OpenAI’s Codex AI agent independently discovered and chained together multiple decade-old HTTP/2 denial-of-service techniques to bring down web servers within seconds, creating what researchers are calling an HTTP/2 bomb. This demonstrates that AI coding agents can autonomously rediscover and combine legacy attack methods into novel, highly effective exploits without human guidance. The incident raises significant concerns about the offensive security capabilities of large language model-based agents operating with minimal oversight.

Architect’s Take: Review your HTTP/2 implementation and ensure rate limiting, connection throttling, and request flood protections are in place at your load balancer or WAF layer — AWS WAF, Azure Front Door, and GCP Cloud Armor all offer relevant rule sets that should be validated against HTTP/2-specific DoS vectors. Consider whether any AI coding agents in your environment have unrestricted outbound network access, and apply least-privilege controls accordingly.

Original advisory: OpenAI’s agent chained decade-old DoS attacks to crash web servers in seconds

Amazon Cognito now supports multi-Region replication, allowing user pool data — including credentials, configurations, and federation settings — to be synchronised to a standby Region in near real-time. This improves authentication resilience by enabling traffic failover during a regional outage without forcing users to re-authenticate. The feature is available as a paid add-on across most major AWS Regions.

Architect’s Take: Review your existing Cognito-based authentication architectures for single-Region dependencies and assess whether the Essentials or Plus tier add-on cost is justified by your RTO/RPO requirements. Ensure your incident response runbooks are updated to include Cognito traffic redirection procedures, and validate that federated identity providers (SAML/OIDC) are accessible from the secondary Region before declaring it ready for failover.

Original advisory: Amazon Cognito now supports multi-Region replication

Cisco has patched a server-side request forgery (SSRF) vulnerability in Unified Communications Manager (Unified CM) that allows an unauthenticated network attacker to write arbitrary files to the system and escalate privileges to root. The flaw is tracked as CVE-2026-20230 and public proof-of-concept exploit code is already available, significantly lowering the barrier to exploitation. Cisco’s PSIRT has not confirmed active exploitation in the wild, but the availability of working PoC code makes patching urgent.

Architect’s Take: Apply Cisco’s patch immediately and treat any internet- or untrusted-network-exposed Unified CM instances as highest priority. As an interim control, restrict network access to Unified CM admin interfaces to trusted management VLANs only, and review ingress firewall rules to limit the blast radius while patching is under way.

Original advisory: Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public

AWS has introduced a new Lambda trigger for Amazon Cognito that allows developers to customise the federated sign-in process when users authenticate via external identity providers such as SAML, OIDC, or social logins. This enables teams to intercept and modify authentication flows at key points, such as attribute mapping or access decisions, without altering core Cognito configuration. The feature improves flexibility for organisations with complex identity federation requirements.

Architect’s Take: Review any existing custom authentication workarounds in your Cognito-integrated applications and assess whether this new trigger can consolidate or replace them — pay particular attention to how federated user attributes are mapped and validated, as improper handling here is a common source of privilege misassignment.

Original advisory: Customize federated sign-in with new Amazon Cognito Lambda trigger

A flaw in Anthropic’s Claude Code GitHub Action allowed an attacker to hijack public repositories simply by opening a malicious GitHub issue, requiring no authentication or special access. Because Anthropic’s own repository used the same vulnerable workflow, a successful attack could have injected malicious code into the action itself, poisoning every downstream project that consumes it. Researcher RyotaK of GMO discovered and reported the issue.

Architect’s Take: Audit any GitHub Actions workflows that trigger on untrusted events such as ‘issues’ or ‘pull_request_target’ and ensure they do not have write permissions or access to secrets without explicit trust gates. If you use Claude Code GitHub Action, verify you are pinned to a patched version and review your workflow permissions using the principle of least privilege.

Original advisory: Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

Agentic AI systems are increasingly being deployed in defence and security networks, but this introduces new attack surfaces — illustrated by reports that an unauthorised group claimed access to Anthropic’s Claude Mythos model within hours of a limited technical preview. The incident highlights that AI capabilities in high-stakes environments are only as secure as the infrastructure underpinning them. Without robust access controls, segmentation, and identity governance, agentic AI deployments can become a significant liability rather than a force multiplier.

Architect’s Take: Before onboarding any agentic AI model into sensitive or defence-adjacent environments, conduct a thorough access control review: enforce least-privilege API access, implement strict identity verification for model endpoints, and ensure AI workloads are isolated within dedicated network segments with full audit logging enabled.

Original advisory: Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It

This is a weekly threat bulletin covering a broad range of active security issues, including AI agent exploitation, command-and-control tooling, ClickFix social engineering campaigns, JavaScript backdoors, and over 20 additional threat stories. It matters because it reflects the accelerating normalisation of sophisticated attack techniques being accessible to lower-skilled threat actors, and highlights emerging risks from AI systems being leveraged in real attacks.

Architect’s Take: Use this bulletin as a prompt to review your threat model against ClickFix-style social engineering vectors and any AI agent integrations in your environment — particularly where agents have access to cloud APIs or can execute code. Ensure your JavaScript supply chain controls and browser security policies are current.

Original advisory: ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

This is a broad threat intelligence bulletin covering a range of current attack trends including malicious AI agents, command-and-control tooling, ClickFix social engineering, JavaScript backdoors, and more. It reflects the increasingly commoditised nature of offensive tooling, where even low-skilled threat actors now have access to sophisticated capabilities. The significance lies in the breadth of attack vectors being actively exploited across web, endpoint, and AI-adjacent surfaces.

Architect’s Take: Use this bulletin as a prompt to review your AI agent integrations, third-party plugin dependencies, and JavaScript supply chain controls — particularly CSP policies, SRI hashing, and egress monitoring for unexpected C2 traffic patterns.

Original advisory: ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

A China-linked threat actor, TA4922, has expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known malware families including ValleyRAT and Atlas RAT, with a rapidly evolving toolkit suggesting well-resourced, sustained operations. This represents a significant escalation in geographic scope and poses a direct threat to European enterprises.

Architect’s Take: Review and tighten email gateway controls to block phishing lures associated with TA4922, and ensure endpoint detection rules cover ValleyRAT (Winos 4.0) and Atlas RAT indicators. Consider hunting for lateral movement or C2 beaconing patterns consistent with these RAT families across cloud-hosted workloads and on-premises infrastructure.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa

A China-linked threat group, TA4922, has significantly expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known remote access trojans including ValleyRAT and Atlas RAT, with a fast-moving operational pace and an evolving malware toolkit. This matters because the expansion into European markets signals a deliberate strategic shift, increasing risk for organisations in these regions.

Architect’s Take: Review email gateway and endpoint detection rules for ValleyRAT (Winos 4.0) and Atlas RAT indicators of compromise, and ensure phishing-resistant MFA is enforced across all cloud console and SaaS access points. Consider threat intelligence feeds covering Chinese APT activity to stay ahead of this group’s rapidly evolving malware arsenal.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa

The Five Eyes intelligence alliance has issued a warning about China’s ongoing campaign to recruit Western nationals via LinkedIn and other professional networks, offering cash in exchange for state secrets and sensitive government or corporate information. The campaign targets individuals with access to classified or commercially valuable data, using social engineering tactics that have been observed for several years but appear to be intensifying. This matters because cloud engineers and architects working on government or defence-adjacent projects are plausible targets given their access to sensitive infrastructure.

Architect’s Take: Review your organisation’s social media and acceptable use policies to ensure staff understand the risks of unsolicited professional outreach, particularly from overseas contacts offering paid consulting or research opportunities. Consider adding LinkedIn-based social engineering scenarios to your security awareness training, especially for teams handling government, defence, or critical national infrastructure workloads.

Original advisory: Five Eyes: Watch out for odd LinkedIn connection requests, China’s back on the hunt for state secrets

The Five Eyes intelligence alliance has issued a warning about China’s ongoing campaign to recruit Western government employees and contractors via LinkedIn, offering cash in exchange for state secrets. The tradecraft involves seemingly innocuous connection requests that escalate into paid intelligence relationships. This is a long-running threat that intelligence officials say continues to grow in scale and sophistication.

Architect’s Take: Cloud security architects with clearances or access to sensitive government cloud environments should review their organisation’s social media policies and ensure staff handling sensitive infrastructure are briefed on LinkedIn-based social engineering. Consider implementing insider threat monitoring and reinforcing acceptable use policies around unsolicited professional contact from unknown foreign nationals.

Original advisory: Five Eyes: Watch out for odd LinkedIn connection requests, China’s back on the hunt for state secrets

A macOS malvertising campaign called Operation FlutterBridge is distributing a new backdoor, FlutterShell, through malicious Google and YouTube advertisements. The campaign is an evolution of a previously identified threat cluster (JSCoreRunner/FileRipple) first observed in late 2025. This matters because it uses trusted ad platforms to target macOS users, broadening the attack surface beyond traditional phishing vectors.

