Source: Security Affairs, by Pierluigi Paganini
Critical bug in CrowdStrike LogScale let attackers access files

26 April 2026, 13:07

CrowdStrike fixed CVE-2026-40050 in LogScale self-hosted, a critical flaw allowing unauthenticated file access via path traversal.

CrowdStrike recently disclosed a critical vulnerability, tracked as CVE-2026-40050, affecting its LogScale self-hosted product. The flaw enables unauthenticated path traversal, which could allow a remote attacker to read arbitrary files from the server filesystem.

“CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers.” reads the advisory published by the cybersecurity firm. “The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication.”

CrowdStrike LogScale is a log management and observability platform designed to help organizations collect, search, and analyze large volumes of machine data in real time.

It ingests logs from systems, applications, cloud services, and security tools, then makes them searchable almost instantly using a high-performance indexing architecture. This is particularly useful for security operations centers (SOCs), where fast investigation of alerts and incidents matters.

CrowdStrike confirmed that Next-Gen SIEM customers are not affected. LogScale SaaS users were protected on April 7, 2026 through network-layer mitigations applied across all clusters. The company is not aware of attacks exploiting this vulnerability. However, self-hosted LogScale customers must urgently upgrade to a patched version. The flaw was discovered internally through continuous product testing, highlighting proactive security monitoring.

Defensive platforms themselves are high-value targets.

Security tools like LogScale sit at a privileged position inside an organization’s infrastructure. Because of this central role, any weakness in these systems can have a disproportionate impact compared to vulnerabilities in ordinary applications. In this case, a path traversal flaw could potentially expose configuration files, credentials, or internal data that would otherwise remain protected.

Defensive software must be treated with the same rigor as the systems it protects. There is often an assumption that security products are inherently safer or more resilient because they are built for protection. In reality, they are equally susceptible to coding errors, design flaws, and configuration issues, sometimes with greater consequences when something goes wrong.

A vulnerability in a monitoring or detection platform can be especially dangerous because it can undermine visibility. Attackers who gain access to such systems may be able to disable alerts, suppress logs, or quietly observe security operations without being detected. In some cases, they may even use the platform itself as a stepping stone to escalate privileges or move laterally across networks.

This is why timely patching and proactive vulnerability management in defensive software is critical. Organizations often prioritize updates for operating systems, web applications, or exposed services, but security infrastructure should receive equal or higher priority. If the tools designed to detect threats are compromised, the entire security posture becomes unreliable.

The CrowdStrike case also reflects a positive aspect of modern security research: the fact that the issue was identified internally and responsibly disclosed. This suggests mature security practices and reduces the likelihood that attackers had early access to exploit the flaw.


Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-40050)

Source: Krebs on Security, by Brian Krebs

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

26 November 2025, 14:22

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.

The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.

Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.

SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm CrowdStrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (CrowdStrike said their systems were never compromised and that it has turned the matter over to law enforcement agencies).

The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.

Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.

A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.

Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.

On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.

“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.

Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.

WHO IS REY?

According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).

In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.

The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.

“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”

A message posted to Telegram by Rey/@wristmug.

In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.

O5TDEV

Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: cybero5tdev@proton.me. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).

Intel 471 shows the email address cybero5tdev@proton.me belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.

Rey/o5tdev’s defacement pages. Image: archive.org.

A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.

“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”

The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].

‘I’M A GINTY’

Flashpoint shows that Rey’s Telegram account (ID7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.

Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”

Rey, on Telegram claiming to have association to the surname “Ginty.” Image: Flashpoint.

Spycloud indexed hundreds of credentials stolen from cybero5tdev@proton.me, and those details indicate that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 shows that there were multiple users of the infected PC, all sharing the same last name of Khader and an address in Amman, Jordan.

The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.

MEET SAIF

The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.

Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.

“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,'” said Saif, who told me he turns 16 years old next month. “So I decided to talk to you directly.”

Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.

“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.

The former Hellcat ransomware site. Image: Kelacyber.com

He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”

Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.

“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”

Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.

“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”

Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.

“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said.

Source: Security Intelligence, by Sue Poremba

Why do software vendors have such deep access into customer systems?

14 January 2025, 11:00

To the naked eye, organizations are independent entities trying to make their individual mark on the world. But that was never the reality. Companies rely on other businesses to stay up and running. A grocery store needs its food suppliers; a tech company relies on the business making semiconductors and hardware. No one can go it alone.

Today, the software supply chain interconnects companies across a wide range of industries. Software applications and operating systems depend on segments of the software supply chain to offer improved functionality. But while the software supply chain has improved efficiency and productivity for most organizations, it also means that if there is a vulnerability or a glitch in the software, it can halt business operations at hundreds or thousands of companies. Even the security programs that are used to protect users from cyberattacks can release exploitable software or an update with a coding mistake that can result in anything from massive data breaches to canceled flights to shutting down medical facilities because they can’t access patient records.

These software supply chain failures don’t just hurt the company. Millions of people are impacted. So why do software vendors have such deep access to an individual organization’s system so that one problem could create a nightmare scenario?

The evolution of computing

To understand why systems are so interconnected, you have to look at the evolution of both computing and software applications, according to Shiv Ramji, President of Customer Identity with Okta.

“We started from a world where programmers write on mainframes, and then we went from mainframes to the cloud and a distributed computing model,” Ramji explained during a conversation at the Oktane conference.

The benefit is that companies can now deploy applications faster, and they can be scaled with elasticity. Applications in the cloud are faster. There are a lot of benefits to architecting applications embedded in the cloud and network systems.

However, says Ramji, this also means that the application stack becomes more complicated and more sophisticated.

“The classic example would be if I had to store if I had an app that was a social media app or photo sharing,” explained Ramji. If the user relied on a single data center and single storage mechanism, scaling would become more difficult and expensive.

“But today, you can scale this really fast because you can use S3 from Amazon for storage, and you can scale your compute,” Ramji adds. “And so, it doesn’t matter if I have two users or end up having 200 million users; I’m able to address the needs.”

This evolution in computing has brought application stacks that have become much more complex, with a lot of interdependencies across the system. Cloud computing services, security services and networking capabilities work seamlessly because they are able to be embedded into an organization’s infrastructure.


Locking in with a vendor

These interdependencies are increasingly making organizations overly reliant on specific vendors and applications to keep their business operations running smoothly. The upside to this is having third-party partnerships that integrate with your infrastructure and can be built out seamlessly. The downside is added costs from not shopping around for better deals and the greater risk of a security flaw taking down your system without warning. One bad piece of code due to an embedded vendor application can cause irreparable damage.

According to research from Dashdevs, “vendor lock-in is proven to lead to unanticipated costs and technical debt.” Reliance on these embedded applications is “proven to increase risks and vendor-specific vulnerabilities.”

When these embedded applications have a flaw — an exploited vulnerability or misconfigured code, for example — the fix can be complex. It might look as easy as deleting the bad file or applying a patch, but what happens if the problem prevents you from accessing the system at all? To fix it, you have to identify which program is causing the problem and where within your system it is located. Is it a problem that can be fixed once via the cloud and will automatically propagate to all devices, or will it require updating individual machines? Finally, what is the communication between the vendor and your organization? Is the problem something you discovered or was it revealed to you, and how willing and quick is the third party to take responsibility?

Unfortunately, there are no easy answers. It will come down to the individual situation — the type of vendor, how the application is embedded into your network and the problem that it causes.

“Some of those systems, some of those controls that you have in place have the potential from a resiliency standpoint to mean the difference between your customers having your service being on and available or having a complete destruction caused by an outage similar to what we’ve seen with other vendors recently,” says Charlotte Wylie, Deputy CSO with Okta.

How vendors can keep customers secure

Vendors can take steps to protect their customers from a software breakdown, beginning with recognizing their role inside their customers’ infrastructure. Wylie provided the following tips on how vendors and customers can work together to add security to embedded applications:

  • Implement access with least privilege permissions on both sides
  • Have controls and protocols in place if there is a degradation of service
  • Have well-managed accounts that are maintained and secured with your organization’s IAM team

“I think least privilege and having the right identity is super important,” says Wylie. “And then testing that on a regular basis so you have the right enterprise resiliency in place and know that your disaster recovery plan is ready to go — these are your backup plans when you have a collaboration of vendors.”

Every organization has become more reliant on the software supply chains and applications used across their complex network architecture. It’s almost impossible to run a business efficiently today without this interdependence on third parties who have deep access to not just your system directly but also through the other applications and software you use. Failure will happen. Being prepared with a recovery plan for any worst-case scenario and thinking about how to best architect networks with third-party vendors to work through failure will prevent the downtime from turning into a news event.
