< ciso
brief />
Tag Banner

All news with #vulnerability management tag

213 articles · page 2 of 11

UK government patches 400+ vulnerabilities via AI

🔎 The UK government's GC3 ran weekly in-person hackathons using frontier AI models to scan public code repositories across nine departments, identifying 407 findings including authentication bypasses, data exposure and remote code execution. Teams built diverse pipelines combining models and traditional tools like Gitleaks, Trivy and Semgrep, and all exploitable critical and high-risk issues were remediated. The initiative highlighted the benefits of tightly scoped model components, the need for human triage, and cost-effective scanning, though export restrictions on some models may affect future work.
read more →

Scaling Security Scans to Serve Millions

🔍 Cloudflare’s Security Insights runs automated scans to surface risks across accounts, zones, and DNS records. They faced two problems: scans were too infrequent (up to two weeks) and many free accounts were opt-in only. To resolve this they increased scanning throughput ~10x, redesigned Kafka consumers, optimized Postgres bulk inserts, centralized API latency to follow the primary DB, and improved scheduling with per-zone timing, randomization, and adaptive rate limiting.
read more →

CISA Adds One Vulnerability to KEV Catalog

🔔 CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog after confirmed active exploitation. The agency emphasizes that such flaws are common attack vectors posing significant risk to the federal enterprise and urges rapid remediation. Binding Operational Directive 26-04 requires FCEB agencies to prioritize fixes for KEV-listed CVEs on internet-exposed assets and to check for compromise prior to patching. CISA encourages all organizations to adopt risk-based vulnerability management and submit potential KEV candidates via the KEV Nomination Form.
read more →

AI-Driven Vulnerabilities and Security Fundamentals

🔍 Talos contrasts personal tech nostalgia with a sharp warning: AI-driven vulnerability discovery now outpaces human patching. The blog highlights how frontier models can autonomously find and exploit zero-days in minutes, collapsing the traditional vulnerability lifecycle. It urges organizations to move beyond patch-centric defenses and adopt a three-stage fallback model emphasizing prevention, detection, and resilience through controls like MFA, CIS benchmarks, segmentation, and behavioral EDR/XDR.
read more →

CISA Directive Replaces Deadline Patching With Risk

🔒 CISA has issued Binding Operational Directive 26-04 requiring US federal agencies to shift from rigid, deadline-driven patching to a risk-based remediation model that prioritizes actively exploited threats. The directive ties remediation windows to risk — including a three-day forensic and patching requirement for the most critical flaws — and consolidates previous mandates into a single framework. It replaces CVSS-based prioritization with a four-factor risk assessment and gives agencies 180 days to meet the new timelines.
read more →

CISA mandates rapid remediation of critical federal flaws

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 26-04 to require Federal Civilian Executive Branch agencies to prioritize and accelerate patching of high-risk vulnerabilities. The directive sets remediation timelines based on asset exposure, presence in CISA's Known Exploited Vulnerabilities (KEV) catalog, exploit automation risk, and potential for system control, with the shortest deadline as three days. It supersedes previous BODs and applies to on-premises, third-party hosted, and cloud environments, excluding certain military, intelligence, and contractor systems.
read more →

CISA Directive Pushes Risk-Based, Contextual Patching

🔒 CISA issued Binding Operational Directive 26-04 to prioritize vulnerabilities by contextual risk rather than CVSS alone. The directive uses four factors — internet exposure, KEV listing, exploit automation, and post-exploitation impact — to set dynamic remediation timelines, including a three-day requirement for the highest-risk cases. The guidance aims to help agencies focus scarce resources on flaws most likely to be exploited amid faster discovery driven by AI.
read more →

June Patch Tuesday: Record CVE Count and Critical Fixes

🔒 June Patch Tuesday brought an unprecedented wave of fixes: Microsoft released over 200 CVEs including three disclosed zero-days and 32 critical patches, while SAP and Adobe patched multiple high-severity enterprise flaws. Microsoft warns this increase may become the new normal as AI accelerates vulnerability discovery, urging risk-based prioritization and automated patching. Administrators should urgently assess critical kernel, Active Directory, Hyper-V, and Exchange fixes.
read more →

SMB Cyber Readiness: What Strengthens or Breaks It

🔒 The ESET SMB Cyber Readiness Index 2026 finds 45% of small and medium businesses experienced a cyber-incident in the past year, yet confidence in resilience often rises among repeat victims. The report highlights common root causes—phishing, unpatched vulnerabilities, monitoring gaps and weak passwords—and notes a mismatch between headline-driven fears like AI malware and the mundane vectors attackers exploit. Preparation, clear decision authority, and disciplined reduction of attack surface are critical to withstand incidents.
read more →

Enterprises Ship Vulnerable AI-Generated Code Despite Risks

🛡️ New research from Checkmarx finds enterprises are increasingly shipping AI-generated code despite widespread vulnerabilities. The survey of 2,350 security leaders shows nearly half of production code is AI-built and organizations that rely heavily on AI introduce far more insecure code. Many firms lack formal AI governance and continue to accept or defer fixing known issues, while tool sprawl and developer pressure compound the problem.
read more →

