
Identity Hardening, Cisco SD‑WAN Exploited, ICS EV Alerts
Coverage: 26 Feb 2026 (UTC)
Identity and testing controls led today's updates. A new phishing-resistant MFA capability, FalconID, is now generally available, according to CrowdStrike, while an AWS blog post gives an architectural deep dive into automated penetration testing, covering multi-agent orchestration, validation, and reporting. Advisory activity remained elevated, including critical ICS issues and active exploitation of an enterprise networking platform, underscoring the need to patch promptly and harden management planes.
Identity, testing, and content integrity
FalconID introduces phishing-resistant, FIDO2-based authentication embedded in the Falcon platform, as described by CrowdStrike. It binds biometric-unlocked credentials to trusted devices and to the legitimate sign-in domain (the origin binding that defeats credential-relay phishing), evaluates each sign-in against endpoint, identity, and SaaS telemetry, adds proximity validation, and covers legacy protocols through indirect authentication. Continuous authorization, from a recent acquisition, is positioned to remove standing privileges and apply just-in-time access across major identity and cloud systems, including revocation mid-session as risk signals change. The aim is to curb MFA fatigue and phishing by unifying strong authentication with real-time context.
A multi‑agent approach to automated penetration testing detailed by the AWS blog combines intelligent sign‑in, baseline black‑box and white‑box scans, managed task execution, and guided exploration that adapts to discovered endpoints and documentation. Specialized workers execute fuzzing, code analysis, and CVE lookups, while deterministic validators and expert assertions vet candidate findings before CVSS scoring and remediation‑focused reporting. Reported benchmark results highlight the impact of external verification and model knowledge on attack success rates. Why it matters: assertion‑backed validation and scalable planning can reduce false positives and surface actionable defects faster for remediation teams.
In creative pipelines, Google Cloud introduced Nano Banana 2, a generative image model in preview via the Gemini API on Vertex AI, with capabilities for accurate text rendering, localization, upscaling, and subject consistency. For provenance and enterprise transparency, it pairs SynthID with C2PA Content Credentials to attach contextual metadata about how AI was used. The model targets faster iteration and production‑ready outputs that slot directly into existing workflows.
SD‑WAN exploitation drives urgent response
Media reports detail an authentication bypass in Cisco Catalyst SD-WAN components, tracked as CVE-2026-20127, that has been exploited since 2023 to gain high-privileged, non-root administrative access and manipulate configuration via NETCONF, with follow-on activity including software downgrades, local privilege escalation (CVE-2022-20775), and log tampering. According to The Hacker News, Cisco has released fixed versions across the affected release lines, and U.S. authorities have added the CVE to the Known Exploited Vulnerabilities catalog and issued directives to drive rapid patching and investigation. Recommended actions: update immediately; audit for rogue peers and unauthorized keys; review the specified log paths for indications of downgrade or reboot; restrict management-plane exposure; and conduct a comprehensive forensic review for indicators of compromise. Because log tampering is part of the reported activity, clean logs alone are not evidence of a clean device; corroborate with peer inventories and version history.
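As an added illustration of the audit steps above, the script below implements two of them as detection logic: flag control-plane peers absent from an operator allowlist, and flag a software version going backwards on a device, raising severity when a reboot follows within a short window. This is not Cisco tooling and does not use Cisco's log or inventory formats; the peer inventory, event lines, hostnames, addresses and version numbers are constructed stand-ins for what an operator would export from the management plane and its logs.

```python
"""Added hunting example for the SD-WAN response guidance. Not Cisco tooling;
the inventory and event formats are constructed for illustration only."""
import re
from datetime import datetime, timedelta

# Constructed peer inventory (one per line): system-ip hostname role version
PEER_INVENTORY = """\
10.0.0.1 vmanage01 manager 20.12.4
10.0.0.2 vsmart01 controller 20.12.4
10.0.0.3 vbond01 validator 20.12.4
10.0.0.77 vsmart02 controller 20.12.4
"""
# Operator's source of truth for legitimate control-plane peers (constructed).
ALLOWED_PEERS = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}

# Constructed event timeline: <ISO-8601 time> <device> <event> <detail>
EVENTS = """\
2026-02-20T01:00:00Z vmanage01 version 20.12.4
2026-02-21T03:14:00Z vmanage01 version 20.9.1
2026-02-21T03:15:10Z vmanage01 reboot unscheduled
2026-02-21T03:20:00Z vmanage01 version 20.9.1
2026-02-22T09:00:00Z vsmart01 version 20.12.4
"""


def parse_version(text: str) -> tuple:
    """'20.12.4' -> (20, 12, 4). Tuples compare component-wise, which avoids
    the string-compare trap where '20.9.1' sorts above '20.12.4'."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def find_rogue_peers(inventory: str, allowed: set) -> list:
    """Peers whose system IP is not on the allowlist."""
    rogue = []
    for line in inventory.splitlines():
        ip, host, role, version = line.split()
        if ip not in allowed:
            rogue.append({"ip": ip, "host": host, "role": role, "version": version})
    return rogue


def parse_events(text: str):
    """Yield (timestamp, device, event, detail) from the constructed format."""
    for line in text.splitlines():
        ts, device, event, detail = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), device, event, detail


def find_downgrades(events: str, reboot_window_s: int = 900) -> list:
    """Flag a version lower than the last one seen on the same device, and raise
    severity to high when a reboot follows within reboot_window_s seconds:
    downgrade-then-reboot is the pattern the response guidance says to look for."""
    window = timedelta(seconds=reboot_window_s)
    last = {}          # device -> (version tuple, version string)
    findings = []
    for ts, device, event, detail in parse_events(events):
        if event == "version":
            cur = parse_version(detail)
            prev = last.get(device)
            if prev and cur < prev[0]:
                findings.append({"device": device, "when": ts, "from": prev[1],
                                 "to": detail, "reboot_after": None,
                                 "severity": "medium"})
            last[device] = (cur, detail)
        elif event == "reboot":
            for f in findings:
                if (f["device"] == device and f["reboot_after"] is None
                        and timedelta(0) <= ts - f["when"] <= window):
                    f["reboot_after"] = ts
                    f["severity"] = "high"
    return findings


if __name__ == "__main__":
    for p in find_rogue_peers(PEER_INVENTORY, ALLOWED_PEERS):
        print("ROGUE PEER", p)
    for f in find_downgrades(EVENTS):
        print(f["severity"].upper(), "DOWNGRADE", f)
```

The version comparison is deliberately numeric: a naive string sort would rank 20.9.1 above 20.12.4 and hide exactly the downgrade an attacker performs to reach a vulnerable build. Feed real exports into `find_rogue_peers` and `find_downgrades` by adapting the two parsers; the allowlist should come from a source the management plane cannot rewrite.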
Industrial and EV‑charging advisories
An advisory from CISA documents critical issues in Mobility46's OCPP WebSocket implementation, including missing authentication for critical functions (CVSS 9.4), lack of rate limiting, weak session management, and insufficiently protected credentials. Potential impacts include charger impersonation, unauthorized command execution, data corruption, session hijacking, and large-scale service disruption across the Energy and Transportation sectors. The vendor did not respond to coordination requests, so mitigation falls to operators: CISA recommends isolating control networks, minimizing Internet exposure, using secure remote access, and applying ICS detection and mitigation practices. Why it matters: exposed OCPP endpoints can translate directly into unauthorized operational control and telemetry manipulation at grid-edge scale.
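The first three findings (missing authentication, no rate limiting, weak session management) all sit at the WebSocket handshake, so that is where the fix belongs. The following is an added example, not code from CISA, Mobility46, or any OCPP implementation: it shows the accept-anything handshake next to a hardened gate for an OCPP 1.6J central system under security profile 1, where the client sends HTTP Basic credentials on the upgrade request and the username must equal the ChargePointIdentity that ends the URL path. The identities, AuthorizationKey values, peer address and header values are constructed test data.

```python
"""Added example, not from the advisory or the vendor: gating an OCPP-J
WebSocket upgrade. Assumes OCPP 1.6J security profile 1 (HTTP Basic on the
upgrade, username == ChargePointIdentity in the path). All identities, keys
and requests are constructed test data."""
import base64
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


def hash_key(key: str) -> str:
    """Store a digest of the AuthorizationKey, not the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()


def identity_from_path(path: str):
    """OCPP-J endpoint URLs end in the ChargePointIdentity: /ocpp/<identity>."""
    parts = path.rstrip("/").split("/")
    return parts[-1] if len(parts) >= 2 and parts[-1] else None


def authorize_handshake_insecure(path: str, headers: dict) -> bool:
    """The weak pattern (missing authentication for critical functions): any
    client that names an identity is accepted, so anyone can impersonate a charger."""
    return identity_from_path(path) is not None


class RateLimiter:
    """Sliding-window cap on handshake attempts per (peer, identity) key."""

    def __init__(self, max_attempts: int, window_s: float):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


def authorize_handshake(path, headers, peer_ip, limiter, now, creds):
    """Hardened gate: returns (ok, status). Every attempt counts against the
    limiter, the key digest is compared in constant time, and the username must
    match the identity in the path so one charger's key cannot speak for another."""
    identity = identity_from_path(path)
    if not identity:
        return False, "404 no charge point identity in path"
    if not limiter.allow(f"{peer_ip}|{identity}", now):
        return False, "429 too many handshake attempts"
    if headers.get("Sec-WebSocket-Protocol") != "ocpp1.6":
        return False, "400 unsupported subprotocol"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False, "401 authentication required"
    try:
        user, _, key = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False, "400 malformed credentials"
    # Unknown identities get a random dummy digest so the comparison still runs.
    expected = creds.get(identity, hash_key(secrets.token_hex(16)))
    if user != identity or not hmac.compare_digest(hash_key(key), expected):
        return False, "401 bad credentials"
    return True, "101 switching protocols"


def new_session_id() -> str:
    """Opaque, unguessable per-connection id (the fix for weak session
    management); never derive it from the charger identity or a counter."""
    return secrets.token_urlsafe(32)


def basic_header(user: str, key: str) -> str:
    """Build the client side of the handshake for the demonstration."""
    return "Basic " + base64.b64encode(f"{user}:{key}".encode()).decode()


if __name__ == "__main__":
    creds = {"CP001": hash_key("constructed-key-CP001")}   # constructed store
    limiter = RateLimiter(max_attempts=5, window_s=60)
    hdrs = {"Sec-WebSocket-Protocol": "ocpp1.6",
            "Authorization": basic_header("CP001", "constructed-key-CP001")}
    print(authorize_handshake_insecure("/ocpp/CP001", {}))
    print(authorize_handshake("/ocpp/CP001", hdrs, "203.0.113.9", limiter, 0.0, creds))
    print(authorize_handshake("/ocpp/CP001", {}, "203.0.113.9", limiter, 1.0, creds))
```

Profile 1 still sends the key in cleartext unless the endpoint is TLS-only; OCPP 1.6J profiles 2 and 3 add server-side TLS and mutual TLS respectively, and the advisory's advice to keep these endpoints off the public Internet applies regardless of profile. Failed attempts are counted before authentication so that a credential-guessing client is throttled rather than given unlimited tries.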
Separately, CISA outlined a set of critical vulnerabilities in Copeland XWEB and XWEB Pro controllers, including pre‑authentication remote code execution paths (one with CVSS 10.0), authentication bypasses, weak cryptography, command injection, path traversal, arbitrary file read, and a stack overflow. Fixes are available; operators should update via the vendor’s mechanisms and follow standard ICS hardening guidance. No public exploitation was reported at the time of the advisory.
Cloud infrastructure and data platforms evolve
General availability of the Amazon EC2 I8g.metal‑48xl instance family was announced with Graviton4 processors and third‑generation Nitro NVMe SSDs, positioned for I/O‑intensive, low‑latency databases and analytics. The AWS post cites up to 60% compute improvement over I4g, better per‑TB storage performance, reduced latency/variance, and Nitro offload that strengthens isolation while boosting throughput. For data serving, Google Cloud introduced a preview Spanner columnar engine to accelerate scan‑heavy queries and serve Apache Iceberg lakehouse datasets with low latency and global consistency; Google highlights order‑of‑magnitude speedups on representative analytics while isolating transactional workloads via automatic query routing.
Operationally, AWS announced Security Hub Extended, which combines AWS detections with curated third-party partner solutions under consolidated billing and support. Findings are normalized in Security Hub to simplify triage and correlation, with pay-as-you-go or flat-rate pricing. In compute, EC2 M8i and M8i-flex instances are now available in additional regions, expanding access to AWS-exclusive Intel Xeon 6-based options for memory-bandwidth-sensitive general-purpose workloads, according to AWS.