Three Unauth Critical RCEs Hit Cameras, OTDS, AI CI/CD

◆ DEEP DIVES

1. 01

   Three Unauthenticated Critical RCEs: Triage Order and Detection Playbook

   <h3>Simultaneous Critical Vulnerabilities Across Disparate Attack Surfaces</h3><p>Today's intelligence cycle delivered an unusually dense cluster of <strong>critical-severity vulnerabilities</strong> that share one dangerous trait: all are exploitable without authentication in default configurations. The convergence across physical security, enterprise identity, and AI-powered development toolchains means most organizations are exposed on at least one vector.</p><table><thead><tr><th>Vulnerability</th><th>CVSS / Severity</th><th>Auth Required</th><th>Blast Radius</th><th>Exploit Maturity</th></tr></thead><tbody><tr><td>CVE-2026-1670 (Honeywell CCTV)</td><td>9.8 Critical</td><td>None</td><td>Full camera takeover; physical security compromise</td><td>CISA advisory issued; weaponization imminent</td></tr><tr><td>OpenText OTDS Deserialization</td><td>Critical (no CVE yet)</td><td>None</td><td>All integrated OpenText apps (Content Server, Documentum, InfoArchive)</td><td>Technical writeup public via Assetnote</td></tr><tr><td>Cline AI Bot Prompt Injection</td><td>High (supply chain)</td><td>None (public issue title)</td><td>npm, VS Code Marketplace, OpenVSX ecosystems</td><td>PoC demonstrated</td></tr></tbody></table><h4>Honeywell CCTV: CVE-2026-1670</h4><p>CISA issued an advisory for a <strong>missing authentication flaw</strong> in Honeywell I-HIB2PI-UL and NDAA-compliant PTZ cameras. An unauthenticated attacker can remotely change the password recovery email, achieving full account takeover and unauthorized video feed access. The ATT&CK chain is clean: <strong>T1190 → T1098 → T1125</strong>. For organizations under NERC CIP, HIPAA physical security, or PCI DSS Requirement 9, this is compliance-impacting.</p><h4>OpenText OTDS: Unauthenticated Java Deserialization</h4><p>Assetnote disclosed an RCE in OpenText Directory Services exploitable via a <strong>broken HMAC signature verification</strong> where attacker-controlled length fields truncate the signed message to begin at an injected payload. The exploit required building a custom Deflate compressor with tailored Huffman codes — sophisticated engineering, but the attack surface is simple: <strong>unauthenticated, default config, network-reachable</strong>. Since OTDS is the authentication backbone for OpenText's entire ecosystem, compromise cascades to every integrated application.</p><h4>Cline AI Bot: Prompt Injection → Supply Chain Compromise</h4><p>A <strong>prompt-injected GitHub issue title</strong> can drive Cline's Claude-based triage bot to execute arbitrary commands, poison GitHub Actions caches, and steal publishing tokens for VS Code Marketplace, OpenVSX, and npm. This is the threat model most security teams haven't built: <strong>AI agents with CI/CD write access are supply chain attack surfaces</strong>. The attacker doesn't need credentials — they need a string an LLM interprets as an instruction.</p><h4>Detection Opportunities</h4><ul><li><strong>Honeywell:</strong> Alert on unauthenticated API calls to camera account management endpoints; monitor for password recovery email change requests</li><li><strong>OpenText OTDS:</strong> Deploy network-level detection for serialized Java objects in HTTP traffic to OTDS endpoints; monitor logs for deserialization exceptions</li><li><strong>CI/CD:</strong> Monitor GitHub Actions cache writes for unexpected entries; alert on publishing token usage from non-standard IPs; require human approval for workflow changes</li></ul><blockquote>Three unauthenticated critical vulnerabilities in one cycle — across cameras, identity systems, and AI bots — means your attack surface is wider than your asset inventory suggests.</blockquote>

