< ciso
brief />
Tag Banner

All news with #vulnerability management tag

213 articles · page 3 of 11

AI-driven urgency reshapes enterprise cybersecurity budgets

🔒 The rapid rise of frontier and agentic AI is creating board-level urgency that may finally unlock sustained cybersecurity funding. Industry leaders at recent conferences noted that autonomous AI systems expose operational risk, widen attack surfaces, and outpace traditional security architectures. CISOs are reframing cybersecurity as an operational enabler for safe AI adoption, pushing for investments in visibility, identity, monitoring, and AI-specific controls. Vendors and experts caution that budget requests need clear business cases tied to measurable outcomes.
read more →

AI-Driven Exploitability Forces Faster Patching

🔒 As AI models like GPT5.5 and Claude Mythos accelerate exploit discovery, organisations face shrinking windows to patch vulnerabilities. Industry experts at Infosecurity Europe warn mean time to exploit has fallen from days to hours, prompting regulatory responses such as India’s 12-hour patch expectation. Analysts contrast vendor-centric EU rules with market-driven US approaches and recommend exploit-intelligence led patching, automation, segmentation and stronger producer SLAs.
read more →

Anthropic expands Project Glasswing to 150 more firms

🔎 Anthropic has added 150 additional companies to its Project Glasswing initiative, prioritizing critical infrastructure sectors like power, water, healthcare, communications, and hardware. Analysts view the expansion positively for increasing vulnerability discovery, but warn of a remediation bottleneck: vendors and SOCs may struggle to validate, prioritize, and patch a potential 10x or greater increase in findings. Experts emphasize the need for confidence scoring, automation, and third-party validation to maintain trust and ensure timely remediation.
read more →

Two-year-old Oracle WebLogic flaw now actively exploited

🔒 US federal agencies were ordered to patch a two-year-old high-severity Oracle WebLogic Server vulnerability, CVE-2024-21182, after its addition to CISA’s Known Exploited Vulnerabilities catalog. The flaw affects supported versions 12.2.1.4.0 and 14.1.1.0.0 and was patched by Oracle in the July 2024 CPU. Security experts note that inclusion in the KEV indicates active weaponization and highlight persistent slow patching across organizations as a key risk.
read more →

Responsible Vulnerability Disclosure in the AI Era

🛡️ Responsible Disclosure in the Age of AI argues that frontier AI systems now autonomously discover software vulnerabilities at unprecedented speed and scale, exposing long-standing technical debt in the software industry. The piece traces the evolution of assurance practices and disclosure frameworks and highlights growing tension between offensive and defensive cyber equities, particularly in the U.S. and China. It calls for coordinated national and international efforts to accelerate remediation, patch management, and investment in automated repair capabilities to close the narrowing window before adversaries exploit these advances.
read more →

Amazon Inspector improves EC2 agent scanning

🛡️ Amazon Inspector introduces the new Inspector VM Scanner for agent-based EC2 scanning, increasing detection coverage while lowering CPU usage on instances. The updated scanner expands findings to include software such as WordPress, Apache HTTP Server, Python packages, and Ruby gems, bringing agent-based coverage closer to agentless parity. Customers can enable the VM Scanner via the Inspector console or API, including organization-wide enablement for delegated administrators, with no additional IAM instance profile roles required.
read more →

IBM and Red Hat Launch Project Lightwell Security Clearinghouse

🔐 IBM and Red Hat announced Project Lightwell, a $5 billion initiative backed by 20,000 engineers to create an AI-powered enterprise clearinghouse for discovering and remediating open source vulnerabilities. Initially focused on Java/Maven and designed with 11 financial partners, the service will backport validated fixes into deployed dependency versions without requiring upgrades. The project emphasizes a secure intermediary model for embargoed disclosures, aims to return fixes upstream to communities, and will be offered as a commercial subscription.
read more →

Less Panic Patching, More Precision in Remediation

🔍 This edition of Threat Source argues for smarter patch prioritization, pairing CVSS severity with EPSS likelihood to focus scarce operations on vulnerabilities being actively exploited. It contrasts centralized KEV visibility with emerging decentralized GCVE enrichment and highlights Cisco Talos' new open-source EvidenceForge for generating realistic synthetic logs to train defenders. The newsletter also summarizes recent incidents, vulnerability research, and tooling updates.
read more →

CERT-In urges tighter remediation timelines amid AI risks

🔒 India’s cybersecurity agency, CERT-In, has issued a framework urging organizations to patch, mitigate, or isolate known exploited internet-facing “crown jewel” systems within 12 hours where feasible, citing AI-assisted attacks that compress exploitation timelines. The 38-page blueprint prescribes tiered remediation windows—one day for externally exposed critical flaws, three days for critical internal issues, and five days for high-severity vulnerabilities—while emphasizing temporary mitigations and continuous exposure management over periodic assessments.
read more →