Architect’s Take: Enforce endpoint detection and response (EDR) tooling on all macOS devices, including developer and privileged-access workstations, and consider restricting or monitoring ad-network traffic at the corporate proxy or DNS layer. Review browser isolation and application allowlisting policies to limit the execution of unsigned or unnotarised binaries delivered via browser-based download prompts.

Original advisory: FlutterShell Backdoor Spreads to macOS via Malicious Google and YouTube Ads

Two former RAC employees who sold personal data belonging to car crash victims to claims management companies have been ordered to repay £118,000 under the Proceeds of Crime Act, following earlier sentences of imprisonment and community service. The pair exploited their privileged access to customer data for financial gain, representing a textbook insider threat and data protection failure. The case underscores the real-world financial and legal consequences of misusing access to sensitive personal data.

Architect’s Take: Review and tighten data access controls for employees handling sensitive personal information — implement least-privilege access, robust audit logging, and anomaly detection to identify unusual data exports or queries, particularly in systems holding customer PII.

Original advisory: Duo who sold car crash victims’ data must repay £118k

Two former RAC employees who unlawfully accessed and sold personal data belonging to car crash victims have been ordered to repay £118,000 under the Proceeds of Crime Act, following earlier sentences of imprisonment and community service. The pair exploited their privileged access to customer data systems to pass information to claims management companies. The case highlights the ongoing risk of insider threats and the serious financial consequences now being pursued by regulators and prosecutors.

Architect’s Take: Review and tighten data access controls for staff handling sensitive personal data — implement least-privilege access, robust audit logging, and anomaly detection to identify unusual data exports or queries, particularly in systems holding customer contact or incident data.

Original advisory: Duo who sold car crash victims’ data must repay £118k

Attackers are exploiting Meta’s AI support chatbot to hijack Instagram accounts by tricking the bot into adding a hacker-controlled email address and issuing a password reset. The attack requires no prior account access and bypasses Instagram’s automated protections using a VPN to spoof the victim’s location. This demonstrates a critical flaw in how AI-powered support systems validate identity before performing sensitive account actions.

Architect’s Take: Organisations deploying AI chatbots for customer support or account management must enforce out-of-band identity verification for any privileged actions — such as adding credentials or triggering resets — and ensure the AI cannot be the sole authorisation path for account takeover-enabling operations. Review your own AI assistant integrations for similar trust boundary weaknesses where bot-initiated actions bypass human or MFA controls.

Original advisory: Hacking Meta’s AI Chatbot

Attackers are exploiting Meta’s AI support chatbot to hijack Instagram accounts by social-engineering the bot into adding a hacker-controlled email address and triggering a password reset. The attack requires no technical vulnerability in the traditional sense — the AI simply complies with the request after a verification code exchange. This highlights a significant trust and authorisation flaw in how Meta’s AI assistant handles account management actions on behalf of unauthenticated parties.

Architect’s Take: Treat AI-powered support agents as a privileged access vector and apply the same controls you would to any account recovery flow — ensure they cannot perform account modifications without verified, out-of-band identity confirmation tied to the existing account owner, not the requester.

Original advisory: Hacking Meta’s AI Chatbot

Attackers have built convincing fake websites impersonating popular open-source and freeware tools, engineering them to rank highly in Google search results. Visitors are silently routed through a Traffic Distribution System (TDS) that profiles them before delivering tailored malware, including credential stealers and session hijacking frameworks. The campaign is notable for its scale and the quality of the spoofed sites, making it easy for developers and engineers to be deceived.

Architect’s Take: Enforce approved software procurement channels and block unapproved download sources at the network or endpoint level. Mandate that developers and engineers source open-source tooling exclusively from verified repositories such as official GitHub pages or package managers, and consider deploying DNS filtering to flag newly registered or lookalike domains.

Original advisory: Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Attackers have created convincing fake websites impersonating popular open-source tools, optimising them to rank highly on Google search results. Visitors are silently routed through a Traffic Distribution System (TDS) that delivers malware including credential stealers and session hijacking frameworks. This is a supply chain-adjacent threat targeting developers and technical users who search for and download software directly from the web.

Architect’s Take: Enforce organisational policies requiring software to be sourced only from verified package managers (npm, PyPI, etc.) or official repositories, and block direct binary downloads from unvetted sites via web proxy or CASB controls. Consider adding developer workstations to your threat model and ensure EDR coverage extends to engineering endpoints.

Original advisory: Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS

Unknown threat actors maintained covert access to a senior stock exchange executive’s Outlook mailbox for at least five months, quietly exfiltrating email data in small batches to evade detection. The stolen data was routed through legitimate cloud storage services — Dropbox and OneDrive — to blend with normal business traffic. Symantec and Carbon Black attribute the campaign to espionage, suggesting a nation-state or sophisticated threat actor targeting financial sector intelligence.

Architect’s Take: Review Microsoft 365 audit logs and Conditional Access policies for unusual mailbox delegation, mail forwarding rules, or OAuth app consents — particularly any third-party app with access to Mail.Read scopes. Implement Cloud App Security (Defender for Cloud Apps) policies to alert on bulk email access or large data transfers to consumer cloud storage services such as Dropbox and OneDrive.

Original advisory: Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

Unknown threat actors maintained covert access to a senior stock exchange executive’s Microsoft Outlook mailbox for at least five months, systematically exfiltrating email data in small batches to avoid detection. The stolen data was routed through Dropbox and OneDrive to blend with legitimate cloud traffic, making it harder for security tools to flag the activity. The campaign bears the hallmarks of a state-sponsored or sophisticated espionage operation targeting high-value financial intelligence.

Architect’s Take: Review Microsoft 365 audit logs and Defender for Cloud Apps policies for anomalous mail export activity, particularly incremental inbox syncs or delegated access from unfamiliar locations — and enforce conditional access policies that restrict OAuth app permissions for third-party cloud storage providers such as Dropbox and OneDrive to prevent data staging and exfiltration via trusted cloud channels.

Original advisory: Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months

CVE-2026-9149 is a heap buffer overflow vulnerability in libsolv, an open-source dependency resolver library used in Linux package management. The flaw can be triggered by a specially crafted .solv file that supplies a negative maxsize value, causing memory corruption in the repo_add_solv function. This matters because libsolv is widely used in Linux-based environments, including Azure workloads, and memory corruption bugs of this nature can potentially lead to arbitrary code execution.

Architect’s Take: Identify any Azure-hosted Linux workloads, containers, or pipelines that use libsolv or package managers dependent on it (such as zypper or libdnf), and prioritise patching to the fixed version. Additionally, restrict the ingestion of untrusted .solv files within your build and dependency management pipelines to reduce attack surface.

Original advisory: CVE-2026-9149 Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted .solv file

CVE-2026-9150 is a stack-based buffer overflow vulnerability in libsolv, an open-source dependency resolution library, specifically within its Debian metadata parser when processing SHA-384 or SHA-512 checksums. An attacker who can supply malicious package metadata could potentially trigger the overflow to execute arbitrary code or crash affected services. This vulnerability is relevant to Azure environments that rely on libsolv for package management operations, such as those running Linux-based workloads or services that consume package repositories.

Architect’s Take: Identify any Azure Linux VMs, container images, or managed services (such as Azure Kubernetes Service nodes) that use libsolv for dependency resolution, and prioritise patching to the remediated version. In the interim, consider restricting access to untrusted or external package repositories to reduce exposure.

Original advisory: CVE-2026-9150 Libsolv: stack-based buffer overflow in libsolv’s debian metadata parser when handling sha384/sha512 checksums

CVE-2026-46598 is a vulnerability in the Go standard library package golang.org/x/crypto/ssh/agent, where supplying malformed or pathological inputs can cause a client application to panic and crash. This affects any service or tooling built with this SSH agent library, including Azure-hosted workloads that rely on Go-based SSH clients. The practical risk is denial of service, where an attacker able to send crafted SSH agent messages can bring down affected processes.

Architect’s Take: Audit your Azure workloads and internal tooling for any Go applications using golang.org/x/crypto/ssh/agent and update the dependency to a patched version immediately; pay particular attention to internet-facing SSH automation, CI/CD pipelines, and bastion host tooling where untrusted input could reach the SSH agent.

Original advisory: CVE-2026-46598 Invoking pathological inputs can lead to client panic in golang.org/x/crypto/ssh/agent

CVE-2026-27136 is a Cross-Site Scripting (XSS) vulnerability in the Go standard library package golang.org/x/net/html, triggered by invoking duplicate HTML attributes during parsing. An attacker able to influence HTML content processed by an affected Go application could inject malicious scripts into users’ browsers. This is particularly relevant to cloud-hosted Go applications and services built on Azure that rely on this library for HTML handling.

Architect’s Take: Audit your Azure-hosted Go applications and container images for use of golang.org/x/net/html and update to the patched version immediately; also review your software composition analysis (SCA) tooling to ensure this transitive dependency is flagged across all pipelines.