   Action items

   • Identify and patch or network-isolate all Honeywell I-HIB2PI-UL and NDAA-compliant PTZ cameras by end of day Monday
   • Audit OpenText OTDS endpoint exposure by Wednesday; block serialized Java object payloads via WAF rules if no vendor patch is available
   • Inventory all AI bots with CI/CD pipeline access (Cline, Copilot agents, custom LLM bots) and restrict to read-only permissions by end of week
   • Deploy detection rules for all three vectors within 48 hours using the IOC patterns described above

   Sources:1.2M French Accounts Exposed 🇫🇷, INTERPOL Africa Arrests 🌍, Deutsche Bahn DDOS 🚆

2. 02

   AI Agents Are Your New Privileged Insiders — And They're Unmonitored

   <h3>Converging Evidence Across Five Intelligence Streams</h3><p>A pattern emerged today across five independent sources that, taken together, constitutes the most significant <strong>emerging attack surface</strong> for enterprise security: AI coding agents, marketing automation bots, and LLM-powered triage systems are operating with <strong>privileged access, minimal sandboxing, and zero security telemetry</strong> across your organization.</p><h4>The Data Exfiltration Problem</h4><p>A researcher intercepted <strong>3,177 API calls</strong> across four AI coding tools and found that Gemini Pro sends up to <strong>350,000 tokens</strong> of code context to Google's API for a single bug fix — 15x more than Claude Opus for the identical task. Every token is proprietary code, potentially including secrets, architecture details, and customer data patterns. Meanwhile, Anthropic's own research on Claude Code shows experienced developers <strong>auto-approve more agent actions over time</strong>, granting increasing autonomy without increasing oversight.</p><p>This isn't limited to engineering. Marketing teams are building <strong>multi-API AI pipelines</strong> chaining Ahrefs, Gemini, Anthropic, and Telegram — processing competitive intelligence and customer data through unsanctioned workflows that bypass CASB and DLP entirely.</p><h4>The Supply Chain Compromise Vector</h4><p>The Cline prompt injection attack demonstrated today shows the offensive potential: a crafted GitHub issue title drives an AI triage bot to <strong>execute arbitrary commands, poison CI caches, and steal publishing tokens</strong>. New developer tooling (Expo MCP Server, cmux) is integrating agents directly into build systems with expanding access. AI agent frameworks are reinventing concurrency patterns <strong>without the fault-isolation guarantees</strong> of battle-tested systems like Erlang/BEAM.</p><h4>The Governance Gap</h4><p>Cursor published its agent sandboxing architecture — implicitly acknowledging the threat — but it's <strong>opt-in security with approval gates most developers click through reflexively</strong>. Jailbreak research is maturing from novelty to weaponizable tradecraft, meaning LLM safety guardrails are a usability feature, not a security control. And Google's Gemini 3.1 Pro rollout across its entire ecosystem simultaneously constitutes a <strong>silent supply chain change</strong> that can alter prompt-based guardrail behavior without notice.</p><table><thead><tr><th>AI Tool Risk</th><th>Data Exposure</th><th>Control Gap</th></tr></thead><tbody><tr><td>Gemini Pro coding</td><td>~350K tokens/task sent externally</td><td>No DLP coverage on AI API traffic</td></tr><tr><td>Claude Code auto-approve</td><td>Full filesystem + shell access</td><td>Autonomy increases with experience, oversight doesn't</td></tr><tr><td>Marketing AI pipelines</td><td>Competitive intel + customer data</td><td>Built outside security review entirely</td></tr><tr><td>CI/CD AI bots</td><td>Publishing tokens, build artifacts</td><td>Prompt injection = arbitrary execution</td></tr></tbody></table><blockquote>AI coding agents are the next shadow IT crisis: your developers are already using them, your security team hasn't sandboxed them, and the exfiltration path is one unsandboxed API call away.</blockquote>

   Action items

   • Survey all engineering teams for AI coding tool usage (Claude Code, Gemini, Copilot, Cursor, Codex) and document auto-approve settings by end of next week
   • Deploy DLP/proxy rules to log and alert on API calls to api.anthropic.com, generativelanguage.googleapis.com, and api.openai.com within 5 business days
   • Isolate secrets (.env files, cloud credentials, API keys) from AI agent execution contexts by end of month using vault-based injection
   • Publish AI coding assistant acceptable use policy defining which actions require human confirmation vs. auto-approve by end of quarter
   • Audit marketing and content teams for unsanctioned AI API integrations and third-party data flows by end of month

   Sources:1.2M French Accounts Exposed 🇫🇷, INTERPOL Africa Arrests 🌍, Deutsche Bahn DDOS 🚆 · Gemini 3.1 Pro 🧠, optimize anything 📈, agent sandboxing 🔐 · Gemini 3.1 Pro 🚀, AI exoskeleton 💀, AI autonomy in practice 🤖 · Gemini 3.1 Pro 🤖, OpenAI's strategic issues 💡, building AI eng culture 👨‍💻 · Marketing to AI chatbots 🤖, narrow your audience 🎯, GTM launch canvas 📝

3. 03

   Insider Threat Escalation: AI Is the Accelerant, Not the Cause

   <h3>Two Google Cases + 20% YoY Federal Surge = Pattern, Not Coincidence</h3><p>The insider threat landscape shifted measurably this cycle. Three independent intelligence streams converge on the same conclusion: <strong>AI tools have created a DLP-invisible exfiltration channel</strong> that insiders are actively exploiting, and traditional controls aren't catching it.</p><h4>The Google Signal</h4><p>U.S. prosecutors indicted three Silicon Valley engineers on <strong>14 felony counts</strong> for stealing hundreds of confidential files containing Pixel processor and <strong>Tensor chip designs</strong>, then funneling them to contacts in Iran via personal devices and third-party messaging. This comes weeks after a separate conviction of another Google engineer for stealing AI trade secrets. The exfiltration path was devastatingly simple: <strong>legitimate access → personal device → third-party messaging → Iran-based storage</strong>. No zero-days. No supply chain compromise. Just authorized users copying files through channels that didn't trigger alerts.</p><p>The DOJ's response — <strong>14 felony counts with up to 20 years imprisonment</strong> — signals federal prosecutors are treating tech IP theft as a national security priority, particularly with nation-state connections.</p><h4>The Macro Trend</h4><p>Approximately <strong>1,500 federal trade secret cases</strong> were filed last year — a <strong>20% increase</strong> year-over-year — with AI explicitly identified as a contributing factor. The attack pattern: an insider pastes proprietary code, formulas, or strategic documents into an external AI service. The AI synthesizes or reformulates the content. The insider extracts the output. <strong>No file was copied. No USB was mounted. No email attachment was sent.</strong> Traditional DLP triggers don't fire.</p><h4>The Credential Weakness</h4><p>Compounding the insider problem, cybersecurity firm Irregular found that <strong>LLM-generated passwords contain predictable, repeatable patterns</strong> vulnerable to brute-force attacks. LLMs are deterministic pattern generators, not cryptographically secure RNGs. An attacker studying LLM password output can build targeted dictionaries that dramatically narrow the search space — especially dangerous for accounts without MFA.</p><h4>Cross-Source Pattern</h4><p>The Google case, the trade secret surge, and the LLM password weakness all point to the same structural gap: <strong>security controls designed for file-based, network-based exfiltration are blind to AI-mediated data movement</strong>. The Prince Andrew arrest — sharing confidential British trade reports with Epstein over years while serving as UK trade envoy — provides a historical case study of the same pattern: authorized access, slow exfiltration to external contacts, detection lag measured in decades.</p><blockquote>AI didn't create a new threat category; it gave insiders a DLP-invisible exfiltration channel, and your 2024-era controls aren't catching it.</blockquote>

