CISO Talk by James Azar
CyberHub Podcast
CISA Accelerates Emergency Patching, 6.99 Million Driver's Licenses Exposed, and Chinese Hackers Expand Espionage Against Universities
0:00
-18:42

CISA Accelerates Emergency Patching, 6.99 Million Driver's Licenses Exposed, and Chinese Hackers Expand Espionage Against Universities

Why today's cybersecurity battle is no longer about discovering vulnerabilities, it's about whether defenders can move as fast as attackers.

☕ Good Morning Security Gang,

Preparing today’s show, I found myself asking the same question I’ve been asking more and more this year:

Didn’t we just talk about this?

Unfortunately, the answer is yes, but it’s happening again. Attackers continue exploiting vulnerabilities within days, sometimes hours, of patches becoming available. Today’s stories spanned actively exploited Adobe ColdFusion flaws, Langflow AI vulnerabilities, Joomla extensions, Ubiquiti infrastructure, Chinese espionage campaigns targeting universities, ransomware and data destruction at a Canadian university, and the largest driver’s license data breach reported this year.

What stood out wasn’t a brand-new attack technique.

It was the speed.

The cybersecurity industry has entered a world where the difference between a routine patch cycle and an incident response engagement may only be measured in days.

Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.

🧭 Executive Summary

Today’s threat landscape demonstrated that speed has become the defining metric in cybersecurity.

CISA continues accelerating emergency vulnerability notifications, attackers are weaponizing newly disclosed vulnerabilities almost immediately, ransomware groups are combining data theft with destructive wiping attacks, and nation-state actors are conducting highly targeted espionage against academic research institutions supporting national security initiatives.

Meanwhile, AI continues reshaping both offense and defense. Google patched vulnerabilities in its Dialogflow platform, CISA has begun leveraging Anthropic’s Mythos model to identify software vulnerabilities across federal repositories, while criminal organizations are increasingly incorporating AI into phishing campaigns, malware development, and mobile spyware.

Organizations that still measure vulnerability management in weeks are no longer operating at the speed of today’s threat landscape.

📰 Top Stories & Deep Dive Analysis

“Attackers are operating at machine speed. We can’t keep defending at meeting speed.” James Azar

🚨 CISA Adds Four Actively Exploited Critical Vulnerabilities to the KEV Catalog

The most urgent development today comes from CISA, which added four actively exploited maximum-severity vulnerabilities across three separate technology platforms to its Known Exploited Vulnerabilities (KEV) Catalog in a single day. The affected products include Adobe ColdFusion, Langflow, and two popular Joomla extensions, with federal agencies receiving an accelerated remediation deadline under Binding Operational Directive 22-01.

“Your vulnerability management program should assume single-digit-day exploitation not hope it won’t happen.” James Azar

Among the additions is CVE-2026-2244, a critical ColdFusion arbitrary file upload vulnerability already being exploited in the wild. CISA also added CVE-2026-3248, an insecure direct object reference flaw affecting Langflow that attackers are actively chaining with an earlier remote code execution vulnerability (CVE-2026-33017) to enumerate workflow identifiers, conduct reconnaissance, and execute malicious AI workflows.

The final two additions impact Joomla extensions widely deployed across business websites and portals.

What makes today’s announcement especially important isn’t simply the vulnerabilities themselves.

It’s the pace.

CISA continues demonstrating dramatically faster operational response times than in previous years, providing defenders with immediate intelligence while vulnerabilities are still entering active exploitation.

For organizations running ColdFusion, Langflow, or affected Joomla components, the guidance is straightforward: patch immediately, verify previous mitigations remain in place, and assume attackers are already scanning for vulnerable systems.

🌐 Ubiquiti Fixes Seven Critical Vulnerabilities Affecting More Than 100,000 Internet-Facing Devices

Ubiquiti released security updates addressing seven critical vulnerabilities across the UniFi ecosystem, including CVE-2026-50746, a maximum-severity command injection flaw allowing attackers with network access to execute arbitrary commands on affected devices.

The remaining vulnerabilities impact UniFi Talk, Access, Protect, UniFi OS Server, routers, gateways, NAS appliances, and surveillance products. Six require no user interaction and remain relatively simple to exploit.

According to Census, more than 100,000 UniFi OS systems remain publicly accessible from the internet, with nearly half located within the United States.

This matters because Ubiquiti infrastructure has repeatedly appeared in nation-state campaigns.

The FBI previously dismantled the MooBot botnet built upon compromised Ubiquiti routers, while CISA has already issued multiple emergency directives this year involving actively exploited UniFi vulnerabilities.

Organizations should immediately update UniFi Connect to version 3.4.20 or later, deploy current UniFi OS updates, and remove management interfaces from public internet exposure wherever possible.

🇨🇳 Chinese Espionage Campaign Targets U.S. and Canadian Universities

Proofpoint researchers disclosed a highly targeted Chinese espionage campaign exploiting known vulnerabilities in Roundcube Webmail to compromise researchers working in physics, engineering, astrophysics, and national security-related academic programs across the United States and Canada.

The attacks begin with phishing emails sent from previously compromised accounts. Opening the email inside vulnerable Roundcube environments triggers CVE-2024-42009, allowing attackers to deploy an information stealer known as IceCube, which harvests usernames, passwords, authentication cookies, and multi-factor authentication artifacts.

Attackers then attempt to exploit CVE-2025-49113, a deserialization vulnerability enabling deployment of a PHP web shell called SquareShell. If that effort fails, they transition to an in-memory Go-based backdoor called VShell, maintaining persistent access without writing traditional malware to disk.

