HPE Aruba Zero-Cred RCE and n8n Exploits Hit Same Week

◆ DEEP DIVES

1. 01

   Five Active Exploits, One New Attack Paradigm — Your Patch Queue and Threat Model Both Need Updating

   <h3>The Drop-Everything Patches</h3><p><strong>HPE Aruba CX switches</strong> have an unauthenticated password reset vulnerability at near-maximum CVSS severity. Any attacker with network adjacency to your switch management plane can reset the admin password and take full control — <strong>zero credentials required</strong>. Compromised switches enable traffic interception, VLAN hopping, and lateral movement that's invisible to endpoint detection. If you can't patch within hours, ACL the management interfaces to known admin IPs as a stopgap. Do not wait for a maintenance window — this exploit is trivial to execute.</p><p>Separately, <strong>CISA added n8n to its Known Exploited Vulnerabilities catalog</strong> — 24,700 instances are exposed to RCE and credential theft right now. Think about what your n8n instance knows: Postgres connection strings, third-party API keys, cloud provider tokens, Slack webhooks. An attacker who pops n8n owns <em>everything n8n can talk to</em>. This is the same pattern that hit exposed Elasticsearch, unsecured Redis, and public Jenkins dashboards — workflow automation platforms are especially dangerous because they're <strong>designed to hold credentials and have broad system access</strong>.</p><blockquote>Your internal tooling attack surface is probably larger than you think, and workflow automation platforms are the highest-value targets because they're credential stores with execution capability.</blockquote><hr><h3>McKinsey's Lilli: 46.5M Messages via SQLi in 2026</h3><p>An autonomous AI agent (CodeWall) found and exploited an <strong>unauthenticated SQL injection</strong> in McKinsey's internal AI platform, gaining full read/write access to the production database within two hours. The blast radius: <strong>46.5 million chat messages, 728,000 sensitive files</strong>, and McKinsey's entire proprietary RAG knowledge base. This wasn't a zero-day — it was a parameterized query failure on an unauthenticated endpoint. The lesson isn't that McKinsey is uniquely incompetent; it's that <strong>AI platforms create a new class of attack surface</strong> that isn't getting traditional security scrutiny. RAG pipelines ingest from diverse sources, chat interfaces accept freeform input, and backends have broader database access than typical CRUD apps.</p><hr><h3>'Living Off the Cloud' Is Now a Named Threat Category</h3><p>The evolution from LOTL (living off the land — abusing OS binaries like PowerShell) to <strong>LOTC (living off the cloud)</strong> is the most architecturally significant security development this week. CSO identified <strong>12 distinct abuse patterns</strong> where attackers use your own S3 buckets for staging, your own Lambda functions for execution, your own IAM roles for lateral movement, and your own SaaS integrations for exfiltration. Every action looks like legitimate infrastructure usage. Your SIEM sees normal API calls from expected service principals.</p><p>This isn't a vulnerability to patch — it's a <strong>threat model shift</strong>. The fix: identity-centric security with behavioral baselines. You need to know what 'normal' looks like for every service principal and alert on deviations. CloudTrail + GuardDuty is the minimum on AWS; add custom detections for your specific service principal behavior patterns.</p><hr><h3>Also Active This Week</h3><ul><li><strong>Salesforce Experience Cloud</strong>: guest user misconfigurations being actively exploited to harvest data from public portals — audit guest permissions immediately</li><li><strong>SAP patching CVE-2019-17571</strong> — a 7-year-old Log4j 1.x deserialization CVE — as critical in 2026, proving transitive dependency debt is real</li><li><strong>North Korean actors weaponizing GitLab</strong> repos to deliver malware payloads to developers and running fake IT worker infiltration campaigns</li></ul>

   Action items

   • Patch HPE Aruba CX switches immediately or ACL management interfaces to known admin IPs as stopgap
   • Audit and patch all n8n instances; enumerate every credential and API key n8n can access and rotate any that were exposed
   • Pen-test your AI platform's input paths this week — including RAG ingestion, chat interfaces, and embedding generation endpoints
   • Run a 'living off the cloud' threat modeling exercise: map every service principal, IAM role, and cross-account trust relationship
   • Run SCA scan for transitive dependencies with CVEs older than 2 years, specifically targeting Log4j 1.x family

   Sources:If you self-host n8n: 24,700 instances exposed to active RCE — patch or isolate today · Critical unauth admin takeover in Aruba CX switches + 9 Azure vulns: your patch queue just exploded · An AI agent just chained 4 low-sev bugs into admin takeover — your CVSS-based prioritization is broken · Half of SWE-bench-passing AI PRs get rejected — and McKinsey's AI got SQLi'd in 2026 · Your CLI-first tooling bet just got validated: AI agents are forcing a structured-interface renaissance

