惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
S
SegmentFault 最新的问题
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
C
Cisco Blogs
博客园 - 叶小钗
P
Privacy International News Feed
Jina AI
Jina AI
Apple Machine Learning Research
Apple Machine Learning Research
T
Threatpost
IT之家
IT之家
博客园 - 聂微东
Know Your Adversary
Know Your Adversary
Help Net Security
Help Net Security
罗磊的独立博客
I
Intezer
S
Schneier on Security
博客园_首页
C
CERT Recently Published Vulnerability Notes
雷峰网
雷峰网
Cisco Talos Blog
Cisco Talos Blog
宝玉的分享
宝玉的分享
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
TaoSecurity Blog
TaoSecurity Blog
MyScale Blog
MyScale Blog
P
Privacy & Cybersecurity Law Blog
T
The Exploit Database - CXSecurity.com
PCI Perspectives
PCI Perspectives
Security Latest
Security Latest
H
Heimdal Security Blog
S
Secure Thoughts
Hacker News: Ask HN
Hacker News: Ask HN
Y
Y Combinator Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Microsoft Security Blog
Microsoft Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
SecWiki News
SecWiki News
The GitHub Blog
The GitHub Blog
A
Arctic Wolf
A
About on SuperTechFans
aimingoo的专栏
aimingoo的专栏
T
Threat Research - Cisco Blogs
Engineering at Meta
Engineering at Meta
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC

Cisco Talos Blog

Begun, the Patch Wars have The Hunter's Paradox: Is it time to embrace automated threat hunting? UAT-11795 deploys novel Starland RAT and bespoke WLDR C2 implant in financially motivated campaign Microsoft Patch Tuesday for July 2026 — Snort rules and prominent vulnerabilities [Video] Where protection starts: Cisco Talos Intelligence Integrations The serpent’s tongue: Luring the Python out of its den WolfSSL, GeoVision, VTK vulnerabilities Winning 54% of the time UAT-7810 continues building ORB networks using new malware Catan and Mouse Martin Lee: Running through the Arctic (and the threat landscape) ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365 Beyond IOCs: AI-enabled threat intelligence Introduction to COM usage by Windows threats Close Encounters of the Human Kind Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model A tale of two eras Microsoft Patch Tuesday for June 2026 — Snort rules and prominent vulnerabilities Reporting from Vegas: Networking, AI, and good boys Winning the cyber marathon with Tony Giandomenico Hypotheses, telemetry, and human judgment: Inside Cisco Talos Threat Hunting DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap MediaArea heap-based buffer overflow vulnerabilities Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake The art of being ungovernable TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat The time of much patching is coming Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities Breaking things to keep them safe with Philippe Laulheret Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities State-sponsored actors, better known as the friends you don’t want Unplug your way to better code Insights into the clustering and reuse of phone numbers in scam emails UAT-8302 and its box full of malware
Less panic patching, more precision
Thorsten Rosendahl · 2026-05-29 · via Cisco Talos Blog

Welcome to this week's edition of the Threat Source newsletter. 

Recently, Martin closed his introduction with a warning: Ready or not, the time of much patching is coming. I've been chewing on that one for a while because I'm rethinking my own enrichment pipelines along these lines, and the questions Martin raised are the ones I keep running into — with one or two ideas on what practitioners can actually do about it. 

Honestly speaking, most of us are still prioritising the wrong way. CVSS has been the default for over a decade — but it only answers one question: How bad could this be in theory? It's a severity score, not a risk score. A CVSS 9.8 on something nobody is exploiting (and nobody ever will) is a very different problem from a CVSS 7.2 that's being weaponised in the wild this morning. If your patch queue is sorted purely by CVSS, you'respending finite operations capacity on hypotheticals. 

This is where 

EPSS

 (Exploit Prediction Scoring System) earns its place next to CVSS. EPSS is a probability — between 0 and 1 — that a given CVE will be exploited in the next 30 days, based on real-world signals. The two answer different questions:

Feature 

CVSS 

EPSS 

Focus 

Severity (impact) 

Risk (likelihood of exploitation) 

Nature 

Static (usually) 

Dynamic (updated daily) 

Output 

0.0 to 10.0 score 

0.0 to 1.0 probability 

Primary use 

Assesses technical impact 

Prioritizes remediation 

CVSS tells you how bad it would be if exploited. EPSS tells you how likely it is to actually happen to you soon. Used together, a high CVSS and a high EPSS is your "drop everything" pile, while a high CVSS and a very lowEPSS can probably wait behind a medium with an EPSS of 0.7. That single change in triage logic can meaningfully shrink the patch backlog without weakening your posture. 

The second ingredient is knowing what is actually being exploited — and here, many teams default to CISA's KEV catalog. KEV is excellent, and I've quoted KEV numbers in this newsletter more times than I can count. CISA contributes as an Authorized Data Publisher (ADP) in the CVE Program, enriching records alongside the original CNA's data. That model works well, but it's also why KEV is structurally centralized, conservative in what it admits, and naturally scoped to what U.S. federal visibility surfaces. For a global practitioner — and writing this from Germany, I notice — "Is this being exploited?" deserves a broader lens. 

