Fortinet customers confront actively exploited zero-day, with a full patch still pending

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild. The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

Ubiquiti defect poses account takeover risk for UniFi Networking Application users

Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.

The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches. The vendor disclosed and released patches for the defect in a security advisory Wednesday.

“As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.

“However, because this is a path-traversal vulnerability, the technical complexity for an attacker is typically lower than memory-corruption or buffer-overflow bugs,” he added. “Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”

Censys sensors observed nearly 88,000 UniFi Network Application hosts publicly exposed to the internet as of Friday morning. The software doesn’t expose what version it’s running, so scans cannot distinguish between vulnerable and patched instances.

Roughly one-third of the exposed instances of UniFi Network Application are located in the United States. 

“As a defender, when you see a CVSS 10 for a product you immediately recognize and know is everywhere, you probably get a bit anxious,” Guidry said. “You also know it’s remotely exploitable, requires no authentication, and needs no user interaction, because it wouldn’t be a 10 if it wasn’t. Ubiquiti is a name you hear frequently, and many of those devices are sitting directly on the internet.”

Ubiquiti advises UniFi Network Application users to update to the latest software versions, which also addressed a second vulnerability — CVE-2026-22558 — that attackers could exploit to escalate privileges.

The post Ubiquiti defect poses account takeover risk for UniFi Networking Application users appeared first on CyberScoop.

The realities of CISO burnout and exhaustion

CISOs are facing unprecedented challenges to their mental health due to today’s rapidly evolving threat landscape. They are often held accountable if a breach or disruption occurs, and the average tenure for a CISO tends to decrease significantly after such incidents. This constant pressure makes it difficult for them to find peace, let alone get a good night’s sleep. Meanwhile, threats are increasing in speed and complexity, but budgets and board interest are starting to decline: a bad combination.

Proofpoint reports that CISOs are experiencing a record level of burnout. 76% of CISOs feel they are at risk of experiencing a material cyberattack within the next 12 months. Another survey finds that many CISOs operate in an environment where their roles are misunderstood, under-supported, or burdened with unrealistic expectations.

CISOs occupy one of the most pressure-packed seats in modern organizations. They have become accustomed to constant fatigue while protecting intellectual property, customer data, and brand reputation and ensuring regulatory compliance—all while balancing technology, law, business strategy, and crisis management. Yet, while cybersecurity news often highlights major breaches or zero-day exploits, it rarely addresses a quieter, ongoing problem: CISO burnout and the deeper, systemic problem of security exhaustion.

Regardless of the industry—be it healthcare, financial services, utilities, or transportation—critical infrastructure will always be a target. This ongoing threat transforms professional fatigue into a national security concern.

Why do CISOs burn out?

The role of a CISO has evolved significantly. According to Cybersecurity Dive, CISOs around the world now have more authority and influence in corporate governance, with more reporting directly to the CEO than ever before. The days of a CISO focusing solely on technical tasks are over. Today’s CISO is actively involved in risk management, strategic planning, revenue generation, employee training and awareness, physical security, recovery, and more.

Here’s a sample of what CISOs juggle to be successful: 

24/7/365 – Cyber risk is a constant, not a project with a clear end date. Attackers probe for weaknesses at all hours, meaning the threat environment never rests. For CISOs managing critical infrastructure, this ongoing vigilance means sleepless nights — downtime isn’t just a financial concern but can also threaten public safety. 

High-stakes accountability with low-level control: CISOs are increasingly held accountable, even though their actual control can be limited. Boards, regulators, and even national authorities increasingly hold these leaders responsible for security incidents. Yet they must rely on operational technology (OT) teams, outdated systems, third-party vendors, and the everyday actions of employees — any of which can become an attack vector.

At the same time, there is often a mismatch between the resources provided and the expectations placed on CISOs. Effective security requires skilled staff, advanced tools, and constant training—yet many organizations, especially public utilities or municipal systems, struggle with limited budgets and personnel. The result is CISOs feeling like their enterprises are one incident away from disaster.

Complex regulatory overload: Regulatory compliance compounds this pressure. Critical infrastructure CISOs must navigate overlapping compliance frameworks, which is a maze of acronyms: NERC CIP, HIPAA, TSA directives, and a growing list of cybersecurity performance goals from agencies like CISA. While following these frameworks is necessary, the sheer volume of audits and paperwork can divert time and attention away from actually reducing risk.

