World Passkey Day is a chance to reflect on progress toward a shared goal: reducing our reliance on passwords and other phishable authentication methods by accelerating passkey adoption. As cyberattacks become more automated and AI-powered, each account is only as secure as its weakest credential. Real progress requires more than adding stronger sign-in options—it requires removing phishable credentials and strengthening common attack paths like recovery flows. In partnership with the FIDO Alliance, Microsoft is committed to advancing passkey adoption through ongoing standards work, active participation in working groups, and other contributions to a passwordless future. Explore Microsoft Entra identity and access solutions Passwords remain a major source of risk; they’re difficult to manage and easy to steal. Along with weaker forms of multifactor authentication, they’re also highly vulnerable to phishing: AI-powered campaigns drive click-through rates as high as 54%. 1 In response, Microsoft is expanding passkey adoption across our ecosystem. We’re reducing reliance on legacy authentication and strengthening account recovery so it won’t become a backdoor for cyberattackers. “Instead of vulnerable secrets or potentially identifiable personal information, a passkey uses a private key stored safely on the user’s device. It only works on the website or app for which the user created it, and only if that same user unlocks it with their biometrics or PIN. This means passkey users can’t be tricked into signing in to a malicious lookalike website, and a passkey is unusable unless the user is present and consenting. These are some qualities that make passkeys a ‘phishing-resistant’ form of authentication.” From Microsoft Digital Defense Report . Passkey adoption continues to grow industry wide Passkey adoption is accelerating: FIDO Alliance estimates 5 billion passkeys already in use worldwide. 2 Across Microsoft’s consumer services, including OneDrive, Xbox, and Copilot, hundreds of millions of users sign in with passkeys every day. There are many reasons to choose passkeys as the standard authentication method over passwords. Sign-in success rates are significantly higher than with passwords, and exposure to credential-based attacks is significantly lower. 3 Organizations and individual users alike prefer the simpler, more secure sign-in experience passkeys offer. 4 Inside Microsoft, we’ve eliminated weaker authentication methods and rolled out phishing-resistant authentication, covering 99.6% of users and devices in our environment. 5 It’s made signing in a lot simpler: no codes to enter, no extra prompts to manage, just a straightforward experience for everyone. Product updates across sign-in and recovery Across Microsoft, we’ve been steadily building passkey support into every layer of the identity experience from consumer accounts to enterprise access with Microsoft Entra , and from device-based authentication like Windows
Security & IT News
LiveReal-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
Toronto police said this is the "first known instance" of an SMS blaster being used in Canada.
Two days left to save up to $410 on your pass, and get a second one at 50% off to TechCrunch Disrupt 2026. Offer ends May 8, 11:59 p.m. PT. Register now.
Let's be honest, the patching window just shrank to something no practitioner or organization can keep up with. Organizations now need to operate in an environment that must assume breach, which means fundamentals like attack surface management, micro-segmentation, identity management, and attack path validation – aka a few core pillars of CTEM – just became the most important initiatives within the cybersecurity department. Rapid7 is the only vendor that provides a truly unified platform to master Continuous Threat Exposure Management (CTEM) . How Rapid7 satisfies all 5 steps of the CTEM Framework Steps 1 and 2: Scoping and Discovery Achieving full visibility Rapid7 eliminates "unknown unknowns" by providing line-of-sight into 100% of your hybrid attack surface. Surface Command (CAASM): We establish a single source of truth by unifying asset and identity inventory from over 200 third-party vendors and native sources. Vulnerability Management: Our full-stack active scanning discovers shadow IT hidden within your enterprise network. External Attack Surface Management (EASM): We scan the entire IPv4 space of the internet to automatically track changes to registered domains and public networks so you can map your external kingdom. Unified CNAPP (Cloud Security): Our platform provides real-time, agentless visibility into every resource running across your multi-cloud environment (AWS, Azure, GCP, and Kubernetes). Through Event-Driven Harvesting (EDH) , we identify infrastructure changes in under 60 seconds. This allows us to map not just the assets, but the complex identities and permissions that define your cloud risk. Step 3: Prioritization Moving beyond static scores We replace generic risk scores with Active Risk and Threat-Aware