From SecurityWeek · 8 stories
US Lifts Export Controls on Anthropic's AI Models Fable 5 and Mythos 5
The US government has lifted export restrictions on Anthropic's AI models, Claude Fable 5 and Mythos 5, after negotiations put certain safety protocols in place. The initial bans stemmed from security concerns about potential misuse of the models. The change restores global access to Fable 5 and access to Mythos 5 for select US organizations. The case illustrates the evolving regulatory landscape for AI models.
FortiBleed Campaign Compromises Fortinet Devices, Linked to Ransomware Groups
The FortiBleed campaign has been connected to the INC and Lynx ransomware groups and compromised credentials from Fortinet devices. Researchers found that the operation scanned 11,250 FortiGate portals and compromised 354 targets, leading to 12 ransomware deployments. The campaign affected organizations globally and highlights significant cybersecurity risks.
CISA Adds Actively Exploited Microsoft SharePoint RCE Vulnerability to KEV Catalog
CISA added CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint, to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw, affecting SharePoint Server Subscription Edition, Server 2019, and Enterprise Server 2016, allows authenticated attackers to execute code without elevated privileges. Federal agencies are required to patch the issue by July 4, 2026.
Citrix Patches Six Critical NetScaler Vulnerabilities, Including HTTP/2 Bomb
Citrix released patches for six vulnerabilities in NetScaler ADC and Gateway, including a critical flaw dubbed the 'HTTP/2 Bomb'. These flaws, affecting versions 14.1 and 13.1, pose severe risks, including denial of service and data breaches. Organizations running these versions should update urgently to protect against active threats.
Cisco Acknowledges Exploitation of Unified CM Vulnerability CVE-2026-20230
Cisco has confirmed active exploitation of a critical vulnerability (CVE-2026-20230) in its Unified Communications Manager (Unified CM). The flaw, present on systems with the WebDialer service enabled, allows attackers to perform server-side request forgery (SSRF) and potentially gain root access. Cisco urges users to upgrade to patched versions immediately.
LayerX Reveals AI Browser Vulnerability Exploited by 'BioShocking' Attack
Security firm LayerX has disclosed an attack on AI-driven browsers, dubbed 'BioShocking', in which browsers can be tricked into leaking user credentials. The attack uses game-like puzzle contexts to manipulate AI agents into bypassing their security protocols, potentially exposing sensitive data. The discovery raises concerns about the security of AI-assisted browsing applications.
Adobe Releases Patches for Critical ColdFusion and Campaign Classic Vulnerabilities
Adobe issued critical security updates for ColdFusion and Campaign Classic, addressing several maximum-severity vulnerabilities with CVSS scores of 10.0. These flaws could allow arbitrary code execution, impacting system security and necessitating prompt user action to apply updates.
Microsoft Introduces Controls to Block Unauthorized AI Bots in Teams Meetings
Microsoft has launched a new Teams admin policy to control external bots joining meetings. By requiring organizer confirmation for bots, the company aims to enhance security and privacy during sensitive discussions.