Cloud Run IAP, Veeam Fixes, KEV Chrome 0‑Days, and AWS Rollouts


Coverage: 13 Mar 2026 – 15 Mar 2026 (UTC)


Platform hardening led today’s security developments. Google introduced direct Cloud Run IAP integration and a public-access option aligned with organizational controls, while Veeam issued urgent fixes for multiple high‑severity flaws in Backup & Replication (The Hacker News). In parallel, U.S. federal guidance elevated two actively exploited Chrome bugs to the CISA KEV catalog, reinforcing the priority of rapid browser patching.

Identity and perimeter controls consolidate

Google Cloud made access management on Cloud Run more straightforward with direct Identity‑Aware Proxy enablement and clarified patterns for public endpoints. The release removes prior load balancer prerequisites, supports context‑aware signals and Workforce Identity Federation, and allows unauthenticated CORS preflight requests while enforcing authentication on others. A new “Allow Public access” setting disables the Cloud Run IAM invoker check for use cases secured by network layers or org policies, giving teams clearer choices between centralized IAP and alternative controls. The changes aim to cut operational overhead for both internal and public services while preserving organization‑wide posture.

AWS expanded regional resilience for workforce access by adding multi‑Region replication to Identity Center, using customer‑managed KMS keys to protect replicated identity data and enabling region‑local access with centralized administration. For sovereignty‑bound workloads in Europe, managed network protections now extend to the AWS European Sovereign Cloud with the launch of Network Firewall, keeping logs, operations, and enforcement within EU jurisdiction.

Operations and developer tooling tighten reliability

AWS introduced new service level objective features in Application Signals: data‑driven SLO recommendations based on P99 latency and error rates, aggregated service‑level SLOs for a consolidated reliability view, and calendar‑aligned performance reports for trend analysis. In parallel, the newly released SAM Kiro power brings guided, opinionated serverless development into AI‑assisted workflows, steering IAM policy construction and enforcing observability via Powertools for AWS Lambda to reduce misconfiguration risk.

For performance‑sensitive services, Lambda Rust on Managed Instances pairs the serverless control plane with EC2‑based price‑performance and native concurrency, targeting high‑throughput APIs, stream processing, and inference. Compute options also widened with EC2 M8azn reaching the Ohio Region, offering up to 5 GHz CPUs, larger caches, greater memory bandwidth, and higher I/O to accelerate latency‑sensitive and compute‑intensive workloads. Teams should benchmark representative services, validate runtime behavior, and weigh cost models before migration.

Advisories and exploited vulnerabilities

Veeam shipped security updates for Backup & Replication to address seven critical issues that could enable remote code execution, file manipulation, or local privilege escalation (The Hacker News). The most severe (CVE‑2026‑21666, CVE‑2026‑21667, CVE‑2026‑21669) are rated CVSS 9.9 and allow an authenticated domain user to execute code on the backup server; fixes are available for 12.x in 12.3.2.4465, with additional coverage in 13.0.1.2067 for select flaws. Administrators are urged to patch promptly, verify build versions, rotate service credentials, restrict management interfaces, review audit logs, and apply compensating controls where immediate updates are not possible. Why it matters: backup platforms hold elevated privileges and are frequent ransomware targets, amplifying the impact of delayed remediation.

Two actively exploited Chrome vulnerabilities—an out‑of‑bounds write in Skia (CVE‑2026‑3909) and an implementation bug in V8 (CVE‑2026‑3910)—were added to the CISA KEV catalog, triggering remediation requirements for federal agencies and a call for all organizations to prioritize updates. Rapid deployment across managed fleets, inventory of outdated versions, and layered browser protections remain critical.

Qualys TRU detailed nine CrackArmor flaws in Linux AppArmor that can undermine mandatory access control, bypass container isolation, and enable local privilege escalation to root (CrackArmor). The issues affect kernels since 4.11 on distributions integrating AppArmor. The advisory urges immediate kernel patching, isolation of affected systems, and monitoring for suspicious privilege‑escalation attempts.

Threat operations and software supply chains

Law enforcement disrupted the SocksEscort residential proxy service that hijacked hundreds of thousands of home and SOHO routers for fraud, DDoS, ransomware distribution, and other crimes (The Hacker News). Investigators attribute infections to AVrecon malware targeting about 1,200 device models via critical RCE and command‑injection bugs, achieving persistence by flashing custom firmware. The operation seized domains and servers across multiple countries and froze cryptocurrency tied to the service.

Web supply‑chain risk surfaced as researchers observed a temporary compromise of the AppsFlyer Web SDK domain that injected obfuscated JavaScript to swap and exfiltrate cryptocurrency wallet addresses (BleepingComputer). Separately, the GlassWorm campaign escalated by abusing Open VSX relationships across at least 72 extensions to deliver malware to developers, alongside related activity in GitHub repositories and npm packages (GlassWorm). Why it matters: transitive and URL‑based dependencies can silently introduce credential theft and wallet‑draining payloads, calling for stronger registry review and dependency auditing.

On the social‑engineering front, Microsoft tracked Storm‑2561 using SEO‑poisoned results to push signed, trojanized VPN installers that harvest enterprise credentials and then redirect users to legitimate downloads to reduce suspicion (CSO). In a separate enterprise incident, Telus Digital is investigating a large‑scale data‑theft claim by an extortion group; the company reports no impact to connectivity or services while the scope remains unverified (CSO).

AI‑agent operational exposure also drew attention as China’s CNCERT warned that weak defaults and privileged access in the open‑source OpenClaw agent can enable indirect prompt injection and data exfiltration, including URL‑based leaks via link previews (OpenClaw). Recommended mitigations include isolating management interfaces, containerizing deployments, disabling automatic skill updates, and keeping agents patched.