Last updated: May 13, 2026 at 5:42 AM UTC
Tag: crowdstrike (4 articles)

Two new cybercrime crews are calling employees, getting their MFA codes by phone, then stealing data from SaaS apps within hours

CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).

Check
Run a vishing-specific awareness exercise this week. Tell every employee that real IT will never ask them to read out an MFA code over the phone or enter it on a website during a call.
Affected
Organizations with SSO across Microsoft 365, Salesforce, Okta, Google Workspace, or similar SaaS where one set of credentials reaches multiple apps. Acute risk for help-desk-heavy enterprises (financial services, healthcare, large retail) where IT calls feel routine. Any company with a public corporate logo and SSO landing page is in the target pool.
Fix
Make it policy that IT never asks for MFA codes by phone. Require step-up authentication for any MFA registration change. Alert on new MFA device registrations from unfamiliar IPs. In Microsoft 365, monitor for OAuth grants to ToogleBox Recall and similar inbox-rule apps - these were used by Cordial Spider to delete security alerts. Use Mandiant's published IoCs to block known credential-harvesting domains.
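
A detection sketch for the "alert on new MFA device registrations from unfamiliar IPs" control above, added here as an example and not taken from CrowdStrike's write-up. The event shape, the office IP range and the 15-minute pivot window are assumptions; a registration preceded within that window by a sign-in from the same previously unseen IP matches the call-then-pivot sequence described and is rated high.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed, vendor-neutral audit events (not real tenant data).
EVENTS = [
    {"ts": "2026-05-12T08:02:00", "user": "alice", "type": "sign_in", "ip": "203.0.113.10"},
    {"ts": "2026-05-12T09:15:00", "user": "alice", "type": "sign_in", "ip": "203.0.113.10"},
    {"ts": "2026-05-12T09:40:00", "user": "alice", "type": "sign_in", "ip": "198.51.100.77"},
    {"ts": "2026-05-12T09:43:00", "user": "alice", "type": "mfa_device_registered", "ip": "198.51.100.77"},
    {"ts": "2026-05-12T10:00:00", "user": "bob", "type": "sign_in", "ip": "203.0.113.22"},
    {"ts": "2026-05-12T10:30:00", "user": "bob", "type": "mfa_device_registered", "ip": "203.0.113.22"},
    {"ts": "2026-05-01T12:00:00", "user": "carol", "type": "sign_in", "ip": "192.0.2.5"},
    {"ts": "2026-05-12T11:00:00", "user": "carol", "type": "mfa_device_registered", "ip": "192.0.2.99"},
]
CORP_RANGES = [ip_network("203.0.113.0/24")]  # assumed "known office" range
BASELINE = timedelta(days=30)       # how far back a sign-in counts as history
PIVOT_WINDOW = timedelta(minutes=15)  # assumed sign-in -> registration pivot window


def _parse(e):
    return {**e, "ts": datetime.fromisoformat(e["ts"])}


def flag_mfa_registrations(events):
    """Return an alert for each MFA device registration from an IP the user
    has no established history with. Severity is 'high' when the same new IP
    also signed in just before registering (fresh-credential pivot pattern)."""
    evs = sorted((_parse(e) for e in events), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(evs):
        if ev["type"] != "mfa_device_registered":
            continue
        ip = ip_address(ev["ip"])
        prior = [p for p in evs[:i]
                 if p["user"] == ev["user"] and p["type"] == "sign_in"
                 and ev["ts"] - p["ts"] <= BASELINE]
        # "Familiar" = seen in sign-ins older than the pivot window, or inside a corp range.
        familiar = any(ip_address(p["ip"]) == ip for p in prior
                       if ev["ts"] - p["ts"] > PIVOT_WINDOW) or any(ip in r for r in CORP_RANGES)
        if familiar:
            continue
        recent_same_ip = [p for p in prior
                          if ev["ts"] - p["ts"] <= PIVOT_WINDOW and ip_address(p["ip"]) == ip]
        alerts.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"].isoformat(),
                       "severity": "high" if recent_same_ip else "medium"})
    return alerts


if __name__ == "__main__":
    for a in flag_mfa_registrations(EVENTS):
        print(a)
```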

Anthropic launches 'Claude Security' for enterprises - the first major defensive product designed to keep up with AI-powered exploits that compress the time-to-attack to minutes

Anthropic launched Claude Security in public beta yesterday, an enterprise tool that scans code repositories for vulnerabilities, rates each finding's severity and confidence, and generates patch instructions that engineers can apply through Claude Code. The launch is a direct response to Mythos and similar AI-driven offensive tools that have been compressing the time between vulnerability disclosure and active exploitation - LiteLLM was exploited 36 hours after disclosure last week, LMDeploy in 13 hours the week before. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, Trend, and Wiz are integrating Claude Opus 4.7 into their platforms.

Check
If your organization holds a Claude Enterprise subscription, evaluate Claude Security against your existing static analysis tools this week.
Affected
Claude Enterprise customers can access Claude Security in public beta now via claude.ai/security or the Claude.ai sidebar. No API integration required. Team and Max access is coming soon. The deeper relevance is for any security team facing the new exploitation cadence: AI-driven offense has shrunk the patch window for several recent disclosures.
Fix
Pilot Claude Security on a non-critical repository first - point it at a side project before pointing it at production code. Scheduled scans give ongoing coverage rather than one-off audits. Pair the output with Claude Code on the Web to work through patches in a single session. For organizations not on Claude Enterprise: evaluate Aisle, Wiz Code, or GitHub Copilot Autofix on confidence rating and false positive rate.

SonicWall patches three SonicOS firewall flaws after CrowdStrike disclosed them - the worst lets attackers reach the management interface without logging in (CVE-2026-0204)

SonicWall released emergency firmware updates for Gen 6, Gen 7, and Gen 8 firewalls after CrowdStrike's research team disclosed three SonicOS flaws on April 29. The worst is CVE-2026-0204 (CVSS 8.0), a weak authentication bug in the management interface that lets an attacker on an adjacent network reach management functions without logging in - and from there change firewall rules, disable security protections, or open new holes. The other two are post-authentication: CVE-2026-0205 is a path traversal that breaks out of restricted directories, and CVE-2026-0206 is a buffer overflow that crashes the firewall. No public exploits yet.

Check
Patch every SonicWall Gen 6, Gen 7, and Gen 8 firewall to the latest firmware today, and confirm no SonicWall management interface or SSL-VPN is reachable from the public internet.
Affected
Gen 6 firewalls (TZ 300/400/500/600, NSA, SM, SOHO) running 6.5.5.1-6n or older. Gen 7 firewalls and NSv (TZ270-TZ670, NSa 2700-6700, NSsp, NSv on ESX/KVM/Hyper-V/AWS/Azure) running 7.0.1-5169 or 7.3.1-7013 or older. Gen 8 (TZ80-TZ680, NSa 2800-5800) running 8.1.0-8017 or older.
Fix
Upgrade to Gen 8 firmware 8.2.0-8009, Gen 7 firmware 7.3.2-7010, or Gen 6 6.5.5.2-28n. Until patched, disable HTTP and HTTPS firewall management on all interfaces, disable SSL-VPN, and restrict management to SSH only from trusted IPs. Take a full configuration backup before upgrading Gen 6 - downgrading from 6.5.5.2-28n deletes all LDAP users and resets MFA.

Critical unauthenticated path traversal in CrowdStrike LogScale lets remote attackers read any file on the server (CVE-2026-40050, CVSS 9.8)

CrowdStrike disclosed CVE-2026-40050 on April 21, a critical unauthenticated path traversal (CVSS 9.8) in a specific cluster API endpoint of self-hosted LogScale (formerly Humio). A remote attacker who can reach the endpoint can read arbitrary files from disk - including config files, certificates, embedded credentials, and the very logs the platform was deployed to protect. CrowdStrike found the bug through internal product testing and applied network-layer blocks across all SaaS clusters on April 7. Self-hosted customers must patch themselves. There is no evidence of in-the-wild exploitation yet.

Check
Check every self-hosted CrowdStrike LogScale instance today and patch immediately - and verify the cluster API endpoint is not reachable from anywhere it shouldn't be.
Affected
CrowdStrike LogScale Self-Hosted GA versions 1.224.0 through 1.234.0 inclusive, plus LTS versions 1.228.0 and 1.228.1. CVE-2026-40050, CVSS 9.8 (CWE-22 path traversal plus CWE-306 missing authentication). LogScale SaaS deployments and Next-Gen SIEM customers are not exposed - SaaS was already mitigated April 7 at the network layer.
Fix
Upgrade to LogScale Self-Hosted 1.235.1+ (GA) or 1.228.2 (LTS). Restrict the cluster API endpoint to internal management networks - it should never be internet-facing or general-VLAN reachable. Audit web-access logs for traversal patterns (..%2F, ../, encoded variants). Rotate any credentials, certificates, or tokens that may have been on disk on the LogScale host during the vulnerable window.
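
An added example (not CrowdStrike's own tooling) of the access-log audit described above: it percent-decodes each request path repeatedly, so double-encoded forms like ..%252F are caught alongside ../ and ..%2F, then tests for a genuine parent-directory segment rather than any two dots. The log lines and the endpoint path are constructed; the page does not name the real cluster API endpoint.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines; "/example-cluster-api/" is a
# placeholder, not the real LogScale endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2026:10:01:02 +0000] "GET /api/v1/status HTTP/1.1" 200 512
198.51.100.7 - - [21/Apr/2026:10:01:09 +0000] "GET /example-cluster-api/../../../../etc/passwd HTTP/1.1" 200 2048
198.51.100.7 - - [21/Apr/2026:10:01:15 +0000] "GET /example-cluster-api/..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 1024
198.51.100.7 - - [21/Apr/2026:10:01:20 +0000] "GET /example-cluster-api/..%252F..%252Fserver.crt HTTP/1.1" 200 4096
10.0.0.9 - - [21/Apr/2026:10:02:00 +0000] "GET /static/app..js HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# A ".." that is a whole path segment (after normalising backslashes to "/").
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded sequences (%252F) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    decoded = fully_decode(path).split("?", 1)[0].replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def find_traversal_hits(log_text: str) -> list:
    """Return one record per request whose decoded path contains a traversal segment.
    A 2xx status on such a request is the strongest signal that a file was served."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m["path"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "decoded": fully_decode(m["path"]), "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for h in find_traversal_hits(SAMPLE_LOG):
        print(h["status"], h["ip"], h["decoded"])
```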