CrowdStrike Was Just Lecturing About Windows Defender Vulnerabilities. They Quietly Patched a CVSS 9.8 in Their Own Product This Weekend.

  • Writer: Patrick Duggan

CrowdStrike published an urgent advisory for CVE-2026-40050 this week. CVSS 9.8. Critical. Unauthenticated. A remote attacker can read arbitrary files from a LogScale Self-Hosted server's filesystem with no credentials at all, by hitting an exposed cluster API endpoint. They patched it in 1.235.1, 1.234.1, 1.233.1, and 1.228.2 LTS. SaaS customers were quietly protected by network-layer blocks before the public could see the advisory.


LogScale is the product CrowdStrike got when it acquired Humio in 2021 to compete with Splunk. It is the SIEM where CrowdStrike's enterprise customers send their logs. This is the box that watches everything else. And until this week, anyone who could reach a Self-Hosted cluster's API endpoint could read whatever was on the underlying server. No login required.


Affected versions: LogScale Self-Hosted GA 1.224.0 through 1.234.0 inclusive, plus LogScale Self-Hosted LTS 1.228.0 and 1.228.1. If you ran any of these on the open internet, you had an unauthenticated file-disclosure primitive sitting on top of your detection-and-response stack.


Here is the part that matters. Last week we published two posts about CrowdStrike. One was titled "CrowdStrike Is Now Giving Advice on Windows Defender Vulnerabilities. Read That Again." The other was "CrowdStrike Wants to Warn You About OpenClaw. CrowdStrike Crashed 8.5 Million Devices." The thesis of both was the same: a vendor that crashed 8.5 million Windows machines in July 2024 has a credibility problem when it lectures other vendors about security posture.


This week's CVE is the credibility problem made concrete. CVSS 9.8 unauthenticated path traversal in their flagship SIEM. Saturday-morning advisory drop, the week after their press cycle was all about how Microsoft Defender is dangerous. The story tells itself.


We are not surprised, and you should not be either. Vendor credibility is not a function of how loudly they market. It is a function of what is actually shipped. We track that. We index every CVE, every advisory, every quiet fix. We score it on AIPM. CrowdStrike is currently sitting at 63 out of 95 on the AIPM leaderboard. SentinelOne is at 62. Sophos at 32. Trellix at 32. These are not arbitrary numbers — they are how an independent five-model AI council perceives each vendor's brand against its claims, audited weekly.


You can run any of those vendors against AIPM yourself at aipmsec.com/audit. You can paste the LogScale CVE number, your own vendor's domain, or any IOC you have lying around at aipmsec.com/lookup and see what we know. Free, email-gated, no anonymous freeloading.


If you operate a LogScale Self-Hosted cluster, patch immediately. The fixed versions are 1.235.1, 1.234.1, 1.233.1, and 1.228.2 LTS. If you cannot patch immediately, restrict the cluster API endpoint to known internal IP ranges only. If your LogScale instance was internet-reachable in the affected window, assume read access happened and rotate any secret that ever lived on that filesystem.
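A small triage helper, added here as an example and not CrowdStrike's or LogScale's code, that encodes the affected and fixed versions quoted above and tells you, per host, whether to patch, which build to move to, and whether the secret-rotation step applies. The inventory rows are constructed; treating every patch release inside the 1.224.0 to 1.234.0 window as affected unless it is a listed fix, and any later release on a fixed line as fixed, are assumptions, not statements from the advisory.

```python
"""Triage LogScale Self-Hosted versions against CVE-2026-40050 using the figures quoted in the post."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Affected window from the advisory: GA 1.224.0 through 1.234.0 inclusive
# (the LTS builds 1.228.0 and 1.228.1 fall inside this window).
AFFECTED_LOW: Version = (1, 224, 0)
AFFECTED_HIGH: Version = (1, 234, 0)
# Fixed builds named in the advisory.
FIXED = {(1, 235, 1), (1, 234, 1), (1, 233, 1), (1, 228, 2)}


def parse_version(text: str) -> Version:
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected LogScale version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def recommended_fix(v: Version) -> str:
    """Prefer the fixed build on the same minor line (e.g. 1.228.x -> 1.228.2), else the newest fix."""
    same_line = [f for f in FIXED if f[1] == v[1]]
    target = max(same_line) if same_line else max(FIXED)
    return ".".join(str(n) for n in target)


def classify(text: str) -> str:
    v = parse_version(text)
    # A listed fix, or a later patch on the same line as a listed fix, is treated as fixed (assumption).
    if v in FIXED or any(v[1] == f[1] and v >= f for f in FIXED):
        return "fixed"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return f"affected: upgrade to {recommended_fix(v)}"
    if v > AFFECTED_HIGH:
        return "newer than the advisory's affected range; not listed as affected"
    return "below the advisory's affected range"


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """inventory rows: (hostname, version, internet_reachable). Returns an action per host."""
    actions: Dict[str, str] = {}
    for host, version, internet_reachable in inventory:
        status = classify(version)
        if status.startswith("affected") and internet_reachable:
            # The post's advice for an exposed instance: assume the read happened, rotate secrets.
            status += "; assume read access occurred, rotate secrets stored on that filesystem"
        actions[host] = status
    return actions


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, action in triage([("logscale-a.internal", "1.230.2", False),
                                ("logscale-edge.example", "1.228.1", True),
                                ("logscale-b.internal", "1.233.1", False)]).items():
        print(f"{host}: {action}")
```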


For everyone else, the lesson is the one we have been writing every week: the vendors that lecture loudest are the vendors with the most to hide. Score them yourself. Read their advisories. Pay attention to which day of the week they drop critical CVEs. Saturday morning is not an accident.



We tracked the CrowdStrike OpenClaw drama on April 17. We covered the Windows Defender advice on April 17. We had the "CrowdStrike Crashed 8.5 Million Devices" angle filed before any of that. We are running a public ledger of vendor accountability and we publish every receipt we have.


CrowdStrike is welcome to publish their own advisory about us at any time.


Sources: CrowdStrike Tech Alert for CVE-2026-40050, NVD CVE-2026-40050, runZero asset enumeration guidance, Cyprus National CSIRT critical alert, Cybersecurity News write-up, The420 analysis.