Recovering from incident recovery: The work does not pause after an incident occurs. Each attack, audit, or compliance request can set up days or weeks of reactive cycles, especially for CISOs in sectors like healthcare or energy. Recovery isn’t just about restoring data and systems; it also requires re-establishing communications, resolving vulnerabilities and conducting post-mortems. The result is a sense of no true downtime, only the anticipation of the next incident.

Isolation and expectation management: Finally, CISOs often face professional isolation as their role evolves. Collaborating with C-suite counterparts—many of whom come from non-technical backgrounds—can be a challenge, requiring effort to build trust and integrate lessons learned. At the same time, CISOs must clearly communicate technical risk, advocate for risk-reduction resources, and help reinforce strong governance and clarity of authority for security programs across the organization.

What security exhaustion looks like

Burnout and exhaustion show up in predictable, yet sometimes subtle, ways. Recognizing these warning signs early, at both the individual and organizational level, is essential to preventing long-term declines in resilience.

  • Cognitive fatigue: Difficulty concentrating, diminished decision-making quality, and reduced ability to think strategically, especially after long stretches of incident response.
  • Reactive leadership: A preference for short-term firefighting over building sustainable resilience.
  • Attrition and turnover: Burnt-out CISOs, analysts, engineers, and consultants leave, taking institutional knowledge with them. This problem is particularly severe in critical infrastructure, where sector-specific expertise takes years to build.
  • Risk blindness: Over time, defenders can become desensitized to alerts and threats, increasing the likelihood of missing important signals.
  • Reduced innovation: Exhaustion drains curiosity and motivation, making it harder to explore new defensive technologies like zero trust architectures or OT network segmentation. Groupthink can undermine creativity for the sake of completing tasks.

Patching the vulnerabilities

Beyond the human cost, CISO burnout has measurable organizational — and societal — impacts.

  • Operational fragility: Overreliance on a few senior leaders creates single points of failure. In critical infrastructure, that fragility can translate into cascading service disruptions that affect entire regions and key assets.
  • Compliance risk: Exhausted teams may miss audit deadlines or fail to implement required controls, leading to regulatory penalties and reduced stakeholder trust.
  • Increased incident likelihood: Reactive teams struggle to maintain threat intelligence, patch management, and incident detection. In OT environments, those gaps can lead to operational shutdowns or physical damage.
  • Talent drain: A reputation for poor work-life balance makes it even more difficult to attract experienced cybersecurity professionals—a problem that is already especially challenging in the utilities, healthcare, and transportation sectors.

How to reduce burnout 

Align Authority with Accountability: If CISOs are responsible for outcomes that affect national or public safety, they need the corresponding authority and budget to match that responsibility. This means having the power to make decisions over third-party vendors, technology upgrades, and what risks the organization is willing to accept. In regulated sectors, boards and regulators should ensure security leaders are empowered, not just held accountable.

Make security a shared responsibility: Security shouldn’t rest on the shoulders of a single team. By embedding secure-by-design principles into engineering, OT, and business processes, organizations can ensure that everyone—from line managers and engineers to plant operators—takes ownership of basic cyber hygiene. This approach not only reduces the workload on security teams but also strengthens the organization’s collective defense posture.

Build a war room, not a warzone: Incident response should be structured, not chaotic. Conduct regular tabletop exercises involving both IT and OT stakeholders. Clear playbooks and delegation frameworks prevent all crises from escalating to the CISO’s desk and beyond.

Embrace work-life balance: Establish structured on-call rotations and ensure that staff have adequate recovery time after major incidents. Encourage leaders to prioritize time off and set an example by maintaining healthy boundaries. For critical infrastructure CISOs, this may involve creating deputy roles or appointing regional alternates to avoid relying on a single individual. Security work is inherently stressful, particularly when public safety is at stake. Provide access to confidential counseling, employee assistance programs, and peer support networks. It’s also important to normalize open conversations about mental health among executives and at industry conferences.

Give people their recognition: Publicly acknowledging the work of the CISO and their team helps retain top talent and fosters a supportive, positive culture throughout the organization. 

Tackling burnout requires changes at both the organizational and individual levels. Companies need to invest in people, improve processes, and implement automation so their cybersecurity teams can do their best work, instead of just getting by. A truly sustainable cybersecurity program protects not only data and systems, but also the well-being of the people responsible for defending them.