Original advisory: CVE-2026-27136 Invoking duplicate attributes can cause XSS in golang.org/x/net/html

CVE-2026-42506 is a vulnerability in the golang.org/x/net/html package where namespaced elements in foreign content (such as SVG or MathML within HTML) are handled incorrectly, potentially allowing malformed input to bypass parsing expectations. This could be exploited to conduct cross-site scripting (XSS) or HTML injection attacks in applications that rely on this Go library for HTML parsing or sanitisation. It is particularly relevant to Azure-hosted Go applications and services that process user-supplied HTML content.

Architect’s Take: Audit your Azure workloads and container images for any Go applications using golang.org/x/net/html and update to the patched version of the package immediately. Pay particular attention to services that parse or sanitise untrusted HTML input, as these are at greatest risk of exploitation.

Original advisory: CVE-2026-42506 Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html

CVE-2026-25681 is a vulnerability in the Go standard library package golang.org/x/net/html, where character references within DOCTYPE nodes are handled incorrectly. This can lead to unexpected parsing behaviour that may be exploited to bypass security controls or cause application-level issues in services built with Go. It is relevant to Azure and any cloud-hosted workload using this widely adopted Go HTML parsing library.

Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version as soon as it is available. Pay particular attention to services that parse untrusted HTML input, as these carry the highest exploitation risk.

Original advisory: CVE-2026-25681 Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html

A memory leak vulnerability in the Go standard library’s SSH package (golang.org/x/crypto/ssh) can be triggered when SSH channels are rejected, potentially allowing an attacker to exhaust server memory and cause a Denial of Service. This affects any service or application built with the affected Go crypto library, including Azure-hosted workloads. Because SSH is a foundational protocol for remote access and automation, the blast radius across cloud infrastructure can be significant.

Architect’s Take: Audit your Azure workloads and internal tooling for services built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to any internet-facing SSH endpoints or Go-based automation pipelines, and consider rate-limiting or connection throttling as a short-term mitigation.

Original advisory: CVE-2026-39827 Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh

CVE-2026-39835 is a vulnerability in the Go standard cryptography library (golang.org/x/crypto/ssh) that allows a remote attacker to trigger a server panic — effectively crashing the SSH server — during the host key check or authentication phase. This is a denial-of-service risk affecting any service or application built with this Go SSH package, including components deployed on Azure. It matters because a crash during authentication can be exploited without valid credentials, making it trivially weaponisable.

Architect’s Take: Audit your Azure workloads and internal tooling for applications built with golang.org/x/crypto/ssh and prioritise patching to a fixed version of the library. Pay particular attention to Go-based microservices, infrastructure tooling, and any Azure-hosted SSH gateways or bastion services that may use this package.

Original advisory: CVE-2026-39835 Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh

CVE-2026-25680 is a denial-of-service vulnerability in the golang.org/x/net/html package, which is widely used by Go applications to parse HTML. An attacker can trigger the flaw by supplying specially crafted HTML input, causing the parser to consume excessive resources and crash or become unresponsive. Any Azure-hosted or Azure-integrated Go application that processes untrusted HTML content may be at risk.

Architect’s Take: Audit your Go-based workloads and container images for dependencies on golang.org/x/net and update to the patched version immediately; pay particular attention to internet-facing services that accept user-supplied or third-party HTML input, as these are the most directly exposed.

Original advisory: CVE-2026-25680 Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html

CVE-2026-42502 is a vulnerability in the golang.org/x/net/html package affecting how HTML elements in foreign content (such as SVG or MathML) are handled. Incorrect parsing behaviour could potentially be exploited to bypass security controls or cause unintended application behaviour in Go-based services. This is relevant to Azure workloads and any cloud-hosted applications built with Go that rely on this HTML parsing library.

Architect’s Take: Audit your Azure-hosted Go applications and container images for dependencies on golang.org/x/net/html and update to the patched version immediately. Pay particular attention to services that parse or render user-supplied HTML, as these carry the highest risk of exploitation.

Original advisory: CVE-2026-42502 Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html

CVE-2026-39828 is a vulnerability in the golang.org/x/crypto/ssh package that allows an attacker to bypass certificate-based restrictions in SSH connections. This could permit unauthorised access to systems that rely on SSH certificate validation as a security control. Services and applications built on Go that use this library for SSH communication — including Azure-hosted workloads — may be affected.

Architect’s Take: Audit any Go-based services deployed in your Azure environment that use golang.org/x/crypto/ssh for SSH connectivity, and update to the patched version of the library as soon as it is available. Pay particular attention to internal tooling, CI/CD pipelines, and infrastructure automation that may authenticate via SSH certificates.

Original advisory: CVE-2026-39828 Invoking bypass of certificate restrictions in golang.org/x/crypto/ssh

A buffer over-read vulnerability in Postfix mail transfer agent (versions before 3.8.16, 3.9.10, and 3.10.9) can cause the process to crash when it encounters a malformed enhanced status code missing text after the third numeric segment. This is a denial-of-service risk affecting any system running a vulnerable Postfix version, including those used within Azure-hosted infrastructure. While the vulnerability does not appear to allow remote code execution, an attacker able to deliver a crafted response could disrupt mail delivery services.

Architect’s Take: Audit any Azure VMs, container workloads, or custom email relay infrastructure running Postfix and patch to 3.8.16, 3.9.10, or 3.10.9 as appropriate. If Postfix is deployed as part of a managed email gateway or relay tier, prioritise patching and review whether network-level controls can limit exposure to untrusted SMTP peers in the interim.

Original advisory: CVE-2026-43964 Postfix before 3.8.16, 3.9 before 3.9.10, and 3.10 before 3.10.9 sometimes allows a buffer over-read and process crash via an enhanced status code that lacks text after the third number.

CVE-2026-41140 is a path traversal vulnerability in Poetry, a Python dependency management tool, affecting Python versions 3.10.0–3.10.12 and 3.11.0–3.11.4. The flaw occurs during tar archive extraction, potentially allowing a malicious package to write files outside the intended directory. This could lead to arbitrary file overwrite or code execution on systems that process untrusted Python packages.

Architect’s Take: Audit any Azure-hosted pipelines or build environments using Poetry with the affected Python versions and upgrade to patched releases immediately. Pay particular attention to CI/CD systems that install dependencies from external or untrusted sources, as these represent the highest-risk attack surface.

Original advisory: CVE-2026-41140 Poetry: Path traversal in tar extraction on Python 3.10.0 - 3.10.12 and 3.11.0 - 3.11.4

A vulnerability in OpenSSH versions before 10.3 (CVE-2026-35414) means the authorised_keys principals option is not handled correctly in certain edge cases where a principals list is combined with a Certificate Authority that uses comma characters in specific ways. This could allow unintended principals to authenticate, potentially granting unauthorised SSH access to affected systems. The issue is particularly relevant to cloud environments where certificate-based SSH authentication is used at scale.

Architect’s Take: Audit your SSH certificate infrastructure to identify any Certificate Authorities or authorised_keys configurations that use comma characters within principals lists, and prioritise upgrading OpenSSH to 10.3 or later across all Azure VMs and jump hosts. Consider enforcing certificate-based SSH access policies via Azure Policy to ensure patched versions are consistently deployed.

Original advisory: CVE-2026-35414 OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

CVE-2025-1149 is a memory leak vulnerability in the GNU Binutils linker tool (ld), specifically within the xstrdup function in xmalloc.c. While memory leaks can cause service instability or denial of service, this issue has been flagged by Microsoft in the context of Azure, suggesting relevance to workloads or toolchains running on Azure infrastructure. The practical security impact is generally low unless an attacker can trigger repeated allocations to exhaust memory resources.

Architect’s Take: Review whether your Azure-hosted build pipelines or developer toolchains use a vulnerable version of GNU Binutils and apply updated packages from your Linux distribution vendor; this is unlikely to be a critical priority but should be included in routine patching cycles for affected systems.

Original advisory: CVE-2025-1149 GNU Binutils ld xmalloc.c xstrdup memory leak

Researchers have demonstrated that freely available open source AI models are sufficient to build self-spreading computer worms capable of exploiting known vulnerabilities at scale across enterprise networks — no expensive or specialised AI tools required. The study shows attackers no longer need cutting-edge proprietary models to automate vulnerability exploitation, dramatically lowering the barrier to entry for large-scale attacks. This represents a meaningful shift in the threat landscape, where mass exploitation of known but unpatched vulnerabilities becomes significantly cheaper and faster to operationalise.

Architect’s Take: Prioritise rapid patching cadence and automated vulnerability remediation pipelines — the research confirms that the window between public vulnerability disclosure and weaponised exploitation is shrinking fast. Review your network segmentation controls and lateral movement detection capabilities to limit the blast radius of any self-propagating worm that gains an initial foothold.

