ThreatPulse — April 19, 2026 | 0 threats, personalised for you
ThreatPulse — April 19, 2026
Personalised for Demo User | Soc Analyst | Detection: KQL
10
Items
2
Critical
7
High
0
CISA KEV
41/100
CVSS 9.8
EPSS 89.4%
github.com
CRITICALKQLCVE-2025-61882
Summary
CVE-2025-61882 (NetVanguard-cmd) is a critical vulnerability with a CVSS score of 9.8 affecting multiple platforms including Windows, Azure, and Docker environments. Detection should focus on identifying exploitation attempts through command execution patterns and suspicious process activity associated with vulnerable NetVanguard components.
Detection Query (KQL)DeviceProcessEvents | where ProcessCommandLine contains "netvanguard" or ProcessCommandLine contains "netguard" or ProcessCommandLine matches regex @"(?i)(netvanguard|netguard).*cmd" | where InitiatingProcessName !in ("explorer.exe", "svchost.exe") | project Timestamp, DeviceName, ProcessId, ProcessCommandLine, InitiatingProcessName, InitiatingProcessId, AccountName | union (SecurityEvent | where EventID == 4688 and (CommandLine contains "netvanguard" or CommandLine contains "netguard") | project TimeGenerated, Computer, NewProcessId, CommandLine, ParentProcessName, SubjectUserName)
Detection Logic
Monitor for process creation events containing NetVanguard-cmd references in command lines, focusing on suspicious parent processes and execution contexts. Cross-reference Windows Security Event logs (EventID 4688) and Microsoft Defender for Endpoint process events to identify exploitation attempts. Alert on any execution from non-standard locations or by unexpected service accounts.
Affected ProductsWindows, Azure, Docker, VMware, Cisco, Chrome, Python, Office365
ATT&CK TechniquesT1059.001, T1190, T1203
False Positive NotesLegitimate NetVanguard administrative tools may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out expected system processes and legitimate security software. Tune based on organizational baseline of NetVanguard usage patterns. Consider excluding events from approved administrative workstations and change management systems.
Source: github.com
39/100
CVSS 8.8
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6563
Analysis
CVE-2026-6563: A vulnerability has been found in H3C Magic B1 up to 100R004. The affected element is the function SetAPWifiorLedInfoByI
CVEs: CVE-2026-6563
CVSS: 8.8 | EPSS: 0.0% | Priority: 38.7/100
ATT&CK: N/A
Detection language: KQL
Source: nvd.nist.gov -- https://nvd.nist.gov/vuln/detail/CVE-2026-6563
A vulnerability has been found in H3C Magic B1 up to 100R004. The affected element is the function SetAPWifiorLedInfoById of the file /goform/aspForm. The manipulation of the argument param leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source: nvd.nist.gov
38/100
CVSS 8.8
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6560
Summary
CVE-2026-6560 is a critical remote buffer overflow vulnerability in H3C Magic B0 devices affecting the Edit_BasicSSID function in /goform/aspForm, with a CVSS score of 8.8. Detection should focus on identifying exploitation attempts targeting H3C devices through malicious web requests and subsequent process execution or network anomalies.
Detection Query (KQL)let timeframe = 7d; let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']); union (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators) | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators) | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType), (SecurityEvent | where TimeGenerated > ago(timeframe) | where Activity has_any (h3c_indicators) or CommandLine has_any (h3c_indicators) | project TimeGenerated, Computer, Activity, CommandLine, Account, EventID) | where ActionType !in ('ProcessTerminated', 'NetworkConnectionTerminated') or Activity !has 'Success' | limit 1000
Detection Logic
Monitor for HTTP requests containing Edit_BasicSSID, aspForm, or goform path indicators targeting H3C devices. Correlate with subsequent suspicious process creation, command execution, or unexpected network connections from affected devices. Focus on remote connection attempts to H3C management interfaces and buffer overflow exploitation patterns in request payloads.
Affected ProductsH3C Magic B0, H3C Magic B0 100R002
ATT&CK TechniquesT1190, T1133, T1071
False Positive NotesLegitimate H3C device management traffic and administrative configuration changes may trigger alerts; whitelist known H3C management IPs and scheduled maintenance windows. Filter out normal device firmware update processes and authenticated administrative sessions. Exclude internal network scanning and vulnerability assessment tools that may probe H3C devices.
Source: nvd.nist.gov
38/100
CVSS 9.8
EPSS 55.7%
github.com
CRITICALKQLCVE-2026-3055
Summary
CVE-2026-3055 is a critical vulnerability (CVSS 9.8) affecting NetVanguard-cmd with high exploitation probability (EPSS 55.7%). Detection should focus on identifying exploitation attempts and suspicious command execution patterns associated with this vulnerability.
