Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines, from threat intelligence to application security.
8 Security Domains. Daily Updates. CVEs Tracked Live.
Latest Intelligence
Recent Articles
McGraw Hill Confirms 13.5 Million Account Breach After ShinyHunters Exploits Salesforce Misconfiguration
Education publisher McGraw Hill has confirmed a data breach affecting 13.5 million accounts after the ShinyHunters cybercriminal group threatened to publish 45 million Salesforce records. The breach stemmed from a misconfiguration within Salesforce's environment, one that McGraw Hill acknowledges is part of a broader issue affecting multiple organisations. Over 100GB of data has been publicly released.
Payouts King Ransomware Deploys Hidden QEMU VMs to Blind Endpoint Security: New EDR Evasion Technique
The Payouts King ransomware operation, linked to former BlackBasta affiliates, has introduced a novel EDR bypass: deploying a legitimate QEMU virtual machine running Alpine Linux on compromised Windows hosts. Because endpoint security agents cannot inspect inside the VM, attackers run the full intrusion (credential theft, lateral movement, and data exfiltration) while remaining completely invisible to host-level detection.
Five-Year-Old ShowDoc RCE Flaw CVE-2025-0520 (CVSS 9.4) Now Under Active Exploitation: Over 2,000 Instances Exposed
Threat actors are actively exploiting CVE-2025-0520, a critical unauthenticated remote code execution vulnerability in ShowDoc, an IT documentation tool used by developers and operations teams. The flaw, patched in October 2020 but present in thousands of unupgraded installations, allows unauthenticated file upload that is being used to deploy web shells. More than 2,000 publicly accessible ShowDoc instances remain vulnerable.
April Patch Tuesday Bug Crashes LSASS on PAM-Enabled Domain Controllers: No Fix Yet
KB5082063, Microsoft's April 2026 cumulative update, is causing LSASS to crash on non-Global Catalog domain controllers in Privileged Access Management environments, triggering unrecoverable reboot loops that take down Active Directory authentication. Microsoft has confirmed the issue across all Windows Server versions from 2016 to 2025 and is developing a corrected update, but none is available yet.
CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710: Four Public Exploits Available
A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited; CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.
NIST Ends Full NVD Enrichment: What It Means for Your Vulnerability Management Programme
NIST has announced it will no longer enrich every CVE record in the National Vulnerability Database, shifting to a risk-based model that prioritises only the most critical submissions. With CVE volumes up 263% since 2020 and the NVD backlog now officially unresolvable, security teams that rely on NVD CVSS scores and CPE data for vulnerability prioritisation must urgently adapt their tooling and workflows.
Opinion & Analysis
Commentary
The Shared Responsibility Model Is a Liability Shield, Not a Security Framework
McGraw Hill's statement that its Salesforce breach 'appears to be part of a broader issue involving a misconfiguration within Salesforce's environment' exposes what the shared responsibility model actually is: a contractual arrangement that tells you who to blame after a breach, not a security control that prevents one.
CipherWatch Editorial
Security Intelligence Platform
Patch Tuesday Is Not a Patching Programme
Every second Tuesday, the industry runs a collective sprint to triage, test, and deploy hundreds of Microsoft patches before the next cycle begins. We call this a patching programme. It isn't. It's a treadmill, and the real security question is whether we're measuring the right thing.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language: financial exposure, regulatory obligations, and board-ready summaries.
Ransomware Group Uses Virtual Machines to Operate Invisibly Inside Enterprise Networks
The Payouts King ransomware operation, linked to former BlackBasta affiliates, deploys a legitimate QEMU virtual machine on compromised Windows hosts to conduct credential theft and data exfiltration in a zone where endpoint security cannot see. The technique directly defeats EDR investment and is now actively used in attacks. Organisations must extend detection beyond endpoint telemetry.
April Patch Tuesday Defect Triggers Authentication Outage on PAM Domain Controllers
KB5082063 causes LSASS to crash on non-Global Catalog domain controllers in PAM-enabled environments, creating unrecoverable reboot loops that take Active Directory authentication offline. No corrected update is available. All organisations with PAM-enabled AD must immediately pause KB5082063 deployment on domain controllers and engage Microsoft Support if affected DCs are already looping.
Critical Windows IKE Vulnerability Allows Unauthenticated Remote Takeover of All Windows Servers
A severity-9.8 flaw in Windows networking software allows an attacker on the internet to seize complete control of any unpatched Windows server or workstation with no login credentials required. Microsoft has confirmed the flaw was exploited before the patch was released. All organisations running Windows must apply the April 2026 security update as an emergency measure.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more, so you stay ahead of the threat curve.
Learn how it works.