Security teams at agile, fast-growing companies often have the same mandate: secure the business without slowing it down. Most teams inherit a tech stack optimized for breakneck growth, not resilience. In these environments, the security team is the helpdesk, the compliance expert, and the incident response team all rolled into one.

Securing the cloud office in this scenario is all about finding leverage: identifying the strategic control points that drive the most resilience without adding operational overhead.

Google Workspace provides an excellent security foundation, but its native tooling has inherent limitations, and relying on the default configurations can cause headaches. To build a truly resilient program, there are some common-sense first steps teams can take to secure Workspace natively, before intelligently augmenting the platform where its capabilities fall short.

Secure email, the primary attack vector and largest archive

Email remains the most reliable target for attackers, as an initial attack method, as a vector to other connected apps and systems, and as a target for sensitive data. While Gmail’s default security is solid at catching some threats, it often struggles with targeted threats and sophisticated social engineering and payload-less attacks.

The gaps in native protection

• BEC and Targeted spear phishing: business email compromise (BEC) attacks often contain no malicious links or attachments, instead relying on social engineering that bypasses traditional defenses.
• Environmental context: Google doesn’t know who your VIPs are, which partners you work with, or how frequently you receive invoices from vendors, making it difficult to flag subtle anomalies worth scrutinizing.
• Data archive at rest: for most companies, email is the largest repository of sensitive data. If an account is compromised, the attacker has access to years of confidential conversations, attachments, contracts, and more.

How to improve Gmail’s security today

While Google can’t provide all the capabilities of a modern email security platform, there are steps you can take to ensure your core Gmail configurations are as secure as possible.

• Turn on advanced scanning: enable Google’s enhanced pre-delivery message scanning and malware protection to ensure you’re making the most of Google’s capabilities.
• Implement basic email hygiene: configure SPF, DKIM, and DMARC. These protocols prove your emails are actually from you, and are critical for preventing domain spoofing.
• Automate future settings: ensure the “Apply future recommended settings automatically” option is checked to stay current as Google rolls out more security updates.

Move beyond authentication to manage access

Multi-factor authentication (MFA) is the single most important control you can implement today, but it’s not a magic bullet. Your access control can’t stop at the login page.

Too many windows and side doors

• Malicious OAuth access: compromised tokens, illicit consent grants, man-in-the-middle attacks, or simple misconfigurations can allow attackers access that appears perfectly legitimate to security tooling.
• Legacy access: protocols like IMAP and POP don’t natively support MFA, and App Passwords can be circumvented.
• Detection gaps: Google can alert on suspicious sign-ins, but connecting that signal to other suspicious activity across the environment is a manual, time-consuming process.

Harden your access control immediately

• Enforce strong MFA: not all MFA is created equal. At the very least, disable SMS or phone calls as MFA authentication methods. Ideally, adopt phishing-resistant methods like physical security keys or Yubikeys.
• Disable legacy protocols: turn off POP and IMAP access for all users within the Gmail settings.
• Deny by default for OAuth: require users to request access to unconfigured third-party apps rather than granting access by default.

Material’s inbound protection combines threat research with AI, user report automation, and custom detection rules to provide multi-layered coverage to catch and remediate sophisticated threats. Granular automated remediations protect the entire organization from the first detection or user report, and automatically triage and respond to user-reported phishing.

Material is also the only platform on the market that protects sensitive email content, automatically detecting, classifying, and securing sensitive emails and attachments behind an MFA prompt, protecting critical information even in a breach.

Context-aware account security

A richer set of signals across the entire cloud office enables Material to detect and stop account takeovers early. Material monitors all activity across the cloud office, including suspicious logins, unusual data retrieval patterns and file-sharing behavior, password resets, out-of-policy forwarding rules, and much more. This enables organizations to understand their risks and threats holistically and take action faster than with native tools alone.

Data discovery and protection

Material fills in the gaps in Google’s native data protection capabilities. Material automatically detects and classifies sensitive and confidential data in Google Drive, and enforces file-sharing and data access policies without slowing down collaboration. Risky sharing of sensitive files is flagged, and the system works with each user to self-heal or justify potentially risky sharing before revoking risky access and, when needed, updating labels.

How secure is your Workspace?

Google Workspace security spans so many domains that it can be difficult to maintain a complete picture of your posture, and this only gets harder as your organization scales and your Workspace evolves. That’s why Material built our free Google Workspace Security Scorecard.

