A (0:00)

Cybersecurity Today we'd like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at meter.com CST CISA flags six actively exploited Microsoft vulnerabilities all in one month phishing that comes from your own servers Claude's zero click vulnerability raises bigger question Bug or design risk? Think romance scams? Target elderly women, McAfee says. Think again. This is cybersecurity today. I'm your host Jim Love. CISA has just added six new vulnerabilities to its known exploited vulnerabilities catalog, and what makes this stand out is simple. All six are Microsoft flaws, and all six are already being exploited in the wild. That's the trend line that matters. The vulnerabilities span core Windows components in Microsoft Office. Two of them, CVE2026 21510 and CVE2026 21 53, are security bypass flaws in Windows Shell and the MSHTML engine, both rated 8.8 out of 10. In plain terms, attackers can slip past built in protections designed to warn users before malicious code run. There's also a word security bypass, CVE2026 21:514, which allows a crafted document to evade safeguards that's familiar territory. Document based lures remain one of the most reliable initial access vectors. The remaining issues are privilege escalation flaws, one in Desktop Window Manager, another in Remote Desktop Services, and one affecting the remote access connection management. Once an attacker gets a foothold, these bugs can help them climb out to system level access. So six actively exploited Microsoft vulnerabilities in a single cycle. This is not routine. It reinforces something we keep seeing. Attackers are targeting the most common components in enterprise environments because that's where scale lives. So if you haven't prioritized patching against these issues, this is your friendly reminder. Here's a twist on phishing that should get your attention. Researchers from Praetorian have detailed a technique where attackers aren't spoofing domains. They're using your own infrastructure to send malicious mail. By manipulating input fields in public, facing APIs like newsletter signups, contact forms, or even password resets, they can force your system to generate phishing emails. And because these originate from authorized servers, they're going to pass the SPF and DMARC authentication and land in the primary inbox, just like any legitimate message. This isn't about tricking email filters. It's about abusing the trust those filters place in messages that come from valid senders. Email authentication tells you where the mail came from, not whether it should have been sent in the first place, and that's what makes this effective. Praetorian's analysis also notes how this can pair with flaws in error handling that leak OAuth tokens, giving attackers authenticated access without needing user credentials. The takeaway is clear authentication checks alone aren't enough. You need strict input validation on every public API that can trigger outgoing mail, suppression of verbose debug output in production, and controls around how and when systems send messages on behalf of users. A newly disclosed vulnerability in Anthropic's cloud desktop extensions has exposed more than 10,000 users to what researchers describe as zero click remote code execution. The flaw was identified by researchers at LayerX. It affects Claude desktop extensions tools built on Anthropic's Model Context Protocol, or MCP, which allows Claude to connect to external apps and automate tasks. The problem is that these extensions run with full user level system privileges, and they're not sandboxed the way browser extensions typically are. LayerX demonstrated that an attacker could send a malicious Google Calendar invite containing hidden instructions, and if the user later asked Claude something routine like Check my calendar and handle it, the AI could interpret and execute the embedded payload automatically. No warning, no click, just execution under the user's permissions. As a result, researchers assigned it a CVSS score of 10. What makes this different from traditional exploits is it doesn't rely on memory corruption or classic injection. It exploits trust boundaries. Claude is doing exactly what it's designed to do interpret context and act autonomously. The issue is that untrusted external content can be treated as actionable Instructions, according to LayerX, anthropic declined to treat this as a conventional vulnerability because the behavior aligns with the intended MCP architecture. Which leaves us with an uncomfortable question. When AI agents are given deep system access and autonomy, are these zero click executions bugs or an inevitable consequence of the actual design? If you think romance scams mostly target lonely elderly women, McAfee's latest research suggests you need to rethink that assumption. Two in five adults aged 18 to 24 said they'd encountered potential romance scams every week. That compares with just 1 in 20 adults over 65. But men are 65% more likely than women to report weekly exposure, and 21% of men say they've lost money, compared with 10% of women. Now we know from our conversations with groups like Project Shamrock an organization that educates law enforcement and the public, that both women and men can suffer devastating losses, sometimes in the hundreds of thousands of dollars. But in this McAfee study, specifically the higher dollar losses cluster among men aged 35 to 44, losses above $5,000 were reported only by men. Younger adults tend to lose smaller amounts, typically under $500. Now on the dollar and the reporting, we have to be careful because as studies will show, only about 15% of people actually report the losses. And maybe the bigger losses are masked because people are ashamed. But it's not just a direct outreach that we have to worry about. One in three respondents say they received a fake exclusive or invite only dating app invitation, and 14% actually signed up and shared personal or payment information. The McAfee Labs data shows the scale behind the survey. Between December 1, 2025 and January 22, 2026, the company blocked hundreds of thousands of romance related malicious URLs, including thousands tied to dating app themed content. Researchers also saw fake AI dating bots surging, some sending more than 60 messages in 12 hours, even when the target had no profile photo. And there's a mobile twist. McAfee detected tens of thousands of attempts to install malicious dating apps cloned from platforms like Tinder, Bumble and eharmony. Plenty of Phish accounted for 78% of of all detected fake dating app installation in this year's analysis, so the stereotypes don't hold. The target is broad, automated and increasingly AI driven. We're going to take a deeper dive into what's behind these trends. We're going to bring in some experts and a person who can actually tell their story about how they fell into this. That's all in our Weekend edition, available Saturday morning. Hope you can join us. And that's our show for today. We'd like to thank Meter for their support in bringing you the podcast. Meter delivers a full stack networking infrastructure, wired, wireless and cellular to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments and even run support. It's a single integrated solution that scales from branch offices to warehouses to large campuses, all the way to data centers. Book a demo@meter.com CST that's M E T E R.com CST I'm your host Jim Love. Thanks for listening.