Detection Query (KQL)DeviceProcessEvents | where ProcessCommandLine contains "netvanguard" or ProcessCommandLine matches regex @"(?i)(netvanguard|cve.?2026.?3055)" | where InitiatingProcessName !in ("explorer.exe", "svchost.exe") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessName, InitiatingProcessId | union (SecurityEvent | where EventID == 4688 and CommandLine contains "netvanguard" | project TimeGenerated, Computer, Account, CommandLine, ParentProcessName) | union (CommonSecurityLog | where Activity contains "NetVanguard" or RequestURL contains "netvanguard" | project TimeGenerated, SourceIP, DestinationIP, Activity, RequestURL)
Detection Logic
Monitor for process creation events containing 'netvanguard' or CVE-2026-3055 references in command lines, excluding legitimate system processes. Cross-correlate with network logs for suspicious communication patterns and web requests related to the vulnerability.
Affected ProductsNetVanguard-cmd, Windows, Azure, Office365
ATT&CK TechniquesT1190, T1059
False Positive NotesLegitimate NetVanguard administrative tools and updates may trigger alerts; whitelist known administrative accounts and scheduled maintenance windows. Filter out benign security scanning tools that may reference CVE identifiers in logs.
Source: github.com
34/100
CVSS 7.3
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6577
Analysis
# THREAT BRIEFING: CVE-2026-6577 – DjangoBlog Authentication Bypass
## SUMMARY
CVE-2026-6577 is an unauthenticated remote code execution vulnerability in DjangoBlog ≤2.1.0.0 affecting the `/owntracks/views.py` logtracks endpoint, allowing attackers to bypass authentication and manipulate application logic. Public exploits exist and the vendor has not responded to disclosure, making active exploitation likely in the wild.
## TRIAGE
**Severity: HIGH** – CVSS 7.3, publicly exploitable, no vendor patch available. Prioritize immediate inventory of DjangoBlog instances and network segmentation of affected systems.
## DETECTION
**Query 1: Identify DjangoBlog instances and logtracks endpoint access**
**Query 2: Detect unauthenticated HTTP requests to logtracks endpoint (missing auth headers)**
**Query 3: Monitor for suspicious process execution from web application context**
## MITRE ATT&CK
- **T1190** – Exploit Public-Facing Application
- **T1589** – Gather Victim Identity Information
- **T1566** – Phishing (if chained with email delivery)
## ACTION
1. **Immediate:** Inventory all DjangoBlog instances via network scanning and application discovery tools; isolate any running version ≤2.1.0.0 from production traffic.
2. **Within 24h:** Upgrade to DjangoBlog 2.1.1+ (if available) or apply vendor security patch; if unavailable, implement WAF rule blocking `/owntracks/` and `/logtracks/` endpoints.
3. **Ongoing:** Monitor logs for exploitation attempts using Query 2 above; correlate with failed authentication events in SecurityEvent table (EventID 4625).
union DeviceNetworkEvents, CloudAppEvents
| where RemoteUrl has "owntracks" or RemoteUrl has "logtracks" or InitiatingProcessFileName has "django"
| where ActionType in ("ConnectionSuccess", "ConnectionAttempted") or isnotempty(RemoteUrl)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, AccountName
| where Timestamp > ago(7d)
| limit 1000
CloudAppEvents
| where Timestamp > ago(7d)
| where ObjectName has "owntracks" or ObjectName has "logtracks"
| where RawEventData has_any ("401", "403") == false
| where RawEventData !has "Authorization" or RawEventData !has "Cookie"
| project Timestamp, AccountName, ObjectName, IPAddress, UserAgent, RawEventData
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ("python", "django", "uwsgi", "gunicorn")
| where ProcessCommandLine has_any ("bash", "cmd", "powershell", "sh", "/bin/")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountName, ProcessId
| limit 1000
Source: nvd.nist.gov
33/100
CVSS 7.3
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6574
Analysis
# THREAT BRIEFING: CVE-2026-6574 – osuuu LightPicture Hard-Coded Credentials
## SUMMARY
CVE-2026-6574 affects osuuu LightPicture ≤1.2.2 and exposes hard-coded credentials via the `/public/install/lp.sql` API upload endpoint. Remote unauthenticated attackers can exploit this to gain unauthorized access; public exploit code exists and vendor has not responded.
## TRIAGE
**Severity: HIGH** – CVSS 7.3, public exploit, hard-coded credentials enable account takeover. Immediate investigation required if LightPicture is deployed in your environment.
## DETECTION
**Query 1: Detect HTTP requests to vulnerable LightPicture endpoint**
**Query 2: Detect file access to LightPicture installation directory**
**Query 3: Detect suspicious process execution from web application context (LightPicture exploitation)**
## MITRE ATT&CK
- **T1078.001** – Valid Accounts (hard-coded credential abuse)
- **T1190** – Exploit Public-Facing Application
- **T1552.007** – Unsecured Credentials (hard-coded in code/config)
## ACTION
1. **Immediate:** Identify all systems running osuuu LightPicture ≤1.2.2 via asset inventory or network scan.
2. **Urgent:** Upgrade to LightPicture >1.2.2 or disable the `/public/install/` endpoint via WAF/reverse proxy rules.
3. **Forensic:** Run detection queries above; if hits found, reset all credentials associated with LightPicture service accounts and audit access logs for the past 30 days.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "/public/install/lp.sql" or RemoteUrl has "/public/install/" and InitiatingProcessFileName has_any ("curl", "wget", "powershell", "python")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| limit 1000
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("/public/install", "\\public\\install") and FileName has_any ("lp.sql", "install.sql")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| project Timestamp, DeviceName, FolderPath, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("sql", "credential", "password", "key") and (InitiatingProcessFileName has_any ("apache", "nginx", "iis", "php") or FolderPath has "/public/")
| project Timestamp, DeviceName, ProcessCommandLine, ProcessId, InitiatingProcessFileName, AccountName, ProcessIntegrityLevel
| limit 1000
Source: nvd.nist.gov
33/100
CVSS 7.3
EPSS 0.1%
nvd.nist.gov
HIGHKQLCVE-2026-6569
Analysis
# THREAT BRIEFING: CVE-2026-6569 KodExplorer Authentication Bypass
## SUMMARY
A remote authentication bypass vulnerability exists in KodExplorer versions up to 4.52, affecting the `fileGet` endpoint in `/app/controller/share.class.php` via improper validation of the `fileUrl` parameter. Attackers can bypass authentication to access or manipulate files without valid credentials, potentially leading to unauthorized data access or system compromise.
## TRIAGE
**Severity: HIGH**
CVSS 7.3 with remote attack vector and no authentication required. Immediate investigation required if KodExplorer is deployed in your environment. Low EPSS (0.1%) suggests limited current exploitation, but vulnerability is trivial to exploit once weaponized.
---
## DETECTION
**Query 1: Detect KodExplorer fileGet Endpoint Abuse**
**Query 2: Detect Unauthenticated File Access via fileUrl Parameter**
**Query 3: Detect KodExplorer Process Execution with Suspicious Arguments**
---
## MITRE ATT&CK
- **T1190**: Exploit Public-Facing Application (remote code/auth bypass via web endpoint)
- **T1566**: Phishing (if weaponized for initial access)
- **T1078**: Valid Accounts (authentication bypass enables unauthorized access)
---
## ACTION
1. **Immediate**: Inventory all KodExplorer instances in your environment and confirm versions ≤4.52.
2. **Urgent**: Upgrade to KodExplorer 4.53+ or apply vendor patch if available; if unavailable, disable the `/app/controller/share.class.php` endpoint or restrict access via WAF rules blocking requests with `fileUrl` parameter.
3. **Monitor**: Run Detection Query 1 and 2 daily for 30 days post-remediation to confirm no exploitation occurred.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "/app/controller/share.class.php" or RemoteUrl has "fileGet"
| where ActionType == "ConnectionSuccess" or ActionType == "ConnectionAttempted"
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, InitiatingProcessFileName, InitiatingProcessCommandLine
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl matches regex @"(?i)(fileGet|fileUrl|share\.class\.php)" and RemoteUrl contains "fileUrl="
| where RemoteIPType == "Public" or RemoteIPType == "Internet"
| summarize AccessCount=count(), UniqueIPs=dcount(RemoteIP), UniqueDevices=dcount(DeviceName) by RemoteUrl, InitiatingProcessFileName
| where AccessCount > 5
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("kodexplorer", "share.class.php", "fileGet") or FolderPath has "kodexplorer"
| where ProcessCommandLine contains "fileUrl" or ProcessCommandLine contains "improper"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, ProcessId, ParentProcessFileName
| limit 1000
Source: nvd.nist.gov
33/100
CVSS 7.3
EPSS 0.1%
nvd.nist.gov
HIGHKQLCVE-2026-6568
Analysis
# THREAT BRIEFING: CVE-2026-6568 – KodExplorer Path Traversal
## SUMMARY
KodExplorer versions up to 4.52 contain a path traversal vulnerability in the Public Share Handler (`share.class.php::initShareOld`) that allows unauthenticated remote attackers to access arbitrary files on the server. This vulnerability is publicly disclosed with active exploit code available, creating immediate risk for any organization running vulnerable versions.
## TRIAGE
**Severity: HIGH** – CVSS 7.3, publicly exploited, unauthenticated remote access. Prioritize immediate inventory and patching of all KodExplorer instances.
