Picus Security

Computer and Network Security

San Francisco, California 53,808 followers

The Picus Security Validation Platform

About us

Picus Security is the pioneer of Breach and Attack Simulation (BAS) and Adversarial Exposure Validation (AEV). We enable organizations to validate effectiveness, prioritize real risk, and act faster with evidence, giving defenders clarity on what attackers can actually exploit and helping them strengthen resilience and improve performance. Our unified exposure platform combines exposure assessment, security control validation, and exposure validation to provide a complete view of security effectiveness. Picus safely simulates real attack techniques and adversarial TTPs across network, endpoint, and cloud environments, enabling organizations to measure control performance and prioritize what truly matters. Through our Exposure Score, teams can instantly identify the <2% of vulnerabilities that remain exploitable while deprioritizing the rest. This evidence-based approach helps organizations cut patch backlogs by 86%, reduce mean time to remediate (MTTR) from 74 to 14 days, and strengthen resilience through continuous validation. Recognized by Gartner Peer Insights™ with a 98% willingness to recommend (the highest in the Adversarial Exposure Validation category), Picus Security is trusted by enterprises worldwide to validate effectiveness, optimize investments, and prove cyber readiness with confidence. Visit picussecurity.com to explore how Picus Security redefines exposure management through validation.

Website
http://www.picussecurity.com
Industry
Computer and Network Security
Company size
201-500 employees
Headquarters
San Francisco, California
Type
Privately Held
Founded
2013
Specialties
Network Security Device Testing, Automated security testing, Automated Control Assessment, Control Effectiveness testing, Breach and Attack Simulation, Threat Exposure Management, Automated Pen Testing, Mitre Att&ck, Security Validation, Exposure Validation, and Adversarial Exposure Validation


Updates

  • FortiClient EMS is under active exploitation. CVE-2026-21643 (CVSS 9.8) is a pre-auth SQL injection in FortiClient Enterprise Management Server, the console that manages your entire endpoint agent fleet. A single crafted HTTP request to /api/v1/init_consts gives an unauthenticated attacker database-level access, and from there they escalate to remote code execution, extract sensitive data, and modify system configurations. The vulnerability affects only version 7.4.4. Patch to 7.4.5 or above. Huseyin Can Yuceel from Picus Labs breaks down the root cause, including how the Site HTTP header lands in a PostgreSQL search_path without validation. Read more: https://hubs.li/Q04cFRW40 #CVE #SQLInjection #ThreatIntel

  • The Frost Radar™ for Automated Security Validation tracks how the market responds when attacker behavior changes faster than defender processes. The pattern is clear: organizations that still rely on periodic, manual testing are falling behind a market that's moving to real-time, autonomous validation. At the Autonomous Validation Summit, Frost & Sullivan's Ying Ting Neoh will map exactly where this shift is heading and which organizations are already adapting. May 12 (1:00 PM EST) | May 14 (10:00 AM BST). Link in comments. #AutonomousValidationSummit #FrostRadar #SecurityValidation

  • Your last validation exercise was a week ago. Your posture assumptions are a week old. An autonomous attacker does not wait for your next engagement window. That timing gap is not a minor inefficiency. It is the actual exposure most teams carry without realizing it. The findings are stale before the remediation even starts. What changes this is not faster testing. It is eliminating the manual steps between CTI ingestion, simulation, and remediation entirely. When those three run as one continuous automated loop, the validation cycle collapses from weeks to minutes. Picus Security walks through exactly how that architecture works at The Hacker News. Link in comments. #CyberSecurity #ExposureValidation #SecurityValidation

  • Atlassian's CISO, Kraft Heinz's head of offensive security, and Glow Financial Services' global CISO are all presenting at the same event on May 12 and 14. The thread connecting them: how they validate defenses continuously instead of relying on periodic assessments. The Autonomous Validation Summit 2026 is a free virtual event built for security leaders and practitioners who want to move beyond CVE noise and focus on the exposures that actually create risk. Sessions cover AI-driven adversaries, signal-driven exposure prioritization, and how to operationalize autonomous validation at scale. If you run a security program, this lineup is worth two hours of your week. Learn more in the latest press release: https://lnkd.in/esHTtazP #SecurityValidation #CISO #CyberSecurity #AutonomousValidation