Original advisory: Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine

The US Department of Justice ran a coordinated ‘Disruption Week’ operation from May 2026 targeting Southeast Asian criminal networks running cryptocurrency and cyber-enabled fraud schemes against American victims. The action involved both government agencies and private sector partners, resulting in the takedown of millions of fraudulent social media, email, and internet accounts, and the freezing of $3.8 million in assets. These operations are typically linked to pig butchering and romance scam networks, which increasingly exploit cloud-hosted infrastructure and social engineering at scale.

Architect’s Take: Review your organisation’s cloud egress controls and user awareness posture around unsolicited crypto investment opportunities, as these networks actively target employees and high-value individuals. Consider integrating threat intelligence feeds covering known fraud infrastructure into your SIEM to detect communications with associated domains and IPs.

Original advisory: DoJ Disrupts Southeast Asia Crypto Fraud Networks, Freezes $3.8 Million in Assets

Passwords were found stored in plaintext within Active Directory user and computer description fields, making them trivially accessible to any authenticated user on the network. Because AD description fields are readable by all domain users by default, a low-privilege attacker or compromised account could harvest credentials at scale with a simple LDAP query. This represents a significant credential exposure risk in any hybrid or cloud-connected environment where AD is the identity backbone.

Architect’s Take: Audit your Active Directory environment immediately for plaintext credentials in description fields using tools such as BloodHound or a targeted LDAP query, and enforce a policy prohibiting sensitive data in AD attributes. In Azure AD/Entra ID hybrid environments, also check synced attributes to ensure no plaintext secrets have been replicated to the cloud directory.

Original advisory: All the passwords were stored in Active Directory description fields

Commvault is urging organisations to fundamentally reassess their cyber resilience strategies as AI-powered attackers increasingly target backup and recovery infrastructure, leaving victims unable to restore operations. The concern is that traditional backup plans are insufficient if they are not regularly tested and hardened against modern threat actors who specifically seek to neutralise recovery capabilities. This matters because the failure point is no longer just data loss — it is the complete inability to recover.

Architect’s Take: Conduct immutable backup validation and regular recovery rehearsals in isolated environments; ensure your backup control plane and admin credentials are air-gapped or protected by separate identity controls from your primary estate to prevent attackers from disabling recovery options before deploying ransomware.

Original advisory: Commvault says it’s time to rethink resiliency as AI crooks leave victims in a ‘dark, dead’ state

Commvault is urging organisations to fundamentally rethink their resilience strategies as AI-powered attackers increasingly target backup and recovery infrastructure, leaving victims unable to recover. The warning highlights that traditional backup plans are insufficient if they are not regularly tested under realistic attack conditions. As ransomware operators and AI-assisted threat actors specifically seek out and corrupt backup systems, untested recovery capabilities offer a false sense of security.

Architect’s Take: Conduct adversarial recovery testing — specifically simulate scenarios where backup infrastructure is compromised or unavailable — and ensure immutable, air-gapped backup copies exist outside the blast radius of your primary cloud environment. Review your recovery time objectives against actual tested recovery performance, not theoretical estimates.

Original advisory: Commvault says it’s time to rethink resiliency as AI crooks leave victims in a ‘dark, dead’ state

AWS IoT Device Management has enhanced its connectivity status API to include detailed MQTT session data, such as session timeout and expiry values, plus optional socket-level details including IP addresses, ports, and VPC endpoint IDs. Unlike the IoT Core GetConnection API, which only retains data for 30 minutes post-disconnect, this API stores connection history indefinitely. This is useful for security auditing, forensic investigation of disconnect events, and monitoring connection patterns across large IoT fleets.

Architect’s Take: Review and tighten IAM policies controlling access to the new socket-level details (source/destination IPs, ports, VPC endpoint IDs), as this data could aid lateral movement reconnaissance if exposed to over-privileged roles. Use the indefinite data retention capability to feed IoT connectivity logs into your SIEM for anomaly detection and post-incident forensics.

Original advisory: AWS IoT Device Management adds MQTT session data to connectivity status API

AWS IoT Device Management has enhanced its connectivity status API to include detailed MQTT session data, such as session timeout and expiry values, plus optional socket-level details including IP addresses, ports, and VPC endpoint IDs. Unlike the AWS IoT Core GetConnection API, which only retains data for 30 minutes post-disconnect, this API stores connection history indefinitely, improving long-term auditability. Access to sensitive socket-level information is controlled via IAM policies, allowing organisations to limit visibility to authorised teams.

Architect’s Take: Review and tighten IAM policies governing access to the connectivity status API, particularly the socket-level data permissions, to ensure only operations and security teams have visibility into source/destination IPs and VPC endpoint IDs. Additionally, consider integrating the indefinite data retention capability into your IoT incident response and audit workflows to leverage historical disconnect data for forensic investigations.

Original advisory: AWS IoT Device Management adds MQTT session data to connectivity status API

Researchers at Rice University have demonstrated that curving radio beams can defeat anti-jamming systems by making it difficult to pinpoint the true origin of a jamming signal. Traditional anti-jamming defences rely on locating and neutralising the source of interference, but bent beams confound that localisation process. This has significant implications for secure wireless communications, including satellite links and GPS systems that underpin cloud and critical infrastructure connectivity.

Architect’s Take: Cloud architects relying on satellite uplinks, GPS-dependent services, or wireless backhaul should review their signal redundancy and failover strategies, as physical-layer jamming attacks may become harder to detect and mitigate at the source. Consider layering application-level integrity checks and network path diversity rather than assuming radio anti-jamming controls will hold.

Original advisory: Bend the beam like Beckham to defeat anti-jamming tech

Researchers at Rice University have demonstrated that curving or bending radio beams can defeat anti-jamming systems that rely on locating the source of interference. Because the signal no longer travels in a straight line, direction-finding techniques used to identify and counter jammers become ineffective. This has implications for any wireless communication infrastructure, including those supporting cloud-connected IoT, satellite links, and enterprise wireless networks.

Architect’s Take: Cloud architects relying on wireless backhaul, satellite connectivity, or IoT sensor networks should review their signal resilience strategy — consider whether your anti-jamming or interference-detection controls assume line-of-sight propagation, and engage your network security team to assess whether alternative detection methods (e.g. signal fingerprinting or multi-point triangulation) are in scope.

Original advisory: Bend the beam like Beckham to defeat anti-jamming tech

AWS Step Functions now integrates with Amazon Bedrock AgentCore (currently in preview) to allow AI agent reasoning steps — such as document classification and data extraction — to be embedded directly into automated workflows. This enables multiple agents to run in parallel or sequence within a single workflow, with human approval gates and full audit trails via CloudWatch. For security teams, this introduces AI-driven decision-making into business-critical automation pipelines, expanding the attack surface and governance considerations.

Architect’s Take: Review IAM permissions granted to Step Functions execution roles that invoke AgentCore harnesses, ensuring least-privilege access and that per-invocation model/prompt overrides cannot be manipulated by untrusted inputs. Establish logging and alerting on CloudWatch agent turn details from day one, and apply human approval steps before any agent action with write or destructive permissions.

Original advisory: AWS Step Functions adds AgentCore-powered agentic reasoning step

AWS Step Functions now integrates with Amazon Bedrock AgentCore (currently in preview) to allow AI agent reasoning steps within automated workflows. This enables teams to embed LLM-based tasks such as document classification and data extraction directly into orchestrated pipelines, with parallel execution and human approval gates. Audit trails are available via CloudWatch, capturing agent inputs, outputs, and token usage.

Architect’s Take: Review IAM permissions granted to Step Functions execution roles that invoke AgentCore harnesses — ensure least-privilege policies are applied, particularly around model invocation and tool access. Treat human approval steps as a mandatory control for any agentic action with write or destructive scope, and validate that CloudWatch audit logging is enabled before promoting any AgentCore-integrated workflow to production.

Original advisory: AWS Step Functions adds AgentCore-powered agentic reasoning step

OpenAI’s GPT-5.4 model is now generally available on Amazon Bedrock within AWS GovCloud (US-West), extending access to government and regulated-industry customers. The deployment leverages Bedrock’s isolated inference infrastructure, ensuring prompts and responses remain within the customer’s AWS environment and are not used for model training. This expands the options available for sensitive workloads requiring complex reasoning and document analysis under strict compliance controls.

Architect’s Take: Evaluate data residency and access control policies before enabling GPT-5.4 for sensitive workloads — confirm that Bedrock resource policies, VPC endpoints, and CloudTrail logging are configured to meet your organisation’s compliance requirements, particularly if handling OFFICIAL-SENSITIVE or equivalent data in GovCloud.

Original advisory: OpenAI GPT-5.4 generally available on Amazon Bedrock in AWS GovCloud (US-West)

A vulnerability in Google Gemini’s Android integration allowed malicious content embedded in notifications from apps such as WhatsApp, Slack, Signal, and SMS to hijack the AI assistant without requiring any installed malware. An attacker could craft a poisoned notification that caused Gemini to open browser windows, impersonate contacts, initiate calls, or corrupt the assistant’s long-term memory. This is a prompt injection attack exploiting the trust Gemini places in notification content it processes.

