Security & IT News

Security teams are working in an environment where speed, scale, and complexity are all increasing at the same time. Across the Rapid7 2026 Global Cybersecurity Summit , the focus was not just on how the threat landscape is evolving, but on how teams are adapting their approach to keep up. The sessions brought together perspectives from across detection and response, exposure management, AI, and security operations, with a consistent emphasis on making better decisions earlier and with more confidence. How modern attacks are starting across identity, cloud, and social engineering Several sessions explored how initial access has shifted toward identity misuse, social engineering, and cloud misconfigurations. These entry points often blend into normal activity, making it harder for teams to distinguish between legitimate behavior and early-stage compromise. Understanding how attacks begin has become a critical part of detection strategy. Rather than relying on a single signal, teams need to recognize how activity develops across multiple systems and how seemingly low-risk events can connect into something more serious. What real incident response looks like inside modern MDR and SOC teams The sessions focused on MDR and the SOC provided a closer look at how incidents unfold in practice. Investigations rarely follow a clean path, and analysts are constantly making decisions with incomplete information while attackers continue to move. What stands out is how MDR extends the SOC beyond detection, combining continuous monitoring with human-led response to guide organizations through incidents as they happen. Alerts initiate the process, but outcomes depend on how teams interpret signals, prioritize actions, and manage tradeoffs under pressure across cloud, identity, and on-prem environments. This view highlights the operational reality behind incident response, where coordination and judgment shape the outcome as much as the technology itself. Why complexity is slowing security teams down Security environments continue to expand, bringing more tools, more data, and more potential points of failure. Across the summit, speakers highlighted how fragmented visibility and unclear ownership can make it difficult to maintain a consistent view of risk. The challenge is not eliminating complexity, but managing it in a way that allows teams to act effectively. Organizations that focus on clarity, ownership, and prioritization are better positioned to respond when signals start to converge. How exposure management is reshaping risk prioritization A recurring theme was the shift from vulnerability management toward exposure management. Vulnerability data provides insight into what exists, but it does not always reflect what creates meaningful risk. Exposure management adds context by connecting vulnerabilities to assets, identities, and business impact. This allows teams to focus on what is reachable and relevant, helping them prioritize based on real-world risk r

Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE). Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had

Microsoft's total vulnerability count stayed steady in 2025, but critical flaws surged year over year. BeyondTrust breaks down why attackers are increasingly focused on privilege escalation and identity abuse. [...]

AI-powered vulnerability scanning leaves no excuse for unpatched bugs as the EU Cyber Resilience Act pushes firms toward secure-by-design software

IT teams are increasingly overwhelmed by alerts from disconnected systems, forcing responders to manually coordinate investigations during network incidents. This webinar explores how automation and AI-assisted workflows can help reduce response delays and improve operational coordination. [...]

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-05.json strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could allow an attacker to take control of the victim's browser. /strong /p p The following versions of Kieback amp; Peter DDC Building Controllers are affected: /p ul li DDC4002 lt;=1.12.14 (CVE-2026-4293) /li li DDC4100 lt;=1.12.14 (CVE-2026-4293) /li li DDC4200 lt;=1.12.14 (CVE-2026-4293) /li li DDC4200-L lt;=1.12.14 (CVE-2026-4293) /li li DDC4400 lt;=1.12.14 (CVE-2026-4293) /li li DDC4002e lt;=1.23.4 (CVE-2026-4293) /li li DDC4200e lt;=1.23.4 (CVE-2026-4293) /li li DDC4400e lt;=1.23.4 (CVE-2026-4293) /li li DDC4020e lt;=1.23.4 (CVE-2026-4293) /li li DDC4040e lt;=1.23.4 (CVE-2026-4293) /li li DDC520 lt;=1.24.1 (CVE-2026-4293) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 5.3 /td td Kieback amp; Peter /td td Kieback amp; Peter DDC Building Controllers /td td Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Commercial Facilities, Communications, Financial Services, Food and Agriculture, Government Services and Facilities, Healthcare and Public Health, Information Technology /li li strong Countries/Areas Deployed: /strong Austria, China, France, Germany, United Arab Emirates /li li strong Company Headquarters Location: /strong Germany /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2026-4293 /a /h3 div class= csaf-accordion-content p The affected products are vulnerable to cross-site scripting (XSS), enabling JavaScript to be executed by the victim's browser, which allows the attacker to control the browser. /p p a href= https://www.cve.org/CVERecord?id=CVE-2026-4293 View CVE Details /a /p hr h4 Affected Products /h4 h5 Kieback amp; Peter DDC Building Controllers /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br Kieback amp; Peter /div div class= ics-version strong Product Version: /strong br Kieback amp; Peter DDC4002: lt;=1.12.14, Kieback amp; Peter DDC4100: lt;=1.12.14, Kieback amp; Peter DDC4200: lt;=1.12.14, Kieback amp; Peter DDC4200-L: lt;=1.12.14, Kieback amp; Peter DDC4400: lt;=1.12.14, Kieback amp; Peter DDC4002e: lt;=1.23.4, Kieback amp; Peter DDC4200e: lt;=1.23.4, Kieback amp; Peter DDC4400e: lt;=1.23.4, Kieback amp; Peter DDC4020e: lt;=1.23.4, Kieback amp; Peter DDC4040e: lt;=1.23.4, Kieback amp; Peter DDC520: lt;=1.24.1 /d

