AI Agent Controls, Identity Consolidation, and ICS Patches

Coverage: 12 Feb 2026 (UTC)

AI-facing controls took center stage, with Cloudflare unveiling a new way to serve web content to agents as clean Markdown and Microsoft mapping common misconfigurations that put Copilot Studio agents at risk. Identity strategy also shifted as Palo Alto Networks closed its CyberArk acquisition, while CISA issued multiple industrial-control advisories and updated its Known Exploited Vulnerabilities catalog, underscoring how quickly issues move from prevention to active exploitation.

AI agents: Controls, signals, and abuse

Cloudflare introduced Markdown for Agents, an edge capability that converts HTML to Markdown on the fly for requests bearing an Accept: text/markdown header. The company reports large token-count reductions for AI crawlers and agents and adds machine-readable content-use headers (Content-Signal) alongside an estimated token-count header. Alternatives including Workers AI toMarkdown() and a /markdown rendering API support dynamic pages, and Radar telemetry now surfaces content_type trends for AI bot traffic. The aim is to cut compute and token costs while giving operators clearer control over how content is used.

The Microsoft Defender Security Research Team detailed the top misconfigurations that expose Copilot Studio agents in its Top 10 Risks analysis. Issues include overly broad sharing, unauthenticated agents, raw HTTP actions, orphaned components, embedded credentials, unmanaged MCP tools, and unconstrained orchestration. The team provides Advanced Hunting queries and an operational playbook: enforce least privilege and strong authentication, prefer managed connectors, move secrets to Azure Key Vault, audit tool configurations, and retire dormant assets. Why it matters: small maker choices can bypass governance and create straightforward paths to data exposure and privilege escalation.

Google’s threat team observed adversarial use of generative models across the attack lifecycle in its latest AI Threat Tracker. Highlights include model-extraction (distillation) campaigns probing APIs to clone logic, underground services proxying commercial models, and proofs-of-concept such as HONESTCUE and COINBAIT that generate and run in-memory code via model APIs. The report outlines layered mitigations—from API monitoring and takedowns to classifier updates and product safeguards—feeding into a broader Secure AI Framework.

Identity consolidation reshapes Zero Trust

Palo Alto Networks finalized its $25B acquisition of CyberArk, a leading PAM vendor, positioning identity at the center of its Zero Trust platform, according to CSO Online. The company frames the move as unifying privileged access across human, machine, and AI identities to reduce standing privilege, limit lateral movement, and speed breach containment, with near-term continuity for standalone CyberArk offerings and phased integrations with Prisma and Cortex. Analysts also flag integration and licensing risks, as well as customer concerns about potential lock-in as identity becomes tightly coupled to the broader platform.

Industrial networks: Patches and risk

Siemens addressed extensive third-party component flaws in industrial devices running SINEC OS earlier than 3.3, spanning RUGGEDCOM and SCALANCE families deployed across critical sectors. The CISA-published advisory for SINEC OS aggregates high and critical CVEs affecting BusyBox, libpcap, libcurl, OpenSSL, Expat, Python tarfile handling, ncurses, and kernel components, among others, with issues ranging from buffer overflows and use-after-free to improper certificate validation. A separate CISA notice covers COMOS V10.4–V10.6, citing XSS (DOMPurify mXSS), a Chrome Mojo sandbox escape, curl-related weaknesses, and missing server-certificate validation in IAM/SDK components. Siemens ProductCERT provides fixes for some lines and guidance where patches are pending; operators are urged to update, segment networks, avoid internet exposure, and use secured remote access.

CISA also published a critical advisory for Airleader GmbH, noting an unauthenticated, unrestricted file upload (CVE-2026-1358, CVSS 9.8) in Airleader Master up to version 6.381 that can enable remote code execution. A fixed release (6.386) is available, and organizations that cannot patch immediately should contact the vendor for mitigations and follow CISA guidance to isolate control networks and minimize exposure.

Exploitation and urgent web fixes

A critical pre-auth RCE in BeyondTrust appliances (CVE-2026-1731) is under active exploitation following public proof-of-concept code, per BleepingComputer. Affected Remote Support (25.3.1 and earlier) and Privileged Remote Access (24.3.4 and earlier) portals can be abused via an unauthenticated WebSocket path after harvesting an identifier from /get_portal_info, leading to OS command execution. SaaS instances were auto-patched; on‑prem customers must manually update, restrict access, review logs for WebSocket and portal_info activity, rotate credentials, and investigate for compromise.

CISA added four entries to the Known Exploited Vulnerabilities catalog, including Microsoft Configuration Manager (CVE-2024-43468), Notepad++ (CVE-2025-15556), SolarWinds Web Help Desk (CVE-2025-40536), and Apple software (CVE-2026-20700). The KEV update triggers remediation timelines for U.S. federal agencies and is a practical prioritization list for all organizations.

Separately, a critical RCE in the WPvivid Backup & Migration WordPress plugin (CVE-2026-1357, 9.8) enables unauthenticated arbitrary file uploads when a nondefault transfer feature is enabled. A patched release (v0.9.124) is available; site owners should update promptly, audit uploads and logs, and consider disabling the remote receive feature until patched, according to BleepingComputer. The fix adds decryption checks, filename sanitization, and stricter file-type enforcement.