Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines — from threat intelligence to application security.
8 Security Domains | Daily Updates | CVEs Tracked Live
Latest Intelligence
Recent Articles
AI Coding Agents in CI/CD Pipelines: Mapping the Attack Surface After Pwn2Own AI Category Results
The Pwn2Own Berlin 2026 AI category results — five products exploited — have a compounding implication for organisations where AI coding agents are integrated with CI/CD pipelines, code repositories, and cloud deployment infrastructure. An exploited AI agent running in a pipeline is not a developer workstation compromise; it is a supply chain entry point.
Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review
The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. Both require defences that go beyond the identity layer.
The Pwn2Own 90-Day Clock: How Defenders Should Use the Patch Window Before Public Disclosure
Pwn2Own's 90-day coordinated disclosure rule gives vendors time to patch before technical details are made public. For enterprise defenders, the same 90 days is a known timeline during which the confirmed existence of specific zero-days — but not their technical details — is public. Understanding how to use that window is an underexplored aspect of enterprise vulnerability management.
After Pwn2Own Berlin 2026: A Risk Manager's Assessment of 47 Zero-Days in Enterprise Infrastructure
Pwn2Own Berlin 2026 produced 47 unique zero-day vulnerabilities across Windows 11, VMware ESXi, Exchange Server, SharePoint, Oracle VirtualBox, Red Hat Enterprise Linux, and five AI products. For enterprise risk managers and CISOs, the results require a structured response that goes beyond individual CVE patches and addresses the systemic implications.
Red Hat Enterprise Linux LPE at Pwn2Own: What the Results Mean for Enterprise Linux Patch Strategy
Red Hat Enterprise Linux was successfully exploited twice at Pwn2Own Berlin 2026 via local privilege escalation vulnerabilities. For enterprise security teams running RHEL, and the broader family of RHEL-derived distributions including CentOS Stream, Rocky Linux, and AlmaLinux, the results inform how Linux patching SLAs should be evaluated against the demonstrated threat model.
Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem
The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.
Pwn2Own Berlin 2026 Closes: DEVCORE Wins Master of Pwn with $505K and 50.5 Points — $1.3M Total Across 47 Zero-Days
Pwn2Own Berlin 2026 concluded with DEVCORE Research Team winning the Master of Pwn title with $505,000 in earnings and 50.5 points, driven by Orange Tsai's Exchange SYSTEM RCE chain and consistent results across multiple targets. The three-day competition produced 47 unique zero-day vulnerabilities across enterprise products, cloud infrastructure, and AI tools, with $1,298,250 in total prize money awarded.
Pwn2Own Demonstrates Second Distinct SharePoint RCE Chain — Five Days After Patch Tuesday Fixed CVE-2026-40365
Researchers at Pwn2Own Berlin 2026 demonstrated a multi-bug SharePoint Server remote code execution chain that is entirely distinct from CVE-2026-40365, the SharePoint RCE patched in the 12 May Patch Tuesday. The new chain, targeting SharePoint's server-side processing pipeline, has no patch and will not receive one for up to 90 days.
Opinion & Analysis
Commentary
The 90-Day Patch Clock Is a Threat Actor Countdown Timer — We Should Use It That Way
Pwn2Own's 90-day coordinated disclosure window is designed to give vendors time to patch. But for enterprise defenders, it is also a confirmed, public notice that specific classes of zero-day vulnerability exist in named products. Most organisations wait for the patch to act. The ones that prepare during the 90-day window have a meaningful advantage.
CipherWatch Editorial
Security Intelligence Platform
Hypervisor Escapes Should Change How Enterprise Architects Design Isolation β They Rarely Do
VMware ESXi cross-tenant code execution at Pwn2Own Berlin 2026 demonstrates again that virtualisation is not a security boundary. Yet enterprise architecture continues to treat hypervisor isolation as equivalent to physical isolation. The security implication of this assumption has been known for years and consistently under-acted upon.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language — financial exposure, regulatory obligations, and board-ready summaries.
Microsoft Exchange Server Has an Unpatched SYSTEM-Level Remote Code Execution Vulnerability — Here Is What That Means for Your Organisation
Security researchers publicly demonstrated an unpatched three-bug exploit chain against Microsoft Exchange Server at Pwn2Own Berlin 2026, achieving the highest possible privilege level (SYSTEM) on a fully updated Exchange Server without any password or user account. The patch will arrive within 90 days. Organisations must prepare defensive measures immediately and plan for emergency patching when it arrives.
VMware ESXi Zero-Day: Attacker in One Virtual Machine Can Execute Code in a Neighbouring Tenant's VM
Security researchers at Pwn2Own Berlin 2026 demonstrated a vulnerability in VMware ESXi that allows an attacker with code execution inside one virtual machine to execute code inside a completely separate virtual machine on the same physical host. No patch is available. The bug has been disclosed to Broadcom under the 90-day Pwn2Own coordinated disclosure process.
Microsoft Exchange Zero-Day: Attackers Hijacking Employee Email Sessions Without Passwords via OWA Exploit
Microsoft disclosed an actively exploited zero-day in Exchange Server's Outlook Web App that allows attackers to hijack authenticated email sessions and read all email without knowing passwords. No patch is available. Microsoft has deployed an automatic mitigation but on-premises Exchange customers must verify it has applied. Nation-state targeting of government and finance sectors has been confirmed.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more — so you stay ahead of the threat curve.