Whether you’re a security engineer on a small security team scrambling to manage the day-to-day security of your organization, a CISO looking to better understand and report on your posture, or an IT leader responsible for Workspace administration, our quick, 5-minute assessment will not only provide a solid baseline but also actionable recommendations to improve your posture.

Check out the Google Workspace self-assessment now to find out where your gaps are.

A new malicious package discovered in the Python Package Index (PyPI) has been found to impersonate a popular library for symbolic mathematics to deploy malicious payloads, including a cryptocurrency miner, on Linux hosts.

The package, named sympy-dev, mimics SymPy, replicating the latter’s project description verbatim in an attempt to deceive unsuspecting users into thinking that they are downloading a “development version” of the library. It has been downloaded over 1,100 times since it was first published on January 17, 2026.

Although the download count is not a reliable yardstick for measuring the number of infections, the figure likely suggests some developers may have fallen victim to the malicious campaign. The package remains available for download as of writing.

According to Socket, the original library has been modified to act as a downloader for an XMRig cryptocurrency miner on compromised systems. The malicious behavior is designed to trigger only when specific polynomial routines are called so as to fly under the radar.

“When invoked, the backdoored functions retrieve a remote JSON configuration, download a threat actor-controlled ELF payload, then execute it from an anonymous memory-backed file descriptor using Linux memfd_create and /proc/self/fd, which reduces on-disk artifacts,” security researcher Kirill Boychenko said in a Wednesday analysis.

The altered functions are used to execute a downloader, which fetches a remote JSON configuration and an ELF payload from “63.250.56[.]54,” and then launches the ELF binary along with the configuration as input directly in memory to avoid leaving artifacts on disk. This memory-resident technique has been previously observed in cryptojacking campaigns orchestrated by FritzFrog and Mimo.

The end goal of the attack is to download two Linux ELF binaries that are designed to mine cryptocurrency using XMRig on Linux hosts.

“Both retrieved configurations use an XMRig compatible schema that enables CPU mining, disables GPU backends, and directs the miner to Stratum over TLS endpoints on port 3333 hosted on the same threat actor-controlled IP addresses,” Socket said.

“Although we observed cryptomining in this campaign, the Python implant functions as a general purpose loader that can fetch and execute arbitrary second stage code under the privileges of the Python process.”

Update

The Python package is no longer available for download from PyPI as of January 24, 2026.

A new security flaw in SmarterTools SmarterMail email software has come under active exploitation in the wild, two days after the release of a patch.

The vulnerability, which currently does not have a CVE identifier, is tracked by watchTowr Labs as WT-2026-0001. It was patched by SmarterTools on January 15, 2026, with Build 9511, following responsible disclosure by the exposure management platform on January 8, 2026.

It has been described as an authentication bypass flaw that could allow any user to reset the SmarterMail system administrator password by means of a specially crafted HTTP request to the “/api/v1/auth/force-reset-password” endpoint.

“The kicker of course being that said user is able to use RCE-as-a-feature functions to directly execute OS [operating system] commands,” watchTowr Labs researchers Piotr Bazydlo and Sina Kheirkhah said.

The problem is rooted in the function “SmarterMail.Web.Api.AuthenticationController.ForceResetPassword,” which not only allows the endpoint to be reached without authentication, but also leverages the fact that the reset request is accompanied by a boolean flag named “IsSysAdmin” to handle the incoming request depending on whether the user is a system administrator or not.

In case the flag is set to “true” (i.e., indicating that the user is an administrator), the underlying logic performs the following sequence of actions –

• Obtain the configuration corresponding to the username passed as input in the HTTP request
• Create a new system administrator item with the new password
• Update the administrator account with the new password

In other words, the privileged path is configured such that it can trivially update an administrator user’s password by sending an HTTP request with the username of an administrator account and a password of their choice. This complete lack of security control could be abused by an attacker to obtain elevated access, provided they have knowledge of an existing administrator username.

It doesn’t end there, for the authentication bypass provides a direct path to remote code execution through a built-in functionality that allows a system administrator to execute operating system commands on the underlying operating system and obtain a SYSTEM-level shell.

This can be accomplished by navigating to the Settings page, creating a new volume, and supplying an arbitrary command in the Volume Mount Command field that gets subsequently executed by the host’s operating system.

The cybersecurity company said it chose to make the finding public following a post on the SmarterTools Community Portal, where a user claimed that they lost access to their admin account, with the logs indicating the use of the same “force-reset-password” endpoint to change the password on January 17, 2026, two days after the release of the patch.

