Security & IT News

As bad actors weaponize AI to exploit software vulnerabilities at unprecedented speed, companies are increasingly recognizing the need to bolster their cybersecurity defenses. The round valued the three-year-old startup at $725 million.

RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being.

Sabeen Malik is VP, Global Government Affairs and Public Policy at Rapid7. ⠀ Security teams need a better way to connect what they detect, what they fix, and what they can prove. The pace of modern security operations no longer works in defenders’ favor. IBM’s Cost of a Data Breach Report 2025 found that the mean time to identify and contain a breach is now 241 days, even as AI and automation help defenders move faster. At the same time, Rapid7’s 2026 Global Threat Landscape Report shows how quickly attacker behavior is compressing the response window: exploited high and critical severity vulnerabilities more than doubled year over year, increasing 105% from 71 in 2024 to 146 in 2025, while the median time from publication to CISA KEV inclusion fell from 8.5 days to 5.0 days. This is not a future risk. It is today’s operational reality. It also exposes a governance problem most security programs were not built to solve. Security teams are expected to demonstrate, continuously, that controls are working, that risk is being reduced, and that security investments are delivering measurable outcomes. Point-in-time audit evidence, assembled quarterly, is structurally incompatible with an environment where the threat picture changes in minutes. The underlying issue is not a lack of effort, but a disconnect. Security data lives in one place, remediation happens in another, and evidence for auditors is assembled somewhere else. When leadership asks what changed, what was fixed, and what risk remains, teams are left stitching the story together manually producing reports that reflect where the organization was, not where it is. Cyber GRC closes that gap by bringing governance, risk management, and compliance closer to the security data and workflows teams already rely on. Why security operations and compliance need connected data For years, security operations and GRC have run in parallel. One team manages threats, exposures, and remediation. Another manages policies, controls, audits, and evidence. Both aim to reduce risk, but typically without shared context or shared data. That separation is no longer sustainable. Vulnerability exploitation rose 34% year-over-year and now accounts for 20% of all breaches, with a median of zero days between critical vulnerability publication and mass exploitation (Verizon DBIR 2025). Supply chain breaches doubled, now representing 30% of all incidents. Ransomware appeared in 44% of breaches – up 37% from the prior year. Security leaders operating in this environment face an expectation that compliance teams were not designed to meet alone: continuous proof that controls are effective against adversaries who operate at machine speed. When AI agents can autonomously chain every phase of an attack with minimal human oversight, a quarterly audit cycle is not an assurance, but a historical record. Why Cyber GRC matters now Boards are no longer satisfied with compliance status reports. They want dollarized risk scenarios and e

Sabeen Malik is VP, Global Government Affairs and Public Policy at Rapid7. ⠀ Security teams need a better way to connect what they detect, what they fix, and what they can prove. The pace of modern security operations no longer works in defenders’ favor. IBM’s Cost of a Data Breach Report 2025 found that the mean time to identify and contain a breach is now 241 days, even as AI and automation help defenders move faster. At the same time, Rapid7’s 2026 Global Threat Landscape Report shows how quickly attacker behavior is compressing the response window: exploited high and critical severity vulnerabilities more than doubled year over year, increasing 105% from 71 in 2024 to 146 in 2025, while the median time from publication to CISA KEV inclusion fell from 8.5 days to 5.0 days. This is not a future risk. It is today’s operational reality. It also exposes a governance problem most security programs were not built to solve. Security teams are expected to demonstrate, continuously, that controls are working, that risk is being reduced, and that security investments are delivering measurable outcomes. Point-in-time audit evidence, assembled quarterly, is structurally incompatible with an environment where the threat picture changes in minutes. The underlying issue is not a lack of effort, but a disconnect. Security data lives in one place, remediation happens in another, and evidence for auditors is assembled somewhere else. When leadership asks what changed, what was fixed, and what risk remains, teams are left stitching the story together manually producing reports that reflect where the organization was, not where it is. Cyber GRC closes that gap by bringing governance, risk management, and compliance closer to the security data and workflows teams already rely on. Why security operations and compliance need connected data For years, security operations and GRC have run in parallel. One team manages threats, exposures, and remediation. Another manages policies, controls, audits, and evidence. Both aim to reduce risk, but typically without shared context or shared data. That separation is no longer sustainable. Vulnerability exploitation rose 34% year-over-year and now accounts for 20% of all breaches, with a median of zero days between critical vulnerability publication and mass exploitation (Verizon DBIR 2025). Supply chain breaches doubled, now representing 30% of all incidents. Ransomware appeared in 44% of breaches – up 37% from the prior year. Security leaders operating in this environment face an expectation that compliance teams were not designed to meet alone: continuous proof that controls are effective against adversaries who operate at machine speed. When AI agents can autonomously chain every phase of an attack with minimal human oversight, a quarterly audit cycle is not an assurance, but a historical record. Why Cyber GRC matters now Boards are no longer satisfied with compliance status reports. They want dollarized risk scenarios and e

Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK (dex.module),

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-05.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB became aware of vulnerability in the products versions listed as affected in the advisory. An update is available that resolves publicly reported vulnerability. An attacker who successfully exploited these vulnerabilities could cause a crash, denial-of-service (DoS), or potentially remote code execution. /strong /p p The following versions of ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax are affected: /p ul li AC500 V3 PM5xxx 3.9.0, 3.9.0_HF1 /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 9.8 /td td ABB /td td ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax /td td Out-of-bounds Write /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Chemical, Critical Manufacturing, Energy, Water and Wastewater /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2025-15467 /a /h3 div class="csaf-accordion-content" p When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. /p p a href="https://www.cve.org/CVERecord?id=CVE-2025-15467" View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br ABB /div div class="ics-version" strong Product Version: /strong br ABB AC500 V3 PM5xxx Firmware Version 3.9.0 /div div class="ics-status" strong Product Status: /strong br fixed, known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br The problem is corrected in the following product version: - AC500 V3 firmware version 3.9.0 HF1 ABB recommends that customers apply the update at earliest

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-02.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of these vulnerabilities could allow an authenticated attacker to expose sensitive information or cause a CRLF injection. /strong /p p The following versions of Subnet Solutions PowerSYSTEM Center are affected: /p ul li PowerSYSTEM Center 2020 lt;=5.28.x (CVE-2026-35504) /li li PowerSYSTEM Center 2020 gt;=5.8.x| lt;=5.28.x (CVE-2026-26289) /li li PowerSYSTEM Center 2020 gt;=5.11.x| lt;=5.28.x (CVE-2026-33570) /li li PowerSYSTEM Center 2024 gt;=6.0.x| lt;=6.1.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504) /li li PowerSYSTEM Center 2026 7.0.x (CVE-2026-26289, CVE-2026-35555, CVE-2026-35504) /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 8.2 /td td Subnet Solutions Inc. /td td Subnet Solutions PowerSYSTEM Center /td td Incorrect Authorization, Improper Neutralization of CRLF Sequences ('CRLF Injection') /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing, Energy /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Canada /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2026-26289 /a /h3 div class="csaf-accordion-content" p PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only. /p p a href="https://www.cve.org/CVERecord?id=CVE-2026-26289" View CVE Details /a /p hr h4 Affected Products /h4 h5 Subnet Solutions PowerSYSTEM Center /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br Subnet Solutions Inc. /div div class="ics-version" strong Product Version: /strong br Subnet Solutions Inc. PowerSYSTEM Center 2020: gt;=5.8.x| lt;=5.28.x, Subnet Solutions Inc. PowerSYSTEM Center 2024: gt;=6.0.x| lt;=6.1.x, Subnet Solutions Inc. PowerSYSTEM Center 2026: 7.0.x /div div class="ics-status" strong Product Status: /strong br known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Mitigation /strong br Subnet Solutions recommends users update to the latest version of PowerSYSTEM Center PSC 2020 Update 29, PSC 2024 Update 2, and PSC 2026 GA Hotfix. /p p strong Mitigation /strong br For assistance in upgrading, users should contact a Subnet Solutions System Integration team member or customer support team at (403)

