An attacker exploited a previously unknown and unpatched Cisco vulnerability earlier this year to infiltrate a communications service provider and gain the highest level of access possible, Mandiant said Wednesday.

Cisco has since patched the flaw, one of seven actively exploited zero-day vulnerabilities this year in its SD-WAN (software-defined wide area network) software used to manage internet traffic within organizations, typically those that are widely distributed, such as banks with numerous branches.

But Google-owned cybersecurity firm Mandiant said the attacker (or attackers) could have used its root-level access to obtain broad and undetected visibility into the internal traffic throughout the provider’s entire corporate network. In a caveat, Mandiant also said it could not fully assess how far the compromise actually went because of how cleverly the perpetrators hid their activity.

The attack illustrated hackers’ ongoing targeting of edge devices, Mandiant said. Attacks on such devices have been very common and involved in some of the most consequential breaches in recent years, prompting the Cybersecurity and Infrastructure Agency to direct federal agencies to give them special attention this year.

“This campaign underscores the living off the edge paradigm, where threat actors prioritize the compromise of network appliances to bypass traditional security perimeters,” Mandiant wrote in a blog post. “As organizations increasingly adopt software-defined networking, the orchestrators managing these environments become primary targets. These devices offer a black box environment for threat actors: they often lack the telemetry required for deep forensic analysis, and their role as a central control plane provides a stealthy platform for persistent, wide-scale access to internal enterprise traffic.”

Mandiant didn’t attribute the attack to any specific group, citing the work the attacker did to cover their tracks and delete evidence. But it noted that “for state-sponsored actors, the ability to exploit zero-day vulnerabilities in these platforms remains a premier vector for long-term strategic intelligence collection.”

Kelli Vanderlee, senior manager for Google Threat Intelligence Group, told CyberScoop that “exploiting zero day vulnerabilities in edge devices and the extensive anti-forensic activities are consistent with previously documented cyber espionage threat actor behavior.”

The company also didn’t name the victim service provider.

The attacks on the service provider came in two waves. The first activity Mandiant observed from late 2025 to early 2026 exploited one of two then-unpatched vulnerabilities (CVE-2026-20127 or CVE-2026-20182), with the attacker making unauthorized “peering” connections to the victim’s SD-WAN Manager devices in a kind of digital handshake to verify identity and trust.

Once there, the attacker facilitated its access and used it to manipulate default account passwords in hopes of avoiding detection. Next, the attacker exploited the zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager, activity Mandiant observed in March, and created a rogue user account, “troot” that gave full root-level control.

“On June 4, 2026, Cisco published a security advisory about a privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager,” a Cisco spokesperson said. “Cisco strongly recommends customers upgrade to a fixed software release as outlined in the advisory.”

Updated 6/24/26: to include Cisco comment.

The post Malicious hackers exploit Cisco zero-day for highest access level at communications service provider appeared first on CyberScoop.

Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.

Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment. 

VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and CVE-2026-39813, a path-traversal vulnerability, on June 15. 

Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.

Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said. 

Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria. 

“The spread and the share proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.

Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.

The exploits, which multiple research firms have observed in honeypots, mark the early stages of another potential wave of attacks targeting Fortinet customers.

The Cybersecurity and Infrastructure Security Agency has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021. As of Wednesday, the agency hasn’t added any of the new Fortinet defects to its catalog.

Researchers warn that the vulnerabilities affect a significant device in enterprise security architecture. 

“Sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment,” Chris Doyle, head of security and compliance at JupiterOne, said in an email. 

Kohonen added: “FortiSandbox is high-value because it ingests from and connects to other Fortinet devices.”

The post Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April appeared first on CyberScoop.

While Washington D.C. frets over the potential impact of Anthropic’s Claude Fable 5, security researchers continue to track how the integration of frontier AI tools are transforming the digital security landscape for malicious hackers and defenders alike.

The breakneck speed of model releases may be creating short, silent security gaps for developers who must choose between performance and security, according to a new report.

Researchers at Backslash Security pored through update logs for Claude Code, Anthropic’s flagship coding model, finding the company was patching dozens of newly discovered security vulnerabilities in the program between April and early June 2026.

The logs revealed the details of more than 30 security relevant patches implemented over that timeframe, but Anthropic did not publicize them. Instead, Backslash Security researchers found them by reviewing update logs for every new version of a Claude Code release in the last two months, noted the security-relevant fixes and traced each one back to the version and date it shipped.

The patches included fixes for data poisoning, prompt injection and arbitrary code execution vulnerabilities. One bypassed core safeguards put in place to prevent Claude Code from accepting catastrophic deletions commands, such as erasing an entire codebase, by adding a single backslash to the command. Another leaked user OAuth credentials, while a third allowed an AI agent to plant a backdoor in shell startup files.

There is nothing inherently odd about this: most companies regularly update and patch their software  and anyone who had auto-updates turned on would automatically be switched to the newest, secure version of Claude Code.

But Yossi Pik, co-founder and chief technology officer at Backslash Security, told CyberScoop that the research concluded “the way AI agents are released is different than previous software.”

“We debated internally, because when I originally said I wanted to write about this, I was told ‘Okay, every company has the [same] issue, then they patch and fix,” he said. “This is the nature of software, but I think that what makes this unique is the cadence and frequency of the releases.”

AI companies keep a ferocious pace when updating their models. Claude Code’s changelog indicates there have been 16 different versions through the first half of June, while OpenAI’s Codex was updated 6 times.

Because model updates often bring short-term performance and stability issues, software developers typically wait a week or more before upgrading to a new version.

These time gaps create small windows of vulnerability and force developers to choose between security and performance. The report identifies several reasons why developers don’t automatically update their AI models, including companies that may rely on internal vetting or release schedules, operate in regulated or air-gapped environments where model versions are frozen, and the need to maintain long-running sessions or use manual installations.

Pik said some IT and security teams have also told him they prefer not to install any new version of an AI model without letting it run on other environments first.

“You don’t have that much flexibility, either I go to the latest and I’m getting a less stable version [of the model] or I’m waiting for a few days or a week until I can install it, and hope that nothing would happen during this time,” said Pik.

The Backslash report is not intended as a dig at the security rigor of Anthropic, noting the company tends to “patch fast and document more than anyone” and has addressed every issue and vulnerability identified in the report.

Rather, it’s to highlight the series of mostly silent and persistent security exposures that an organization faces when adopting AI into their workflow.

Other software programs and technology products face similar tradeoffs through different updates, but most of the vulnerabilities detailed in the change log – such as getting an agent to leak data or accept malicious prompts – are unique to large language models and AI systems.

That means integrating AI tools can bring new security problems to an organization, both from outsiders who can poison or influence the model and insiders who can maliciously or accidentally direct the model to access or leak systems, data and identities.

For most Claude Code users, this process runs automatically in the background. Yet Yik points out that just as AI is transforming work itself,  it’s also changing how we need to approach software security and updates.

“It should not be compared to [Microsoft] Office that is installed and gets patched once in a while,” he said. “It’s a completely different beast that keeps evolving, and we don’t want to limit it…I think that it’s great for everyone. We just need to make sure that we do it in a secure way, and every organization should understand what that means for them.”

The post AI’s constant patching treadmill can be a security problem appeared first on CyberScoop.

Google threat hunters spotted yet another Chinese state-sponsored espionage group that for years had burrowed into systems belonging to government and private organizations to steal data across academia, medicine, military, cybersecurity and foreign policy. 

Google Threat Intelligence Group discovered the previously unknown threat group UNC6508, which targeted organizations in the United States and Canada, in late 2025 but traced its earliest known compromise back to September 2023. 

The revelation mirrors an alarming pattern of Chinese espionage groups dropping backdoors into critical infrastructure to pre-position for potential sabotage, intercept research and steal data with national security implications. These groups working at the behest of China’s government, including UNC6508, operated in stealth for years before authorities or researchers discovered their activity.

“We don’t know the full extent or impact of the campaign,” Patrick Whitsell, senior security engineer at GTIG, told CyberScoop. Researchers said the threat group intruded a medical research university in September 2023, stole credentials and communications, and remained active on the institution’s systems through November 2025 when it was discovered.