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-02.json strong View CSAF /strong /a /p h2 Summary /h2 p strong A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens is preparing fix versions and recommends countermeasures for products where fixes are not, or not yet available. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks' upstream security notifications. [1] https://security.paloaltonetworks.com/ /strong /p p The following versions of Siemens RUGGEDCOM APE1808 Devices are affected: /p ul li RUGGEDCOM APE1808 vers:all/* (CVE-2026-0300) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 10 /td td Siemens /td td Siemens RUGGEDCOM APE1808 Devices /td td Out-of-bounds Write /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Critical Manufacturing /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Germany /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2026-0300 /a /h3 div class= csaf-accordion-content p A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. /p p a href= https://www.cve.org/CVERecord?id=CVE-2026-0300 View CVE Details /a /p hr h4 Affected Products /h4 h5 Siemens RUGGEDCOM APE1808 Devices /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br Siemens /div div class= ics-version strong Product Version: /strong br RUGGEDCOM APE1808 /div div class= ics-status strong Product Status: /strong br known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Mitigation /strong br Disable Response Pages in the Interface Management Profile attached to every L3 interface in any zone where untrusted/internet traffic can ingress. Keep Response Pages enabled only on interfaces in trust/internal zones where legitimate users' browsers ingress /p p strong Mitigation /strong br Disable User-ID™ Authentication Portal if not required /p p strong Mitigation /strong br Restrict access to the User

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-01.json strong View CSAF /strong /a /p h2 Summary /h2 p strong An update is available that resolves vulnerability in the product versions listed as affected in this advisory. A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information. /strong /p p The following versions of ABB CoreSense HM and CoreSense M10 are affected: /p ul li CoreSense™ HM lt;=2.3.1, 2.3.4 (CVE-2025-3465) /li li CoreSense™ M10 lt;=1.4.1.12, 1.4.1.31 (CVE-2025-3465) /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 7.1 /td td ABB /td td ABB CoreSense HM and CoreSense M10 /td td Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Food and Agriculture, Commercial Facilities, Critical Manufacturing /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2025-3465 /a /h3 div class= csaf-accordion-content p A path traversal vulnerability in these products can allow unauthenticated users to gain access to restricted directories. Exploiting this vulnerability can lead to complete system compromise and exposure of sensitive information. /p p a href= https://www.cve.org/CVERecord?id=CVE-2025-3465 View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB CoreSense HM and CoreSense M10 /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br ABB /div div class= ics-version strong Product Version: /strong br CoreSense™ HM lt;=2.3.1, CoreSense™ M10 lt;=1.4.1.12 /div div class= ics-status strong Product Status: /strong br fixed, known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Vendor fix /strong br The vulnerabilities are corrected in the following version: CoreSense™ HM v2.3.4 amp; CoreSense™ M10 v1.4.1.31 ABB recommends that customers apply the update at the earliest convenience. /p /div p strong Relevant CWE: /strong a href= https://cwe.mitre.org/data/definitions/22.html CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') /a /p hr h4 Metrics /h4 div class= csaf-table csaf-metrics-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-table

