Safe Mode Podcast – Episode Summary

Episode Title: The Access‑Trust Gap: Why Security Can’t See What Work Depends On
Date: December 18, 2025
Host: Greg Otto (A), Editor in Chief at Cyberscoop
Guests:

Matt Kapko (B), Cybersecurity Reporter
Dave Lewis (C), Global Advisory CISO, 1Password

Episode Overview

This episode tackles two major security issues:

The escalating "React 2 Shell" vulnerability sweeping the web, with an in-depth update from reporter Matt Kapko.
An exploration of the "Access Trust Gap" and the state of identity management in 2025 with Dave Lewis from 1Password, based on their latest report.

Listeners will gain insights on current threats, organizational gaps in access controls, and why both technology and human behavior are central to risk management.

Segment 1: The “React 2 Shell” Vulnerability

[00:32 – 09:05]

Key Discussion Points

Severity and Scope:
- Massive, max-severity vulnerability in React server components (an open source library used across the internet).
- Attackers from all groups—nation states, ransomware, financially motivated criminals—are actively exploiting it.
- Exploits enable attackers to gain initial access, elevate privileges, and move laterally.
Exploitability & Impact:
- “If you're an organization that's online... there's probably like a 1 in 3 chance that React is somewhere in your system.” — Matt Kapko [02:21]
- Over 60 confirmed victims reported by Palo Alto Networks’ Unit 42 (known victims, actual number likely higher).
- GreyNoise sensors report record-high attempted exploits.
Attack Methods & Actors:
- Multiple attack types: financial, ransomware, espionage.
- Google Threat Intelligence: at least five China state-sponsored groups, Iran-linked actors, and various financially motivated hackers all spotted exploiting the bug.
  - “It's attracting attention from all corners of the globe.” — Matt Kapko [03:08]
Patching Mess & Persistent Risk:
- Multiple, successive patches: original patch not fully effective, three new CVEs have emerged.
- “One of those vulnerabilities is a patch for a patch that wasn't patching.” — Matt Kapko [06:35]
- Industry-wide scrutiny is unearthing more flaws.
Detection Difficulty:
- Vulnerability used as an “initial access point”; exploit is trivial to trigger.
- At least 200 valid public exploits have been confirmed—the most ever for a CVE.
Future Outlook:
- Researchers expect long-term, Log4Shell-like consequences.
- “They're comparing it to vulnerabilities that have lived on in infamy, like log4shell... expecting this to be a problem for years.” — Matt Kapko [07:54]

Notable Quotes

Greg Otto [01:50]:
“React components are in just about everything… Is it connected to the internet? Yes? There's probably some React code in it.”
Matt Kapko [03:08]:
“No, not at all. That’s right on. Cyber criminals are exploiting the vulnerability for financially motivated attacks... Nation state threat groups from China, Iran, it’s attracting attention from all corners.”
Matt Kapko [06:35]:
“One of those vulnerabilities is a patch for a patch that wasn’t patching. …The original patch for the original React to Shell vulnerability will not address those new vulnerabilities.”
Matt Kapko [07:54]:
“Researchers... are fearful, really, that this is going to get worse. They expect it to have long tail implications down the line. They're comparing it to vulnerabilities that have lived on in infamy, like log4shell.”

Segment Timestamps

[00:32] Episode topic introduction and handoff to Matt Kapko
[01:17] Scope and severity of React 2 Shell
[03:08] Types of attackers and attack methods
[04:19] Volume and scope of exploitation
[05:30] How exploit works: entry point and lateral movement
[06:15] The patching mess and emergence of more CVEs
[07:20] Implications for holidays and long-term forecast
[08:31] Outlook for continuing risk

Segment 2: Access Trust Gap & Identity Management with Dave Lewis

[10:10 – 31:54]

Key Discussion Points

Defining the “Access Trust Gap”

What is it?
- “It is that difference between the assets you control versus the assets you don’t control.” — Dave Lewis [10:53]
- Example: BYOD (Bring Your Own Device) and unmanaged personal devices as sources of risk.
Why it’s hard:
- Loss of control, lack of visibility, and the human element remain key issues.
- “The most common issue, quite literally is that lack of control, that lack of observability, that lack of transparency as to what exactly is happening within their organizations.” — Dave Lewis [11:39]