Google said it confirmed multiple victims compromised with INFINITERED, a custom backdoor the threat group deployed on targeted networks to steal administrative credentials after it exploited externally facing REDCap (Research Electronic Data Capture) servers.

Researchers still don’t know how UNC6508 gained initial access to the REDCap servers. Google said the survey and database software, which was created at Vanderbilt University and issued multiple patches for critical remote-code execution vulnerabilities throughout 2023, is widely used across the medical research community. 

“Given the breadth of the threat actor’s intelligence collection criteria and their ability to remain undetected within compromised networks for more than a year, we assess the known victims likely represent only a fraction of a larger campaign,” Whitsell said. “We also assess that this highly capable threat actor will remain active and continue to be a threat to the defense, technology and medical industries for the foreseeable future.”

Google said the campaign targeted clinical providers, academic medical centers and U.S. military health institutions, demonstrating advanced capabilities from a threat group that doesn’t currently overlap with any other publicly known groups.

The threat group abused domain compliance rules to steal data, a technique that doesn’t rely on malware or living-off-the-land tools, and routed traffic through U.S.-based IPs to blend in with legitimate traffic, researchers said.

“We have some evidence to suggest this is a large threat group with multiple sub-teams, but this is not confirmed,” Whitsell said.

Like other previously identified China state-sponsored espionage groups, UNC6508 remains active.

Google said it disrupted some of UNC6508’s known infrastructure by disabling an Gmail account it used to exfiltrate data, notified the affected organizations and helped remediate compromises before it published research on UNC6508’s activities.

Whitsell said several unconfirmed instances of compromise remain under investigation.

The post Google exposes China espionage group that’s been lurking in networks undetected since 2023 appeared first on CyberScoop.

Last Friday, the Trump administration sent a shock through the tech ecosystem when the Department of Commerce levied export controls on Anthropic’s new AI model Fable 5.

Anthropic has taken steps to limit the risks around the commercial sale of its Mythos model, including declining to release it publicly, funneling it to organizations for cyber defense and developing guardrails for Fable 5 that would default its answers to older, less powerful models around sensitive topics like cybersecurity and biological warfare.

But the Trump administration was reportedly alarmed by recent reports from Amazon and another cybersecurity researcher claiming to have jailbroken Fable 5 within days of its public release, and determined that if researchers in the U.S. could jailbreak the model, so could America’s foreign adversaries.

The Commerce Department’s decision spurred Anthropic to shut off the models for all users as they attempted to convince the White House to change course.

But some cybersecurity and AI experts have sharply disagreed with the White House’s actions, saying the research has not demonstrated that anyone has been able to circumvent Fable 5’s safeguards and access the kind of dangerous new capabilities that have worried officials.

Katie Moussouris, a well-known cybersecurity expert, said Monday that Anthropic provided her with a copy of third-party research on guardrail bypass techniques for Fable 5.

According to Moussouris, the researchers asked three Claude models – Fable 5, Mythos and Claude Opus – to review batches of known, vulnerable open source code for security issues. Fable 5 initially refused the request, but the researchers were able to use “a multistep and manual process” to get Fable 5 to turn the output into automated scripts that could test patches for the vulnerability.

Third-party research since Fable 5’s release has not found ways to bypass its safeguards around hacking. The capabilities researchers have demonstrated are foundational to what makes Fable 5 and other frontier models valuable for cybersecurity defense.

“Defenders need to be able to ask AI to fix the bugs in a file, explain why the fix matters, and write tests that confirm the patch works,” she wrote. “That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day.”

Moussouris previously provided technical expertise to the Waasenaar Agreement, a voluntary multilateral security agreement around controlling exports for both munitions and dual use technology that includes the U.S. and dozens of other countries.  Based on the research she’s seen, she called placing export restrictions on all foreign sales of Fable 5 “heavy handed” and “misguided.”

Some lawmakers who in favor of higher regulations and scrutiny on the national security implications of AI were nevertheless critical of the White House decision. Senator Mark Warner, D-Va., told CyberScoop in a statement that while “there may be circumstances where restrictions on the export of frontier AI models are warranted,” those decisions must be “grounded in a transparent, risk-based process with clear rules and consistent standards.”

The Trump administration’s approach, he argued, has been the opposite, and he called for Congress to pass a statutory framework for testing and approving frontier AI models based on transparency, predictability and fairness.

“This administration has repeatedly shown a willingness to weaken export controls designed to protect our national security and maintain our technological edge over adversaries, while also making no secret of its hostility toward Anthropic,” said Warner. “That raises serious questions about whether this effort is being driven by objective national security concerns or something else.”

Anthropic said it subjected Fable 5 to 1,000 hours of testing from internal and external red team, reporting that no universal jailbreaks were found that would remove those guardrails or allow the model to access Mythos for cyber and biology work.

Moussouris is far from alone. She is one of dozens of cybersecurity experts who signed an open letter Monday calling on the Trump administration to “Free Fable.”    

The researchers say that while Mythos-class models are “quite good” at identifying and exploiting vulnerabilities in software code, they “are not uniquely good” compared to other frontier models they use every day for cybersecurity defense.

For example, despite OpenAI’s Daybreak model offering similar vulnerability discovery and patching capabilities. It was not included in the Commerce Department’s restrictions.

The researchers also note that Fable 5’s guardrails have been notoriously oversensitive compared to other frontier models used by red teamers, becoming “a source of humor in the cyber community on launch day” as IT and cyber workers reported online that they couldn’t get the model to perform basic defensive cybersecurity tasks.

The letter questions whether the issues found in the jailbreaking reports would even qualify as offensive capabilities, and note they can be reproduced in other commercial and open-source models, including GPT 5.5, Claude Opus, Claude Sonnet and Chinese models like Kimi 2.7.

“The justification for this unprecedented action was that Fable provides a unique ‘uplift’ of capabilities beyond other AI models, but AI has been finding bugs and generating working exploits at superhuman levels since last year,” they wrote.

The White House decision comes as AI companies face increasing backlash from a public that is now overwhelming calling for more robust government intervention.

A Johns Hopkins University poll in May found broad, bipartisan support for AI regulations, with 73% calling for bans on AI-generated images and video, 68% calling for labels on AI content, 75% wanting disclosure laws around when they interact with AI chatbots and 70% calling for “the right to interact with a human rather than an AI in medical, legal, educational and government settings.”

Another global survey of 18,000 people released this week found that the top four concerns most people have around AI all revolve around the tool’s ability to spread misinformation, create deepfakes to embarrass or hurt others, making it easier for criminals to hack into victim networks and helping terrorists create new weapons.

Senior reporter Tim Starks contributed reporting for this story.

The post Cybersecurity experts don’t think Anthropic’s Fable 5 presents a unique threat  appeared first on CyberScoop.

Researchers are warning that cybercriminals exploited an Oracle PeopleSoft zero-day vulnerability and potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.

Mandiant and Google Threat Intelligence Group said it became aware of the attacks earlier this month as part of its ongoing monitoring of ShinyHunters operations. The notorious cybercrime group claims it hacked more than 100 organizations and started naming victims and publishing allegedly stolen data Tuesday.

University of Nottingham, one of ShinyHunters’ alleged victims, on Wednesday confirmed a significant amount of student data was stolen during a cyberattack after the threat group leaked some of the school’s data.

The attacks date back to at least May 27, according to Mandiant, and involve the exploitation of CVE-2026-35273, a defect in Oracle PeopleSoft PeopleTools that allows unauthenticated attackers to execute remote code and takeover affected servers.

Oracle disclosed the vulnerability and recommended some steps for mitigation Wednesday, weeks after the attacks were already underway. The vendor hasn’t released a patch to address the defect and did not respond to a request for comment.

Google said it alerted more than 100 organizations of potentially vulnerable endpoints in their environments, but it declined to confirm how many victims are compromised. 

“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today,” Charles Carmakal, chief technology officer at Mandiant Consulting, told CyberScoop Thursday evening. He added that more victims, beyond Google’s visibility, may be impacted.

Most of the potential victim pool is based in the United States and 68% are in the higher education sector, according to Google.

“We have previously observed ShinyHunters target the education sector this year, however it’s possible this targeting is representative of the majority of exposed PeopleSoft instances belonging to the sector,” Carmakal said. 

