< ciso
brief />

Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News

all posts →

Critical wp2shell RCE in WordPress core requires patch

🔒 Public proof-of-concept exploits have been released for the critical "wp2shell" pre-authentication remote code execution chain affecting WordPress Core. The attack combines two flaws, CVE-2026-63030 and CVE-2026-60137, impacting WordPress 6.9.x and 7.0.x, prompting forced auto-updates to versions 6.9.5 and 7.0.2. Administrators are urged to patch immediately or apply temporary WAF/REST API mitigations while updates are applied.
read more →

Microsoft warns of surge in ACR Stealer attacks

🛡️ Microsoft reports a marked increase in attacks leveraging ACR Stealer, an info-stealing MaaS that exfiltrates browser passwords, tokens, and sensitive documents from enterprise environments. Between late April and mid‑June, threat actors used social engineering (ClickFix), WebDAV servers, and mshta.exe to deliver obfuscated PowerShell loaders, Python-based installers, and in-memory payloads. The actor abuses GUID-based WebDAV paths, steganographic JPEGs, and public blockchains as dead-drop resolvers to mask activity and maintain C2 communications. Microsoft recommends filters, application control, and limiting access to unnecessary web resources to reduce exposure.
read more →

Gemini lock-screen flaw lets messages be sent

🔒 Google is fixing a vulnerability that lets an attacker with physical access to a locked Android 16 device use Gemini to send SMS and WhatsApp messages without entering a PIN. Reports since May show the bypass exploits Gemini's Deep Research and a specific multi-touch gesture to circumvent authentication. Google says a patch is imminent; meanwhile, users should restrict Gemini's lock-screen access to limit exposure.
read more →

Critical WordPress core flaw enables anonymous RCE

🔒 WordPress patches a critical pre-auth remote code execution (RCE) in core that an anonymous HTTP request could exploit on default installs. Researcher Adam Kues of Assetnote reported the issue as wp2shell, and WordPress released versions 6.9.5 and 7.0.2 on July 17, 2026, to remediate affected 6.9.x and 7.0.x releases. Owners should verify their exact version and apply updates; Searchlight offers a checker and temporary mitigations for the REST batch endpoint.
read more →

Abbott investigates dual cybersecurity incidents amid claims

🔍 Abbott Laboratories is probing two separate cybersecurity incidents after confirming unauthorized access to legacy Exact Sciences systems within its Cancer Diagnostics business and investigating a separate claim of a breach of its LabCentral portal. The company says the Cancer Diagnostics intrusion does not affect operations, products, manufacturing, or patient services and that legacy systems are separate from Abbott's main environment. Abbott engaged incident response teams, notified law enforcement, and does not expect a material business impact. The extortion gang ShinyHunters and another actor, ShadowByt3$, each claim to have exfiltrated different sets of data, though Abbott disputes some characterizations.
read more →

OpenSSL HollowByte memory-exhaustion flaw analysis

🛡️ OpenSSL received a silent June fix for a denial-of-service issue Okta branded "HollowByte," which causes servers to allocate up to 131 KB per TLS ClientHello before the body arrives. The bug lets attackers exhaust connections and, on glibc systems, fragment the heap so freed memory remains resident until process restart. Fixed releases are 4.0.1, 3.6.3, 3.5.7, 3.4.6, and 3.0.21 dated June 9, but OpenSSL chose to treat the change as a "bug or hardening" without a CVE, advisory, or changelog note.
read more →

Cloudflare deploys WAF rules for WordPress RCE and SQLi

🛡️ Cloudflare has deployed new Web Application Firewall protections to block two critical WordPress vulnerabilities: an unauthenticated RCE in the REST API and a related SQL injection. The rules, activated on July 17, 2026 at 17:03 UTC, protect all proxied customers including Free plans. Customers should still apply WordPress patches (7.0.2 and backports) and ensure Managed Rules remain set to Block while monitoring Security Events.
read more →

HollowByte DoS in OpenSSL bloats server memory

🛡️ Okta researchers disclosed a DoS flaw named HollowByte that lets unauthenticated attackers bloat OpenSSL server memory by sending an 11-byte payload with a forged header. Vulnerable OpenSSL versions allocate memory based on the claimed message length before receiving the payload, then block waiting for data that never arrives, causing heavy heap fragmentation and long-lived RSS growth. The OpenSSL team silently fixed the issue and backported the patch to multiple release lines; administrators are urged to upgrade to the patched versions immediately.
read more →

OnlyFans creators help CISOs curb site abuse

🔒 Security researchers report that OnlyFans creators are using DMCA takedown rights and search engine mechanisms to disrupt scam networks that host stolen adult content on compromised government and university websites. These operations — called SEO parasites — route traffic from hijacked entry pages to monetized scam or malware sites. The takedowns not only remove illicit content from search results but also prompt site owners to investigate and remediate vulnerabilities.
read more →