Persistent Security Challenges

Same old problems, new tech:
- Many conversations from 20-30 years ago still apply; now AI and SaaS add complexity.
- Organizations rush to adopt new tech (AI, SaaS) without security “guardrails,” broadening the “blast radius” when things go wrong.
Top CISO Moves (First 90 days):
- Gap analysis to identify problems.
- Prioritize fixing identity (human & non-human).
- “The foundational element of any security program is the human element. And now by extension, we have the non human identities as well.” — Dave Lewis [13:44]

Weak Credentials: The Ongoing Struggle

44% of CISOs say employees using weak/compromised credentials is the top challenge.
“We have this preponderance of placing blame on the user… that is not a good approach by any measure.” — Dave Lewis [15:25]
Vilifying users drives shadow IT, encourages bypassing controls.

Making Security Work for Humans

Empower end users with simple, effective tools (password managers, seamless controls).
Security awareness should be empathetic and relevant—“your end users are in HR, they're in finance… Cybersecurity is not front of mind for them.” [16:05]
Developers must be engaged—not just end users—since secure coding is foundational.

BYOD, Device Trust, & SaaS

73% of employees use personal devices for work; half aren't managed by MDM.
“We have to put in technologies that are going to be, you know, seamless to the user, are going to be effective.” [20:06]
SaaS and AI platforms compound governance and visibility problems; shadow/rogue adoption is rampant.
CISO Quote:
“We have closed the door to AI projects coming into the environment, but they're now coming through the window.” [20:55]

Modern Asset & Application Inventory

Legacy tools required manual inventory input—no longer scalable.
True solution is intelligence-driven, automated discovery and observability.
Example:
- A CISO ran a manual asset inventory update and found 8,000 endpoints instead of 2,000—exposing a massive blind spot. [21:53]

AI, Agents, and Emerging Risks

Agentic AI:
- Current “level 2” (driver-assist), not fully autonomous yet.
- All agentic AI needs credentials and access to sensitive data and APIs—a new risk domain.
Anecdote:
- Internal LLM agent retrieved HR data to answer an employee’s question about who disliked them—poor guardrails, real data exposure. [24:04]
- “They had not put proper guardrails in place. So it actually was bona fide information.” [24:16]

SaaS Failure Modes & Risk Playbook

Overpermissioned roles and agents, “public sharing,” misconfiguration, and poor credential management named as top SaaS risk factors.
New tactics exploit invisible/white text instructions in emails to hijack agents and cover tracks (“echo leak” scenario).
“...the agent on that system read the email, executed the instructions and then deleted any evidence… and then gave remote control to the other party.” — Dave Lewis [25:45]

AI Security, Regulation, & Cost

Security is lagging behind AI and SaaS adoption; “mad rush” leaves holes.
Cost of tokens, failed AI governance, and readiness for new EU/US AI rules are real headaches ahead. [27:47]
“...the EU AI Act is very, very specific and it's very granular...and some of the stipulations are coming into effect very soon.” — Dave Lewis [28:56]

What Leaders Don’t Want to Hear

Fixing credentials and going “wall-to-wall” on password management, MFA, and SaaS governance are non-negotiable—but often neglected.
“Luck is not a strategy. It may play out for a lot of organizations out there, but it will potentially backfire.” — Dave Lewis [31:48]

Notable Quotes & Moments

On user blame:
“We have this preponderance of placing blame on the user... And if you are putting in a culture of fear, unfortunately, the users are going to do everything they can do to avoid being called out.” — Dave Lewis [15:25]
On the SaaS explosion:
“We have closed the door to AI projects coming into the environment, but they’re now coming through the window.” — Quoted by Dave Lewis, relaying a fellow CISO [20:55]
On wall-to-wall protection:
“Making sure that you have good password management, multifactor authentication, credential management, passwordless authentication, all of these elements help to reduce risk for the organization.” — Dave Lewis [31:08]
On the realities of AI and organizational readiness:
“We have to make sure that we’re not letting this get away from us because there is a real impact. You know, there are consequences and the ramifications thereof.” — Dave Lewis [28:57]