Architect’s Take: Organisations deploying Android devices with Gemini enabled should review mobile device management (MDM) policies to restrict AI assistant access to sensitive notification streams, and treat AI assistants as untrusted data processors when designing data-handling workflows. Raise awareness with security teams about prompt injection as a realistic attack vector on enterprise mobile estates.

Original advisory: WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

A prompt injection vulnerability in Google Gemini on Android allowed hostile content embedded in notifications from apps such as WhatsApp, Slack, Signal, and SMS to hijack the AI assistant without requiring any malicious app to be installed. An attacker could craft a poisoned message or notification that caused Gemini to perform unauthorised actions — including impersonating contacts, initiating calls, or corrupting its long-term memory. The attack required no user interaction beyond the assistant processing the notification, making it particularly dangerous for enterprise users relying on AI-assisted workflows.

Architect’s Take: Review your organisation’s mobile device management (MDM) policies to restrict or audit Gemini’s access to third-party app notifications, particularly on corporate Android devices. Until Google confirms a fully patched release, consider disabling Gemini’s notification-reading capabilities via app permissions and assess whether AI assistant integrations meet your acceptable risk threshold for enterprise use.

Original advisory: WhatsApp, Slack Notifications Could Hijack Google Gemini on Android

A one-click attack targeting GitHub.dev, the browser-based VS Code environment, allows an attacker to steal a victim’s GitHub OAuth token simply by having them click a crafted link. The stolen token grants full read and write access to both public and private repositories. This is particularly dangerous because it requires no malware installation and exploits a legitimate GitHub feature.

Architect’s Take: Audit OAuth token scopes granted to GitHub.dev within your organisation and consider enforcing fine-grained personal access tokens with minimal repository permissions instead of broad OAuth tokens. Ensure developer awareness training covers the risk of clicking unsolicited GitHub.dev links, and review whether your GitHub organisation policies can restrict OAuth app access.

Original advisory: One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

A one-click attack targeting Microsoft VS Code’s GitHub.dev feature allows an attacker to steal a victim’s GitHub OAuth token simply by tricking them into clicking a crafted link. The stolen token grants read and write access to all repositories the victim can access, including private ones. This poses a significant supply chain risk, as compromised tokens could be used to inject malicious code into codebases.

Architect’s Take: Enforce short-lived, scoped OAuth tokens across your organisation and audit any GitHub Apps or integrations permitted in VS Code. Consider restricting or monitoring use of GitHub.dev in your developer environment policy, and enable GitHub token scanning and push protection to limit the blast radius of any token compromise.

Original advisory: One-Click GitHub Dev Attack Lets Attackers Steal Full GitHub OAuth Tokens

AWS has added three new execution blocks to Amazon Application Recovery Controller (ARC) Region switch, automating database scaling and failover for Aurora (serverless and provisioned) and Neptune global databases during multi-region failover events. Previously, teams had to manually right-size secondary clusters under incident pressure, adding critical minutes to recovery time. These new blocks remove that manual step, reducing recovery time and human error during regional outages.

Architect’s Take: Review your existing ARC Region switch plans and incorporate the new Aurora and Neptune execution blocks to eliminate manual scaling steps from your runbooks. This is particularly relevant if you run active-passive Aurora global database configurations with scaled-down secondary clusters, as automating right-sizing directly reduces your effective RTO.

Original advisory: ARC Region switch adds Amazon Aurora scaling and Amazon Neptune global database failover

AWS has added three new execution blocks to Amazon Application Recovery Controller (ARC) Region switch, automating database scaling and failover for Aurora (serverless and provisioned) and Neptune global databases during multi-region failover events. Previously, engineers had to manually right-size secondary clusters under incident pressure, adding precious minutes to recovery time. These new blocks remove that manual step, reducing recovery time and human error during outages.

Architect’s Take: Review your existing ARC Region switch runbooks and integrate the new Aurora and Neptune execution blocks to eliminate manual scaling steps from your recovery plans. This is particularly important if you run active-passive Aurora global database configurations with scaled-down secondaries, as automating right-sizing directly reduces your practical RTO and the risk of operator error during a live incident.

Original advisory: ARC Region switch adds Amazon Aurora scaling and Amazon Neptune global database failover

A critical remote code execution vulnerability (CVE-2026-23479) in Redis, introduced in version 7.2.0 over two years ago, has been patched following discovery by an autonomous AI-powered bug-hunting tool. The flaw is a use-after-free bug in Redis’s blocking-client handling code, allowing any authenticated user to execute arbitrary operating system commands on the host server. This is significant because Redis is widely deployed across cloud environments as a caching and data store layer, meaning exposure could lead to full host compromise.

Architect’s Take: Prioritise patching all Redis instances to the May 5 fixed release immediately, paying particular attention to managed Redis services (AWS ElastiCache, Azure Cache for Redis, GCP Memorystore) and self-hosted deployments — check with your vendors for patch availability. In the interim, enforce network segmentation and strict authentication controls to limit which services and users can reach Redis endpoints, reducing the authenticated-user attack surface.

Original advisory: Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

A use-after-free vulnerability in Redis (CVE-2026-23479) allows an authenticated user to execute arbitrary operating system commands on the host machine. Present in every stable Redis branch since version 7.2.0, the flaw went undetected for over two years before being discovered by an autonomous AI-powered code analysis tool. Because Redis is widely deployed as a caching and session layer in cloud environments, successful exploitation could lead to full host compromise.

Architect’s Take: Patch Redis to the May 5 release immediately across all environments — prioritise internet-adjacent or multi-tenant deployments. In the interim, enforce strict network segmentation so that only authorised application services can reach Redis, and audit whether any Redis instances permit external or untrusted client authentication.

Original advisory: Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

CISA has added CVE-2026-45247, a critical remote code execution vulnerability in the Mirasvit Cache Warmer Magento extension, to its Known Exploited Vulnerabilities catalogue following confirmed active exploitation. The flaw, scoring 9.8 on the CVSS scale, stems from insecure deserialisation of untrusted data, allowing an attacker to execute arbitrary code on affected systems. Any organisation running this extension on their Magento e-commerce platform should treat this as an urgent remediation priority.

Architect’s Take: Audit your Magento deployments immediately for the Mirasvit Cache Warmer extension and apply the vendor patch or remove the extension if no patch is available. Given active exploitation, also review web application firewall rules and inspect recent server logs for anomalous deserialisation payloads or unexpected outbound connections.

Original advisory: CISA Adds Exploited Magento RCE Flaw CVE-2026-45247 to KEV Catalog

Attackers are exploiting Google’s DoubleClick ad-serving domain as a redirect hop in malicious email campaigns, using its trusted reputation to bypass security filters before delivering the DesckVB remote access trojan. Because many email and web security tools whitelist or deprioritise scrutiny of well-known Google-owned domains, the technique significantly increases the likelihood of successful delivery. Once installed, a RAT gives attackers persistent remote control over the victim’s machine.

Architect’s Take: Review your email and web proxy security policies to ensure that redirects through trusted domains — including Google-owned properties like DoubleClick — are still subject to full URL chain inspection and sandbox detonation. Consider enforcing policies that follow and evaluate the final destination URL rather than trusting the initial domain at face value.

Original advisory: Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT

Attackers are exploiting Google’s DoubleClick ad-serving domain as a redirect layer in malicious spam emails, using its trusted reputation to bypass security filtering tools before routing victims to attacker-controlled infrastructure that delivers the DesckVB remote access trojan. Because DoubleClick is a widely trusted Google domain, many email and web security products will not flag the initial link as suspicious. This technique is a growing trend of abusing legitimate cloud services to obscure the early stages of an attack chain.

Architect’s Take: Review your email and web proxy security controls to ensure they inspect the full redirect chain rather than trusting links solely based on the root domain — allowlisting DoubleClick or similar Google domains without inspecting downstream redirects creates a blind spot. Consider enforcing URL rewriting and sandboxed link-following in your email security gateway, and ensure endpoint detection controls are tuned to flag RAT behaviour post-delivery.

Original advisory: Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT

Amazon SageMaker Unified Studio has added localisation support for twelve languages, allowing the interface to display in the user’s preferred language based on browser settings or manual selection. This is a usability enhancement with no direct security implications. It is available across all AWS regions where SageMaker Unified Studio is supported.

Architect’s Take: No security action is required for this update. Architects should note that language localisation does not affect IAM permissions, domain configurations, or access controls — existing governance and access policies remain unchanged.

Original advisory: Amazon SageMaker Unified Studio now supports a localized experience in twelve languages

AWS Config has added support for nine new resource types spanning Amazon Bedrock, Bedrock AgentCore, and SageMaker. This means organisations can now track, audit, and enforce compliance rules against these resources automatically if they have enabled recording for all resource types. The expansion is particularly relevant as AI/ML workloads become a growing part of enterprise cloud environments.

Architect’s Take: Review your AWS Config recording settings to confirm these new resource types are being captured, and consider authoring or adapting Config rules to enforce security baselines — such as network isolation, encryption, and access controls — for the newly supported Bedrock and SageMaker resources before they proliferate across your environment.

