Curated security advisories and detection engineering for financial infrastructure. We track, verify, and republish vulnerabilities relevant to payments, settlement, and treasury operations.https://imfamericas.com/enhttps://imfamericas.com/advisories/2024-03-29-cve-2024-3094-xz-utils-backdoor/https://imfamericas.com/advisories/2024-03-29-cve-2024-3094-xz-utils-backdoor/xz-utils 5.6.0 and 5.6.1 ship a deliberate backdoor that compromises sshd via the libsystemd → liblzma load path. An attacker holding the actor's private key gains pre-authentication RCE as root.Wed, 29 Apr 2026 00:00:00 GMTadvisorycriticalCVE-2024-3094https://imfamericas.com/advisories/2024-04-03-cve-2024-30255-envoy-http2-continuation-flood/https://imfamericas.com/advisories/2024-04-03-cve-2024-30255-envoy-http2-continuation-flood/Envoy's HTTP/2 codec processes CONTINUATION frames without effective rate limiting. A remote unauthenticated client can stream CONTINUATION frames indefinitely, exhausting CPU on the target. Part of the wider 2024 HTTP/2 CONTINUATION flood disclosure class.Wed, 29 Apr 2026 00:00:00 GMTadvisorymediumCVE-2024-30255https://imfamericas.com/advisories/2024-07-01-cve-2024-6387-openssh-regresshion/https://imfamericas.com/advisories/2024-07-01-cve-2024-6387-openssh-regresshion/A signal handler race condition in sshd, dubbed regreSSHion, permits unauthenticated remote code execution as root on glibc-based Linux. The flaw is a regression of CVE-2006-5051. Exploitation is non-trivial but demonstrated.Wed, 29 Apr 2026 00:00:00 GMTadvisoryhighCVE-2024-6387https://imfamericas.com/papers/2026-04-29-adversarial-attacks-against-financial-ml/https://imfamericas.com/papers/2026-04-29-adversarial-attacks-against-financial-ml/Financial institutions are deploying ML systems into the parts of their stack that matter most: fraud detection, anti-money-laundering screening, credit decisioning, transaction monitoring, and customer-service LLMs. These systems carry an attack surface that traditional cyber-security controls do not address. This paper defines six adversarial attack classes specific to financial-sector ML, maps them to malicious-actor goals, and proposes a starting threat model for the institutions we work with.Wed, 29 Apr 2026 00:00:00 GMTpaperanalysisadversarial-machine-learningfraud-detectionaml-kyctransaction-monitoringllm-securityhttps://imfamericas.com/papers/2026-04-22-payment-fraud-telemetry-bad-metrics/https://imfamericas.com/papers/2026-04-22-payment-fraud-telemetry-bad-metrics/Most fraud-detection programmes report on the wrong things. Volume-of-alerts and mean-time-to-resolution measure the work that the platform produces, not the work that catches an attacker. This paper looks at four metrics we routinely see harming fraud detection in the institutions we work with, and proposes four replacements.Wed, 22 Apr 2026 00:00:00 GMTpaperanalysisdetection-engineeringfraudmetricsSOChttps://imfamericas.com/papers/2026-04-15-business-just-wired-money-to-a-fraudster/https://imfamericas.com/papers/2026-04-15-business-just-wired-money-to-a-fraudster/A short, prioritised checklist of the actions that materially affect whether the funds can be recovered. The first sixty minutes matter most; by the end of the working day the realistic recovery probability is meaningfully lower. Read this once before you need it.Wed, 15 Apr 2026 00:00:00 GMTpaperresponseincident-responsebusiness-payment-fraudresponse-guidehttps://imfamericas.com/papers/2026-04-08-shell-company-tpp-exploitation-joint-advisory/https://imfamericas.com/papers/2026-04-08-shell-company-tpp-exploitation-joint-advisory/We are issuing this joint advisory together with five sector partners to draw attention to a sustained pattern of shell-company onboarding through third-party payment processors. The pattern moves between jurisdictions on a weekly cycle, exploits inconsistencies in beneficial-ownership data, and is currently observed against small-and-mid-sized payment processors in particular.Wed, 08 Apr 2026 00:00:00 GMTpaperadvisoryjoint-advisoryfinancial-crimethird-party-payment-processingshell-companyhttps://imfamericas.com/blog/2026-04-01-detection-engineering-against-low-and-slow/https://imfamericas.com/blog/2026-04-01-detection-engineering-against-low-and-slow/When the dwell time is measured in months rather than minutes, the detection problem stops being about signatures and becomes about baselines. Notes from a year of working financial-sector telemetry.Wed, 01 Apr 2026 00:00:00 GMTeditorialdetection-engineeringbaselinesfinancial-sectorhttps://imfamericas.com/blog/2026-03-15-on-disclosure-timelines/https://imfamericas.com/blog/2026-03-15-on-disclosure-timelines/The default coordinated-disclosure window of ninety days exists for reasons that are sometimes load-bearing and sometimes vestigial. A practitioner's view from inside financial-sector vulnerability work.Sun, 15 Mar 2026 00:00:00 GMTeditorialdisclosurecoordinated-vulnerability-disclosureeditorial