Top #CVE to prioritize 👀 - @Android Framework #privesc (CVE-2025-48595) - @SolarWinds Serv-U (CVE-2026-28318) - @Cisco Catalyst SD-WAN Manager (CVE-2026-20245) - @Cisco Unified Communications Manager (CVE-2026-20230) - @Acer Wave 7 routers (CVE-2026-49200/49201) - @UniFi OS Server (CVE-2026-34908/34909) - @Google Chrome (CVE-2026-10881/10882/10883) - #MCP Toolbox (CVE-2026-9739) - @Ivanti ISTM (CVE-2026-9614) - @Atlassian Bamboo Data Center #RCE (CVE-2026-27727)

Eight US agencies published a warning about cyberattacks on fuel tank monitoring systems.  These systems monitor fuel levels, temperature, and leak detection at gas stations and transportation hubs. Attackers gained access and changed settings on these systems. The attack vectors listed were simple: authentication bypass, hardcoded creds, default passwords, OS command injection, SQLi. Almost every week, we see attacks hitting critical infra that use default passwords or have an admin console exposed to the internet. Ensure the basics are taken care of. If you keep default passwords on admin console exposed to the internet, what do you expect? 😑

@AnthropicAI published "#ZeroTrust for #AI #agents". A very interesting read, I highly recommend it. The most important part is the shift in assumption. Agents are not just chatbots anymore. They can read docs, call APIs, open pull requests, trigger workflows, write code, and sometimes execute. That means they are becoming a new kind of identity inside the company. And this identity is not very reliable. It can be influenced by prompts. It can misunderstand context. It can act faster than a human watching it. That changes the security model. Until now, we designed access around humans and service accounts. Agents are not human users, nor are they normal service accounts. But they still hold credentials, can call tools, and touch real systems. That makes can prompt-level guardrails useful. But not enough. Real enforcement has to sit outside agents: → Give them less access → Make their credentials short-lived → Put them in a sandboxed environment → Log every important action → Whitelist their tools Assume the agent will eventually do something unexpected. It always does, doesn’t it? 🤔 The PDF is free. Link in replies.

@CISACyber left AWS #GovCloud keys, tokens, and plaintext passwords exposed in a public GitHub repo. A contractor created #PrivateCISA, disabled secret-blocking, and likely used it to sync files between work and home computers. @GitGuardian found it. Another researcher confirmed some exposed AWS keys still worked. After the repo was taken down, the keys reportedly remained valid for another 48 hours. This can happen to anyone, even #CISA. 😑

@Verizon issued a 2026 Data Breach Report: 48% of breaches involved supply chain compromise; 67% of employees use unauthorized GenAI at work. The lesson? The industry is obsessed with AI in SAST, pentesting, and SOC. Fair. But we still see plaintext passwords, exposed cloud keys, poisoned extensions, and irresponsible public exploit disclosures. Maybe the priority isn’t "more AI security," but getting the basics right?

#AI is now finding more bugs than #humans. @Microsoft May #PatchTuesday included 16 vulnerabilities found by #MDASH, their new AI system that orchestrates over 100 specialized agents. Four of those were critical #RCE in the Windows kernel. @PaloAltoNtwks doubled its typical monthly advisories and said most findings came from AI models scanning their code. @mozilla found 271 bugs in @firefox using #Mythos last month, then used the same approach again.

And honestly, I side with Linus on this. The majority of vendors are now running AI against their own code, and the patches are coming in waves. Buckle up and prepare for a ride.😑 See top #CVE below. Have you embraced #AI for #security checks? How is your team handling the volume of #critical #vulns?

Me every Friday 😀 I know it’s only Wednesday, but this pic was too good not to share. Are you feeling the same sometimes? Do I have @harrypotter fans here? Let's connect! ⤵️

Two new @Linux Privilege Escalation vulnerabilities were disclosed. Security researchers found two more serious #LPE vulnerabilities in #Linux: Copy Fail 2: #ElectricBoogaloo and #DirtyFrag. Using these vulnerabilities, an unprivileged local user can gain root-level access to the system.

A fake @OpenAI Privacy Filter repo hit #1 on @huggingface (AI “popular right now” list). 244K downloads. And it was malware. A repo was impersonating an #OpenAI open-weight model and delivered a Rust-based #infostealer to @Windows users.

On the topic of @huggingface and AI-related malware. Have you secured your AI? Do you have 2FA enabled and the memory feature off? Have you opted out of training datasets on your personal information? If not yet, you should do this (see how in first comment).