Original advisory: AWS Config now supports 9 new resource types

Amazon ECS Managed Instances now supports AWS Trainium and Inferentia AI accelerator instance types, allowing teams to run ML training and inference workloads without managing the underlying EC2 infrastructure. A single task per instance is automatically allocated all accelerator resources via a NEURON_CORE configuration in the task definition. This is a feature release rather than a security event, though it expands the attack surface for ECS-based AI workloads.

Architect’s Take: Review IAM task roles and ECS task definitions for any new Trainium or Inferentia capacity providers to ensure least-privilege access; single-task-per-instance placement reduces noisy-neighbour risk but means a compromised container has full access to all Neuron cores, so container isolation and image provenance controls are critical.

Original advisory: Amazon ECS Managed Instances now supports AWS Trainium and AWS Inferentia

This is a webinar announcement featuring HD Moore, creator of Metasploit, focused on network exposure and attack surface visibility rather than reactive patching. The core argument is that with zero-days arriving faster than patches and AI accelerating exploit development, organisations must shift focus to limiting what an attacker can reach once inside. It matters because it reframes security strategy around blast radius reduction rather than the increasingly futile race to patch everything in time.

Architect’s Take: Use this as a prompt to audit your cloud network segmentation and lateral movement paths — map which workloads can reach critical data stores or control planes, and enforce least-privilege network policies (e.g. security groups, VPC firewall rules, micro-segmentation) so a compromised instance has minimal onward reach.

Original advisory: Beyond the Zero-Day: See Your Network Like an Attacker | Webinar with HD Moore

This is a webinar featuring HD Moore, creator of Metasploit, focused on shifting security strategy away from reactive patching and towards understanding network exposure and attack paths. The core argument is that zero-days and AI-generated exploits make ‘patch everything in time’ an unrealistic goal. What matters more is controlling what an attacker can reach once they’re inside — a principle of blast radius reduction.

Architect’s Take: Use this as a prompt to audit your network segmentation and lateral movement paths in cloud environments — map east-west traffic flows, review VPC peering and transit gateway configurations, and validate that microsegmentation or zero-trust controls are actually limiting what a compromised workload can reach.

Original advisory: Beyond the Zero-Day: See Your Network Like an Attacker | Webinar with HD Moore

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled a security check that restricts account token sharing to trusted Microsoft applications. As a result, any app installed on the same Android device could silently request and receive the signed-in user’s authentication token, granting full access to email, files, calendar, and the ability to send messages on their behalf. No user interaction, credentials, or elevated permissions were required to exploit this.

Architect’s Take: Audit your mobile application management (MAM) and Conditional Access policies to ensure app-based controls are enforced at the resource level and are not solely reliant on client-side token handling. Until Microsoft confirms a fully patched build is deployed, consider enforcing Continuous Access Evaluation (CAE) and restricting M365 access on Android to Intune-managed devices with compliant app versions.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

A debug flag accidentally left enabled in production builds of multiple Microsoft 365 Android apps disabled the trust check that normally restricts account-token sharing to authorised Microsoft applications. As a result, any app installed on the same Android device could silently request and receive a valid authentication token, granting full access to the victim’s email, files, calendar, and messaging without any user interaction or additional permissions. The flaw affects any user running a vulnerable Microsoft 365 Android app while also having a malicious or compromised app on the same device.

Architect’s Take: Mandate immediate updates to all affected Microsoft 365 Android apps across your managed device estate via your MDM/UEM solution, and review Conditional Access policies to detect anomalous token usage or unexpected app sign-ins. Consider temporarily blocking unmanaged Android devices from accessing Microsoft 365 resources until patched app versions are confirmed deployed.

Original advisory: Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag

A security researcher has publicly leaked Microsoft exploit code in protest at how the company handles vulnerability disclosures, following a similar incident by a researcher known as Nightmare Eclipse. The move bypasses responsible disclosure norms, meaning working exploits are now publicly available before Microsoft has necessarily issued patches. This significantly raises the risk for organisations running unpatched Microsoft and Azure environments.

Architect’s Take: Review your Microsoft and Azure patch status immediately and prioritise any outstanding security updates — publicly available exploit code dramatically shortens the window between disclosure and active exploitation. Ensure your vulnerability management process includes alerting on zero-day and pre-patch public exploit releases, not just CVE publication.

Original advisory: Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures

A security researcher has publicly leaked Microsoft exploit code in protest at how the company handles vulnerability disclosures, following a similar incident by a researcher known as Nightmare Eclipse. The researcher chose to bypass responsible disclosure and release exploits immediately, arguing Microsoft’s process is inadequate. This creates immediate risk as working exploit code is now publicly available before patches may be widely applied.

Architect’s Take: Review your Azure and Microsoft 365 patch status urgently and prioritise any outstanding Microsoft security updates, as publicly available exploit code significantly shortens the window between disclosure and active exploitation. Monitor Microsoft’s Security Response Center and threat intelligence feeds closely for CVE details tied to these leaks.

Original advisory: Another bug hunter leaks Microsoft exploits in defiance of company’s handling of vulnerability disclosures

Modern enterprise identity and access management (IAM) is increasingly fragmented across applications, machine identities, and decentralised teams, creating blind spots known as ‘Identity Dark Matter’ — activity that falls outside centralised IAM controls. Identity Visibility and Intelligence Platforms (IVIP) are emerging as a way to consolidate this visibility and reduce the exploitable attack surface. This matters because unmanaged identities are a primary vector for privilege abuse and lateral movement in cloud environments.

Architect’s Take: Audit your current IAM coverage gaps by mapping all human, machine, and federated identities across your cloud estate — then evaluate IVIP tooling to surface shadow identities and unmanaged service accounts that your existing IAM tooling cannot see.

Original advisory: Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP)

Researchers are applying machine learning techniques to crack historical hand-written ciphers used in medieval correspondence, including diplomatic and personal communications. While academically fascinating, this work demonstrates that AI can systematically analyse and break pattern-based encryption schemes that were previously considered too obscure to decode at scale. It highlights the broader capability of AI to accelerate cryptanalysis against weak or legacy cipher designs.

Architect’s Take: No immediate action is required, but this research serves as a timely reminder to audit any legacy or proprietary encryption schemes in your environment — AI-assisted cryptanalysis lowers the bar for breaking non-standard ciphers. Ensure all sensitive data at rest and in transit is protected by modern, well-vetted standards such as AES-256 and TLS 1.3, and avoid reliance on security through obscurity.

Original advisory: AI Used to Decrypt Medieval Ciphers

Researchers are applying machine learning techniques to decode historical hand-written ciphers used in medieval correspondence, including diplomatic and personal communications. Whilst not a direct cybersecurity threat, it demonstrates AI’s growing capability to break encryption schemes that were previously considered uncrackable. This has broader implications for understanding how AI might be applied to attack legacy or weak cryptographic implementations.

Architect’s Take: No immediate action required, but treat this as a signal to audit any legacy or non-standard encryption schemes in your environment — if AI can crack medieval ciphers, weak or deprecated algorithms (e.g. DES, MD5, RC4) are increasingly at risk. Ensure your cryptographic inventory is up to date and aligned with current NCSC guidance.

Original advisory: AI Used to Decrypt Medieval Ciphers

Anthropic has expanded its Glasswing partner programme fourfold, inducting 150 new organisations including the first non-US members, while UK banks have notably been excluded from the initiative. In parallel, OpenAI is offering UK financial institutions access to GPT-5.5, highlighting a competitive dynamic in AI partnerships within the regulated financial sector. The exclusion raises questions around data sovereignty, regulatory compliance, and which AI vendors UK-regulated entities can practically partner with.

Architect’s Take: Cloud security architects at UK financial institutions should assess the compliance and data residency implications of both OpenAI and Anthropic offerings before committing to either platform, paying close attention to FCA and PRA guidance on third-party AI risk and ensuring any AI partnership agreements include robust contractual controls around data handling and model governance.

Original advisory: UK banks offered access to OpenAI’s GPT-5.5 amid exclusion from Anthropic’s Glasswing expansion

Anthropic has expanded its Glasswing partner programme fourfold, inducting 150 new organisations including the first non-US members, while UK banks have notably been excluded. OpenAI has moved to fill the gap by offering UK financial institutions access to GPT-5.5. The development highlights growing competitive dynamics in enterprise AI access and raises questions about supply chain concentration risk for financial sector security teams.

Architect’s Take: Cloud security architects in UK financial services should assess the security posture, data residency commitments, and compliance certifications of any AI provider they are offered as an alternative — do not treat OpenAI’s GPT-5.5 access as a like-for-like replacement for Anthropic without conducting due diligence on API security controls, data handling agreements, and regulatory alignment with FCA/PRA expectations.