That broader lens is starting to take shape with GCVE (Global CVE), a decentralized approach to vulnerability identification and enrichment. Two properties matter for the surge that's coming: 

  1. Speed of enrichment. Because GCVE is decentralized, enrichment data — references, affected products, exploit indicators — doesn't have to wait in a single queue. In practice, actionable context arrives meaningfully faster than the traditional NVD pipeline, which has visibly struggled with backlog over the past two years. 
  2. Broader exploitation signal. Rather than a single authoritative list of what is being exploited, GCVE makes room for multiple sources of exploitation evidence to surface against the same identifier. That gives defenders outside the U.S. (and frankly, inside it too) a more complete picture than KEV alone. 

Pair that with EPSS on top of CVSS, and you end up with a triage stack that is faster, broader, and probability-informed rather than only severity. 

None of this removes the patching workload that is coming, but it does change which patches you sprint on at 2:00 a.m. and which ones can ride the normal cycle. Before the surge arrives, that's a worthwhile thing to get right.

The one big thing 

Cisco Talos released EvidenceForge, a new open-source tool designed to generate highly realistic, correlated synthetic security logs. This tool solves the chronic shortage of high-quality, labeled datasets needed to train threat hunters and validate detection logic. By using a single canonical event model and AI-assisted scenario authoring, EvidenceForge ensures causal and temporal consistency across more than 20 log formats. 

Why do I care? 

Relying on heavily scrubbed public datasets or red team engagements often leaves security teams with incomplete telemetry. While most synthetic generators spit out independent events that fail to tell a coherent story, EvidenceForge injects realistic background noise, red herrings, and proper causal sequencing into the mix. This allows your team to work with synchronized datasets that (more) accurately mimic real-world network visibility without the compliance headaches of using production data. 

So now what? 

Security teams can head over to GitHub to clone the EvidenceForge repository and use its guided conversation feature to build custom attack scenarios. Defenders can then use these newly generated datasets to build robust SOC analyst training programs, stress-test a new SIEM, and validate detection pipelines before they touch a production environment. You can find the full details and the link to the open-source repository in the blog post

Top security headlines of the week 

Lawmakers demand answers as CISA tries to contain data leak 
Lawmakers are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after a contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. (KrebsOnSecurity

Over 5,500 GitHub repositories infected in “Megalodon” supply chain attack 
The campaign relies on GitHub Actions workflows containing a payload designed to steal credentials, keys, tokens, and other secrets. The workflows were injected through over 5,700 malicious commits pushed to the impacted repositories on May 18. (SecurityWeek

Authorities seized 800 servers of hosting company used to launch cyber attacks 
The investigation centers on a web hosting company established on Feb. 10, 2022, weeks before Russia invaded Ukraine. The infrastructure was allegedly used to support cyber attacks, disinformation campaigns, and sanctions evasion linked to Russia. (CyberSecurityNews

Content delivery exploit opens websites to brand hijacking 
The Underminr domain-fronting attack allows threat actors to modify web requests and leverage trusted websites to cloak malicious activity. (Dark Reading

Cisco’s risk-based vulnerability disclosure in the age of AI 
Cisco is adapting its vulnerability disclosure practices, focusing on increasing the visibility of detailed technical information for vulnerabilities that are critical, actively exploited, or have a higher likelihood of exploitation. (Cisco blog

Can’t get enough Talos? 

DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap 
Hospitals rely on DICOM-based PACS systems, and those systems often automatically ingest files received over the network. Our latest white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. 

MediaArea heap-based buffer overflow vulnerabilities 
MediaArea produces digital media analysis open-source software, as well as support tools for file investigation. Talos discovered four vulnerabilities in MediaInfoLib, which provides a UI for technical and tag data for video and audio media files.

Breaking things to keep them safe with Philippe Laulheret 
From his memorable experiment using a green onion to bypass a biometric fingerprint reader to his experience on the frontlines of cybersecurity, Philippe shares the journey that led him to vulnerability research. 

Upcoming events where you can find Talos 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Example Filename: VID001.exe  
Detection Name: Win.Worm.Coinminer::1201** 

SHA256: 9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
MD5: 38de5b216c33833af710e88f7f64fc98  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f 
Example Filename: sample.exe  
Detection Name: Win.Tool.Procpatcher::1201 

SHA256: 5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
MD5: a2cf85d22a54e26794cbc7be16840bb1 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe 
Example Filename: a2cf85d22a54e26794cbc7be16840bb1.exe  
Detection Name: W32.5E6060DF7E-100.SBX.TG 

SHA256: afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
MD5: cc4d231df34e57f59eb970353c7d9de2 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=afc8a00883a4ea07df2dc1d4ed02f8a23b35c9456413b438a2d9ce3ae5076638 
Example Filename: AutoPico.exe 
Detection Name: PUA.Win.Tool.Kmsactivator::1201