Latest

Suspicious Polyfill login prompts pop up on Toshiba, Muji websites · BleepingComputer · 7h ago
Former cyber executive turned whistleblower accuses IBM of covering up several data breaches · TechCrunch Security · 8h ago
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers · BleepingComputer · 9h ago
Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account · HackRead · 9h ago
Chinese APT deploys new malware to keep access to hacked networks · BleepingComputer · 10h ago
IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks · The Hacker News · 11h ago
Dark web Nemesis Market vendor gets 26 years for selling drugs · BleepingComputer · 11h ago
Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users · HackRead · 11h ago
Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer Enum · Rapid7 · 12h ago
Securing CI/CD in an agentic world: Claude Code Github action case · Microsoft Security · 12h ago
Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person · TechCrunch Security · 13h ago
Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps · The Hacker News · 14h ago
Over 900 US gas station tank gauge systems exposed to attacks · BleepingComputer · 14h ago
NSA said to be readying Anthropic’s Mythos for use in cyber operations · TechCrunch Security · 14h ago
What 2026 DBIR Confirms: Attacks Are Living in the Browser · BleepingComputer · 15h ago

Security & IT News

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

753 results in Vulnerability

Vulnerability · CISA · 15d ago
ABB B&R Automation Runtime

View CSAF: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-04.json

Summary

An update is available that resolves a vulnerability identified by B&R's internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could take over a remote session or execute code in the context of the user’s browser session.

The following versions of ABB B&R Automation Runtime are affected:

- Automation Runtime <6.4, 6.4 (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498)

CVSS: v3 6.1
Vendor: B&R
Equipment: ABB B&R Automation Runtime
Vulnerabilities: Generation of Predictable Numbers or Identifiers, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Formula Elements in a CSV File

Background

- Critical Infrastructure Sectors: Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-3449

A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B&R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions.

View CVE Details: https://www.cve.org/CVERecord?id=CVE-2025-3449

Affected Products

ABB B&R Automation Runtime

Vendor: B&R
Product Version: Automation Runtime <6.4
Product Status: fixed, known_affected

Remediations

Vendor fix: The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended to be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the

Vulnerability · CISA · 15d ago
CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2025-34291 (https://www.cve.org/CVERecord?id=CVE-2025-34291): Langflow Origin Validation Error Vulnerability
- CVE-2026-34926 (https://www.cve.org/CVERecord?id=CVE-2026-34926): Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).

Vulnerability · The Hacker News · 15d ago
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

Microsoft has disclosed that a privilege escalation flaw and a denial-of-service flaw in Defender have come under active exploitation in the wild. The former, tracked as CVE-2026-41091, is rated 7.8 on the CVSS scoring system. Successful exploitation of the flaw could allow an attacker to gain SYSTEM privileges. "Improper link resolution before file access ('link following') in Microsoft Defender

Vulnerability · The Hacker News · 15d ago
When Identity is the Attack Path

Consider a cached access key on a single Windows machine. It got there the way most cached credentials do - a user logged in, and the key stored itself automatically. Standard AWS behavior. No one misconfigured anything or violated a policy. Yet that single key, which was easily accessible to a minor-league attacker, could have opened a path to some 98% of entities in the company's cloud

Vulnerability · The Hacker News · 15d ago
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major

Vulnerability · The Hacker News · 16d ago
Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is

Vulnerability · The Hacker News · 16d ago
Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development

Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence (AI) agents. RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, functions as a Pytest-native safety and security testing framework for writing and running safety and security tests for AI agents, covering

Vulnerability · Microsoft Security · 16d ago
Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow

The AI systems shipping inside enterprises today are fundamentally different from the ones we were building even two years ago, because they have moved well past answering questions and into accessing your email, retrieving records from your CRM, writing and executing code, and taking actions on your behalf across dozens of connected systems. That shift from “generate text” to “do things in the world” changes the safety equation entirely, because an agent that can act can also potentially act in ways nobody intended.

Today Microsoft is open-sourcing two tools designed to help engineers: Microsoft RAMPART, an agent test framework for encoding adversarial and benign scenarios as repeatable tests that can run in CI, making it easy to turn red-team findings and AI incidents into lasting regression coverage; and Clarity, a structured sounding board that helps teams figure out whether they are building the right thing before they write a single line of code. We built these tools because we believe that AI safety has to become a continuous engineering discipline rather than a periodic checkpoint, and we think the best way to make that happen is to put practical, open tools in the hands of the people doing the building.

Why we are investing in this

Helping teams think through the “why,” before the “how” of software building: In the vibe coding era, execution is easy and the harder question is the “why.” The most expensive safety failures we see almost always trace back to design mistakes that nobody questioned early enough, long before any adversary got involved — say, when a product team decided their agent should have access to a tool, or handle a particular user flow, without fully working through what could go wrong. By the time a red team engagement surfaces the issue, the system is largely built, and addressing it means going back to the drawing board. We wanted to give product managers and engineers a way to pressure-test their assumptions at the start of a project, when changing course is cheap and the right conversation can save months of rework.