Oracle PeopleSoft PeopleTools includes more than 40 tools for human resources and customer relationship management.

The attacks come less than a year after the Clop ransomware group exploited a zero-day in Oracle E-Business Suite that affected dozens of victims. The data theft extortion campaign that followed those attacks, which began in August, didn’t get underway until October.

The post ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw appeared first on CyberScoop.

Microsoft reopened some wounds and has reignited debate over the past couple weeks about vulnerability disclosure and the sometimes adversarial dynamic it creates between security researchers and vendors. 

The latest controversy ensued when Microsoft threatened criminal legal action against a security researcher who publicly disclosed a series of zero-day vulnerabilities with proof-of-concept exploits. Microsoft insisted it received no details about the vulnerabilities prior to release, adding that the defects were not responsibly disclosed and put its customers at unnecessary risk.

The public dispute between Microsoft and the researcher known as “Nightmare Eclipse,” who couldn’t be identified or reached for comment, sparked dismay among some security professionals. Microsoft’s forceful response and the resulting backlash revived a friction point between vendors and researchers who find and report flaws in the software they sell.

“The fight is being argued as coordinated disclosure, but the grievance underneath is personal and specific in a way disclosure shouldn’t be, especially with a vendor that has been at it for so long,” Katie Moussouris, founder and CEO at Luta Security, told CyberScoop.

“Microsoft seemed to get emotional and shouldn’t have publicly said anything, but somehow felt justified in calling out a researcher and involved law enforcement in the same breath,” she said. “That puts them right back in the first stages of vulnerability disclosure grief: denial and anger.”

The former longtime Microsoft employee who ran outreach with the security community, created the company’s first bounty program and has given conference talks on the subject as far back as 2013, said the company doubled down on its lack of responsibility in the whole saga.

Microsoft declined to answer questions in the wake of the fallout.

Nightmare Eclipse hinted at a breakdown and impending battle with the vendor in a series of blog posts leading up to Microsoft’s missive about the vulnerabilities RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma.

Attackers exploited three of the six vulnerabilities Nightmare Eclipse released before they were patched by Microsoft.

The researcher claimed Microsoft refused to communicate, didn’t pay or credit them for discovering and reporting some of the vulnerabilities, deleted the Microsoft Security Response Center account they used to disclose vulnerabilities and flagged their GitHub account for removal. 

“You are proving to everyone that you are actively escalating this conflict,” they wrote, before threatening Microsoft with a release in mid-July that “will make sure your bones are shattered that day.”

Vulnerability disclosure is a two-way street

The characteristics of proper vulnerability disclosure processes are nuanced and often framed in the eyes of the beholder.

Any successful dance between bug hunters and vendors comes down to meeting each other halfway, said Andrew Morris, founder and chief architect of GreyNoise. 

While vendors must fix software defects and prioritize security, Morris noted that irresponsible vulnerability disclosure harms both incident responders and potential victims. 

“Personally, I feel like this researcher is being extremely petty. It seems like they have an ax to grind,” he said.

“You’re not allowed to give somebody something and say it’s out of the kindness of your heart, and then be pissed when they don’t pay you for it.” 

But Morris also made clear that vendors bear responsibility for building trust with researchers.  

“If you actually care about being the first one to know about bugs in your software, not learning about it once harm has happened, or once somebody’s gotten popped, then you want to cultivate that trust with the security community,” Morris said. 

Microsoft said it recognizes that the relationship between security researchers and vendors is critical and, at times, fragile. 

“We deeply value the security community, and will continue to take your feedback seriously,” the company said in its post on X. 

Yet, the company remains steadfast in opposing the circumstances of Nightmare Eclipse’s disclosures, describing their actions as illegal, unjustifiable and irresponsible. 

“When an individual breaks the law and engages in malicious activity causing real harm to our customers, we will work with law enforcement as appropriate,” Microsoft said without naming the researcher by their moniker. “We continue to believe strongly in coordinated vulnerability disclosure as the foundation for protecting customers and improving our products. We know that, given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions.”

The cost of pushback

Security researchers seek out defects for various reasons: bounty payouts, recognition, industry credibility, or simply the thrill of the hunt that comes with finding vulnerabilities and getting them fixed.

At its best, this process happens behind the scenes, with patches released and customers warned before exploitation occurs.

This collaborative approach has taken root and improved considerably, but there are still cases where researchers feel slighted. 

“The public has no idea what went on behind the scenes to judge why a researcher that previously coordinated finally had enough and decided to drop a zero-day [vulnerability],” Moussouris said. As such, she’s less inclined to criticize Nightmare Eclipse’s actions, adding that “they come off as someone who needs help.” 

Yet, trust breaks down between vulnerability researchers and vendors often. Earlier this week, security researcher Ammar Askar claimed his last interaction with Microsoft’s security team was so poor that he decided to publicly disclose any bugs he finds in VS Code going forward. He made good on that threat by dropping a vulnerability and exploit code for a defect that allows attackers to steal GitHub tokens. 

While actions like this can sabotage trust and drive a wedge between vendors and vulnerability researchers, recourse to a large extent is limited. Moussouris said most of the time, the legal and ethical boundaries are clear to those involved. Researchers can report bugs, withhold them, sell them, or publish them. “The one red line is crime: using a flaw to extort or attack people,” Moussouris said. 

“Threatening to publish on a set date is a threat to disclose, and disclosure is lawful. You can find the tone ugly. [Nightmare Eclipse] still broke no rule and violated no duty.” 

The timing couldn’t be worse 

Both sides are partly responsible for what happened, but Microsoft made things worse, Morris said. Threatening legal action and taking an aggressive approach have never worked. Building a good relationship between researchers and vendors requires open communication and trust. 

“I thought we were past this. It turns out that we are not,” he said. 

The Nightmare Eclipse incident comes at a fraught time in this space. Vendors and their customers are confronting a deluge of more vulnerabilities, and the rise of artificial intelligence models that discover them is exacerbating this challenge, leaving security experts alarmed about what’s coming.

The prospects for where vulnerabilities will be discovered and exploited next, and to what impact, are unknown and wildly unsettling. 

These signals imply that the classic, CVE-based system with responsibly disclosed processes is probably broken, Morris said. “There’s just so many CVEs. It’s like, is this even working anymore?”

For now and despite all its faults, coordinated vulnerability disclosure programs are widely viewed as the most sensible and scalable approach to this dilemma.

“Coordinated disclosure is what happens when a vendor gets lucky. Someone they did not hire hands them a real bug instead of using it or selling it. That puts the whole burden of keeping coordination alive on the vendor,” Moussouris said. “Silent patching with no CVE and calling out researchers who don’t follow your timeline for disclosure squanders the vendor’s luck.”  

She stressed the stakes: “I hope Microsoft and all vendors learn that coordinated vulnerability disclosure is a gift and a grace from the security researcher community to them, and public disclosure is still better than non-disclosure or crime.”

The alternatives to a deteriorating relationship could wreak havoc and leave every vendor and customer more susceptible to attack. 

“If vendors unlearn how to receive free intellectual property and labor from the security community in the form of vulnerability reports with gratitude, we’re headed for a world where nobody bothers to give vendors any heads up, or they move to a timed disclosure model that gives no grace,” Moussouris said.

She concluded with a direct message: “Product vendors wrote the vulnerable code, own the risk, and they owe it to their users to do everything in their power to reduce that risk.” That includes “keeping their grievances to themselves and learning from introspection on coordinated vulnerability disclosure gone wrong.”

The post Nightmare Eclipse incident shows the researcher-vendor fights may never fully go away appeared first on CyberScoop.

Government agencies, cybersecurity companies and threat researchers are pouring resources into studying how fast-developing AI tools can be wielded by malicious actors to hack into victim organizations.

But as agentic AI becomes more embedded in business infrastructure, there’s also a high possibility that a breach could be caused by an insider guiding the tool, whether maliciously or due to lack of security controls.

In research shared exclusively with CyberScoop, DTEX researchers detail how a common workflow in Anthropic’s Claude Cowork used in corporate environments offers convenience for AI agent deployment but grants near-total access to the system.

Claude Cowork includes tools that let users remotely control their agents. One particular tool, known as Dispatch, relays commands from a user’s phone to their desktop Claude agent. It also includes a plugin for communicating with Salesforce AI agents that access and transfer data.

