🎓️ Vulnerable U | #109
SignalGate, Next.js auth vuln, Kubernetes major RCE bug, Chinese shell companies hiring laid off gov employees, and much more!
Read Time: 8 minutes

Howdy friends!
Coming back from being sick/spring break, I’m trying to remember what I do for a living. The pile got big fast. Hope some of you out there got some time to recharge.
This week was insane for security news. SignalGate drowned out a lot of other stories, but there is a ton to get to this week, so let’s dive in.
ICYMI
🖊️ Something I wrote: Spy got tricked by a honeypot and implicated the most senior leaders at the victim's biggest competitors.
🎧️ Something I heard: 21-year old dev destroys LeetCode, gets kicked out of school...
🎤 Something I said: Ran through this slick browser extension hack where legit extensions can transform into malicious ones.
🔖 Something I read: Oh I’m obsessed. New audiobook series that has broken my rating scale by being so good. Any Dungeon Crawler Carl fans? Think Ready Player One but R-Rated.
Vulnerable News
This one is nuts. Auth was just completely bypassable on Next.js sites for the last few years, in an entirely trivial manner: adding a header with a specific value.
x-middleware-subrequest: middleware
That's it. Just add that header to your request and it ignored auth. Nuts!
The exploit works across ALL versions from 11.1.4 onward, affecting potentially millions of deployments.
What makes this particularly nasty is that middleware is commonly used for critical security functions like authorization and CSP headers. The researchers demonstrated real-world exploits against production systems, bypassing admin restrictions and content security policies with ease. For newer Next.js versions, the payload is just "middleware" repeated five times with colons between them. Vercel patched it in versions 15.2.3 and 14.2.25, but older versions need manual fixes at the web server level to block that header. Given Next.js is downloaded nearly 10M times weekly and used across banking and blockchain apps, this one's going to cause some headaches. (read more)
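For the web-server-level fix the paragraph mentions, here is what the edge-side logic looks like, as an added example that is not code from the newsletter, from Vercel or from Next.js: an external client has no legitimate reason to send this internal header, so a reverse proxy should drop it on the way in and flag the request. The sample requests and the `triage` labels are constructed for illustration.

```python
"""Added example (not from the newsletter, Vercel or Next.js): a reverse-proxy
style filter for the x-middleware-subrequest header, plus a check for the payload
shape the write-up describes ("middleware" alone, or repeated with colons)."""
import re

INTERNAL_HEADER = "x-middleware-subrequest"
# Bypass payloads named in the write-up: "middleware", or "middleware" joined by colons.
BYPASS_RE = re.compile(r"^middleware(?::middleware)*$")


def is_bypass_payload(value: str) -> bool:
    """True when the header value matches the documented bypass shape."""
    return bool(BYPASS_RE.fullmatch(value.strip()))


def filter_request_headers(headers: dict) -> tuple:
    """Drop x-middleware-subrequest from a client request, as an edge proxy should.

    The header only has meaning for Next.js-internal subrequests, so anything
    arriving from outside is stripped. Header names are compared case-insensitively,
    as HTTP requires. Returns (cleaned_headers, dropped_values).
    """
    cleaned, dropped = {}, []
    for name, value in headers.items():
        if name.lower() == INTERNAL_HEADER:
            dropped.append(value)
        else:
            cleaned[name] = value
    return cleaned, dropped


def triage(headers: dict) -> str:
    """Classify one request for alerting: 'clean', 'suspicious' or 'bypass-attempt'."""
    _, dropped = filter_request_headers(headers)
    if not dropped:
        return "clean"
    if any(is_bypass_payload(v) for v in dropped):
        return "bypass-attempt"
    return "suspicious"  # header present with an unexpected value: still worth a look


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        {"Host": "app.example", "Accept": "text/html"},
        {"Host": "app.example", "X-Middleware-Subrequest": "middleware"},
        {"Host": "app.example", "x-middleware-subrequest": ":".join(["middleware"] * 5)},
        {"Host": "app.example", "x-middleware-subrequest": "unexpected"},
    ]
    for sample in samples:
        print(triage(sample), filter_request_headers(sample)[0])
```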
Chinese cyber espionage has shifted from stealing trade secrets to mass surveillance and pre-positioning within America’s critical infrastructure.
In the new podcast, To Catch a Thief, bestselling author and former New York Times cybersecurity and digital espionage reporter, Nicole Perlroth, explores China’s rise from “the most polite, mediocre hackers in cyberspace” to today’s “apex predator.”
Featuring guest experts in national security and threat intelligence, including:
Kevin Mandia, CEO, Mandiant
Jen Easterly, Former Director, CISA
David Barboza, Pulitzer Prize Winner
*Sponsored
When I read “Over 40% of cloud environments are vulnerable to RCE, likely leading to a complete cluster takeover.” I listen immediately.
Wiz ruined a lot of weeks with "IngressNightmare" - a set of four critical RCE vulnerabilities in Ingress NGINX Controller for Kubernetes. These bad boys (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) scored a 9.8 CVSS and could lead to complete cluster takeover. Wiz’s data shows about 43% of cloud environments are vulnerable, including over 6,500 public-facing clusters at Fortune 500 companies.
The attack exploits the admission controller component, which lacks authentication by default. Attackers can inject malicious NGINX configs via crafted ingress objects, ultimately gaining full access to all secrets across namespaces. Patch immediately to versions 1.12.1 or 1.11.5, and check if your admission webhook is exposed externally. If you can’t patch consider enforcing strict network policies or temporarily disabling the admission controller component. (read more)
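To act on the two checks above (are we on a fixed release, and is the admission webhook reachable from outside the cluster), here is an added triage script that is not code from the newsletter, from Wiz or from the ingress-nginx project. It assumes controller images carry a semver tag and that the admission webhook Service has "admission" in its name; the image list and Service objects are constructed stand-ins for `kubectl` output.

```python
"""Added example (not from the newsletter, Wiz or the ingress-nginx project):
triage ingress-nginx controller image tags against the fixed releases named above
(1.12.1 and 1.11.5) and flag admission webhook Services exposed beyond ClusterIP."""
import re

FIXED_PATCH = {(1, 12): 1, (1, 11): 5}  # release line -> first patched patch level
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?:$|[-@])")


def parse_version(image: str):
    """Extract (major, minor, patch) from an image reference, or None if untagged."""
    m = TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version: tuple) -> bool:
    major, minor, patch = version
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch >= FIXED_PATCH[line]
    # Assumption: lines newer than 1.12 carry the fix; lines older than 1.11 have
    # no fixed release named in the text above, so they are treated as unpatched.
    return line > (1, 12)


def triage_images(images: list) -> dict:
    """Map each image reference to 'patched', 'VULNERABLE' or 'unknown-version'."""
    out = {}
    for img in images:
        v = parse_version(img)
        out[img] = "unknown-version" if v is None else ("patched" if is_patched(v) else "VULNERABLE")
    return out


def exposed_webhook_services(services: list) -> list:
    """Return 'namespace/name' for admission webhook Services not of type ClusterIP.

    `services` mimics the items of `kubectl get svc -A -o json` (constructed shape).
    A NodePort or LoadBalancer webhook is reachable from outside the cluster.
    """
    exposed = []
    for svc in services:
        name = svc["metadata"]["name"]
        if "admission" in name and svc["spec"].get("type", "ClusterIP") != "ClusterIP":
            exposed.append(f"{svc['metadata']['namespace']}/{name}")
    return exposed


if __name__ == "__main__":
    # Constructed sample data, not output from a real cluster.
    print(triage_images(["registry.k8s.io/ingress-nginx/controller:v1.11.3",
                         "registry.k8s.io/ingress-nginx/controller:v1.12.1"]))
```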
SignalGate
What a cluster. TL;DR if you somehow missed it: a group text on Signal among the top national security personnel and the VP started discussing top secret attack details, and they didn't realize they had accidentally added a journalist. Original report from The Atlantic: "The Trump Administration Accidentally Texted Me Its War Plans", and then their follow-up after the administration tried to play down the info leaked: "Here Are the Attack Plans That Trump's Advisers Shared on Signal".
Kaspersky just caught another APT in the wild using a fresh Chrome zero-day (CVE-2025-2783). The exploit was pretty slick - just clicking a phishing link in Chrome was enough to get compromised, no additional user interaction needed. The vulnerability allowed attackers to completely bypass Chrome's sandbox through what Kaspersky describes as "a logical error at the intersection of Google Chrome's sandbox and the Windows operating system."
The campaign, dubbed "Operation ForumTroll," targeted Russian media, educational institutions, and government orgs with personalized phishing emails masquerading as invitations to the "Primakov Readings" forum. Google patched the vulnerability on March 25 after Kaspersky's report. This was just the first stage of an exploit chain - there was apparently a second exploit for remote code execution that Kaspersky couldn't capture. The attackers' malware appears to be espionage-focused and exhibits signs of a state-sponsored operation. (read more)
Security teams must rely on efficient processes that handle vulnerabilities without overwhelming their resources, and automation is key.
Register for this Tines webinar on April 9 to learn:
How security and IT ops teams can collaborate for a streamlined vulnerability lifecycle
How to gradually adopt automation
How LivePerson automates key vulnerability management processes to improve efficiency
*Sponsored
Well here is a whole other risk to mass government layoffs. Report uncovered a Chinese recruitment operation targeting laid-off US government workers. The network of fake consulting and headhunting firms shares websites and server infrastructure, posts job listings on LinkedIn and Craigslist, and specifically targets former feds who might be feeling financial pressure after recent government cuts. When Reuters investigated, they found a lot of breadcrumbs leading to dead ends - phone numbers that don't work, addresses that are empty lots, and mysteriously disappearing job listings.
This playbook looks awfully familiar to intelligence analysts. It mirrors a 2020 case where a Singaporean national pleaded guilty to recruiting Americans with access to sensitive info through a fake consulting company. The FBI warns that Chinese intelligence often masquerades as think tanks and recruiting firms to target government employees. (read more)
I would've put money on this breach not being real.
Despite Oracle flat-out denying that anything happened, BleepingComputer has receipts suggesting otherwise. They've contacted companies listed in the leaked data who confirmed the info is legit. The threat actor (going by "rose87168") claims they've snagged authentication data and encrypted passwords for 6 million users by exploiting a vulnerability in Oracle Fusion Middleware 11g.
The attacker demonstrated they could create files on Oracle's "login.us2.oraclecloud.com" server, and they're claiming they've been in contact with someone from Oracle via ProtonMail (wtf?). Oracle has since taken the server offline but continues to maintain there was no breach. The alleged exploit used was CVE-2021-35587, a known vulnerability that allows unauthenticated attackers to compromise Oracle Access Manager. With 140,621 domains potentially affected, this could get messy if Oracle's denial turns out to be... optimistic. (read more)
Two security researchers at Google's LLM bugSWAT event found a way to exfiltrate parts of Gemini's source code from its Python sandbox. The hack was beautifully simple - they discovered they could run arbitrary Python code in Gemini's sandbox interpreter, then used that access to extract a massive 579MB binary file by chunking it through base64 encoding. When they ran binwalk on the binary, surprise! Internal Google source code spilled out, including directories of Google3 (their internal repo) code and proto files that were never meant for public eyes. (read more)
Turns out stalkerware companies are absolutely terrible at security - who knew? TechCrunch reports at least 25 of these sketchy spyware makers have been hacked or leaked massive amounts of user data since 2017. The latest victim is SpyX, whose breach exposed nearly 2 million victims' private phone data. These companies market themselves to jealous partners wanting to spy on their significant others, but they can't even protect their own servers.
Despite these repeated security disasters, the stalkerware industry keeps chugging along like a cockroach. Of the 25 compromised companies, only 8 have shut down - the rest just rebrand or continue operating. Some hackers specifically target these companies to expose and hopefully destroy the industry, but as EFF's Eva Galperin points out, "when you actually manage to kill a stalkerware company, it comes up like mushrooms after the rain." (read more)
Troy Hunt just got phished, and he's not happy about it. The security expert behind Have I Been Pwned fell victim to a cleverly crafted Mailchimp phishing email while jet-lagged in London. The attackers snagged his credentials, including the OTP verification code, then immediately raided his account and exported his entire 16k subscriber list. He'd literally just been meeting with the UK's National Cyber Security Centre discussing the benefits of phishing-resistant passkeys the day before.
Major kudos to how Troy handled this with immediate transparency, adding the breach to his own HIBP service, and highlighting that even security pros can fall victim to well-timed attacks. He also discovered Mailchimp keeps unsubscribed email addresses (about 7,500 of them), which raises some privacy concerns. The attacker's site was hosted behind Cloudflare and taken down about 2 hours after the attack. Troy's now registered whynopasskeys.com and is using this embarrassing experience as a teachable moment about the limitations of OTP-based 2FA versus physical security keys. (read more)
This is some next-level dangerous phishing. Security researchers at Silent Push uncovered a network of fake websites targeting Russians who are searching for ways to join anti-Putin paramilitary groups like the "Freedom of Russia Legion." They're likely run by Russian intelligence services and designed to identify Russian citizens willing to commit what the Kremlin considers treason. The phishing sites are carbon copies of legitimate recruitment pages, complete with Google Forms asking for name, contact info, military experience, and political views.
When Russians search for these groups on Yandex, DuckDuckGo or Bing, the phishing sites often rank higher than the legitimate ones. Some of these domains were traced back to Stark Industries Solutions, a bulletproof hosting provider with ties to Russian intelligence that appeared just before the Ukraine invasion. Given that Russia has designated these paramilitary groups as terrorist organizations, anyone caught communicating with them faces 10-20 years in prison. (read more)

The FBI is sounding the alarm on those "free file converter" sites, and for good reason. According to their Denver field office, criminals are increasingly setting up fake document converters and downloaders that work as advertised but also slip malware onto your device. You upload your document to convert a PDF to Word (or whatever), and you get your converted file... plus a bonus payload that gives hackers remote access to your computer. These sites can also scrape any sensitive data from documents you upload, like SSNs, banking info, and crypto wallet details.
Security researchers have already caught several of these in the wild, including sites like docu-flex[.]com and pdfixers[.]com that were distributing Windows executables flagged as malware. Some are even running Google ad campaigns to appear at the top of search results. These initial infections can lead to full-blown ransomware attacks, with groups like Gootloader using these fake converters as their initial access method. (read more)
Miscellaneous mattjay

How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay