Trolling Microsoft With Vulnerabilities – PSW #930

Categories: Vulnerability Management, AI/ML, AI benefits/risks

In the security news: Trolling Microsoft With Vulnerabilities, Fable 5 loves guardrails, Binwalk vulnerability, EMBA and local models, EDRChoker, AI worms, Interesting Arista vulnerability added to KEV, BOD 26-04 and stakeholder specific vulnerability categorization, Bring your own execution environment, Homelab tips, MikroTik routers as interceptors, Ivanti Sentry and irony, Smart TV botnets, Privacy laws, Solarwinds Serv-U lives on, More Cisco SD-WAN fun!, Russia can jam GPS, No nudes for you says UK Government, “Why would someone want to learn code when AI does it better and faster?”.

June 11, 2026

Hosts

Paul Asadoorian, @0offset, https://securitypodcaster.com
David Johnson
Lee Neely
Mandy Logan, @survivatrix#0613
Sam Bowne, https://samsclass.info/

Announcements

If you’re in the SOC, you already know the pain. Too many alerts, not enough context, and attackers slipping through the cracks. Now add AI-driven attacks and increasingly complex environments. At the AI for Next-Gen SOC Virtual Cybersecurity Summit on June 24th, learn how to actually apply AI for detection engineering, threat hunting, and reducing false positives without breaking your workflows.
Security Weekly listeners can register for free at https://securityweekly.com/nextgensoc using the promo code: CSS26-SW

List of Articles

Paul Asadoorian

Fwupd 2.1.5 Improves Firmware Updates on Dual-Boot Linux Systems
You shouldn't dual boot, it's a PITA. Also, updating your DB on the fly like this is interesting and also potentially dangerous...

How The 2020s Chip Crisis Led To A Buggy Saleae Analyzer In 2026

Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges

Anthropic rolls out Claude Fable 5, but it’s available for a limited time
Fable 5 stinks, too many guardrails and too many tokens. Try again Anthropic. As cybersecurity researchers, guardrails just slow us down...

Release EMBA – v2.0.2 – Party the big 2k · e-m-b-a/emba
I am interested in trying this; EMBA can now use local AI models...

UK weakens proposed telecoms defenses against Chinese hackers after industry pushback
Dear telecoms, you should be wicked secure. Oh, that's too hard? Okay, never mind...

EDRChoker: Choking The Telemetry Stream to Bypass Defenses
Such a cool idea: "The post describes a new red-team technique and tool, EDRChoker, that “chokes” EDR telemetry by abusing Windows policy-based QoS to throttle EDR agent traffic to unusably low bandwidth instead of outright blocking it. EDRChoker targets the inherent dependency of cloud-managed EDR agents on reliable client-server connectivity: if you break that channel, you strip away most detection, response, and command-and-control capabilities while leaving the agent technically “running.” Instead of Windows Firewall/WFP rules, it uses Policy-based QoS (pacer.sys) to cap outbound bandwidth for EDR processes to as low as 8 bits per second, which forces TLS handshakes and telemetry uploads to time out, effectively isolating the agent from its backend."

“AI Worms”, researchers demonstrate autonomous malware capable of adapting to any online device
Why wouldn't we have AI worms? I think we've already seen behavior similar to this.

U.S.
CISA adds Cisco Catalyst SD-WAN, Arista Extensible Operating System (EOS), and Google Chromium V8 flaws to its Known Exploited Vulnerabilities catalog

The Arista one is interesting:
- Arista published the advisory with a CVE, but it took a while before it showed up in the CVE databases, which means if you were just looking at CVE data, you would not find this.
- Arista wrote in the original advisory that it was being exploited in the wild.
- It took some time, weeks, for it to show up on the CISA KEV (too slow).
- There is a public PoC exploit: https://github.com/fevar54/CVE-2026-7473---Arista-EOS-Tunnel-Decapsulation-Bypass
- Arista explicitly says “no software upgrade path is planned” and is only providing configuration-based mitigations (primarily ACLs around tunnel decap IPs). This means your vuln scanner will most likely miss this, as it's not based just on version but on configuration, so hope you are doing configuration audits; and if you read the advisory, the vulnerable vs. not-vulnerable configuration is not easy to tell apart.

Helping Federal Agencies Meet CISA’s Accelerated Remediation Timelines outlined in CISA BOD 26-04
A bit of a sales pitch, but some good insights from Vulncheck: "CISA’s new BOD 26-04 hard-codes SSVC – Stakeholder-Specific Vulnerability Categorization – into federal patching: you don’t just look at CVSS anymore, you look at whether the asset is exposed, whether the vuln is actively exploited, whether the attack can be automated, and whether the impact is partial or total, and that combo drives how fast you have to remediate. VulnCheck points out that CISA’s own “Vulnrichment” only has SSVC data for about 46% of CVEs, so agencies would be stuck manually rating exploitation, automatability, and impact on the rest; their answer is to auto-generate SSVC decisions – with around 90% coverage and earlier exploit intel than CISA KEV – so you can plug those fields straight into BOD 26-04 timelines rather than building your own SSVC pipeline from scratch."
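To make the SSVC decision points concrete, here is an added example (my code, not VulnCheck's, CISA's or the show's) that rates a constructed inventory on the four factors the summary names (exposure, exploitation, automatability, impact) and flags records that carry no enrichment data for manual review, the gap behind the 46% coverage figure. The tier branching and the placeholder CVE ids are my own assumptions, not the official BOD 26-04 table.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    cve: str
    exposed: bool                 # internet-facing or edge asset?
    exploitation: Optional[str]   # "none", "poc", "active"; None = no SSVC data
    automatable: Optional[bool]   # can the whole attack chain be scripted?
    impact: Optional[str]         # "partial" or "total"; None = no SSVC data

def ssvc_tier(f: Finding) -> str:
    """Map the four decision points to a tier. The branching is my own
    illustrative simplification (assumption), not the official BOD 26-04 table;
    records missing enrichment go to a human instead of defaulting low."""
    if f.exploitation is None or f.automatable is None or f.impact is None:
        return "manual_review"
    total = f.impact == "total"
    if f.exploitation == "active":
        return "act" if (f.exposed or total) else "attend"
    if f.exploitation == "poc":
        if f.automatable and total:
            return "act" if f.exposed else "attend"
        return "attend" if (f.exposed and f.automatable) else "track*"
    if f.exposed and f.automatable and total:   # nothing exploited yet
        return "attend"
    return "track*" if total else "track"

def prioritize(findings):
    """Most urgent first; unrated records sort with 'act' so they get rated."""
    rank = {"manual_review": 0, "act": 0, "attend": 1, "track*": 2, "track": 3}
    return sorted(findings, key=lambda f: (rank[ssvc_tier(f)], f.cve))

def ssvc_coverage(findings) -> float:
    """Fraction of findings carrying all three SSVC fields (the 46% problem)."""
    rated = sum(1 for f in findings if ssvc_tier(f) != "manual_review")
    return rated / len(findings) if findings else 0.0

# Constructed sample inventory: placeholder CVE ids, not real vulnerabilities.
SAMPLE = [
    Finding("CVE-0000-0001", True,  "active", True,  "total"),    # exposed, in the wild
    Finding("CVE-0000-0002", False, "poc",    True,  "total"),    # internal, PoC only
    Finding("CVE-0000-0003", True,  "none",   False, "partial"),  # exposed, low impact
    Finding("CVE-0000-0004", False, None,     None,  None),       # no enrichment data
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve}: {ssvc_tier(f)}")
    print(f"SSVC coverage: {ssvc_coverage(SAMPLE):.0%}")
```

The point of the `manual_review` tier is that a record with no SSVC fields must never be scored as low risk by default; it is simply unrated until someone (or an enrichment feed) fills in exploitation, automatability and impact.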
BOD 26-04: Prioritizing Security Updates Based on Risk
BOD 26-04 is CISA’s new playbook telling federal agencies: “stop patching everything by CVSS or KEV date alone, and instead prioritize updates based on how exposed the asset is and how it’s actually being exploited in the real world.” It replaces the old “patch every KEV by this deadline” mindset with a structured risk model and pushes agencies toward continuous, automated, risk-based remediation.
- Asset exposure – Is the system internet-facing, on the edge, or internal only?
- Vulnerability characteristics – Exploitability, availability of weaponized exploits, complexity, required privileges, etc.
- Threat activity – Is the vuln being widely exploited, targeted at specific sectors, or just PoC-only chatter?
- Potential impact – Mission criticality, data sensitivity, and blast radius if the asset is compromised.
Agencies must build processes and tooling that pull these signals together and use them to sequence mitigations, rather than just racing to clear KEVs by due date.

Locked in heated rivalry with researcher, Microsoft fixes 0-day they disclosed
A few of my news articles relate to this topic, let's see if we can't break it down:
- Nightmare Eclipse (also known as Chaotic Eclipse or Dead Eclipse) is an anonymous researcher who has been on a relentless, retaliatory zero-day disclosure campaign against Microsoft since early April 2026, releasing exploits timed to coincide with Patch Tuesday for three consecutive months. The grudge reportedly stems from Microsoft allegedly leaving the researcher "homeless with nothing" — the community is split on whether they're a whistleblower or a threat actor.
- Just hours after June 2026 Patch Tuesday, Nightmare Eclipse published RoguePlanet, a PoC exploiting a race condition in Microsoft Defender to spawn a SYSTEM-level shell on fully patched Windows 10 and 11. The researcher posted on X taunting Microsoft: "Someone tell Microsoft they forgot to add RoguePlanet."
- ThreatLocker independently reproduced the exploit, confirming it's real, though their Application Allowlisting blocked it by default.
- June Patch Tuesday patched two prior Nightmare Eclipse disclosures — GreenPlasma (CVE-2026-45586, CVSS 7.8, CTF/CTFMON LPE) and MiniPlasma (CVE-2020-17103, a regression of a 2020 vuln in the Cloud Filter driver). CVE-2026-45586 is rated "Exploitation More Likely" by Microsoft and was publicly disclosed pre-patch, making it a true zero-day. RoguePlanet remains unpatched.
- GitHub and GitLab removed Nightmare Eclipse's repos after the exploit releases. The researcher responded by standing up independent hosting infrastructure and continues to distribute code through alternate platforms — a new GitHub repo hosting RoguePlanet has already appeared.

Here is a table:

| Exploit     | CVE            | Target                           | Impact        |
|-------------|----------------|----------------------------------|---------------|
| BlueHammer  | TBD            | Windows                          | LPE           |
| RedSun      | TBD            | Windows                          | LPE           |
| GreenPlasma | CVE-2026-45586 | CTFMON/CTF Framework             | LPE to SYSTEM |
| YellowKey   | CVE-2026-50507 | BitLocker                        | Bypass        |
| MiniPlasma  | CVE-2020-17103 | Cloud Filter Driver (cldflt.sys) | LPE to SYSTEM |
| RoguePlanet | Unpatched      | Microsoft Defender               | LPE to SYSTEM |

Centurion: Bring Your Own Execution Environment
Centurion is Praetorian’s experimental “stealth environment” for running red-team payloads: instead of letting Windows execute their code directly, they bring along a tiny custom virtual machine and run the payload inside that, like sneaking a small computer into a bigger one so defensive tools never see normal Windows code or APIs being used. This makes it much harder for EDR to recognize or analyze what is happening, because almost everything interesting happens inside Centurion’s private little world rather than in standard Windows processes and libraries. Centurion’s VM does not run a full operating system like Windows or Linux. It is closer to a tiny, purpose-built “embedded runtime” that runs your payload code and a small set of libraries (loader, networking, TLS, etc.).
The article highlights a Microsoft Windows Defender zero-day vulnerability dubbed "RoguePlanet" (CVE-2026-45586, CVSS 7.8 HIGH) that grants SYSTEM privileges. Affected versions include Windows 10 1607 prior to 10.0.14393.9234, Windows 10 1809 prior to 10.0.17763.8880, and Windows 10 21H2 prior to 10.0.19044.7417, among others listed in the NVD data. Microsoft has released patches for these specific Windows builds, and immediate patching is the primary mitigation.