Dispatches. Practitioner-first cybersecurity coverage.
Independent reporting on AI security, SOC automation, identity, data and the adversarial edge. Every piece is rewritten in-house and credits every source — never a press-release copy.
Featured: On-Prem Exchange Hit: CVE-2026-42897 Lets a Crafted Email Run Code in OWA
Microsoft confirms active exploitation of an XSS spoofing flaw in on-prem Exchange Server. A crafted email opened in Outlook Web Access is enough to execute attacker-supplied JavaScript in the victim's browser context, and CISA has set a federal KEV deadline for May 29.
Archive
-
AI Security: Google Discloses First Confirmed AI-Authored Zero-Day, a 2FA Bypass Used for Mass Exploitation
Google's threat intel team says an unknown actor used a large language model to find and weaponise a zero-day 2FA bypass in a web admin tool. The Python exploit shipped with hallucinated CVSS scores and educational docstrings — the smoking gun that an LLM, not a human, wrote it.
-
AI Security: UK AI Security Institute Finds GPT-5.5 Matches Claude Mythos at Vulnerability Discovery
A new evaluation from the UK's AI Security Institute concludes that OpenAI's generally-available GPT-5.5 performs on par with Anthropic's restricted Claude Mythos at finding software vulnerabilities — and that a smaller model with the right prompting scaffolding gets close enough to matter.
-
Code Security: An 18-Year-Old NGINX Bug Reopens One of the Internet's Most-Reached Code Paths
A heap buffer overflow in NGINX's rewrite module, undisclosed since 2008, can be triggered by a single crafted HTTP request and reaches unauthenticated RCE on hosts running with ASLR disabled. F5 has shipped patches for Open Source, Plus, and every derivative.
-
Vendor: Cisco SD-WAN Controllers Hit by 10.0 Auth Bypass — Active Exploitation Confirmed
A maximum-severity authentication bypass in Cisco Catalyst SD-WAN Controller (CVE-2026-20182, CVSS 10.0) lets unauthenticated attackers gain administrative control over the SD-WAN fabric via UDP 12346. Cisco has confirmed limited in-the-wild exploitation; the vulnerable component has now produced two 10.0-rated bypasses in three years.
-
AI Security: OpenAI's Daybreak Hands Defenders a Frontier Vulnerability Model
OpenAI launched Daybreak, a defensive cyber initiative pairing three GPT-5.5 variants with Codex Security to give vendors access to AI vulnerability discovery, threat modeling, and patch validation. The release confirms that frontier labs now treat vuln-finding capability as gated infrastructure rather than a public product.
-
AI Security: Anthropic's Mythos and the Asymmetry Problem in AI Vulnerability Discovery
Anthropic held back its Claude Mythos Preview from public release because it finds software vulnerabilities at a rate defenders cannot match in their patch cycles. Bruce Schneier argues the deeper concern isn't software at all — it's every other rule-based system AI can now mine for exploits.
-
Threat Intel: Active Exploitation of Ivanti EPMM Forces a 72-Hour Federal Patch Window
A high-severity flaw in Ivanti's on-prem mobile device management platform, CVE-2026-6973, hit CISA's Known Exploited Vulnerabilities list with one of the tightest deadlines of the year. The exploitation requires admin authentication — which means previously compromised credentials are the live attack path.
-
Vulnerabilities: Critical cPanel Auth Bypass CVE-2026-41940 Hits Asia-Pacific Governments and MSPs Within 24 Hours of Disclosure
A critical authentication-bypass in cPanel and WHM was weaponized within a day of public disclosure, with multiple operators using AdaptixC2, Mirai variants, and Sorry ransomware against government targets in Southeast Asia and managed service providers across five countries.
-
Threat Intel: Scattered Spider's 'Tylerb' Pleads Guilty in California, Faces 22 Years for SIM-Swap Spree That Defined the Crew
A 24-year-old Scottish national admitted to wire-fraud conspiracy and aggravated identity theft tied to the 2022 phishing campaign that put Scattered Spider on the map, the second senior member to plead guilty in US federal court and a useful read on how durable the loose-knit crew remains a year after its first conviction.