## DETECTION
**Query 1: Detect KodExplorer HTTP requests with path traversal patterns**
**Query 2: Detect file access anomalies from web server processes targeting sensitive paths**
**Query 3: Detect web server process spawning suspicious child processes (post-exploitation)**
## MITRE
- **T1190** – Exploit Public-Facing Application
- **T1083** – File and Directory Discovery
- **T1021** – Remote Services (via path traversal to sensitive files)
## ACTION
1. **Immediate:** Identify all KodExplorer instances running version ≤ 4.52 via network scan or asset inventory.
2. **Urgent:** Upgrade to KodExplorer 4.53+ or disable the `/app/controller/share.class.php` endpoint via web server rules (block requests containing `share.class.php` in URL path).
3. **Monitor:** Run Detection Query 1 and 2 continuously for 48 hours post-remediation to confirm
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("share.class.php", "/app/controller/share.class.php")
| where RemoteUrl matches regex @"(\.\./|\.\.\\|%2e%2e|path=.*\.\./)"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName
| limit 1000
DeviceFileEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("php.exe", "php-cgi.exe", "w3wp.exe", "httpd.exe")
| where FolderPath matches regex @"(\.\.\/|\.\.\\|%2e%2e)" or FolderPath has_any ("/etc/", "c:\\windows\\", "c:\\winnt\\")
| where ActionType in ("FileCreated", "FileModified", "FileRead")
| project Timestamp, DeviceName, InitiatingProcessFileName, FolderPath, FileName, ActionType
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("php.exe", "php-cgi.exe", "w3wp.exe", "httpd.exe")
| where ProcessCommandLine matches regex @"(cmd|powershell|bash|sh|nc|curl|wget)" or FileName in~ ("cmd.exe", "powershell.exe", "bash", "sh")
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName, ProcessId
| limit 1000
Source: nvd.nist.gov
33/100
CVSS 7.3
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6562
Analysis
# THREAT BRIEFING: CVE-2026-6562 – Dameng100 MUUCMF SQL Injection
## SUMMARY
A remote SQL injection vulnerability exists in Dameng100 MUUCMF v1.9.5.20260309 via the `getListByPage` function in `/index/Search/index.html`, exploitable through the `keyword` parameter. Public exploits are available and the vendor has not responded to disclosure.
## TRIAGE
**Severity: HIGH** – CVSS 7.3, publicly exploitable, unauthenticated remote attack. Immediate investigation required if Dameng100 MUUCMF is deployed in your environment.
## DETECTION
**Query 1: HTTP POST requests to vulnerable endpoint with SQL injection patterns**
**Query 2: Web application logs for SQL injection attempts against Dameng100**
**Query 3: Outbound connections from Dameng100 application to suspicious destinations**
## MITRE
- **T1190** – Exploit Public-Facing Application
- **T1190.004** – SQL Injection (sub-technique)
- **T1021** – Remote Services (if lateral movement occurs post-exploitation)
## ACTION
1. **Immediate:** Identify all systems running Dameng100 MUUCMF v1.9.5.20260309 via asset inventory and network scanning.
2. **Urgent:**
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "/index/Search/index.html"
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe", "curl.exe", "powershell.exe")
| where RemoteUrl matches regex @"(?i)(keyword|search).*(\bunion\b|\bselect\b|\bfrom\b|\bwhere\b|--|;|'|\")"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| limit 1000
union
(SecurityEvent | where EventID == 4688 and CommandLine has "dameng" or CommandLine has "muucmf"),
(DeviceProcessEvents | where ProcessCommandLine has "dameng" or ProcessCommandLine has "muucmf" or FolderPath has "dameng")
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"(?i)(keyword|search).*(\bunion\b|\bselect\b|\bfrom\b|--|;|')"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessId
| limit 1000
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "dameng.exe", "muucmf.exe")
| where RemoteIPType == "Public"
| where RemotePort in (3306, 5432, 1433, 27017, 6379)
| summarize ConnectionCount=count(), UniqueRemoteIPs=dcount(RemoteIP), RemoteIPList=make_set(RemoteIP) by DeviceName, InitiatingProcessFileName, RemotePort
| where ConnectionCount > 5
| limit 1000
Source: nvd.nist.gov
22/100
CVSS 0.0
EPSS 0.0%
unit42.paloaltonetworks.com
KQLCVE-2023-33538
Analysis
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
CVEs: CVE-2023-33538
CVSS: 0.0 | EPSS: 0.0% | Priority: 2.5/100
ATT&CK: N/A
Detection language: KQL
Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
<p>CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.</p>
<p>The post <a href="https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/">A Deep Dive Into Attempted Exploitation of CVE-2023-33538</a> appeared first on <a href="https://unit42.paloaltonetworks.com">Unit 42</a>.</p>
Source: unit42.paloaltonetworks.com
ThreatPulse — Automated Threat Intelligence
Unsubscribe |
Update Preferences
Don't miss what's next. Subscribe to Ethan Andrews: