The mother of all CitySecs, coming to you (very not) live from Chicago, IL. Woman-run security meetup. See also infosec dot exchange forward slash at chisec
Here goes nginx-quicburst (CVE-2026-42530), a new RCE in Nginx discovered by our security agent VEGA and demonstrated by Nebula Security.
This is only the third NGINX vulnerability since 2014 to receive NGINX’s “major” severity rating. If you use Nginx 1.31 with QUIC enabled, we recommend upgrading to the latest version.
This bug has been patched in the latest Nginx release. We will publish the technical writeup, including the ASLR bypass, on July 18 together with the previous nginx-poolslip writeup.
Annoying nagging reminder, Tuesday Version, that ChiSec is THIS THURSDAY (18 June) at 18:30 (ish) at Kaiser Tiger (1415 W Randolph) in the Bier Garten.
ChiSec is tomorrow at Kaiser Tiger. 1415 W Randolph. 18:30. I am too tired to say something perky so you can imagine whatever level of enthusiasm suits your current mood.
Looking forward to seeing everyone <3
See you day after tomorrow at Kaiser Tiger (1415 W Randolph). We'll be in the Beer Garden starting around 18:30. Forecasted high for Thursday is 61F. Bring a jacket.
my company got breached
the attacker had access for 11 days
on day 3 he emailed our IT helpdesk
complained that the VPN was slow
our helpdesk reset his password
upgraded his access tier to fix the "connectivity issue"
and closed the ticket as resolved
CSAT score: 5 stars
we found this in the logs during forensics
the attacker had rated our IT support
excellent