This likely indicates that the attackers managed to reverse engineer the patches and reconstruct the flaw. To make matters worse, it doesn’t help that SmarterMail’s release notes are vague and do not explicitly mention what issues were addressed. One item in the bulleted list for Build 9511 simply mentions “IMPORTANT: Critical security fixes.”

In response, SmarterTools CEO Tim Uzzanti hinted that this is done so to avoid giving threat actors more ammunition, but noted they plan to send an email every time a new CVE is discovered and again when a build has been released to resolve the issue.

“In our 23+ years, we have had only a few CVEs, which were primarily communicated through release notes and critical fix references,” Uzzanti said in response to transparency concerns raised by its customers. “We appreciate the feedback that encouraged this change in policy moving forward.”

When reached for comment, SmarterTools told The Hacker News that it released a fix for the vulnerability on January 15, 2026, adding it sent out notifications to all customers, asking them to update to the latest version.

“At the time of that release, we did notify all SmarterMail customers that a new version was released that fixed a critical security issue, and we strongly urged them to upgrade,” Derek Curtis, chief operating officer at SmarterTools, said. “As we don’t manage installations ourselves – our SmarterMail software is on-premises – we have to rely on customers to read our notifications, then upgrade as soon as they feel it’s prudent to do so.”

The development comes less than a month after the Cyber Security Agency of Singapore (CSA) disclosed details of a maximum-severity security flaw in SmarterMail (CVE-2025-52691, CVSS score: 10.0) that could be exploited to achieve remote code execution.

Update

The vulnerability has been assigned the CVE identifier CVE-2026-23760 (CVSS score: 9.3), with Huntress noting that it has observed in-the-wild exploitation of the privileged account takeover vulnerability that could result in remote code execution.

The cybersecurity company also said CVE-2025-52691 has come under mass exploitation, making it essential that users of SmarterMail update to the latest version as soon as possible.

Jai Minton, senior manager of detection engineering and threat hunting at Huntress, told The Hacker News that CVE-2025-52691 is being exploited to deliver low sophistication web shells and “suspected loaders of malware written to Startup directories in order to achieve persistence and execution when the system is restarted.”

Minton also stated that all the IP addresses attempting to exploit CVE-2026-23760 are tied to virtual infrastructure in the U.S., and that the exact origin of the attacks is unknown. As for attribution, there is no evidence to suggest either vulnerabilities being exploited are tied to any particular threat actor.

“Given the severity of this vulnerability, active exploitation, and exploitation of the additional CVE-2025-52691 being observed in the wild, businesses should prioritize the deployment of SmarterMail updates and review any outdated systems for signs of infection,” it added.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added both the SmarterMail flaws to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the patches by February 16, 2026.

(The story was updated after publication on January 27, 2026, to reflect the latest developments.)

Cybersecurity company Arctic Wolf has warned of a “new cluster of automated malicious activity” that involves unauthorized firewall configuration changes on Fortinet FortiGate devices.

The activity, it said, commenced on January 15, 2026, adding it shares similarities with a December 2025 campaign in which malicious SSO logins on FortiGate appliances were recorded against the admin account from different hosting providers by exploiting CVE-2025-59718 and CVE-2025-59719.

Both vulnerabilities allow for unauthenticated bypass of SSO login authentication via crafted SAML messages when the FortiCloud single sign-on (SSO) feature is enabled on affected Devices. The shortcomings impact FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager.

“This activity involved the creation of generic accounts intended for persistence, configuration changes granting VPN access to those accounts, as well as exfiltration of firewall configurations,” Arctic Wolf said of the developing threat cluster.

Specifically, this entails carrying out malicious SSO logins against a malicious account “cloud-init@mail.io” from four different IP addresses, following which the firewall configuration files are exported to the same IP addresses via the GUI interface. The list of source IP addresses is below –

• 104.28.244[.]115
• 104.28.212[.]114
• 217.119.139[.]50
• 37.1.209[.]19

In addition, the threat actors have been observed creating secondary accounts, such as “secadmin,” “itadmin,” “support,” “backup,” “remoteadmin,” and “audit,” for persistence.

“All of the above events took place within seconds of each other, indicating the possibility of automated activity,” Arctic Wolf added.

The disclosure coincides with a post on Reddit in which multiple users reported seeing malicious SSO logins on fully-patched FortiOS devices, with one user stating the “Fortinet developer team has confirmed the vulnerability persists or is not fixed in version 7.4.10.”

