CISO Talk by James Azar
CyberHub Podcast
Patch Tuesday: 83 Microsoft Fixes, Rudd Confirmed NSA Chief, US-Built iPhone Exploits Hit Russia

Massive Patch Cycle from Microsoft, Adobe, Fortinet, and SAP, CISA Shortens Patch Deadlines, Kevin Mandia Raises $190M for Autonomous Security Startup, and L3 Harris-Built Exploits Used by Russia

Good Morning Security Gang

Today’s episode was a classic reminder that even as geopolitical cyber conflict intensifies, the fundamentals of cybersecurity (patching, vulnerability management, and infrastructure protection) still dominate the daily defensive battle.

On today’s show we covered a massive global patch cycle impacting Microsoft, Adobe, Fortinet, and SAP, CISA shortening patch deadlines for federal agencies, warnings about Chinese and Russian espionage operations across Europe, the confirmation of a new NSA and Cyber Command leader, and a fascinating story about iPhone exploitation tools originally developed by a U.S. contractor allegedly being used by Russian intelligence in Ukraine.

We also explored policy changes around fraud responsibility in the United Kingdom and one of the biggest funding rounds ever for a cybersecurity startup, signaling the growing shift toward AI-driven autonomous security operations. The thread tying all these stories together is simple: the cybersecurity battlefield is expanding, but the fundamentals still win the war.

Coffee cup cheers, let’s dive in.

"Someone decided that the second Tuesday of every month should be the day where we all just get grayer in our hair. Attackers are automating exploit development faster than ever with AI, exploitation timelines have shrunk from days to hours." James Azar

Massive Patch Tuesday Across Microsoft Ecosystem

We opened the show with Microsoft’s latest Patch Tuesday, which addressed 83 vulnerabilities across its ecosystem, including several that allow remote code execution and privilege escalation. These types of vulnerabilities are among the most dangerous because they allow attackers to directly compromise systems and gain control over enterprise infrastructure.

Patch Tuesday continues to represent one of the most critical operational events for enterprise security teams. Historically, attackers move quickly after vulnerabilities are disclosed, and the window between disclosure and exploitation continues shrinking. With the growing use of AI in exploit development, attackers are now capable of automating exploit creation within hours of vulnerability announcements.

Key CVEs requiring immediate attention:

  • CVE-2026-26127: Denial of service issue in .NET

  • CVE-2026-21262: Elevation of privilege defect in SQL Server

  • CVE-2026-21536: Remote code execution in Device Pricing Program (already mitigated by Microsoft)

  • CVE-2026-26118: Azure MCP Server Tools exploitation via specially crafted input

Organizations should prioritize immediate patching of high-severity vulnerabilities such as those affecting .NET, SQL Server, and Azure MCP server tools, implementing automated patch workflows to reduce exposure time. In today’s environment, unpatched systems become targets almost immediately after disclosure.

Fortinet Releases Major Security Updates

Fortinet also released multiple security updates addressing vulnerabilities affecting several of its core products, including FortiManager, FortiAnalyzer, FortiSwitch, and FortiSandbox. These devices often sit at the perimeter of enterprise networks, meaning vulnerabilities within them can expose entire environments to compromise.

Several of the disclosed flaws involve command injection and privilege escalation vulnerabilities, which attackers could use to gain administrative control over security appliances.

Impacted Fortinet product series: FortiManager, FortiAnalyzer, FortiSwitch AX, FortiSwitch AX Fixed, and FortiSandbox. The high-severity CVEs include:

  • CVE-2026-2627, CVE-2025-4820, CVE-2026-2629, CVE-2025-7268, CVE-2025-4825, CVE-2025-5836 (command injection and privilege escalation)

  • CVE-2026-4841, CVE-2026-8226, CVE-2026-28 and many more

Because these devices serve as defensive infrastructure, compromising them gives attackers both visibility and control over network traffic, making patching especially urgent for organizations relying on Fortinet security products.

Adobe Fixes 80 Vulnerabilities

Adobe released patches addressing 80 vulnerabilities across eight different products, including Acrobat, Reader, and Adobe Commerce. Many of the vulnerabilities involve memory corruption flaws that could allow attackers to execute arbitrary code through malicious documents.

Adobe products remain common entry points for cyberattacks because they interact directly with external content such as PDFs and documents. Attackers frequently exploit vulnerable document viewers by sending malicious files that execute code when opened by unsuspecting users.

The company fixed 19 flaws in Adobe Commerce and Magento Open Source. Apply these patches within the next 30 days. Key privilege escalation CVEs: CVE-2026-21290, CVE-2026-21361, CVE-2026-21284, CVE-2026-21311, CVE-2026-21309. Security feature bypass: CVE-2026-21289.

To reduce risk, organizations should enforce application sandboxing for document viewers and ensure Adobe patch updates are deployed quickly across enterprise endpoints.

CISA Shortens Patch Deadlines

CISA announced it is shortening patch deadlines for federal agencies addressing vulnerabilities affecting software such as Ivanti and SolarWinds. This policy change reflects growing urgency around vulnerability remediation as threat actors accelerate exploitation timelines.

  • SolarWinds Web Help Desk: CVE-2025-26399

  • Ivanti: CVE-2026-1603

Delayed patching has repeatedly allowed attackers to establish persistent access inside networks, particularly within widely deployed enterprise infrastructure platforms.

