Aggregator

Bold Plan Raises Hard Questions About Execution, Liability and Oversight
The Trump administration's national cyber strategy calls for a stronger partnership between the federal government and private companies, heralding a shift in the ways private enterprise could participate in offensive operations against nation-state adversaries, ransomware gangs and cybercriminals.

Also: the Pentagon-Anthropic AI Legal Showdown, the New Reality of Document Fraud
In this week's panel, four ISMG editors discuss the cyber activity tied to the U.S.-Israel-Iran conflict, the Pentagon's standoff with AI firm Anthropic and a new report that reveals how document fraud reflects deeper weaknesses in verification systems.

New Startup Says Cloud-Heavy Models Do Not Scale for Large Enterprises
Bold Security exited stealth with $40 million to build an endpoint platform for the artificial intelligence era. CEO Nati Hazut said companies can no longer rely on older controls as employees and AI agents access data locally, creating new blind spots around apps, files and device activity.

You have Sentinel. You have Defender. Here is what fills the autonomous investigation gap between detection and autonomous resolution.

The post D3 Morpheus for Your Microsoft Security Environment appeared first on D3 Security.

The post D3 Morpheus for Your Microsoft Security Environment appeared first on Security Boulevard.

A vulnerability, which was classified as problematic, was found in angular up to 19.2.19/20.3.17/21.2.3. Affected by this issue is some unknown functionality. The manipulation results in cross site scripting. This vulnerability is identified as CVE-2026-32635. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in leanprover vscode-lean4 up to 0.1.x. Affected by this vulnerability is an unknown functionality. The manipulation leads to basic cross site scripting. This vulnerability is referenced as CVE-2026-32732. Remote exploitation of the attack is possible. No exploit is available. It is advisable to upgrade the affected component.

A vulnerability classified as problematic was found in Mintplex-Labs anything-llm up to 1.11.1. Affected is an unknown function of the component HTTP Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The identification of this vulnerability is CVE-2026-32617. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as problematic has been found in emmansun gmsm up to 0.41.0. This impacts an unknown function of the component SM2/SM3/SM4/SM9/ZUC. Performing a manipulation results in improper verification of cryptographic signature. This vulnerability was named CVE-2026-32614. The attack may be initiated remotely. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability described as problematic has been identified in Mintplex-Labs anything-llm up to 1.11.1. This affects an unknown function of the file frontend/src/utils/chat/markdown.js of the component PromptReply Component. Such manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-32626. The attack can be launched remotely. No exploit exists.

A vulnerability marked as critical has been reported in ctfer-io monitoring up to 0.2.0. The impacted element is an unknown function. This manipulation causes improper access controls. This vulnerability is handled as CVE-2026-32720. The attack can be initiated remotely. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability labeled as problematic has been found in Mintplex-Labs anything-llm up to 1.11.1. The affected element is an unknown function of the component Generic Endpoint. The manipulation results in incorrect authorization. This vulnerability is known as CVE-2026-32715. It is possible to launch the attack remotely. No exploit is available.

A vulnerability identified as critical has been detected in PX4 PX4-Autopilot up to 1.17.0-rc1. Impacted is the function tattu_can of the component CAN Handler. The manipulation leads to stack-based buffer overflow. This vulnerability is traded as CVE-2026-32707. It is possible to launch the attack on the physical device. There is no exploit available. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in PX4 PX4-Autopilot up to 1.17.0-rc1. This issue affects some unknown processing. Executing a manipulation can lead to buffer overflow. This vulnerability appears as CVE-2026-32706. The attacker needs to be present on the local network. There is no available exploit. It is advisable to upgrade the affected component.

Currently trending CVE - Hype Score: 3 - Fabio is an HTTP(S) and TCP router for deploying applications managed by consul. Prior to version 1.6.6, Fabio allows clients to remove X-Forwarded headers (except X-Forwarded-For) due to a vulnerability in how it processes hop-by-hop headers. Fabio adds HTTP headers like ...

A vulnerability was found in SiYuan up to 3.6.0. It has been rated as critical. This vulnerability affects unknown code of the file /api/template/renderSprig of the component Custom Attributes Handler. Performing a manipulation results in improper authorization. This vulnerability is reported as CVE-2026-32704. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability was found in kasuganosoras Pigeon up to 1.0.200. It has been declared as problematic. This affects an unknown part of the component Message Handler. Such manipulation of the argument HTTP_HOST leads to injection. This vulnerability is documented as CVE-2026-32616. The attack can be executed remotely. There is not any exploit available. It is recommended to upgrade the affected component.

This week’s McKinsey incident should be a wake-up call for every enterprise moving fast to deploy AI.

Not because AI itself is inherently insecure.

But because too many organizations are still thinking about AI security at the model layer, while the real enterprise risk sits in the action layer: the APIs, MCP servers, internal services, and shadow integrations that AI agents can reach, invoke, and manipulate.

That is the part most companies still do not see.

The technical details matter here. Public reporting described an internal AI platform with a broad API footprint, including more than 200 documented endpoints and a set of unauthenticated APIs that could allegedly be reached externally. The same reporting described potential exposure paths to tens of millions of chat messages, hundreds of thousands of files, user accounts, and system prompts. Whether or not every possible impact was realized, the takeaway for security leaders is clear: when internal AI systems are wired into weakly governed APIs, the blast radius can become enormous very quickly.

And this is not an isolated case.

The McDonald’s AI hiring incident points to the same structural problem. Different companies. Different workflow. Same core mistake. Reporting on that case described exposed administrative access, weak authentication practices, and the potential exposure of a massive pool of applicant records. Again, the story was not just about the chatbot. It was about the application and API infrastructure around it.

That is the lesson the market needs to understand.

The real risk is not the LLM. It is what the agent can do.

A lot of the AI security market today is focused on prompts, model behavior, jailbreaks, and output controls.

Those matter.

But they are only one layer.

In the enterprise, AI agents do not create value by talking. They create value by taking action. They retrieve data, call APIs, invoke tools, access systems, trigger workflows, and increasingly operate through MCP servers and connected services.

That means the real blast radius of AI is determined by the action layer.

• If an internal API is left exposed without authentication, an agent can find it.
• If a shadow service is internet-accessible, an agent can reach it.
• If an MCP server is misconfigured, an agent can use it.
• If sensitive business logic is sitting behind undocumented or forgotten endpoints, an agent can chain those calls together at machine speed.

This is why the industry framing of “AI security” is still too narrow. The attack surface is no longer just the model. It is the full connected system around it.

McKinsey and McDonald’s security breaches are the same story

At first glance, these incidents look different. McKinsey was an internal AI platform. McDonald’s was an AI-powered hiring workflow.

But structurally they are the same. Both point to a growing enterprise reality: organizations are connecting AI systems to internal and external application infrastructure faster than they are securing that infrastructure.

And in many cases, the weakest point is not a sophisticated model exploit. It is a plain old exposed API, weak authentication, forgotten endpoint, misconfigured access control, or third-party integration that quietly became internet reachable.

That is exactly why I believe one of the most dangerous categories emerging right now is shadow APIs connected to agents.

These are internal or lightly governed APIs that were never meant to become part of an external attack surface, but once they are connected to copilots, workflows, MCP servers, browser agents, coding agents, or AI applications, they effectively become part of one.

The company still thinks of them as “internal.” The attacker does not.

The blind spot: shadow APIs plus agent connectivity

This is the gap I worry about most for enterprises today. Every company has APIs it knows about. Many also have APIs it has forgotten, never fully documented, or does not realize are externally reachable.

Now add AI. The moment an agent is connected to those systems, or an MCP server is exposed with access to them, the attack surface expands dramatically.

What used to be obscure, low traffic, and semi-internal becomes:

• Discoverable
• Callable
• Chainable
• Exploitable at machine speed

That is the shift. In the pre-agentic world, a hidden or weakly governed API might sit quietly for months or years. In the agentic world, it only needs to be reachable once.

The new security model enterprises need

If you are deploying AI, you need to stop asking only: Is the model safe? and start asking:

• What can this agent reach?
• What APIs back this workflow?
• Which endpoints are exposed externally?
• Which MCP servers exist across the company?

The next generation of AI incidents will come from agents sitting on top of weak action layers: exposed APIs, unauthenticated services, forgotten integrations, and misconfigured MCP servers.

This is exactly why we built Salt Surface

At Salt, we have spent years helping enterprises discover and secure APIs they did not know were exposed. That problem now matters even more in the age of AI.

With Salt Surface, organizations can map their exposed API footprint, including AI-related APIs and externally reachable services, without deploying an agent or installing anything in their environment.

If you are building with AI, the first question should not be whether your prompt is protected. It should be whether your action layer is exposed.

The model is not the whole attack surface. The API layer is.

Get your free exposure scan

If you want to know whether your company has exposed APIs, AI-connected endpoints, or internet-reachable services, we will show you. No installation. No heavy lift. Just a domain and you get visibility into the attack surface you need to understand now.

Request your free Salt Surface scan today.

Roey Eliyahu is the Co-Founder and CEO of Salt Security, the leader in Agentic Security.

‍

‍

The post An AI Agent Didn’t Hack McKinsey. Its Exposed APIs Did. appeared first on Security Boulevard.

A vulnerability was found in apollo federation-internals, gateway and query-planner up to 2.9.5/2.10.4/2.11.5/2.12.2/2.13.1. It has been classified as critical. Affected by this issue is some unknown functionality. This manipulation causes improperly controlled modification of object prototype attributes. This vulnerability is registered as CVE-2026-32621. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is recommended.

A vulnerability was found in GNU inetutils up to 2.7 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component telnet. The manipulation results in incorrect resource transfer. This vulnerability is cataloged as CVE-2026-32772. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in Mintplex-Labs anything-llm up to 1.11.1 and classified as critical. Affected is the function importCommunityItemFromUrl of the file server/utils/agents/imported.js of the component ZIP File Parser. The manipulation leads to path traversal. This vulnerability is listed as CVE-2026-32719. The attack may be initiated remotely. There is no available exploit.