Scaling the lessons of red teaming across the industry. The techniques that uncover vulnerabilities in one agentic product almost always shed light on another. A cross-prompt injection attack that works against one system will often work, with minor variations, against a customer service agent or a coding assistant. But those lessons tend to stay locked inside individual engagement reports. Our goal was to build a system where the lessons of red teaming exercises can be turned into runnable engineering assets.

Making incidents reproducible and mitigations verifiable. If something goes wrong in production AI systems, the team responding needs to do two things quickly: replicate the incident

Vulnerability · Rapid7 · 16d ago
Operationalizing CTEM Faster: Build Surface Command Dashboards in Minutes

Modern attack surfaces don’t sit still. Cloud expansion, SaaS sprawl, identity complexity, and shadow IT are continuously reshaping organizational risk. For security leaders, visibility isn’t the challenge anymore, but actually operationalizing that visibility is.

Surface Command was built to unify asset and identity intelligence across your external attack surface. But translating that intelligence into executive-ready dashboards or operational reporting has often required knowledge of Cypher queries. Today, that changes: We’re introducing filter-based dashboard widgets in Surface Command, enabling teams to build meaningful attack surface management (ASM) dashboards in minutes, without writing a single query. And for CISOs focused on advancing continuous threat exposure management (CTEM), this is more than a usability enhancement. It’s an operational accelerator.

From filters to dashboards, instantly

Security teams already use saved asset and identity filters to answer critical questions:

- Which internet-facing assets are high risk?
- Where do privileged identities intersect with exploitable exposures?
- Which business units own unmanaged cloud infrastructure?
- What third-party SaaS applications expand our attack surface?

Now, those same saved filters can be converted directly into live dashboard widgets. If your team can build a filter table, they can now build a dashboard. There’s no need to understand query syntax or rely on specialized expertise for common reporting needs. With just a few clicks, exposure views become shareable, persistent dashboards built on the same unified data model that powers Surface Command.

Figure 1: Creating dashboard “widgets” in the Rapid7 Command Platform

Reducing friction in exposure reporting

For many organizations, the barrier to effective exposure management isn’t visibility, it’s friction. When dashboard creation requires query expertise, reporting slows down, operational teams depend on a small group of power users, executive visibility lags behind exposure reality, and CTEM initiatives stall under complexity. Filter-based widgets remove that bottleneck. Security teams can now spin up exposure dashboards in minutes, empower analysts and vulnerability teams to self-serve, deliver consistent reporting to leadership, and standardize exposure views across business units. This lowers the barrier to building and maintaining exposure intelligence across the organization, and that matters when “continuous” is the goal.

A practical enabler for continuous threat exposure management (CTEM)

Beyond a framework, CTEM is a discipline. One that treats exposure management as an ongoing cycle, not a point-in-time project. CTEM is commonly organized into five continuous steps:

- Scope – Define what you’re focusing on (systems, business services, exposure themes, time horizons).
- Discover – Identify the assets, identities, and exposures within scope.
- Prioritize – Determine what matters most based on risk and impact.
- Validate – Confir

Vulnerability · CISA · 16d ago
CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

- CVE-2008-4250 (https://www.cve.org/CVERecord?id=CVE-2008-4250): Microsoft Windows Buffer Overflow Vulnerability
- CVE-2009-1537 (https://www.cve.org/CVERecord?id=CVE-2009-1537): Microsoft DirectX NULL Byte Overwrite Vulnerability
- CVE-2009-3459 (https://www.cve.org/CVERecord?id=CVE-2009-3459): Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
- CVE-2010-0249 (https://www.cve.org/CVERecord?id=CVE-2010-0249): Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2010-0806 (https://www.cve.org/CVERecord?id=CVE-2010-0806): Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2026-41091 (https://www.cve.org/CVERecord?id=CVE-2026-41091): Microsoft Defender Elevation of Privilege Vulnerability
- CVE-2026-45498 (https://www.cve.org/CVERecord?id=CVE-2026-45498): Microsoft Defender Denial of Service Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the

Vulnerability · The Hacker News · 16d ago
Agent AI is Coming. Are You Ready?

New Industry Data Just Released Suggests Not. On May 19th, 2026, Orchid Security released the results of our Identity Gap: Snapshot 2026. Among the findings, "identity dark matter" (the unseen, unmanaged elements of identity) now overshadows the visible elements 57% vs. 43%. And it couldn't have occurred at a worse time, with enterprises embracing Agent AI with both arms (and unfortunately, as

Vulnerability · The Hacker News · 16d ago
Typosquatting Is No Longer a User Problem. It's a Supply Chain Problem

AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, and what detection actually requires. Download the CISO Expert Guide to Typosquatting in the AI Era → TL;DR Typosquatting is no longer a user problem. Attackers now embed lookalike domains inside legitimate third-party scripts.

Vulnerability · The Hacker News · 16d ago
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the