DTEX researchers tested two scenarios. The first prompted Claude to summarize information from Salesforce and paste it into a draft Outlook email. The second tasked the agent with archiving selected files and transferring them via the Cowork app.

In both cases, researchers used simple, single-turn prompts and spent between 10-30 minutes preparing to exfil  the data.

Alex Desmond, director of insider threat intelligence and innovation at DTEX, told CyberScoop that both improvements in frontier models and deeper integration of AI tools into IT network operations have reduced the time defenders have to react to a breach.

“In cyberattacks, you talk about the kind of execution time of adversaries coming in and dropping ransomware, we’re now seeing the kill chain drop to 30 and 10 minutes depending on what they’re doing,” Desmond said. “Six months ago, that was a couple of hours.”

But that speed, when paired with direct access to business networks or cloud services, can also create an insider threat nightmare for organizations that must monitor for both malicious actors and potential mistakes from legitimate employees using the technology.

Over the past few years, western IT and cybersecurity businesses have been inundated with job applicants secretly working on behalf of the North Korean government. Their salaries are used to evade international sanctions and fund Pyongyang’s nuclear program, but it also positions the individuals to access or steal sensitive data or assets from these companies. 

“You’ve got a nation-state actor getting into an environment legitimately,” Desmond said. “Now if you gave them access to AI tools on top of that…you’re like ‘here’s the keys to everything and here’s this awesome tool that’s just going to make your job – stealing our data – easier.’”

Tests by DTEX confirmed that the agents indeed had access to sensitive systems, applications and data – including the ability to download SharePoint corporate data, production documentation in OneDrive, access to Outlook email, Salesforce data (and all the data it can access), and any other files on the user’s endpoint device. For each of these applications, Claude Cowork has a dedicated plugin or API to share externally if prompted.  

To be clear, DTEX’s research does not involve exploiting a software bug or configuration vulnerability, and it doesn’t come with a CVE. It’s more of an IT governance and visibility problem. Businesses are racing to integrate AI tools into their workflow and pushing employees to use the technology while failing to put in place the kind of security controls, access policies and monitoring required to spot problems.

For instance, it may not be possible to determine how a data breach or leakage involving an AI agent actually occurred if an organization is not logging and auditing its prompts – or whether the incident was the result of an agent running amok or responding to potentially malicious instructions.

While network and cloud monitoring can identify when data is being accessed or downloaded from SharePoint, that may not be a strong enough signal to stand out for defenders.

“If a user’s normal workflow is to pull sensitive files down to work locally all the time, you don’t have endpoint monitoring and you introduce an AI agent, it then just has access to all that data” along with the ability to exfiltrate it,” Desmond said.

The post Your AI agent could become your biggest insider threat  appeared first on CyberScoop.

Researchers and threat hunters are scrambling to respond to an actively exploited authentication-bypass vulnerability affecting Palo Alto Networks customers’ firewalls. 

The company initially tagged CVE-2026-0257 with a medium-severity rating when it disclosed the defect May 13, but quickly reassessed it as critical after Rapid7 observed and confirmed active exploitation in the wild. The Cybersecurity and Infrastructure Security Agency followed suit, and added the vulnerability to its known exploited vulnerabilities catalog Friday.

The escalated threat posed by the defect, which allows remote attackers to bypass security restrictions and establish a VPN connection to an affected firewall, showcases how quickly a seemingly mild vulnerability can turn into an urgent warning. 

“Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied,” a company spokesperson said in a statement. The company on Friday urged all customers to immediately apply the patch or follow its recommended steps for mitigation. 

The vendor and Rapid7, which first observed exploitation May 17 in a customer environment, declined to say how many organizations are impacted thus far. Yet, Douglas McKee, director of vulnerability intelligence at Rapid7, warned: “We’ve continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity” on May 21. 

Jake Knott, security researcher at watchTowr, told CyberScoop the vulnerability and resulting exploits follows a recurring trend wherein attackers target exposed network edge devices and rapidly identify, develop and weaponize exploits for initial access. 

“This is yet another authentication bypass on a device whose sole job is to guard the front door to an organization’s network,” he said. “What stands out is how simple it is — an attacker can forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate. The entire exploit is a single HTTP request.”

The vulnerability has a few requisites that limit exposure, specifically posing risk to some Palo Alto Networks customers running GlobalProtect portal or gateway configured to enable authentication override cookies. 

“The cookie encryption and decryption certificate must be reused with another feature, which potentially exposes the public key for that certificate,” said Caitlin Condon, vice president of security research at VulnCheck.

“It’s difficult to say how many deployments meet those criteria for exploitability, but Palo Alto Networks firewalls have a very large footprint, which means even uncommon configurations can present significant attack surface area,” she added.

Rapid7 said the same attacker or group is likely responsible for both waves of exploitation last month, but in many cases attackers are not establishing a full VPN connection or moving to other parts of the impacted network. 

The attackers are “highly opportunistic and clearly monitor the security research community,” McKee said. “Attackers are purposefully weaponizing medium-severity vulnerabilities, which are typically lower priority or blind spots for organizations.”

Multiple threat clusters are swarming to the opportunity and quickly adapting to published research.  Researchers have not attributed the malicious activity to any specific threat groups. 

“Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage,” McKee said. 

Palo Alto Networks said it discovered the vulnerability internally through its use of frontier AI tools. Yet, within days of its public disclosure, initial assessments were proven inadequate.

“This is a pattern we continue to see — the urgency only arrives after exploitation is underway,” Knott said. “Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late.”

The post Attackers are exploiting Palo Alto Networks defect that initially flew under the radar appeared first on CyberScoop.

Security researchers chained together five separate weaknesses in the popular workflow automation service Zapier that, if first discovered by a malicious actor, could have granted access to millions of user accounts and the systems those accounts connect to.

The flaws, disclosed by security firm Token Security, did not require malware or insider access. The only prerequisite, according to the company’s report, was a free Zapier account. From there, researchers chained together weaknesses that, if taken individually, would have looked routine, but together opened a path to one of the most widely used services of the modern internet.

Zapier’s software can be configured to move data between email, customer-relationship tools, payment processors, calendars, code repositories and thousands of other applications. The company says it supports more than 8,000 third-party integrations and has millions of users, which means breaking into Zapier could escalate into a wide-ranging supply-chain attack.

The researchers said an attempted attack would start by exploiting a weakness in how users write small pieces of code as part of their automations. Once that feature was isolated, researchers recovered login credentials the service had tried to discard. Those credentials, in turn, exposed an internal storage system holding more than 1,100 of Zapier’s private software images, one of which contained a publishing key for a piece of code that runs inside every logged-in Zapier user’s browser.

According to the report, if an attacker updated that code, they could have acted as a legitimate user inside the platform, creating new automations, altering existing ones, and tapping into connections the user had already approved to outside services. From there, they could instruct the platform to send emails, move files, pull records from customer databases, or post messages, all from accounts that appeared entirely legitimate.

The researchers stressed that a possible attacker could not have obtained passwords or login keys for those connected services, as those remain on Zapier’s servers. But because the actions would have been carried out through Zapier itself, they would have looked, to any outside system, like the user’s own.

A separate finding, uncovered during the same research, illustrated how immediate that risk can be. The researchers said they discovered a working key tied to the personal account of the chief technology officer of an outside artificial-intelligence company whose software Zapier used internally. Using that key, they were able to send an email from the executive’s own Gmail account to a mailbox they controlled.

Token Security told Zapier the capability existed but did not exploit it. The researchers confirmed they had the access needed to push a malicious update into code running inside every signed-in Zapier user’s browser, and instead reported the findings in February under the company’s bug-bounty program. 

Researchers said that Zapier triaged the issues within four days, remediated within three weeks, and worked with the company to allow disclosure. The company paid the program’s maximum bounty of $3,000 and says it has no evidence the weaknesses were exploited before they were patched.

“Worth saying out loud in a culture that often punishes disclosure programs for slowness,” Token’s blog post reads.  

Zapier did not respond to CyberScoop’s request for comment. 

