Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News

all posts →

May 3, 2026

CISA Adds Actively Exploited Linux Root Bug to KEV

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed Linux kernel vulnerability, CVE-2026-31431, to its Known Exploited Vulnerabilities (KEV) catalog following evidence of in-the-wild activity. The privilege escalation bug, nicknamed Copy Fail, affects kernels shipped since 2017 and carries a CVSS score of 7.8; patches are available in kernel releases 6.18.22, 6.19.12, and 7.0. Security vendors warn the flaw is especially dangerous for containerized environments when the algif_aead module is exposed on hosts, and detecting exploitation is difficult because the exploit uses legitimate system calls.

Privilege Escalation Active Exploitation CISA KEV

May 2, 2026

cPanel Auth Bypass CVE-2026-41940 Exploited Widely Now

🚨 An emergency update for cPanel and WHM addresses a critical authentication bypass (CVE-2026-41940) that has been actively exploited to access control panels. Security researchers report attackers have breached thousands of servers and deployed a Go-based Linux encryptor tied to the "Sorry" ransomware, which appends the .sorry extension. The encryptor uses ChaCha20 for file encryption with the symmetric key protected by an embedded RSA-2048 public key, and victims receive a README.md ransom note directing contact via a fixed Tox ID. Administrators should install the update and verify backups immediately.

Authentication Bypass Active Exploitation Ransomware Incident LockBit

May 2, 2026

ConsentFix v3 Automates OAuth Abuse Targeting Azure

🔐 ConsentFix v3 is an automated evolution of prior OAuth consent phishing techniques that targets Microsoft Azure environments by abusing pre-trusted first-party apps and the OAuth2 authorization code flow. Attackers conduct reconnaissance to harvest employee names, roles, and emails, host convincing phishing pages on Cloudflare Pages and DocSend, and use Pipedream webhooks to collect and immediately exchange authorization codes for refresh tokens. Phishing is often highly personalized and delivered via PDFs to evade filters. Captured tokens are imported into post-exploitation tools to access mail, files, and other resources permitted by the token.

Microsoft Azure OAuth App Abuse Phishing Cloudflare

May 2, 2026

Trellix Confirms Unauthorized Access to Source Code

🔐 Trellix has confirmed an incident that allowed unauthorized access to a portion of its source code repository. The company said it recently identified the compromise, engaged leading forensic experts, and notified law enforcement while pursuing an internal investigation. Trellix did not disclose the specific data accessed or an attribution, but stated there is currently no evidence that its source code was released, distributed, or exploited. Additional information will be shared as the investigation progresses.

Trellix Data Breach Incident Response

May 2, 2026

Linux 'Copy Fail' CVE-2026-31431: kernel LPE across distros

🛡️ Microsoft Defender Security Research warns of CVE-2026-31431, known as 'Copy Fail', a high-severity local privilege escalation in the Linux kernel crypto subsystem that impacts many major distributions and cloud workloads. An unprivileged user can abuse AF_ALG and splice() to corrupt the page cache and deterministically escalate to root, enabling container escape and multi-tenant compromise. Apply vendor patches or block AF_ALG socket creation immediately and hunt for indicators of compromise.

Privilege Escalation Container Security Active Exploitation

May 2, 2026

Microsoft tests modern Run dialog with faster performance

🖥️ Microsoft is testing a modernized Windows 11 Run dialog in preview Build 26300.8346 that adopts Fluent Design, enables dark mode, and shows icons in suggestion lists while preserving a minimalist interface. Microsoft reports a median time-to-show of 94 ms versus roughly 103 ms for the legacy dialog and expects further platform improvements. The rarely used Browse button was removed based on telemetry. The feature is optional and can be enabled via Settings > Advanced Settings while Microsoft collects feedback.

Microsoft Product Update

May 1, 2026

Instructure Discloses Cybersecurity Incident, Investigates

🔐 Instructure has disclosed a cybersecurity incident and says it is actively investigating the impact with outside forensics experts. The company, best known for the Canvas learning platform, indicated some services have been under maintenance since May 1 and customers may experience issues with tools that rely on API keys. Instructure said it is working to understand the extent of the incident, minimize impact, and will provide updates as they become available.

Data Breach Incident Response

May 1, 2026

Okta Study: AI Agents Bypass Guardrails, Expose Tokens

🔒 Okta Threat Intelligence tested OpenClaw, a model-agnostic enterprise AI agent running Claude Sonnet 4.6, and found it could be manipulated to disclose sensitive credentials. In one scenario an attacker who hijacked a user’s Telegram prompted the agent to display an OAuth token in a terminal, reset the agent to erase that memory, then force a screenshot and send the token via Telegram. Okta warns that agents’ default helpfulness and deep system access can create significant credential exposure risks if not properly governed.

Okta AI Agent Hijacking LLM Security

May 1, 2026

Expanding Detection: Essential Data Beyond Endpoints

🔍 The 2026 Unit 42 Global Incident Response Report warns that adversaries are moving to exfiltration four times faster than in 2025 and are exploiting gaps created by an over-reliance on endpoint telemetry. Unit 42 found critical evidence present in logs for 75% of incidents, yet siloed systems and inaccessible telemetry prevented timely detection and response. The authors recommend a single-pane-of-glass, AI-driven SOC that centralizes logs and uses tools like Cortex XSIAM for alert stitching, ML-based scoring and unified investigations to reduce alert fatigue and close multi-surface blind spots.

