Hello, stay ahead with CISO Brief 🚀

⚠️ OX Security disclosed a systemic "by design" vulnerability in Anthropic's Model Context Protocol (MCP) SDK that permits remote command execution across reference implementations (Python, TypeScript, Java, Rust). Unsafe defaults in MCP's STDIO configuration produced 10 vulnerabilities affecting projects such as LiteLLM, LangChain, and Flowise, impacting over 7,000 public servers and 150 million downloads. Several downstream vendors have issued patches, but Anthropic has declined to change the protocol reference implementation, leaving an ongoing AI supply-chain risk.

🔒 Nitin Raina’s move from IT operations to Thoughtworks’ global CISO and global head of enterprise risk illustrates a fast-growing trend: CISOs increasingly lead enterprise risk programs. Since 2020 Raina has built an ERM function that links strategic, operational, and cybersecurity risks through assessments, gap analyses, and controls. Industry reports show most CISOs now share accountability for operational business risk and are responsible for AI governance, making GRC and risk quantification central to executive and board trust.

⚠️ Unit 42's hands-on evaluation finds frontier AI models can autonomously identify complex software vulnerabilities and map exploit chains, dramatically accelerating the discovery-to-exploitation timeline. The researchers warn this capability raises immediate risks to open source projects and supply chains, and will compress N-day windows to hours. They urge aggressive prevention, automated patching, and hardened development pipelines.

🔧 Microsoft has reverted a service update that prevented some customers from launching the Microsoft Teams desktop client, leaving affected users stuck on a loading screen with the error “We're having trouble loading your message. Try refreshing.” The vendor traced the failure to a transient service infrastructure issue and a regression in the client build caching system. Microsoft says its automated recovery system remediated the impact and advises users to fully quit and restart Teams so the fix can propagate.

🔐 Capsule Security researchers discovered prompt-injection flaws in Microsoft Copilot Studio and Salesforce Agentforce that allow attackers to inject malicious instructions via standard input fields. In Copilot, a crafted payload in a SharePoint form field can overwrite agent instructions and exfiltrate SharePoint data; Microsoft has released a patch (CVE-2026-21520). In Agentforce, attackers can embed directives in public lead forms that an agent with email or query capabilities may execute, enabling broad CRM data leakage.

🔍 Anthropic's Claude Mythos — developed under Project Glasswing and currently trialed by select organizations — faces scrutiny after VulnCheck's analysis found limited publicly attributable results. The team identified 75 CVE entries mentioning Anthropic, 40 credited to its researchers, but only one explicitly tied to Glasswing (CVE-2026-4747), with several additional findings embargoed. Anthropic has signaled more transparency in July 2026. Security experts caution that Mythos' reported exploit success rates could still accelerate attacker capabilities and outpace corporate change controls.

🔒 The NCSC has published a coordinated plan to improve NHS cyber resilience, focusing on piloting tools via ACD 2.0, securing the software supply chain, managing vulnerability disclosures, enhancing visibility and promoting services such as Early Warning, the Cyber Action Toolkit and Cyber Essentials. The agency is applying the Software Security Code of Practice in procurement and using data science to prioritise supplier risk while its Vulnerability Reporting Service continues to support GP surgeries, trusts and health boards. Additional measures include the NHS App adopting passkeys, attack surface management, deception-technology experiments, DNS analytics and Threat Hunting Workshops to develop playbooks and strengthen sector collaboration.

🔐 Grinex, a Kyrgyzstan-based exchange believed to be the successor to Garantex, said a "large-scale cyber-attack" by foreign intelligence agencies last week resulted in the theft of one billion rubles (about $13.2m) from Russian customers and forced it to suspend operations. The firm said it filed a criminal complaint and published the crypto address where the funds were allegedly deposited after being converted to TRX. Blockchain forensics firm Chainalysis disputed the account, noting the rapid swap into TRX via a Tron-based DEX mirrors known laundering tactics and raised the possibility of a false-flag operation or an insider exit scam.

⚠️Microsoft has released out-of-band updates to address multiple issues affecting Windows Server systems after the April 2026 cumulative patches. An installation failure impacting KB5082063 on Windows Server 2025 and LSASS crashes that can force domain controllers into restart loops are the primary problems. Microsoft published OOB fixes for Server 2025 (KB5091157) — which resolves both issues — and separate updates for 23H2, 2022, 2019, 2016 and Azure hotpatch editions; some Server 2025 devices may also enter BitLocker recovery after KB5082063.

