<ciso brief />

Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

Cybersecurity News Digest — Daily Briefings

Latest News

CISA Adds Cisco SD-WAN CVE to KEV; FCEB Remediate Now

🔒 CISA has added CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller, to its Known Exploited Vulnerabilities catalog and requires Federal Civilian Executive Branch agencies to remediate by May 17, 2026. The flaw is rated 10.0 (CVSS) and allows an unauthenticated remote attacker to obtain administrative privileges. Cisco links active exploitation to threat cluster UAT-8616 and advises customers to follow its advisories and mitigation guidance.

AI Finds 18-Year-Old Remote Code Execution Flaw in Nginx

🔍 Researchers using an LLM-powered platform discovered a critical 18-year-old heap buffer overflow in Nginx that can enable remote code execution under certain conditions. Tracked as CVE-2026-42945, it resides in ngx_http_rewrite_module and affects versions 0.6.27 through 1.30.0. Patches were released in 1.31.0 and 1.30.1 and in Nginx Plus releases; several F5 products remain pending updates. Exploitation can cause server crashes and, without ASLR, may allow arbitrary code execution.

TeamPCP Offers Mistral AI Code Repositories for Sale

🔒 Mistral AI says the TeamPCP group is offering nearly 450 repositories allegedly stolen from the company’s codebase, demanding a $25,000 buy‑it‑now price and threatening to leak the files within a week if unsold. The hackers claim about 5 gigabytes of internal source code used for training, fine‑tuning, benchmarking, model delivery, and inference was exfiltrated after a compromise tied to the Mini Shai-Hulud supply‑chain attack and tampered TanStack packages. Mistral confirmed some SDK packages were contaminated briefly but says forensic analysis found no compromise of core repositories, hosted services, or managed user data.

CloudFront Adds OCSP Revocation Checking for mTLS Support

🔐 Amazon CloudFront now supports Online Certificate Status Protocol (OCSP) for viewer mutual TLS (mTLS), allowing real-time validation of client certificate revocation during connection establishment. Previously, revocation was handled via CloudFront Functions and KeyValueStore with static lists. CloudFront now queries the OCSP responder embedded in certificates and caches responses up to 30 minutes. The OCSP result is exposed to connection functions for custom logic.

Amazon CloudFront Adds mTLS Passthrough Mode for Origins

🔐 Amazon CloudFront now supports passthrough mode for viewer mutual TLS (mTLS), enabling customers to forward client certificate chains directly to their origin for validation instead of requiring CloudFront to perform certificate verification. In passthrough mode CloudFront forwards every request and the full client certificate chain to the origin and does not cache responses, ensuring end-to-end authentication is enforced by the origin. Connection functions remain available so you can inspect or transform connection-level data before it reaches your origin. CloudFront mutual TLS (viewer) passthrough is available at no additional cost.

Amazon EC2 M3 Ultra Mac Instances Now Generally Available

🔔 Amazon Web Services announced general availability of Amazon EC2 M3 Ultra Mac instances, built on Apple M3 Ultra Mac Studio hardware. These instances, powered by the AWS Nitro System, deliver up to 10 Gbps network and 8 Gbps EBS bandwidth and include a 28-core CPU, 60-core GPU, 32-core Neural Engine, and 256 GB of unified memory. Compared to M4 Max, they provide significant uplifts in CPU, GPU, memory, and Neural Engine capacity. Available in US East (N. Virginia) and US West (Oregon).

Critical Auth Bypass in Burst Statistics Plugin Patched

🔒 Wordfence disclosed a critical authentication bypass in the Burst Statistics WordPress plugin (CVE-2026-8181) that lets unauthenticated actors impersonate admin users via REST API requests and even create rogue admin accounts. The flaw, introduced in versions 3.4.0 and 3.4.1, misinterprets wp_authenticate_application_password() return values, treating errors or null as successful authentication. Users should upgrade to 3.4.2 or disable the plugin immediately.

Regional Routing for AWS Access Portals with Vanity Domains

🌐 AWS outlines how to present a single, brand-aligned vanity entry point (for example, aws.mycompany.com) in front of IAM Identity Center multi-Region access portals. The approach uses Amazon Route 53 latency-based routing, Application Load Balancer 302 redirects, and optional Amazon ARC Region switches for automated failover while TLS is managed through AWS Certificate Manager. Traffic is directed to the nearest healthy regional portal and the vanity domain does not persist in the browser address bar.

Fragnesia: New Local Linux Kernel Privilege Flaw Emerges

🔒 Fragnesia (CVE-2026-46300) is a local Linux kernel privilege escalation that exploits the XFRM ESP-in-TCP subsystem to obtain a memory write primitive, enabling in-memory modification of security-sensitive files while bypassing standard filesystem permissions. A public PoC exists, but remote exploitation is not possible; an attacker needs local access and control of socket operations. Vendors including Red Hat and Ubuntu are issuing patches and workarounds, and administrators should update kernels, consider disabling esp4/esp6 or avoiding kernels built with CONFIG_INET_ESPINTCP, and increase monitoring until systems are patched.

Critical Cisco SD-WAN Controller Zero-Day Exploits

⚠ Cisco warns of an actively exploited authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182) rated 10.0, affecting on-premises and SD-WAN Cloud Manager deployments. The vulnerability stems from a peering authentication mechanism that "is not working properly" and can grant high-privileged, non-root administrative access and NETCONF control. Cisco detected exploitation in May, released security updates as the only full remediation, and advises restricting management-plane access and reviewing peering and auth logs for IOCs.

SageMaker Adds Serverless Fine-Tuning for Qwen3.6 Model

🚀 Amazon SageMaker AI now supports serverless customization for the Qwen3.6 27B parameter model using supervised fine-tuning (SFT) and reinforcement fine-tuning (RFT). This extends SageMaker's existing fine-tuning support for Qwen3.5 and other open-weight models. Serverless customization removes infrastructure management—SageMaker handles provisioning and orchestration—so teams pay only for what they use. The feature is available in US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo), and EU (Ireland).

OpenAI Confirms Device Breach in TanStack Supply Attack

🔒 OpenAI confirmed that two employee devices were breached in the Mini Shai-Hulud/TanStack supply-chain attack that compromised hundreds of npm and PyPI packages. The company said customer data, production systems, intellectual property, and deployed software were not impacted. OpenAI isolated affected systems, revoked sessions, rotated credentials, and engaged a third-party forensic firm. It is rotating code-signing certificates as a precaution, requiring macOS users to update desktop apps before June 12, 2026.

AWS Transform Adds Customer-Owned S3 Artifact Storage

🗂️ AWS Transform now supports customer-owned Amazon S3 buckets, letting customers control where transformation artifacts are stored and how they are secured. You can configure your own S3 bucket, optionally encrypt artifacts with your AWS KMS key, and manage access policies in your account. Migration teams can upload files directly and centralize artifacts across accounts to support regulated industries and data sovereignty requirements. This capability is available in all Regions where AWS Transform is offered.

AWS Extends Transform Tools to IDEs, Plugins, MCP Support

🛠️ AWS has made its AWS Transform agents available through an agent plugin, a Kiro Power in the Kiro marketplace, and the AWS Transform MCP server. Developers can now invoke transformation capabilities from their IDE, the web console, or programmatically, maintaining consistent job state across surfaces. IAM role authentication is supported, enabling use of existing AWS credentials for environments, workspaces, and jobs.

AWS Launches Kiro Power Agent Builder for Transform

🛠️ AWS announced general availability of the agent builder toolkit Kiro Power for AWS Transform, enabling partners and customers to create customized transformation agents tailored to modernization projects. The toolkit supports the full agent lifecycle—build with Kiro Power, share across teams and partner networks, and register agents with AWS Transform for discovery. It's available in the Kiro Power marketplace and targets Migration and Modernization Competency Partners, ISVs, and customers.

Pwn2Own Berlin 2026 Day One: 24 Zero-Days Paid Out

🔒 On day one of Pwn2Own Berlin 2026 researchers earned $523,000 exploiting 24 unique zero-days, led by Orange Tsai, who collected $175,000 after chaining four logic flaws to escape the Microsoft Edge sandbox. Windows 11 was rooted three times for new privilege-escalation bugs, and Valentina Palmiotti secured payouts for Red Hat Workstations and an NVIDIA Container Toolkit flaw. The event focuses on enterprise and AI-targeted technologies.

Preparing for an Imminent Surge in Software Patching

🔧 Cisco Talos argues that rapid advances in AI-driven code analysis will soon expose decades of latent software defects, triggering a likely surge in vulnerability disclosures and urgent patches. While AI can augment human reviewers by scanning code at scale, threat actors will also use these tools to find exploits. Organizations should reassess patch prioritization, scale deployment processes, and plan for systems that cannot be quickly patched. Talos recommends zero trust, centralized logging, PowerShell script block logging, and updated incident response playbooks.

New Image and Embedding Models Available in SageMaker

🆕 AWS added FLUX.2-klein-base-4B and Qwen3-Embedding-0.6B to Amazon SageMaker JumpStart. FLUX.2 targets real-time image generation and multi-reference editing in a compact architecture that can run on consumer GPUs with about 13GB VRAM. Qwen3-Embedding delivers instruction-aware, multilingual text embeddings across 100+ languages for retrieval, RAG, and semantic search. Customers can deploy these models via SageMaker Studio or the SageMaker Python SDK.