CISO Talk by James Azar
CyberHub Podcast
Patch Tuesday: 167 Microsoft Fixes, SharePoint 0-Day, Kraken Extorted, Mythos AI Threat Warning

Second Largest Microsoft Patch Tuesday Ever, McGraw-Hill Salesforce Breach Exposes 45M Records, RCI Hospitality IDOR Bug, Adobe Patches 55 Vulnerabilities, Fortinet Broad Patch Set, SAP Critical SQL

Good Morning Security Gang,

It’s Patch Tuesday, and today’s episode is exactly what you’d expect when everything hits at once: breaches, insider threats, SaaS exposure, and one of the largest patch cycles we’ve seen in a while.

If there’s one thing that stood out today, it’s this: attackers are no longer trying to break your defenses, they’re exploiting the systems you already trust to operate your business.

Double espresso in hand—let’s break it all down.

"Jason Clinton and Kevin Mandia both said something very smart: the next two to three years for practitioners are going to be a punching bag day after day, month after month, as more AI tools like Mythos increase the scale of finding vulnerabilities. And then AI helps build exploits for those vulnerabilities at scale we've never seen before. That scale is going to be the challenge." James Azar

McGraw-Hill Salesforce Breach: Shiny Hunters Claims 45 Million Records

We start with McGraw-Hill because it fits a pattern we’ve been talking about for weeks: attackers are not always breaching the company you think they are. Reports say the attackers exploited a Salesforce misconfiguration and accessed data from a web page hosted on the Salesforce platform.

The company emphasized that its Salesforce accounts, customer databases, courseware, and internal systems were not accessed, and said the exposed information did not include social security numbers, financial account information, or student platform data. But Shiny Hunters is claiming they hold 45 million Salesforce records, and they’re threatening to leak the data if they don’t get paid.

This correlates directly with how the Shiny Hunters Salesforce campaign has played across other victims. That blast radius often starts in a shared SaaS layer, not the victim’s core environment.

The risk is trusted SaaS pages and integrations exposing sensitive business data without a full enterprise compromise. Inventory every externally reachable SaaS-hosted page and validate access control on each one—not just the main platform tenant.

RCI Hospitality IDOR Vulnerability Exposes Contractor Data

Anyone here go to nightclubs? I haven’t in ages. I don’t even go to the nightclub parties during hacker summer camp in Vegas. I don’t like the club scene. Call me old, but I never really liked it to begin with.

RCI Hospitality is the second example of how small web app flaws can create very real business exposure. Reports say the company disclosed in an SEC filing that an IDOR vulnerability in their RCI Internet Services exposed contractor data.

This matters because IDORs are not glamorous, but they are brutally effective when no one is watching object-level authorization closely. This correlates with recent customer and employee data incidents in retail and hospitality. Attackers do not always need malware or ransomware if the application will simply hand them the data.

The risk, and the blind spot, is direct object reference flaws handing business records to unauthorized parties without tripping traditional alarms. Add authorization testing for object-level access into your application security release gate, especially for portals that handle workforce and contractor records.
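To make the object-level authorization point concrete, here is an added example (not code from the episode, RCI, or any vendor): a contractor-records lookup with the IDOR beside its hardened form, plus a small check of the kind that can sit in a release gate. The record store, user IDs and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContractorRecord:
    record_id: int
    owner_user_id: int   # the contractor this record belongs to
    tax_id_last4: str


# Constructed sample data standing in for a contractor portal's database.
RECORDS = {
    101: ContractorRecord(101, owner_user_id=7, tax_id_last4="1234"),
    102: ContractorRecord(102, owner_user_id=9, tax_id_last4="9876"),
}
ADMINS = {1}   # hypothetical admin user IDs


class Forbidden(Exception):
    """Caller is authenticated but not authorized for this object."""


def get_record_vulnerable(caller_user_id: int, record_id: int) -> ContractorRecord:
    # IDOR: login happened upstream, but the lookup trusts the caller-supplied
    # record_id and never checks the caller's relationship to that record.
    return RECORDS[record_id]


def get_record_hardened(caller_user_id: int, record_id: int) -> ContractorRecord:
    # Object-level authorization: resolve the object, then check that the
    # caller owns it (or is an admin) before returning it.
    record = RECORDS[record_id]
    if caller_user_id != record.owner_user_id and caller_user_id not in ADMINS:
        raise Forbidden(f"user {caller_user_id} may not read record {record_id}")
    return record


def object_level_auth_gate(handler) -> list:
    """Release-gate check: every record must be unreadable by any user who is
    neither its owner nor an admin. Returns the (caller, record_id) pairs that
    leaked; an empty list means the handler passes."""
    leaks = []
    users = {r.owner_user_id for r in RECORDS.values()} | ADMINS
    for record_id, record in RECORDS.items():
        for caller in sorted(users):
            if caller == record.owner_user_id or caller in ADMINS:
                continue
            try:
                handler(caller, record_id)
                leaks.append((caller, record_id))   # data came back: IDOR
            except Forbidden:
                pass
    return leaks
```

Running `object_level_auth_gate` over each handler shows the vulnerable version leaking every record to a non-owner, while the hardened version returns no leaks.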

Kraken Insider Threat: Cybercrime Group Extortion Attempt

My friends over at Kraken are in the news, and this one is a useful reminder that not every crypto incident starts with a smart contract bug or wallet exploit. This one is insider.

Kraken disclosed that a cybercrime group tried to extort the exchange by threatening to release videos showing internal systems hosting client data. Kraken’s CSO said the incident involved two instances of improper access to limited customer data by support employees. Importantly, Kraken said client funds were not at risk and described the case as an insider threat issue.

This lines up with the theme we keep coming back to: when sensitive environments are heavily instrumented and externally hardened, attackers often pivot to support, process, and people. People will sell you out, especially in a globalized workforce where wage disparities become targets for social engineering through LinkedIn and other platforms.

The risk is insider-enabled exposure of customer information becoming extortion leverage even when core financial systems stay intact. Apply just-in-time access and strong session recording on support functions that can touch customer data.

Microsoft Patch Tuesday: SharePoint Zero-Day + 167 Fixes, Second Largest Ever

Patch Tuesday is the other major lead today. Microsoft fixed an exploited SharePoint zero-day plus 167 other vulnerabilities. Security Week is calling it the second largest Microsoft Patch Tuesday ever based on CVE count alone. That should tell you the tempo is not slowing down.

Jason Clinton (CISO for Anthropic) and Kevin Mandia (the legend, founder of Mandiant, now with a new startup) both said something very smart I’ve heard them say over the last six months: the next two to three years for practitioners are going to be a punching bag day after day, month after month, as more AI tools like Mythos just increase the scale of finding vulnerabilities. And then AI helps build exploits for those vulnerabilities at scale we’ve never seen before.

We’ve been saying for months that identity, collaboration, and management platforms are drawing the most heat. SharePoint living on that list is no surprise at all.

The SharePoint zero-day (CVE-2026-29231) was publicly disclosed before patches were released. The risk is exposed collaboration and content systems becoming initial access or privilege escalation footholds before organizations can catch up.

Maintain a separate fast lane for patching internet-facing collaboration platforms so they don’t wait on the same cycle as ordinary workstation updates.

Adobe Patches 55 Vulnerabilities—ColdFusion Critical

Adobe is patching 55 vulnerabilities across their stack. No zero-day headline, but the patch covers 11 products with a critical ColdFusion vulnerability being most likely to get hit in real-world attacks.

That tracks with ColdFusion’s history: it keeps showing up because it sits in exactly the kind of internet-facing application layer that attackers absolutely love.

Legacy application platforms serving as remote code execution paths in otherwise modern environments is the risk. If you still run ColdFusion, put it behind additional network controls and treat it as a high-risk exception, not just another application server.

Fortinet Broad Patch Set: CVE-2026-27813 Across Multiple Products

The Fortinet security vendor patch set is broad, but there’s clear prioritization. Defenders should patch CVE-2026-27813 across FortiAnalyzer, FortiManager, FortiOS, FortiProxy, FortiPAM, and FortiSwitch Manager.

That matches the Fortinet drumbeat we’ve been covering across multiple weeks. The perimeter and management plane are still where the blood is in the water.

Compromise of security appliances and management products giving attackers visibility and leverage at the control layer is a significant risk. Treat every security appliance as production infrastructure: patch by attack surface, not by product popularity.

SAP Releases 19 Security Notes: Critical SQL Injection CVE-2026-27681

SAP deserves airtime because the company released 19 new security notes covering more than a dozen products, including a critical ABAP vulnerability.

We’ve talked many times about how ERP and core business platforms are too often patched like back-office software when they should be treated like crown jewel infrastructure. If an attacker lands in SAP, they are not just stealing data—they are learning how your business runs.

Exploitation of enterprise business logic platforms leading to financial, operational, and identity impact all at once is the risk. Prioritize SAP remediation based on process criticality and direct business exposure, not just CVSS.

The biggest one is CVE-2026-27681, a CVSS score of 9.9. It’s an SQL injection bug in Business Planning and Consolidation and Business Warehouse that could lead to arbitrary code execution. That’s the one you want to pay the most attention to.

Synology SSL VPN Client Flaws—Remote Access Risk

If Synology is your thing, Synology’s SSL VPN client flaws are another reminder that remote access remains one of the easiest ways to turn a user problem into a network problem.

Vendor guidance pushes customers to upgrade to version 1.4.5-0684 or newer and specifically calls out the need to monitor for unauthorized configuration changes and odd traffic behavior.

The correlation is easy to draw: from VPN credential theft to device code phishing to fake support flows, attackers keep going where trust and remote access meet.

Monitor VPN configuration changes with the same urgency you monitor failed logins and brute force attempts.

PHP Composer Flaws Enable Arbitrary Command Execution

PHP Composer is another developer ecosystem story that matters more than it may sound. The Hacker News reports that new Composer flaws can enable arbitrary command execution and patches are available.

We’ve already seen Team PCP move from open source compromise into cloud and build environments. Tooling vulnerabilities inside the dependency chain are exactly how that kind of compromise keeps scaling.

Compromise of software build or dependency management workflows leading to code or credential theft is the risk. Pin Composer and other build chain tooling to approved internal baselines rather than letting developer environments drift.

"Attackers keep winning by abusing things we already trust, SaaS pages, support workflows, app authorization, collaboration platforms, and even our own security appliances, ERP systems, and VPN clients. The defensive move is not magic. It is knowing which trusted systems have the highest blast radius and hardening those first. That is how you reduce risk." James Azar

Cloud Security Alliance Releases Mythos AI Threat White Paper

Before we get into the FCC story, let’s talk about what Gadi Evron and the team at Cloud Security Alliance put together in a matter of days. I’m part of the group, but unfortunately, with a newborn in the house and being very busy with work stuff and catching up, I wasn’t able to participate. But Gadi brought in all the heavy hitters around cyber to talk about Anthropic’s Mythos, the AI model that the industry’s panicking about because of its ability to supercharge cyber attacks.

Cloud Security Alliance and Gadi started the conversation with John Yeoh and some really great people. They put together a phenomenal white paper. If you haven’t seen it, you should go download it right now; I’ll put the link at cyberhubpodcast.com.

This is significant. It’s how we should be looking at Mythos, how teams should be looking at it from a staffing perspective, from a patching perspective, and so much more. It was reviewed by over 100 CISOs. I would have desperately wanted to be part of anything Gadi puts his hands on because it’s gold. But personal life took precedence, and I don’t regret it. Gadi doesn’t need me to be brilliant. A hundred CISOs don’t need James Azar to be brilliant because they’re all brilliant in their own way, fantastic contributors helping us understand how fast AI is evolving and how fast it evolves our ability to prepare.

FCC Cybertrust Mark Gets New Administrator: IoXT Alliance

The FCC Cybertrust mark is worth watching because it signals government still wants a consumer-facing baseline for connected device security. According to reports, the FCC’s selection of a new lead administrator for the Cybertrust mark puts the program on a path to success, tied directly to both consumer protection and national security.

Before, it was with UL under the Biden administration. UL pulled out after they went under investigation by the Trump administration for some of their practices. Everyone thought it was going to die, but the FCC picked the non-profit IoXT Alliance to be the new lead.

This matters because we keep covering router, IoT, and unmanaged device exploitation. Just the other day we talked about how the FBI was asking people to restart their SOHO routers. Anything that raises the floor on connected device security helps. Glad to see this program back up and running.

Action Items for Security Leaders

  • Inventory and secure all externally accessible SaaS components and integrations

  • Implement object-level authorization testing in application development pipelines

  • Enforce just-in-time access and session monitoring for support teams

  • Prioritize patching for internet-facing collaboration platforms like SharePoint

  • Treat ERP and business systems like SAP as crown jewel infrastructure

  • Harden security appliances and management platforms as critical assets

  • Monitor VPN configurations and remote access systems for anomalies

  • Lock down developer pipelines with strict dependency and execution controls

  • Prepare for AI-driven threat acceleration with faster patch and response cycles

  • Support baseline security improvements for IoT and unmanaged devices


James Azar’s CISOs Take

What stood out to me today is how interconnected risk has become. Every story, from McGraw-Hill to Kraken to SharePoint, points to the same reality: our environments are no longer isolated systems. They’re ecosystems. And attackers are exploiting the connections between them, not just the components themselves.

The second takeaway is the pace of change. Between AI accelerating vulnerability discovery and the sheer volume of patches we’re seeing, defenders are under more pressure than ever. This isn’t about working harder; it’s about working smarter: prioritizing based on blast radius, focusing on trusted systems, and building resilience into how we operate. Because at this scale, perfection isn’t possible, but preparedness is.

Stay Cyber Safe.