2. 02

   AI Agent Security Just Got Its 'Assume Breach' Doctrine — Here's How to Architect It

   <h3>OpenAI's Paradigm Shift: Contain, Don't Filter</h3><p>OpenAI published guidance this week explicitly stating that <strong>prompt injection defenses should shift from input detection to impact limitation</strong> — treating successful manipulation as inevitable and designing for containment. If you've built distributed systems, you'll recognize this immediately: it's the 'assume breach' model that network security adopted years ago, now applied to AI agents. The practical implication is that every tool your agent can invoke needs <strong>its own privilege boundary</strong>. Your agent shouldn't have a single credential set that lets it read databases, write files, call external APIs, and send emails.</p><blockquote>Think of it like microservice-level IAM policies, but for every step in your agent's execution graph. Prompt-level guardrails are necessary but insufficient — exactly like perimeter firewalls.</blockquote><hr><h3>CodeWall Proves Compound Vulnerability Exploitation Is Automated</h3><p>The most architecturally significant validation of this paradigm: <strong>CodeWall's autonomous AI agent chained four individually-low-severity bugs</strong> (permissive CORS + IDOR + weak session token + privilege escalation) into full admin access on a production hiring platform. No human guidance. This is the first widely-reported instance of an AI agent replicating what experienced pentesters do intuitively — systematically exploring combinatorial attack paths.</p><p>If your security program triages vulnerabilities by CVSS score and shelves anything below 7.0, <strong>you now have empirical evidence this approach has a critical blind spot</strong>. Defense-in-depth — which sometimes feels like unnecessary belt-and-suspenders paranoia — is the primary defense against adversaries that can systematically explore combinations.</p><hr><h3>Perplexity's Comet: Your Agent Is the Victim, Not the Human</h3><p>Perplexity's agentic AI browser was tricked into executing a <strong>full phishing attack in under 4 minutes</strong>. The fundamental insight: AI agents that browse the web inherit all web attack surfaces minus the human judgment that usually prevents worst outcomes. A web page the agent visits can contain adversarial instructions. An email the agent reads can social-engineer it. The agent's <strong>context window is an input vector</strong> attackers will target.</p><h3>Architectural Requirements for Agent Systems</h3><table><thead><tr><th>Control</th><th>Implementation</th><th>Purpose</th></tr></thead><tbody><tr><td><strong>Scoped permissions</strong></td><td>Per-tool IAM policy, not agent-wide credentials</td><td>Limit blast radius per capability</td></tr><tr><td><strong>Capability allow-lists</strong></td><td>Agent can GET from domain list, never POST</td><td>Prevent state-changing side effects</td></tr><tr><td><strong>Confirmation gates</strong></td><td>Human approval for irreversible actions</td><td>Circuit breaker on destructive operations</td></tr><tr><td><strong>Rate limits</strong></td><td>Per-tool, per-session action budgets</td><td>Contain automated exploitation loops</td></tr><tr><td><strong>Input sanitization</strong></td><td>Filter external content before agent context</td><td>Reduce adversarial prompt surface</td></tr></tbody></table><hr><h3>Where Sources Converge and Diverge</h3><p>Five independent sources this week identified AI agent security as a first-class architectural concern — not a niche research topic. They converge on the containment model: <strong>assume the agent will be manipulated, design to limit what manipulation can achieve</strong>. Where they diverge is on timeline. OpenAI frames this as guidance for systems being built today. The CodeWall demo suggests systems already in production are already vulnerable. The McKinsey breach proves the simplest attack vectors (SQLi) are being overlooked in the rush to ship. <em>The most urgent gap isn't sophisticated attacks — it's basic hygiene on novel surfaces.</em></p>

   Action items

   • Map every tool and API your AI agents can call; verify each has least-privilege access with separate credentials
   • Add confirmation gates before all irreversible agent actions (writes, deletes, external API calls with side effects)
   • Review your vulnerability triage framework — implement compound risk scoring that evaluates chains, not just individual CVSS
   • Sandbox any agent web browsing in isolated environments with explicit domain allow-lists

   Sources:Prompt injection → social engineering: OpenAI's agent defense shift changes how you architect trust boundaries · An AI agent just chained 4 low-sev bugs into admin takeover — your CVSS-based prioritization is broken · If you self-host n8n: 24,700 instances exposed to active RCE — patch or isolate today · Half of SWE-bench-passing AI PRs get rejected — and McKinsey's AI got SQLi'd in 2026 · Your vendor trust model is broken: $75M insider attack exploited the negotiator→attacker trust boundary