The Hacker News has reached out to Fortinet for comment, and we will update the story if we hear back. In the interim, it’s advised to disable the “admin-forticloud-sso-login” setting.

Cisco has released fresh patches to address what it described as a “critical” security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that it has been actively exploited as a zero-day in the wild.

The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device.

“This vulnerability is due to improper validation of user-supplied input in HTTP requests,” Cisco said in an advisory. “An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.”

The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added. The vulnerability impacts the following products –

• Unified CM
• Unified CM Session Management Edition (SME)
• Unified CM IM & Presence Service (IM&P)
• Unity Connection
• Webex Calling Dedicated Instance

It has been addressed in the following versions –

Cisco Unified CM, CM SME, CM IM&P, and Webex Calling Dedicated Instance –

• Release 12.5 – Migrate to a fixed release
• Release 14 – 14SU5 or apply patch file: ciscocm.V14SU4a_CSCwr21851_remote_code_v1.cop.sha512
• Release 15 – 15SU4 (Mar 2026) or apply patch file: ciscocm.V15SU2_CSCwr21851_remote_code_v1.cop.sha512 or ciscocm.V15SU3_CSCwr21851_remote_code_v1.cop.sha512

Cisco Unity Connection

• Release 12.5 – Migrate to a fixed release
• Release 14 – 14SU5 or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512
• Release 15 – 15SU4 (Mar 2026) or apply patch file: ciscocm.cuc.CSCwr29208_C0266-1.cop.sha512

The networking equipment major also said it’s “aware of attempted exploitation of this vulnerability in the wild,” urging customers to upgrade to a fixed software release to address the issue. There are currently no workarounds. An anonymous external researcher has been credited with discovering and reporting the bug.

The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by February 11, 2026.

The discovery of CVE-2026-20045 comes less than a week after Cisco released updates for another actively exploited critical security vulnerability affecting AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager (CVE-2025-20393, CVSS score: 10.0) that could permit an attacker to execute arbitrary commands with root privileges.

As many as 3,136 individual IP addresses linked to likely targets of the Contagious Interview activity have been identified, with the campaign claiming 20 potential victim organizations spanning artificial intelligence (AI), cryptocurrency, financial services, IT services, marketing, and software development sectors in Europe, South Asia, the Middle East, and Central America.

The new findings come from Recorded Future’s Insikt Group, which is tracking the North Korean threat activity cluster under the moniker PurpleBravo. First documented in late 2023, the campaign is also known as CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, Void Dokkaebi, and WaterPlum.

The 3,136 individual IP addresses, primarily concentrated around South Asia and North America, are assessed to have been targeted by the adversary from August 2024 to September 2025. The 20 victim companies are said to be based in Belgium, Bulgaria, Costa Rica, India, Italy, the Netherlands, Pakistan, Romania, the United Arab Emirates (U.A.E.), and Vietnam.

“In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target,” the threat intelligence firm said in a new report shared with The Hacker News.

The disclosure comes a day after Jamf Threat Labs detailed a significant iteration of the Contagious Interview campaign wherein the attackers abuse malicious Microsoft Visual Studio Code (VS Code) projects as an attack vector to distribute a backdoor, underscoring continued exploitation of trusted developer workflows to achieve their twin goals of cyber espionage and financial theft.

The C2 servers, hosted across 17 different providers, are administered via Astrill VPN and from IP ranges in China. North Korean threat actors’ use of Astrill VPN in cyber attacks has been well-documented over the years.

It’s worth pointing out that Contagious Interview complements a second, separate campaign referred to as Wagemole (aka PurpleDelta), where IT workers from the Hermit Kingdom actors seek unauthorized employment under fraudulent or stolen identities with organizations based in the U.S. and other parts of the world for both financial gain and espionage.

While the two clusters are treated as disparate sets of activities, there are significant tactical and infrastructure overlaps between them despite the fact that the IT worker threat has been ongoing since 2017.

“This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity,” Recorded Future said.

To make matters worse, candidates who are approached by PurpleBravo with fictitious job offers have been found to take the coding assessment on company-issued devices, effectively compromising their employers in the process. This highlights that the IT software supply chain is “just as vulnerable” to infiltration from North Korean adversaries other than the IT workers.

