(2/2) Exploitation only requires a recipient opening a crafted email in OWA. Interim mitigation is available via Microsoft's EEMS for on-prem deployments. Get our breakdown and analyst notes, along with other threats you should know about: https://t.co/EtCQ2XVdZ8
(1/2) Microsoft Exchange has an actively exploited zero-day — CVE-2026-42897 — with no permanent patch. Next Patch Tuesday isn't until June 10. This CVE affects Exchange 2016, 2019, and SE. It's serious enough that the CISA deadline for federal agencies to take action is tomorrow.
(1/2) In 2021, we found a macOS codesigning flaw. Apple never acknowledged it — the release of M1 just happened to eliminate it. But now we've found another one. Across 2,000 iterations, we saw a 100% success rate.
Claude Security opened up for public beta last week. It's supposed to find the flaws and write the patches. But tech is only one part of the problem. What it doesn't do: review, validate, approve, or scan anything outside the codebase. Find out if your security program is ready, with our 3-minute assessment:
https://t.co/hLl3rXKecn
Shock Hosting (ASN395092) is the consistent infrastructure link — blocking it will reduce risk with minimal disruption. Get the details in our threat brief: https://t.co/9oU9O69JK4
Threat actors are using fake Zoom, Teams, DocuSign, and Adobe links to install ScreenConnect, pre-configured for attacker-controlled C2. It's active now, and we've seen a spike recently.
To do: Block .exe/.msi downloads for non-IT users. Restrict local admin rights. Flag any RMM software your team didn't provision. 🧵
Our team alerted clients to this earlier this week. If you're unsure whether your environment is affected, reach out — we'll follow up promptly.
Get our regular weekly threat brief to find out about other risks you should be watching: https://t.co/9oU9O69JK4
CVE-2026-4190 is being exploited in the wild. cPanel/WHM auth bypass. No credentials needed to gain full admin access. Patch now — don't wait for a maintenance window. If your server was internet-facing before patching, treat it as potentially compromised. Rotate all admin + root credentials, audit SSH keys and config files, and restrict management access to known IPs or VPN.
Most security leaders have some version of the same answer when asked about #Mythos right now: "We're keeping an eye on it." Keeping an eye on something isn't the same as knowing where you stand. Our Mythos Readiness Assessment was built to close that gap. Based on the CSA Priority Actions framework, takes about 5 minutes, and gives you a concrete picture of where your security program stands against what AI-driven threats look like in practice. Take the Mythos Readiness Assessment: https://t.co/KUuuJ6xbkP
OSec's Weekly Threat Brief is out.
Adobe Acrobat zero-day actively exploited since December.
Two unpatched Windows Defender privilege escalation bugs.
n8n Cloud hijacked to deliver malware.
Supply chain phishing targeting developers on Slack.
Get the brief + IOCs + remediation guidance here → https://t.co/2zxaOa0pJJ
The 2014 Sony Pictures hack showed what's at stake when IP gets exposed. Now imagine that risk multiplied across 200-400 vendors, which is how many third parties are part of a major production. Each running AI tools, ingesting sensitive data, with no real governance or risk management. That's Hollywood's supply chain today. Read our thoughts on the risk and solution: https://t.co/1z81ltuA3c
#MediaSecurity #SupplyChainRisk #AIRisk
Iranian hackers in OT systems. AI phishing bypassing MFA. An unpatched Windows zero-day. Chinese espionage across Europe. That was just last week.
Get the brief + IOCs + actionable guidance: https://t.co/Llnd9TOqvN
#threatintel #threatintelligence #cybersecurity
If Mythos were actually as dangerous as claimed, announcing it publicly would be unconscionable. "We built the doomsday weapon!" is not responsible disclosure. So let's maybe pump the brakes on the apocalypse.
Still, orgs will need to figure out where they stand and if they can deal with the flood of disclosures, vulns, and patches that will overwhelm them.
That's why we built this readiness assessment. 3 minutes. Find out if you're ready for the flood: https://t.co/3KQvx1W3pO
Major educational institutions have been hit by cyberattacks in the last few months, including Harvard, UPenn, and Columbia. Education ransomware is up 23% year over year. We tracked the data, named the groups, highlighted what you can do to protect your organization, and put it in one place.
Get our Education Sector Threat Brief today: https://t.co/CJ1MS6V6QM
#CyberSecurity #Education #Ransomware #K12Security #ThreatIntel
Your phishing simulation is a training metric, not a security metric. There's a difference, and it's a big one when someone is actually trying to breach your org. Real social engineering testing covers 3 dimensions:
— Physical (tailgating, badge cloning)
— Technical (vishing, MFA bypass, credential harvesting)
— People (pretexting, vendor impersonation, helpdesk manipulation)
Find out more in our latest blog post: https://t.co/TNDD8eI29I
#phishing #socialengineering #pentesting
NERC CIP-003-11 is approved. The deadline for compliance is May 26. But deploying security into legacy OT environments isn't easy. And the standard has a lateral movement gap that's critical. Compliant ≠ secure. Get our analysis on this new standard and what you need to do before the deadline:
https://t.co/lwP5CyjTAm
6 active threats your security team needs on their radar this week, from Citrix to F5 to Cisco & more. Get the public threat brief with YARA rules & more: https://t.co/E7mz53MYEA #threatintel #cybersecurity
The Stryker wiper attack hit 200K systems across 79 countries. That was over a week ago. Cyber news has moved on, but the impact is still happening. Full breakdown, including news on BlackSanta, Storm-2561, & critical n8n flaws, here: https://t.co/HJjWmVz7qJ #ThreatIntel #InfoSec
Your AI scanner found thousands of vulnerabilities. But can it tell you which ones are actually exploitable in your environment — and whether the fixes worked? Discovery without validation is just expensive noise. New post on why the validation layer matters: https://t.co/He4DT5xvow