  • CitrixBleed 3 is live and being actively exploited. CVE-2026-3055 (CVSS 9.3) is a pre-auth memory overread in NetScaler ADC and Gateway appliances configured as SAML Identity Providers. A single malformed request to /saml/login or /wsfed/passive?wctx returns kilobytes of heap memory to the attacker, base64-encoded in the NSC_TASS cookie. The leaked bytes typically include session tokens, SAML assertions, and LDAP credentials from other users' authentication flows. Sıla Ozeren from Picus Labs published the full technical breakdown, including detection signatures and why patching alone is not enough. Read it: https://hubs.li/Q04cFjht0 #CitrixBleed #NetScaler #CVE #ThreatIntel

  • AI models can now discover and weaponize vulnerabilities faster than any team can patch them. A 27-year-old bug in OpenBSD. A 17-year-old RCE in FreeBSD. Both in hardened, security-focused codebases. Both found and exploited autonomously. Over 99% of Mythos-discovered vulnerabilities remain unpatched. The Glasswing public report lands in July. Every patch published after that becomes a blueprint for AI-powered reverse engineering. Organizations that depend on patching as their primary defense are structurally unable to keep up. The process itself must be redesigned, not just accelerated. We published a practical guide: 12 vendor-neutral recommendations organized into four themes: Validate, Detect & Respond, Harden, and Organize & Prepare. Start with the Week One checklist on page 6: https://hubs.li/Q04cFszM0 #cybersecurity #ProjectGlasswing #exposuremanagement #securityvalidation

  • Axios sees roughly 83 million weekly downloads. During a 19-hour window on March 31, every default npm install pulled in two poisoned versions that shipped a remote access trojan across Windows, macOS, and Linux. CISA issued its formal alert yesterday. The mechanics matter. The attacker stole the maintainer's classic npm token, changed the registered email to lock the legitimate owner out of recovery, and pushed axios@1.14.1 and axios@0.30.4 straight to the registry. A single added line in package.json pulled in plain-crypto-js@4.2.1 as a transitive dependency. Its postinstall hook executed node setup.js, which performed OS detection and dropped platform-specific RATs from the same C2 server. The dropper then deleted itself and swapped package.json with a clean copy, erasing any trace in node_modules. Picus Labs published the full attack chain three weeks ago and added threat simulations to the library the same day. Teams that have already validated their controls against this campaign know where their coverage stands today. Read the breakdown: https://hubs.li/Q04cVz3s0 #SupplyChainSecurity #npm #ThreatIntel

  • Anthropic's Mythos Preview chained four zero-day vulnerabilities into a single exploit that escaped both renderer and OS sandboxes. Some of these bugs survived 27 years of human audits. Over 99% of what Mythos found remains unpatched. It's not a research paper. It's an engineering reality that changes the math for every security team. The Autonomous Validation Summit brings together the people building the defensive answer. May 12 (1:00 PM EST) | May 14 (10:00 AM BST). Atlassian's CISO on what AI adversaries look like inside enterprise environments. Frost & Sullivan on the market shift to real-time validation. A live demo of agentic, signal-driven validation in a real environment. Practitioners from Kraft Heinz and Glow Financial Services on how they prepare for Mythos-class adversaries. All registrants receive the Surviving the Post-Mythos Era research brief. Link in comments👇 #AutonomousValidationSummit #SecurityValidation #CyberSecurity

  • The new Iranian-affiliated campaign against U.S. critical infrastructure is not built on malware or exploits. It is built on the same engineering software OT teams open every morning. CISA, the FBI, and NSA issued a joint alert confirming operational disruptions across energy and water sectors, with attackers using Rockwell Studio 5000 Logix Designer and other legitimate tools to reach PLCs directly. Dr. Suleyman Ozarslan, Co-founder of Picus Security and VP of Picus Labs, laid out what makes this different in eSecurity Planet: "The most notable aspect of this campaign is the attackers' skill. They use the same engineering software and trusted connections that OT teams use daily, making it difficult to spot malicious activity." The deeper issue is architectural. When segmentation, access controls, and hardening are weak, legitimate tools become the quietest cover an attacker can ask for. Read the full piece: https://hubs.li/Q04cF8Jk0 #OTSecurity #CriticalInfrastructure #ICS #CISA

  • The only reliable way to know what your security controls stop is to test them against the techniques attackers actually use. That is the core of what Netsmart Security and Picus Security will cover in this free webinar on April 21. Evrim Özsoy and Korcan Erdoğan from Netsmart Security will walk through how adversarial exposure validation gives defenders a clear, evidence-based picture of where their controls hold and where to focus next. No theory. No generic advice. Practical methods your team can apply. Register: https://hubs.li/Q04cFN5w0 #AdversarialExposure #SecurityValidation


Funding

Total rounds
6
Last round
Series C, US$ 45.0M