“Many of these [potential victim] organizations advertise large customer bases, presenting an acute supply-chain risk to companies outsourcing work in these regions,” the company noted. “While the North Korean IT worker employment threat has been widely publicized, the PurpleBravo supply-chain risk deserves equal attention so organizations can prepare, defend, and prevent sensitive data leakage to North Korean threat actors.”

Zoom and GitLab have released security updates to resolve a number of security vulnerabilities that could result in denial-of-service (DoS) and remote code execution.

The most severe of the lot is a critical security flaw impacting Zoom Node Multimedia Routers (MMRs) that could permit a meeting participant to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844 and discovered internally by its Offensive Security team, carries a CVSS score of 9.9 out of 10.0.

“A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access,” the company noted in a Tuesday alert.

Zoom is recommending that customers using Zoom Node Meetings, Hybrid, or Meeting Connector deployments update to the latest available MMR version to safeguard against any potential threat.

There is no evidence that the security flaw has been exploited in the wild. The vulnerability affects the following versions –

• Zoom Node Meetings Hybrid (ZMH) MMR module versions prior to 5.2.1716.0
• Zoom Node Meeting Connector (MC) MMR module versions prior to 5.2.1716.0

GitLab Releases Patches for Severe Flaws

The disclosure comes as GitLab released fixes for multiple high-severity flaws affecting its Community Edition (CE) and Enterprise Edition (EE) that could result in DoS and a bypass of two-factor authentication (2FA) protections. The shortcomings are listed below –

• CVE-2025-13927 (CVSS score: 7.5) – A vulnerability that could allow an unauthenticated user to create a DoS condition by sending crafted requests with malformed authentication data (Affects all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
• CVE-2025-13928 (CVSS score: 7.5) – An incorrect authorization vulnerability in the Releases API that could allow an unauthenticated user to cause a DoS condition (Affects all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
• CVE-2026-0723 (CVSS score: 7.4) – A vulnerability that could allow an individual with existing knowledge of a victim’s credential ID to bypass 2FA by submitting forged device responses (Affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 )

Also remediated by GitLab are two other medium-severity bugs that could also trigger a DoS condition (CVE-2025-13335, CVSS score: 6.5, and CVE-2026-1102, CVSS score: 5.3) by configuring malformed Wiki documents that bypass cycle detection and sending repeated malformed SSH authentication requests, respectively.

Every managed security provider is chasing the same problem in 2026 — too many alerts, too few analysts, and clients demanding “CISO-level protection” at SMB budgets.

The truth? Most MSSPs are running harder, not smarter. And it’s breaking their margins. That’s where the quiet revolution is happening: AI isn’t just writing reports or surfacing risks — it’s rebuilding how security services are delivered.

The Shift

Until now, MSSPs scaled by adding people. Each new client meant another analyst, another spreadsheet, another late-night ticket queue.

AI automation flips that model. It handles assessments, benchmarking, and reporting in minutes — freeing your team to focus on strategy, not data entry.

Early adopters are already seeing double-digit margin gains and faster onboarding cycles — without increasing headcount.

Real Proof — Not Theory

When Chad Robinson, CISO at Secure Cyber Defense, applied Cynomi’s AI platform, his team stopped drowning in manual checklists. He didn’t just automate reports; he turned junior analysts into “virtual CISOs,” expanding coverage and growing revenue from advisory services — all by standardizing delivery through AI.

Secure your spot for the live session ➜

What You’ll Learn

In this session, Cynomi CEO David Primor and Chad Robinson unpack the real operating blueprint:

• How AI eliminates the grunt work that eats profit
• How to tier and package cybersecurity services for steady MRR
• What actually moved the needle for a growing MSSP — and how you can copy it
• How AI enables consistent, CISO-grade service at scale

If you’re still hiring your way out of the workload crisis, you’re already behind. The MSSPs winning 2026 aren’t bigger — they’re smarter.

Join the live session to see how AI can scale your security business without scaling your payroll.

Register for the Webinar ➜

Gartner® doesn’t create new categories lightly. Generally speaking, a new acronym only emerges when the industry’s collective “to-do list” has become mathematically impossible to complete. And so it seems that the introduction of the Exposure Assessment Platforms (EAP) category is a formal admission that traditional Vulnerability Management (VM) is no longer a viable way to secure a modern enterprise.

The shift from the traditional Market Guide for Vulnerability Assessment to the new Magic Quadrant for EAPs represents a move away from the “vulnerability hose”, i.e., the endless stream of CVEs, and toward a model of Continuous Threat Exposure Management (CTEM). To us, this is more than just a change in terminology; it is an attempt to solve the “Dead End” paradox that has plagued security teams for a decade.

In the inaugural Magic Quadrant report of this category, Gartner evaluated 20 vendors for their ability to support continuous discovery, risk-informed prioritization, and integrated visibility across cloud, on-prem, and identity layers. In this article, we’ll take a deep dive into the key findings of the report, the drivers behind the new category, the features that define it, and what we see as the takeaways for security teams.

Why Exposure Assessment Is Gaining Ground

Security tools have always promised risk reduction, but they’ve mostly delivered noise. One product would reveal a misconfiguration. Another would log a privilege drift. A third would flag vulnerable external-facing assets. The result is a crisis of volume that has led to chronic alert fatigue in the SOC. Each tool provided a piece of the puzzle, yet none were able to put all the pieces together and explain how exposure forms…or what to fix first to avoid it.

The skepticism toward legacy VM tools is well-earned. Data from over 15,000 environments shows that 74% of identified exposures are “dead ends”, existing on assets that have no viable path to a critical system. In the old model, a security team might spend 90% of its remediation effort fixing these dead ends, yielding effectively zero reduction in risk to business processes.

This is what EAPs are designed to address. They pull all those pieces into a unified view that tracks how systems, identities, and vulnerabilities interact in real environments and show how an attacker could actually use it to move from a low-risk dev environment to critical assets.

To learn more about why XM Cyber was named a challenger in the 2025 Magic Quadrant for exposure assessment platforms, grab your copy of the report here.

Note: This article was expertly written and contributed by Maya Malevich, Head of Product Marketing at XM Cyber.

Security vulnerabilities were uncovered in the popular open-source artificial intelligence (AI) framework Chainlit that could allow attackers to steal sensitive data, which may allow for lateral movement within a susceptible organization.

Zafran Security said the high-severity flaws, collectively dubbed ChainLeak, could be abused to leak cloud environment API keys and steal sensitive files, or perform server-side request forgery (SSRF) attacks against servers hosting AI applications.

Chainlit is a framework for creating conversational chatbots. According to statistics shared by the Python Software Foundation, the package has been downloaded over 220,000 times over the past week. It has attracted a total of 7.3 million downloads to date.

Details of the two vulnerabilities are as follows –

• CVE-2026-22218 (CVSS score: 7.1) – An arbitrary file read vulnerability in the “/project/element” update flow that allows an authenticated attacker to access the contents of any file readable by the service into their own session due to a lack of validation of user-controller fields
• CVE-2026-22219 (CVSS score: 8.3) – An SSRF vulnerability in the “/project/element” update flow when configured with the SQLAlchemy data layer backend that allows an attacker to make arbitrary HTTP requests to internal network services or cloud metadata endpoints from the Chainlit server and store the retrieved responses

Following responsible disclosure on November 23, 2025, both vulnerabilities were addressed by Chainlit in version 2.9.4 released on December 24, 2025.

“As organizations rapidly adopt AI frameworks and third-party components, long-standing classes of software vulnerabilities are being embedded directly into AI infrastructure,” Zafran said. “These frameworks introduce new and often poorly understood attack surfaces, where well-known vulnerability classes can directly compromise AI-powered systems.”

Flaw in Microsoft MarkItDown MCP Server

The disclosure comes as BlueRock disclosed a similar SSRF vulnerability in Microsoft’s MarkItDown Model Context Protocol (MCP) server dubbed MCP fURI that enables arbitrary calling of URI resources, exposing organizations to privilege escalation, SSRF, and data leakage attacks. The shortcoming affects the server when running in an Amazon Web Services (AWS) EC2 instance using IDMSv1.

“This vulnerability allows an attacker to execute the Markitdown MCP tool convert_to_markdown to call an arbitrary uniform resource identifier (URI),” BlueRock said. “The lack of any boundaries on the URI allows any user, agent, or attacker calling the tool to access any HTTP or file resource.”

“When providing a URI to the Markitdown MCP server, this can be used to query the instance metadata of the server. A user can then obtain credentials to the instance if there is a role associated, giving you access to the AWS account, including the access and secret keys.”

The agentic AI security company said its analysis of more than 7,000 MCP servers found that over 36.7% of them are likely exposed to similar SSRF vulnerabilities. To mitigate the risk posed by the issue, it’s advised to use IMDSv2 to secure against SSRF attacks, implement private IP blocking, restrict access to metadata services, and create an allowlist to prevent data exfiltration.