3. 03

   Your Interfaces Were Built for Humans — AI Agents Need Something Different

   <h3>Managed RAG Arrives Inside the Model API</h3><p>Google DeepMind shipped <strong>File Search Tool as managed RAG inside the Gemini API</strong>, collapsing document ingestion, chunking, embedding, vector indexing, and retrieval into a single API call. This is the same move AWS made with Kendra, but now it's happening <em>inside the foundation model API itself</em> — retrieval and generation are tightly coupled with no network hop between them.</p><p>For teams maintaining custom RAG pipelines (Pinecone/Weaviate + custom embeddings + bespoke chunking + re-ranking), the question isn't whether managed RAG is good enough — it's whether your custom pipeline is <strong>enough better to justify the engineering overhead</strong>. For most internal-facing use cases (doc search, knowledge bases, support automation), the honest answer is probably no.</p><p><strong>Where custom still wins:</strong> domain-specific retrieval with tuned chunking, hybrid dense/sparse search, and deterministic control over retrieval. Multimodal retrieval is flagged as the 'next phase' — if your knowledge base includes diagrams, screenshots, or mixed PDFs, managed multimodal RAG will leapfrog most custom text-only pipelines within a quarter.</p><hr><h3>The CLI Renaissance Is Agent-Driven</h3><p>AI agents need <strong>structured, scriptable, deterministic interfaces</strong> to reliably operate systems. GUIs are built for human cognition; CLIs are built for programmatic composition. When your new 'user' is an LLM-driven agent that needs to discover capabilities, invoke them precisely, and parse output, <strong>CLI wins by a mile</strong>. Every service and internal tool should expose a CLI with <code>--output json</code> as a first-class citizen.</p><blockquote>The cost of retrofitting CLI interfaces later when agent integration becomes table stakes is 5× what it costs to design them in now.</blockquote><p>Consider generating CLIs from existing API specs (OpenAPI → CLI generators) rather than maintaining both surfaces manually. The <strong>Agent Browser Protocol (ABP)</strong> takes this further — a specialized Chromium build that pauses JS execution between agent actions, converting the browser into a discrete state machine. Each action operates on a frozen, stable page state, solving the root cause of flaky browser automation rather than treating symptoms with waits and retries.</p><hr><h3>The SaaS Moat Is Shifting from UI to API</h3><p>When an AI agent is your primary consumer, most SaaS assumptions break. Agents need <strong>structured error codes</strong> (not 'Something went wrong'), <strong>idempotent operations</strong> (they'll retry), <strong>cursor-based pagination</strong> (they'll traverse everything), and auth that doesn't require OAuth browser redirects. Per-seat pricing is eroding — decouple your billing from user identity and instrument on richer dimensions: API calls, data volume, workflows completed.</p><p><strong>Mistral acquiring Koyeb</strong> signals model providers are vertically integrating into deployment infrastructure. Your defensive architecture: ensure model interaction layers use clean abstractions so you can swap providers without rewriting application logic. The vertical integration trend will repeat across every major model provider within 12 months.</p><hr><h3>Context Engineering: The Layer That Actually Matters</h3><p>The bottleneck for AI agents has shifted from data access to <strong>contextual reasoning across disparate knowledge sources</strong>. The problem: you give an agent codebase access via MCP, and it generates syntactically correct code that completely misses your architectural patterns — because those are documented in ADRs, debated in PR reviews, and explained in Slack. Context-Driven Development (CDD) proposes treating LLM context as a <strong>first-class engineering concern</strong> with ownership, structure, and maintenance processes. The quality of AI-assisted output is bounded by context quality.</p>

   Action items

   • Benchmark Google's File Search Tool against your current RAG pipeline on your top 3 use cases — measure retrieval precision, latency, and total engineering cost
   • Audit every internal tool for CLI accessibility — ensure JSON output, proper exit codes, and scriptable flags for all automation surfaces
   • Decouple billing/metering infrastructure from user-seat identity; instrument API calls, data volume, and workflow completions
   • Establish structured LLM context management — move beyond ad-hoc /docs directories to owned, hierarchical, maintained context layers

   Sources:Google's managed RAG in Gemini API just changed your build-vs-buy calculus for retrieval pipelines · Your CLI-first tooling bet just got validated: AI agents are forcing a structured-interface renaissance · Your SaaS product's API surface is now its moat — not its UI. Here's what to rearchitect first. · Half of SWE-bench-passing AI PRs get rejected — and McKinsey's AI got SQLi'd in 2026