Record-breaking June 2026 Patch Tuesday updates

🚨 Microsoft released fixes addressing nearly 200 vulnerabilities in its June 2026 Patch Tuesday, the largest monthly tally to date, with almost three dozen rated critical and public exploit code for at least three flaws. Multiple zero-days were patched, including CVE-2026-49160 affecting IIS and CVE-2026-50507 for BitLocker, with some reports tied to researcher "Nightmare Eclipse." Microsoft and other vendors noted rising use of AI in vulnerability discovery and unusually high browser flaw counts this month.
read more →

XBOW Evaluates Anthropic’s Mythos Preview Model

🔎 XBOW received early access to Anthos Mythos Preview and ran a structured evaluation across benchmarks, interactive workflows, and live-site integrations. The model excels at reading source code, finding vulnerability candidates, and aiding native-code analysis and reverse engineering. While powerful for generating leads and precise technical analysis, Mythos Preview is less effective at exploit validation and exhibits mixed judgment that benefits from human orchestration.
read more →

Most Firms Admit Deploying Vulnerable Production Code

🔍 A new Checkmarx report found that 95% of CISOs have been pressured to deprioritize or delay reporting security issues, and 75% acknowledged their organizations knowingly deployed vulnerable code to production. Respondents cited compensating controls, deadlines, late detection, and difficulty of fixes as reasons. The survey of 2,350 security professionals also flagged limited remediation rates and rising risks from AI-generated code.
read more →

AI-powered worm highlights urgent enterprise risk

🛡️ Researchers at the University of Toronto built an AI-driven worm prototype that autonomously discovered and exploited vulnerabilities across a simulated enterprise network. Using a locally hosted, free LLM and a custom agentic harness, the worm self-replicated to multiple systems by chaining old and recent CVEs and common misconfigurations. Over several days it spread to most targets, demonstrating that attackers do not need cutting-edge models to mount damaging, adaptive attacks. The findings underscore the need for faster patching, AI-assisted defensive testing, and improved architecture such as segmentation and zero trust.
read more →

Anthropic’s Project Glasswing: Status and Concerns

📰 Anthropic launched Project Glasswing in April to let companies use its Mythos model to discover and remediate software vulnerabilities. The project produced a status report claiming many findings, including some dangerous issues, yet most reported vulnerabilities appear unpatched. Anthropic’s reluctance to release detailed data and methodology — instead asking the public to "trust us" — raises questions about the accuracy and interpretation of the results.
read more →

DSIT Rethinks Remediation to Simplify Vulnerability Fixes

🔍 The UK's DSIT manages security for over half a million government domains and is streamlining how vulnerabilities are communicated and fixed. Nick Woodcraft explained at Infosecurity Europe 2026 that DSIT focuses on clear, outcome-oriented guidance so non-experts can prioritise remediations. The department uses SIEM integration and NCSC channels to distribute trusted data and avoids overwhelming organisations by staging issue disclosures. Emphasis remains on basics like patching to mitigate faster-emerging threats.
read more →

IG Report Criticizes NIST Over NVD Backlog

🔍 A U.S. Commerce Department inspector general report faults NIST for management and strategy shortcomings that contributed to a growing backlog in the National Vulnerability Database (NVD). The report cites duplicated effort with CISA, insufficient communication, and inconsistent severity scoring as key issues, while NIST points to budget cuts and disputed the report’s tone. Industry experts say the backlog reflects broader funding and process failures and warn that AI-driven increases in vulnerability discovery demand rethinking NVD processes.
read more →

Underground Playbook Targets Vulnerability Programs

🛡️ A forum tutorial by an actor named "Hercules" outlines a simple, practical workflow for scanning, validating, exploiting, and monetizing vulnerabilities, blending «legal» disclosure steps with clear illegal options. Flare researchers tracked the post and responses across multiple forums, noting demand for mentorship and the tutorial’s repeat reposting. The write-up highlights use of public tools like Nuclei, emphasizes accessibility for beginners, and explains monetization paths including direct extortion, underground sales, and asset resale. The analysis warns defenders that readable, motivational guides scale criminal capability and underscores the importance of effective vulnerability disclosure programs.
read more →

Security teams warned: prepare for 'son of Mythos'

🛡️ Security experts at Infosecurity Europe warned that expanding access to frontier AI tools for vulnerability discovery — notably Anthropic’s Project Glasswing and OpenAI’s reported GPT-5.5 Cyber pilot — heralds a structural shift in cybersecurity. Speakers advised organisations to harden controls, run incident response exercises, and accelerate adoption to avoid falling behind attackers. The panel stressed that AI augments, not replaces, human expertise; combined use improves validation and remediation of AI-discovered issues.
read more →

Konvu wins Infosecurity Europe Cyber Startup award

🏆 Konvu, an AI-native vulnerability triage platform, won the inaugural Infosecurity Europe Cyber Startup competition live on stage at Infosecurity Europe 2026. The startup beat four rivals and receives an exhibition stand at Infosecurity Europe 2027, PR support from Origin Communications and a branding workshop from Dusted. CEO Lucas Masson highlighted Konvu's agent-driven checks and evidence-backed exploitability decisions that integrate into existing workflows.
read more →