Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!
To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe
Partner Promo
Come meet me in person at the Vanta Trust Tour in NYC this week!
Echelon Risk + Cyber is excited to sponsor Vanta's Trust Tour NYC 🚀
Looking forward to connecting with security and compliance leaders, sharing insights, and helping companies scale trust more efficiently.
Join us in NYC and register HERE!
Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to introduce a new Personal Spotlight Series: The Human Side of Cybersecurity.
This series is grounded in conversation rather than commentary. It centers on CISOs and other cyber leaders who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.
Special Edition: The Human Side of Cyber Featuring My Son, Luca. (Proud Dad Moment)
This week, I decided to take a break from interviewing CISOs, founders, and cybersecurity leaders and instead sat down with one of the most important people in my life: my nine-year-old son, Luca. What started as a fun "Bring Your Kid to Work Day" podcast quickly turned into a reminder of some simple truths that adults often forget.
When I asked what he's great at right now, Luca confidently answered golf and baseball. His description of a perfect day was equally ambitious: golf tournaments, baseball games, soccer matches, a Pirates game, and all his favorite foods packed into a single day. It was a good reminder that kids rarely think about limitations; they think about possibilities.
I also asked Luca what he thinks I do all day at work. His answer was surprisingly accurate: meetings, calls, paperwork, podcasts, and business trips. When I asked what seemed hardest about my job, he didn't mention cybersecurity or running a company. Instead, he said sitting in a chair all day and staring at screens sounded difficult. Honestly, he might be onto something. Sometimes the most obvious observations are the most insightful.
One of my favorite moments came when I asked what rule he would create if he were in charge of the company. His answer: when you're on vacation, no calls. Simple. Clear. Probably better than most corporate policies I've seen.
The rapid-fire questions revealed even more about his priorities. Sports over video games. Fun over money. Flying over invisibility. Dogs over cats. And when forced to choose between being a CEO or an athlete, he didn't hesitate: athlete.
Perhaps the biggest takeaway came from Luca's dream business idea. If he wasn't running a cybersecurity company, he'd create a kids' sports news network where he could report on golf, baseball, and other sports for kids. It was a reminder that curiosity, creativity, and enthusiasm are often the foundations of entrepreneurship long before anyone realizes it.
I've spent the past year interviewing some of the smartest minds in cybersecurity, and while this conversation was a little different, it may have been one of my favorites. Sometimes leadership lessons don't come from boardrooms, conference stages, or executive meetings. Sometimes they come from a nine-year-old who reminds us to prioritize fun, adventure, family, and the things we genuinely love doing.
And for the record, Luca believes every office should stock tea, honey, oat granola bars, Arizona Arnold Palmers, and salt-and-vinegar chips. That's advice I may actually implement.
Watch the Full Interview Here: https://youtu.be/mYNOt_479XY?si=bZ1bJr3Cy033-WXr
Echelon Events & Thought Leadership Highlight
The attacker is already inside.
Part 2 of Echelon's Purple Team simulation picks up mid-intrusion with lateral movement, cloud compromise, and data exfiltration, showing exactly what defenders see on the backend in real time.
Join experts Matt Donato, Devin Jones, and Bryce Hayes as they walk both sides of the attack chain and share recurring findings from real-world purple team engagements.
Register here: https://lnkd.in/e_R9J5p2
Missed Part 1? Catch up on demand first. https://lnkd.in/eka9ieQb
Away we go!
1. Exploited Trend Micro Apex One Vulnerability Turns Security Software into an Attack Tool
A newly disclosed vulnerability in Trend Micro Apex One is drawing attention not because of its severity score, but because attackers are already exploiting it in real-world environments. The flaw, tracked as CVE-2026-34926, affects the on-premises version of Apex One and has been added to CISA’s Known Exploited Vulnerabilities catalog. While the vulnerability carries a moderate CVSS score of 6.7, security experts caution that its placement inside a widely deployed endpoint protection platform makes it far more significant than the number alone suggests.
The vulnerability stems from a directory traversal weakness that allows an attacker with existing administrative access to an Apex One server to modify a critical database table and deploy malicious code to managed endpoints. In effect, an attacker who has already compromised the management server can weaponize the security platform itself, turning a trusted defensive tool into a mechanism for distributing malware throughout the enterprise. This type of attack highlights a growing trend in cybersecurity where threat actors increasingly target management infrastructure, security tools, and software distribution systems that sit at the center of organizational trust.
Trend Micro addressed the issue as part of a broader security bulletin covering eight vulnerabilities in Apex One. Organizations running affected on-premises deployments are being urged to upgrade immediately to the latest supported builds, including Apex One SP1 CP Build 18012 or Apex One SP1 Build 17079, depending on their deployment path. Federal agencies have been given a remediation deadline after CISA added the flaw to its catalog of actively exploited vulnerabilities. Security teams should also verify that agents across their environment are updated to supported versions, as incomplete upgrades could leave portions of the environment exposed.
The incident raises an important strategic question for security leaders: how much infrastructure should still be managed on premises? Historically, many organizations preferred local deployments for greater control and customization. However, the growing pace of vulnerability disclosures, patch requirements, and attacker focus on management platforms has shifted that equation. While cloud-hosted security solutions are not immune to risk, they often allow vendors to respond more quickly to emerging threats and reduce the operational burden placed on internal teams. As organizations evaluate their security architecture, this vulnerability serves as a reminder that the tools designed to protect the enterprise can also become high-value targets when left unpatched or improperly maintained.
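The weakness class in this item, directory traversal, comes down to a file-handling component accepting a caller-supplied path without confirming that the resolved result stays inside the directory it was meant to serve. The following is an added illustration, not Trend Micro's code and not tied to the specifics of CVE-2026-34926: it places the textbook broken check (a string-prefix test on the joined path) beside the containment check that actually holds, decided on the resolved path. The base directory and file names are constructed.

```python
# Added example (not Trend Micro's code): a defensive path-containment check
# of the kind that stops directory traversal in any file-handling component.
# The base directory and file names below are constructed for illustration.
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would land outside the allowed base."""


def naive_is_within_base(base: str, requested: str) -> bool:
    """The broken check: join the strings and test the textual prefix.

    It accepts '../../etc/passwd' because the joined string still *starts*
    with the base; the '..' components are never collapsed.
    """
    joined = os.path.join(base, requested)
    return joined.startswith(base)


def safe_join(base: str, requested: str) -> Path:
    """Return base/requested only if the resolved result stays inside base.

    - Absolute input is rejected outright (joining it would replace the base).
    - '..' segments and symlinks are collapsed by resolve() before the test,
      so 'a/../../x' is caught while the harmless 'a/../b' is allowed.
    """
    if Path(requested).is_absolute():
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    base_dir = Path(base).resolve()
    candidate = (base_dir / requested).resolve()
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {base_dir}") from None
    return candidate


def is_within_base(base: str, requested: str) -> bool:
    """Boolean form of safe_join, decided on the resolved path."""
    try:
        safe_join(base, requested)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    base = "/srv/agent-updates"  # constructed base directory
    for req in ["agents/win/agent.bin", "a/../b", "../../etc/passwd", "a/../../x"]:
        print(f"{req!r:24} naive={naive_is_within_base(base, req)!s:5} "
              f"resolved={is_within_base(base, req)}")
```

The point of the pairing is that the naive check and the resolved check disagree exactly on the traversal inputs: `../../etc/passwd` passes the prefix test and fails the containment test. Any review of a component that writes files or records based on request data should look for which of the two patterns it uses.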

Cisco SD-WAN "Master Key" Vulnerability Demands Immediate Attention
A newly discovered critical vulnerability in Cisco SD-WAN systems is serving as a reminder that network infrastructure remains one of the most attractive targets for nation-state threat actors. Tracked as CVE-2026-20182, the flaw carries a maximum CVSS score of 10.0 and allows an unauthenticated attacker to bypass authentication and gain administrative privileges on vulnerable systems.
What makes this issue particularly concerning is that it was discovered during incident response activities tied to another Cisco SD-WAN campaign that prompted emergency warnings from CISA and allied intelligence agencies earlier this year. Researchers described the vulnerability as behaving like a "master key," allowing attackers to impersonate trusted network devices and gain privileged access to SD-WAN controllers. Because SD-WAN controllers sit at the center of trusted communications and routing decisions, they provide an ideal foothold for advanced adversaries seeking long-term persistence.
What should organizations do now?
- Immediately apply Cisco's newly released patches.
- Inventory all SD-WAN assets and verify software versions.
- Review controller logs for suspicious authentication activity.
- Conduct threat hunting for indicators of compromise dating back several months.
- Restrict administrative access to trusted management networks only.
Why it matters: Many organizations treat SD-WAN infrastructure as "set it and forget it" technology. In reality, these platforms are crown jewel assets that often provide visibility into and control over entire enterprise networks. If compromised, they can become a launchpad for broader cloud, data center, and branch office attacks.

2. Microsoft Condemns Public Zero-Day Releases After Wave of Windows Vulnerabilities
A public dispute between Microsoft and a security researcher has reignited one of cybersecurity’s longest-running debates: where should the line be drawn between responsible vulnerability disclosure and public pressure on vendors? Over the past several weeks, a researcher operating under the pseudonym “Nightmare Eclipse” released a series of Windows zero-day vulnerabilities complete with proof-of-concept exploit code. Several of those vulnerabilities, including BlueHammer, UnDefend, and RedSun, were subsequently observed in real-world attacks and added to CISA’s Known Exploited Vulnerabilities catalog, increasing pressure on organizations to patch affected systems as quickly as possible.
Unlike traditional coordinated disclosure processes, where researchers privately report vulnerabilities and give vendors time to develop fixes, these flaws were publicly released before patches were available. The disclosures appeared on GitHub and other public platforms, making exploit code immediately accessible to both defenders and threat actors. Microsoft responded this week with its strongest public criticism yet, calling uncoordinated zero-day disclosures "never justifiable" and warning that releasing exploit code for unpatched vulnerabilities can create real-world harm for customers and the broader digital ecosystem.
The controversy extends beyond the vulnerabilities themselves. Nightmare Eclipse has publicly accused Microsoft of mishandling vulnerability reports, withholding bug bounty payments, and removing researcher attribution from security advisories. While those claims remain unverified, they echo concerns raised by several respected security researchers and organizations in recent years regarding communication, transparency, and recognition within large vendor vulnerability management programs. The situation has once again highlighted the often-complicated relationship between software vendors and the independent researchers who help identify security weaknesses.
For enterprise security teams, the broader lesson is clear: vulnerability disclosure disputes ultimately matter less than operational readiness. Whether vulnerabilities emerge through coordinated disclosure programs, bug bounty platforms, or public zero-day releases, organizations must maintain the ability to rapidly assess exposure, deploy mitigations, and accelerate patching when active exploitation begins. As vulnerability discovery continues to accelerate and proof-of-concept exploits become more readily available, the time between disclosure and attack is shrinking. Security leaders should assume that publicly released vulnerabilities may be weaponized almost immediately and adjust their patch management and threat detection processes accordingly.

AI Helps Attackers Target Critical Infrastructure Faster Than Ever
A recent investigation into attacks against multiple Mexican government entities and a major water utility provides one of the clearest examples yet of how AI is changing offensive cyber operations. Between late 2025 and early 2026, attackers reportedly leveraged commercial AI models, including Claude and GPT-based systems, to accelerate reconnaissance, map network architectures, customize exploits, harvest credentials, and identify high-value targets.
The most notable finding came when the attackers discovered operational technology (OT) systems inside a water utility environment. According to researchers, the AI model quickly identified an industrial gateway as a critical asset and even generated attack recommendations against the system. Fortunately, the attempted password spraying attack failed due to strong password controls and basic cyber hygiene.
This incident demonstrates that AI is not replacing skilled attackers, but it is dramatically increasing their speed and efficiency. Tasks that once required days of manual effort can now be completed in minutes, allowing threat actors to move faster through the cyber kill chain and scale attacks across multiple targets simultaneously.
What should organizations do now?
- Review and strengthen identity and access management controls.
- Implement MFA across all IT and OT environments.
- Segment operational technology networks from traditional IT systems.
- Maintain accurate asset inventories and continuously monitor for anomalous activity.
- Assume adversaries can now perform reconnaissance and attack planning at machine speed.
Why it matters: The attack ultimately failed where it mattered most because foundational security controls worked. As AI accelerates offensive operations, organizations that maintain strong fundamentals such as MFA, least privilege, network segmentation, vulnerability management, and continuous monitoring will remain far better positioned to withstand the next generation of AI-assisted attacks.
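Two of the action items above reduce to the same log review: the SD-WAN checklist asks teams to look for suspicious authentication activity on controllers and to confirm administrative access is limited to trusted management networks, and the water-utility case turned on a password-spraying attempt that failed. The block below is an added example, not Cisco's, Anthropic's or any vendor's code, that runs both checks over a constructed authentication log: a successful privileged login from outside the management range, and a single source failing against many distinct accounts. The log format, addresses, account names and the trusted range are all assumptions made for the example.

```python
# Added example (not Cisco's or any vendor's code): triage of authentication
# events from a network controller. The log format, addresses, user names
# and the trusted management range are all constructed for illustration.
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one controller, a morning of logins. Two things are
# buried in it: an admin login from outside the management network, and one
# external source trying five different accounts once each (a spray).
SAMPLE_LOG = """\
2026-05-21T10:03:11Z ctrl01 auth user=admin src=10.20.0.15 result=success
2026-05-21T10:04:02Z ctrl01 auth user=admin src=203.0.113.45 result=success
2026-05-21T10:05:00Z ctrl01 auth user=jsmith src=198.51.100.7 result=failure
2026-05-21T10:05:01Z ctrl01 auth user=mlee src=198.51.100.7 result=failure
2026-05-21T10:05:02Z ctrl01 auth user=rpatel src=198.51.100.7 result=failure
2026-05-21T10:05:03Z ctrl01 auth user=svc-backup src=198.51.100.7 result=failure
2026-05-21T10:05:04Z ctrl01 auth user=operator src=198.51.100.7 result=failure
2026-05-21T10:06:30Z ctrl01 auth user=jsmith src=10.20.0.22 result=failure
2026-05-21T10:06:41Z ctrl01 auth user=jsmith src=10.20.0.22 result=success
"""

TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed jump-host range
PRIVILEGED_USERS = {"admin"}                                # assumed admin accounts

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    user: str
    src: str
    result: str


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Parse the constructed format above; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def privileged_logins_outside_mgmt(events, trusted_nets=TRUSTED_MGMT_NETS,
                                   privileged=PRIVILEGED_USERS) -> list[AuthEvent]:
    """Successful privileged logins whose source is not in a trusted range.

    This is the check behind 'restrict administrative access to trusted
    management networks': any hit means the restriction is not enforced.
    """
    hits = []
    for e in events:
        if e.result != "success" or e.user not in privileged:
            continue
        addr = ipaddress.ip_address(e.src)
        if not any(addr in net for net in trusted_nets):
            hits.append(e)
    return hits


def password_spray_sources(events, min_distinct_users=5) -> dict[str, int]:
    """Sources that failed against at least N *different* accounts.

    A spray stays under per-account lockout thresholds by trying each
    account once, so the signal is breadth of users per source, not depth
    of attempts per user. One user mistyping a password (10.20.0.22 above)
    does not trip it.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e.result == "failure":
            failed_users[e.src].add(e.user)
    return {src: len(users) for src, users in failed_users.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    for e in privileged_logins_outside_mgmt(evs):
        print(f"ALERT privileged login outside mgmt net: {e.user} from {e.src} at {e.ts}")
    for src, n in password_spray_sources(evs).items():
        print(f"ALERT password spray: {src} failed against {n} distinct accounts")
```

Run against real controller or identity-provider exports, the parser is the only part that changes; the two detections are format-independent. The threshold of five distinct accounts is a starting point to tune against the environment's normal failure rate, and the privileged-source check is only meaningful once the trusted management range is actually enforced at the network layer, since otherwise every hit is expected noise.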

3. Critical Drupal SQL Injection Vulnerability Under Active Attack
A newly disclosed vulnerability in Drupal is quickly becoming one of the most significant web application security stories of 2026. Tracked as CVE-2026-9082, the flaw carries a critical CVSS score of 9.8 and allows unauthenticated attackers to perform arbitrary SQL injection attacks against vulnerable Drupal installations running PostgreSQL databases. Security researchers and government agencies moved quickly after the vulnerability was disclosed on May 20, but attackers appear to have moved even faster. Within days, evidence emerged that threat actors were actively probing and exploiting exposed systems, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to its Known Exploited Vulnerabilities catalog.
At the heart of the issue is a weakness in Drupal’s core database extraction API, where specially crafted requests can bypass protections and manipulate backend database queries. Successful exploitation could allow attackers to extract sensitive data, modify content, create administrative accounts, or potentially gain broader control over affected websites. According to security firm Imperva, more than 15,000 exploitation attempts were observed shortly after disclosure, with organizations in financial services, gaming, technology, and business sectors among the most heavily targeted. The rapid weaponization of the vulnerability highlights a growing trend in cybersecurity: the window between disclosure and exploitation continues to shrink.
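The mechanism behind any SQL injection is that request data ends up inside the text of a query rather than bound to it as a value, so the data can change what the statement does. The block below is an added illustration of that general pattern, not Drupal's code and not a reconstruction of the specific flaw in its database API: a query that is meant to return only published nodes is written once with string splicing and once with a bound parameter, and the same hostile value leaks unpublished rows from the first and nothing from the second. An in-memory SQLite database stands in for PostgreSQL so it runs offline; the table, rows and the log-review heuristic at the end are constructed.

```python
# Added example (not Drupal's code): the SQL injection pattern in its
# vulnerable and parameterized forms. An in-memory SQLite database stands in
# for PostgreSQL so the example runs offline; the table and rows are constructed.
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed content table: one published node, two unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER)")
    conn.executemany(
        "INSERT INTO node VALUES (?, ?, ?)",
        [(1, "Welcome", 1), (2, "Draft post", 0), (3, "Internal memo", 0)],
    )
    return conn


def published_titles_vulnerable(conn, title: str) -> list[str]:
    """The defect: request data is spliced into the SQL text.

    The query intends to return only published (status = 1) nodes with the
    given title. Because the input becomes part of the statement, a value
    that closes the quote and appends a tautology rewrites the WHERE clause.
    """
    sql = f"SELECT title FROM node WHERE status = 1 AND title = '{title}'"
    return [row[0] for row in conn.execute(sql)]


def published_titles_safe(conn, title: str) -> list[str]:
    """The fix: a placeholder keeps the input a bound value, never SQL."""
    sql = "SELECT title FROM node WHERE status = 1 AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def looks_like_injection_attempt(value: str) -> bool:
    """Coarse heuristic for reviewing request logs after a disclosure:
    a quote character together with a SQL keyword or comment marker.
    Expect false positives on ordinary text; it supports hunting, nothing more.
    """
    lowered = value.lower()
    return "'" in value and any(k in lowered for k in (" or ", " union ", "--", ";"))


if __name__ == "__main__":
    conn = build_db()
    normal = "Welcome"
    hostile = "' OR '1'='1"  # constructed textbook payload
    print("normal  vulnerable:", published_titles_vulnerable(conn, normal))
    print("normal  safe      :", published_titles_safe(conn, normal))
    print("hostile vulnerable:", published_titles_vulnerable(conn, hostile))  # leaks unpublished rows
    print("hostile safe      :", published_titles_safe(conn, hostile))       # nothing matches
    print("flagged in logs   :", looks_like_injection_attempt(hostile))
```

The parameterized form is the only one of the two that is correct by construction; input filtering such as the heuristic at the end belongs in log review, not in the query path. When auditing a code base after an advisory like this one, the search is for every place a query string is assembled with formatting or concatenation from anything that originated in a request.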
The response from the Drupal community has been unusually aggressive, reflecting the seriousness of the threat. In addition to releasing patches for supported versions, Drupal developers also issued backported fixes for several unsupported end-of-life releases, a step rarely taken except in the most severe circumstances. However, security experts caution that applying temporary fixes to unsupported versions should not be viewed as a long-term solution. Organizations still running Drupal 8 or Drupal 9 face ongoing security risks that extend far beyond this specific vulnerability and should prioritize migration to supported versions of Drupal 10 or Drupal 11.
For organizations operating public-facing websites, this incident serves as another reminder that content management systems remain highly attractive targets for cybercriminals. SQL injection vulnerabilities have existed for decades, yet they continue to produce devastating compromises because of the sensitive data and administrative access they can expose. Security teams should immediately verify their Drupal versions, apply available updates, review logs for suspicious database activity, and conduct compromise assessments if patching was delayed. In today's threat landscape, attackers are increasingly monitoring security advisories as closely as defenders, often launching scans and exploitation campaigns within hours of public disclosure.
Thanks for reading!
About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about