Check Point Frontier AI Readiness Jumbo Release

🛡️ This update describes Check Point’s Frontier AI Models Readiness Program and the resulting Jumbo Security Release. It outlines an AI-driven, multi-repository code-scanning initiative called BLAST that provides contextual, architecture-aware analysis to find exploitable vulnerabilities. The release includes dozens of hardening improvements and targeted fixes for multiple CVEs, and customers are urged to update to benefit from the protections.
read more →

CERT‑In issues 12‑hour patch expectation for AI era

🛡️ New guidance from India's CERT-In urges organizations to remediate actively exploited internet-facing vulnerabilities within 12 hours, citing AI-driven acceleration of reconnaissance and exploitation. The document, published on May 25, maps how generative AI, LLMs and autonomous agents speed up vulnerability discovery, phishing and malware creation. It sets tiered timelines for remediation, recommends using the KEV catalog and EPSS for prioritization, and advises interim mitigations when patches are unavailable.
read more →

CERT-In mandates rapid patching to curb AI-enabled threats

🔒 CERT-In has issued a 38‑page blueprint urging organisations to remediate known exploited, internet‑facing critical vulnerabilities within 12 hours where feasible to counter AI‑assisted automation of vulnerability discovery and exploitation. The guidance emphasizes continuous, risk‑based vulnerability and patch management, Zero Trust, defence‑in‑depth, supply chain scrutiny, and secure‑by‑design practices. It also prescribes tiered remediation timeframes for critical and high‑severity flaws and recommends temporary mitigations when patches are unavailable.
read more →

Vulnerabilities Surpass Credentials as Top Breach Entry

🔍 Verizon’s 2025 DBIR finds exploited vulnerabilities were the initial cause in 31% of breaches, overtaking credential abuse at 13%. The report highlights slower remediation: only 26% of critical CISA KEVs were fully fixed, with median patch time rising to 43 days. Analysts warn AI-driven exploit development, sprawling supply chains, and growing vulnerability volumes are worsening the threat landscape, urging risk-based continuous patching and stronger identity controls.
read more →

Anthropic’s Project Glasswing Reveals Widespread Flaws

🔍 Anthropic and over 50 partners report Project Glasswing, using Claude Mythos Preview, has surfaced roughly 10,000 critical or high-severity vulnerabilities across open source projects and partner software. The initiative scanned more than 1,000 open-source projects and validated thousands of findings with independent security firms, but maintainers are overwhelmed by the volume and pace of disclosures. Anthropic is disclosing issues under a coordinated policy and has launched enterprise offerings like Claude Security and a Cyber Verification Program to support legitimate security research.
read more →

Anthropic's Mythos Finds 10,000+ High Severity Flaws

🔎 Anthropic disclosed that Project Glasswing and access to Claude Mythos Preview helped partners uncover over 10,000 high- or critical-severity vulnerability candidates across widely used, systemically important software since last month. Analysis verified 1,726 true positives, including 1,094 high- or critical-severity flaws, and resulted in 97 upstream patches and 88 advisories. One notable finding was a critical WolfSSL flaw (CVE-2026-5194).
read more →

AWS Security Agent adds verification scripts

🔐 AWS Security Agent now generates verification scripts for penetration test findings to help teams reproduce and validate discovered vulnerabilities. The tool creates ready-to-run scripts for each confirmed finding that include setup instructions, documented environment variables, and redacted sensitive values. Teams download the script, configure variables, and execute it against targets to streamline triage and speed remediation. Verification scripts are available in all Regions where AWS Security Agent is supported.
read more →

Google integrates CodeMender into enterprise agent platform

🔒 Google is folding CodeMender into its broader Agent Platform strategy, expanding the AI-powered security agent from standalone vulnerability remediation toward an integrated, governed enterprise agent ecosystem. Launched in October 2025 to autonomously identify and patch vulnerabilities using Gemini models, CodeMender reportedly upstreamed dozens of fixes but lacks published performance metrics on accuracy and regressions. The integration emphasizes governance, observability, and identity, positioning CodeMender as a controlled participant in AI-native development and security pipelines rather than an unsupervised remediation tool.
read more →

Three-Quarters Admit Shipping Vulnerable Code

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.
read more →

Why Security Fixes Often Miss Vulnerability Dashboards

🔍 On April 22 a trojanized Bitwarden CLI briefly appeared on npm, harvesting developer tokens via a compromised GitHub Action tied to the Checkmarx supply‑chain incident. Bitwarden later issued CVE‑2026‑42994, but the author notes the CVE was retroactive and did not imply a patchable defect. The piece argues CVE’s artifact‑centric model struggles with agentic and model‑mediated threats that mutate behaviorally and often evade dashboards.
read more →

Verizon DBIR: Exploitation Replaces Credential Abuse

🔍 Verizon's latest DBIR reports that vulnerability exploitation has become the top initial access vector, accounting for 31% of breaches compared with 13% for credential abuse. The study links this shift to slower patching—only 26% of CISA KEV critical flaws were fully remediated—and a larger backlog of critical vulnerabilities. It also warns that threat actors may be using AI to scale discovery and exploitation, and highlights rising supply-chain incidents, increased shadow AI adoption, and persistent human-factor risks.
read more →