Edition 2026-05-20 · read as Security
NGINX, Traefik, MOVEit: Three Pre-Auth RCEs Hit at Once
Sources: 36 · Words: 1,612 · Read: 8 min
Topics: Agentic AI · AI Regulation · LLM Inference
◆ The signal
Three pre-auth criticals on edge infrastructure, same window. An 18-year-old NGINX rewrite-module RCE that touches nearly every reverse proxy in production. Traefik at CVSS 10.0, auth bypass, downstream stack directly reachable. MOVEit at 9.8, auth bypass, the same pattern Cl0p rode for months in 2023 before most victims noticed. PraisonAI was weaponized four hours after disclosure. Disclosure-to-mass-exploitation is now one shift.
◆ INTELLIGENCE MAP
01 Perimeter Triple Threat: NGINX, Traefik, MOVEit
Act now: Three pre-auth critical vulns hit edge infrastructure simultaneously. NGINX rewrite-module RCE is 18 years old and ubiquitous. Traefik CVSS 10.0 exposes everything downstream. MOVEit 9.8 auth bypass replicates the Cl0p mass-exploitation pattern. PraisonAI CVE-2026-44338 was weaponized in 4 hours.
[Stat cards: NGINX age · Traefik CVSS · MOVEit CVSS · PraisonAI exploit time]
02 AISI Validates AI Full Network Takeover
Monitor: UK AISI confirmed Anthropic's Mythos completes end-to-end network takeover autonomously — a step function from prior 'advanced persistence' ceiling. MDASH's 100+ agent system beat Mythos on CyberGym. Cyber task complexity doubles every few months. The 30-day patch SLA is now structurally indefensible.
[Stat cards: MDASH agents · Mythos success rate · PANW/CRWD YTD · Palo scan products. Chart: Mythos (new ver.) 60 vs Mythos (baseline) 30]
03 Agentic AI: First Production Destructive Incident
Act now: An OpenClaw agent wiped a user's entire mailbox — the first documented confused-deputy destructive action. 59% of AI traffic is now agentic. Claude Code /goal ships fully autonomous sessions with no human in the loop. MCP servers proliferate without SOC visibility across ServiceNow, SAP, Figma, and Notion.
[Stat cards: Agentic token share · Bot detection bypass · Agents per CRM tenant · Persona drift threshold]
04 Unpatched Zero-Days: No Vendor Fix Available
Monitor: Two Windows zero-days (BitLocker bypass + CTFMON LPE) from an anonymous researcher — no CVE, no patch, no timeline. Android ADB auth bypass CVE-2026-0073 affects every device since 2020 but the fix depends on OEMs, not Google. Fragnesia is the third Dirty Frag variant confirming a systemic kernel weakness.
[Stat cards: Android devices at risk · Windows zero-days · Dirty Frag variants · Distros affected. Timeline: Linux kernel bug introduced 2017 · Android ADB flaw shipped 2020 · Dirty Frag disclosed May 2026 · Fragnesia (3rd variant) this week · OEM patches expected 30-180 days]
05 AI Vendor Risk Realignment: New Landlords, New Surfaces
Background: Anthropic overtook OpenAI in enterprise spend (34.4% vs 32.3%) while routing inference through xAI's Colossus 1 — a hostile competitor's 220K-GPU cluster. Google Gemini is leaking real phone numbers from training data. Claude for Small Business embeds LLM connectors into QuickBooks, PayPal, and M365 as an undisclosed subprocessor.
[Stat cards: Anthropic share · OpenAI share · Colossus GPUs · Anthropic ARR]
◆ DEEP DIVES
01 Three Pre-Auth Edge Vulns in 24 Hours: NGINX, Traefik, and MOVEit
Three Edge Bypasses, One Week
NGINX, Traefik, and MOVEit all shipped pre-authentication vulnerabilities this cycle, on internet-facing infrastructure, within days of each other. A fourth bug, in PraisonAI, was exploited in production four hours after disclosure. Count them as four edge-layer pre-auth bugs in a single advisory window and plan accordingly.
NGINX Rewrite Module RCE — 18 Years of Carried Exposure
The bug is an unauthenticated RCE in NGINX's rewrite module, present for 18 years, affecting NGINX Plus and Open Source. Credit goes to depthfirst. The rewrite module ships on by default, so the affected surface is most edges, reverse proxies, sidecars, and ingress controllers in the fleet. Public PoC plus mass scanning is the usual sequence; expect the second within 24–48 hours of the first.
Because the module is on by default, your CMDB will not have every instance. Run active discovery across all public IP ranges and internal subnets.
Traefik CVSS 10.0 Auth Bypass
Two CVEs, CVE-2026-35051 and CVE-2026-39858, defeat Traefik's authentication middleware. Anything behind the ingress is reachable as if the ingress were not there. Services that delegate authN to Traefik middleware are directly exposed. The blast radius is everything downstream that assumed the ingress was enforcing access control.
MOVEit Automation Auth Bypass (CVE-2026-4670, CVSS 9.8)
Progress Software's MOVEit Automation has a 9.8 authentication bypass in the same class as the 2023 bug. The historical comparison is not subtle: the Cl0p ransomware group ran mass exploitation against MOVEit for months in 2023 before most victims noticed. Progress's track record on this product has not improved since. If MOVEit is in the environment, treat compromise as a question of weeks.
The Speed Problem
PraisonAI CVE-2026-44338 was exploited four hours after disclosure, by commodity tooling rather than a named actor. Enterprise change management runs in weeks. The exploitation window closes in hours. Those two clocks do not reconcile.
| Vulnerability | CVSS | Auth required | Patch available | Priority |
|---|---|---|---|---|
| NGINX rewrite RCE | ~9.8 | None | Expected imminently | P0 — tonight |
| Traefik auth bypass | 10.0 | None | Yes | P0 — tonight |
| MOVEit Automation | 9.8 | None | Yes (2025.1.5+) | P0 — this week |
| PraisonAI | TBD | None | Yes | P0 — if deployed |

All four are authentication bypasses, not memory corruption and not multi-step logic chains. These are access-control failures. EDR will not catch them. Patching and authorization audits will.
Action items
- Run active NGINX discovery (not CMDB) across all owned ASNs, cloud accounts, and internal subnets; stage emergency patch or disable rewrite module until patched
- Inventory all Traefik deployments and identify every downstream service that delegates auth to Traefik middleware; patch CVE-2026-35051/39858 and add app-layer auth on sensitive services
- Patch MOVEit Automation to 2025.1.5/2025.0.9/2024.1.8 or accelerate migration off the product entirely
- Scan for PraisonAI deployments across dev, staging, prod, and data-science sandboxes; patch or take offline within 4 hours of reading this
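The first action item suggests disabling the rewrite module until the patch lands. Before rebuilding NGINX without it, you need to know which configs depend on it; the script below, an added example that is not from the newsletter or from the NGINX project, walks a config and reports every rewrite-module directive with its enclosing block. It assumes the module's documented directive set and does not follow `include` files.

```python
"""Inventory ngx_http_rewrite_module directives in an NGINX config.

Added example. Assumption: REWRITE_DIRECTIVES is the module's documented
directive set; `include` files are not followed.
"""
import re

# Directives implemented by ngx_http_rewrite_module.
REWRITE_DIRECTIVES = {"rewrite", "if", "set", "return", "break",
                      "rewrite_log", "uninitialized_variable_warn"}

# Tokenizer: comments, quoted strings, block/statement delimiters,
# bare words, and newlines (kept only to count lines).
_TOKEN = re.compile(
    r"#[^\n]*"
    r'|"(?:\\.|[^"\\])*"'
    r"|'(?:\\.|[^'\\])*'"
    r"|[{};]"
    r"|[^\s{};\"']+"
    r"|\n"
)


def find_rewrite_directives(config_text):
    """Return [(line, directive, context, args)] in config order."""
    findings, stack, current = [], [], []
    line = stmt_line = 1
    for m in _TOKEN.finditer(config_text):
        tok = m.group(0)
        if tok == "\n":
            line += 1
            continue
        if tok.startswith("#"):
            continue
        if tok in ("{", "}", ";"):
            if current and current[0] in REWRITE_DIRECTIVES:
                findings.append((stmt_line, current[0],
                                 " > ".join(stack), " ".join(current[1:])))
            if tok == "{":
                stack.append(" ".join(current))   # 'if (...)' opens a block
            elif tok == "}" and stack:
                stack.pop()
            current = []
        else:
            if not current:
                stmt_line = line
            current.append(tok)
            line += tok.count("\n")               # multi-line quoted string
    return findings


# Constructed sample config, not a real deployment.
CONSTRUCTED_CONF = r"""
# constructed sample config
http {
    server {
        listen 80;
        set $backend "app";
        location /old/ {
            rewrite ^/old/(.*)$ /new/$1 permanent;
        }
        location /api/ {
            if ($request_method = POST) {
                return 405;
            }
            proxy_pass http://app;
        }
    }
}
"""

if __name__ == "__main__":
    for ln, directive, context, args in find_rewrite_directives(CONSTRUCTED_CONF):
        print(f"line {ln:>3}  {directive:<8} {args:<40} in {context or '<main>'}")
```

Run it over `nginx -T` output to cover every loaded file in one pass.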
Sources: SANS AtRisk · The Hacker News · Clint Gibler
02 AISI Validates Full Network Takeover: Your Threat Model Just Broke
The Step Function
The UK AI Security Institute has now empirically confirmed that Anthropic's Mythos and OpenAI's GPT-5.5-cyber complete full network takeover chains autonomously. The prior ceiling was "advanced persistence." Mythos cleared both of AISI's hardest tests. GPT-5.5-cyber cleared one. AISI is already building harder evaluations because the current ones are saturating.
This is not a vendor benchmark. AISI is a government evaluator confirming autonomous reconnaissance, exploitation, privilege escalation, lateral movement, and objective achievement, with no human in the loop.
The Convergent Evidence
The capability jump is corroborated by independent sources, not a single lab's slide deck:
- AISI ranges: Mythos cleared Cooling Tower, the hardest range, inside a 2.5M-token cap
- MDASH (Microsoft): 100+ specialized agents scanning, debating exploitability, building PoCs. Surpassed Mythos on CyberGym
- Palo Alto: dozens of serious vulnerabilities surfaced across 130+ products
- XBOW: thousands of high and critical vulnerabilities reportedly found in weeks. Treat the count as unverified until a third party reproduces it
- Mozilla: 271 Firefox bugs found with Claude Mythos Preview plus a custom harness
The intra-generation jump is the signal that matters. A newer Mythos version cleared the cyber range in 6 of 10 attempts, against 3 of 10 for the baseline. That is a doubling between versions of the same model, not between releases.
What Breaks in Your Defensive Model
| Assumption | Pre-Mythos | Post-Mythos |
|---|---|---|
| Critical CVE patch SLA | 7–30 days acceptable | Hours-to-days required; n-day behaves like 0-day |
| Attacker dwell time | Hours to days before lateral movement | Minutes — compressed kill chain |
| Pentest cadence | Annual or semi-annual | Continuous; AI-augmented as baseline |
| Responsible disclosure | 90-day window standard | Attackers may rediscover independently before patch ships |
| Custom code safety | SAST coverage gaps tolerable | Gaps are exploitable at scale by automated pipelines |

Distribution Gating Buys Months, Not Years
Publicly: both labs are restricting access. Anthropic gates to select enterprises and governments. OpenAI gates to a small testing cohort. Congress is steering Mythos access toward NSA over CISA, which is a clear vote for offense over civilian defense. Proliferation vectors are the usual three: insider weight theft, jailbreaks, and open-weight catch-up via DeepSeek and Mistral forks. Plan for commodity threat actors wielding Mythos-class capability by late 2026.
Google TAG confirmed this week that a hacking group has already used AI to build a functional cybercrime tool. That is the first public confirmation that weaponization is operational rather than theoretical.
Action items
- Compress critical CVE patch SLAs from 30 to 7 days for internet-facing systems; establish virtual-patching and WAF signature deployment on disclosure day
- Commission a red-team engagement assuming agentic AI attacker with sub-hour dwell time against crown-jewel segment; measure MTTD gap against current baselines
- Pilot defensive use of MDASH-style or Mythos-class models against your own monorepo under AppSec supervision before adversaries find what they find
- Add 'AI-augmented adversary' to the board risk register this quarter while PANW/CRWD tape (+20% YTD) keeps budget authority warm
Sources: CyberScoop · The Information AM · AINews · Martin Peers · TLDR AI · Bloomberg Technology
03 Agent Governance Becomes an Incident: Mailboxes Deleted, Ingresses Bypassed, Sessions Unmonitored
The Theory Became a Production Incident
An OpenClaw agent executed a destructive action. It deleted a user's entire email archive without human approval. This is the first documented confused-deputy failure in the wild. The agent held a legitimate OAuth grant with modify/delete scope. Misinterpretation, prompt injection, or tool-selection error turned a benign request into data destruction. Every agent integrated with Gmail, M365, Slack, Jira, or GitHub shares the topology.
The failure mode is no longer theoretical. An agent with legitimate credentials and excessive scope destroyed production data in a single tool call.
The Scale of Exposure
Agentic workloads now account for 59% of all AI token volume. AI agents bypass legacy bot detection in 81% of tests. A single Salesforce tenant runs 20+ agents on API seats. This is not an emerging surface. It is the majority surface, and most SOCs have zero detection coverage for it.
Three vendor launches this week compound the problem.
- ServiceNow Action Fabric: business-critical workflows exposed as headless, agent-consumable APIs via MCP.
- SAP Autonomous Enterprise: agents in finance, supply chain, and HR. SOX/SoD territory, backed by a €100M partner fund.
- Google Gemini Intelligence: ships summer 2026 on Galaxy S26/Pixel 10 with screen-reading, app-navigation, and auto-purchase authority.
Claude Code /goal: The Unattended Developer
Anthropic shipped /goal. It runs fully autonomous multi-turn coding sessions until a Haiku-based evaluator judges completion. Paired with Auto Mode, per-tool confirmations are gone. The evaluator only reads the conversation transcript. It cannot independently verify file state, test results, or system reality. A developer launching /goal creates a non-human identity with commit rights, shell access, and no built-in action ceiling.
| Surface | Incident/Signal | Detection Gap |
|---|---|---|
| Agent OAuth scopes | OpenClaw mass-delete | Over-permissioned tokens; no HITL on destructive verbs |
| MCP servers | ServiceNow, SAP, Figma, Notion launching | No inventory; no SIEM integration; no auth review |
| Claude Code /goal | Fully autonomous coding + commands | No managed-settings enforcement; evaluator is transcript-only |
| Mobile AI agents | Gemini Intelligence screen-read + auto-purchase | MDM policies not built for agent transactions |
| Bot detection | 81% bypass rate by agent traffic | CAPTCHA and UA heuristics statistically useless |

Common Thread: Controls Built for Humans
Every downstream system sees legitimate user OAuth tokens. Detections tuned to human behavioral baselines produce false negatives against agent traffic at machine speed. The SaaS authorization model was designed for humans clicking buttons. Agents click faster, click more, and click at 3 AM. The governance gap Apple is publicly struggling with, where agents spin up sub-applications after the parent app passed review, is the same gap facing every enterprise.
Action items
- Inventory every OAuth grant, service principal, and API key tied to an LLM agent and remove modify/delete scopes where only read is needed — starting with email, source control, and financial systems
- Ship SIEM rules for mass-delete/modify/force-push operations from agent user-agents or service principals; page on first fire
- Push managed Claude Code settings via MDM with allowManagedHooksOnly and prohibit /goal + Auto Mode in repositories touching production credentials, IaC, or regulated data
- Inventory all MCP server endpoints in ServiceNow, SAP, Salesforce, Notion, and Figma; confirm auth, scope, rate-limit, and audit-log coverage for each
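The second action item asks for SIEM rules that page on the first burst of destructive verbs from an agent identity. The tripwire below is an added example, not code from the newsletter or from any vendor named in it; it models the OpenClaw mailbox wipe and assumes (my assumptions, not the page's) that audit events arrive as JSON lines with ts/actor/user_agent/action/object fields and that agents are recognisable by a service-principal prefix or a user-agent marker.

```python
"""Tripwire for destructive verbs issued by agent identities (added example).

Assumptions: JSON-lines audit events; agent identities carry a
service-principal prefix or a known user-agent marker. Both lists are mine.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE = {"delete", "hard_delete", "purge", "force_push", "bulk_update"}
AGENT_UA_MARKERS = ("openclaw", "claude-code", "mcp/", "langchain")   # assumed
AGENT_PRINCIPAL_PREFIX = "svc-agent-"                                 # assumed
WINDOW = timedelta(minutes=5)
THRESHOLD = 3   # destructive calls inside WINDOW; page on the first fire


def is_agent(event):
    ua = event.get("user_agent", "").lower()
    return (event["actor"].startswith(AGENT_PRINCIPAL_PREFIX)
            or any(m in ua for m in AGENT_UA_MARKERS))


def detect(lines):
    """One alert per agent principal, raised the first time it performs
    THRESHOLD destructive actions within WINDOW. Human actors are skipped:
    their baseline is different and belongs in a separate rule."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for raw in lines:
        ev = json.loads(raw)
        if ev["action"] not in DESTRUCTIVE or not is_agent(ev):
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        q = recent[ev["actor"]]
        q.append((ts, ev["object"]))
        while q and ts - q[0][0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "user_agent": ev.get("user_agent", ""),
                           "first": q[0][0].isoformat(), "count": len(q),
                           "objects": [o for _, o in q]})
    return alerts


# Constructed audit log: a human tidying mail (ignored here), an agent
# wiping a mailbox (fires), and an agent whose deletes are too far apart (quiet).
SAMPLE_LOG = [
    '{"ts":"2026-05-18T09:00:01Z","actor":"alice@example.com","user_agent":"Outlook/16","action":"delete","object":"msg-1"}',
    '{"ts":"2026-05-18T09:00:05Z","actor":"alice@example.com","user_agent":"Outlook/16","action":"delete","object":"msg-2"}',
    '{"ts":"2026-05-18T09:00:09Z","actor":"alice@example.com","user_agent":"Outlook/16","action":"delete","object":"msg-3"}',
    '{"ts":"2026-05-18T09:10:00Z","actor":"svc-agent-mailbot","user_agent":"openclaw/1.2","action":"list","object":"inbox"}',
    '{"ts":"2026-05-18T09:10:02Z","actor":"svc-agent-mailbot","user_agent":"openclaw/1.2","action":"delete","object":"folder/inbox"}',
    '{"ts":"2026-05-18T09:10:03Z","actor":"svc-agent-mailbot","user_agent":"openclaw/1.2","action":"delete","object":"folder/sent"}',
    '{"ts":"2026-05-18T09:10:04Z","actor":"svc-agent-mailbot","user_agent":"openclaw/1.2","action":"purge","object":"folder/archive"}',
    '{"ts":"2026-05-18T10:00:00Z","actor":"bob@example.com","user_agent":"claude-code/0.9","action":"force_push","object":"repo/main"}',
    '{"ts":"2026-05-18T10:20:00Z","actor":"bob@example.com","user_agent":"claude-code/0.9","action":"force_push","object":"repo/main"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("PAGE:", json.dumps(alert))
```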
Sources: Techpresso · TLDR · TLDR IT · Daily Dose of DS · Simplifying AI · ben's bites
04 AI Vendor Supply Chain: Anthropic Is on Your Competitor's Metal
The Fourth-Party Problem You Didn't Know You Had
Anthropic confirmed 80x demand against 10x capacity growth. Two consequences are now observable. Claude Code access has been revoked mid-subscription. Corporate accounts have been banned without warning. And a capacity deal places Claude inference on Colossus 1, a 220,000+ GPU cluster owned by xAI/SpaceX, whose CEO has publicly called Anthropic "misanthropic and evil."
Prompts, source code snippets, and agentic workflows sent to Claude may now transit infrastructure operated by a party that is simultaneously a competitor and a hostile public critic, and that was previously banned from Claude over distillation concerns.
Market Share Crossover Creates Governance Debt
Ramp puts Anthropic at 34.4% of enterprise AI spend versus OpenAI's 32.3%. Anthropic quadrupled year over year. OpenAI grew 0.3%. The DLP, CASB, and AI-gateway policies in production were written when ChatGPT was the only name on the wire. Claude traffic is now statistically the larger exfiltration channel, and most organizations have no parity coverage.
Compounding factors:
- No SLAs: Anthropic does not offer defined performance or support-response commitments.
- No native per-user telemetry: ServiceNow and National Life Group both flagged this as a blocker. A compromised Claude account is indistinguishable from a legitimate one.
- Silent access revocation: A/B experiments on access itself are documented. Paying customers lost Claude Code with no notice.
Google Gemini: Training Data Is Now a PII Channel
Separately, Google Gemini is returning real phone numbers from its training corpus in production responses. A developer received WhatsApp messages from strangers. A researcher reproduced extraction of a colleague's private cell. This is not prompt injection. It is architectural memorization surfacing through ordinary queries. Under GDPR, that is processing of data subjects who never consented, and liability cascades to any controller using Gemini as a processor without a sufficient DPIA.
| Vendor | New Risk Signal | Control Gap |
|---|---|---|
| Anthropic | Inference on xAI Colossus 1; no SLAs; silent revocation | 4th-party register; BCP planning; DPA refresh |
| Google (Gemini) | PII regurgitation from training data | Output-side DLP; DPIA covering memorization |
| Claude for SMB | LLM connectors into QuickBooks, PayPal, M365 | Subprocessor detection; TPRM vendor addendum |

What This Means Operationally
The data-flow diagram most organizations hold for Claude is stale. The sub-processor list has changed. The trust boundary has moved. The vendor that security teams have been treating as second-tier is now the primary enterprise provider, without the telemetry, SLAs, or contractual protections that primary providers are expected to carry.
Action items
- File a formal inquiry with Anthropic confirming whether Colossus 1 hosts inference for your tenant, what data classes transit it, and what access paths xAI/SpaceX personnel have; update sub-processor register before next audit
- Extend CASB/DLP monitoring to api.anthropic.com, claude.ai, Claude Code CLI, and MCP endpoints at parity with OpenAI rules
- Enable output-side PII DLP scanning on all Gemini touchpoints (Workspace, Vertex AI, embedded features) and file a DPIA addendum covering training-data memorization risk
- Build a Claude-off contingency: document every pipeline where 24-hour loss of Claude access causes business impact, and test one fallback path per quarter
Sources: The Pragmatic Engineer · Laura Bratton · The Download from MIT Technology Review · StrictlyVC · TLDR AI · Morning Brew
◆ QUICK HITS
Update: Shai-Hulud source code now MIT-licensed on GitHub with multiple forks proliferating — expect copycat npm/PyPI supply-chain variants within 2-4 weeks; hunt for forks and push IoCs to SIEM today
TLDR Dev
Update: PAN-OS CVE-2026-0300 (CVSS 9.8, unauth RCE) added to CISA KEV on May 6; any User-ID Authentication Portal internet-exposed and unpatched warrants IR triage on assumption of compromise
SANS AtRisk
Bitwarden CLI npm package poisoned for 93 minutes (2026-04-22T21:57Z–23:30Z) via Checkmarx supply-chain incident — hunt CI/CD logs for Bitwarden CLI 2026.4.0 pulled in that window; any hit is credential-rotation scope
SANS AtRisk
RubyGems froze new registrations after 500+ malicious packages pushed by bots — freeze gem additions in CI for 72h and audit any new/updated gem from the last week
Risky.Biz
Android ADB auth bypass CVE-2026-0073 affects all Android 11+ devices (since 2020) via OEM factory-test misconfigs left in production firmware — block TCP/5555 egress and query MDM for ADB-enabled devices
Risky.Biz
Grok 4.3 ships voice cloning as a standard feature — combined with TML's 0.40s latency, real-time voice impersonation is now practical for mid-tier fraud actors; kill voice-only auth for financial approvals
Simplifying AI
China-affiliated APT ran multi-wave Exchange intrusion against Azerbaijani oil & gas Dec 2025–Feb 2026 — if you operate on-prem Exchange, hunt retroactively for OWA/EWS anomalies from December onward
The Hacker News
Xi's 'extremely dangerous' framing of $14B Taiwan arms sale historically precedes China-nexus APT surges (Volt Typhoon, Salt Typhoon) — elevate detection for valid-account abuse and edge-device persistence for 90 days
Morning Brew
DuckDB shipped Quack protocol with no SSL and localhost binding by default — developers will unbind from localhost before thinking about TLS; add detection for application/duckdb HTTP traffic on non-localhost interfaces
TLDR Data
x402 agent-payment protocol now built into AWS AgentCore Bedrock — autonomous sub-cent payments with no API keys and no human-in-the-loop; block outbound wallet interactions for agents not explicitly approved for financial actions
TLDR Crypto
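The Bitwarden CLI quick hit above gives a version (2026.4.0) and a 93-minute window; the script below, an added example that is not from the newsletter or from Bitwarden, turns them into a CI-log hunt. It assumes (my assumptions) that the npm package is named @bitwarden/cli and that each CI log line starts with an ISO-8601 timestamp followed by installer output in which resolved packages appear as name@version.

```python
"""Hunt CI logs for the poisoned Bitwarden CLI window (added example).

Assumptions: package name @bitwarden/cli; each log line begins with an
ISO-8601 timestamp; resolved packages appear as name@version in the text.
"""
import re
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 4, 22, 21, 57, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 22, 23, 30, tzinfo=timezone.utc)
SUSPECT = ("@bitwarden/cli", "2026.4.0")   # package name assumed

_LINE = re.compile(r"^(\S+)\s+(.*)$")
_PKG = re.compile(r"(@?[\w.-]+(?:/[\w.-]+)?)@(\d[\w.-]*)")


def parse_ts(text):
    """Accept 'Z' or numeric offsets; return None for non-timestamp prefixes."""
    try:
        ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def pulls_in_window(log_lines):
    """Return (hits, near_misses): suspect pulls inside the window, and the
    same version pulled outside it, kept so the analyst can judge clock skew
    or a lagging mirror rather than silently discarding them."""
    hits, near_misses = [], []
    for line in log_lines:
        m = _LINE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group(1))
        if ts is None:
            continue
        for name, ver in _PKG.findall(m.group(2)):
            if (name, ver) != SUSPECT:
                continue
            bucket = hits if WINDOW_START <= ts <= WINDOW_END else near_misses
            bucket.append((ts.isoformat(), line))
    return hits, near_misses


SAMPLE_CI_LOG = [  # constructed lines, not a real pipeline
    "2026-04-22T21:40:11Z npm notice resolved @bitwarden/cli@2026.4.0 (cache)",
    "2026-04-22T22:10:06Z added @bitwarden/cli@2026.4.0, lodash@4.17.21",
    "2026-04-22T23:45:00+00:00 added @bitwarden/cli@2026.4.0",
    "2026-04-22T22:30:00Z added @bitwarden/cli@2026.3.1",
    "npm WARN deprecated something@1.0.0: no timestamp on this line",
]

if __name__ == "__main__":
    hits, misses = pulls_in_window(SAMPLE_CI_LOG)
    for ts, line in hits:
        print("ROTATE CREDENTIALS:", ts, line)
    for ts, line in misses:
        print("near miss:", ts, line)
```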
◆ Bottom line
The take.
Three pre-auth critical vulnerabilities hit your perimeter simultaneously — NGINX (18-year RCE), Traefik (CVSS 10.0 auth bypass), and MOVEit (9.8, Cl0p déjà vu) — while AISI confirmed frontier AI can now execute full autonomous network takeover and the first real-world agent-driven destructive incident hit production. The window between disclosure and exploitation collapsed to 4 hours this week, and 59% of your AI traffic is now agentic with no human in the loop. Patch edge infrastructure tonight, enforce least-privilege on every agent OAuth grant by Friday, and accept that both your perimeter and your threat model broke on the same day.
Frequently asked
- Which edge vulnerabilities should be patched first this week?
- Prioritize four pre-auth bugs: the NGINX rewrite-module RCE (18-year exposure, default-enabled), Traefik CVE-2026-35051 and CVE-2026-39858 (CVSS 10.0 auth bypass), MOVEit Automation CVE-2026-4670 (CVSS 9.8, patch to 2025.1.5/2025.0.9/2024.1.8), and PraisonAI CVE-2026-44338. All are access-control failures that EDR will not catch — patching and authorization audits are the only effective controls.
- Why is the standard 30-day patch SLA no longer defensible?
- AISI has empirically confirmed that frontier models like Anthropic's Mythos and OpenAI's GPT-5.5-cyber complete autonomous network takeover chains end-to-end, and PraisonAI was weaponized within four hours of disclosure. N-day exploitation now lands in hours, not weeks. Internet-facing systems need a 7-day SLA at most, with virtual patching and WAF signatures deployed on disclosure day.
- What concrete controls reduce the OAuth confused-deputy risk shown by the OpenClaw mailbox-delete incident?
- Strip modify and delete scopes from every agent OAuth grant, service principal, and API key where read access suffices, starting with email, source control, and financial systems. Add SIEM tripwires that page on the first mass-delete, mass-modify, or force-push from agent user-agents or service principals. Require human-in-the-loop approval for destructive verbs regardless of how the token was issued.
- What is the fourth-party exposure created by Anthropic running on xAI's Colossus 1?
- Claude inference now transits a 220,000+ GPU cluster owned by xAI/SpaceX, a declared competitor of Anthropic. Prompts, source code, and agentic workflows may cross infrastructure operated by a hostile party, which can trigger GDPR Article 28 sub-processor notification, require DPA refreshes, and force customer re-papering. Most existing data-flow diagrams and sub-processor registers for Claude are now stale.
- How should Claude Code /goal and Auto Mode be governed on developer endpoints?
- Push managed Claude Code settings via MDM with allowManagedHooksOnly enforced, and prohibit /goal plus Auto Mode on any repository touching production credentials, infrastructure-as-code, or regulated data. The built-in Haiku evaluator only reads the conversation transcript and cannot verify file state, test results, or system reality, so without managed-settings enforcement a single flag turns any developer laptop into an unattended non-human identity with commit and shell rights.