p CISA and the Group of Seven (G7) international partners—Germany, Canada, France, Italy, Japan, the United Kingdom, and the European Union—have released joint guidance, a href="https://bsi.bund.de/SharedDocs/Downloads/EN/BSI/KI/SBOM-for-AI_minimum-elements.html" target="_blank" em Software Bill of Materials for AI – Minimum Elements /em /a , to help public and private sector stakeholders improve transparency in their artificial intelligence (AI) systems and supply chains. /p p A nbsp; a href="https://www.cisa.gov/sbom" software bill of materials /a (SBOM) acts as an “ingredients list” for software that better positions organizations to understand their supply chains and make risk-informed decisions about how to protect their critical systems. The guidance builds on CISA’s previous work with federal and international partners to establish nbsp; a href="https://www.cisa.gov/resources-tools/resources/shared-vision-software-bill-materials-sbom-cybersecurity" a shared vision for a software bill of materials /a and nbsp;provides recommendations on minimum elements that should be included in an SBOM for AI. Because AI systems are software systems, these recommendations should be considered in addition to the general nbsp; a href="https://www.cisa.gov/resources-tools/resources/2025-minimum-elements-software-bill-materials-sbom" minimum elements for an SBOM /a . nbsp; /p p While not exhaustive or mandatory, the supplemental minimal elements outlined in this guidance reflect the consensus of G7 experts and will expand over time to keep pace with the rapid advancement of AI technology. nbsp; /p div class="c-text-cta" div class="l-constrain c-text-cta__inner" div class="c-text-cta__content" h2 Please share your thoughts! /h2 div class="c-text-cta__summary" div class="c-text-cta__summary" p We welcome your feedback. /p /div /div p a class="c-button c-button--on-dark" href="https://cisasurvey.gov1.qualtrics.com/jfe/form/SV_9n4TtB8uttUPaM6?product=https://www.cisa.gov/resources-tools/resources/software-bill-materials-ai-minimum-elements" CISA Product Survey /a /p /div /div /div

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-06.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB became aware of multiple internally discovered vulnerabilities in the WebPro SNMP card PowerValue for the product versions listed as affected in the advisory. Depending upon the vulnerability, an attacker with access to local network who successfully exploited this vulnerability could have - Unauthorized access - Insufficient Session Expiration leading to resource unavailability - Uncontrolled Resource Consumption leading to DOS attack ABB strongly advises customers to update the latest firmware of affected products. /strong /p p The following versions of ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities are affected: /p ul li WebPro SNMP Card lt;=1.1.8.k, 1.1.8.p /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 8.8 /td td ABB /td td ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities /td td Improper Check for Unusual or Exceptional Conditions, Incorrect Implementation of Authentication Algorithm, Insufficient Session Expiration /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Chemical, Communications, Critical Manufacturing, Dams, Energy, Healthcare and Public Health, Information Technology, Water and Wastewater /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2025-4675 /a /h3 div class="csaf-accordion-content" p Modus(slave) protocol was implemented incorrectly in the device, port 502 becomes unstable and Modbus service is unavailable until manual reboot of the device. /p p a href="https://www.cve.org/CVERecord?id=CVE-2025-4675" View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br ABB /div div class="ics-version" strong Product Version: /strong br ABB WebPro SNMP Card PowerValue lt;=1.1.8.k /div div class="ics-status" strong Product Status: /strong br fixed, known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br The problem is corrected in the following product versions: WebPro SNMP card PowerValue version 1.1.8.p ABB advises users of the affected product versions to reach out to ABB Digital Service Support ([email protected]) for guidance and recommended actions. Additiona

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-04.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB became aware of severe vulnerability in the products versions listed as affected in the advisory. The Windows gateway is accessible remotely by default. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled /strong /p p The following versions of ABB Automation Builder Gateway for Windows are affected: /p ul li Automation Builder lt;2.9.0, 2.9.0 /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 5.3 /td td ABB /td td ABB Automation Builder Gateway for Windows /td td Initialization of a Resource with an Insecure Default /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Chemical, Critical Manufacturing, Energy, Water and Wastewater /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2024-41975 /a /h3 div class="csaf-accordion-content" p The gateway serves as a communication channel for various clients to AC500 PLCs. By default, the gateway listens on all available network adapters on port 1217 and can therefore be accessed remotely. How-ever, remote access to the gateway is only required in certain network configurations. Since the gateway is usually accessed locally, many users are unaware of this remote access option, which can enable scan-ning of and access to restricted PLC networks. Unauthenticated attackers can therefore search for PLCs, but the user management of the PLCs prevents the actual access to the PLCs – unless it is disabled. Please note that the gateway for Windows can be installed as a separate setup or as part of other setups such as the CODESYS Development System V3 setup or the CODESYS OPC DA Server setup. /p p a href="https://www.cve.org/CVERecord?id=CVE-2024-41975" View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB Automation Builder Gateway for Windows /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br ABB /div div class="ics-version" strong Product Version: /strong br ABB Automation Builder lt;2.9.0 /div div class="ics-status" strong Product Status: /strong br fixed, known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br If remote access is not required, check the "LocalAddres