Amazon GameLift Streams adds IAM role support

🔐 Amazon GameLift Streams now allows assigning an IAM role to a stream session so streamed applications can securely access AWS resources like Amazon S3 and DynamoDB. By passing a RoleArn when starting a session, applications receive short-lived, auto-refreshing credentials via the standard AWS SDK credential chain with no code changes. The service validates role configuration at session start and the console offers a pre-filled trust policy template for easy setup; the feature is available in all Regions where GameLift Streams runs.
read more →

One‑click migration to Amazon OpenSearch UI

🔄 Amazon OpenSearch Service now provides one‑click migration from legacy OpenSearch Dashboards to the new OpenSearch UI for both domains and serverless collections. This serverless, zero‑downtime interface enables unified observability and search across data sources while preserving tenants and saved objects. You can migrate into new or existing OpenSearch UI workspaces and choose whether to consolidate or retain multiple tenants per team. The capability is available in all Regions where OpenSearch UI is offered and is documented in the OpenSearch UI Help and Amazon OpenSearch Service Developer Guide.
read more →

Shadow Token via Remote Debug: OAuth mailbox hijack

🔒 Kaspersky researchers describe a covert technique named Shadow Token via Remote Debug (STRD) used by the ToddyCat APT to gain persistent access to Google Workspace mailboxes without user interaction. The attackers deploy malware (Umbrij) that duplicates a browser profile, launches a headless debugging browser, and programmatically authorizes a third-party OAuth app to obtain an access token. This approach can survive password resets and evades endpoint detection when properly executed.
read more →

Global IAM Data Governance Tags for BigQuery

🔒 This post introduces the preview of IAM data governance tags for BigQuery column-level security. Built on Google Cloud Resource Manager tags with purpose=DATA_GOVERNANCE, these tags are global, support hierarchical classification up to five levels, and are replicated for disaster recovery. The article explains creating tag keys/values, attaching tags to columns via JSON or SQL, and defining regional BigQuery data policies for masking or raw access. It highlights decoupled governance, regional policy enforcement, and layered security requirements.
read more →

Thirteen demos for Gemini Enterprise Agent Platform

🔎 This post introduces 13 code-first demos for the Gemini Enterprise Agent Platform, showing how to build, scale, govern, and optimize agents using the ADK and Agents CLI. The demos range from an ADK foundation codelab and MCP data connectors to stateful deployment on Agent Runtime, event-driven long-running workflows, and production-grade governance with Agent Gateway and Model Armor. Each demo teaches practical patterns — from UI generation and multi-language A2A pipelines to test-driven security, AutoRater evaluations, and cross-framework orchestration — so teams can prototype locally and then deploy and monitor agents at enterprise scale.
read more →

Microsoft at Black Hat USA 2026: Defending Trust

🔒 At Black Hat USA 2026, Microsoft Security highlights how threat actors exploit trusted systems—software, developer workflows, identities, and AI—to scale attacks. Sessions and briefings across August 4–6 focus on supply chain compromises, AI security, and practical defense strategies. Visit booth #2144 for demonstrations, expert-led services, and community events including a reception on August 5.
read more →

HyperPod adds partition-level network topology for Slurm

🧭 Amazon SageMaker HyperPod now supports partition-level network topology configuration for Slurm clusters, allowing a single cluster to run different topologies (tree or block) per partition. HyperPod auto-detects topology from instance types—UltraServer types map to block and hierarchical-interconnect types map to tree—while partitions without topology data remain schedulable. The feature is enabled by default for Slurm 25.11+ and is available in all Regions that support HyperPod.
read more →

Ransomware Now Disrupts a Government Every Day

🔒 Analysis from Comparitech finds ransomware attacks on government agencies rose in early 2026, averaging one incident per day. The study recorded 187 attacks from January to June 2026, a 13% increase from late 2025, with just over half publicly confirmed. The US was the most targeted country (31%), mean demands were around $100,000, and groups like The Gentlemen, Qilin and LockBit were prominent. Experts stress timely patching, backups and staff training to reduce risk.
read more →

Ernst & Young discloses support system data breach

🔒 Ernst & Young has notified clients of a data breach after a third-party support ticket system used by its IT staff was compromised. The company says support tickets may have contained documents with client tax information and that unauthorized access occurred between March 28 and April 12. EY detected anomalous activity on April 23, engaged external cybersecurity experts, secured systems, and notified law enforcement. Affected clients are offered 24 months of identity monitoring through Experian.
read more →