Segment Timestamps

[10:10] Interview with Dave Lewis begins
[10:53] Defining the “Access Trust Gap”
[11:39] Observability and control problems
[13:44] Top CISO priorities: gap analysis & identity
[14:29] Weak credentials still top challenge
[15:25] Why blaming users backfires—building a better culture
[19:10] BYOD, device trust, and MDM challenges
[20:06] Need for seamless, user-friendly security technology
[20:55] SaaS and AI governance headaches (“through the window”)
[21:53] Modern software asset inventory
[24:04] Agentic AI gone wrong—LLM querying real HR data
[25:21] SaaS failure modes: overpermissioned agents, new attack tactics
[27:47] AI security risks include both cost and compliance
[28:56] Looming AI legislation (EU AI Act)
[29:23] Advice leaders ignore but regret: “wall-to-wall” credential defense
[31:08] Wall-to-wall security: passwordless, MFA, credential management for all
[31:48] “Luck is not a strategy”

Takeaways for Listeners

React 2 Shell is an urgent, active threat. If your organization is online, assume some React exposure and review your patch status—multiple fixes may be required.
Access Trust Gaps manifest from device sprawl, SaaS chaos, BYOD, shadow AI, and basic credential weaknesses—organizations need continuous discovery and automation, not just policy.
Blaming users drives shadow IT and ultimately undermines security; empathy and user-centric design matter.
Credential, identity, and access management must be “wall-to-wall,” supported by modern, adaptive controls and not neglected in favor of “high profile” issues.
AI and SaaS introduce fundamentally new access risks, both technical and regulatory—observability, governance, and cost controls cannot be afterthoughts.

Summary by Safe Mode Podcast Summarizer | For more, visit cyberscoop.com or follow Safe Mode Podcast.

Safe Mode Podcast – Episode Summary

Episode Title: The Access‑Trust Gap: Why Security Can’t See What Work Depends On
Date: December 18, 2025
Host: Greg Otto (A), Editor in Chief at Cyberscoop
Guests:

Matt Kapko (B), Cybersecurity Reporter
Dave Lewis (C), Global Advisory CISO, 1Password

Episode Overview

This episode tackles two major security issues:

The escalating "React 2 Shell" vulnerability sweeping the web, with an in-depth update from reporter Matt Kapko.
An exploration of the "Access Trust Gap" and the state of identity management in 2025 with Dave Lewis from 1Password, based on their latest report.

Listeners will gain insights on current threats, organizational gaps in access controls, and why both technology and human behavior are central to risk management.

Segment 1: The “React 2 Shell” Vulnerability

[00:32 – 09:05]

Key Discussion Points

Severity and Scope:
- Massive, max-severity vulnerability in React server components (an open source library used across the internet).
- Attackers from all groups—nation states, ransomware, financially motivated criminals—are actively exploiting it.
- Exploits enable attackers to gain initial access, elevate privileges, and move laterally.
Exploitability & Impact:
- “If you're an organization that's online... there's probably like a 1 in 3 chance that React is somewhere in your system.” — Matt Kapko [02:21]
- Over 60 confirmed victims reported by Palo Alto Networks’ Unit 42 (known victims, actual number likely higher).
- GreyNoise sensors report record-high attempted exploits.
Attack Methods & Actors:
- Multiple attack types: financial, ransomware, espionage.
- Google Threat Intelligence: at least five China state-sponsored groups, Iran-linked actors, and various financially motivated hackers all spotted exploiting the bug.
  - “It's attracting attention from all corners of the globe.” — Matt Kapko [03:08]
Patching Mess & Persistent Risk:
- Multiple, successive patches: original patch not fully effective, three new CVEs have emerged.
- “One of those vulnerabilities is a patch for a patch that wasn't patching.” — Matt Kapko [06:35]
- Industry-wide scrutiny is unearthing more flaws.
Detection Difficulty:
- Vulnerability used as an “initial access point”; exploit is trivial to trigger.
- At least 200 valid public exploits have been confirmed—the most ever for a CVE.
Future Outlook:
- Researchers expect long-term, Log4Shell-like consequences.
- “They're comparing it to vulnerabilities that have lived on in infamy, like log4shell... expecting this to be a problem for years.” — Matt Kapko [07:54]

Notable Quotes

Greg Otto [01:50]:
“React components are in just about everything… Is it connected to the internet? Yes? There's probably some React code in it.”
Matt Kapko [03:08]:
“No, not at all. That’s right on. Cyber criminals are exploiting the vulnerability for financially motivated attacks... Nation state threat groups from China, Iran, it’s attracting attention from all corners.”
Matt Kapko [06:35]:
“One of those vulnerabilities is a patch for a patch that wasn’t patching. …The original patch for the original React to Shell vulnerability will not address those new vulnerabilities.”
Matt Kapko [07:54]:
“Researchers... are fearful, really, that this is going to get worse. They expect it to have long tail implications down the line. They're comparing it to vulnerabilities that have lived on in infamy, like log4shell.”

