" open on the telnet link for about 2 minutes and nearly had a heart-attack once I spotted it :D

#history #digital #retrogaming #retrocomputing #games #mud #muds #mist #rock #computers #emulation #emulators #vms #tops10 #museum #history #bletchleypark #simh #essex #uk #computinghistory #36bit #engineering #Linux #Security

(don't try this on a phone!)

New research shows that behaviors that occur at the very lowest levels of the network stack make encryption—in any form, not just those that have been broken in the past—incapable of providing client isolation, an encryption-enabled protection promised by all router makers, that is intended to block direct communication between two or more connected clients.

The isolation can effectively be nullified through AirSnitch, the name the researchers gave to a series of attacks that capitalize on the newly discovered weaknesses. Various forms of AirSnitch work across a broad range of routers, including those from Netgear, D-Link, Ubiquiti, Cisco, and those running DD-WRT and OpenWrt.

AirSnitch “breaks worldwide Wi-Fi encryption, and it might have the potential to enable advanced cyberattacks,” Xin’an Zhou, the lead author of the research paper, said in an interview. “Advanced attacks can build on our primitives to [perform] cookie stealing, DNS and cache poisoning. Our research physically wiretaps the wire altogether so these sophisticated attacks will work. It’s really a threat to worldwide network security.” Zhou presented his research on Wednesday at the 2026 Network and Distributed System Security Symposium.

Unlike previous Wi-Fi attacks, AirSnitch exploits core features in Layers 1 and 2 and the failure to bind and synchronize a client across these and higher layers, other nodes, and other network names such as SSIDs (Service Set Identifiers). This cross-layer identity desynchronization is the key driver of AirSnitch attacks.

The most powerful such attack is a full, bidirectional machine-in-the-middle (MitM) attack, meaning the attacker can view and modify data before it makes its way to the intended recipient. The attacker can be on the same SSID, a separate one, or even a separate network segment tied to the same AP. It works against small Wi-Fi networks in both homes and offices and large networks in enterprises.

With the ability to intercept all link-layer traffic (that is, the traffic as it passes between Layers 1 and 2), an attacker can perform other attacks on higher layers. The most dire consequence occurs when an Internet connection isn’t encrypted—something that Google recently estimated occurred when as much as 6 percent and 20 percent of pages loaded on Windows and Linux, respectively. In these cases, the attacker can view and modify all traffic in the clear and steal authentication cookies, passwords, payment card details, and any other sensitive data. Since many company intranets are sent in plaintext, traffic from them can also be intercepted.

Even when HTTPS is in place, an attacker can still intercept domain look-up traffic and use DNS cache poisoning to corrupt tables stored by the target’s operating system. The AirSnitch MitM also puts the attacker in the position to wage attacks against vulnerabilities that may not be patched. Attackers can also see the external IP addresses hosting webpages being visited and often correlate them with the precise URL.

Wi-Fi has always been a risky proposition, and AirSnitch only expands the potential for malice. Then again, the new capabilities may mean little in the real world, where evil twin attacks accomplish many of the same objectives with much less hassle.

Introduction

This vulnerability report has been generated using data aggregated on
Vulnerability-Lookup,
with contributions from the platform’s community.

It highlights the most frequently mentioned vulnerability for February 2026, based on sightings collected from various sources,
including MISP, Exploit-DB, Bluesky, Mastodon, GitHub Gists,
The Shadowserver Foundation, Nuclei,
SPLOITUS, Metasploit, and more.
For further details, please visit this page.

The Month at a Glance

February 2026 was led by CVE-2026-1731, a Critical-severity issue affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA), with 158 sightings. It was followed closely by CVE-2026-2441 in Google Chrome with 143 sightings.

