Security & IT News

Detection and response are under pressure. Expanding attack surfaces, identity misuse, cloud sprawl, and AI-accelerated threats have changed what “ready” looks like for a SOC. That’s why this year’s Global Cybersecurity Summit places continuous threat defense at the center of the conversation. The focus is clear: this is what modern MDR looks like when it’s designed to disrupt attackers earlier, not just react to them faster. 2026 MDR sessions: A sneak peek Throughout the summit, several sessions will explore how detection and response are evolving in practice. In this year’s “ Inside the Modern SOC” , we’ll look at how response actually unfolds when pressure is high and decisions matter. It’s a close examination of ownership, escalation, and how teams coordinate across endpoint, identity, and cloud telemetry. In “ Using Red Teaming to Power Preemptive MDR” , the conversation shifts upstream. Rather than treating red teaming as a compliance exercise, this session examines how continuous testing strengthens detection coverage and validates response workflows before a real attacker forces the issue. For the executive leaders “A CISO’s Guide to MDR Accountability and Outcomes” will examine MDR through a leadership lens, describing how leaders can best evaluate performance, define success, and ensure response strategies hold up under scrutiny. As detection models grow more complex, clarity around accountability can become just as important as technical capability. For hands-on practitioners, “ Hunt or Be Hunted: Frontline Tales of Detection” offers a scenario-driven walkthrough of how SOC analysts triage signals, manage handoffs, and make decisions under real operational pressure. Meanwhile, "IR in Practice: Tools, Tradecraft, and Adversary-Informed Investigation” provides a deeper look at investigative workflows – including practical use cases and adversary-informed response approaches. What preemptive MDR really means Together, these sessions represent part of a broader theme: Preemptive security operations is not about adding more tools or generating more alerts. It is about reducing uncertainty, aligning exposure with detection, and building workflows that allow teams to act with confidence. And this is only a preview. Additional sessions, speakers, and perspectives will continue to be announced as the summit approaches. If you’re responsible for detection strategy, response readiness, or MDR governance, this track is designed to meet you where you operate. Join us May 12–13 and be part of the shift toward more confident, preemptive security operations. Register now

I’m skeptical about—and not qualified to review—this new result in factorization with a quantum computer, but if it’s true it’s a theoretical improvement in the speed of factoring large numbers with a quantum computer.

No bad luck here: Friday the 13th brings new modules and a Metasploit Pro milestone This week’s Metasploit Framework release delivers three new modules across reconnaissance, evasion, and exploitation: LeakIX-powered discovery for exposed services and leaked data, a Linux x64 RC4 payload packer for more flexible evasive delivery, and an unauthenticated RCE module for SPIP Saisies (CVE-2025-71243). Alongside those additions, we shipped practical quality-of-life improvements including a smaller configurable bind_netcat payload path, and automatic WordPress service reporting in the WordPress mixin. Finally, we’re also excited to share the new Metasploit Pro 5.0.0 release with an updated UI and SSO support amongst other changes, check out the announcement here: Announcing Metasploit Pro 5: Penetration Testing, Evolving . New module content (3) LeakIX Search Authors: LeakIX [email protected] and Valentin Lobstein [email protected] Type: Auxiliary Pull request: #21002 contributed by Chocapikk Path: gather/leakix_search Description: Adds a new module auxiliary/gather/leakix_search, a new module for LeakIX API - a search engine focused on indexing internet-exposed services and leaked credentials/databases. Linux RC4 Encrypted Payload Generator Author: Massimo Bertocchi Type: Evasion Pull request: #20966 contributed by litemars Path: linux/x64/rc4_packer Description: Adds a new module evasion/linux/x64/rc4_packer packer that encrypts the generated payload with RC4, prepends an optional sleep-based delay (nanosleep), and decrypts/executes the payload at runtime via a compact precompiled stub. SPIP Saisies Plugin Unauthenticated RCE Authors: OpenStudio and Valentin Lobstein [email protected] Type: Exploit Pull request: #21001 contributed by Chocapikk Path: multi/http/spip_saisies_rce AttackerKB reference: CVE-2025-71243 Description: This adds a new module for CVE-2025-71243, an unauthenticated PHP code-injection vulnerability in the SPIP Saisies plugin. The injection takes place through _anciennes_valeurs, which allows an attacker to inject a PHP payload. Enhancements and features (2) #20885 from dledda-r7 - Updates the bind_netcat payload to allow it to be smaller by selecting either default or BSD-style netcat command syntax. Previously, the payload ran both command syntaxes combined by an OR operator so wherever it was executed, the payload worked. The default behavior remains to run both, but in the event a user needs a significantly shorter payload, they can select a single netcat syntax and adjust the filenames. #20961 from Nayeraneru - This adds service reporting to Wordpress mixin. Now, when you use a Wordpress module, it will automatically report the target as Wordpress if detected. Documentation You can find the latest Metasploit documentation on our docsite at docs.metasploit.com . Get it As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from Git

The role and demand for red-teaming capabilities are growing, as more exploitable CVEs make their way into criminal hands. Being proactive is no longer a capability that can be reserved for annual tests, but a continuous assessment to determine exposure and even through the validation of an organization's security posture. With this in mind, we are delighted to announce the long awaited availability of Metasploit Pro 5.0.0 – which is not just an update, but a fundamentally new approach to red-teaming, designed with the sole intention of staying ahead of ever-increasingly capable threat actors. Amongst the multitude of changes, Metasploit 5.0.0 offers an intuitive testing workflow that removes the ever evolving complexity of testing, as well as a suite of powerful new modules and critical enhancements. This is the version you can't afford to miss. For all the technical details, the granular release notes can be viewed here . So what’s new? Intuitive testing workflow Say goodbye to complexity, as Metasploit Pro has completely overhauled the testing workflow. Updates are highlighted by an intuitive user interface, ensuring that your focus remains on high-value penetration testing and vulnerability validation, not fighting the interface. These changes are the foundation for the future, preserving the core functionality you rely on while enabling even more powerful features down the road. ⠀ Stop guessing and start seeing. The new implementation of Network Topology support provides instant, crystal-clear clarity on hosts that have been compromised, have associated cracked credentials, or captured data. For enterprise environments with vast, complex surfaces, we’ve invested in performance improvements, giving you the power to zoom and pan through hundreds of available hosts with zero lag. This is actionable visualization that transforms data into defense. ⠀ Vulnerability detection improvements Get the necessary assurance before you click 'run.' Metasploit modules can now register crucial vulnerability detection details as part of running. This means that modules capable of running pre-check detection logic give you the full intelligence picture before you attempt exploitation. This new level of transparency and detail empowers you to make smarter, faster decisions, saving you precious time and minimizing the chance of failed module runs and adverse side effects. ⠀ Advanced workflow improvements Unleash your inner expert with unprecedented control and efficiency. Advanced users of Metasploit Pro will immediately benefit from multiple UX improvements to the single module run page. Tired of manually configuring options? Users now receive intelligent suggestions for applicable values, including network targets, Kerberos credential cache files, and more – streamlining ADCS workflows. ⠀ Furthermore, you now have the ability to manually choose and configure individual payloads, giving you the final word on how you exploit targets. Metasploit Pro will continue

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker , a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency. Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices. A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker. “All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads. The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike. Handala was one of several hacker groups recently profiled by Palo Alto Networks , which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore , a MOIS-affiliated actor. Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.” A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.” “Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.” Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trust

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software. There are no pressing “zero-day” flaws this month (compared to February’s five zero-day treat), but as usual some patches may deserve more rapid attention from organizations using Windows. Here are a few highlights from this month’s Patch Tuesday. Image: Shutterstock, @nwz. Two of the bugs Microsoft patched today were publicly disclosed previously. CVE-2026-21262 is a weakness that allows an attacker to elevate their privileges on SQL Server 2016 and later editions. “This isn’t just any elevation of privilege vulnerability, either; the advisory notes that an authorized attacker can elevate privileges to sysadmin over a network,” Rapid7’s Adam Barnett said. “The CVSS v3 base score of 8.8 is just below the threshold for critical severity, since low-level privileges are required. It would be a courageous defender who shrugged and deferred the patches for this one.” The other publicly disclosed flaw is CVE-2026-26127 , a vulnerability in applications running on .NET . Barnett said the immediate impact of exploitation is likely limited to denial of service by triggering a crash, with the potential for other types of attacks during a service reboot. It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint. CVE-2026-26113 and CVE-2026-26110 are both remote code execution flaws that can be triggered just by viewing a booby-trapped message in the Preview Pane. Satnam Narang at Tenable notes that just over half (55%) of all Patch Tuesday CVEs this month are privilege escalation bugs, and of those, a half dozen were rated “exploitation more likely” — across Windows Graphics Component, Windows Accessibility Infrastructure, Windows Kernel, Windows SMB Server and Winlogon. These include: – CVE-2026-24291 : Incorrect permission assignments within the Windows Accessibility Infrastructure to reach SYSTEM (CVSS 7.8) – CVE-2026-24294 : Improper authentication in the core SMB component (CVSS 7.8) – CVE-2026-24289 : High-severity memory corruption and race condition flaw (CVSS 7.8) – CVE-2026-25187 : Winlogon process weakness discovered by Google Project Zero (CVSS 7.8). Ben McCarthy , lead cyber security engineer at Immersive , called attention to CVE-2026-21536 , a critical remote code execution bug in a component called the Microsoft Devices Pricing Program. Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users. But McCarthy says it’s notable as one of the first vulnerabilities identified by an AI agent and officially recognized with a CVE attributed to the Windows operating system. It was discovered by XBOW , a fully autonomous AI penetration testing agent. XBOW has consistently ranked at o

CVSSv3 Score: 6.0 An Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability [CWE-88] in FortiDeceptor WEBUI may allow a privileged attacker with super-admin profile and CLI access to delete sensitive files via crafted HTTP requests. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 3.4 An improper restriction of excessive authentication attempts vulnerability [CWE-307] in FortiManager and FortiAnalyzer may allow an attacker to bypass bruteforce protections via exploitation of race conditions. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 7.3 An Improper Control of Interaction Frequency vulnerability [CWE-799] in FortiWeb may allow a remote unauthenticated attacker to bypass the authentication rate-limit via crafted requests. The success of the attack depends on the attacker's resources and the password target complexity. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 7.7 A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability [CWE-120] in FortiSwitchAXFixed may allow an unauthenticated attacker within the same adjacent network to execute unauthorized code or commands on the device via sending a crafted LLDP packet. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 7.0 A Stack-based Buffer Overflow vulnerability [CWE-121] in FortiManager fgtupdates service may allow a remote unauthenticated attacker to execute unauthorized commands via crafted requests, if the service is enabled. The success of the attack depends on the ability to bypass the stack protection mechanisms. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 6.5 A use of externally-controlled format string vulnerability [CWE-134] in FortiAnalyzer, FortiAnalyzer Cloud, FortiManager and FortiManager Cloud fazsvcd daemon may allow a remote privileged attacker with admin profile to execute arbitrary code or commands via specially crafted requests. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 3.8 A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiMail, FortiVoice and FortiRecorder debug logs may allow an authenticated malicious administrator to obtain user's secrets via CLI commands. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 6.3 An improper certificate validation [CWE-295] vulnerability in the FortiManager GUI may allow a remote unauthenticated attacker to view confidential information via a man in the middle [MiTM] attack. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 7.4 A UNIX symbolic link (Symlink) Following vulnerability [CWE-61] in FortiClientLinux may allow a local and unprivileged user to escalate their privileges to root. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 2.5 A NULL Pointer Dereference vulnerability [CWE-476] in FortiWeb may allow an authenticated attacker to crash the HTTP daemon via crafted HTTP requests. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 6.7 An OS Command Injection vulnerability [CWE-78] in FortiWeb API may allow an authenticated attacked to execute arbitrary commands via a specialy crafted HTTP request. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 6.7 An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiSandbox Cloud WEB UI may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. Revised on 2026-03-10 00:00:00

CVSSv3 Score: 6.8 An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiManager and FortiAnalyzer multifactor authentication may allow an attacker with knowledge of the admins password to bypass multifactor authentication checks via submitting multiple crafted requests. Revised on 2026-03-10 00:00:00

AI-based assistants or “agents” — autonomous programs that have access to the user’s computer, files, online services and can automate virtually any task — are growing in popularity with developers and IT workers. But as so many eyebrow-raising headlines over the past few weeks have shown, these powerful and assertive new tools are rapidly shifting the security priorities for organizations, while blurring the lines between data and code, trusted co-worker and insider threat, ninja hacker and novice code jockey. The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot ) — has seen rapid adoption since its release in November 2025. OpenClaw is an open-source autonomous AI agent designed to run locally on your computer and proactively take actions on your behalf without needing to be prompted. The OpenClaw logo. If that sounds like a risky proposition or a dare, consider that OpenClaw is most useful when it has complete access to your digital life, where it can then manage your inbox and calendar, execute programs and tools, browse the Internet for information, and integrate with chat apps like Discord, Signal, Teams or WhatsApp. Other more established AI assistants like Anthropic’s Claude and Microsoft’s Copilot also can do these things, but OpenClaw isn’t just a passive digital butler waiting for commands. Rather, it’s designed to take the initiative on your behalf based on what it knows about your life and its understanding of what you want done. “The testimonials are remarkable,” the AI security firm Snyk observed . “Developers building websites from their phones while putting babies to sleep; users running entire companies through a lobster-themed AI; engineers who’ve set up autonomous code loops that fix tests, capture errors through webhooks, and open pull requests, all while they’re away from their desks.” You can probably already see how this experimental technology could go sideways in a hurry. In late February, Summer Yue , the director of safety and alignment at Meta’s “superintelligence” lab, recounted on Twitter/X how she was fiddling with OpenClaw when the AI assistant suddenly began mass-deleting messages in her email inbox. The thread included screenshots of Yue frantically pleading with the preoccupied bot via instant message and ordering it to stop. “Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun deleting your inbox,” Yue said. “I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.” Meta’s director of AI safety, recounting on Twitter/X how her OpenClaw installation suddenly began mass-deleting her inbox. There’s nothing wrong with feeling a little schadenfreude at Yue’s encounter with OpenClaw, which fits Meta’s “move fast and