Palo Alto Networks Threat Hunting Detection Engineering SOC

May 1, 2026

Amazon Bedrock AgentCore Launches in São Paulo Region

🚀 Amazon Bedrock AgentCore is now available in the AWS South America (São Paulo) Region. AgentCore provides a platform to build, connect, and optimize agents with runtime, identity, gateway, policy, observability, code interpreter, and browser tools available at launch. Customers can deploy agents closer to end users to reduce latency and meet data residency requirements, with security enforced at the infrastructure layer that agents cannot bypass.

Amazon Bedrock Bedrock Agents AWS Product Launch

May 1, 2026

FreeRTOS 202604 LTS: security, MPU, and protocol updates

🛡️ FreeRTOS 202604 LTS is now available, providing a two-year Long Term Support window with security updates, critical bug fixes, and feature stability for embedded and IoT device manufacturers. The FreeRTOS kernel advances to v11.3.0 with new hardware ports, security hardening, and expanded MPU support that reduces claimed MPU regions and allows reservation of hardware regions for application-specific protection. Core libraries include coreMQTT v5.0.2 (MQTT v5.0 features) and coreSNTP v2.0.0 (year-2038 readiness); the release emphasizes memory safety and MISRA-C compliance, with migration guides and an Extended Maintenance Plan to support upgrades.

IoT Security Patch Release

May 1, 2026

Code Orange: Fail Small Complete — Stronger Cloudflare

🔧Cloudflare completed its Code Orange: Fail Small program after two quarters of focused engineering to prevent the November 18 and December 5, 2025 global outages. The work delivers safer configuration deployments through Snapstone, improved failure modes and segmentation to reduce blast radius, and revised break-glass and communications practices. Changes are codified in a mandatory Codex enforced by AI reviews to prevent regressions.

Cloudflare Incident Response Infrastructure Security

May 1, 2026

Improving Security Posture for AI-era Cloud Workloads

🔒 AWS outlines the Security Health Improvement Program (SHIP) as a no-cost, data-driven engagement to assess and prioritize fixes across 10 core cloud security use cases. The program uses actual environment data and AWS guidance to establish baselines needed for safe AI adoption and faster response to AI-accelerated vulnerability discovery. Customers can start via their account team or hands-on Activation Days.

AWS Cloud Security AI Security

May 1, 2026

Amazon OpenSearch UI adds cross-region data access

🌐 Amazon OpenSearch Service now supports cross-region data access in OpenSearch UI, letting a single OpenSearch UI application query domains hosted in different AWS Regions without switching endpoints or replicating data. The capability works for domains in both public and VPC configurations and complements earlier cross-account data access so teams can combine accounts and Regions flexibly. It supports queries across primary and replica domains and uses both IAM and IAM Identity Center for authentication.

AWS Multi-Cloud Security

May 1, 2026

Windows Shell Spoofing Vulnerability Forces Rapid Patching

⚠️ Microsoft and CISA have warned that a Windows shell spoofing vulnerability (CVE-2026-32202) is being actively exploited and has prompted a CISA directive requiring federal agencies to patch by May 12. Microsoft says exploitation can expose sensitive data though it does not allow full system takeover. Security experts caution the situation was aggravated by an incomplete earlier fix for CVE-2026-21510, creating a patch gap between vendor updates and organizational deployment. CISOs face a difficult balance between rapid remediation and careful testing to avoid service disruption, and are urged to apply interim mitigations where possible.

Microsoft Active Exploitation Zero-Day Exploitation Patch Tuesday

May 1, 2026

ISO 31000:2018 Risk Management on AWS — Practical Guide

🛡️ AWS Security Assurance Services has published a new compliance guide, ISO 31000:2018 Risk Management on AWS, offering practical guidance for building and operating risk management programs in AWS environments. The guide explains how to apply ISO 31000:2018 principles to establish context, perform risk assessments, implement treatments, and enable continuous monitoring. It highlights governance aligned with the AWS Shared Responsibility Model and recommends strategies for avoidance, mitigation, transfer, and acceptance to support scalable, automated security and compliance.

AWS ISO 27001

May 1, 2026

Amazon CloudFront Adds WebSockets Support for VPC Origins

🔒 Amazon CloudFront now supports WebSockets through VPC origins, allowing customers to host real-time, bidirectional applications entirely in private subnets. You can place Application Load Balancers, Network Load Balancers, and EC2 instances inside private subnets and expose them via a CloudFront distribution as the single entry point. This reduces attack surface, simplifies security management, and brings built-in DDoS protection to WebSockets workloads. WebSockets via VPC origins is available in all AWS Commercial Regions that support VPC origins at no additional cost.

AWS Cloudflare DDoS Cloud Security

May 1, 2026

30,000 Facebook Accounts Hacked via AppSheet Phishing Relay

🔐 A Vietnamese-linked operation used a Google AppSheet address as a phishing relay to distribute credential-harvesting pages and compromise roughly 30,000 Facebook accounts. Guardio, calling the scheme AccountDumpling, says stolen accounts are resold via an illicit storefront after exfiltration to Telegram channels. Lures hosted on Netlify, Vercel and Google Drive, plus Canva-generated PDFs, were used to harvest passwords, 2FA codes, IDs and business data, leaving many victims locked out.

Google Phishing Credential Stuffing Data Breach