Original advisory: UK banks offered access to OpenAI’s GPT-5.5 amid exclusion from Anthropic’s Glasswing expansion

An unpatched vulnerability in Windows’ ‘search:’ URI handler can be exploited to leak a user’s NTLMv2 credential hash to an attacker, similar to a recently disclosed flaw in the Windows Snipping Tool (CVE-2026-33829). NTLMv2 hashes can be cracked offline or used in relay attacks to authenticate as the victim. The vulnerability remains unpatched, making it an active risk for any Windows environment, including cloud-connected hybrid setups.

Architect’s Take: Block or restrict outbound SMB traffic (TCP 445) at the network perimeter and enforce NTLM restrictions via Group Policy or Azure AD Conditional Access to reduce relay attack exposure. Additionally, consider deploying Defender for Endpoint or equivalent EDR rules to flag suspicious search: URI handler invocations until a patch is available.

Original advisory: Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

A vulnerability in BusyBox wget versions up to 1.3.7 allows attackers to inject arbitrary HTTP headers by embedding carriage return, line feed, or other control characters into the URL path or query string — a technique known as HTTP response splitting or header injection. This can enable request smuggling, session hijacking, or cache poisoning depending on the backend infrastructure. Any Azure or cloud workload using an affected BusyBox version to make outbound HTTP requests may be at risk.

Architect’s Take: Audit container images and lightweight Linux environments (particularly Alpine-based or IoT-adjacent workloads) for BusyBox wget versions at or below 1.3.7, and update to a patched release immediately. Enforce input validation at API gateways and WAF layers to strip raw control characters from HTTP request targets as a defence-in-depth measure.

Original advisory: CVE-2025-60876 BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20).

CVE-2026-25541 is an integer overflow vulnerability in the Rust ‘bytes’ crate, specifically within the BytesMut::reserve function. Integer overflows in memory management libraries can lead to heap buffer overflows, potentially enabling arbitrary memory corruption or remote code execution. This is particularly significant given the widespread use of the ‘bytes’ crate across cloud-native Rust applications and frameworks such as Tokio.

Architect’s Take: Audit your Rust-based services and container images for dependency on the ‘bytes’ crate and update to a patched version immediately. Pay particular attention to any Azure-hosted workloads or pipelines that process untrusted input, as memory corruption vulnerabilities of this class can be exploited to achieve code execution.

Original advisory: CVE-2026-25541 Bytes is vulnerable to integer overflow in BytesMut::reserve

CVE-2025-29923 affects go-redis, a popular Go client library for Redis, where a timeout during the CLIENT SETINFO command at connection establishment can cause responses to be returned out of order. This race condition can result in a client receiving incorrect data, potentially leading to data corruption or unintended application behaviour. Applications using go-redis in Azure or other cloud environments that rely on connection pooling may be silently affected.

Architect’s Take: Audit any workloads using the go-redis library and upgrade to the patched version as soon as possible. Pay particular attention to services with high connection churn or aggressive connection timeouts, as these are most likely to trigger the out-of-order response condition.

Original advisory: CVE-2025-29923 go-redis allows potential out of order responses when CLIENT SETINFO times out during connection establishment

CVE-2024-7598 is a race condition vulnerability in Kubernetes namespace termination that can allow an attacker to bypass network restrictions within Azure-hosted clusters. During the brief window when a namespace is being deleted, network policies may not be correctly enforced, potentially permitting unauthorised traffic between pods or services. This matters because it could allow lateral movement or data exfiltration in multi-tenant or segmented environments.

Architect’s Take: Review any workloads relying solely on Kubernetes network policies for isolation in Azure Kubernetes Service (AKS); consider supplementing with Azure Network Security Groups or Calico-enforced policies and monitor for unexpected cross-namespace traffic, particularly during namespace lifecycle events. Apply any available patches or mitigations from Microsoft promptly.

Original advisory: CVE-2024-7598 Network restriction bypass via race condition during namespace termination

A newly discovered vulnerability dubbed ‘HTTP/2 Bomb’ allows attackers to remotely crash major web servers — including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora — without authentication. The flaw exploits default HTTP/2 configurations, meaning most deployments are vulnerable out of the box. Because it affects such a broad range of widely used infrastructure, the potential impact is significant across cloud and on-premises environments alike.

Architect’s Take: Audit your HTTP/2 configurations across all edge and origin servers immediately, and apply vendor patches or mitigations as they are released — prioritising internet-facing NGINX, Apache, IIS, and Envoy instances. In the interim, consider enforcing HTTP/2 connection and stream limits at your load balancer or WAF layer to reduce exposure.

Original advisory: New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare

CVE-2020-8561 is a vulnerability in the Kubernetes API server (kube-apiserver) that allows an attacker to redirect webhook traffic, potentially enabling server-side request forgery (SSRF) against internal network resources. By manipulating admission webhook configurations, a malicious actor could cause the API server to make requests to arbitrary internal endpoints, bypassing network controls. This affects Azure Kubernetes Service (AKS) and any Kubernetes environment where untrusted users can modify webhook configurations.

Architect’s Take: Review and restrict who has permission to create or modify ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in your Kubernetes clusters — limit this to highly trusted administrators only. Audit existing webhook configurations for unexpected or suspicious target URLs, and consider network policies that restrict where the kube-apiserver can make outbound connections.

Original advisory: CVE-2020-8561 Webhook redirect in kube-apiserver

AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT Keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These logs help operators identify devices struggling to maintain connections and quickly diagnose certificate or credential failures across IoT fleets. This is an observability improvement rather than a security fix, but it meaningfully strengthens the ability to detect and respond to authentication anomalies.

Architect’s Take: Enable these new log event types in your AWS IoT Core logging configuration and consider creating CloudWatch Metric Filters or alarms on Connection.AuthNError events to surface potential credential misuse or certificate expiry issues proactively — particularly useful in large-scale fleets where silent authentication failures are easy to miss.

Original advisory: AWS IoT Core adds new logs to troubleshoot connectivity and authentication

AWS IoT Core has introduced two new CloudWatch log event types: Ping logs for MQTT keep-alive messages and Connection.AuthNError logs for failed authentication attempts. These additions give security and operations teams better visibility into device connectivity failures and credential or certificate issues across IoT fleets. This is a positive observability improvement rather than a vulnerability disclosure.

Architect’s Take: Enable event-level logging in AWS IoT Core and opt into both new event types immediately — feed Connection.AuthNError logs into your SIEM or CloudWatch alarms to detect potential credential stuffing or certificate misconfiguration across your IoT fleet at scale.

Original advisory: AWS IoT Core adds new logs to troubleshoot connectivity and authentication

A malware-as-a-service campaign dubbed Weedhack has been targeting Minecraft players since January 2026, distributing malicious software disguised as game clients and mods via YouTube. The operation has already compromised approximately 86,000 systems and includes components such as CountLoader and cryptocurrency miners. The campaign highlights how gaming communities remain a significant vector for delivering credential-stealing and system-control malware at scale.

Architect’s Take: If your organisation permits personal devices or BYOD access to cloud workloads, ensure endpoint detection controls can identify MaaS-delivered loaders such as CountLoader, and audit whether compromised personal credentials could pivot into corporate cloud environments via SSO or reused passwords.

Original advisory: Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content

A malware-as-a-service campaign dubbed Weedhack has been targeting Minecraft players since January 2026, distributing malware through YouTube by impersonating legitimate Minecraft clients and mods. The campaign has compromised thousands of systems and is linked to a loader dubbed CountLoader, which has recorded over 86,000 infections. The threat is notable for its exploitation of gaming communities and pirated software channels as a delivery mechanism for system-control malware.

Architect’s Take: While this campaign primarily targets consumers, architects should review endpoint security policies for corporate devices that may have gaming software installed, and ensure DNS filtering and web proxies block known malicious YouTube redirect chains and payload-hosting domains associated with Weedhack. Consider adding gaming and piracy-related domains to URL category block lists on managed endpoints.

Original advisory: Weedhack Attacks Minecraft Users, CountLoader Hits 86K, Miners Spread via Pirated Content

A critical vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento/Adobe Commerce allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw stems from unsafe deserialisation of a crafted PHP object passed via the CacheWarmer cookie, requiring no login or prior access. This vulnerability is actively being exploited in the wild, confirmed by CISA’s inclusion in its Known Exploited Vulnerabilities catalogue.

Architect’s Take: Identify any Magento or Adobe Commerce instances running the Mirasvit Full Page Cache Warmer extension and apply the vendor patch immediately ahead of the 6 June 2026 remediation deadline. Where patching is not immediately possible, implement a WAF rule to inspect and block malicious serialised PHP objects in the CacheWarmer cookie as an interim control.

Original advisory: CVE-2026-45247: Mirasvit Mirasvit Full Page Cache Warmer

A ransomware operator has broken the unwritten but widely observed rule among Russian-speaking cybercriminal groups by attacking targets within Russia or CIS countries, drawing attention to themselves and likely facing consequences from both law enforcement and criminal peers. This norm has historically served as an informal shield, with many ransomware variants including code to abort execution if a CIS locale is detected. The incident highlights the internal politics and geographic conventions that shape how ransomware gangs operate.

