Do secure systems exist? Or are all systems deemed secure until they are exploited and attacked? I asked myself these two questions while working on this article and I don't have an answer. If you have an answer, kindly let me know in the comments section.
Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE
The good thing about this: they addressed the vulnerability in version 2.4.67. Nonetheless, the excerpt below gives a brief overview of the vulnerability and what we can learn from it.
The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling.
Fixing the password problem is as easy as 123456
But it's not. It needs some enforcement from the right bodies. Because, why will someone use 123456 as a password? It's 2026!
From the article:
The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally. Other all-too-predictable choices, such as ‘123456789’, ‘12345678’, ‘12345’ and ‘admin’, also prove to have staying power year after year.
NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’.
Attackers Could Exploit AI Vision Models Using Imperceptible Image Changes
If you cannot see it, that does not mean that it is not there. Meanwhile, an AI model can see it and act accordingly. Here, the "act" might be something that you would not approve, e.g., exfiltration of users' data.
From the article:
Cisco’s experts found that an attacker could create images that carry instructions the AI will follow, but which are too degraded for a human to read. The work builds on a first phase of research that established a measurable link between the visual distortion of a text-bearing image and its likelihood of succeeding as an attack against VLMs.
How Anthropic’s Mythos has rewritten Firefox’s approach to cybersecurity
Artificial Intelligence has changed the way we do things in some industries, and cybersecurity has not been left behind. Mythos from Anthropic has the potential to change the way software developers and companies approach vulnerability discovery and patching. This article quickly highlights how Firefox is doing it without eliminating humans in the process.
From the article:
It’s still not clear how AI’s emerging capabilities will change the broader balance of power in cybersecurity. One month since Mythos was previewed, most of the bugs discovered likely haven’t been patched, which makes it hard to capture the full scope of their impact.
Sophisticated Quasar Linux RAT Targets Software Developers
Dubbed Quasar Linux (QLNX), the RAT has a modular architecture, uses multiple persistence and detection evasion mechanisms, packs a rootkit, and provides attackers with remote access to the infected machines.
I have always had this belief: threat actors are willing to subvert all your defenses provided that they are determined to get or steal what you have. This is one such example. While reading the article, I kept thinking: all this effort just to steal credentials? Why?
From the article:
The malware supports 58 distinct commands, allowing attackers to interact with shells, enumerate and manipulate files and processes, create directories, download and upload files, reboot or shut down the system, open URLs, display notifications, open TCP sockets, harvest sensitive information, capture the screen, log keystrokes, and use SSH credentials to execute commands on remote hosts.
Credits
Cover photo by Debby Hudson on Unsplash.
That's it for this week, and I'll see you next time.