Perhaps the most concerning observation is that attackers appear to identify vulnerable Roundcube deployments before launching phishing campaigns, demonstrating careful reconnaissance and highly selective targeting rather than broad indiscriminate attacks.

Organizations operating Roundcube particularly universities, research institutions, and government partners should prioritize patching immediately and treat webmail infrastructure with the same security rigor traditionally reserved for VPN gateways and identity platforms.

🎓 Calgary University Faces Data Theft and Destructive Wiping Attack

Mount Royal University in Calgary confirmed that attackers stole sensitive information from university network shares before wiping multiple file servers during a June cyberattack. The incident affected current and former students, employees, and additional unidentified individuals.

A threat group calling itself CMD Organization claimed responsibility, publishing samples of stolen passport information while demanding 30 Bitcoin, approximately $1.9 million, and threatening to auction stolen information if payment is not received.

Unlike traditional ransomware, the attackers didn’t stop after stealing data.

They intentionally destroyed university file shares, significantly complicating recovery efforts and reinforcing the industry’s shift toward combined extortion and destructive operations.

Mount Royal is offering two years of identity monitoring while acknowledging that portions of the destroyed data may never be recoverable.

The incident reinforces an increasingly important lesson: backup strategies must assume attackers will both steal and destroy data simultaneously.

Immutable backups are no longer optional, they’re becoming foundational.

⚡ Need to Know

🚗 Nearly Seven Million Driver’s License Records Exposed

Insurance provider AssuranceAmerica confirmed a breach impacting approximately 6.99 million individuals after attackers compromised employee credentials and accessed names, driver’s license numbers, policy information, vehicle details, and claims data. Organizations managing driver’s license information should review identity protection controls and ensure phishing-resistant authentication protects employee accounts.

🤖 Google Fixes Dialogflow “Rogue Agents” Vulnerability

Varonis disclosed a critical vulnerability allowing malicious modifications to Google Dialogflow CX playbooks. Google has fully remediated the issue, but organizations should review historical chatbot playbook modifications for unauthorized changes.

🛡️ CISA Deploys Anthropic’s Mythos AI for Code Scanning

CISA confirmed it is using Anthropic’s Mythos AI model to identify vulnerabilities across federal software repositories. Early deployments have reportedly uncovered numerous previously unknown software weaknesses, highlighting AI’s growing role in defensive security operations.

💰 Cash App Pays $45 Million Settlement

Cash App owner Block agreed to pay $45 million following allegations from 46 states that it misrepresented fraud protection capabilities while lacking adequate customer support and fraud detection processes. Organizations evaluating fintech providers should validate security claims through independent due diligence rather than relying solely on vendor marketing.

📱 Android Spyware Uses Google Gemini

Researchers documented Android malware dynamically interacting with Google’s Gemini AI model to interpret device screens and adapt user interface interactions in real time, demonstrating another example of AI being incorporated directly into offensive tooling.

🇪🇺 European Union Expands AI Cybersecurity Strategy

The European Commission announced new initiatives aimed at strengthening domestic AI cybersecurity capabilities while reducing long-term dependence on foreign AI infrastructure and models.

🎯 Key Takeaway

Today’s show wasn’t about ColdFusion.

It wasn’t about Ubiquiti.

And it wasn’t about Roundcube.

It was about speed.

The speed of disclosure.

The speed of exploitation.

The speed of patching.

The speed of recovery.

Organizations that continue measuring vulnerability management in weeks are increasingly defending against attacks that unfold in days.

🧠 James Azar’s CISOs Take

What stood out to me today is how dramatically the timeline has shifted between disclosure and exploitation. Four maximum-severity vulnerabilities across completely different technologies landed in CISA’s KEV catalog on the same day. That’s not a coincidence. It’s evidence that attackers have fundamentally changed how they operate. They’re monitoring vendor advisories, developing exploit chains almost immediately, and targeting organizations before traditional change management processes even begin. If your patch management program still measures success in weeks, you’re no longer simply behind schedule, you’re operating on a timeline attackers have already abandoned.

The second takeaway is that CISA deserves recognition for setting a new operational pace. Faster KEV updates provide practitioners with the information we need to justify emergency patching and communicate urgency to executive leadership. That leadership matters. At the same time, organizations need to match that urgency internally. Whether it’s ColdFusion, Langflow, Ubiquiti, or Roundcube, every internet-facing platform should now be evaluated under the assumption that active exploitation begins almost immediately after disclosure. That’s no longer the exception. It’s becoming the baseline.

Leave a comment

🛠️ Action Items

  • Patch Adobe ColdFusion immediately.

  • Upgrade Langflow and verify protection against both linked vulnerabilities.

  • Update affected Joomla extensions without delay.

  • Deploy all current UniFi OS and UniFi Connect security updates.

  • Remove internet exposure from UniFi management interfaces where possible.

  • Patch Roundcube webmail servers immediately.

  • Review webmail authentication logs for suspicious activity.

  • Validate immutable backup and recovery capabilities.

  • Protect employee accounts with phishing-resistant MFA.

  • Audit AI chatbot configurations and Dialogflow playbook history.

  • Review internet-facing applications under accelerated patch management timelines.

🔥 Stay Cyber Safe.

Thanks for reading CISO Talk by James Azar! This post is public so feel free to share it.

Share

Discussion about this episode

User's avatar

Ready for more?