
Automation, Cloud Controls, and Critical Advisories Define the Day
Coverage: 22 Jan 2026 (UTC)
Platform teams leaned into automation and governance today. Fortinet introduced agentic-AI workflows in FortiSIEM 7.5 to speed investigations while respecting data-sovereignty boundaries, and AWS expanded Resource Control Policies to tighten identity and log access at the organization level. Balancing those preventive moves, a critical telnetd flaw in GNU InetUtils surfaced with simple, root-level exploitation, as detailed by The Hacker News, alongside active targeting of collaboration and email platforms.
AI-Driven Operations Move Into the SOC
Fortinet is positioning FortiSIEM 7.5 as a faster path from alert to analysis. The release adds FortiAI-Assist investigation and search agents that compile evidence, assess impact, and accept natural-language tasks, backed by improved federated search, real-time event tagging, and expanded Osquery support. A free Windows agent for IT and OT environments supports constrained networks, and the design emphasizes centralized oversight with localized data collection to address regional compliance. The goal is to accelerate investigations, reduce analyst effort, and standardize playbooks across distributed teams.
On the developer side, Google Cloud showcased Antigravity, an agent-first IDE with planning modes, artifact reviews, and built-in browsers, and highlighted Nano Banana Pro (Gemini 3 Pro Image) for grounded, dynamic image generation. A Factory Floor demo walks through spinning up a new Agent Development Kit project, building a slide generator, and using MCP tools to integrate testing and storage. The emphasis is that orchestration, planning, and tool integration—not just model capability—drive reliable outputs.
Inside incident response, Google Cloud details how Google SREs use Gemini 3 via Gemini CLI and an internal agent to shrink mean time to mitigation. The workflow chains deterministic tools (incident details, causal analysis, time-series correlation, log analysis), enforces policy checks and human confirmation, and produces audit trails and postmortems. When an initial mitigation failed in the outlined scenario, the agent pivoted to code context, generated a corrective change list, and coordinated rollout—illustrating auditable, human-in-the-loop automation for high-stakes operations.
Cloud Controls and Architecture Updates
AWS broadened Resource Control Policies to Amazon Cognito and CloudWatch Logs, letting organizations define maximum permissions for identity pools, user pools, and log groups across accounts. This helps enforce data perimeters and align identity and telemetry custody with governance standards, complementing SCPs and IAM. In parallel, Amazon Bedrock AgentCore Browser now supports custom Chrome‑compatible extensions delivered from S3, enabling enterprise workflows that need specialized authentication, tool integrations, or performance tweaks within a managed, auditable browser environment.
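As an added illustration, not taken from AWS's announcement or documentation, the following data-perimeter style Resource Control Policy uses the newly covered services to deny log-group and identity/user-pool access to any principal outside the organization; the organization ID is a placeholder and the action list is an assumed minimal set.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLogsAndCognitoAccessFromOutsideOrgPlaceholderOrgId",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:StartQuery",
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy",
        "cognito-idp:*",
        "cognito-identity:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLE0000"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

RCPs only restrict and never grant, so principals still need IAM or resource-policy permissions inside the perimeter; attach the policy to a non-production OU first and review CloudTrail for unexpected AccessDenied events before moving it to the root.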
Google Cloud made managed connection pooling for AlloyDB for PostgreSQL generally available. The service‑managed pooler reuses backend sessions to cut TLS handshakes and initialization overhead, supports transaction and session modes, and aims to deliver higher concurrency and throughput—especially for web and serverless patterns—without the operational burden of self‑hosted pooling.
Advisories and Active Exploitation
A high‑severity authentication bypass in GNU InetUtils telnetd (CVE-2026-24061) allows remote, passwordless root login by abusing how telnetd passes the USER variable to /usr/bin/login. GreyNoise observed exploitation attempts shortly after disclosure. Administrators should patch or disable telnetd, firewall access, and migrate to SSH where possible. In the email stack, an authentication bypass in SmarterTools SmarterMail—since patched—was rapidly exploited after release; BleepingComputer reports attackers could reset administrator passwords and achieve full system control, underscoring the need to update to the fixed build and audit for suspicious resets.
Cisco addressed an actively exploited RCE, CVE-2026-20045, affecting Unified CM, Unity Connection, and related components; there are no workarounds, and fixes are version‑specific. The issue has been added to CISA’s KEV catalog with agency deadlines, and customers on older releases must migrate to supported builds. Details and patching guidance are covered by The Hacker News. In the connected‑home and ICS space, CISA published a critical advisory for Hubitat Elevation hubs (CVE-2026-1201) due to an authorization bypass through a user‑controlled key; firmware 2.4.2.157 remediates the flaw. CISA recommends upgrading and applying standard ICS network protections. Why it matters: exposed management planes and weak authorization paths continue to be reliable entry points that demand rapid, version‑aware remediation and strict access controls.
Targeted Intrusions and Social Engineering
Check Point reports that the KONNI threat actor is pivoting toward developers—especially in blockchain and cryptocurrency—using convincing, AI‑assisted lures to reach code repositories, credentials, and build pipelines. Defenders should treat developer‑facing content as high risk, enforce MFA and least privilege, sandbox untrusted documents, and monitor for unusual repository and network activity.
Okta warns of vishing‑driven, adversary‑in‑the‑middle campaigns that steal SSO credentials and bypass push‑based MFA using real‑time, operator‑controlled phishing flows. BleepingComputer notes targeting of financial services and related sectors, with extortion following data theft from integrated apps. Phishing‑resistant authentication (FastPass, FIDO2 security keys, passkeys), rapid takedowns, and monitoring of Okta dashboard activity are advised. Separately, a ransomware incident at Conceptnet disrupted web and email services for the provider and several customers; CSOonline reports restoration is ongoing with temporary sites deployed while forensics proceed.