ITSEC Newsletter 2026-01-22

Author

Henrik Falk
January 22, 2026

Wait, Why is my WebClient Started?: SCCM Hierarchy Takeover via NTLM Relay to LDAP

During automatic client push installation, an SCCM site server automatically attempts to map WebDav shares on clients, starting WebClient when installed. This allows an adversary to coerce both high-privilege siteserver machine account NTLM authentication and client push installation account HTTP NTLM authentication and perform an NTLM relay to LDAP for SCCM or (sometimes) Active Directory takeover.

When The Gateway Becomes The Doorway: Pre-Auth RCE in API Management

Discover how a decade-old vulnerability class leads to pre-authentication Remote Code Execution (RCE) in an enterprise API management platform. This article details the end-to-end compromise of an API Gateway, from initial subdomain reconnaissance and API fuzzing to achieving an interactive reverse shell via unsafe Java deserialization in unauthenticated cluster sync endpoints.

principlebreach.com/lab/when-the-gateway-becomes-the-doorway-pre-auth-rce-in-api-management

SCADA (ICS) Hacking and Security: Hacking Nuclear Power Plants - Part 1

Part 1 establishes the foundation by explaining how nuclear power plants operate, how safety is enforced through layered engineering and physical principles, and also how digital control systems support these protections. By looking at reactor control logic, trust assumptions in safety architectures, and the realities of legacy industrial design, it becomes clear that cybersecurity risk comes not from a single vulnerability, but from the interaction of multiple small decisions over time. These elements on their own do not cause failure, but they shape an environment in which trust can be misused.

hackers-arise.com/scada-ics-hacking-and-security-how-nuclear-plants-are-hacked-in-under-an-hour-part-1