⚠️ Cisco Catalyst SD-WAN – Authenticated Privilege Escalation to Root (CVSS 7.8, CISA KEV)

CISA has added CVE-2026-20245 to its KEV catalogue following evidence of active exploitation. A command injection flaw in the CLI of Catalyst SD-WAN Manager (vManage), Controller (vSmart), and Validator (vBond), caused by insufficient validation of user-supplied input. By uploading a crafted file, an authenticated local attacker with netadmin privileges can execute arbitrary commands and elevate to root.

Affected: Cisco Catalyst SD-WAN Controller, Manager, and Validator, regardless of device configuration.

Mitigation: Cisco recommends upgrading to the fixed software documented in the Catalyst SD-WAN Security Advisory, and verifying the configuration of edge devices. Before upgrading, run request admin-tech on each control component to preserve potential indicators of compromise, then monitor per Cisco's advisory.

Modat Magnify Query: product="Cisco Catalyst SD-WAN Manager" OR product="Cisco Catalyst SD-WAN Controller"

The platform: magnify.modat.io/
Reference: sec.cloudapps.cisco.com/secu…

#threatintel #vulnerability #CVE202620245 #Cisco #SDWAN #PrivEsc #infosec #ModatMagnify
Jun 11
Newest: CVE-2026-20245, June 4, authenticated command injection in Catalyst SD-WAN Manager, root via crafted file upload, reported by Mandiant, exploited in the wild. It chains: CVE-2026-20182 (CVSS 10.0) to netadmin, then 20245 to root.
Welcome to our “Say Hello To” series — introducing the people behind the scenes at Netadmin. Meet Mudassar Majeed, our new System Architect 👋 Passionate about helping shape the next generation of Netadmin Nine. Say Hello to Mudassar: hubs.ly/Q04kRWG50
🚨 SECURITY BULLETIN: Privilege Escalation Vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20245)

Hello #Brolyz

📌 Summary of the vulnerability: CVE-2026-20245 is an input validation deficiency in the command line interface (CLI) of the Cisco Catalyst SD-WAN Controller, Manager and Validator products. A local attacker who accesses the system with "netadmin" privileges can bypass security measures by uploading a specially crafted file.

⚠️ Impact and risk (CVSS 3.1: 7.8 - High Risk): This flaw allows the attacker to perform command injection and run arbitrary commands on the operating system with "root" privileges. The most critical point: Cisco has confirmed that this vulnerability has been used in the field to push unauthorized configurations to edge devices. Attackers generally need valid credentials, or they chain different vulnerabilities to get into the system.

🛠️ Solution and recommendations: If you run a Cisco SD-WAN architecture, take these actions urgently:
1️⃣ Patch: Move immediately to the current software versions released by Cisco.
2️⃣ Audit: Review all "netadmin"-privileged accounts on your systems and terminate suspicious sessions.
3️⃣ Check: Verify the most recent configuration changes delivered to the edge devices on your network for unauthorized tampering.

🔗 Details: cve.org/CVERecord?id=CVE-...

Don't forget to apply your patches without delay. I wish you safe weeks! 🛡️
US CISA has added vulnerabilities with confirmed exploitation (#KEV) to its catalog. (Added 6/9)

🛡 No.1616 CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
=====================================
✅ Overview
・Severity: Caution, 6.8 (CVSS Base) / Arista Networks (CNA)
・Type: Incomplete comparison with missing factors (CWE-1023)
・CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
This is a vulnerability in the tunnel decapsulation processing of Arista EOS where validation of the tunnel protocol type is insufficient. When a decapsulation configuration such as VXLAN, decap-groups or GRE tunnel interfaces exists, unexpected tunnel packets destined for the configured decapsulation IP may be decapsulated and forwarded.
✅ Vulnerability assessment by ChatGPT
・Domestic impact: Medium
・Exploitation difficulty: Medium
✅ Attack prerequisites
・An affected Arista EOS-based product is in use
・A decapsulation IP such as a VXLAN VTEP, a GRE tunnel endpoint or an ip decap-group is configured
・The target device can receive packets of an unexpected tunnel protocol
・A fixed version or a mitigation such as an ACL has not been applied
✅ Impact when exploited
・Unexpected tunnel packets are decapsulated
・Unintended traffic is forwarded into internal network segments
・Communication controls based on tunnel type may be bypassed
・Assumptions underlying network segmentation and route control may break down
✅ Public information on exploitation
・PoC/Exploit: Partially public (technical information only)
・ITW: Confirmed (Arista Networks). Arista Networks reported that the vulnerability was exploited in real environments.
✅ Related information
・nvd.nist.gov/vuln/detail/CVE… arista.com/en/support/adviso…

🛡 No.1617 CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
=====================================
✅ Overview
・Severity: Important, 8.8 (CVSS Base) / CISA-ADP
・Type: Out-of-bounds read (CWE-125), out-of-bounds write (CWE-787)
・CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This is an out-of-bounds read and write vulnerability in V8 in Google Chrome. In versions of Google Chrome before 149.0.7827.103, a remote attacker may be able to execute arbitrary code inside the sandbox via a crafted HTML page.
✅ Vulnerability assessment by ChatGPT
・Domestic impact: High
・Exploitation difficulty: Medium
✅ Attack prerequisites
・A version of Google Chrome before 149.0.7827.103 is in use
・The attacker gets the user to open a crafted HTML page
・V8 processes that content
・A fixed version has not been applied
✅ Impact when exploited
・Arbitrary code is executed inside the sandbox
・Memory corruption is triggered
・Information inside the browser may be accessed without authorization
・May lead to further compromise in combination with other vulnerabilities
✅ Public information on exploitation
・PoC/Exploit: No public information found
・ITW: Confirmed (Google). Google states in its advisory that it is aware that an exploit exists.
✅ Related information
・nvd.nist.gov/vuln/detail/CVE… chromereleases.googleblog.co…

🛡 No.1618 CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
=====================================
✅ Overview
・Severity: Important, 7.8 (CVSS Base) / Cisco Systems, Inc. (CNA)
・Type: Improper encoding or escaping of output (CWE-116)
・CVSS: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
This is a vulnerability in the CLI of Cisco Catalyst SD-WAN Controller, Catalyst SD-WAN Manager and Catalyst SD-WAN Validator. An authenticated local attacker may be able to execute arbitrary commands as root by uploading a crafted file to the target system.
✅ Vulnerability assessment by ChatGPT
・Domestic impact: High
・Exploitation difficulty: High
✅ Attack prerequisites
・An affected Cisco Catalyst SD-WAN Controller, Manager or Validator is in use
・The attacker holds netadmin privileges on the target system
・The attacker can upload a crafted file to the target system
・Fixed software has not been applied
✅ Impact when exploited
・Arbitrary commands are executed with root privileges
・Privileges are escalated on the SD-WAN management platform
・Unauthorized configuration changes may be pushed to edge devices
・Control and operation of the SD-WAN environment may be affected
✅ Public information on exploitation
・PoC/Exploit: No public information found
・ITW: Confirmed (Cisco Systems, Inc.). Cisco has announced that it has observed limited cases.
✅ Related information
・nvd.nist.gov/vuln/detail/CVE… sec.cloudapps.cisco.com/secu… cisa.gov/news-events/alerts/…
#vulnerability
The attack chain: gain netadmin access via stolen creds or by chaining earlier SD-WAN CVEs, then push arbitrary config changes to edge devices across the entire fabric. Exploitation was occurring before the advisory was published.
🔴 SOC OPERATIONS

The breach was three alerts. Nobody connected them.

Jun 8, 2026 · 6 min read
────────────────────────────────────────

Picture three tickets in your queue, opened over three different weeks, closed by three different analysts who never spoke to each other.

The first: an authentication anomaly on an SD-WAN controller. Odd, but it resolved, and the controller kept running. Closed.

The second: a new SSH key showed up in an admin account's authorized-keys file. Probably the network team during a maintenance window. Closed.

The third: a configuration change pushed out to the edge devices. That's literally what the platform is for. Closed.

Each one, on its own, was a shrug. Together, they were a threat actor walking from the open internet to root on your network's management plane — and then pushing their will to every device downstream.

## The chain Cisco documented this month

This isn't hypothetical. On June 5, 2026, Cisco disclosed its seventh SD-WAN zero-day of the year. Read the advisories together and they describe an end-to-end path, link by link:

• CVE-2026-20127 — get in. A maximum-severity authentication bypass on the Catalyst SD-WAN Controller. An unauthenticated, remote attacker sends crafted requests and gains high-privileged internal access. Cisco Talos has tracked a sophisticated actor, UAT-8616, abusing this since at least 2023.

• CVE-2026-20182 — get privileged. A second authentication bypass lets the attacker become an authenticated peer of the appliance and inject their own public key into the vmanage-admin account's authorized SSH keys. That's the quiet alert in the middle: a key that shouldn't be there. They now hold netadmin.

• CVE-2026-20245 — get root. With netadmin in hand, a crafted file upload to the SD-WAN Manager CLI runs arbitrary commands as root. Cisco observed exploitation in the wild — discovered by Mandiant — and, in limited cases, a configuration change pushed to edge devices. There is no patch yet and no workaround.

Cisco's advisory for that last bug explicitly names the first two as the way to obtain the netadmin precondition. The vendor itself drew the line connecting the dots. The question is whether your SOC would have.

A breach is almost never one alert. It's a sequence — across systems, across privilege levels, across time. Attackers think in chains. Most defenses still triage in singletons.

## Why three real alerts read as three non-events

None of these links trips a five-alarm fire on its own. The first is an "authentication anomaly" — a category your team sees hundreds of times a week, almost all benign. The second is a configuration-file change on an admin account — indistinguishable, at a glance, from legitimate operations. The third, the root-level one, scores a moderate 7.8 and surfaces as a routine config push, which is the platform's entire job.

So they land in different queues. The controller alert goes to whoever owns network infrastructure. The SSH-key change goes to whoever watches identity. The config push may not alert at all. Three people, three contexts, three independent "looks fine to me" decisions. The correlation that turns three shrugs into one breach never happens, because no single human is holding all three at once.

This is the coverage gap that volume created. It isn't that analysts are careless — it's that the breach only exists in the relationships between alerts, and human triage is structurally built to look at one alert at a time.

## Totality is the answer to chains

You don't close this gap by tuning any single detection to be louder. The controller bypass should be a low-confidence alert in isolation. So should an SSH-key change. Crank them all to critical and you've simply moved alert fatigue, not fixed i...

────────────────────────────────────────
📰 Full analysis on The Signal: n0limit.com/blog.html#three-… #cybersecurity #threatintel #infosec
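The three-stage sequence the post describes (controller auth anomaly, then an SSH key added to an admin account, then a config push) is exactly what a stateful chain correlator can join across weeks. This is an added example, not code from the post or from any SIEM; the alert records, their field names and the 30-day window are constructed for it.

```python
"""Added example: correlate three low-severity SD-WAN alerts into one chain
finding.  Alert records below are constructed; map the stage names onto the
alert types your own SIEM emits."""
from datetime import datetime, timedelta

# Ordered stages of the chain; each must occur after the previous one on the
# same management host.  Stage names are assumptions for this example.
CHAIN = ["auth_anomaly", "ssh_key_added", "config_push"]
WINDOW = timedelta(days=30)   # max spread between first and last stage

# Constructed alerts: (timestamp, host, alert_type, detail)
ALERTS = [
    ("2026-05-12T03:14:00", "sdwan-ctrl-01", "auth_anomaly", "peer auth without valid session"),
    ("2026-05-19T22:41:00", "sdwan-ctrl-01", "ssh_key_added", "vmanage-admin authorized_keys +1"),
    ("2026-06-01T09:05:00", "sdwan-ctrl-01", "config_push", "template pushed to 214 edges"),
    # benign: a routine push with nothing before it on this host
    ("2026-06-02T10:00:00", "sdwan-ctrl-02", "config_push", "scheduled template refresh"),
    # benign: full sequence, but the first stage is far outside the window
    ("2026-01-03T08:00:00", "sdwan-ctrl-03", "auth_anomaly", "stale anomaly"),
    ("2026-06-03T08:00:00", "sdwan-ctrl-03", "ssh_key_added", "maintenance key"),
    ("2026-06-04T08:00:00", "sdwan-ctrl-03", "config_push", "maintenance push"),
]


def parse(alerts):
    """Parse timestamps and return the alerts in chronological order."""
    return sorted((datetime.fromisoformat(t), h, k, d) for t, h, k, d in alerts)


def find_chains(alerts, chain=CHAIN, window=WINDOW):
    """Return one finding per host on which every stage of `chain` occurred
    in order within `window`.  Partial progress is tracked per host, and each
    alert is compared only against the next expected stage, so out-of-order
    or unrelated alerts on the same host are ignored rather than resetting it."""
    progress = {}    # host -> list of (stage, timestamp, detail) matched so far
    findings = []
    for ts, host, kind, detail in parse(alerts):
        matched = progress.setdefault(host, [])
        if matched and ts - matched[0][1] > window:
            matched.clear()          # chain went stale; start over from stage 0
        if kind != chain[len(matched)]:
            continue
        matched.append((kind, ts, detail))
        if len(matched) == len(chain):
            findings.append({
                "host": host,
                "first": matched[0][1].isoformat(),
                "last": ts.isoformat(),
                "stages": [m[0] for m in matched],
                "details": [m[2] for m in matched],
            })
            progress[host] = []      # reset so a second chain can be caught
    return findings


if __name__ == "__main__":
    for finding in find_chains(ALERTS):
        print(f"CHAIN on {finding['host']}: {finding['first']} -> {finding['last']}")
        for stage, detail in zip(finding["stages"], finding["details"]):
            print(f"  {stage:14} {detail}")
```

Only `sdwan-ctrl-01` produces a finding; the host with a stale anomaly and the host with a lone config push both stay silent, which is the point: the individual alerts keep their low severity and only the ordered sequence escalates.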
Replying to @Senshin108
As long as you allow NetAdmin root-level access without a full authentication key in hand that allows the op to access the root from these cloud/AI system admin modules, you are going to have infiltration into any internet connected system. That's the problem with cloud security.
🚨 New Cisco SD-WAN vulnerability under active exploitation. CVE-2026-20245 lets authenticated netadmin attackers run commands as root via crafted file uploads. No patches or mitigations are available. Check /var/log/scripts.log for IoCs. Read: thehackernews.com/2026/06/ci…
Just confirmed: a zero-day privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager, identified as CVE-2026-20245, is being exploited by attackers. Cisco Catalyst SD-WAN Manager is the affected product, and netadmin privileges are required to exploit this vulnerability, which means attackers need valid credentials or must exploit other vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. The impact is serious, since attackers can gain unauthorized access with redadmin privileges on the affected systems, which could lead to a loss of control and of data confidentiality. No patch is available yet, so system administrators must take measures to protect their networks and systems. Is there a contingency plan for this kind of situation? Are you at risk? Check this: review the access logs and adjust netadmin permissions to minimize the risk of exploitation. helpnetsecurity.com/2026/06/…
Exploitation of a new zero-day (CVE-2026-20245) in Cisco's SD-WAN centralized management product, one that allows taking root privileges, has been reported. Exploitation requires netadmin privileges, obtained either with legitimate credentials or by exploiting the previously covered authentication bypass (CVE-2026-20182 and others). Using that as a foothold, uploading a crafted file is said to allow escalation to root through command injection. No patch is available and there is no workaround, and in some cases configuration changes delivered to edge devices as a result of exploitation have reportedly been confirmed.

Because no patch is out, Cisco recommends upgrading to the fixed release for CVE-2026-20182 published on May 14 and checking edge device configurations. If compromise is confirmed, applying the fixed release alone does not resolve it; individual handling by Cisco support (TAC) is reportedly required.

[Key points]
・The target is Cisco Catalyst SD-WAN Manager; all environments, on-premises, Cloud-Pro, Cloud Managed and FedRAMP, are affected, and there is no workaround. Reported by Mandiant
・Command injection caused by insufficient input validation; an authenticated local attacker uploading a crafted file reportedly leads to command execution with root privileges. CVSS is 7.8 (High)
・The prerequisite for exploitation is holding netadmin privileges, either through legitimate credentials or by exploiting the authentication bypasses CVE-2026-20182 or CVE-2026-20127; successful exploitation by any other means has reportedly not been confirmed
・In limited cases, Cisco observed configuration changes being delivered to edge devices as a result of exploitation
・The IoCs for detection are upload traces, such as tenant lists, left in the script execution log (scripts[.]log). However, all of them are legitimate commands, so legitimate use and exploitation reportedly cannot be distinguished in the log

See the following for details: sec.cloudapps.cisco.com/secu…
A serious vulnerability in Cisco's SD-WAN management platform, with real attacks confirmed, has come to light. Simply by uploading a crafted file, an attacker can execute arbitrary commands on the management system and ultimately seize root privileges. It has already been exploited in limited attacks, and tampering with network device configurations has also been confirmed.

Cisco has published CVE-2026-20245, a privilege escalation vulnerability in Catalyst SD-WAN Manager. The problem stems from insufficient input validation in the command line interface and occurs because user input is not properly sanitized when uploaded files are processed. By uploading a specially crafted file, an attacker can trigger command injection and obtain root privileges. The attack requires authenticated netadmin-level privileges, but Cisco warns that it may be exploited in combination with other vulnerabilities such as CVE-2026-20182 and CVE-2026-20127.

According to Cisco PSIRT, this vulnerability has already been exploited in a limited way in real environments, and attackers delivered unauthorized configuration changes to SD-WAN edge devices. This could lead to persistence, lateral movement, and manipulation of communication paths.

All Catalyst SD-WAN Manager environments are affected, including the on-premises, cloud, Cloud-Pro, and FedRAMP versions. Environments that expose the management interface to the internet are at particularly high risk. At present no dedicated patch is available and there is no workaround, but Cisco recommends that administrators check scripts.log and collect forensic data with "request admin-tech". This vulnerability was reported by Mandiant. cybersecuritynews.com/cisco-…
Unpatched zero-day vulnerability in Cisco SD-WAN. CVE-2026-20245 is command injection via the CLI. Requires netadmin privileges. Exploitation officially confirmed by Cisco. No mitigation. securityonline.info/cisco-sd…
Replying to @Cardoso
I was the sysadmin/netadmin at a big company, and they freed up some money for us to redo everything. So I set up meetings with a whole bunch of companies: systems consultancies, hardware vendors, software, networking, virtualization, security... and it was great. The first meeting was always some big shots, with me and my boss, exchanging ideas; I explained the project, and the boss handed the hat to me. So they knew me - a young guy, no wedding ring, well dressed, sharp - and from the second meeting onward, for all the remaining ones, the companies always sent a FEMALE "consultant who was (sic) more qualified to help with my project" 😬😉
Hilariously we see this in IT as well. Devs are expected to handle all sorts of sys/netadmin and preventive security work, and admins are expected to be advanced programmers. You could say devops is the end result of this expectation.
When your netadmin decided to dress up #MetGala2026 #MetGala
I am very serious about this, and beginners need to take note of all the cyber security myths...that you can get an entry level role in cyber security. Rather, you start with SysAdmin or NetAdmin before completely transitioning. For one to work fully in cyber security, one has to be very good with his craft
Cyber Security is a full time role and not an entry level job >>>>
Replying to @LukasMau__
Haha, in a previous job everyone was on Mac (devs, sysadmin, netadmin, boss, secretary... all of them). We had ONE PC for one (crappy) piece of software, and every time they needed it we had to fix some new mess. Everything else: no problem, it just works.
Replying to @kmcnam1
It's just the most efficient way to be a nerd. It's not even just IT/sysadmin/infosec/netadmin, it's also true for theater nerds, or broadcast nerds, or music nerds.
AWS intruder pulled off AI-assisted cloud break-in in 8 mins | Jessica Lyons, The Register

AWS intruder achieved admin access in under 10 minutes thanks to AI assist, researchers say

LLMs automated most phases of the attack

A digital intruder broke into an AWS cloud environment and in just under 10 minutes went from initial access to administrative privileges, thanks to an AI speed assist.

The Sysdig Threat Research Team said they observed the break-in on November 28, and noted it stood out not only for its speed, but also for the "multiple indicators" suggesting the criminals used large language models to automate most phases of the attack, from reconnaissance and privilege escalation to lateral movement, malicious code writing, and LLMjacking - using a compromised cloud account to access cloud-hosted LLMs.

"The threat actor achieved administrative privileges in under 10 minutes, compromised 19 distinct AWS principals, and abused both Bedrock models and GPU compute resources," Sysdig's threat research director Michael Clark and researcher Alessandro Brucato said in a blog post about the cloud intrusion. "The LLM-generated code with Serbian comments, hallucinated AWS account IDs, and non-existent GitHub repository references all point to AI-assisted offensive operations."

The attackers initially gained access by stealing valid test credentials from public Amazon S3 buckets. The credentials belonged to an identity and access management (IAM) user with multiple read and write permissions on AWS Lambda and restricted permissions on AWS Bedrock. Plus, the S3 bucket also contained Retrieval-Augmented Generation (RAG) data for AI models, which would come in handy later during the attack.

To prevent this type of credential theft, don't leave access keys in public buckets. Sysdig recommends using temporary credentials for IAM roles, and for organizations that insist on granting long-term credentials to IAM users, make sure you rotate them periodically.

After unsuccessfully trying usernames such as "sysadmin" and "netadmin" typically associated with admin-level privileges, the attacker ultimately achieved privilege escalation through Lambda function code injection, abusing the compromised user's UpdateFunctionCode and UpdateFunctionConfiguration permissions: They replaced the code of an existing Lambda function named EC2-init three times, iterating on their target user. The first attempt targeted adminGH, which, despite its name, lacked admin privileges. Subsequent attempts eventually succeeded in compromising the admin user frick.

The security sleuths note that the comments in the code are written in Serbian - likely indicating the intruder's origin - the code itself listed all IAM users and their access keys, created access keys for frick, and listed S3 buckets along with their content.

Code writing for LLMs 101

Plus, the attacker's code contained "comprehensive" exception handling, according to the security sleuths, including logic to limit S3 bucket listings and an increase to the Lambda execution timeout from three seconds to 30 seconds. These factors, combined with the short time from credential theft to Lambda execution, "strongly suggest" the code was written by an LLM, according to the threat hunters.

Next, the miscreant set about collecting account IDs and attempting to assume OrganizationAccountAccessRole in all AWS environments. Interestingly, they included account IDs that did not belong to the victim organization: two with ascending and descending digits (123456789012 and 210987654321), and one ID that appeared to belong to a legitimate external account.

"This behavior is consistent with patterns often attributed to AI hallucinations, providing further potential evidence of LLM-assisted activity," Clark and Brucato wrote.

In total, the attacker gained access to 19 AWS identities, including six different IAM roles across 14 sessions, plus five other IAM users.

And then, with the new admin user account they had created, the crims snarfed up a ton of sensitive data: secrets from Secrets Manager, SSM parameters from EC2 Systems Manager, CloudWatch logs, Lambda function source code, internal data from S3 buckets, and CloudTrail events.

LLMjacking attacks

They then turned to the LLMjacking part of the attack to gain access to the victim's cloud-hosted LLMs. For this, they abused the user's Amazon Bedrock access to invoke multiple models including Claude, DeepSeek, Llama, Amazon Nova Premier, Amazon Titan Image Generator, and Cohere Embed.

Sysdig notes that "invoking Bedrock models that no one in the account uses is a red flag," and enterprises can create Service Control Policies (SCPs) to allow only certain models to be invoked.

After Bedrock, the intruder focused on EC2, querying machine images suitable for deep learning applications. They also began using the victim's S3 bucket for storage, and one of the scripts stored therein looks like it was designed for ML training - but it uses a GitHub repository that doesn't exist, suggesting an LLM hallucinated the repo in generating the code.

While the researchers say they can't determine the attacker's goal - possibly model training or reselling compute access - they note that the script launches a publicly accessible JupyterLab server on port 8888, providing a backdoor to the instance that doesn't require AWS credentials. However, they terminated the instance after five minutes for unknown reasons.

- AI agents can't yet pull off fully autonomous cyberattacks – but they are already very helpful to crims
- AI-powered cyberattack kits are 'just a matter of time,' warns Google exec
- Agents gone wild! Companies give untrustworthy bots keys to the kingdom
- Yes, criminals are using AI to vibe-code malware

This is the latest in examples of attackers increasingly relying on AI to help them at almost every stage in the attack chain, and some security chiefs have warned that it's just a matter of time before criminals can fully automate attacks at scale.

There are things organizations can do to defend against similar intrusions and most involve hardening identity security and access management. First off: apply principles of least privilege to all IAM users and roles. Sysdig also recommends restricting UpdateFunctionConfiguration and PassRole permission in Lambda, limiting UpdateFunctionCode permissions to specific functions and assigning them only to identities that need code deployment capabilities to do their jobs.

Also, make sure S3 buckets containing sensitive data, including RAG data and AI model artifacts, are not publicly accessible. And it's a good idea to enable model invocation logging for Amazon Bedrock to detect unauthorized usage.

We reached out to Amazon for comment, but they said they wouldn't be able to get us anything by publication time. We'll update this story with any relevant information we receive from them. ®

UPDATED AT 02:30 UTC, February 5 to add the following comment sent by AWS. “AWS services and infrastructure are not affected by this issue, and they operated as designed throughout the incident described," the company told The Reg by email. "The report describes an account compromised through misconfigured S3 buckets. We recommend all customers secure their cloud resources by following security, identity, and compliance best practices, including never opening up public access to S3 buckets or any storage service, least-privilege access, secure credential management, and enabling monitoring services like GuardDuty, to reduce risks of unauthorized activity."

The cloud giant also wants its customers who suspect or become aware of malicious activity within their AWS accounts to check out guidance for remediating potentially compromised credentials or contact AWS Support for assistance. theregister.com/2026/02/04/a…
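The hardening advice in the article comes down to scoping: UpdateFunctionCode and UpdateFunctionConfiguration tied to named functions, PassRole not granted on everything, and Bedrock invocation limited to approved models. The linter below checks IAM policy documents for exactly those unscoped grants. It is an added example, not Sysdig's or AWS's code; the two policy documents, the account ID and the model placeholder are constructed for it, and the "unscoped resource" test is a deliberately simple heuristic.

```python
"""Added example: flag IAM Allow statements that grant the Lambda/Bedrock
actions named in the article on a wildcard resource.  Policies below are
constructed; the account ID and model ID are placeholders."""
from fnmatch import fnmatchcase

# Actions the article singles out, with the reason each matters.
RISKY = {
    "lambda:UpdateFunctionCode": "replaces any function's code (the code-injection step)",
    "lambda:UpdateFunctionConfiguration": "rewires a function's role, environment and timeout",
    "iam:PassRole": "lets a function be attached to a more privileged role",
    "bedrock:InvokeModel": "unrestricted model invocation enables LLMjacking",
}

# Constructed: the kind of grant the compromised test user effectively had.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "iam:PassRole"], "Resource": "*"},
        {"Effect": "Allow", "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:*::foundation-model/*"},
    ],
}

# Constructed: the same capabilities scoped to one function and one model.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:UpdateFunctionCode", "lambda:GetFunction"],
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:EC2-init"},
        {"Effect": "Allow", "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows Action/Resource/Statement as a single string or a list."""
    return value if isinstance(value, list) else [value]


def _grants(pattern, action):
    """IAM action patterns are case-insensitive globs, e.g. 'lambda:*' or '*'."""
    return fnmatchcase(action.lower(), pattern.lower())


def _unscoped(resource):
    """Heuristic: '*', 'function:*' or 'foundation-model/*' means no scoping."""
    return resource == "*" or resource.endswith(":*") or resource.endswith("/*")


def lint_policy(policy, name="policy"):
    """Return one finding per (statement, risky action) where an Allow
    statement grants the action on an unscoped resource.  Deny statements and
    NotAction statements are skipped; they need evaluation in context."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
            continue
        broad = [r for r in _as_list(stmt.get("Resource", [])) if _unscoped(r)]
        if not broad:
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action, why in RISKY.items():
            if any(_grants(p, action) for p in patterns):
                findings.append({"policy": name, "statement": idx, "action": action,
                                 "resource": broad[0], "why": why})
    return findings


if __name__ == "__main__":
    for pol, label in ((BROAD_POLICY, "broad"), (SCOPED_POLICY, "scoped")):
        for f in lint_policy(pol, label) or [None]:
            print(f"{label}: clean" if f is None else
                  f"{label} stmt {f['statement']}: {f['action']} on {f['resource']} ({f['why']})")
```

The broad policy yields four findings, one per risky action, while the scoped policy yields none even though it still carries a wildcard `s3:ListBucket` grant, which is outside this linter's scope. In a real account the policy documents would come from `iam:GetPolicyVersion` (or `get-policy-version` in the CLI) rather than being embedded.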