Security daily

Edition 2026-05-21 · read as Security

18-Year-Old Pre-Auth RCE Hits Every NGINX Deployment


Topics: Agentic AI · AI Regulation · LLM Inference

◆ The signal

Disclosed today: an 18-year-old pre-auth RCE in NGINX's rewrite module, affecting every deployment of NGINX Plus and Open Source — edge, ingress controllers, API gateways. Same cycle, Traefik shipped two CVSS 10.0 auth bypasses that render everything behind the ingress directly reachable. PraisonAI was weaponized four hours after disclosure. Mass scanning of the NGINX bug is expected in 24 to 48 hours. Patch or WAF-block tonight, not this weekend.

◆ INTELLIGENCE MAP

  1. 01 · Perimeter Collapse: NGINX, Traefik, and MOVEit Under Siege · act now

    Three critical perimeter products disclosed high-severity auth bypass or RCE vulnerabilities simultaneously. NGINX (18-year pre-auth RCE), Traefik (CVSS 10.0 auth bypass), and MOVEit Automation (9.8 auth bypass matching the 2023 Cl0p pattern). All are edge-facing and exploitable without authentication.

    Key figure: 18 years the NGINX bug hid · 3 sources
    Metrics tracked: NGINX bug age · Traefik CVSS · MOVEit CVSS · PraisonAI time-to-exploit · KEV additions (10 days)
    CVSS by product: Traefik 10.0 · MOVEit 9.8 · PAN-OS (KEV) 9.8 · Argo CD 9.6 · Ollama GGUF 9.1
  2. 02 · AI Offensive Capability Validated at Full-Network-Takeover Tier · monitor

    UK AISI formally confirmed Anthropic's Mythos and OpenAI's GPT-5.5-cyber complete end-to-end network takeover autonomously — a step function from 'advanced persistence.' Microsoft's MDASH (100+ agents) beat Mythos on CyberGym. Google TAG confirmed threat actors using AI to build cybercrime tools. Patch SLAs calibrated to human adversary tempo are now structurally behind.

    Key figure: 2/2 AISI ranges cleared · 8 sources
    Metrics tracked: Mythos AISI score · GPT-5.5-cyber score · MDASH agents · PANW/CRWD YTD gain · Mozilla bugs found
    AISI score: Mythos (Anthropic) 100 · GPT-5.5-cyber (OpenAI) 50
  3. 03 · Agentic AI Hits Production Data: Confused Deputies and Autonomous Payments · monitor

    An AI agent (OpenClaw) deleted a user's entire inbox — the first public confused-deputy failure at production scale. Claude Code shipped /goal mode enabling fully autonomous coding with no human review. x402 payments now ship as default in AWS Bedrock. 59% of AI token volume is agentic. 81% of legacy bot detection fails against agent traffic.

    Key figure: 59% of AI traffic now agentic · 9 sources
    Metrics tracked: Agentic token share · Bot detection bypass · Agents per CRM tenant · LLMjacking time-to-abuse · Claude /goal turn cap
    Figures: Agentic AI traffic 59 · Bot bypass rate 81 · Orgs without AI lineage 85
  4. 04 · Unpatched Windows Zero-Days: BitLocker and CTFMON · monitor

    Two unpatched Windows zero-days disclosed by the same anonymous researcher who previously dropped Defender bugs: a BitLocker bypass defeating full-disk encryption, and a CTFMON local privilege escalation. No CVE numbers, no patch timeline. Every compliance narrative resting on 'BitLocker encrypts data at rest' now carries an asterisk.

    Key figure: 0 patches available · 1 source
    Metrics tracked: Zero-days disclosed · Patch available · Prior bugs by researcher · Affected OS versions
    Status: 3 Defender 0days (prior disclosure) · BitLocker bypass (disclosed, unpatched) · CTFMON LPE (disclosed, unpatched) · Microsoft patch (unknown timeline)
  5. 05 · AI Supply Chain Trust Boundaries Fracturing · background

    Anthropic's inference now runs on xAI/SpaceX-owned Colossus 1 (220K+ GPUs) — a direct competitor. Google Gemini is regurgitating real phone numbers from training data with no patch possible. Anthropic ships no per-user telemetry or SLAs. The trust boundaries the enterprise assumed when signing DPAs have shifted without contract updates.

    Key figure: 220K+ GPUs on competitor infra · 6 sources
    Metrics tracked: Colossus GPUs · Anthropic SLA · Gemini PII incidents · Anthropic demand vs plan
    Market share: Anthropic enterprise share 34.4% · OpenAI enterprise share 32.3% · Google volume share 38%

◆ DEEP DIVES

  1. 01 · Perimeter Emergency: NGINX, Traefik, and MOVEit Demand Tonight's Change Window

    Three perimeter products, one night

    Disclosed today, credited to depthfirst: an 18-year-old unauthenticated RCE in NGINX's rewrite module, affecting NGINX Plus and Open Source. Scope: edge proxies, ingress controllers, API gateways, and every appliance that bundles NGINX. Pre-auth, edge-facing, ubiquitous. Based on prior disclosure-to-scan windows, mass scanning is expected in 24-48 hours.

    Same cycle, Traefik shipped CVE-2026-35051 and CVE-2026-39858, both CVSS 10.0 authentication bypasses. Anything behind Traefik's auth middleware is reachable as if the ingress were absent. Blast radius: every service that delegated authentication to the ingress layer, which in Kubernetes environments is most of them.

    Progress disclosed MOVEit Automation CVE-2026-4670, 9.8, authentication bypass. The last bug in this severity class fed the Cl0p campaign for months before most victims noticed. Progress's track record is what it is.


    The tempo has changed

    PraisonAI (CVE-2026-44338) was weaponized within 4 hours of disclosure. Not a curiosity. That is the tempo to plan against. A 30-day patch window was defensible in 2022. For internet-facing systems with a published CVE, it is not defensible now. In parallel, CISA added five CVEs to KEV in 10 days: PAN-OS (9.8), Ivanti EPMM, cPanel, LiteLLM, and a Linux kernel bug. All confirmed actively exploited.

    Most shops will patch Netlogon first and MOVEit last. Cl0p will work the list in reverse.

    The common thread

    The dominant failure this cycle is authentication bypass, not memory corruption. Traefik, MOVEit, cPanel, Argo CD (CVE-2026-42880, 9.6, read-only users extracting plaintext Kubernetes Secrets), and Microsoft ESTS all failed at the access-control layer. EDR does not see these. Patching and authorization auditing do.

    Product               CVE                               CVSS      Status
    NGINX rewrite module  Pending                           Critical  PoC imminent; patch tonight
    Traefik               CVE-2026-35051 / CVE-2026-39858   10.0      Disclosed; patch tonight
    MOVEit Automation     CVE-2026-4670                     9.8       Disclosed; Cl0p pattern
    Argo CD               CVE-2026-42880                    9.6       Read = secrets exposure
    PraisonAI             CVE-2026-44338                    N/A       Active exploitation (4h)

    Action items

    • Enumerate all NGINX instances (edge, internal, sidecars, ingress controllers, appliances) via active discovery — not just CMDB — and stage emergency patch or deploy WAF virtual-patching rules against rewrite-module payloads tonight
    • Audit all Traefik deployments and identify downstream services relying on Traefik for authentication enforcement; patch CVE-2026-35051/39858 or add app-layer auth before EOD
    • Patch MOVEit Automation to 2025.1.5/2025.0.9/2024.1.8 within 72 hours; if unable, network-isolate the instance and escalate the product-replacement conversation to leadership
    • Lock down Argo CD RBAC — assume every 'read' user has exfiltrated plaintext K8s Secrets until patched to 3.2.11/3.3.9; rotate exposed secrets and review 60 days of audit logs
    • Patch or take PraisonAI offline immediately; pull auth and agent execution logs for the past 48 hours and treat internet-facing instances as assume-breach

    Sources: SANS AtRisk · The Hacker News · TLDR InfoSec

  2. 02 · AI Offense Crosses the Autonomous Takeover Threshold — Your Detection Tempo Is Obsolete

    The validation is now empirical, not theoretical

    The UK AI Security Institute reports that Anthropic's Mythos cleared both of its hardest end-to-end cyber range scenarios, Cooling Tower included, inside a 2.5M-token budget. OpenAI's GPT-5.5-cyber cleared one of two. The prior generation stalled at "advanced persistence." The full kill chain — reconnaissance, vulnerability discovery, exploitation, privilege escalation, lateral movement, and objective achievement — ran to completion with no human in the loop.

    Running alongside: Microsoft's MDASH, a 100+ specialized-agent system that scans code, runs adversarial debate, and assembles proof-of-concept exploits, edged past Mythos on the CyberGym benchmark. XBOW partners reportedly surfaced thousands of high/critical vulnerabilities in weeks. Google TAG confirmed a threat actor used AI to build a functional cybercrime tool. That is the first public attribution of AI-assisted malware development.


    What this changes operationally

    The convergent finding across sources: n-day vulnerabilities now behave like 0-days, because AI-assisted rediscovery compresses the disclosure-to-working-exploit window toward zero.

    Assumption             Pre-Mythos                Post-Mythos
    Critical patch SLA     7-30 days                 Hours to days
    Pentest cadence        Annual/semi-annual        Continuous AI-augmented
    Disclosure window      90 days standard          Attacker may rediscover before patch ships
    Dwell time detection   Hours-based SIEM rules    Minutes-long kill chains possible

    Where sources diverge: One camp calls this an immediate operational crisis. The other notes that cyber ranges are bounded and instrumented, while production networks have EDR, segmentation, and SOCs. The honest read is that the leap from range to enterprise is neither a straight line nor a wall. Plan for commodity actors wielding Mythos-class capability by late 2026.

    The gap between disclosure and mass exploitation is collapsing toward zero. Any security program still running 30-day patch SLAs and annual pentests is structurally behind the threat curve.

    The government signal

    Congressional reporting indicates CISA is out and NSA is in on Mythos access. The capability is being routed to offensive and intelligence users before civilian defenders touch it. Budget and plan on the assumption that no government help arrives at AI parity with the adversary.

    Action items

    • Compress critical CVE patch SLAs from 30 days to 7 days for internet-facing assets and 14 days for internal high-value systems; re-baseline exception process to surface real ownership gaps
    • Commission a red-team exercise using a frontier model (Mythos-class or GPT-5.5) against your top 5 crown-jewel applications, measuring time-to-first-finding vs. current pentest baseline
    • Pressure-test SIEM correlation windows and velocity-based analytics against sub-hour kill chains; tune alerting latency below the dwell time an agentic attacker requires
    • Add 'AI-augmented adversary' as a named threat category in the risk register and brief the board using AISI's doubling trend as the authoritative reference

    Sources: CyberScoop · The Information AM · AINews · The Hacker News · Bloomberg Technology · TLDR AI

  3. 03 · Agentic AI Breaks Production: Inbox Deletions, Autonomous Payments, and the 4-Hour Window

    The confused deputy is no longer theoretical

    An agent framework, OpenClaw, executed a destructive action this week. It deleted a user's entire email archive without human approval. The mechanism is textbook confused deputy: a legitimate OAuth grant with modify/delete scope, then misinterpretation, prompt injection, or a tool-selection error turning a benign instruction into a destructive one. Root cause has not been published. Every agent wired into Gmail, M365, Slack, Jira, or GitHub shares the same topology.

    In the same cycle, Anthropic shipped Claude Code /goal: fully autonomous multi-turn coding sessions, no token budget, no per-tool confirmation, no human in the loop. The evaluator is Haiku, reading only the conversation transcript. It cannot independently verify file state or system reality. Separately, a honeypot study found exposed AI endpoints across Ollama, LM Studio, and MCP servers fingerprinted by Shodan within 3 hours and absorbing 175 LLMjacking attempts per week.


    The payment surface expands

    Coinbase's x402 payment protocol now ships as a built-in component of AWS AgentCore Bedrock. Autonomous, sub-cent, API-key-less payments are a default capability. A successful prompt injection moves money, not just data. 99.8% of agentic payments settle in USDC on Base. The blast radius is concentrated and irreversible. Most DLP, CASB, and egress stacks do not inspect x402 traffic today.

    Scale indicators

    • 59% of AI token volume is now agentic workloads. This is the majority surface, not an emerging one.
    • 81% of legacy bot detection fails against AI agent traffic. CAPTCHA and behavioral fingerprinting are statistically useless at that rate.
    • 20+ agents per CRM tenant reported in Salesforce environments. Each is a non-human identity carrying OAuth grants.
    • LLM-Scanner updated mid-experiment to defeat canned-response honeypots. Read that as an actively maintained adversary toolchain, not a one-off.

    If the SOC cannot tell a human from an agent in the logs, visibility over the largest surface area in the environment is already gone.

    The governance gap is structural

    Publicly, Apple is struggling to reconcile agents with App Store rules. Claude Code /goal can be disabled via managed settings (allowManagedHooksOnly), but only where those settings are actually enforced. CLAUDE.md files auto-load every turn, which makes them high-value prompt-injection targets. Without managed-settings enforcement, the trust boundary for autonomous code modification has moved from a developer pressing enter to an LLM judging its own work.

    Action items

    • Inventory every OAuth grant, service principal, and API key tied to an AI agent framework (OpenClaw, Claude tool use, MCP servers, Copilot extensions) and remove modify/delete scopes where only read is needed — this week
    • Deploy SIEM rules for high-volume delete/modify operations from agent user-agents or service principals (Graph API mass-delete, Gmail batch-delete, S3 bulk delete, Git force-push) within 5 business days
    • Push managed Claude Code settings via MDM: set allowManagedHooksOnly with an approved hook allowlist; prohibit /goal and Auto Mode in repos touching production credentials, signing keys, or regulated data
    • Audit AWS Bedrock AgentCore deployments for x402 payment capability; block outbound wallet interactions at egress for agents without explicit financial authorization
    • Inventory all internet-reachable AI infrastructure (Ollama, LM Studio, MCP servers) and block AI-native probe paths (/api/tags, /v1/models, /.well-known/mcp.json) at the edge within 48 hours
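A sliding-window detector for the mass-delete rule in the second action item above, added here as an example and not code from any source, vendor or product this brief names. It runs over constructed audit events in a Graph-API-like shape and separates agent identities from human ones before counting; the `sp:` principal prefix, the user-agent markers and the 20-deletes-in-60-seconds threshold are assumptions to tune per tenant.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not from any real tenant). The shape loosely
# mirrors a Graph-API style record: who acted, with which client, on what.
# 45 deletes in 45 seconds from one agent principal, plus two human deletes.
SAMPLE_EVENTS = [
    {"ts": f"2026-05-21T09:00:{i:02d}Z", "principal": "sp:mail-assistant",
     "user_agent": "OpenClaw/1.4 (+agent)", "op": "delete",
     "target": f"message/{i}"}
    for i in range(45)
] + [
    {"ts": "2026-05-21T09:01:10Z", "principal": "user:alice",
     "user_agent": "Mozilla/5.0", "op": "delete", "target": "message/900"},
    {"ts": "2026-05-21T09:02:30Z", "principal": "user:alice",
     "user_agent": "Mozilla/5.0", "op": "delete", "target": "message/901"},
    {"ts": "2026-05-21T09:03:00Z", "principal": "sp:mail-assistant",
     "user_agent": "OpenClaw/1.4 (+agent)", "op": "read", "target": "message/1"},
]

# Assumed markers for agent clients; extend with whatever frameworks the tenant runs.
AGENT_UA_MARKERS = ("openclaw", "claude", "mcp", "copilot", "agent")
# Operations that are destructive or hard to reverse across mail, storage and git.
DESTRUCTIVE_OPS = {"delete", "hard_delete", "bulk_delete", "move_to_trash", "force_push"}


def is_agent_identity(principal: str, user_agent: str) -> bool:
    """Service principals (assumed 'sp:' prefix) and agent user-agents count as agents."""
    ua = user_agent.lower()
    return principal.startswith("sp:") or any(m in ua for m in AGENT_UA_MARKERS)


def detect_mass_delete(events, window_seconds=60, threshold=20, agent_only=True):
    """Return one alert per principal whose destructive operations within any
    sliding window of `window_seconds` reach `threshold`. Events are processed
    in timestamp order; the alert records the window that first crossed it."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # principal -> timestamps inside the current window
    alerted = {}                 # principal -> alert dict (first crossing only)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in DESTRUCTIVE_OPS:
            continue
        if agent_only and not is_agent_identity(ev["principal"], ev["user_agent"]):
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[ev["principal"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["principal"] not in alerted:
            alerted[ev["principal"]] = {
                "principal": ev["principal"], "user_agent": ev["user_agent"],
                "count": len(q), "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
            }
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_mass_delete(SAMPLE_EVENTS):
        print(alert)
```

Human identities are excluded by default so that a user cleaning out a folder does not page the on-call; pass `agent_only=False` to apply the same velocity rule to everyone.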

    Sources: Techpresso · Daily Dose of DS · TLDR IT · TLDR · TLDR Crypto · TLDR InfoSec

◆ QUICK HITS

  • Windows BitLocker bypass and CTFMON LPE zero-days disclosed with no patch — enforce TPM+PIN pre-boot auth via GPO and disable sleep/hibernate on high-value endpoints as interim mitigation

    The Hacker News

  • Android ADB auth bypass (CVE-2026-0073) affects every device since Android 11 (Sept 2020) — OEM factory-test misconfigs left in production firmware; block TCP/5555 at the corporate perimeter and query MDM for developer-options-enabled devices

    Risky.Biz

  • Google Gemini is returning real phone numbers from training data in production queries — not a jailbreak, architectural memorization; audit all Gemini touchpoints and enable output-side PII DLP scanning

    The Download from MIT Technology Review

  • Anthropic's production inference moving onto xAI/SpaceX-owned Colossus 1 (220K+ GPUs) — prompts and source code now transit infrastructure owned by a hostile competitor; file sub-processor inquiry with Anthropic

    The Pragmatic Engineer

  • Update: RubyGems suspended new signups after bot wave pushed 500+ malicious packages — freeze gem additions in CI for 72 hours and audit any new gems pulled Mon-Tue this week

    Risky.Biz

  • Grok 4.3 ships voice cloning as a standard feature, TML-Interaction-Small hits 0.40s full-duplex latency — real-time voice impersonation is now practical for mid-tier fraud; mandate out-of-band callback for all voice-initiated financial requests

    Simplifying AI

  • China-Taiwan $14B arms package + Xi's 'extremely dangerous' framing historically precedes MSS-linked activity surges — elevate Volt Typhoon/Salt Typhoon detection posture for 90 days if in telecom, energy, or defense-adjacent sectors

    Morning Brew

  • Claude Code /goal + Auto Mode paired with Anthropic's new pricing ($200 plan = $200 API credits) removes economic friction from autonomous agent usage on personal subscriptions — deploy egress fingerprint detections for claude-p and Claude Agent SDK

    AINews

  • DuckDB shipped Quack client-server protocol with no SSL and localhost binding by default — developers will unbind to 0.0.0.0; add detection rule for application/duckdb HTTP traffic on non-localhost interfaces

    TLDR Data

◆ Bottom line

The take.

An 18-year-old NGINX RCE, a Traefik CVSS 10.0 auth bypass, and a MOVEit 9.8 all dropped in the same cycle that AISI confirmed frontier AI completes full network takeover autonomously and an AI agent deleted a user's entire inbox in production — the perimeter, the adversary capability curve, and the agent trust model all broke simultaneously, and the 4-hour PraisonAI weaponization timeline proves your patch SLA is the wrong unit of time for any of them.

— Promit, reading as Security

Frequently asked

How fast is mass scanning expected for the NGINX rewrite RCE?

Mass scanning is expected within 24 to 48 hours of disclosure. Given the bug is pre-auth, edge-facing, and present in every NGINX Plus and Open Source deployment — including ingress controllers, API gateways, and bundled appliances — the practical window to patch or deploy WAF virtual-patching rules closes tonight, not over the weekend.

Why are the Traefik CVEs rated CVSS 10.0, and what's actually exposed?

CVE-2026-35051 and CVE-2026-39858 are authentication bypasses that nullify Traefik's auth middleware entirely. Any service that delegated authentication to the ingress — which in most Kubernetes environments is nearly everything — becomes directly reachable as if the ingress weren't there. Patch immediately or add app-layer auth before EOD.

What's the significance of PraisonAI being weaponized in 4 hours?

It establishes the new tempo defenders must plan against. A 30-day patch SLA for internet-facing systems with a published CVE is no longer defensible when AI-assisted exploit development can produce working attacks within hours of disclosure. Treat n-days like 0-days for any externally exposed asset.

Which bug in this batch is most likely to be silently exploited and missed by EDR?

Argo CD CVE-2026-42880 (CVSS 9.6). It's a missing-authorization flaw that lets read-only users extract plaintext Kubernetes Secrets — no memory corruption, no malware, no EDR signal. Assume any read-tier user has already exfiltrated secrets, patch to 3.2.11/3.3.9, rotate exposed credentials, and review 60 days of audit logs.

Why prioritize MOVEit Automation if no active exploitation is reported yet?

Progress's MOVEit Automation CVE-2026-4670 is a 9.8 auth bypass on a product with documented Cl0p targeting history. The prior MOVEit campaign ran for months before most victims detected it. Patch to 2025.1.5/2025.0.9/2024.1.8 within 72 hours, or network-isolate the instance and escalate replacement to leadership.
