
    InfoSec News Nuggets 05/14/2026

    By admin, May 14, 2026


    Hackers Targeted PraisonAI Vulnerability Hours After Disclosure

    Attackers began probing for CVE-2026-44338, a PraisonAI authentication bypass flaw, less than four hours after public disclosure. The issue affects PraisonAI versions 2.5.6 through 4.6.33 when the legacy Flask API server is exposed with authentication disabled by default. This matters because exposed AI agent frameworks can trigger configured workflows, and the impact depends on what those agents are allowed to access or do. Organizations using PraisonAI should update to version 4.6.34 and confirm agent APIs aren’t reachable without authentication.

     

    18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

    Researchers disclosed CVE-2026-42945, a critical heap buffer overflow in the NGINX rewrite module that has existed for 18 years. The flaw can be triggered through crafted HTTP requests and may allow unauthenticated remote code execution or denial of service under certain conditions. This is worth prioritizing because NGINX is widely used in internet-facing web infrastructure, reverse proxies, ingress controllers, and application delivery stacks. Teams should update affected NGINX and F5 components and review rewrite rules that use unnamed captures.
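
To support the rewrite-rule review recommended above, the following added example (not code from the article, NGINX, or F5) lists `rewrite` directives in a configuration that use unnamed captures, either as unnamed groups in the regex or as positional `$1`..`$9` references in the replacement. It only builds a review list and does not determine whether a rule is exploitable; the sample configuration is constructed, and one directive per line is assumed.

```python
import re

# One nginx argument: double-quoted, single-quoted, or a bare token.
TOKEN = r'''(?:"[^"]*"|'[^']*'|[^\s;]+)'''
# rewrite <regex> <replacement> ..., at line start or after ';', '{' or '}'.
# The mandatory whitespace after "rewrite" keeps rewrite_log from matching.
REWRITE = re.compile(r'(?:^|[;{}])\s*rewrite\s+(' + TOKEN + r')\s+(' + TOKEN + r')')
ESCAPED = re.compile(r'\\.')            # escaped characters such as \( or \d
CHAR_CLASS = re.compile(r'\[[^\]]*\]')  # bracket classes, where "(" is literal
UNNAMED_GROUP = re.compile(r'\((?!\?)') # "(" not followed by "?" captures by position
POSITIONAL = re.compile(r'\$[1-9]')     # $1..$9 refer to unnamed captures

def find_unnamed_capture_rewrites(config_text):
    """Return (line_no, unnamed_group_count, positional_refs, directive_line)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):   # skip commented-out directives
            continue
        m = REWRITE.search(line)
        if not m:
            continue
        regex = m.group(1).strip("\"'")
        # Drop escapes and bracket classes so only structural "(" remain.
        bare = CHAR_CLASS.sub("", ESCAPED.sub("", regex))
        groups = len(UNNAMED_GROUP.findall(bare))
        refs = sorted(set(POSITIONAL.findall(m.group(2))))
        if groups or refs:
            findings.append((lineno, groups, refs, line.strip()))
    return findings

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = r'''
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/user/(\d+)/(\w+)$ /profile?id=$1&tab=$2 last;
    rewrite ^/blog/(?<slug>[^/]+)$ /posts/$slug last;
    rewrite ^/static/(?:v1|v2)/ /assets/ break;
    rewrite "^/dl/\(x\)/([a-z]{2})$" /files/$1 break;
    location /api { rewrite ^/api/(.*) /v2/$1 break; }
}
'''

if __name__ == "__main__":
    for lineno, groups, refs, text in find_unnamed_capture_rewrites(SAMPLE):
        print(f"line {lineno}: {groups} unnamed group(s), refs {refs}: {text}")
```

Rules that use named groups such as `(?<slug>...)` or non-capturing groups `(?:...)` are not reported.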

     

    Windows BitLocker zero-day gives access to protected drives, PoC released

    A researcher released proof-of-concept exploits for two unpatched Windows issues named YellowKey and GreenPlasma. YellowKey can bypass BitLocker protection in certain TPM-only configurations by abusing Windows Recovery Environment behavior, while GreenPlasma is a privilege escalation issue tied to Windows CTFMON. The practical concern is that public exploit code can move quickly from research into attacker testing, especially since prior leaks from the same researcher were later exploited in the wild. Security teams should track Microsoft guidance, review BitLocker configurations, and avoid relying on TPM-only protection for high-risk systems.

     

    Sandworm Activity in Industrial Environments: What the Data Reveals

    Nozomi Networks analyzed more than 5.5 million alerts from 10 industrial organizations and identified 29 confirmed Sandworm-related events. The research found that affected systems often produced weeks or months of warning signs before Sandworm activity, including EternalBlue, Cobalt Strike, RAT activity, and Log4Shell indicators. The key takeaway for OT and critical infrastructure teams is that Sandworm doesn’t need zero-days when environments already have unresolved compromise paths, and detection alone isn’t enough if containment is slow.

     

    FamousSparrow APT Targets Azerbaijani Oil and Gas Industry

    Bitdefender reported a multi-wave espionage campaign against an Azerbaijani oil and gas company, attributed with moderate-to-high confidence to the China-linked FamousSparrow threat group. The attackers repeatedly returned through the same vulnerable Microsoft Exchange entry point and deployed Deed RAT and Terndoor across multiple waves. This matters for energy sector defenders because the incident shows how incomplete remediation can leave the original access path open, allowing a capable actor to return with new tooling after defenders remove the visible malware.

    The post InfoSec News Nuggets 05/14/2026 appeared first on AboutDFIR – The Definitive Compendium Project.