By tightening patch deadlines, federal agencies aim to reduce the time window attackers have to exploit newly disclosed vulnerabilities before they are mitigated.

“Patch management is still the most important cybersecurity control most organizations fail to execute well.” James Azar

SAP NetWeaver Vulnerabilities Highlight ERP Risks

SAP released patches addressing vulnerabilities affecting NetWeaver, one of the most widely used enterprise ERP platforms globally. These systems contain sensitive financial and operational data, making them highly valuable targets for attackers.

Compromising an ERP system can provide attackers with deep visibility into a company’s internal processes, financial records, and business operations. In past attacks, adversaries have exploited ERP vulnerabilities for espionage and financial fraud.

Continuous monitoring of privileged activity and strict logging within ERP environments remain essential defensive measures.

HP Enterprise Warns of Networking OS Vulnerability

HP Enterprise warned customers about a critical vulnerability affecting its AOS-CX network operating system. The flaw could allow attackers to reset administrative passwords and gain control of networking infrastructure devices.

Network operating systems often receive less attention from security teams compared to endpoints or servers. However, gaining administrative access to network devices can give attackers deep visibility into traffic flows and potentially allow them to manipulate network communications.

Enforcing multi-factor authentication for administrative access to network devices is a critical step in reducing this risk.

iPhone Exploits Used by Russian Intelligence

One of the most fascinating geopolitical stories today involves reports that iPhone hacking tools used by Russian intelligence operations in Ukraine may have originally been developed by U.S. defense contractor L3Harris.

This highlights the complicated ecosystem surrounding offensive cyber capabilities. Tools developed for intelligence and law enforcement purposes sometimes leak or are repurposed by adversaries.

We have seen similar dynamics before with the Shadow Brokers leak, where offensive cyber tools developed by government agencies eventually ended up being used by criminals and foreign adversaries. This raises ongoing questions about how governments manage the lifecycle and control of cyber weapons.

China and Russia Increase Espionage Across Europe

Finland’s intelligence services issued warnings about increased espionage activity by China and Russia across Europe. These campaigns involve cyber espionage, influence operations, and reconnaissance targeting critical infrastructure and research institutions.

European security agencies are increasingly concerned about hybrid warfare strategies that combine cyber operations with political and economic intelligence gathering.

Organizations involved in research, defense technology, and critical infrastructure should strengthen insider threat monitoring and actively hunt for espionage indicators within their networks.

Joshua Rudd Confirmed as NSA and Cyber Command Leader

The U.S. Senate confirmed Lieutenant General Joshua Rudd to lead both the NSA and U.S. Cyber Command with a bipartisan vote of 71-29.

"Ron Wyden was shut out—71-29 bipartisan support for Lieutenant General Rudd. He's the only one grandstanding from Oregon. How about we smack him around a little bit more and get Sean Plankey confirmed ASAP while the Senate feels like they can actually get their job done for a change?" James Azar

This leadership transition comes during a period of heightened global cyber competition and geopolitical tensions. The direction of both defensive and offensive cyber strategies within these agencies will significantly influence the future of U.S. cyber operations.

UK Pushes Fraud Responsibility onto Tech Platforms

The United Kingdom is considering a policy shift that would place more responsibility for preventing fraud on telecommunications providers and technology platforms. The idea is to push fraud prevention closer to the platforms where scams originate, such as messaging platforms and social media networks.

However, this raises difficult questions around privacy, platform monitoring, and the balance between enforcement and user protections. Governments increasingly expect platforms to police cybercrime while simultaneously limiting the amount of data those platforms can analyze.

Kevin Mandia Raises $190M for Autonomous Security Startup

Finally, cybersecurity industry veteran Kevin Mandia has raised $190 million for a new autonomous security startup called Armadin, focused on AI-driven agent-based cybersecurity defense.

The funding round, one of the largest early-stage investments in cybersecurity history, reflects the industry’s growing shift toward AI-powered security operations capable of detecting and responding to threats automatically. As cyber threats continue to scale, security teams increasingly rely on automation and AI-driven tools to keep up with the volume and speed of attacks.

Key Action Items for Security Teams

  • Deploy Microsoft Patch Tuesday updates immediately for critical vulnerabilities

  • Patch Fortinet security appliances and perimeter devices

  • Update Adobe Acrobat, Reader, and other affected products

  • Prioritize patching for Ivanti and SolarWinds vulnerabilities

  • Monitor privileged activity within SAP ERP environments

  • Enforce MFA for administrative access to network infrastructure devices

  • Implement automated vulnerability remediation workflows

  • Monitor geopolitical threat intelligence tied to Russia and China

  • Evaluate emerging AI-driven security tools to support SOC operations


James Azar’s CISOs Take

What today’s stories reinforce is something many of us in cybersecurity already know but sometimes forget: the fundamentals still matter more than anything else. While we talk about AI, cyber warfare, and sophisticated espionage campaigns, the majority of successful attacks still start with unpatched systems, weak infrastructure security, or poorly managed vulnerabilities.

At the same time, the strategic landscape is shifting. Cyber operations are increasingly tied to geopolitical competition, intelligence activities, and national security priorities. As CISOs, we now have to operate at the intersection of technical defense and geopolitical awareness, ensuring our organizations are prepared for both cybercrime and state-sponsored threats.

If we execute the basics well while keeping an eye on the broader strategic environment, we put ourselves in the best position to stay resilient — no matter how complex the threat landscape becomes.

Stay cyber safe.