Context . Our platform automatically prioritizes vulnerabilities based on real-world exploitability data from Rapid7 Labs and the Exploit Prediction Scoring System (EPSS). We are also able to incorporate your own organization’s tagging infrastructure to properly contextualize your enterprise so you focus on what matters most. Step 4: Validation Continuous human-led red teaming This is where Rapid7 truly stands apart from automated-only vendors or point-in-time pen tests. Vector Command provides the expert human logic needed to bypass compensating controls like WAFs that stop automated tools cold. This gives Rapid7 the ability to answer the question: “How would an attacker get in?” We fully map the attack chain from the external to the internal so you have insight into where your controls are weakest. Ed Montgomery at Rapid7 has written extensively about the power of Vector Command – you can find his blogs here . Here’s a sampling of a couple of those stories: The Telerik UI Example: While a scanner flags an old version of Telerik, our operators discovered they could bypass a WAF by splitting a malicious payload into 118 individual, "harmless" fragments. We bypassed the WAF and this achieved full remote code execution tha
p CISA has added one new vulnerability to its nbsp; a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul type="disc" li a href="https://www.cve.org/CVERecord?id=CVE-2026-6973" target="_blank" CVE-2026-6973 /a nbsp;Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability nbsp; /li /ul p This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. /p p a href="https://www.cisa.gov/binding-operational-directive-22-01" Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a nbsp;established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the nbsp; a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf" BOD 22-01 Fact Sheet /a nbsp;for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing nbsp;timely nbsp;remediation of nbsp; a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" KEV Catalog vulnerabilities /a nbsp;as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the nbsp; a href="https://www.cisa.gov/known-exploited-vulnerabilities" specified criteria /a . nbsp; /p
p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-127-01.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability may enable an attacker to access tenant email addresses and associated information in cleartext or cause a denial-of-service condition. /strong /p p The following versions of MAXHUB Pivot client application are affected: /p ul li MAXHUB Pivot client application /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 7.3 /td td MAXHUB /td td MAXHUB Pivot client application /td td Use of a Broken or Risky Cryptographic Algorithm /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Information Technology /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong United States /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2026-6411 /a /h3 div class="csaf-accordion-content" p This vulnerability, in the MAXHUB Pivot client application versions prior to v1.36.2, may allow an attacker to obtain encrypted tenant email addresses and related metadata from any tenant. Due to the presence of a hardcoded AES key within the application, the encrypted data can be decrypted, enabling access to tenant email addresses and associated information in cleartext. Furthermore, an attacker may be able to cause a denial-of-service condition by enrolling multiple unauthorized devices into a tenant via MQTT, potentially disrupting tenant operations. /p p a href="https://www.cve.org/CVERecord?id=CVE-2026-6411" View CVE Details /a /p hr h4 Affected Products /h4 h5 MAXHUB Pivot client application /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br MAXHUB /div div class="ics-version" strong Product Version: /strong br MAXHUB MAXHUB Pivot client application: lt;v1.36.2 /div div class="ics-status" strong Product Status: /strong br known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Mitigation /strong br MAXHUB recommends users upgrade the Pivot client application to v1.36.2 or newer. The remediation has been made available through an OTA update. Users running v1.36.2 or later are not affected and need only ensure they continue to maintain the latest version. At this time, MAXHUB is not aware of any public exploitation of this issue. For more information, see the MAXHUB support page. br a href="https://www.maxhub.com/en/support/" https://www.maxhub.com/en/support/ /a /p /div p strong Releva
ICE is developing its own version of smart glasses, with facial recognition tied to various databases.
U.S. prosecutors said a ransomware gang fueled Russian government corruption, and allowed the gang's leaders to avoid paying taxes and dodge the country's military draft.
Braintrust, a startup that makes an “operating system for engineers building AI software,” notified customers that hackers broke into one of its Amazon cloud environments, and is asking customers to rotate their API keys.
