[ZDI-26-124|CVE-2025-15060] claude-hovercraft executeClaudeCode Command Injection Remote Code Execution Vulnerability (CVSS 9.8; Credit: Peter Girnus of Trend Research) zerodayinitiative.com/advisories/Z...
@dustinchilds
Just a simple information security gnome trying to make his way through the universe. Part-time patch wrangler. Tweets are just my opinion and such. Got questions about patches or bug bounties? My DMs are open. Signal: DustinChilds.17
NEW: Former L3Harris boss Peter Williams was sentenced to seven years in prison for stealing sensitive company hacking tools, and then selling them to a Russian broker.
Williams, aka Doogie, previously pleaded guilty to stealing and selling eight trade secrets to Russian broker Operation Zero.
Heading to the #[un]prompted conference next week? Be sure to catch @gothburz.bsky.social's talk on "FENRIR: AI Hunting for AI Zero-Days at Scale". His talk shows how FENRIR has detected over 100 CVEs since mid-2025. Don't miss it. unpromptedcon.org
CVE-2026-20841: Arbitrary Code Execution in the Windows Notepad - The TrendAI Research team takes a deep dive into this recently patched file parsing bug to show you root cause, source code walk through, and provide detection guidance. Read the details at www.zerodayinitiative.com/blog/2026/2/...
Microsoft reports six(!) exploits in the wild while Adobe has a small (and relatively quiet) month. Join @dustinchilds.bsky.social from Tokyo as he breaks down the release and shows you what to watch for. www.zerodayinitiative.com/blog/2026/2/...
A small release from @adobe.com but 6 (yes six!) actively exploited bugs from #Microsoft. I'll have my full thoughts out soon, but get ready for some emergency patching. #PatchTuesday
CVE-2025-6978: Arbitrary Code Execution in the #Arista NG Firewall - our researchers took a deep dive into this recently patched RCE to provide root cause and detection guidance. Read all the details at www.zerodayinitiative.com/blog/2026/2/...
Patches are now available for Office 2016 and 2019. Get to updating them there systems!
Wrapping up Day Two of #Pwn2Own Automotive - we saw some amazing research demonstrated today, some of which had never been seen in public before! Join @dustinchilds.bsky.social as he summarizes the highlights and previews the final day. youtu.be/xKZtfblNrHc
Bold of you to assume I have a WhatsApp number, and thanks for the response on the next day. After six hours, my bags finally showed up - after several AA metal flights that had arrived when we did, or after we did, and they've already received their bags. My AirTag says they weren't even unloaded.
Wow - Office security feature bypass patched OOB after active exploitation detected. Patch now - CVE-2026-21509. At least the Preview Pane isn't an attack vector. msrc.microsoft.com/update-guide...
We landed in DFW at 2:30pm, but thanks to bad weather and @americanair.bsky.social incompetence, here it is 9:30 and we have left customs. Still waiting on bags. *sigh*
Boom! Or shall I say Doom? Game On! Aapo Oksman, Elias Ikkelä-Koski and Mikael Kantola of Juurin Oy exploit the Alpitronic HYC50 with a TOCTOU bug - and installed a playable version of Doom to boot. They earn $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OAuto
A highlight from Day 2 of #Pwn2Own Automotive: the team from @synacktiv.com is at it again. This time, they leverage NFC(!) to exploit the #Autel MaxiCharger with a stack-based buffer overflow. Amazing! We've never seen an NFC exploit like this one before. youtube.com/shorts/eGAMc...
Me too....
Verified! Fuzzware.io (@ScepticCtf, @diff_fusion, @SeTcbPrivilege) chained two vulnerabilities (CWE-306, CWE-347) to achieve code execution on the Autel charger and manipulate the CP signal, earning $50,000 USD and 5 Master of Pwn points. Full win with the add-on. #Pwn2Own #P2OAuto
Confirmed! Taejin Kim (@tae3), Junsu Yeo (@junactually), Sunmin Park (@sunminpark4503), Sungmin Son (@_ssm98), and Hoseok Lee of SKShieldus (@EQSTLab) exploited a hardcoded credential (CWE-798) for code execution via CWE-494 on the Grizzl-E Smart 40A, earning $40,000 and 4 MoP points. #Pwn2Own
Verified! @kiddo_pwn and @freddo_1337 of Team DDOS exploited two bugs, including a command injection, against the ChargePoint Home Flex. Add-on failed, but still earned $40,000 USD and 4 Master of Pwn points. #Pwn2Own #P2OAuto
The exploit in action!
Confirmed! Neodyme AG (@Neodyme) used a stack-based buffer overflow to get a root shell on the Alpine iLX-F511, earning $20,000 USD and 2 Master of Pwn points. #Pwn2Own #P2OAuto
There's a story there...for another time ;-]
Zed is learning about sake. I had to apologize for putting him in checked baggage on the way to Tokyo.
We're in the middle of setting up for #Pwn2Own Automotive, and @dustinchilds.bsky.social and Zed peek behind the scenes to see how it's going. youtube.com/shorts/h8dbY...
Patch Tuesday starts at 3am on Wednesday here. For the record, I don't like it.
He may be in Tokyo prepping for #Pwn2Own Automotive, but Patch Tuesday waits for no one. Join @dustinchilds.bsky.social as he breaks down a big #Microsoft release (w/ 1 CVE in the wild) and a smallish #Adobe release. www.zerodayinitiative.com/blog/2026/1/...
It's a big patch Tuesday with more than 110 CVEs from Microsoft but only 25 from Adobe. There's one info disclosure bug under attack. I'll have my full thoughts out soon.
NEW: Apple and Google have rolled out security updates to fix a series of flaws used in an active hacking campaign.
Google updated Chrome; Apple issued fixes for iPhones, Macs, and more. Apple and Google's TAG were credited with the find. TAG usually tracks government-backed threats, like spyware.
Probably - I don't recall (pun intended) seeing any other ones for that ...er... feature. Since they call out "Host Process for Windows Tasks" instead of Recall directly, it's a bit harder to track.
Am I the only one who finds it hysterical that the NSA Exchange bug has a CVE that ends in 666? No? Just me then... msrc.microsoft.com/update-guide...