p a href= https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-139-04.json strong View CSAF /strong /a /p h2 Summary /h2 p strong Successful exploitation of this vulnerability could result in information disclosure, including capture of camera account credentials. /strong /p p The following versions of ZKTeco CCTV Cameras are affected: /p ul li SSC335-GC2063-Face-0b77 Solution /li /ul div class= csaf-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS /th th role= columnheader Vendor /th th role= columnheader Equipment /th th role= columnheader Vulnerabilities /th /tr /thead tbody tr td v3 9.1 /td td ZKTeco /td td ZKTeco CCTV Cameras /td td Authentication Bypass Using an Alternate Path or Channel /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Commercial Facilities /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong China /li /ul hr h2 Vulnerabilities /h2 div class= csaf-accordion p a class= csaf-accordion-toggle-all href= # Expand All + /a /p div class= csaf-accordion-item h3 a class= csaf-accordion-toggle href= # CVE-2026-8598 /a /h3 div class= csaf-accordion-content p An undocumented configuration export port is accessible on some models of ZKTeco CCTV cameras. This port does not require authentication and exposes critical information about the camera such as open services and camera account credentials. /p p a href= https://www.cve.org/CVERecord?id=CVE-2026-8598 View CVE Details /a /p hr h4 Affected Products /h4 h5 ZKTeco CCTV Cameras /h5 div class= ics-vendor-version-status div class= ics-vendor strong Vendor: /strong br ZKTeco /div div class= ics-version strong Product Version: /strong br ZKTeco SSC335-GC2063-Face-0b77 Solution: lt;V5.0.1.2.20260421 /div div class= ics-status strong Product Status: /strong br known_affected /div /div div class= ics-remediations h6 Remediations /h6 p strong Mitigation /strong br ZKTeco has patched this vulnerability in firmware version V5.0.1.2.20260421. ZKTeco recommends that users upgrade to firmware version V5.0.1.2.20260421 or later at their earliest opportunity. /p p strong Mitigation /strong br Please see the security advisory from ZKTeco here: https://www.zkteco.com/en/announcement/23 for further information. br a href= https://www.zkteco.com/en/announcement/23 https://www.zkteco.com/en/announcement/23 /a /p /div p strong Relevant CWE: /strong a href= https://cwe.mitre.org/data/definitions/288.html CWE-288 Authentication Bypass Using an Alternate Path or Channel /a /p hr h4 Metrics /h4 div class= csaf-table csaf-metrics-table table class= tablesaw tablesaw-stack data-tablesaw-mode= stack data-tablesaw-minimap thead tr th role= columnheader data-tablesaw-priority= persist CVSS Version /th th role= columnheader Base Score /th th role= columnheader Base Severity /th

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a

Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. "These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,"

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Since the last update , the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI. Bottom line up front Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minutes, downloads above 500 million) and was the first documented npm malware shipping with valid SLSA Build Level 3 provenance, plus a 1-in-6 disk-wipe payload on Israeli and Iranian locale hosts. NHS England issued the campaign's first government alert; CISA stayed silent. Action: audit CI for the indicators below, stop trusting provenance alone, pin and lockfile-verify dependencies. How this developed The period opened quiet and derivative: the lead story was PCPJack , a rival worm that evicts TeamPCP before stealing credentials, alongside a single-researcher claim that a Checkmarx Jenkins plugin had been backdoored. Days later it turned loud: Checkmarx officially confirmed that exact Jenkins compromise, and a new Mini Shai-Hulud worm hit the npm and PyPI ecosystems hard. The through-line is escalation: an unconfirmed rumor became a confirmed incident, and the campaign moved from a quiet competitor-eviction story to a high-impact, signed-malware supply chain wave. What changed, by theme Checkmarx Jenkins plugin: an unconfirmed claim, then official confirmation Takeaway: a single-researcher claim, explicitly logged as unconfirmed at the time, was confirmed by Checkmarx four days later. On 2026-05-09, researcher Berk Albayrak reported on X that the Checkmarx Jenkins AST scanner plugin had been backdoored. No Tier 1 outlet, no vendor, and no Checkmarx statement corroborated it at the time, so it was carried as information-only pending confirmation. On 2026-05-11 Checkmarx published an official update acknowledging that a tampered plugin (version 2026.5.09) had been published to the Jenkins Marketplace, with an exposure window of 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC. The Register , BleepingComputer , SecurityWeek , and The Hacker News carried it the same day. This is the third TeamPCP compromise of Checkmarx in three months, and the malicious plugin was installed by several hundred Jenkins controllers. Last known-good build: 2.0.13-829.vc72453fa_1c16 (2025-12-17). Remediated builds (both 2026-05-09): 2.0.13-848.v76e89de8a_053 and 2.0.13-847.v08c0072b_2fd5. The Mini Shai-Hulud TanStack wave Takeaway: a self-spreading worm poisoned roughly 170 npm and PyPI packages, and the publishes came from TanStack's own trusted release pipeline. Starting 2026-05-11 at 19:20 UTC, the worm published 84 malicious artifacts across 42

Many employees already use shadow AI tools at work without security review. Adaptive Security breaks down how teams can build practical AI governance without adding friction for employees. [...]

INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these

What happens when a phishing email looks clean enough to pass through security, but dangerous enough to expose the business after one click? That is the gap many SOCs still struggle with: the attacks that leave teams unsure what was exposed, who else was targeted, and how far the risk has spread. Early phishing detection closes that gap. It helps teams move from uncertainty to evidence faster,

Supply chain attackers are not only trying to slip malicious code into trusted software. They are trying to steal the access that makes trusted software possible. Recently, three separate campaigns hit npm, PyPI, and Docker Hub in a 48-hour window, and all three targeted secrets from developer environments and CI/CD pipelines, including API keys, cloud credentials, SSH keys, and tokens. This is

Microsoft has finally brought back the resizable taskbar and Start menu to Windows 11 in the latest preview version rolling out to Insiders in the Experimental channel. [...]

A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. [...]