Security operations are entering a new phase. As attack techniques grow faster and more complex, the effectiveness of a SOC depends less on collecting more data and more on how well platforms can turn context into action at scale. KuppingerCole Analysts’ 2026 Emerging AI Security Operations Center (SOC) reflects this shift clearly: the future of security automation is not defined by static rules or isolated workflows, but by intelligence‑driven automation that supports analyst decision‑making across the full security lifecycle. This evolution mirrors what many security leaders already experience day to day, that the limiting factor is no longer alert volume, but human capacity. Microsoft is excited to be named an Overall Leader, and the Market Leader, in this report, as we see automation as a core component of the future of cybersecurity. Read the report Figure 1: Overall Leadership in the AI SOC market From playbook‑driven SOAR to intelligence‑led automation Traditional security orchestration, automation, and response (SOAR) solutions were built to automate predictable, repeatable tasks: enrichment steps, ticket creation, notifications, and predefined containment actions. These capabilities remain valuable, but they were designed for an era when incidents followed more deterministic patterns. This is a critical change. In many SOCs today, analysts still spend significant time: Stitching together context across alerts and data sources. Manually triaging incidents that turn out to be benign. Following repetitive investigation and response steps. The result is slower response times and analyst burnout—at exactly the moment attackers are moving faster and operating more quietly. Automation built into the analyst experience Microsoft has evolved the way these common challenges can be addressed, leveraging machine learning, large language models (LLMs), and agents, including releases such as: Automatic attack disruption : An always-on capability that limits lateral attackers and reduces the overall impact of an attack, from associated costs to loss of productivity, leaving security operations teams in complete control of investigating, remediating, and bringing assets back online. Phishing triage agent : An agent that runs sophisticated assessments—including semantic evaluation of email content, URL and file inspection, and intent detection—to determine whether a submission is a true phishing threat or a false alarm. AI powered incident prioritization : A machine learning prioritization model to surface the incidents that matter most, assigning each incident a priority score from 0–100 and explaining the key factors behind the ranking. Playbook generator : An experience that allows users to create python-code playbooks using natural language for flexible workflow automation. These capabilities are just the beginning of how we are introducing agents and automation to help users move faster, freeing analysts to focus on higher‑value tasks like proactive
In this article Activity overview Mitigation and protection guidance Hunting queries Indicators of compromise Microsoft researchers continue to observe the evolution of an infostealer campaign distributing ClickFix ‑style instructions and targeting macOS users. In this recent iteration, threat actors attempt to take advantage of users who are looking for helpful advice on macOS-related issues (for example, optimizing their disk space) in blog sites and other user-driven content platforms by hosting their malicious commands in these sites. These commands, which are purported to install system utilities, load an infostealing malware like Macsync, Shub Stealer, and AMOS into the targets’ devices instead. The malware then collects and exfiltrates data, including media files, iCloud data and Keychain entries, and cryptocurrency wallet keys. In some campaigns, the malware replaces legitimate cryptocurrency wallet apps with trojanized versions, putting users at an added security risk. Prior iterations of this campaign delivered the infostealers through disk image ( .dmg ) files that required users to manually install an application. This recent activity reflects a shift in tradecraft, where threat actors instruct users to run Terminal commands that leverage native utilities to retrieve remotely hosted content, followed by script‑based loader execution. Unlike application bundles opened through Finder—which might be subjected to Gatekeeper verification checks such as code signing and notarization—scripts downloaded and launched directly through Terminal (for example, by using osascript or shell interpreters) don’t undergo the same evaluation. This delivery mechanism enables attackers to initiate malware execution through user‑driven command invocation, reducing reliance on traditional application delivery methods and increasing the likelihood of successful execution. In this blog, we take a look at three campaigns that use this new tradecraft. We also provide mitigation guidance and detection details to help surface this threat. Activity overview Initial access Standalone websites were seen hosting pages that included a Base64-encrypted instruction for end users to run. Some sites present this information in multiple languages. As of this writing, these websites that we’ve observed are either already down or have been reported. Figure 1: Landing page of a script campaign (domenpozh[.]net) Figure 2. ClickFix instructions hosted on mac-storage-guide.squarespace[.]com. Figure 3. mac-storage-guide.squarespace[.]com page was seen presenting content in different languages, such as Japanese. In other instances, content that included instructions leading to malware were observed to be hosted on Craft, a note-taking platform that lets writers and content creators take notes and distribute their content. We’ve observed that pages like macclean[.]craft[.]me were taken down relatively quickly. Figure 4. ClickFix instruction hosted on macclean[.]craft[.]me. Threat ac
A new survey found that kids find it easy to bypass age checks, despite a rise in age-verification laws around the world.
Overview On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300 , a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of 9.3 and has been confirmed as exploited in the wild by the vendor. CVE-2026-0300 is a buffer overflow ( CWE-787 ) in the User-ID™ Authentication Portal (also known as Captive Portal), a non-default PAN-OS feature used to map IP addresses to usernames. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected firewall. No authentication or user interaction is required. Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portals exposed to either untrusted IP addresses or the public internet. No patches are currently available; fixed versions are expected to begin rolling out on May 13, 2026, with additional releases through May 28, 2026. PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. Shodan identifies approximately 225,000 internet-facing PAN-OS instances, representing a significant attack surface. Rapid7 strongly urges all organizations running affected PAN-OS versions with the User-ID Authentication Portal enabled to apply the available workarounds immediately and prioritize patching as soon as fixed versions become available. Update #1: On May 6, 2026, CVE-2026-0300 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. Palo Alto Networks Unit 42 also published a threat brief attributing observed exploitation to CL-STA-1132, a likely state-sponsored threat cluster that deployed open-source tunneling tools and conducted Active Directory enumeration following initial compromise. Mitigation guidance Organizations running PA-Series and VM-Series firewalls with the User-ID™ Authentication Portal enabled should apply the available workarounds immediately and prioritize patching as soon as fixed versions are released. Check the official documentation to establish whether the affected User-ID™ Authentication Portal is currently enabled. According to the Palo Alto Networks advisory, the following versions are affected by CVE-2026-0300: Product Affected Unaffected Fix ETA PAN-OS 12.1 12.1.4-h5 12.1.7 = 12.1.4-h5 = 12.1.7 05/13 05/28 PAN-OS 11.2 11.2.4-h17 11.2.7-h13 11.2.10-h6 11.2.12 = 11.2.4-h17 = 11.2.7-h13 = 11.2.10-h6 = 11.2.12 05/28 05/13 05/13 05/28 PAN-OS 11.1 11.1.4-h33 11.1.6-h32 11.1.7-h6 11.1.10-h25 11.1.13-h5 11.1.15 = 11.1.4-h33 = 11.1.6-h32 = 11.1.7-h6 = 11.1.10-h25 = 11.1.13-h5 = 11.1.15 05/13 05/13 05/28 05/13 05/13 05/28 PAN-OS 10.2 1
Executive summary In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade. Technical artifacts, including a specific code-signing certificate and Command-and-Control (C2) infrastructure, suggest with moderate confidence that this activity is linked to MuddyWater (Seedworm), an Iranian Advanced Persistent Threat (APT) affiliated with the Ministry of Intelligence and Security (MOIS). The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate Multi-Factor Authentication (MFA). Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent. This report deconstructs the infection chain and analyzes the custom "Game.exe" Remote Access Trojan (RAT). Additionally, this explores the process by which MuddyWater is increasingly leveraging the cybercriminal ecosystem to provide plausible deniability for geopolitical espionage and prepositioning, particularly in the US. The strategy highlights the convergence between state-sponsored intrusion activity and criminal tradecraft, where a big “tell” lies in the techniques that were deployed – and those that weren’t. This overall strategy suggests the primary goal was not financial gain. It is also further proof of the lines blurring against the background of geopolitical tensions, and that attribution is becoming more difficult if teams do not take it upon themselves to conduct proper and thorough research. Rapid7 coverage Rapid7 has coverage for this campaign across both intelligence and detection workflows. The campaign is available in Rapid7’s Intelligence Hub , providing customers with curated context, indicators, and threat actor tradecraft to support awareness, investigation, and prioritization. Relevant detections are also available in InsightIDR, helping security teams identify activity associated with this intrusion pattern across their environments. Chaos ransomware: Profile and targeting Active since February 2025, Chaos is a ransomware-as-a-service (RaaS) operation specializing in big-game hunting (BGH) attacks against high-profile organizations, with reported ransom demands reaching up to $300,000. Despite the name, it is distinct from the Chaos malware builder identified in 2021. The group emerged shortly after the July 2025 law enforcement disruption of BlackSuit infrastructure during Operation Checkmate and is likely composed of former BlackSuit and/or Royal members. To expand its operations, Chaos advertises its affiliate program on cybercrime forums, such
p CISA has added one new vulnerability to its nbsp; a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. nbsp; /p ul type="disc" li a href="https://www.cve.org/CVERecord?id=CVE-2026-0300" target="_blank" CVE-2026-0300 /a nbsp;Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability /li /ul p This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. /p p a href="https://www.cisa.gov/binding-operational-directive-22-01" Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a nbsp;established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the nbsp; a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf" BOD 22-01 Fact Sheet /a nbsp;for more information. nbsp; /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing nbsp;timely nbsp;remediation of nbsp; a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" KEV Catalog vulnerabilities /a nbsp;as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the nbsp; a href="https://www.cisa.gov/known-exploited-vulnerabilities" specified criteria /a . nbsp; /p
A new rowhammer attack gives complete control of NVIDIA CPUs. On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—and potentially much more consequential—territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings. “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of one of the papers. “ GDDRHammer: Greatly Disturbing DRAM RowsCross-Component Rowhammer Attacks from Modern GPUs .” “With our work, we… show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU’s memory, resulting in complete compromise of the machine.” Update Friday, April 3: On Friday, researchers unveiled a third Rowhammer attack that also demonstrates Rowhammer attacks on the RTX A6000 that achieves privilege escalation to a root shell. Unlike the previous two, the researchers said, it works even when IOMMU is enabled. The second paper is GeForge: Hammering GDDR Memory to Forge GPU Page Tables for Fun and Profit : …does largely the same thing, except that instead of exploiting the last-level page table, as GDDRHammer does, it manipulates the last-level page directory. It was able to induce 1,171 bitflips against the RTX 3060 and 202 bitflips against the RTX 6000. GeForge, too, uses novel hammering patterns and memory massaging to corrupt GPU page table mappings in GDDR6 memory to acquire read and write access to the GPU memory space. From there, it acquires the same privileges over host CPU memory. The GeForge proof-of-concept exploit against the RTX 3060 concludes by opening a root shell window that allows the attacker to issue commands that run unfettered privileges on the host machine. The researchers said that both GDDRHammer and GeForge could do the same thing against the RTC 6000.
The cybersecurity company says it's seen thousands of infection attempts, and at least a dozen successful hacks after users installed malicious versions of the popular Windows software.
The full agenda for the Rapid7 2026 Global Cybersecurity Summit is now live, and it gives a clearer sense of how the conversation around security operations is evolving. Across two days, the sessions progress from a shared understanding of how threats are changing into a more detailed look at how teams detect, respond, and make decisions in practice. Day 1: How threats evolve and how teams respond The day opens with a keynote, Defense Starts Earlier Than You Think , where Brian Castagna is joined by Craig Robinson, Research Vice President at IDC, to examine why complexity has become the main barrier to effective security and what changes when teams start acting earlier. That context carries into The Reality of Running a SOC in 2026 , featuring Raj Samani alongside Rachel Tobac, CEO of SocialProof Security, and Graham Cluley, cybersecurity speaker and podcast host. The discussion focuses on how attacks actually begin, from identity misuse to cloud misconfigurations, and why defenders often fall behind as those attacks evolve. In Customer Panel: How Clarity Beats Complexity , leaders including Debby Briggs, CISO at Netscout Systems, Raheem Daya, Chief Technology Officer at Target RWE, and Will Lambert from Culligan International share how they are simplifying their environments and focusing on outcomes rather than activity. From there, Inside the Modern SOC: Who Carries You Through an Incident walks through a real investigation step by step, showing how alerts are triaged, decisions are made, and outcomes are shaped under pressure. The conversation then turns to AI in The AI Dilemma: Automating Defense Without Surrendering Judgment , where the role of AI in the SOC is examined through the lens of trust, transparency, and how it supports analyst decision-making in practice. In Beyond the Vulnerability List , the focus shifts to exposure management, looking at how organizations are moving beyond static vulnerability tracking and using exposure as an early signal to guide detection and response. That idea of validation continues in Using Red Teaming to Power Preemptive MDR , where continuous adversary testing is used to prove detection coverage and refine response workflows before an incident occurs. The day also includes a short look at Rapid7: What’s New and What’s Next , connecting recent innovations across exposure management, MDR, and AI to how teams operate in practice. The closing session, Persistence Under Pressure , introduces a different perspective. Former Special Forces operator Jason Fox draws on real-world experience to explore preparation, understanding the adversary, and how teams make decisions when conditions are less predictable. Day 2: Strategy for leaders, execution for practitioners The second day builds on that foundation, with two dedicated tracks designed around how security teams actually work. For security leaders, The CISO’s Role in Enterprise Transformation brings together perspectives from Craig Robinson and Horst Moll, C
p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-125-01.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Hitachi Energy is aware of a vulnerability that affects the Hitachi Energy PCM600 product versions listed in this document. An attacker successfully exploiting this vulnerability can impact integrity of the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation. /strong /p p The following versions of Hitachi Energy PCM600 are affected: /p ul li PCM600 Legacy vers:PCM600_Legacy/ lt;=2.11 (CVE-2018-1002208) /li li PCM600 3.0, 3.0_HF1, 3.0_HF2, 3.0_HF3, 3.1, 3.1_SP1, 3.1_SP2, 3.1_SP3 (CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208, CVE-2018-1002208) /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 4.4 /td td Hitachi Energy /td td Hitachi Energy PCM600 /td td Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Energy /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2018-1002208 /a /h3 div class="csaf-accordion-content" p SharpZipLib before 1.0 RC1 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. /p p a href="https://www.cve.org/CVERecord?id=CVE-2018-1002208" View CVE Details /a /p hr h4 Affected Products /h4 h5 Hitachi Energy PCM600 /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br Hitachi Energy /div div class="ics-version" strong Product Version: /strong br PCM600 Legacy Version 2.11 and earlier, PCM600 3.0, PCM600 3.0 HF1, PCM600 3.0 HF2, PCM600 3.0 HF3, PCM600 3.1, PCM600 3.1 SP1, PCM600 3.1 SP2, PCM600 3.1 SP3 /div div class="ics-status" strong Product Status: /strong br known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong None available /strong br Prior to acquisition, PCM600 product versions 2.11 and earlier were distributed under ABB’s organization. Some Hitachi Energy users may still be operating these legacy versions. While ABB continues to maintain the PCM600 2.x product line, Hitachi Energy now exclusively maintains and distributes the PCM600
p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-125-05.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow a standard user to escalate privileges on the host machine. /strong /p p The following versions of Johnson Controls CEM AC2000 are affected: /p ul li CEM AC2000 12.0 (CVE-2026-21661) /li li CEM AC2000 11.0 (CVE-2026-21661) /li li CEM AC2000 10.6 (CVE-2026-21661) /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 8.7 /td td Johnson Controls Inc. /td td Johnson Controls CEM AC2000 /td td Uncontrolled Search Path Element /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Ireland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2026-21661 /a /h3 div class="csaf-accordion-content" p The affected product is vulnerable to DLL hijacking, which could allow an attacker to escalate standard user privileges on the host machine. /p p a href="https://www.cve.org/CVERecord?id=CVE-2026-21661" View CVE Details /a /p hr h4 Affected Products /h4 h5 Johnson Controls CEM AC2000 /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br Johnson Controls Inc. /div div class="ics-version" strong Product Version: /strong br Johnson Controls Inc. CEM AC2000: 12.0, Johnson Controls Inc. CEM AC2000: 11.0, Johnson Controls Inc. CEM AC2000: 10.6 /div div class="ics-status" strong Product Status: /strong br known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Mitigation /strong br Johnson Controls recommends users apply the following mitigations: /p p strong Mitigation /strong br Upgrade CEM AC 2000 12.0 to 12.0 Release 10. /p p strong Mitigation /strong br Upgrade CEM AC 2000 11.0 to 11.0 Release 9. /p p strong Mitigation /strong br Upgrade CEM AC 2000 10.6 to 10.6 Release 3. /p p strong Mitigation /strong br For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory. br a href="https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories" https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories /a /p /div p strong Relevant CWE: /strong a href="https://cwe.mitre.org/data/definitions/427.html" CWE-427 Uncontrolled Search Path Eleme