AI Zero Trust, LLM Platform Gains, and Critical Flaws Exposed

Coverage: 19 Mar 2026 (UTC)

Security moves centered on prevention set the tone today. A new post from Microsoft details a Zero Trust for AI program spanning tools, assessments, and a reference architecture, while support for disaggregated LLM inference via NIXL over EFA arrived from AWS. Alongside these enablement themes, a critical telnetd bug and high‑impact advisories on EV charging and building controls underscore the continuing risks from legacy protocols and exposed operational tech, and researchers flagged active exploitation against a firewall management platform and government collaboration suites.

AI security guardrails move from strategy to practice

A coordinated Zero Trust for AI effort introduces an AI pillar to the Zero Trust Workshop, expands automated assessments across identity, endpoints, data, and networking, and adds a reference architecture to operationalize verify‑explicitly, least‑privilege, and assume‑breach principles. The materials in the post from Microsoft outline patterns for threat modeling, cross‑product integrations, and end‑to‑end observability — with a dedicated assessment for AI slated for summer 2026 — to help teams address prompt injection, data poisoning, model misuse, and over‑privileged or misaligned agents. The value is a clearer bridge from strategy to prioritized, actionable implementation.

CrowdStrike broadened runtime defenses for agentic applications by integrating Falcon AIDR with NVIDIA NeMo Guardrails. Policies now span input sanitization, output filtering, RAG ingestion, and tool invocation, with more than 75 built‑in detectors and custom entities to block or redact malicious prompts, PII, secrets, and restricted topics. Guidance encourages starting in monitor‑only mode to baseline agent behavior before enforcing controls in production.

Cloudflare brought large open models to Workers AI, starting with Kimi K2.5, and detailed platform changes — custom kernels on its Infire engine, prefix caching with metrics, a session‑affinity header, and a pull‑based async API — to support high‑volume agent workloads. Internal examples cite substantial cost reductions for code‑review agents and feature additions like multi‑turn tool use, vision inputs, and structured outputs. For teams scaling agents, the economics and reliability improvements address practical blockers to adoption.

Cloud foundations for scalable inference and access

Support for the NVIDIA Inference Xfer Library (NIXL) over Elastic Fabric Adapter aims to increase KV‑cache throughput, cut inter‑token latency, and improve memory utilization in disaggregated LLM serving. The integration from AWS works with popular frameworks (NVIDIA Dynamo, SGLang, vLLM), is available on all EFA‑enabled EC2 instance types across regions at no extra charge, and targets lower tail latency and higher throughput‑per‑dollar. Teams should verify required versions and profile workloads before production rollout.

AWS also enabled federated permissions for Amazon Redshift with IAM Identity Center across multiple regions. Organizations can extend a primary Identity Center deployment without duplicating identity stores, enforce row‑ and column‑level controls and masking consistently at query time, and provide SSO from tools like QuickSight and SQL clients. The change reduces administrative overhead while preserving fine‑grained, centralized access policies.

Advisories and patches: legacy services and commerce risks

A critical vulnerability in GNU inetutils telnetd (CVE‑2026‑32746) allows unauthenticated remote code execution as root via a buffer overflow in the LINEMODE SLC handler. Reporting by CSO Online notes exploitation requires only a TCP connection to port 23, with many deployments running telnetd as root across legacy servers, appliances, and embedded systems. Maintainers prepared a patch promptly; immediate mitigations include disabling telnetd, migrating to SSH, dropping privileges, and restricting TCP/23 until updates are applied.

Sansec disclosed a flaw dubbed PolyShell affecting Magento Open Source and Adobe Commerce 2.x that lets unauthenticated attackers upload polyglot files (valid images that also carry executable code) through the REST API; the payload runs if the web server serves the upload directory. As covered by BleepingComputer, Adobe has provided mitigations and sample web server rules, with a production patch pending. Administrators should deny access to pub/media/custom_options/, verify that the web server rules actually block requests to that path, scan the directory for uploaded shells, and monitor logs for suspicious activity.
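As a check to pair with the mitigations above, here is an added scanner (example code, not Sansec's, Adobe's or BleepingComputer's) for the pub/media/custom_options/ directory: it flags files whose extension is not an expected image type, files whose header does not match the image type their extension claims, and any file that carries a PHP open tag inside its body, which is what a polyglot upload looks like on disk. The accepted extensions, the magic-byte table and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Magic bytes for the image types a custom-options upload would normally carry (assumed list).
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# PHP open tags: a polyglot keeps a valid image header but carries one of these further in.
PHP_MARKER = re.compile(rb"<\?php|<\?=|<script[^>]+language\s*=\s*['\"]?php", re.IGNORECASE)


def inspect_file(path: Path) -> list[str]:
    """Return the reasons a file is suspicious; an empty list means it looks clean."""
    data = path.read_bytes()
    reasons = []
    ext = path.suffix.lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    elif not data.startswith(magic):
        reasons.append(f"{ext} extension but header is not {ext} magic")
    if PHP_MARKER.search(data):
        reasons.append("PHP open tag inside file body")
    return reasons


def scan_dir(root: str) -> dict[str, list[str]]:
    """Walk an upload directory and map each suspicious file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = inspect_file(p)
            if reasons:
                findings[str(p.relative_to(root))] = reasons
    return findings


def make_sample_dir() -> str:
    """Create a constructed sample upload directory (not real captured data)."""
    root = tempfile.mkdtemp(prefix="custom_options_")
    samples = {
        "clean.png": IMAGE_MAGIC[".png"] + b"\x00" * 32,              # genuine image header, no code
        "poly.gif": b"GIF89a" + b"\x00" * 16 + b"<?php echo 'x'; ?>",  # polyglot: image header + PHP
        "fake.jpg": b"<?php echo 'y'; ?>",                            # PHP renamed to .jpg
        "dropper.phtml": b"<?= 1 ?>",                                 # script extension in an image dir
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    root = make_sample_dir()
    for rel, why in sorted(scan_dir(root).items()):
        print(rel, "->", "; ".join(why))
```

Run it against the live directory (and any other writable media paths) once the deny rule is in place; a hit is a file to quarantine and a request to trace in the web server access log. It does not prove that execution happened, which still requires confirming that the server refuses to serve the path.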

CISA issued an advisory on CTEK Chargeportal, citing missing authentication on WebSocket endpoints (CVSS 9.4), lack of rate limiting, predictable session IDs, and exposed station identifiers that could enable station impersonation, unauthorized OCPP commands, and denial‑of‑service. The product is being sunset in April 2026; network isolation, minimized internet exposure, and secure remote access are recommended. A companion advisory for IGL‑Technologies eParking.fi from CISA describes unauthenticated OCPP WebSocket access (CVSS 9.4), missing rate limits, and predictable, non‑expiring sessions enabling impersonation and backend abuse; the vendor reports updates to strengthen authentication, whitelisting, and monitoring. Why it matters: exposed control endpoints in EV charging backends can translate quickly into operational disruption.
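To make the CTEK and eParking.fi findings concrete, here is an added example (not code from either vendor, nor from CISA) of the checks an OCPP-J backend's WebSocket upgrade handler should make before accepting a charging station: HTTP Basic credentials bound to the station id carried in the URL path, a constant-time comparison against a per-station secret, a per-source lockout after repeated failures, and unguessable session ids that expire. The credential store, the lockout thresholds and the session TTL are assumptions for illustration; the class models only the decision, not the socket.

```python
import base64
import hmac
import secrets
from collections import deque
from dataclasses import dataclass, field

# Thresholds are illustrative assumptions, not values from any advisory.
MAX_FAILURES = 5        # failed upgrades tolerated per (peer, station) ...
FAILURE_WINDOW = 60.0   # ... within this many seconds
SESSION_TTL = 3600.0    # seconds a session id stays valid


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization value a station would send (used to construct requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class OcppGateway:
    # station id -> shared secret; a real backend loads this from its station store (assumption)
    credentials: dict[str, bytes]
    failures: dict[str, deque] = field(default_factory=dict)
    sessions: dict[str, tuple[str, float]] = field(default_factory=dict)

    def _locked_out(self, key: str, now: float) -> bool:
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > FAILURE_WINDOW:  # forget failures outside the window
            q.popleft()
        return len(q) >= MAX_FAILURES

    def _reject(self, key: str, now: float, status: int):
        self.failures.setdefault(key, deque()).append(now)
        return status, None

    def handshake(self, path: str, headers: dict[str, str], peer_ip: str, now: float):
        """Decide on a WebSocket upgrade request. Returns (http_status, session_id)."""
        station = path.rstrip("/").rsplit("/", 1)[-1]  # OCPP-J puts the station id last in the path
        key = f"{peer_ip}/{station}"
        if self._locked_out(key, now):
            return 429, None
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return self._reject(key, now, 401)
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 credentials
            return self._reject(key, now, 400)
        # Always run the comparison so timing does not reveal which station ids exist.
        expected = self.credentials.get(station, b"\x00" * 32)
        secret_ok = hmac.compare_digest(password.encode(), expected)
        if not (station in self.credentials and user == station and secret_ok):
            return self._reject(key, now, 401)  # credentials must belong to the station in the URL
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter or timestamp
        self.sessions[sid] = (station, now + SESSION_TTL)
        return 101, sid

    def resolve(self, sid: str, now: float):
        """Map a session id to its station, or None if the id is unknown or expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        station, expires = entry
        if now >= expires:
            del self.sessions[sid]
            return None
        return station
```

The lockout key combines the peer address and the station id, so a brute-force attempt against one station from one source does not block other stations or other addresses; production code would also put the whole exchange behind TLS, since Basic credentials are only base64-encoded.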

Exploitation and enforcement updates

Analysis reported by CSO Online shows the Interlock ransomware group exploiting a critical deserialization bug (CVE‑2026‑20131) in Cisco Secure Firewall Management Center weeks before a patch was released, with honeypots capturing the attack chain and tooling. The case highlights the pre‑patch exposure window and the need for defense‑in‑depth, rapid mitigation, and log hunting alongside urgent patching.

State‑linked actors tracked as APT28 used a high‑severity stored XSS in Zimbra (CVE‑2025‑66376) to compromise Ukrainian government email systems, according to BleepingComputer. The campaign exfiltrated credentials, session tokens, and up to 90 days of mailbox content over DNS and HTTPS, underscoring the ongoing targeting of unpatched collaboration platforms.
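For the DNS leg of an exfiltration like the Zimbra campaign above, here is an added detector (not from BleepingComputer's reporting, nor from any vendor) that runs over resolver query logs and flags a client sending many unique, long, high-entropy subdomain labels to one parent domain, the shape that data tunnelled out in query names takes. The log format, the thresholds and the two-label "parent domain" heuristic are assumptions; the sample lines are constructed, and a production version would use a public-suffix list and count per time window.

```python
import hashlib
import math
import re
from collections import defaultdict

# Assumed, simplified resolver log format: "<timestamp> client <ip>#<port>: query: <qname> IN <qtype>"
LINE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def _hexchunk(i: int) -> str:
    """Deterministic stand-in for one hex-encoded chunk of stolen data (constructed)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:40]


# Constructed sample log: ordinary lookups, one long but lone CDN label, and a tunnel burst.
SAMPLE_LOG = [
    "19-Mar-2026 09:00:01 client 10.0.5.17#51234: query: www.example.com IN A",
    "19-Mar-2026 09:00:02 client 10.0.5.17#51235: query: mail.example.com IN A",
    "19-Mar-2026 09:00:03 client 10.0.5.22#40211: query: d1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6.cdn.example IN A",
] + [
    f"19-Mar-2026 09:01:{i:02d} client 10.0.5.17#{51300 + i}: query: {_hexchunk(i)}.tunnel.example IN TXT"
    for i in range(12)
]


def entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def parent_domain(qname: str) -> str:
    """Last two labels; a real deployment should use the public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_exfil(lines, min_unique=8, min_label_len=20, min_entropy=3.0):
    """Return one alert per (client, parent domain) that looks like a DNS tunnel."""
    labels_by_key = defaultdict(set)
    qtypes_by_key = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".")
        labels = qname.split(".")
        if len(labels) < 3:  # exfil rides in a subdomain under the attacker's zone
            continue
        key = (m["ip"], parent_domain(qname))
        labels_by_key[key].add(labels[0])
        qtypes_by_key[key].add(m["qtype"])
    alerts = []
    for (ip, parent), labels in labels_by_key.items():
        long_labels = [lab for lab in labels if len(lab) >= min_label_len]
        if len(long_labels) < min_unique:
            continue
        avg = sum(entropy(lab) for lab in long_labels) / len(long_labels)
        if avg >= min_entropy:
            alerts.append({
                "client": ip,
                "domain": parent,
                "unique_labels": len(long_labels),
                "avg_entropy": round(avg, 2),
                "qtypes": sorted(qtypes_by_key[(ip, parent)]),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print(alert)
```

Uniqueness matters more than volume here: a host repeatedly resolving the same long CDN label is cached and harmless, while a tunnel must vary the label on every query to carry new data. Tune the thresholds against a week of your own resolver logs before alerting on them.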

Researchers documented DarkSword, a full‑chain JavaScript exploit kit used for rapid data theft on iOS 18.x, chaining six vulnerabilities — including multiple zero‑days prior to fixes — to achieve kernel‑level control and exfiltrate broad device data. The Hacker News reports the watering‑hole delivery, sandbox escapes, and modular payloads optimized for hit‑and‑run collection, with patches issued across iOS 18.6–18.7.x.

Following a destructive attack on a medical device maker’s environment, two clearnet domains used by the Handala group were seized under a U.S. federal warrant; the sites now display a law‑enforcement seizure banner and point to FBI‑controlled name servers. Coverage by BleepingComputer notes the action aims to disrupt ongoing malicious activity; the group has acknowledged the seizures and signaled plans to rebuild infrastructure.