The episode lands at a moment when automation platforms and artificial-intelligence tools are increasingly being granted the standing authority to act on behalf of users across dozens of services at once. Token Security’s researchers argued that the weaknesses they found were not unique to Zapier. Each link in the chain, they said, was a well-documented kind of mistake. The vulnerability was the chain itself, and the same pattern, they warned, almost certainly exists at other companies that have not yet looked.

Zapier says the issues have been fixed and no further action is required. But the researchers suggested organizations with heightened sensitivity review their automation logs for anything they did not create, and consider reauthorizing Zapier connections to particularly sensitive systems.

You can read the full research report on Token Security’s website. 

The post Zapier fixes bug chain that researchers say risked widespread account takeover appeared first on CyberScoop.

Apple has released quantum-resistant cryptographic code and the mathematical verification tools it developed to prove the code’s correctness, making them publicly available for independent review and broader use across the industry.

The release includes implementations of two quantum-secure algorithms, ML-KEM and ML-DSA, along with the formal verification libraries and tools Apple created to validate their accuracy. The company also published detailed documentation of its verification methodology, which it describes as achieving the strongest known correctness results for any widely deployed production implementation of these algorithms.

The quantum-secure algorithms are integrated into corecrypto, Apple’s cryptographic library used across its operating systems. The library handles encryption, decryption, hashing, and digital signatures on over 2.5 billion active devices. Apple began deploying quantum-resistant encryption in iMessage in 2024 and has expanded the technology to VPN services and TLS networking protocols.

One of the tools released is the company’s Cryptol-to-Isabelle translator, which converts cryptographic models between formal languages, along with supporting libraries needed to reproduce the results. Formal verification uses mathematical proofs to show that code works correctly for all possible inputs. Apple translated its code into Cryptol, a formal language developed by Galois, then into Isabelle, a proof assistant from the University of Cambridge and The Technical University of Munich, to prove both matched the official standards. Apple has used Isabelle previously to verify hardware cryptographic components.

The verification process uncovered errors that conventional testing would have missed. Researchers found a missing computational step in the ML-DSA code that would have silently broken digital signatures. If this bug had reached production, messages in iMessage may have appeared authenticated when they actually weren’t, leaving users unaware their communications lacked proper security.

Even with these tools, Apple acknowledged that it still depends on conventional cryptographic testing and evaluation is needed for assurance. Formal verification can catch errors that traditional testing simply cannot find. Testing works by trying many scenarios, but with complex cryptographic code, there are too many possible inputs to test exhaustively. Subtle bugs can hide in the gaps between test cases and never trigger a warning. Formal verification, by contrast, uses mathematics to prove correctness across all possible inputs at once.

However, Apple’s team writes that it couldn’t formally verify every single aspect of their code with the tools available, so they combined approaches: formal verification for core mathematical correctness, conventional testing for aspects formal methods couldn’t cover, and careful evaluation of how all the pieces work together. Apple argues this hybrid approach provides the most robust security for critical cryptographic software.

“Based on our work to date, we believe that the strongest assurance possible comes from combining formal verification with conventional methods and critically evaluating the end-to-end results,” the blog post reads.

Furthermore, the blog states that Apple selected ML-KEM and ML-DSA from among several standardized quantum-resistant algorithms because they best matched the company’s requirements for security, performance, and compact parameters. The algorithms address the threat posed by future quantum computers, which could potentially break the encryption methods currently protecting digital communications.

More information can be found on Apple’s corecrypto GitHub page. 

The post Apple open-sources quantum-resistant encryption code appeared first on CyberScoop.

The FBI is warning organizations and defenders about Kali365, a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens, issuing a public service announcement Thursday. 

The toolkit bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services. This technique grants cybercriminal-controlled applications access to Microsoft 365 accounts, opening victims up to a host of follow-on malicious activity, including data theft, fraud, extortion and ransomware attacks.

Kali365 is one of many rapidly emerging device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages, according to researchers. 

Instead of gaining access to accounts via phishing kits that steal credentials and second-factor authentication codes, device-code phishing platforms connect a malicious app to a legitimate account with a single code. The process requires fewer steps and less interaction with the user, but victims do have to copy-and-paste a code generated by the Kali365 platform to grant access.

“We see quite a bit of this device-code phishing activity, but so much of it looks really similar. They’re all using the same types of lures, the same types of content, the same branding,” Selena Larson, senior threat researcher at Proofpoint, told CyberScoop. “It is very much AI generated, AI driven, and the threat actors, I think, are finding it pretty effective because we’re seeing this shift happen kind of all at once.”

Proofpoint researchers observed seven device-code phishing tools that looked nearly identical during a 10-day period last month.

Device-code phishing isn’t new, but platforms like Kali365 have integrated new techniques that differ from MFA phishing, and might be more effective as a result. “It’s something that people might not be used to. It’s a little bit sleeker,” Larson said.

This also partly explains why these cybercriminal tools are growing so quickly. Larson said Proofpoint observed an explosion in device-code phishing activity starting in February. 

By April, Kali365 was up and running and primarily distributed on Telegram, according to the FBI. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the agency said in the public warning. 

Researchers at Arctic Wolf Labs, which has also been tracking large-scale campaigns linked to Kali365, said the platform charges affiliates $250 for 30 days of service or $2,000 for a full year.

Kali365 stores the OAuth access and refresh tokens it captures, and makes those available to affiliates on its platform. Those tokens can also be shared and reused by other cybercriminals who didn’t participate in the initial phishing lure, Arctic Wolf researchers added. 

The FBI also noted that these Microsoft 365 tokens provide persistent access, allowing attackers to wade through multiple Microsoft services without a password or additional MFA requests. 

“Identity can be very, very powerful once you’re in an organization,” Larson said, adding that attackers can abuse that access to impersonate people, access and steal data for extortion, commit fraud and deploy malware.

The post FBI warns about fast-growing phishing kit targeting Microsoft 365 users appeared first on CyberScoop.

Attackers couldn’t get enough of the vulnerabilities at their disposal last year, making exploits the top initial access vector across more than 22,000 breaches Verizon analyzed in its latest Data Breach Investigations Report released Tuesday.

The massive annual study uncovered a surge of exploited vulnerabilities during a one-year period ending in October 2025. Exploited defects accounted for 31% of all known initial access vectors, jumping from 20% the previous year. 

The uptick in exploited vulnerabilities is a reflection of the “sisyphean cause” of vulnerability management, researchers wrote in the report. “Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them.”

Organizations are struggling to keep up with the torrent of vulnerabilities affecting technology across their systems. This slide is especially worrisome, and declining, among defects in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog.

Only 26% of the critical vulnerabilities in CISA’s catalog were fully remediated by more than 13,000 organizations Verizon studied in 2025, marking a drop from 38% the year prior. 

“There is also a worse result for the median time elapsed for a vulnerability to be fully patched by detection,” researchers wrote in the report. “Our new median time is 43 days, almost two weeks longer than last year’s 32 days.”

Verizon also noted that the median number of KEV vulnerabilities that organizations had to patch jumped from 11 in 2024 to 16 in 2025.

CISA’s KEV catalog contained more than 1,500 CVEs as of February, and 65% of those were exploited during the previous year, according to the report.

Verizon identified the five most common weaknesses of CISA KEV CVEs in its report as out-of-bounds read, heap-based buffer overflow, use after free, external control of file name or path and access of resource using incompatible type.

Attacker motivations remained relatively consistent last year, with financially-motivated cybercriminals accounting for 88% of all breaches. Espionage-driven attacks from state-affiliated groups made up the remainder.

“Ransomware continues to be among the most disruptive and impactful types of breaches we see. Not unlike the price of everything from fast food to adult beverages in ballparks, it continues to trend upward,” researchers wrote in the report.

Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. Yet, Verizon observed some positive trends in ransomware as well.

Ransom payments continued to decline, with 69% of victims reporting they didn’t pay, and the median payment slid from $150,000 in 2024 to almost $140,000 last year.

Tracking ransomware remains a challenge for researchers and authorities. 

“There is a growing disconnect between what is being reported and the reality of what has occurred, in no small part due to threat actors reusing old breaches, reposting breaches from other criminal partners and making up breaches out of whole cloth to help increase their notoriety in the criminal world,” Verizon wrote in the report. “We’re beginning to think that these cybercriminals might not be entirely trustworthy.”