Microsoft-related vulnerabilities were also prominent in the top 10, including CVE-2026-20841 (Windows Notepad) and CVE-2026-21509 (Microsoft 365 Apps for Enterprise). Other heavily sighted entries spanned enterprise recovery and networking products such as Dell RecoverPoint for Virtual Machines (CVE-2026-22769) and Cisco Catalyst SD-WAN Manager (CVE-2026-20127), as well as platform and tooling ecosystems like Apple macOS (CVE-2026-20700), Ivanti Endpoint Manager Mobile (CVE-2026-1281), and n8n (CVE-2026-25049).

February continued to be an active month for known exploited vulnerabilities. The CISA Known Exploited Vulnerabilities catalog added 28 new entries during the month. Notable additions include:

• CVE-2026-1731: BeyondTrust Remote Support (RS) & Privileged Remote Access (PRA)
• CVE-2026-2441: Google Chrome
• CVE-2026-20127: Cisco Catalyst SD-WAN Manager
• CVE-2026-22769: Dell RecoverPoint for Virtual Machines
• CVE-2025-49113: Roundcube Webmail
• CVE-2020-7796: synacor zimbra_collaboration_suite

The CIRCL Known Exploited Vulnerabilities catalog added three entries (CVE-2026-25108, CVE-2026-1340, and CVE-2026-1281), while the ENISA KEV catalog had no new entries in February.

The Ghost CVE Report highlights eight vulnerability identifiers that were observed in sightings despite limited or missing public records. The most frequently sighted were CVE-2023-42344 (5 occurrences) and CVE-2026-1584 (4 occurrences), followed by CVE-2026-23456 (3 occurrences).

Contributor insights this month covered Cisco Catalyst SD-WAN vulnerabilities, an IceWarp command-injection RCE, analysis of CVEs affecting the Svelte ecosystem, TP-Link VIGI IP camera issues, and reporting on UAC-0001 (APT28) activity leveraging CVE-2026-21509.

Top 10 Vendors of the Month

Top 10 Assigners of the Month

Top 10 vulnerabilities of the Month

Known Exploited Vulnerabilities

New entries have been added to major Known Exploited Vulnerabilities catalogs.

CISA

More KEV entries from the CISA Catalog.

CIRCL

More KEV entries from the CIRCL Catalog.

ENISA

No new entry in February.

More KEV entries from the ENISA Catalog.

Top 10 Weaknesses of the Month

Ghost CVE Report

A ghost CVE is a vulnerability identifier that's already popped up in the wild but is still listed as RESERVED or NOT_FOUND in official registries like NVD or MITRE.

Sightings detected between 2026-02-01 and 2026-02-28 that are associated with vulnerabilities without public records.

Insights from Contributors

• Cisco Catalyst SD-WAN Vulnerabilities
• IceWarp14 X-File-Operation Command Injection Remote Code Execution Vulnerability
• MajorDoMo Revisited: What I Missed in 2023
• CVEs affecting the Svelte ecosystem
• TP-Link Systems Inc. VIGI Series IP Camera
• UAC-0001 (APT28) carries out cyberattacks against Ukraine and EU countries using the exploit CVE-2026-21509

Thank you

Thank you to all the contributors and our diverse sources!

If you want to contribute to the next report, you can create your account.

Feedback and Support

If you have suggestions, please feel free to open a ticket on our GitHub repository. Your feedback is invaluable to us!
github.com/vulnerability-looku…

Funding

The main objective of Federated European Team for Threat Analysis (FETTA) is improvement of Cyber Threat Intelligence (CTI) products available to the public and private sector in Poland, Luxembourg, and the European Union as a whole.
Developing actionable CTI products (reports, indicators, etc) is a complex task and requires an in-depth understanding of the threat landscape and the ability to analyse and interpret large amounts of data. Many SOCs and CSIRTs build their capabilities in this area independently, leading to a fragmented approach and duplication of work.

The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents. The organization brings to the table its extensive experience in cybersecurity incident management, threat intelligence, and proactive response strategies. With a strong background in developing innovative open source cybersecurity tools and solutions, CIRCL’s contribution to the FETTA project is instrumental in achieving enhanced collaboration and intelligence sharing across Europe.

Press release