Segment Timestamps

[00:32] Episode topic introduction and handoff to Matt Kapko
[01:17] Scope and severity of React 2 Shell
[03:08] Types of attackers and attack methods
[04:19] Volume and scope of exploitation
[05:30] How exploit works: entry point and lateral movement
[06:15] The patching mess and emergence of more CVEs
[07:20] Implications for holidays and long-term forecast
[08:31] Outlook for continuing risk

Segment 2: Access Trust Gap & Identity Management with Dave Lewis

[10:10 – 31:54]

Key Discussion Points

Defining the “Access Trust Gap”

What is it?
- “It is that difference between the assets you control versus the assets you don’t control.” — Dave Lewis [10:53]
- Example: BYOD (Bring Your Own Device) and unmanaged personal devices as sources of risk.
Why it’s hard:
- Loss of control, lack of visibility, and the human element remain key issues.
- “The most common issue, quite literally is that lack of control, that lack of observability, that lack of transparency as to what exactly is happening within their organizations.” — Dave Lewis [11:39]

Persistent Security Challenges

Same old problems, new tech:
- Many conversations from 20-30 years ago still apply; now AI and SaaS add complexity.
- Organizations rush to adopt new tech (AI, SaaS) without security “guardrails,” broadening the “blast radius” when things go wrong.
Top CISO Moves (First 90 days):
- Gap analysis to identify problems.
- Prioritize fixing identity (human & non-human).
- “The foundational element of any security program is the human element. And now by extension, we have the non human identities as well.” — Dave Lewis [13:44]

Weak Credentials: The Ongoing Struggle

44% of CISOs say employees using weak/compromised credentials is the top challenge.
“We have this preponderance of placing blame on the user… that is not a good approach by any measure.” — Dave Lewis [15:25]
Vilifying users drives shadow IT, encourages bypassing controls.

Making Security Work for Humans

Empower end users with simple, effective tools (password managers, seamless controls).
Security awareness should be empathetic and relevant—“your end users are in HR, they're in finance… Cybersecurity is not front of mind for them.” [16:05]
Developers must be engaged—not just end users—since secure coding is foundational.

BYOD, Device Trust, & SaaS

73% of employees use personal devices for work; half aren't managed by MDM.
“We have to put in technologies that are going to be, you know, seamless to the user, are going to be effective.” [20:06]
SaaS and AI platforms compound governance and visibility problems; shadow/rogue adoption is rampant.
CISO Quote:
“We have closed the door to AI projects coming into the environment, but they're now coming through the window.” [20:55]

Modern Asset & Application Inventory

Legacy tools required manual inventory input—no longer scalable.
True solution is intelligence-driven, automated discovery and observability.
Example:
- A CISO ran a manual asset inventory update and found 8,000 endpoints instead of 2,000—exposing a massive blind spot. [21:53]

AI, Agents, and Emerging Risks

Agentic AI:
- Current “level 2” (driver-assist), not fully autonomous yet.
- All agentic AI needs credentials and access to sensitive data and APIs—a new risk domain.
Anecdote:
- Internal LLM agent retrieved HR data to answer an employee’s question about who disliked them—poor guardrails, real data exposure. [24:04]
- “They had not put proper guardrails in place. So it actually was bona fide information.” [24:16]

SaaS Failure Modes & Risk Playbook

Overpermissioned roles and agents, “public sharing,” misconfiguration, and poor credential management named as top SaaS risk factors.
New tactics exploit invisible/white text instructions in emails to hijack agents and cover tracks (“echo leak” scenario).
“...the agent on that system read the email, executed the instructions and then deleted any evidence… and then gave remote control to the other party.” — Dave Lewis [25:45]

AI Security, Regulation, & Cost

Security is lagging behind AI and SaaS adoption; “mad rush” leaves holes.
Cost of tokens, failed AI governance, and readiness for new EU/US AI rules are real headaches ahead. [27:47]
“...the EU AI Act is very, very specific and it's very granular...and some of the stipulations are coming into effect very soon.” — Dave Lewis [28:56]

What Leaders Don’t Want to Hear

Fixing credentials and going “wall-to-wall” on password management, MFA, and SaaS governance are non-negotiable—but often neglected.
“Luck is not a strategy. It may play out for a lot of organizations out there, but it will potentially backfire.” — Dave Lewis [31:48]