Yet, despite the lack of indisputable data on ransomware activity, researchers concluded: “Ransomware is still the yoga pants of cybersecurity — ubiquitous, stubbornly popular and appearing in unexpected places near you.”

The post Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches appeared first on CyberScoop.

A self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, this time embedding itself across hundreds of npm packages. The threat actor behind it, identified as TeamPCP, has been linked to earlier waves of the same campaign, with this latest variant more capable than previous waves.

Researchers analyzing the payload found a worm that spreads autonomously, installs persistent backdoors at the operating system level, and is specifically engineered to survive the most common first response: removing the package.

How the attack works

The malware executes the moment an affected software package is installed, whether in a developer’s local environment or inside a CI/CD pipeline. A hook fires before any other step, giving the payload immediate access to the machine.

It harvests GitHub tokens, npm tokens, SSH keys, cloud provider credentials, and database connection strings. In automated build environments, it uses the pipeline’s own trusted identity to obtain publishing credentials, allowing it to push poisoned package versions to the registry under a legitimate maintainer’s name. The stolen data is sent to attacker-controlled GitHub repositories.

After it steals a publishing token, the malware checks every package that token can access, adds its code to those packages, and publishes new poisoned versions using the maintainer’s account. One infected CI runner — the machine or virtual server that automatically builds, tests and publishes code for a project — can therefore taint every package that runner is allowed to publish. It also searches a developer’s computer for other Node.js projects and copies itself into them, so a single infected install can compromise an entire workstation.

“If any of the affected packages ran in your environment, treat the machine or runner as exposed until secrets are rotated, persistence artifacts are removed, and recent publish activity has been reviewed,” Aikido Security researchers wrote in a blog post. 

Removing the package is not enough

Researchers found that a standard dependency rollback leaves the attacker’s access intact. The malware embeds backdoors in developer tool settings — notably .vscode/tasks.json and .claude/settings.json — which remain on disk even after the npm package is removed. Those files must be audited and cleaned to eliminate the attacker’s foothold.

The payload also installs OS-level background services: a systemd user service on Linux, a LaunchAgent on macOS. Both run a backdoor called kitty-monitor, which polls GitHub’s commit search every hour for signed remote commands. A second process, gh-token-monitor, checks stolen GitHub tokens every 60 seconds — alerting the attacker the moment one is revoked. An attacker can maintain access and monitor the victim’s response in near real time, long after the original infection has been discovered.

Multiple security companies have pointed out which popular dependencies are being targeted. In this wave, it’s been popular data visualization software, including Alibaba’s open-source AntV and TallyUI. The campaign also touched widely used utilities such as echarts-for-react (a React wrapper for ECharts) and timeago.js (a small JavaScript library that allows developers to format timestamps).

“Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions,” wrote researchers from Socket, an application security company.

The campaign remains active. Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Researchers have warned that any machine or pipeline that installed an affected version should be treated as fully compromised.

Last week, TeamPCP targeted other prominent software libraries with the malware, including TanStack, UiPath, and MistralAI.

The post Mini Shai-Hulud returns, compromising hundreds of npm packages appeared first on CyberScoop.

As defenders get their hands on newer AI models with more powerful cybersecurity capabilities like Anthropic’s Mythos and OpenAI’s Daybreak, organizations are being told to prepare for a flood of new vulnerability reports.

But for bug bounty programs across the nation, that day may already be here, as yesterday’s frontier models and today’s open-source AI tools have dramatically increased the volume of bug reports flowing into companies around their own products or on larger bounty platforms online.

GitHub, one of the world’s largest online code repositories, said it is tightening its definition of a “complete” bug report after a significant increase in AI-assisted submissions over the past year.

Although the influx has had some benefits, many reports are submitted without proof of concept, are reliant on unrealistic attack scenarios or cover issues already listed as ineligible. As a result, the company is having difficulty separating signal from noise.

“This isn’t unique to GitHub,” wrote Jarom Brown, senior product security engineer at GitHub. “Programs across the industry are grappling with the same challenge, and some have shut down entirely.”

Brown said GitHub does not want to ban the use of AI generated reports entirely, calling it a “force multiplier” for security in the right context. But in a world where it’s never been easier to use AI to generate theoretical bugs, the company wants researchers to go the extra mile to confirm that their discoveries can actually be exploited in real-world conditions.

What we need is the same standard we’ve always expected: validation,” Brown wrote. “An AI-assisted finding that’s been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not.”

Grant Bourzikas, chief security officer at Cloudflare, said triaging bugs and proving they can be exploited  has always been one of the hardest parts of vulnerability research, and AI vulnerability scanners and code have “made it worse.”

For instance, code written in C and C++ programming languages are vulnerable to a range of exploits – like buffer overflows and out-of-bounds reading and writing – that don’t exist in memory safe languages like Rust. AI tools scanning software written in memory unsafe programming languages are far more likely to generate false positives.

But one of the biggest flaws continues to be that AI tools are also designed to give the user what they’re asking for, even when it’s not there. This leads to the generation of bug reports filled with speculation and qualifiers around exploitability that require human follow up.

“That’s a reasonable bias for an exploratory tool,” Bourzikas wrote. “It’s a ruinous one for a triage queue, where every speculative finding spends human attention and tokens to dismiss, and that cost compounds across thousands of findings.”

Cloudflare recently shared results from testing Mythos on 50 of its own code repositories, looking for exploits. Bourzikas called Mythos “a different kind of tool doing a different kind of work” from other frontier models, and that it made significant progress in reducing false positives.

For example, he pointed to two Mythos capabilities that stood out compared to other models: chaining exploits together and generating its own proof-of-concept code to confirm exploitability.

Older models could spot many of the same bugs, but they often couldn’t figure out how to exploit them effectively, or show that the issue could be exploited in real world conditions.

Others have argued that the gap in bug hunting capabilities between newer frontier AI models and older ones, or open source models available today is not as large as advertised. 

Swedish software developer Daniel Stenberg, lead developer for curl, an open source file transfer tool used around the world, recently wrote about his experience with Mythos Preview. Like others, he has also seen a higher volume of AI-fueled bug reports over the past year, but said the flood of low-quality reports has tapered off significantly since March as models have improved.

Curl is mature and polished by the standards of most software: Stenberg estimates each line of code has been rewritten or altered at least four times, and he said he has used both human and AI tools in the past to implement hundreds of bug fixes over Curl’s existence.

That makes it a unique testing ground for the enhanced capabilities of Mythos, which was reportedly so powerful at finding vulnerabilities that Anthropic opted not to release it to the general public.

After gaining access to Mythos, Stenberg received the results of a scan of 178,000 lines of curl code. Ultimately, the scan flagged five “confirmed” vulnerabilities. Further exploration by human researchers found that 4 of the bugs were false positives or had no security impact. The one remaining bug Mythos found? A low-severity flaw that will be fixed in a regular June update.

Even as he praised the impact of AI on cybersecurity generally, Stenberg concluded that for all the hype, Mythos is only “a bit better” than previously released models.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” he wrote. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

The post AI might cut false positives, but it won’t stop the slop  appeared first on CyberScoop.

Attackers returned once again to a common target with a massive user base by exploiting a max-severity zero-day vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager.

The threat group behind the “limited” number of attacks Cisco is aware of thus far are also linked to a series of previously disclosed vulnerabilities in the vendor’s firewalls and SD-WAN systems, the company said in a threat advisory Thursday.

The authentication bypass vulnerability — CVE-2026-20182 — has a CVSS rating of 10 and “behaves like a master key,” Douglas McKee, director of vulnerability intelligence at Rapid7, wrote in a blog post. 

“An attacker can present themselves to the controller as a trusted network router and, if the system accepts that claim without properly validating it, they can obtain the highest level of administrative access,” he added. “That is the cybersecurity version of a Jedi mind trick.”

Rapid7 discovered and reported the vulnerability to Cisco on March 9, and Cisco said it became aware of limited exploitation of the vulnerability earlier this month. The vendor disclosed and released a patch for the vulnerability Thursday, and the Cybersecurity and Infrastructure Security Agency quickly added the defect to its known exploited vulnerabilities catalog.

Cisco did not explain what occurred during that two-month window. Yet, the disclosure and warning from researchers marks another challenge for Cisco customers that have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February. 