Architect’s Take: Use this as a reminder to review whether your ransomware detection and response playbooks account for threat actors who may no longer respect traditional geographic boundaries — do not assume CIS-origin malware will avoid your organisation based on locale checks alone.

Original advisory: ‘Dumbass’ criminal breaks the ‘first rule of ransomware club’

A ransomware operator has been caught after violating one of the unwritten rules of Russian-linked cybercrime: never target victims in Russia or other CIS nations. This breach of convention drew attention from Russian authorities, who typically turn a blind eye to ransomware gangs operating abroad. The case highlights the implicit geopolitical arrangement that has allowed many ransomware groups to operate with near-impunity.

Architect’s Take: While this story is primarily threat-intelligence context rather than a technical vulnerability, cloud security architects should use it as a prompt to review their ransomware resilience posture — ensure immutable, offline-tested backups exist in cloud environments, and verify that incident response plans account for ransomware-as-a-service actors who may face reduced operational risk depending on their geography.

Original advisory: ‘Dumbass’ criminal breaks the ‘first rule of ransomware club’

A vulnerability in Graph Explorer (versions 1.1.0 to 3.0.1), an open-source tool used with Amazon Neptune, can cause the application to silently fall back from HTTPS to unencrypted HTTP when TLS certificates are unavailable. This means sensitive data, potentially including graph database queries and results, may be transmitted in cleartext without any visible warning. The issue is tracked as CVE-2026-10584 and requires an explicit upgrade to version 3.0.1 or later.

Architect’s Take: Audit any Graph Explorer deployments running versions 1.1.0 through 3.0.1 and upgrade to 3.0.1 immediately; additionally, enforce network-level controls (e.g. VPC security groups or WAF rules) to block plain HTTP traffic to Neptune endpoints as a defence-in-depth measure while patching is underway.

Original advisory: CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer

AWS has published guidance on identifying unused KMS encryption keys and protecting them from accidental deletion across large, multi-account environments. Orphaned or forgotten keys can inflate costs, create compliance gaps, and pose a risk if unexpectedly deleted — potentially making encrypted data permanently inaccessible. The post outlines tooling and processes to audit key usage and apply deletion safeguards at scale.

Architect’s Take: Implement regular KMS key usage audits using AWS CloudTrail and CloudWatch metrics, and ensure deletion windows and key policies are configured to prevent accidental removal — particularly in multi-account organisations where key ownership can become unclear over time.

Original advisory: Identify unused AWS KMS keys and prevent accidental key deletions

Google’s June 2026 Android security update addresses 124 vulnerabilities, including a high-severity privilege escalation flaw (CVE-2025-48595) in the Android Framework component that is actively being exploited in the wild. The flaw requires no user interaction, making it particularly dangerous as attackers can escalate privileges silently. Organisations with Android devices in their mobile fleet or BYOD programmes should treat this update as urgent.

Architect’s Take: Prioritise enforcement of this patch across managed Android devices via your MDM solution (e.g. Intune, Jamf, or Google Endpoint Management) — focus first on devices accessing corporate cloud resources or sensitive SaaS applications. Review your mobile threat defence policies to detect any exploitation attempts against unpatched devices in the interim.

Original advisory: Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited

Cisco has publicly praised its AI model ‘Mythos’ for its performance in automated vulnerability discovery but has declined to disclose the number of bugs it actually found. Separately, Anthropic has expanded its Project Glasswing initiative by adding 150 new partners, signalling growing industry investment in AI-driven security tooling. The opacity around Mythos’ results raises questions about transparency and how organisations should evaluate AI security claims.

Architect’s Take: Treat vendor claims about AI-driven vulnerability discovery with scepticism until independently verifiable metrics are published — when evaluating AI security tooling, demand concrete, auditable outputs such as CVE counts, false-positive rates, and coverage scope before committing to any platform.

Original advisory: Cisco sings Mythos’ praises - but doesn’t say how many bugs the model uncovered

Russian state-linked threat group Gamaredon is actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to deploy a chain of malware against Ukrainian targets. The attack begins with an HTML Application payload (GammaPhish) which then downloads further malware including GammaWorm and GammaSteel, designed for data theft and lateral propagation. This is a targeted, state-sponsored campaign with significant implications for organisations operating in or with Ukraine.

Architect’s Take: Ensure WinRAR is patched to a version addressing CVE-2025-8088 across all endpoints, and consider blocking HTA file execution via AppLocker or Windows Defender Application Control policies. Cloud-connected environments should review egress controls and data exfiltration detection rules, particularly for workloads with access to sensitive data stores.

Original advisory: Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

A high-severity vulnerability in Oracle WebLogic Server (CVE-2024-21182) has been added to CISA’s Known Exploited Vulnerabilities catalogue following confirmed active exploitation in the wild. The flaw allows an unauthenticated attacker with network access to take full control of affected servers without any credentials. Any organisation running Oracle WebLogic in cloud or on-premises environments should treat this as an urgent remediation priority.

Architect’s Take: Audit your cloud environments immediately for internet-exposed or network-accessible WebLogic instances and apply Oracle’s patch from the January 2024 Critical Patch Update without delay. As an interim control, restrict network access to WebLogic admin ports using security groups or firewall rules, and consider placing instances behind a WAF or application gateway.

Original advisory: Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation

AWS Config now supports internal service linked rules, allowing AWS services like Security Hub CSPM to deploy and manage their own Config rule evaluations independently of customer-managed rules. Evaluation results are delivered directly to the originating AWS service at no additional charge to customers. This separation means AWS services can run compliance checks without interfering with customer-configured Config setups.

Architect’s Take: No immediate action is required, but architects should review their AWS Config cost models and compliance dashboards — internal service linked rules operate independently and won’t affect existing customer rules or recorders, so there is no risk of unintended interference. Take note that Security Hub CSPM will now leverage this mechanism, which may affect how you interpret Config rule counts and evaluation results in your environment.

Original advisory: AWS Config now supports internal service linked rules

AWS Deadline Cloud now supports persistent EBS volumes for Service-Managed Fleet workers, preserving software environments and assets across worker lifecycle events. Previously, workers used only ephemeral storage, meaning software had to be reinstalled on every recycle. This change reduces startup times and improves job throughput for compute-intensive rendering and simulation workloads.

Architect’s Take: Review IAM policies and EBS volume access controls to ensure persistent volumes cannot be accessed by unintended workers or principals across lifecycle boundaries. Consider enabling EBS encryption at rest for all SMF persistent volumes and validate that TTL policies are configured to minimise unnecessary data retention in line with your data classification requirements.

Original advisory: AWS Deadline Cloud now supports persistent storage for Service Managed Fleets

Amazon SageMaker Studio’s quick setup time has been reduced from over two minutes to under twenty seconds. New Studio environments now automatically receive a managed IAM policy granting serverless model customisation permissions, including fine-tuning, evaluation, and deployment to SageMaker or Bedrock endpoints. This reduces friction for ML practitioners but introduces pre-configured IAM permissions that security teams should review.

Architect’s Take: Review the scope of the automatically attached AmazonSageMakerModelCustomizationCoreAccess managed policy against your least-privilege baselines — auto-provisioned IAM policies with deployment permissions to Bedrock and SageMaker endpoints may exceed what individual users or teams require. Consider whether your landing zone or Service Control Policies should restrict or audit automatic policy attachment in SageMaker Studio environments.

Original advisory: Amazon SageMaker Studio now sets up in seconds with model customization ready from the start

AWS has published guidance on securing multi-tenant AI agent deployments using Amazon Bedrock AgentCore resource-based policies. SaaS providers can use these controls to isolate tenants, enforce VPC-only traffic for regulated workloads, and manage cross-account access — all from a shared infrastructure. This matters because poorly isolated multi-tenant AI systems can expose one customer’s data or capabilities to another.

Architect’s Take: If you are building or reviewing a multi-tenant SaaS platform on Bedrock AgentCore, implement resource-based policies now to enforce tenant isolation boundaries — pay particular attention to cross-account trust conditions and VPC endpoint restrictions to meet regulatory obligations such as UK GDPR and financial sector requirements.

Original advisory: Secure multi-tenant AI agents with Amazon Bedrock AgentCore resource-based policies

A vulnerability in AWS’s Kiro agentic IDE (versions prior to 0.11) allows remote unauthenticated attackers to write to execution-sensitive files such as .vscode/tasks.json, which can trigger automatic command execution when a folder is opened. The flaw stems from insufficient access control restrictions in the IDE’s file write tool. This is particularly concerning as it can be exploited via crafted instructions, potentially through AI agent interactions.

Architect’s Take: Ensure all developers using Kiro IDE have updated to version 0.11 or later immediately, and consider enforcing this via endpoint management tooling. Review developer workstation security policies to restrict auto-execution behaviours in IDE environments, particularly for AI-assisted or agentic tooling.

Original advisory: CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths