Security & IT News

Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to achieve remote code execution, privilege escalation, or information disclosure. The vulnerability, now tracked as CVE-2026-9082, carries a CVSS score of 6.5 out of 10.0, per CVE.org. Drupal said the vulnerability resides in a database abstraction API that is

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence (AI) agents. RAMPART, short for Risk Assessment and Measurement Platform for Agentic Red Teaming, functions as a Pytest-native safety and security testing framework for writing and running safety and security tests for AI agents, covering

In this article Why we are investing in this RAMPART: Continuous safety testing for agentic AI Clarity: Helping check software engineering assumptions RAMPART and Clarity available now The AI systems shipping inside enterprises today are fundamentally different from the ones we were building even two years ago, because they have moved well past answering questions and into accessing your email, retrieving records from your CRM, writing and executing code, and taking actions on your behalf across dozens of connected systems. That shift from “generate text” to “do things in the world” changes the safety equation entirely, because an agent that can act can also potentially act in ways nobody intended. Today Microsoft is open-sourcing two tools designed to help engineers: Microsoft RAMPART , an agent test framework for encoding adversarial and benign scenarios as repeatable tests that can run in CI, making it easy to turn red-team findings and AI incidents into lasting regression coverage; and Clarity , a structured sounding board that helps teams figure out whether they are building the right thing before they write a single line of code. We built these tools because we believe that AI safety has to become a continuous engineering discipline rather than a periodic checkpoint, and we think the best way to make that happen is to put practical, open tools in the hands of the people doing the building. Why we are investing in this Helping teams think through the “why,” before the “how” of software building: In the vibe coding era, execution is easy and the harder question is the “why.” The most expensive safety failures we see almost always trace back to design mistakes that nobody questioned early enough, long before any adversary got involved — say, when a product team decided their agent should have access to a tool, or handle a particular user flow, without fully working through what could go wrong. By the time a red team engagement surfaces the issue, the system is largely built, and addressing it means going back to the drawing board. We wanted to give product managers and engineers a way to pressure-test their assumptions at the start of a project, when changing course is cheap and the right conversation can save months of rework. Scaling the lessons of red teaming across the industry. The techniques that uncover vulnerabilities in one agentic product almost always shed light on another. A cross-prompt injection attack that works against one system will often work, with minor variations, against a customer service agent or a coding assistant. But those lessons tend to stay locked inside individual engagement reports. Our goal was to build a system where the lessons of red teaming exercises can be turned into runnable engineering assets. Making incidents reproducible and mitigations verifiable. If something goes wrong in production AI systems, the team responding needs to do two things quickly: replicate the incident

Identity checks alone can't stop attackers using stolen session tokens and compromised devices. Specops Software outlines why Zero Trust strategies increasingly depend on continuous device verification. [...]

Modern attack surfaces don’t sit still. Cloud expansion, SaaS sprawl, identity complexity, and shadow IT are continuously reshaping organizational risk. For security leaders, visibility isn’t the challenge anymore, but actually operationalizing that visibility is. Surface Command was built to unify asset and identity intelligence across your external attack surface. But translating that intelligence into executive-ready dashboards or operational reporting has often required knowledge of Cypher queries. Today, that changes: We’re introducing filter-based dashboard widgets in Surface Command, enabling teams to build meaningful attack surface management (ASM) dashboards in minutes, without writing a single query. And for CISOs focused on advancing continuous threat exposure management ( CTEM ), this is more than a usability enhancement. It’s an operational accelerator. From filters to dashboards, instantly Security teams already use saved asset and identity filters to answer critical questions: Which internet-facing assets are high risk? Where do privileged identities intersect with exploitable exposures? Which business units own unmanaged cloud infrastructure? What third-party SaaS applications expand our attack surface? Now, those same saved filters can be converted directly into live dashboard widgets. If your team can build a filter table, they can now build a dashboard. There’s no need to understand query syntax or rely on specialized expertise for common reporting needs. With just a few clicks, exposure views become shareable, persistent dashboards built on the same unified data model that powers Surface Command. Figure 1: Creating dashboard “widgets” in the Rapid7 Command Platform Reducing friction in exposure reporting For many organizations, the barrier to effective exposure management isn’t visibility, it’s friction. When dashboard creation requires query expertise, reporting slows down, operational teams depend on a small group of power users, executive visibility lags behind exposure reality, and CTEM initiatives stall under complexity. Filter-based widgets remove that bottleneck. Security teams can now spin up exposure dashboards in minutes, empower analysts and vulnerability teams to self-serve, deliver consistent reporting to leadership, and standardize exposure views across business units. This lowers the barrier to building and maintaining exposure intelligence across the organization, and that matters when “continuous” is the goal. A practical enabler for continuous threat exposure management (CTEM) Beyond a framework, CTEM is a discipline. One that treats exposure management as an ongoing cycle, not a point-in-time project. CTEM is commonly organized into five continuous steps: Scope – Define what you’re focusing on (systems, business services, exposure themes, time horizons). Discover – Identify the assets, identities, and exposures within scope. Prioritize – Determine what matters most based on risk and impact. Validate – Confir

p CISA has added seven new vulnerabilities to its a href= /known-exploited-vulnerabilities-catalog data-entity-type= node data-entity-uuid= 79453b83-86b9-4e2f-b1ec-abf73c6eb291 data-entity-substitution= canonical title= Known Exploited Vulnerabilities Catalog Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href= https://www.cve.org/CVERecord?id=CVE-2008-4250 target= _blank CVE-2008-4250 /a Microsoft Windows Buffer Overflow Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2009-1537 target= _blank CVE-2009-1537 /a Microsoft DirectX NULL Byte Overwrite Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2009-3459 target= _blank CVE-2009-3459 /a Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2010-0249 target= _blank CVE-2010-0249 /a Microsoft Internet Explorer Use-After-Free Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2010-0806 target= _blank CVE-2010-0806 /a Microsoft Internet Explorer Use-After-Free Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2026-41091 target= _blank CVE-2026-41091 /a Microsoft Defender Elevation of Privilege Vulnerability /li li a href= https://www.cve.org/CVERecord?id=CVE-2026-45498 target= _blank CVE-2026-45498 /a Microsoft Defender Denial of Service Vulnerability /li /ul p These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. /p p a href= https://www.cisa.gov/binding-operational-directive-22-01 Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href= https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href= /known-exploited-vulnerabilities-catalog data-entity-type= node data-entity-uuid= 79453b83-86b9-4e2f-b1ec-abf73c6eb291 data-entity-substitution= canonical title= Known Exploited Vulnerabilities Catalog KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href= /known-exploited-vulnerabilities data-entity-type= node data-entity-uuid= f2adba9a-0404-494c-a90c-4363a4a5c934 data-entity-substitution= canonical title= Reducing the Significant Risk of Known Exploited

New Industry Data Just Released Suggests Not. On May 19th, 2026, Orchid Security released the results of our Identity Gap: Snapshot 2026. Among the findings, "identity dark matter" (the unseen, unmanaged elements of identity) now overshadows the visible elements 57% vs. 43%. And it couldn't have occurred at a worse time, with enterprises embracing Agent AI with both arms (and unfortunately, as

PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. [...]

AI-generated lookalike domains are now embedded inside the third-party scripts running on your web properties. Here's why your current stack can't see them, and what detection actually requires. Download the CISO Expert Guide to Typosquatting in the AI Era → TL;DR Typosquatting is no longer a user problem. Attackers now embed lookalike domains inside legitimate third-party scripts.

Verizon DBIR finds 31% of data breaches began with software flaws last year

Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8. It has been described as a BitLocker security feature bypass. "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. [...]

Discord announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE). [...]

The FBI says Americans have lost over $388 million last year to scams using cryptocurrency kiosks, also known as crypto ATMs or Bitcoin ATMs. [...]

A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. [...]

Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud. "Users

Microsoft plans to raise the quality bar of Windows 11 drivers, as drivers "sit at the heart of every Windows experience" and connect the OS to the "silicon, components, and peripherals." [...]

Security teams are working in an environment where speed, scale, and complexity are all increasing at the same time. Across the Rapid7 2026 Global Cybersecurity Summit , the focus was not just on how the threat landscape is evolving, but on how teams are adapting their approach to keep up. The sessions brought together perspectives from across detection and response, exposure management, AI, and security operations, with a consistent emphasis on making better decisions earlier and with more confidence. How modern attacks are starting across identity, cloud, and social engineering Several sessions explored how initial access has shifted toward identity misuse, social engineering, and cloud misconfigurations. These entry points often blend into normal activity, making it harder for teams to distinguish between legitimate behavior and early-stage compromise. Understanding how attacks begin has become a critical part of detection strategy. Rather than relying on a single signal, teams need to recognize how activity develops across multiple systems and how seemingly low-risk events can connect into something more serious. What real incident response looks like inside modern MDR and SOC teams The sessions focused on MDR and the SOC provided a closer look at how incidents unfold in practice. Investigations rarely follow a clean path, and analysts are constantly making decisions with incomplete information while attackers continue to move. What stands out is how MDR extends the SOC beyond detection, combining continuous monitoring with human-led response to guide organizations through incidents as they happen. Alerts initiate the process, but outcomes depend on how teams interpret signals, prioritize actions, and manage tradeoffs under pressure across cloud, identity, and on-prem environments. This view highlights the operational reality behind incident response, where coordination and judgment shape the outcome as much as the technology itself. Why complexity is slowing security teams down Security environments continue to expand, bringing more tools, more data, and more potential points of failure. Across the summit, speakers highlighted how fragmented visibility and unclear ownership can make it difficult to maintain a consistent view of risk. The challenge is not eliminating complexity, but managing it in a way that allows teams to act effectively. Organizations that focus on clarity, ownership, and prioritization are better positioned to respond when signals start to converge. How exposure management is reshaping risk prioritization A recurring theme was the shift from vulnerability management toward exposure management. Vulnerability data provides insight into what exists, but it does not always reflect what creates meaningful risk. Exposure management adds context by connecting vulnerabilities to assets, identities, and business impact. This allows teams to focus on what is reachable and relevant, helping them prioritize based on real-world risk r