Cisco isn’t the only security vendor facing an onslaught of attacks on its customers, but it is among the most heavily targeted. CISA has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog in less than three months.

Cisco Talos researchers attributed the latest round of zero-day attacks to UAT-8616, the same attackers that exploited a pair of separate zero-days in Cisco’s network edge software for at least three years before the activity was discovered and reported in February. 

The company, which described the exploitation of the new zero-day as ongoing, once again declined to answer questions about the origins or motivations of UAT-8616. 

“We strongly recommend customers apply the available fixed software releases and follow the guidance provided in the advisories and Cisco Talos blog,” a spokesperson for the company said in a statement.

Cisco Talos researchers also warned that UAT-8616 and at least 10 other threat groups have chained together and achieved “widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Infrastructure.” The company previously disclosed and released patches for the vulnerabilities — including CVE-2026-20122, CVE-2026-20128 and CVE-2026-20133 — in February. 

Rapid7 said it discovered the latest critical authentication bypass vulnerability when it was researching CVE-2026-20127, a previous zero-day the Five Eyes identified and confirmed as actively exploited by UAT-8616 in late 2025. Authorities and Cisco waited at least two months to disclose and patch the vulnerability, and share emergency mitigation guidance.

That campaign, which got underway at least three years prior, marked the second series of actively exploited zero-days in Cisco edge technology in less than a year. Both campaigns prompted CISA to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered. 

The latest zero-day, which bypasses authentication in the same control-plane service as CVE-2026-20127,  requires no credentials or prior knowledge of the target environment for exploitation, Jonah Burgess, senior security researcher at Rapid7, told CyberScoop.

“Cisco confirmed it affects all deployment types, including on-premises, cloud, and FedRAMP environments. The SD-WAN Controller manages routing and policy for the entire overlay network, so a single compromised controller can potentially give an attacker influence over every branch, data center, and cloud edge connected to that fabric,” Burgess added.

His colleague at Rapid7, McKee, said attackers have become very good at turning weaknesses in central network infrastructure into high-impact operations. 

“Compromising one branch router is useful. Compromising the controller that manages the entire estate is a very different conversation. Now you are talking about the ability to reroute traffic, intercept communications, push malicious configuration, or simply break connectivity across the whole organization,” he wrote.

“That is the real paradox here,” McKee added. “The same architecture that gives defenders scale and simplicity can also give attackers a single point of catastrophic leverage.”

The post Cisco zero-day under ongoing attack by persistent threat group appeared first on CyberScoop.

Two of the most advanced artificial intelligence models — Anthropic’s Claude Mythos Preview and OpenAI’s GPT-5.5 — have significantly surpassed the already-accelerating pace at which AI systems are completing autonomous cybersecurity tasks, according to separate findings published Wednesday by the United Kingdom’s AI Security Institute (AISI) and Palo Alto Networks.

The AISI, which conducts pre-deployment evaluations of frontier AI models on behalf of the British government, said both Claude Mythos Preview and GPT-5.5 have substantially exceeded the doubling trend the institute had been tracking since late 2024. Whether the results represent an isolated capability jump or the start of a new, faster trajectory remains unclear.

The AISI estimated earlier this year that frontier models’ 80% reliability cyber time horizon — a measure of how long a task takes a human expert, used as a proxy for AI autonomy — had been doubling approximately every five months. That was itself roughly half the eight-month doubling time the institute estimated in November 2025. Now Mythos Preview and GPT-5.5 have since outperformed any trend lines the institute has measured.

“Frontier AI’s autonomous cyber and software capability is advancing quickly: the length of cyber tasks that frontier models can complete autonomously has doubled on the order of months, not years,” the AISI wrote.

The clearest evidence of the capability jump came from the AISI’s cyber ranges, its structured simulations of multi-stage attacks against small, undefended enterprise networks. A newer checkpoint of Claude Mythos Preview became the first model to complete both of the institute’s ranges. It solved “The Last Ones,” a 32-step simulated corporate network attack, in 6 of 10 attempts, and completed “Cooling Tower” — previously unsolved by any model — in 3 of 10 attempts. GPT-5.5 solved “The Last Ones” in 3 of 10 attempts.

Palo Alto Networks reached similar conclusions through its own testing. The company said it began testing Claude Mythos in April as a launch partner for Anthropic’s Project Glasswing, and has since tested Claude Opus 4.7 and OpenAI’s GPT-5.5-Cyber as part of OpenAI‘s Trusted Access for Cyber program.

“The latest models are extraordinarily capable at finding vulnerabilities and changing them into critical exploit paths in near-real-time,” Palo Alto Networks wrote.

The company released security advisories covering 26 CVEs representing 75 issues — compared to a typical monthly volume of fewer than five CVEs — that were identified through AI model scanning across more than 130 products. All important vulnerabilities in its SaaS products had been patched, with patches available for all customer-operated products.

The AISI was careful to note the limits of its data. The estimates are based on a relatively small number of models, and the hardest tasks in the test suite have the least amount of human comparison data. Even so, the institute said the overall trend holds up: dropping any single model from the analysis barely moves the needle, shifting the estimated doubling time by less than a month in either direction. Separate research from METR, a nonprofit that tracks how quickly AI handles software tasks, arrived at a nearly identical figure — a doubling time of approximately four months since late 2024.

“No single benchmark result should be read as a precise measure of AI capability,” the AISI wrote. “Regardless, the direction of change and rapid growth have been consistent across the models, methodological choices and independent data we examined.”

Palo Alto Networks outlined four immediate priorities for enterprises as these models continue to grow in usage: First, find and fix vulnerabilities in code and applications before attackers do. Second, shrink the attack surface and use AI to spot security misconfigurations. Third, deploy detection and response tools across all systems, using machine learning to catch threats in real time. Fourth, build security operations fast enough to respond in minutes, because AI-powered attacks may soon unfold that quickly.

The AISI said it is developing more demanding evaluations, including new cyber ranges and the addition of active cyber defenses, to better reflect real-world conditions as model capabilities continue to advance.

The post Researchers say AI just broke every benchmark for autonomous cyber capability appeared first on CyberScoop.

Microsoft addressed another triple-digit batch of vulnerabilities cutting across its various enterprise products, components and underlying systems. Yet despite the high number of defects, the vendor reported no actively exploited zero-days in this month’s Patch Tuesday update.

Thirteen of the 137 vulnerabilities Microsoft disclosed were assigned critical CVSS ratings, including a pair of vulnerabilities affecting Azure — CVE-2026-33109 and CVE-2026-42823 — and CVE-2026-42898 in Microsoft Dynamics 365 with 9.9 CVSS scores. 

The company designated 13 vulnerabilities as more likely to be exploited, and 113 defects as less likely or unlikely to be exploited.

The high volume of vulnerabilities reflects a growing trend researchers have been anticipating as artificial intelligence models are deployed to find previously uncovered defects in code. 

While not all of these bugs were found by AI, it’s likely they had an AI-related component — even if it was just AI writing the submission,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely. 

“No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses could achieve unauthenticated remote-code execution across your enterprise,” he added. 

Childs also described CVE-2026-41089, a Windows Netlogon defect that allows unauthenticated remote attackers to run code, as the “highest-impact bug that requires immediate patching,” adding that a “compromised domain controller is a compromised domain.”

Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898, the critical vulnerability affecting Microsoft Dynamics 365. 

“With no user interaction required, and the potential to impact systems beyond the vulnerable component’s original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform,” he said in a blog post.

“Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems. Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption,” Bicer added.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical appeared first on CyberScoop.

Instructure, the company behind Canvas, said it reached an agreement with the cybercriminals who threatened to leak a trove of sensitive data they claim was stolen during a prolonged cyberattack on the widely used education tech platform.

Pressure was mounting on the company as widespread outages left schools, students and teachers temporarily unable to access critical data late last week when the company took Canvas offline after the attackers defaced the platform’s login page. By Friday, the company said Canvas — a central hub for K-12 and university coursework, exams, grades and communication — was back online and fully operational. 

ShinyHunters, a decentralized crew of prolific cybercriminals that researchers affiliate with The Com, claimed responsibility for the attack on its data leak site and was attempting to extort the company for an unknown ransom amount. 