Notable Quotes & Moments

On user blame:
“We have this preponderance of placing blame on the user... And if you are putting in a culture of fear, unfortunately, the users are going to do everything they can do to avoid being called out.” — Dave Lewis [15:25]
On the SaaS explosion:
“We have closed the door to AI projects coming into the environment, but they’re now coming through the window.” — Quoted by Dave Lewis, relaying a fellow CISO [20:55]
On wall-to-wall protection:
“Making sure that you have good password management, multifactor authentication, credential management, passwordless authentication, all of these elements help to reduce risk for the organization.” — Dave Lewis [31:08]
On the realities of AI and organizational readiness:
“We have to make sure that we’re not letting this get away from us because there is a real impact. You know, there are consequences and the ramifications thereof.” — Dave Lewis [28:57]

Segment Timestamps

[10:10] Interview with Dave Lewis begins
[10:53] Defining the “Access Trust Gap”
[11:39] Observability and control problems
[13:44] Top CISO priorities: gap analysis & identity
[14:29] Weak credentials still top challenge
[15:25] Why blaming users backfires—building a better culture
[19:10] BYOD, device trust, and MDM challenges
[20:06] Need for seamless, user-friendly security technology
[20:55] SaaS and AI governance headaches (“through the window”)
[21:53] Modern software asset inventory
[24:04] Agentic AI gone wrong—LLM querying real HR data
[25:21] SaaS failure modes: overpermissioned agents, new attack tactics
[27:47] AI security risks include both cost and compliance
[28:56] Looming AI legislation (EU AI Act)
[29:23] Advice leaders ignore but regret: “wall-to-wall” credential defense
[31:08] Wall-to-wall security: passwordless, MFA, credential management for all
[31:48] “Luck is not a strategy”

Takeaways for Listeners

React 2 Shell is an urgent, active threat. If your organization is online, assume some React exposure and review your patch status—multiple fixes may be required.
Access Trust Gaps manifest from device sprawl, SaaS chaos, BYOD, shadow AI, and basic credential weaknesses—organizations need continuous discovery and automation, not just policy.
Blaming users drives shadow IT and ultimately undermines security; empathy and user-centric design matter.
Credential, identity, and access management must be “wall-to-wall,” supported by modern, adaptive controls and not neglected in favor of “high profile” issues.
AI and SaaS introduce fundamentally new access risks, both technical and regulatory—observability, governance, and cost controls cannot be afterthoughts.

Summary by Safe Mode Podcast Summarizer | For more, visit cyberscoop.com or follow Safe Mode Podcast.

The Access‑Trust Gap: Why security can’t see what work depends on

Get Free Podcast Summaries in Your Inbox

Pick Your Shows

Subscribe Free

Get Instant Summaries

Summary

Safe Mode Podcast – Episode Summary

Episode Overview

Segment 1: The “React 2 Shell” Vulnerability

Key Discussion Points

Notable Quotes

Segment Timestamps

Segment 2: Access Trust Gap & Identity Management with Dave Lewis

Key Discussion Points

Defining the “Access Trust Gap”

Persistent Security Challenges

Weak Credentials: The Ongoing Struggle

Making Security Work for Humans

BYOD, Device Trust, & SaaS

Modern Asset & Application Inventory

AI, Agents, and Emerging Risks

SaaS Failure Modes & Risk Playbook

AI Security, Regulation, & Cost

What Leaders Don’t Want to Hear

Notable Quotes & Moments

Segment Timestamps

Takeaways for Listeners

Summary

Safe Mode Podcast – Episode Summary

Episode Overview

Segment 1: The “React 2 Shell” Vulnerability

Key Discussion Points

Notable Quotes

Segment Timestamps

Segment 2: Access Trust Gap & Identity Management with Dave Lewis

Key Discussion Points

Defining the “Access Trust Gap”

Persistent Security Challenges

Weak Credentials: The Ongoing Struggle

Making Security Work for Humans

BYOD, Device Trust, & SaaS

Modern Asset & Application Inventory

AI, Agents, and Emerging Risks

SaaS Failure Modes & Risk Playbook

AI Security, Regulation, & Cost

What Leaders Don’t Want to Hear

Notable Quotes & Moments

Segment Timestamps

Takeaways for Listeners