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-01.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow an attacker to elevate privileges from user to system, which may then enable the attacker to cause a temporary denial of service, open files, or delete files. /strong /p p The following versions of Fuji Electric Tellus are affected: /p ul li Tellus 5.0.2 /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 7.8 /td td Fuji Electric /td td Fuji Electric Tellus /td td Exposed Dangerous Method or Function /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Japan /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2026-8108 /a /h3 div class="csaf-accordion-content" p The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions. /p p a href="https://www.cve.org/CVERecord?id=CVE-2026-8108" View CVE Details /a /p hr h4 Affected Products /h4 h5 Fuji Electric Tellus /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br Fuji Electric /div div class="ics-version" strong Product Version: /strong br Fuji Electric Tellus: 5.0.2 /div div class="ics-status" strong Product Status: /strong br known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br Fuji Electric recommends that Tellus be installed only with administrator privileges. /p /div p strong Relevant CWE: /strong a href="https://cwe.mitre.org/data/definitions/749.html" CWE-749 Exposed Dangerous Method or Function /a /p hr h4 Metrics /h4 div class="csaf-table csaf-metrics-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS Version /th th role="columnheader" Base Score /th th role="columnheader" Base Severity /th th role="columnheader" Vector String /th /tr /thead tbody tr td 3.1 /td td 7.8 /td td HIGH /td td a href="https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H /a /td /tr /tbody /table /div /div /div /div hr h2 Acknowledgments /h2 ul li Kim Myung-gyu of Trend Micro Zero Day Initiative reported this vulnerability to CISA /li /ul hr h2 Legal Notice and Terms of Use /h2 p

Why do the Riskiest SOC Alerts Go Unanswered? Security operations teams are drowning in alerts. But the real problem isn't always alert volume; it's the blind spots. The most dangerous alerts are the ones no one is investigating. A recent report from The Hacker News examined why certain high-risk alert categories - WAF, DLP, OT/IoT, dark web intelligence, and supply chain signals- consistently

Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers. [...]

This is the worst Linux vulnerability in years. TL;DR copy.fail is a Linux kernel local privilege escalation, not a browser or clipboard attack. Disclosed by Theori on 29 April 2026 with a working PoC. It abuses the kernel crypto API (AF_ALG sockets) plus splice() to write four bytes at a time straight into the page cache of a file the attacker does not own. The exploit works unmodified across Ubuntu, RHEL, Debian, SUSE, Amazon Linux, Fedora and most others. No race condition, no per-distro offsets. The file on disk is never modified. AIDE, Tripwire and checksum-based monitoring see nothing. Kubernetes Pod Security Standards (Restricted) and the default RuntimeDefault seccomp profile do not block the syscall used. A custom seccomp profile is needed. The mainline fix landed on 1 April. Distros are rolling kernels out now. Patch. “Local privilege escalation” sounds dry, so let me unpack it. It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems. Why does that matter on shared infrastructure? Because “local” covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary. News article .

Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow it, restrict it, or monitor it? However, that framing misses the point. The more urgent

CVSSv3 Score: 6.3 An improper neutralization of special elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiMail may allow an authenticated privileged attacker to execute unauthorized code or commands via specifically crafted HTTP or HTTPS requests. Revised on 2026-05-12 00:00:00

CVSSv3 Score: 6.5 An OS command injection vulnerabtility [CWE-78] in FortiAP and FortiAP-W2 cli may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted cli command. Revised on 2026-05-12 00:00:00

CVSSv3 Score: 5.0 An improper export of Android application components [CWE-926] in FortiTokenAndroid may allow other applications on the device to read the OTP code via an exported Content Provider URI. Revised on 2026-05-12 00:00:00

CVSSv3 Score: 4.0 An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEB UI may allow an authenticated attacker with at least read-only admin permission to read log files via HTTP crafted requests. Revised on 2026-05-12 00:00:00

CVSSv3 Score: 6.1 An improper neutralization of special elements used in an OS command ("OS Command Injection") vulnerability [CWE-78] in FortiAP, FortiAP-U FortiAP-W2 CLI may allow an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI requests. Revised on 2026-05-12 00:00:00