
Microsoft breaks Patch Tuesday record with 206 vulnerabilities

Microsoft addressed a whopping 206 vulnerabilities lurking in its vast portfolio of business products and foundational systems in this month’s Patch Tuesday update, marking the vendor’s largest monthly batch of security patches on record, according to researchers.

The massive assortment of vulnerabilities in Microsoft’s latest defect dump underscores an alarming trend across the technology industry: the long-predicted flood of vulnerability disclosures has arrived, and it is not confined to Microsoft.

“It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Researchers consistently highlight the role artificial intelligence is playing in discovering more vulnerabilities and aiding in the development of patches and testing. Childs isn’t alone in wondering if this is the new normal and how that will impact defenders’ strategies for patch prioritization and deployment. 

“Pandora’s proverbial box has been opened, and as more advanced AI models become available, we expect the norm to continue upward across the board, not just for Patch Tuesday,” Satnam Narang, senior staff research engineer at Tenable, said in an email.

This vulnerability flood isn’t a one-off or rare event. Half of Microsoft’s Patch Tuesday updates through the first half of this year contained a volume of defects well into the triple digits. 

“The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018,” Childs wrote. 

Microsoft disclosed three vulnerabilities — CVE-2026-45586, CVE-2026-50507 and CVE-2026-49160 — that were publicly known at the time of release, but not yet exploited in the wild, according to the company. 

Yet, in an out-of-band update May 19, the vendor did disclose and release a patch for CVE-2026-41091, an actively exploited zero-day vulnerability affecting Microsoft Defender.

Microsoft disclosed one max-severity vulnerability — CVE-2026-48567, affecting Azure HorizonDB — and nine defects with critical CVSS ratings. The company designated 15 of the vulnerabilities it addressed this month as more likely to be exploited.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft breaks Patch Tuesday record with 206 vulnerabilities appeared first on CyberScoop.

Cisco customers encounter another SD-WAN zero-day under attack

Cisco customers are confronting yet another actively exploited zero-day vulnerability affecting the vendor’s SD-WAN management software, adding to the pressure on organizations that have had few breaks from active threats against this product line this year.

The vulnerability — CVE-2026-20245 — marks the seventh actively exploited zero-day in Cisco SD-WANs this year.

Cisco said it first became aware of active exploitation of the latest defect in the network management software earlier this month. The company disclosed the vulnerability, which was first spotted by Mandiant, on Thursday and warned that a security patch is not yet available and there are no workarounds to mitigate the defect in the meantime.

“A patch for this vulnerability will be provided on a future date,” a company spokesperson said in a statement. 

Cisco did not attribute the attacks to any specific group, describe the objectives of those attacks or share how many organizations have already been impacted.

The input-validation flaw in Cisco Catalyst SD-WAN Manager lets an authenticated remote attacker, or a local attacker, inject commands that execute as root on an affected system, the company said.

Yet, the scope of potential impact may be limited because exploitation requires valid credentials or privileged access through other means. Cisco said exploitation of a pair of zero-days it disclosed earlier this year — CVE-2026-20182 or CVE-2026-20127 — could allow attackers the access required to exploit the new vulnerability. 

The company said it is “not aware of successful exploitation by other means,” adding that it “observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices.”

Landon Rice, senior exploit developer at VulnCheck, said the need for existing privileges “makes an attacker heavily reliant on previous vulnerabilities, or a net-new initial access vector, in order to be able to reach the privilege escalation path.”

Cisco advised customers to upgrade to fixed software released in May as part of its response to CVE-2026-20182 as a protective measure. 

With no patch yet available, Cisco published indicators of compromise for the new vulnerability but cautioned that the same log entries can also appear during normal operation. The company encouraged customers that need help distinguishing between legitimate and malicious activity to contact Cisco Technical Assistance Centers.

Cisco isn’t the only security vendor facing an onslaught of attacks on its customers, but it is among the most heavily targeted. The Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities affecting Cisco SD-WANs and firewalls to its known exploited vulnerabilities catalog this year, not including CVE-2026-20245, which has yet to be added to the catalog.


Inside the race to adapt to an AI-powered security world

Troy West was in Warsaw when his dinner was interrupted by his phone. But he was happy about it.

West, associate director of cybersecurity for autonomous offensive security company XBOW, had just learned that a trial version of the company’s platform had found a vulnerability that led to a full takedown of a development environment used by Moderna, the pharmaceutical company primarily known for its work related to mRNA vaccines.

It was, by most measures, exactly the kind of outcome a security team dreads. But for West and Farzan Karimi, Moderna’s deputy CISO, it was something closer to a proof of concept. XBOW’s product had done in hours what a human penetration tester could not — and it had done so with a level of persistence and creativity that neither of them had fully anticipated.

The episode is one data point in a much larger shift now rippling through the cybersecurity industry: The artificial intelligence models discovering vulnerabilities are moving faster than the teams that have to patch them.

Across recent conversations and presentations, industry experts said the tools are getting sharper, the attack surface is getting larger, and the gap between finding a problem and fixing it is not closing fast enough. For now, most organizations are caught between the speed of discovery and the slowness of remediation, with vendors across the industry rushing to position their products as the way through.

A shift in scale 

The inflection point came with Claude Mythos. When Anthropic announced the highly guarded model, security executives at major enterprise technology companies took notice in a way they had not with prior frontier releases. 

Zscaler was among the early organizations given access to the model, and CEO Jay Chaudhry told CyberScoop that he directed his team to use it to probe the company’s own applications.

“Are we finding some serious stuff? Yes, indeed,” Chaudhry told CyberScoop at Gartner’s Security & Risk Management Summit. He was careful to note that the findings were not necessarily more severe than those produced by other models. The issue, he said, was volume. 

“There aren’t enough resources and cycles to fix all those,” he said. 

The reason Mythos changed the calculus, according to Tom Gillis, general manager for infrastructure and security products at Cisco, comes down to code complexity. Legacy network infrastructure was built on tens of millions of lines of code developed over decades, and earlier AI models lacked the context window and reasoning capacity to comprehend it in full.

“The models couldn’t understand the entirety of it before,” he told CyberScoop. “Now they can. That’s why they’re finding all these vulnerabilities.”

The problem runs deeper than application code. Firewalls and network switches often run for decades without updates or reboots, and many have never been patched in any meaningful way. The combination of aging infrastructure and newly capable AI models has created what Gillis described as a meaningful and accelerating shift in attacker capability that the industry’s existing operational rhythms were not built to absorb.

An opportunity in existing technology 

Cisco’s answer to the oncoming vulnerability deluge is a technology it calls Live Protect, a compensating control built on eBPF, a Linux kernel facility that lets verified, sandboxed programs run inside the kernel so security software can block exploitation of a vulnerable code path without modifying the system’s own binaries.

“It’s a pinpoint, laser-fine control that can shield a vulnerability on a production system,” Gillis said. “We’re not touching or modifying the binaries of that production system.”

The intent is to close the window between the discovery of a vulnerability and the next scheduled patch by shielding the flaw in place, without taking systems offline.

“This is a finger in the dike that plugs a hole until you get to new change control windows,” he said, acknowledging that some customers may be tempted to treat the shields as a permanent solution. 

The product has been shipping since October, but customer urgency shifted noticeably after Mythos. “Customers are like, ‘Oh, good story, Tom. I’ll think about it.’ Now it’s like, ‘Oh my God, turn this thing on right now.’”

He also noted that eBPF is open source, and said he expects the broader industry to follow. 

“While I’m very proud of Cisco leading the market with these compensated controls, I know my competitors have to do this.”

The bot that broke everything 

But shielding vulnerabilities only works if you know they exist. Karimi, the Moderna deputy CISO, faced a different problem: His vulnerability management system was surfacing hundreds of high-severity findings with no reliable way to know which ones an attacker could actually exploit. His team had skilled red-teamers, but they were finite resources. What he needed was something that could test continuously, everywhere.

“We have some very senior red-teamers and pen-testers in our organization that are pointed in a specific direction,” Karimi said during a presentation at the Gartner summit. “XBOW is covering different attack stories for us.”

West, who leads offensive security for XBOW, describes the platform as a response to a structural problem in how offensive security has traditionally worked. Human testers scope an engagement, run it, write a report, and move on. The window between tests is where risk accumulates.

“Historically you have exploit developers spending time finding the right vulnerabilities, writing the exploits, finding if those exploits are reachable, and then finding a way to chain them all together,” West said. “That takes a long time.”

Given the realities, Karimi decided to put XBOW through a trial, which produced two notable findings.

In the first, XBOW identified a web application firewall bypass on a company application built on the Spring Boot framework. The bypass involved encoding a single character (a capital “A”) as its percent-encoded URL equivalent (%41), which the WAF passed through as a legitimate request, giving the bot unfettered access. 
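The bypass described above works when a WAF evaluates its rules against the raw, still-encoded request while the application server percent-decodes the path before routing, so the two components disagree about what was requested. The Python below is an added illustration written for this article, not XBOW’s or Moderna’s code; the denylist, the /actuator path, and the sample requests are assumptions chosen for the example. It contrasts a naive rule engine with one that canonicalizes the request to the form the backend will see before matching.

```python
import re
from urllib.parse import unquote

# Hypothetical rule set (constructed for this example, not the WAF involved in the finding):
# deny Spring Boot's management endpoints and a classic SQL-injection token.
DENY_PATTERNS = [
    re.compile(r"/actuator(/|$)", re.IGNORECASE),      # assumed sensitive path prefix
    re.compile(r"\bunion\s+select\b", re.IGNORECASE),
]


def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the path stops changing, with a bound so that double
    encoding (%2541 -> %41 -> A) is unwrapped but a hostile input cannot loop
    forever, then collapse repeated slashes. This is the view the backend routes on."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/{2,}", "/", path)


def naive_waf_allows(raw_path: str) -> bool:
    """The flawed design: rules run against the raw, still-encoded request path,
    so "/%41ctuator/env" never matches "/actuator" even though the server decodes it."""
    return not any(p.search(raw_path) for p in DENY_PATTERNS)


def hardened_waf_allows(raw_path: str) -> bool:
    """Rules run against the same canonical form the application will decode to."""
    return not any(p.search(canonicalize(raw_path)) for p in DENY_PATTERNS)


def compare(paths):
    """Return (path, naive verdict, hardened verdict) for each request path."""
    return [(p, naive_waf_allows(p), hardened_waf_allows(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample requests: plain, single-encoded, double-encoded, and an injection
    # hidden behind %20 so that the \s in the rule never sees a real space.
    for row in compare([
        "/actuator/env",
        "/%41ctuator/env",
        "/%2541ctuator/env",
        "/orders?q=1%20UNION%20SELECT%201",
        "/orders/123",
    ]):
        print(row)
```

The defensive rule is not “decode more”; it is “decode exactly as the protected application does”. A WAF that decodes more aggressively than the backend creates the mirror-image bypass, so the bound on decoding rounds should match what the server actually performs.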

The second finding, which was the cause for West’s dinner interruption, was more consequential. West had provided XBOW with access to the source code of an internal application called Orders, used by Moderna’s research partners to procure drug substances, but no login credentials. The platform identified a valid API key embedded in the source code, used it to authenticate, and then began probing the application’s APIs for SQL injection vulnerabilities.
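The second finding began with a credential that should never have been in the repository. The scanner below is an added example, not XBOW’s tooling or anything from Moderna’s codebase, showing the two checks a practitioner combines to catch that class of defect before a bot does: a pattern for assignments whose name suggests a secret, and a Shannon-entropy threshold so that a placeholder such as `"password"` does not drown out a real key. The source fragment and the key in it are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample source file (not real code or a real key): one genuine key,
# one low-entropy false positive, and two lines that should not match at all.
SAMPLE_SOURCE = "\n".join([
    'API_BASE = "https://orders.example.internal/api"',
    'ORDERS_API_KEY = "sk_live_9fX2bQ7vL0mZ3rT8wH5kN1pY6cD4sA2e"',
    'PASSWORD_FIELD_NAME = "password"',
    'TIMEOUT_SECONDS = 30',
])

# An identifier containing a secret-ish word, assigned a quoted literal of 8+ characters.
ASSIGNMENT = re.compile(
    r'\b(?P<name>\w*(?:key|secret|token|password|passwd)\w*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{8,})["\']',
    re.IGNORECASE,
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys land well above 4, English words around 2 to 3."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.5):
    """Return one dict per likely secret, with the value redacted so the report
    itself does not become a second copy of the credential."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue  # looks like a label or placeholder, not key material
        hits.append({
            "line": lineno,
            "name": m.group("name"),
            "entropy": round(entropy, 2),
            "redacted": value[:4] + "..." + value[-2:],
        })
    return hits


if __name__ == "__main__":
    for hit in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(hit)
```

Run it in CI against the diff rather than the whole tree and the threshold matters less, because the question becomes “did this change introduce a high-entropy literal next to a secret-ish name”, which is exactly the situation that handed XBOW its foothold.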

What happened next was not entirely planned. One of those APIs handled a malformed SQL injection attempt in an unexpected way, dumping garbage data into a shared routing application that other services depended on.

“Not only was it able to kick that Orders app I showed you, but it somehow kicked over the entire ecosystem of apps,” West said.

Human pen-testers who reviewed the findings afterward confirmed they were valid, and said they would not have found them on their own. Karimi said despite the outage, his team recognized the value immediately.

“If we’re able to demonstrate where you could have an outage in a safe testing environment, that’s a great signal,” he said.

The broader value, Karimi argued, is in forcing prioritization when bugs are discovered. “If you have exploit proofs, you can provide that plus-one modifier and really point your developers to remediate the top tier of real risk that’s been validated.”

But he does worry about the volume of bugs that will be surfaced by these tools. 

“How do we now handle the volume of bugs that have gone up due to AI-driven scale?” he said. “That’s a whole other problem space.”

A broader reckoning

Across these conversations, a consistent theme was that even as defenders are trying to get arms around the forthcoming wave of bugs, it’s going to be a tremendously uphill battle. That mirrors what some of the industry’s top leaders have been saying for months. 

It also mirrors what the model developers themselves have consistently been warning about. In its announcement about expanding access to Mythos, Anthropic admitted the timeline for a publicly available tool similar to its cybersecurity-focused model is shortening, and there are no guarantees it will be released with safeguards. 

“In that world, cyberattacks could occur much more often, and in much more unpredictable forms,” the blog post reads.

Gillis was blunter about what happens to organizations that don’t move. 

“Some people will be slow to change,” he said. “But the consequence of not making that change is gonna be front-page news. It’s a massive, massive compromise. You know, like, ‘you gave up every credit card number.’ Bummer.”


Federal audit reveals NIST’s NVD is plagued by poor planning and duplication

A Department of Commerce inspector general report released Thursday found that the National Institute of Standards and Technology has mismanaged a critical cybersecurity vulnerability database through poor planning, inefficient operations, duplicate federal programs, and failure to communicate with users.

The National Vulnerability Database, maintained by NIST since 2005, collects information about computer security flaws and adds details like severity ratings and affected products. This information helps cybersecurity professionals across government and the private sector decide which security problems to fix first. In February 2024, the database’s enrichment contract lapsed, creating a backlog of unprocessed security flaws that has only grown worse.

The report identified the lack of strategic planning as a core problem. NIST leaders admitted they had no long-term plan for clearing the backlog, even as it grew from about 13,000 unprocessed security flaws in June 2024 to over 27,000 by the end of 2025.

NIST publicly promised in May 2024 that it would clear the backlog by September 2024, setting a goal of processing 6,200 security flaws per month, but the agency had never processed more than 5,000 per month in the past.

The report found major inefficiencies in how NIST enriches the information that is attached to the vulnerabilities. 

Analysts spend about 80% of their time on two tasks: calculating severity scores and identifying which products are affected. The inspector general’s office tested NIST’s severity scores and found they matched independent evaluators only 12% of the time. Also, nearly 80% of vulnerability submissions already include these scores from the companies that are responsible for the software. This means NIST is doing work that is often unnecessary and inconsistent. The inspector general proposed cutting back on severity score calculation work over the next two years, estimating that NIST would save $800,000 that it could redirect to other program areas.

Another efficiency problem highlighted is the program’s manual process for identifying affected products. Creating these standardized product identifiers takes a lot of time and keeps analysts from clearing the backlog. NIST is developing tools to make this faster, but it remains a major slowdown.

The report also found major duplication between two federal security programs. When the Cybersecurity and Infrastructure Security Agency launched its own Vulnrichment program in May 2024, there was no coordination between the agencies, leading to NIST analysts sometimes repeating work that CISA analysts had already completed. Additionally, the two agencies even hired the same contractor for portions of the same work. The inspector general found at least 21,000 cases of duplicated work between May 2024 and December 2025, wasting approximately $200,000 in the process.  

Communication failures have made the problems worse. In April 2024, over 50 cybersecurity professionals sent an open letter to Congress complaining that NIST was not being transparent about the database’s problems. Neither NIST nor the Department of Commerce answered the letter.

Vulnerability database programs managed by the federal government have been a point of contention for the cybersecurity community over the past two years. Earlier this year, NIST announced that it has narrowed its priorities for the NVD, focusing only on vulnerabilities in CISA’s KEV catalog, software used by the federal government, and critical software identified under Executive Order 14028.

A similar program that serves as a catalog of known security flaws, the Common Vulnerabilities and Exposures (CVE) list, has had similar issues over the past few years. That program, sponsored by CISA and operated by MITRE, narrowly escaped a sudden demise when a last-minute, 11-month contract extension averted a shutdown in April 2025. Since then, several competing databases from European nonprofits and other private entities have been stood up in order to better coordinate how vulnerabilities are tracked, disclosed, and ultimately patched.

The inspector general recommended that NIST create a long-term plan for the database, set up a plan to clear the backlog with specific goals, cut back on unnecessary severity score work, make it easier for outside companies to help identify affected products, immediately start working with CISA to stop duplicating work, and develop a plan to communicate better with users.

NIST agreed with all six recommendations and said it is working on them. The agency must submit a plan showing how it will address these problems by late July.


Anthropic: Mythos finds more than 10,000 software flaws in first month

Anthropic said its month-old Project Glasswing initiative has uncovered more than 10,000 high- or critical-severity software vulnerabilities across systemically important code, a finding the company says has shifted the central problem in cybersecurity from discovering flaws to verifying and patching them.

The findings, drawn from partner reports and independent evaluations, mark one of the first large-scale accountings of what a frontier AI model can do when pointed at widely used code, and of the bottlenecks that emerge once it does.

Several partners reported that their rates of bug discovery had increased more than tenfold. Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company said it considered better than that of human testers. At one unnamed partner bank, the model was credited with helping detect and prevent a fraudulent $1.5 million wire transfer initiated after a customer’s email account was compromised and followed up with spoofed phone calls.

External evaluations cited in the update tracked with the results Anthropic released. The United Kingdom’s AI Security Institute found that Mythos Preview was the first model to solve both of its cyber ranges — simulations of multistep cyberattacks — from end to end. Mozilla said it found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in Firefox 148 using an earlier Anthropic model. AI-powered security platform XBOW called the model a significant step up over existing systems on its web exploit benchmark.

Anthropic also used Mythos to scan more than 1,000 open-source projects. The model has flagged 23,019 potential vulnerabilities, 6,202 of them estimated as high or critical. Of 1,752 high- or critical-rated findings reviewed by six independent security research firms or by Anthropic itself, over 90% were confirmed as valid, and over 62% were confirmed to be high or critical.

The company did note that while it’s good at finding vulnerabilities, there is still a gap in having people fix every issue. 

“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” the report states. 

Open-source maintainers have also been contending with a wave of low-quality, AI-generated bug reports, and Anthropic said it tries to reproduce and assess each issue before reporting it. At maintainers’ request, it has sometimes disclosed bugs without further vetting, reporting 1,129 such cases, of which the model estimated 175 to be high or critical.

Anthropic said it has not released Mythos-class models publicly because no company, including itself, has developed safeguards to prevent serious misuse. In the interim, it has released Claude Security in public beta for enterprise customers, which it said has been used to patch more than 2,100 vulnerabilities in three weeks using the publicly available Claude Opus 4.7, and has begun a Cyber Verification Program for security professionals.

The company said it plans to expand Project Glasswing with additional partners, including U.S. and allied governments, before any broader release of the underlying model.

“Glasswing helps the most systemically important cyber defenders gain an asymmetric advantage. However, there is an urgent need for as many organizations as possible to shore up their cyber defenses,” the report states. “We hope that our generally available models, and the new tools, resources, and research we’re providing to accompany them, will support those organizations to improve their cybersecurity posture.”


Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches

Attackers couldn’t get enough of the vulnerabilities at their disposal last year, making exploits the top initial access vector across more than 22,000 breaches Verizon analyzed in its latest Data Breach Investigations Report released Tuesday.

The massive annual study uncovered a surge of exploited vulnerabilities during a one-year period ending in October 2025. Exploited defects accounted for 31% of all known initial access vectors, jumping from 20% the previous year. 

The uptick in exploited vulnerabilities is a reflection of the “sisyphean cause” of vulnerability management, researchers wrote in the report. “Put quite simply, there are often too many vulnerabilities and not enough time for patching all of them.”

Organizations are struggling to keep up with the torrent of vulnerabilities affecting technology across their systems. The backlog is especially worrisome for defects in the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog, where remediation rates are declining.

Only 26% of the critical vulnerabilities in CISA’s catalog were fully remediated by more than 13,000 organizations Verizon studied in 2025, marking a drop from 38% the year prior. 

“There is also a worse result for the median time elapsed for a vulnerability to be fully patched by detection,” researchers wrote in the report. “Our new median time is 43 days, almost two weeks longer than last year’s 32 days.”

Verizon also noted that the median number of KEV vulnerabilities that organizations had to patch jumped from 11 in 2024 to 16 in 2025.

CISA’s KEV catalog contained more than 1,500 CVEs as of February, and 65% of those were exploited during the previous year, according to the report.

Verizon identified the five most common weaknesses among CISA KEV CVEs in its report as out-of-bounds read, heap-based buffer overflow, use after free, external control of file name or path, and access of resource using incompatible type (type confusion).

Attacker motivations remained relatively consistent last year, with financially-motivated cybercriminals accounting for 88% of all breaches. Espionage-driven attacks from state-affiliated groups made up the remainder.

“Ransomware continues to be among the most disruptive and impactful types of breaches we see. Not unlike the price of everything from fast food to adult beverages in ballparks, it continues to trend upward,” researchers wrote in the report.

Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. Yet, Verizon observed some positive trends in ransomware as well.

Ransom payments continued to decline, with 69% of victims reporting they didn’t pay, and the median payment slid from $150,000 in 2024 to almost $140,000 last year.

Tracking ransomware remains a challenge for researchers and authorities. 

“There is a growing disconnect between what is being reported and the reality of what has occurred, in no small part due to threat actors reusing old breaches, reposting breaches from other criminal partners and making up breaches out of whole cloth to help increase their notoriety in the criminal world,” Verizon wrote in the report. “We’re beginning to think that these cybercriminals might not be entirely trustworthy.”

Yet, despite the lack of indisputable data on ransomware activity, researchers concluded: “Ransomware is still the yoga pants of cybersecurity — ubiquitous, stubbornly popular and appearing in unexpected places near you.”


AI might cut false positives, but it won’t stop the slop 

As defenders get their hands on newer AI models with more powerful cybersecurity capabilities like Anthropic’s Mythos and OpenAI’s Daybreak, organizations are being told to prepare for a flood of new vulnerability reports.

But for bug bounty programs across the nation, that day may already be here, as yesterday’s frontier models and today’s open-source AI tools have dramatically increased the volume of bug reports flowing into companies around their own products or on larger bounty platforms online.

GitHub, one of the world’s largest online code repositories, said it is tightening its definition of a “complete” bug report after a significant increase in AI-assisted submissions over the past year.

Although the influx has had some benefits, many reports are submitted without proof of concept, are reliant on unrealistic attack scenarios or cover issues already listed as ineligible. As a result, the company is having difficulty separating signal from noise.

“This isn’t unique to GitHub,” wrote Jarom Brown, senior product security engineer at GitHub. “Programs across the industry are grappling with the same challenge, and some have shut down entirely.”

Brown said GitHub does not want to ban the use of AI generated reports entirely, calling it a “force multiplier” for security in the right context. But in a world where it’s never been easier to use AI to generate theoretical bugs, the company wants researchers to go the extra mile to confirm that their discoveries can actually be exploited in real-world conditions.

“What we need is the same standard we’ve always expected: validation,” Brown wrote. “An AI-assisted finding that’s been verified, reproduced, and submitted with a working proof of concept is a great submission. An unvalidated output submitted as-is without reproduction or demonstrated impact is not.”

Grant Bourzikas, chief security officer at Cloudflare, said triaging bugs and proving they can be exploited has always been one of the hardest parts of vulnerability research, and AI vulnerability scanners and AI-generated code have “made it worse.”

For instance, code written in C and C++ is exposed to a class of memory-safety defects, such as buffer overflows and out-of-bounds reads and writes, that safe Rust prevents by construction. AI tools scanning software written in memory-unsafe languages are far more likely to generate false positives.

But one of the biggest flaws continues to be that AI tools are also designed to give the user what they’re asking for, even when it’s not there. This leads to the generation of bug reports filled with speculation and qualifiers around exploitability that require human follow up.

“That’s a reasonable bias for an exploratory tool,” Bourzikas wrote. “It’s a ruinous one for a triage queue, where every speculative finding spends human attention and tokens to dismiss, and that cost compounds across thousands of findings.”

Cloudflare recently shared results from testing Mythos on 50 of its own code repositories, looking for exploits. Bourzikas called Mythos “a different kind of tool doing a different kind of work” from other frontier models, and that it made significant progress in reducing false positives.

For example, he pointed to two Mythos capabilities that stood out compared to other models: chaining exploits together and generating its own proof-of-concept code to confirm exploitability.

Older models could spot many of the same bugs, but they often couldn’t figure out how to exploit them effectively, or show that the issue could be exploited in real world conditions.

Others have argued that the gap in bug hunting capabilities between newer frontier AI models and older ones, or open source models available today is not as large as advertised. 

Swedish software developer Daniel Stenberg, lead developer for curl, an open source file transfer tool used around the world, recently wrote about his experience with Mythos Preview. Like others, he has also seen a higher volume of AI-fueled bug reports over the past year, but said the flood of low-quality reports has tapered off significantly since March as models have improved.

Curl is mature and polished by the standards of most software: Stenberg estimates each line of code has been rewritten or altered at least four times, and he said he has used both human and AI tools in the past to implement hundreds of bug fixes over Curl’s existence.

That makes it a unique testing ground for the enhanced capabilities of Mythos, which was reportedly so powerful at finding vulnerabilities that Anthropic opted not to release it to the general public.

After gaining access to Mythos, Stenberg received the results of a scan of 178,000 lines of curl code. Ultimately, the scan flagged five “confirmed” vulnerabilities. Further review by human researchers found that four of them were false positives or had no security impact. The one remaining bug Mythos found? A low-severity flaw that will be fixed in a regular June update.

Even as he praised the impact of AI on cybersecurity generally, Stenberg concluded that for all the hype, Mythos is only “a bit better” than previously released models.

“My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” he wrote. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.”

The post AI might cut false positives, but it won’t stop the slop appeared first on CyberScoop.

Mythos can find the vulnerability. It can’t tell you what to do about it.

Mythos matters. It is a significant step forward in AI-assisted vulnerability discovery. But it does not mean cybersecurity changed overnight, nor does it mean enterprises are suddenly facing fully automated exploitation at internet scale tomorrow.

It does mean the offensive side of AI is continuing to improve. The defensive side needs to catch up now.

Mythos is the latest step in a longer trend. Over the next several years, expect the same pattern to repeat: incremental progress, then a jump; incremental progress, then a jump. Models will get more capable and cheaper with each cycle, and each jump will put more pressure on security teams still operating at human speed.

Mythos demonstrated that AI can find software vulnerabilities with unprecedented depth. That is real progress and should be taken seriously. However, this was not a case where AI suddenly made enterprise compromise cheap, easy, or automatic. Even in Anthropic’s own examples, the cost of discovering a critical vulnerability was significant. One example cited roughly $20,000 in token costs to identify a significant OpenBSD issue. 

Mythos made vulnerability discovery cheaper to scale by replacing bodies with dollars. But finding a vulnerability is only one part of the operational reality.

An attacker still has to determine whether that vulnerability is exploitable in a specific enterprise, identify a viable attack path, gain the necessary access, and successfully operationalize the exploit in a real environment. None of that became easy just because a model found a software bug.

And on the defensive side, Mythos does not yet solve the much harder enterprise problem: How do I know whether this vulnerability is actually exploitable in my environment, and what is the most efficient way to remediate it without breaking the business?

The real enterprise problem is not discovery. It is prioritization and action. Security leaders do not struggle only because vulnerabilities exist. They struggle because the operational cost of deciding what matters, what is exploitable, what can wait, and what can be fixed safely is enormous.

If a large enterprise learns that a critical vulnerability has been found in widely used software, the next step is not magic. It is a painful chain of operational questions focused on where they run the software, what version it is, whether there is a realistic attack path, and many more.

Mythos leaves the defensive cost of answering those questions inside a real enterprise largely unchanged. The right lesson is preparation.

One of the mistakes the market often makes with AI is assuming every new capability is the moment everything changes. The right move is to start now with defensive AI systems that are useful today and positioned to improve over time. For most enterprises, that means looking for AI products that help improve alert investigation, threat hunting, and vulnerability management, offer full audit capabilities, connect to enterprise data and reason to provide organizational context, and evolve as the model landscape matures.

The goal is to build the operational foundation now for a future in which more of the work can be automated safely.

Today, defenders need systems that let humans remain involved while the machine helps them scale. Over time, that involvement will change. Analysts will spend less time doing repetitive work themselves and more time orchestrating, reviewing, and improving how automated work gets done.

Eventually, some workflows will need to be reviewed in bulk rather than one action at a time. When response moves at machine speed, a human may not approve every individual remediation action. Instead, they will need a control center view into patterns: what the system did today, what worked, what did not, and what should be adjusted tomorrow.

That is a very different future from the simplistic idea of “replace the analyst.”

The real future is one where humans move from doing every task manually to supervising systems, shaping policy, reviewing patterns, and controlling how increasingly capable agents operate.

Mythos is a warning. Not because it means the sky is falling. Because it shows where the offensive side is heading. Defenders should move accordingly and with urgency.

Alex Thaman is the chief technology officer at Andesite. Over a 20+ year career, Alex has been an engineering leader at Microsoft, Unity Software, and Scale AI.

The post Mythos can find the vulnerability. It can’t tell you what to do about it. appeared first on CyberScoop.

Network ‘background noise’ may predict the next big edge-device vulnerability

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leave a lot of noise in their wake. These signals — particularly spikes in traffic hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release.

Roughly half of the activity surges GreyNoise detected during a 103-day study last winter were followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MikroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor, and unique source IP counts show how much new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 
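The two-axis rule described above (session volume for intensity, distinct source IPs for breadth, and only a simultaneous spike on both counting as a high-confidence signal) can be turned into a small triage check. The script below is an added example written for this page, not GreyNoise’s code or method; it assumes a median-of-prior-days baseline and a 3× spike threshold, both chosen here for illustration, and runs over a constructed week of scan-session records (day, source IP, targeted vendor) using documentation-range IP addresses.

```python
from collections import defaultdict
from statistics import median

SPIKE_RATIO = 3.0  # assumed threshold: a day is a spike at >= 3x the prior median


def build_sample_sessions():
    """Construct one week of fake scan-session records: (day, src_ip, vendor).

    Days 1-6 are steady background noise for every vendor. On day 7:
      vendor_a: more sessions AND many new source IPs (coordinated escalation)
      vendor_b: many new source IPs but little extra session volume (IP-only)
      vendor_c: unchanged baseline
    All values are made up for this example.
    """
    rows = []
    for day in range(1, 8):
        for vendor in ("vendor_a", "vendor_b", "vendor_c"):
            # baseline: three recurring sources, two sessions each, every day
            for i in range(3):
                for _ in range(2):
                    rows.append((day, f"198.51.100.{i}", vendor))
    # day 7, vendor_a: twelve new sources, each opening three sessions
    for i in range(12):
        for _ in range(3):
            rows.append((7, f"203.0.113.{i}", "vendor_a"))
    # day 7, vendor_b: six new sources, one light-touch session each
    for i in range(6):
        rows.append((7, f"192.0.2.{i}", "vendor_b"))
    return rows


def daily_metrics(rows):
    """Return {vendor: {day: (session_count, unique_source_ips)}}."""
    sessions = defaultdict(lambda: defaultdict(int))
    sources = defaultdict(lambda: defaultdict(set))
    for day, src_ip, vendor in rows:
        sessions[vendor][day] += 1
        sources[vendor][day].add(src_ip)
    return {
        vendor: {day: (sessions[vendor][day], len(sources[vendor][day]))
                 for day in sessions[vendor]}
        for vendor in sessions
    }


def classify_day(vendor_metrics, day, spike_ratio=SPIKE_RATIO):
    """Compare one day against the median of earlier days on both axes."""
    prior = [vendor_metrics[d] for d in vendor_metrics if d < day]
    if not prior:
        return "insufficient_baseline"
    base_sessions = median([s for s, _ in prior])
    base_ips = median([ips for _, ips in prior])
    session_count, unique_ips = vendor_metrics[day]
    session_spike = session_count >= spike_ratio * base_sessions
    ip_spike = unique_ips >= spike_ratio * base_ips
    if session_spike and ip_spike:
        return "coordinated_escalation"  # intensity + breadth: look harder
    if ip_spike:
        return "ip_only"  # breadth alone: no vulnerability inference
    if session_spike:
        return "session_only"  # existing sources hammering harder
    return "quiet"


def triage(rows, day):
    """Classify every vendor seen in rows for the given day."""
    metrics = daily_metrics(rows)
    return {vendor: classify_day(metrics[vendor], day) for vendor in sorted(metrics)}


if __name__ == "__main__":
    for vendor, verdict in triage(build_sample_sessions(), 7).items():
        print(f"day 7 {vendor}: {verdict}")
```

Only `vendor_a` comes back as `coordinated_escalation`; `vendor_b`, where new addresses appear without a matching rise in session volume, is labelled `ip_only` so that it prompts monitoring rather than an assumption that a disclosure is imminent.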

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

Microsoft drops its second-largest monthly batch of defects on record

Microsoft addressed 165 vulnerabilities affecting its various products and underlying systems, including one actively exploited vulnerability in Microsoft Office SharePoint, in this month’s Patch Tuesday update.

“By my count, this is the second-largest monthly release in Microsoft’s history,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Microsoft didn’t explain why its monthly batch of patches grew so large this month, but Childs noted that many vulnerability programs are experiencing a significant increase in submissions found by artificial intelligence tools. “For us, our incoming rate has essentially tripled, making triage a challenge, to say the least,” he added. 

The zero-day vulnerability — CVE-2026-32201 — has a CVSS rating of 6.5 and allows attackers to view sensitive information and make changes to disclosed information. Microsoft said the improper input validation defect in Microsoft Office SharePoint allows unauthenticated attackers to perform spoofing over a network.

The Cybersecurity and Infrastructure Security Agency added the zero-day to its known exploited vulnerabilities catalog shortly after Microsoft’s disclosure. 

Microsoft also addressed a high-severity vulnerability — CVE-2026-33825 — that was publicly known at the time of release. The vendor said the defect in Microsoft Defender is more likely to be exploited and could allow unauthorized attackers to elevate privileges locally.

“What starts as a foothold can quickly become full system domination,” Jack Bicer, director of vulnerability research at Action1, said in a blog post about the vulnerability. 

“Once exploited, it allows full control over endpoints, enabling data exfiltration, disabling security tools and lateral movement across networks,” Bicer said.

Proof-of-concept exploit code for the defect is publicly available, which increases the likelihood of exploitation in the wild, he added.

Microsoft disclosed two critical vulnerabilities this month — CVE-2026-33824 affecting Windows IKE Extension and CVE-2026-26149 affecting Microsoft Power Apps — but designated both of the defects as less likely to be exploited.

More than three-quarters of the vulnerabilities disclosed this month are less likely to be exploited, according to Microsoft. Meanwhile, the company designated 19 vulnerabilities as more likely to be exploited.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft drops its second-largest monthly batch of defects on record appeared first on CyberScoop.

Tech giants launch AI-powered ‘Project Glasswing’ to identify critical software vulnerabilities

Major technology companies have joined forces in an effort to use advanced artificial intelligence to identify and address security flaws in the world’s most critical software systems, marking a significant shift in how the industry approaches cybersecurity threats.

Anthropic announced Project Glasswing on Tuesday, bringing together Amazon, Apple, Broadcom, Cisco, CrowdStrike, the Linux Foundation, Microsoft, and Palo Alto Networks. The initiative centers on Claude Mythos Preview, an unreleased AI model that Anthropic will make available exclusively to project partners and approximately 40 additional organizations responsible for critical software infrastructure.

The model has already identified thousands of previously unknown vulnerabilities in its initial testing phase, including security flaws that have existed in widely used systems for decades, according to Anthropic. Among the discoveries is a 27-year-old bug in OpenBSD, an operating system known primarily for its security focus, and a 16-year-old vulnerability in FFmpeg, a widely used video software program that automated testing tools had failed to detect despite running the affected code line five million times. The company has been in contact with the maintainers of the relevant software, and all found vulnerabilities have been patched. 

Anthropic will commit up to $100 million in usage credits for the project, along with $4 million in direct donations to open-source security organizations. The company has stated it does not plan to make Mythos Preview available to the general public, citing concerns about the model’s potential misuse.

The initiative reflects growing concerns within the technology sector about the dual-use nature of advanced AI systems. While Mythos Preview was not trained specifically for cybersecurity purposes, its coding and reasoning capabilities have proven effective at identifying subtle security flaws that have eluded human analysts and conventional automated tools.

“Although the risks from AI-augmented cyberattacks are serious, there is reason for optimism: the same capabilities that make AI models dangerous in the wrong hands make them invaluable for finding and fixing flaws in important software—and for producing new software with far fewer security bugs,” the company said in a blog post. “Project Glasswing is an important step toward giving defenders a durable advantage in the coming AI-driven era of cybersecurity.”

The project comes as the industry has predicted that similar AI capabilities will soon become more widespread. Anthropic executives have indicated that without coordinated action, such tools could eventually reach actors who might deploy them for malicious purposes rather than defensive security work.

Participating organizations will be required to share their findings with the broader industry. The project places particular emphasis on open-source software, which forms the foundation of most modern systems, including critical infrastructure, yet whose maintainers have historically lacked access to sophisticated security resources.

“Open source software constitutes the vast majority of code in modern systems, including the very systems AI agents use to write new software. By giving the maintainers of these critical open source codebases access to a new generation of AI models that can proactively identify and fix vulnerabilities at scale, Project Glasswing offers a credible path to changing that equation,” said Jim Zemlin, CEO of the Linux Foundation. “This is how AI-augmented security can become a trusted sidekick for every maintainer, not just those who can afford expensive security teams.” 

Additionally, Anthropic says it has engaged in ongoing discussions with U.S. government officials regarding Mythos Preview’s capabilities. The company has framed the project in national security terms, arguing that maintaining leadership in AI technology represents a strategic priority for the United States and its allies. Anthropic has been locked in a high-stakes dispute with the Department of Defense about the U.S. military’s use of the startup’s Claude AI model in real-world operations. 

The project’s success will depend partly on whether the collaborative approach can keep pace with rapid advances in AI capabilities. Anthropic has indicated that frontier AI systems are likely to advance substantially within months, potentially creating a dynamic environment where defensive and offensive capabilities evolve in parallel.

“Project Glasswing is a starting point,” Anthropic wrote in a blog post. “No one organization can solve these cybersecurity problems alone: frontier AI developers, other software companies, security researchers, open-source maintainers, and governments across the world all have essential roles to play. The work of defending the world’s cyber infrastructure might take years; frontier AI capabilities are likely to advance substantially over just the next few months. For cyber defenders to come out ahead, we need to act now.”

The post Tech giants launch AI-powered ‘Project Glasswing’ to identify critical software vulnerabilities appeared first on CyberScoop.

Fortinet customers confront actively exploited zero-day, with a full patch still pending

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild. The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

The phone call is the new phishing email

Voice-based phishing, a form of social engineering where attackers call employees or IT help desks under false pretenses in an attempt to gain access to victim networks, surged in 2025, Mandiant said Monday in its annual M-Trends report. 

These points of intrusion, which have been a hallmark of attacks attributed to members of the cybercrime collective The Com, including offshoots such as Scattered Spider, accounted for 11% of all incidents Mandiant investigated last year.

Exploited vulnerabilities remained the top initial access vector for the sixth consecutive year, giving attackers footholds in 32% of all incidents last year, the company said. Yet the rise of voice phishing marks a concerning shift in tactics, especially in large-scale attacks with sweeping impacts.

“This type of social engineering attack is extremely powerful. It is more time consuming, obviously it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk,” Jurgen Kutscher, vice president at Mandiant, told CyberScoop. “We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”

Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, including campaigns targeting Salesforce customers attributed to threat groups Google Threat Intelligence Group tracks as UNC6040 and UNC6240.

This global shift in attacks was most clearly seen in the sharp drop in email-based phishing. For years, phishing has been a popular method because it’s cheap and requires little technical skill. It works much like high-volume advertising — a spray-and-pray strategy focused on reaching as many people as possible rather than on specific targeting.

Email phishing is no longer a top initial access vector, according to Mandiant. The incident response firm said it was only responsible for 6% of intrusions last year, down from 14% in 2024 and 22% in 2022.

“The higher the investment, the higher the payout needs to be,” Kutscher said. “[Interactive phishing] takes a significant amount of time and investment. So as an attacker, you’ve got to do that when you believe that there’s a significant return.”

These techniques are difficult to defend against because they’re designed to exploit human instincts and bypass many security controls. “We’ve always said, unfortunately the human tends to be the weakest link,” Kutscher said. 

Social engineering, of course, wasn’t the only way attackers gained access to victim networks last year. Exploited defects remain a persistent problem.

The top three vulnerabilities Mandiant observed as the initial access vector in 2025 include CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-53770 in Microsoft SharePoint.

Attackers of various origins and objectives exploited all three of the vulnerabilities en masse and as zero-days. 

Mandiant clocked 500,000 combined hours of incident response investigations globally last year, up from 450,000 hours in 2024.

Technology companies were the most frequently attacked in 2025, accounting for 17% of all incidents. The following most-targeted industries included finance at 14.6%, business and professional services at 13.3% and health care at 11.9%.

The post The phone call is the new phishing email appeared first on CyberScoop.

Cisco’s latest vulnerability spree has a more troubling pattern underneath

Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems includes:

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance violations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding set of exploits Cisco customers are combating on firewalls and SD-WANs is a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said.

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.

Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days

Microsoft addressed 83 vulnerabilities that cut across its broad portfolio of enterprise software and underlying services in its latest security update. The company’s Patch Tuesday release contained no actively exploited zero-day vulnerabilities and six defects it described as more likely to be exploited. 

The vendor’s batch of patches marks the first monthly update without an actively exploited zero-day in six months.

The “lack of bugs under active attack is a nice change from last month,” when Microsoft reported six actively exploited vulnerabilities, Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post Tuesday. 

Two vulnerabilities addressed this month — CVE-2026-21262 and CVE-2026-26127 — were listed as publicly known at the time of release. “These bugs are more bark than bite,” said Satnam Narang, senior staff research engineer at Tenable. 

More than half of the defects in this month’s update can trigger escalated privileges, and six of those vulnerabilities — CVE-2026-23668, CVE-2026-24289, CVE-2026-24291, CVE-2026-24294, CVE-2026-25187 and CVE-2026-26132 — were rated as more likely to be exploited, Narang added.

An information-disclosure defect in Microsoft Excel — CVE-2026-26144 — showcases an attack scenario that’s likely to occur more often, according to Childs. “An attacker could use it to cause the Copilot Agent to exfiltrate data off the target,” essentially making it a zero-click operation, he wrote.

Researchers also focused on a pair of defects in Microsoft Office with CVSS ratings of 8.4 — CVE-2026-26110 and CVE-2026-26113 — that attackers can trigger to execute arbitrary code. The Preview Pane in Microsoft Office can serve as the attack vector for both vulnerabilities.

“Remote-code execution vulnerabilities in Office applications pose significant risks for organizations, as documents are widely shared via email, file shares, and collaboration platforms,” Mike Walters, president and co-founder of Action1, said in an email. 

“If exploited, attackers could gain control of user systems, deploy ransomware, steal corporate data, or move laterally across internal networks,” he added. “Even a single malicious document could compromise an endpoint and give attackers a foothold inside the organization.”

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s monthly Patch Tuesday is first in 6 months with no actively exploited zero-days appeared first on CyberScoop.