In the end, defending critical infrastructure is not only about technology; it’s about endurance. And endurance requires care, balance, and the recognition that cybersecurity is a human mission as much as a technical one.

Brian Harrell currently serves as the Chief Security Officer for a large energy company with assets and operations in 25 states. He is a former Assistant Secretary for Infrastructure Protection at the Department of Homeland Security. 

David Mussington, CISSP, served as CISA’s Executive Assistant Director for Infrastructure Security and now serves as Professor of the Practice at the University of Maryland.

The post The realities of CISO burnout and exhaustion appeared first on CyberScoop.

OpenAI releases ‘Aardvark’ security and patching model 

A new security-focused AI model released Thursday by OpenAI aims to automate bug hunting, patching and remediation.

The model, powered by ChatGPT-5 and given the name Aardvark, has been used internally at OpenAI and among external partners. Currently offered in an invite-only Beta, it’s designed to continuously scan source code repositories to find known vulnerabilities and bugs, assess and prioritize their potential severity, then patch and remediate them.

In a blog post published on the company’s website, OpenAI claims that Aardvark “does not rely on traditional program analysis techniques like fuzzing or software composition analysis.”

“Instead, it uses LLM-powered reasoning and tool-use to understand code behavior and identify vulnerabilities,” the blog stated. “Aardvark looks for bugs as a human security researcher might: by reading code, analyzing it, writing and running tests, using tools, and more.”

An illustration of how Aardvark, OpenAI’s new security model, works to identify, analyze and then remediate vulnerabilities. (Source: OpenAI)

OpenAI says Aardvark can also develop threat models based on the contents of a repository and project security goals and design, sandbox vulnerabilities to test their exploitability, annotate problematic code and submit proposed patches for human review.

In addition to finding security vulnerabilities, the company said Aardvark has shown the potential to spot logic and privacy bugs in code bases, and identified 92% of known and synthetically introduced vulnerabilities in unspecified “golden” repositories. Members of the open source community who operate noncommercial repositories will be able to use the scanner for free.

The company recently updated its coordinated vulnerability disclosure process in September, rolling out changes that include no longer committing to strict disclosure timelines, which OpenAI said can “pressure developers,” and placing more emphasis on broader ecosystem security. The Beta version of the model is currently open to select research partners, and OpenAI said it plans to broaden the tool’s use over time as it refines detection, validation and reporting capabilities.

“By catching vulnerabilities early, validating real-world exploitability, and offering clear fixes, Aardvark can strengthen security without slowing innovation,” the blog stated.

Aardvark’s release reflects OpenAI’s desire to leverage its technology for automated vulnerability scanning and remediation, a field where large language models have shown increasing promise and potential over the past year. The company said Aardvark has identified 10 vulnerabilities thus far that have received Common Vulnerabilities and Exposures (CVE) entries.

Other companies, such as startup XBOW, have been able to develop AI security models over the past year that can ride to the top of bug bounty leaderboards at HackerOne and BugCrowd, run day and night and identify and fix hundreds of vulnerabilities.

XBOW founder Oege de Moor, who previously led GitHub Next, the company’s software research and development division, told CyberScoop in July that its model receives some human guidance on the front end and manual validation on the back end, but otherwise runs autonomously during its bug hunting.

While vulnerability research experts have described models like XBOW as more useful for high-volume, low-impact bugs, the company has attempted to showcase the evolving model’s ability to tackle higher complexity bugs and exploits.

An automated program to address the thousands of low-severity bugs plaguing the internet, while freeing up human operators to tackle higher complexity vulnerabilities, would still have tremendous value. Some security experts point out that large cyber intrusions and multi-stage malware attacks are often less about exploiting zero days or high severity bugs and more about chaining together lower- and medium-impact flaws that exist in unpatched systems.

But another consideration around these models is the sheer energy they consume. De Moor said that while XBOW had solved thousands of bugs and received bug bounties and awards for its work, those earnings aren’t enough to cover the total compute costs to run XBOW over that time.

The post OpenAI releases ‘Aardvark’ security and patching model appeared first on CyberScoop.

WEBCAST: Blue Team-Apalooza

Kent Ickler & Jordan Drysdale // Preface We had a sysadmin and security professional “AA” meeting on November 8, 2018. We met and discussed things that seem to be painfully […]

The post WEBCAST: Blue Team-Apalooza appeared first on Black Hills Information Security, Inc.