🚨 Darktrace researchers disclosed ZionSiphon, a newly observed malware family tailored to Israeli water treatment and desalination systems. The June 29, 2025 sample establishes persistence, escalates privileges, propagates via removable media, and scans local subnets for OT services, probing Modbus, DNP3 and S7comm devices. It contains routines to alter chlorine dosing and pressure parameters but appears unfinished or misconfigured; non-target hosts trigger a self-destruct sequence.

🔒 Vercel disclosed a security breach tied to a compromised Context.ai account used by an employee, which enabled an attacker to take over the employee's Vercel Google Workspace account. The actor accessed some Vercel environments and environment variables that were not marked sensitive, while encrypted sensitive variables show no evidence of exposure. Vercel is working with Mandiant, law enforcement and Context.ai, and has contacted affected customers to rotate credentials and investigate further.

🔒 Vercel has disclosed an unauthorized access incident that affected a limited subset of customers and certain internal systems. The company says its public services remain operational while it investigates the incident with external incident response experts and law enforcement. Vercel is notifying impacted customers and urging them to review environment variables, enable the sensitive environment variable feature where available, and rotate secrets or tokens if there is any suspicion of exposure.

📧 Threat actors are exploiting Apple account-change notifications to deliver callback phishing within legitimate emails sent from Apple's infrastructure. They place scam text into the account's first and last name fields, then trigger a shipping-info update so Apple sends the altered notification. Because messages are sent from appleid@id.apple.com and pass SPF, DKIM, and DMARC, they appear authentic and can bypass filters, increasing the risk of successful callback scams.

🔍 NIST will stop providing severity scores and detailed enrichment for lower-priority CVEs beginning April 15, citing a surge in submissions that has overwhelmed its capacity. The National Vulnerability Database will continue to list all reported CVEs, but entries deemed low priority will keep only the severity assigned by the submitting CNA. NIST will only add detailed analysis for issues in CISA’s KEV, those affecting U.S. federal software, or critical software defined by EO 14028; organizations may request enrichment for low-priority entries via email to nvd@nist.gov.

⚠️ A critical remote code execution vulnerability has been disclosed in protobuf.js, the widely used JavaScript implementation of Google's Protocol Buffers, caused by unsafe dynamic code generation that concatenates schema-derived identifiers into functions. An attacker who can supply or influence schemas can inject arbitrary JavaScript into a generated Function() call, which executes when the crafted schema is processed. Maintainers and Endor Labs urge immediate upgrades to patched releases and recommend treating schema-loading as untrusted while auditing transitive dependencies.

🔧 A recent Microsoft Edge update introduced a code regression that breaks right-click paste in the Microsoft Teams desktop client, leaving the Paste option greyed out in chat context menus. Microsoft advises using keyboard shortcuts (Ctrl+C/Ctrl+V on Windows, Cmd+C/Cmd+V on macOS) as an immediate workaround. The company says it identified the cause in Edge and is rolling out a staged fix while monitoring telemetry.

🔒 NAKIVO has released Backup & Replication v11.2, introducing an automated real-time replication engine and expanded hypervisor support. The update delivers full compatibility with VMware vSphere 9 and Proxmox VE 9.0 (with 9.1 in scope), plus immutable backups, pre-recovery malware scanning, and air-gapped options to strengthen ransomware resilience. v11.2 also adopts OAuth 2.0 for email notifications and upgrades core platform components to improve stability and recovery speed.

🔐 Microsoft Defender Security Research outlines a human-operated intrusion playbook where attackers abuse cross-tenant Microsoft Teams collaboration to impersonate IT/helpdesk staff and socially engineer users into granting remote assistance. With user consent, adversaries gain interactive access via Quick Assist or similar tools, then execute attacker modules by side-loading them into trusted vendor-signed applications. The chain leverages native administrative protocols such as WinRM and commercial RMM tooling to move laterally and stage sensitive business data for exfiltration. Microsoft Defender provides correlated identity, endpoint, and collaboration telemetry to surface and disrupt this pathway.