Instructure didn’t outright say it paid a ransom, but insisted the agreement provided all necessary assurances. “The data was returned to us. We received digital confirmation of data destruction (shred logs),” the company said in an update Monday.

“We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise,” the company added. “This agreement covers all impacted Instructure customers, and there is no need for individual customers to attempt to engage with the unauthorized actor.”

The threat group initially set a deadline of May 6 — four days after Instructure previously said the incident was contained — claiming it stole 3.65 terabytes of data spanning 275 million records across 8,809 school systems. 

When that deadline passed without payment, ShinyHunters escalated its pressure on the company by “injecting an extortion message directly into the Canvas login pages of roughly 330 institutions, and pivoted to school-by-school extortion with a current deadline of May 12,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told CyberScoop.

The additional public pressure prompted Infrastructure to take Canvas offline, disrupting schoolwork and access to critical systems nationwide. 

Instructure CEO Steve Daly apologized over the weekend for the company’s inconsistent communication and deficient public response to the cyberattack. 

“Over the past few days, many of you dealt with real disruption. Stress on your teams. Missed moments in the classroom. Questions you couldn’t get answered. You deserved more consistent communication from us, and we didn’t deliver it. I’m sorry for that,” he said in a statement.

Daly acknowledged that the attack, which remains under investigation aided by CrowdStrike, exposed usernames, email addresses, course names, enrollment information and messages. He insisted that course content, submissions and credentials were not compromised.

The temporary but widespread disruption has spurred broad concern across the education sector as ransomware experts and threat hunters continue to track developments. The cyberattack also caught the attention of lawmakers on Capitol Hill. 

The House Homeland Security Committee on Monday published a letter to Daly seeking a briefing with him or a senior leader at Instructure by May 21. 

“The recurrence of an intrusion within days of an initial breach disclosure, and Instructure’s apparent failure to fully remediate the underlying vulnerabilities during that window, raise serious questions about the company’s incident response capabilities and its obligations to the institutions and individuals whose data it holds,” House Homeland Security Chairman Andrew Garbarino, R-N.Y., wrote in the letter to Daly.

The committee wants to learn more about the “circumstances of both intrusions, the the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and the Cybersecurity and Infrastructure Security Agency,” he added. 

CISA did not describe the extent of its involvement in Instructure’s response. “CISA is aware of a potential cyber incident affecting Canvas. As the nation’s cyber defense agency, we provide voluntary support and cybersecurity services to organizations in responding to and recovering from incidents,” Chris Butera, the agency’s acting executive assistant director for cybersecurity, said in a statement.

Instructure’s timeline of the attack has changed and remains incomplete. The company said it first detected unauthorized activity in Canvas on April 29 and immediately revoked the attacker’s access and initiated an incident response. Researchers not directly involved with the formal investigation said ShinyHunters gained access to Canvas at least a few days earlier.

The follow-on malicious activity on May 7 — the defacement of public login pages — was tied to the same incident, the company said. 

“We have since confirmed that the unauthorized actor carried out this activity by exploiting an issue related to our Free-For-Teacher accounts. This is the same issue that led to the unauthorized access the prior week. As a result, we have made the difficult decision to temporarily shut down Free-For-Teacher accounts,” the company said in an updated post about the incident.

Instructure did not answer questions about the vulnerability or explain how attackers intruded its systems. The company said it also revoked privileged credentials and access tokens for affected systems, rotated internal keys, restricted token creation pathways, and deployed additional security controls and monitoring.

Canvas is fully operational and safe to use, the company said, adding that CrowdStrike has reviewed known indicators of compromise and “found no evidence that the threat actor currently has access to the platform.”

Access still remains spotty and unavailable for some Canvas users as school districts restore the platform in phases after conducting their own internal checks.

Halcyon published an alert about the attack Friday, including a screenshot of the message that some school staff, guardians and students encountered before Instructure took the learning management system offline.

ShinyHunters is a notorious data theft extortion group that previously hit major cloud platforms, including Salesforce and Snowflake, via voice phishing, credential theft and supply-chain attacks. 

Education is a recurring and consistent target for cybercriminals, accounting for more than 250 ransomware attacks globally last year, according to Halcyon. 

Yet, the scope of the attack on Canvas “makes this one of the largest single education-sector exposures we’ve tracked,” Kaiser said.

“By compromising a shared platform used across thousands of schools, ShinyHunters hit the entire education sector in one move, which is the same playbook Clop ran against Oracle EBS customers last fall,” she added. “Among 2026 incidents against critical infrastructure, this is at or near the top for education-sector impact, and it highlights a trend of third-party software vendors now being part of an attack surface, and causing cascading effects across an entire sector.”

Cybersecurity professionals focused on ransomware and data theft extortion consistently encourage victims to not pay ransoms, but they also often acknowledge that companies have to make tough decisions based on their own interests and the security of their customers or users caught up in the aftermath.

Allison Nixon, chief research officer at Unit 221B, said the threat group claiming responsibility for the attack should not be trusted. 

“They are claiming they will delete the data after they are paid, and if they are not paid that they will leak the data,” she told CyberScoop. “This is in line with the past data extortion scams run by the same and related Com actors, who have made false statements to victims and to the public in the past.”

Instructure acknowledged that its agreement with the attackers isn’t ironclad. “While there is never complete certainty when dealing with cybercriminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” the company said.

Daly — a longtime security executive who was previously CEO at Ivanti — ended his mea culpa with a pledge to improve communications and provide a summary of a forensics report soon.

“Last week, we made a call to get the facts right before speaking publicly. That instinct isn’t wrong, but we got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates. You’ve been clear about that, and it’s fair feedback. We will change that moving forward,” he said. 

“Rebuilding trust takes time,” Daly added. “We’re going to earn it back through consistent action and honest communication.”

Update: May 12, 11:00 am: This story has been updated to reflect that Instructure announced they have reached a deal with ShinyHunters.

The post Instructure claims hackers returned stolen Canvas data after an extortion standoff appeared first on CyberScoop.

Google researchers found a zero-day exploit developed by artificial intelligence and alerted the susceptible vendor to the imminent threat before a well-known cybercrime group initiated a mass-exploitation campaign, the company said in a report released Monday.

The averted disaster probably isn’t the first time attackers used AI to build a zero-day, but it is the first time Google Threat Intelligence Group found compelling evidence that this long-predicted and worrying escalation in vulnerability-exploit development is underway.

“We finally uncovered some evidence this is happening,” John Hultquist, chief analyst at GTIG, told CyberScoop. “This is probably the tip of the iceberg and it’s certainly not going to be the last.”

Google declined to identify the specific vulnerability, which has been patched, or name the “popular open-source, web-based administration tool” it affected. It did, however, note that the defect impacted a Python script that allows attackers to bypass two-factor authentication for the service.

Researchers also withheld details about how they discovered the zero-day exploit or the cybercrime group that was preparing to use it for a large-scale attack spree.

The threat group has a “strong record of high-profile incidents and mass exploitation,” Hultquist said, suggesting the attackers are prominent and well-known among cybersecurity practitioners. 

GTIG is fairly confident the threat group was using AI in a meaningful way throughout the entire process, but it has yet to determine if the technology also discovered the vulnerability it ultimately developed into an exploit.

Whichever AI model the attackers used — Google is confident it wasn’t Gemini or Anthropic’s Mythos — left artifacts throughout the exploit code that are inconsistent with human developers. This evidence, which included documentation strings in Python, highly annotated code and a hallucinated but non-existent CVSS score, tipped Google off to the fact AI was heavily involved, Hultquist said. 

GTIG has been warning about and expecting AI-developed exploits to hit systems in the wild, especially after its Big Sleep AI agent found a zero-day vulnerability in late 2024.

“I think the watershed moment was two years ago when we proved this was possible,” Hultquist said, adding that there are probably several other AI developed zero-days in play now. 

Yet, to him, the discovery of a zero-day exploit developed by AI is less concerning than what this single instance forebodes even further.

“The game’s already begun and we expect the capability trajectory is pretty sharp,” Hultquist said. “We do expect that this will be a much bigger problem, that there will be more devastating zero-day attacks done over this, especially as capabilities grow.”

The post Google spotted an AI-developed zero-day before attackers could use it appeared first on CyberScoop.