   Action items

   • Red-team your DLP controls against the Google exfiltration path this week: test whether an engineer can bulk-download restricted files to a personal device and upload via Telegram, Signal, or WhatsApp
   • Add detection rules for data pasted into known LLM endpoints (api.openai.com, claude.ai, gemini.google.com) and monitor for large clipboard operations to browser-based AI tools by end of month
   • Issue guidance prohibiting LLM-generated passwords and verify password manager adoption rates exceed 80% by end of quarter
   • Update departure protocols to flag download spikes in the 30 days before separation, and coordinate with HR on recruitment outreach from ByteDance Seed and similar foreign AI labs

   Sources:🎰 Zuck vs. Instagram addiction · Gemini 3.1 Pro 🤖, OpenAI's strategic issues 💡, building AI eng culture 👨‍💻 · ☕ Ice cream dumper · ☕️ RESCUE AND LIBERATION ☙ Friday, February 20, 2026 ☙ C&C NEWS 🦠

4. 04

   Your Threat Intel Has a Structural Blind Spot — China Publishes First

   <h3>~1,400 Vulnerabilities Published Before CVE Assignment</h3><p>Bitsight's analysis of China's two national vulnerability databases — <strong>CNNVD</strong> (Ministry of State Security) and <strong>CNVD</strong> (CNCERT) — reveals a deeply concerning intelligence asymmetry. Approximately <strong>1,400 vulnerability entries</strong> were published in Chinese databases before becoming public in CVE, often by <strong>several months</strong>. Some entries have no CVE equivalent at all, representing vulnerabilities potentially unknown to Western defenders entirely.</p><h4>The Regulatory Mechanism</h4><p>China's 2021 RMSV regulations create a structural advantage: mandatory <strong>48-hour government reporting</strong> of discovered vulnerabilities combined with <strong>prohibitions on sharing PoC exploits</strong> publicly. The Chinese government receives early notification while simultaneously restricting information flow to the global security community. Post-2021, CNVD saw a decline in non-CVE publications, but <strong>CNNVD has recently seen a resurgence</strong> — suggesting the MSS-affiliated database is actively expanding independent vulnerability collection.</p><h4>Compounding Factors</h4><p>This intelligence gap is worsened by two concurrent developments. First, the <strong>partial US government shutdown</strong> is degrading federal cyber services — during the 2018-2019 shutdown, TLS certificates for federal websites expired unrenewed and NIST's NVD fell behind on CVE processing. Second, <strong>US-Iran military escalation</strong> (carrier groups deployed, potential strikes within 10 days) historically precedes Iranian APT cyber retaliation campaigns. APT33/Peach Sandstorm, APT35/Charming Kitten, and MuddyWater all escalated operations during prior kinetic confrontation periods.</p><p>The implication: your vulnerability management program is operating with a structural blind spot that Chinese state actors can exploit during the gap, your federal threat intelligence sources may be degraded by the shutdown, and geopolitical escalation is elevating the likelihood of state-sponsored cyber operations.</p><blockquote>If CVE is your only source of vulnerability truth, you're operating months behind adversaries who read CNNVD.</blockquote>

   Action items

   • Evaluate Chinese vulnerability database monitoring services (Bitsight, VulnCheck, or direct CNNVD/CNVD feeds) for integration into your vulnerability management workflow by end of quarter
   • Verify commercial threat intelligence platforms (Recorded Future, Mandiant, CrowdStrike Intel) are active and filling gaps during the government shutdown by end of week
   • Refresh Iranian APT detection rules (APT33, APT34, APT35, MuddyWater) against latest CISA advisories and validate EDR coverage for OAuth token abuse, password spraying, and credential harvesting
   • Validate out-of-band communication plans for any personnel or operations in the Middle East that don't depend on local internet infrastructure

   Sources:1.2M French Accounts Exposed 🇫🇷, INTERPOL Africa Arrests 🌍, Deutsche Bahn DDOS 🚆 · Defense Expert Dana Stroul on Iran, Syria, and the Illusion of Clean War · ☕ Ice cream dumper