Backdoor in xz-utils 5.6.0–5.6.1 (liblzma) compromises sshd
xz-utils 5.6.0 and 5.6.1 ship a deliberate backdoor that compromises sshd via the libsystemd → liblzma load path on distributions whose sshd links libsystemd. An attacker holding the private key that matches the public key embedded in the backdoor gains pre-authentication RCE as root.
- CVE: CVE-2024-3094
- CVSS: 10.0 (v3.1)
- Severity: CRITICAL
- Disclosed: 2024-03-29
Three things, done seriously
- 01 / 03 Threat intelligence
  We track adversaries that target payment, settlement, and treasury infrastructure. Output is curated, sourced, and timestamped — not branded reports. Subscribers receive new findings the same day they are validated, with confidence levels stated in IC analytic terms.
- 02 / 03 Incident response
  On retainer or on call. We work the technical containment and the regulatory clock in parallel, because a breach inside a regulated institution is two crises that share a phone line. Every engagement ships a forensic timeline, a remediation roadmap, and a written briefing that survives auditor scrutiny.
- 03 / 03 Security engineering
  Detections, controls, and architecture review for the systems your customers rely on. We build to your stack rather than ours: SIEM rules in your SIEM, IaC patches in your repository, runbooks in your wiki. The work outlasts the engagement.
What we are tracking
- CVE-2024-6387 · 2024-07-01 · HIGH
  Signal handler race in OpenSSH sshd allows pre-auth RCE on glibc Linux
  A signal handler race condition in sshd, dubbed regreSSHion, permits unauthenticated remote code execution as root on glibc-based Linux. The flaw is a regression of CVE-2006-5051. Exploitation is non-trivial (a race that must be won over many attempts against ASLR) but was demonstrated by the reporting team on 32-bit glibc targets.
  CVSS 8.1 · OpenSSH 8.5p1 through 9.7p1 (inclusive) on glibc-based Linux (+1 more)
- CVE-2024-30255 · 2024-04-03 · MEDIUM
  Envoy HTTP/2 CONTINUATION frame flood causes CPU exhaustion DoS
  Envoy's HTTP/2 codec processes CONTINUATION frames without effective rate limiting. A remote unauthenticated client can stream CONTINUATION frames indefinitely, exhausting CPU on the target. Part of the wider 2024 HTTP/2 CONTINUATION flood disclosure class.
  CVSS 5.9 · Envoy < 1.26.8 (+3 more)
- CVE-2024-3094 · 2024-03-29 · CRITICAL
  Backdoor in xz-utils 5.6.0–5.6.1 (liblzma) compromises sshd
  xz-utils 5.6.0 and 5.6.1 ship a deliberate backdoor that compromises sshd via the libsystemd → liblzma load path on distributions whose sshd links libsystemd. An attacker holding the private key that matches the public key embedded in the backdoor gains pre-authentication RCE as root.
  CVSS 10.0 · xz-utils 5.6.0 (+2 more)
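A host check for the xz-utils and regreSSHion entries above, added here as an illustration and not the practice's own tooling. It assumes sshd lives at /usr/sbin/sshd and that `ssh -V` reports the same upstream version as the installed sshd (true for distribution packages). The parsers take their input as strings, so the constructed sample lines in the comments run offline without either binary present:

```shell
#!/bin/sh
# Added example, not tooling from the page or the practice it describes.
# Checks a host against two entries in the tracking list: the xz-utils
# backdoor (CVE-2024-3094) and regreSSHion (CVE-2024-6387). Paths and
# version strings below are assumptions for illustration.

# vercmp A B: prints -1, 0 or 1 for A<B, A=B, A>B over dotted numeric versions.
# Missing trailing components count as 0, so 8.5 equals 8.5.0.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  echo 0
}

# xz_affected "<first line of xz --version>": succeeds only for 5.6.0 and
# 5.6.1, the two releases that carry the backdoor.
# Constructed sample: "xz (XZ Utils) 5.6.1"
xz_affected() {
  v=$(printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p')
  case $v in 5.6.0|5.6.1) return 0 ;; esac
  return 1
}

# sshd_links_liblzma "<ldd output>": succeeds when liblzma is in sshd's
# dependency list. On distributions that patch sshd to link libsystemd this
# is the load path the backdoor relies on; it says nothing about whether the
# library on disk is the backdoored build (that is what xz_affected is for).
# Constructed sample: "liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1c2d0000)"
sshd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma'
}

# openssh_regresshion_affected "<ssh -V output>": succeeds when the upstream
# version is within 8.5p1..9.7p1, the range listed for CVE-2024-6387.
# Returns 2 when no OpenSSH_x.y string is found.
# Constructed sample: "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024"
openssh_regresshion_affected() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*\).*/\1/p' | head -n 1)
  [ -n "$v" ] || return 2
  [ "$(vercmp "$v" 8.5)" -ge 0 ] && [ "$(vercmp "$v" 9.7)" -le 0 ]
}

# Live checks, run only when the relevant binaries exist. ssh -V writes its
# version to stderr, hence the 2>&1.
if command -v xz >/dev/null 2>&1; then
  if xz_affected "$(xz --version 2>/dev/null | head -n 1)"; then
    echo "xz: AFFECTED (5.6.0/5.6.1); downgrade to a pre-5.6.0 release"
  else
    echo "xz: version not in the affected set"
  fi
fi
if [ -x /usr/sbin/sshd ] && command -v ldd >/dev/null 2>&1; then
  if sshd_links_liblzma "$(ldd /usr/sbin/sshd 2>/dev/null)"; then
    echo "sshd: links liblzma (exposed to the backdoor if xz is affected)"
  else
    echo "sshd: does not link liblzma"
  fi
fi
if command -v ssh >/dev/null 2>&1; then
  rc=0
  openssh_regresshion_affected "$(ssh -V 2>&1)" || rc=$?
  case $rc in
    0) echo "sshd: version in 8.5p1..9.7p1; confirm the vendor has not backported the fix" ;;
    1) echo "sshd: version outside the regreSSHion range" ;;
    *) echo "sshd: could not parse an OpenSSH version string" ;;
  esac
fi
```

The version check for CVE-2024-6387 is necessary but not sufficient: Debian and Ubuntu shipped the fix as a patch to the existing package, so the OpenSSH_x.y string does not change and the package changelog is the authoritative source. The liblzma check only establishes that the load path exists; a host that links liblzma but runs xz 5.4.x is not exposed to this backdoor.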
Notes from the practice
- Detection engineering against low-and-slow operations
  When the dwell time is measured in months rather than minutes, the detection problem stops being about signatures and becomes about baselines. Notes from a year of working financial-sector telemetry.
  By IMF Research
- EDITORIAL · 2026-03-15 · On disclosure timelines: when ninety days is too long, when it is too short
  The default coordinated-disclosure window of ninety days exists for reasons that are sometimes load-bearing and sometimes vestigial. A practitioner's view from inside financial-sector vulnerability work.
  By IMF Research
A small practice, working only on the parts of security that matter to financial infrastructure.
International Money Flow is a research and engagement practice for banks, payment processors, and the institutions that clear and settle their transactions. We do not run a SOC, sell a platform, or pronounce on the threat landscape at large. We track public vulnerabilities that affect the systems our clients run, work incidents when those clients have them, and deliver detection and architecture work that survives the engagement.