Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines, from threat intelligence to application security.
Latest Intelligence
Recent Articles
CISA Adds Quest KACE (CVSS 10.0), Kentico Xperience, and Zimbra ZCS to Known Exploited Vulnerabilities; Federal Deadline May 4
CISA's April 2026 KEV additions include a CVSS 10.0 unauthenticated SQL injection in Quest KACE Systems Management Appliance, active exploitation of Kentico Xperience CMS, and Zimbra Collaboration Suite vulnerabilities. Federal agencies have a May 4 remediation deadline; enterprise organisations should treat confirmed KEV additions as indicators of active attacker tooling and prioritise these systems immediately.
Microsoft Entra ID Entitlement Management SSRF (CVE-2026-35431, CVSS 10.0): Cloud IAM Attack Surface Disclosed Before Silent Server-Side Fix
A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management allowed unauthenticated network-accessible exploitation of Microsoft's cloud identity governance platform. Microsoft patched it server-side with no customer action required, but the disclosure surfaces a structural question enterprise security teams need to answer: how do you monitor for exploitation of a vulnerability in infrastructure you don't control?
SAP BPC SQL Injection (CVE-2026-27681, CVSS 9.9) Gives Low-Privilege Users Full Access to Financial ERP Data
A near-perfect CVSS 9.9 SQL injection vulnerability in SAP Business Planning and Consolidation and BW/4HANA allows any authenticated user with standard access to read, modify, and delete financial consolidation data. SAP patched the flaw in its April 2026 Security Patch Day; organisations should treat unpatched SAP financial systems as having their financial data integrity at risk from any internal user with SAP credentials.
CISA Advisory: TPM 2.0 Out-of-Bounds Read in Siemens SIMATIC Industrial PCs (CVE-2025-2884)
CISA advisory ICSA-26-111-01 covers a TPM 2.0 out-of-bounds read vulnerability in Siemens SIMATIC CN 4100, Field PG M5/M6, and IPC BX series industrial computers. The flaw enables information disclosure or denial of service against the hardware root of trust, with direct implications for Secure Boot integrity and the trusted execution environment of industrial control systems.
TeamPCP Supply Chain Campaign Expands to npm and Docker Hub: Bitwarden CLI and Checkmarx KICS Both Backdoored
The TeamPCP supply chain threat group has extended its campaign beyond GitHub Actions and PyPI to poison the @bitwarden/cli npm package and overwrite Checkmarx KICS Docker images and VS Code extensions. The campaign now spans four developer distribution channels across six weeks, deploying a self-propagating worm that exfiltrates SSH keys, cloud credentials, and MCP configuration files from compromised developer environments.
Wormable Windows TCP/IP Race Condition RCE (CVE-2026-33827): IPv6-Enabled Networks Face EternalBlue-Class Propagation Risk
A race condition in the Windows TCP/IP stack allows unauthenticated remote code execution against systems with IPv6 or IPSec enabled, demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday. The vulnerability's wormable characteristics (no user interaction, no authentication, network-adjacent propagation) place it in the same risk category as EternalBlue for environments that have not applied the April update.
Opinion & Analysis
Commentary
TeamPCP Has Now Hit Every Developer Distribution Channel. The Pipeline Is the Perimeter.
In six weeks, one supply chain threat group has successfully backdoored GitHub Actions, PyPI, npm, Docker Hub, and the VS Code Marketplace. The security industry's response has been to treat each incident as a separate patching problem. It isn't. It's a systematic demonstration that the developer distribution stack has no defence-in-depth, and that the security controls the industry has built (SCA, SBOM, SAST) operate at entirely the wrong layer.
CipherWatch Editorial
Security Intelligence Platform
When Ransomware Deploys via Group Policy, You Were Already Owned
The Gentlemen ransomware group's use of Group Policy Objects to distribute encryption payloads domain-wide is not just a clever tactic; it's a forensic signal. GPO deployment requires Domain Admin access. The ransomware event you detected was not the attack. It was the end of an attack that was already over.
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language: financial exposure, regulatory obligations, and board-ready summaries.
Microsoft's Cloud Identity Platform Had a CVSS 10.0 Vulnerability, and Microsoft Patched It Silently
A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management, the governance layer controlling access requests to Azure resources and Microsoft 365, was disclosed and confirmed patched by Microsoft. No customer action is required. But the disclosure raises a governance question organisations cannot avoid: how do you detect exploitation of a vulnerability in cloud infrastructure you cannot inspect?
Wormable Windows Network Vulnerability Requires Immediate Patching: All IPv6-Enabled Networks at Risk
A race condition in the Windows TCP/IP stack allows self-propagating, unauthenticated remote code execution across networks with IPv6 enabled, which is the default configuration for all modern Windows systems. The flaw was demonstrated at Pwn2Own 2026 and patched in April's Patch Tuesday; organisations that have not applied the update face a threat capable of spreading automatically from a single compromised host across entire network segments, comparable in propagation characteristics to EternalBlue.
Kyber Ransomware Targets Enterprise Windows Servers and VMware ESXi in Coordinated Dual-Platform Attacks
A new ransomware operation named Kyber has been analysed by Rapid7 following an enterprise incident response engagement. The group deploys two simultaneous variants, one targeting Windows file servers and one targeting VMware ESXi, using the same campaign infrastructure. The ESXi variant terminates virtual machines and defaces the management interface; the Windows variant implements genuine post-quantum key encapsulation and includes experimental Hyper-V targeting.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt: Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets: Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture: Secure design principles, cryptography, physical security, and security models.
Network: Network architecture, protocols, secure communication channels, and network attacks.
IAM: Authentication, authorization, access control models, identity federation, and MFA.
Assessment: Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps: Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec: Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more, so you stay ahead of the threat curve.