10 Apr 2026
Week in review
Greetings,
Anthropic has announced that a preview version of its new frontier model, Claude Mythos, has already uncovered thousands of previously unknown, high-severity vulnerabilities across major software platforms. The findings were revealed alongside the launch of Project Glasswing, a new initiative aimed at using advanced AI systems defensively to secure critical digital infrastructure.
According to Anthropic, Claude Mythos demonstrated an exceptional ability to identify zero-day flaws across every major operating system and web browser. Some discoveries included decades-old bugs, such as a 27-year-old vulnerability in OpenBSD and a 16-year-old flaw in FFmpeg. In controlled evaluations, the model also autonomously chained together multiple vulnerabilities to escape application sandboxes and even solved complex corporate network attack simulations faster than seasoned human experts.
These capabilities, however, come with serious implications. In one test, Mythos was able to follow researcher instructions to break out of a secured sandbox environment, gain internet access, and communicate externally—behaviour Anthropic described as a “potentially dangerous capability.” The company emphasised that such abilities were not explicitly trained, but emerged from broader improvements in the model’s reasoning, coding skill, and autonomy.
To manage this risk, Anthropic is limiting access to Mythos Preview and partnering with a small group of major technology and security organisations, including AWS, Google, Microsoft, and the Linux Foundation. The company is also committing up to $100 million in usage credits and millions more in funding to support open source security efforts. Project Glasswing, Anthropic says, is an urgent effort to ensure powerful AI tools are used to fix vulnerabilities before similar capabilities are exploited by malicious actors.
Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Date: 2026-04-02
Author: The Hacker News
[Please see also AUSCERT Bulletins: https://portal.auscert.org.au/bulletins/ESB-2026.3189/ and https://portal.auscert.org.au/bulletins/ESB-2026.3199/]
[AusCERT has informed the affected members via Critical MSINs]
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.
The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.
Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access
Date: 2026-04-07
Author: The Hacker News
A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances.
The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024.
13-year-old bug in ActiveMQ lets hackers remotely execute commands
Date: 2026-04-08
Author: Bleeping Computer
Security researchers discovered a remote code execution (RCE) vulnerability in Apache ActiveMQ Classic that has gone undetected for 13 years and could be exploited to execute arbitrary commands.
The flaw was uncovered using the Claude AI assistant, which identified an exploit path by analyzing how independently developed components interact.
Tracked as CVE-2026-34197, the security issue received a high severity score of 8.8 and affects versions of Apache ActiveMQ/Broker before 5.19.4, and all versions from 6.0.0 up to 6.2.3.
IBM Identity and Verify Access Vulnerabilities Allow Remote Attacker to Access Sensitive Data
Date: 2026-04-08
Author: Cyber Security News
A critical security bulletin highlights multiple vulnerabilities in Verify Identity Access and Security Verify Access products.
If left unpatched, these widespread security flaws could allow malicious actors to access sensitive information, escalate their system privileges, or cause a complete denial-of-service of the application.
Organizations relying on these authentication platforms must take immediate action to patch their infrastructure. A standout issue in the latest security advisory revolves around how the platform handles web traffic.
Max severity Flowise RCE vulnerability now exploited in attacks
Date: 2026-04-07
Author: Bleeping Computer
Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code.
The flaw allows injecting JavaScript code without any security checks and was publicly disclosed last September, with the warning that successful exploitation leads to command execution and file system access.
ESB-2026.3427 – Prisma Browser: CVSS (Max): 9.8
Palo Alto Networks has released a monthly Chromium security update addressing multiple vulnerabilities in Prisma Browser, including memory corruption, integer overflows, and use-after-free issues.
ESB-2026.3417 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 8.5
GitLab has released patch versions 18.10.3, 18.9.5, and 18.8.9 addressing multiple security vulnerabilities affecting both Community Edition (CE) and Enterprise Edition (EE), including issues such as improper access control, denial of service, cross-site scripting, and information disclosure.
ESB-2026.3354 – govulncheck-vulndb: CVSS (Max): 9.9
SUSE has released an important security update for the govulncheck-vulndb package on openSUSE Leap 15.6. Several vulnerabilities are rated High to Critical severity, with potential impacts including system compromise, data exposure, or denial of service.
ESB-2026.3319 – FortiClientEMS: CVSS (Max): 9.8
Fortinet has disclosed a critical authentication and authorization bypass vulnerability in FortiClient EMS that could allow an unauthenticated attacker to execute unauthorized code or commands via crafted API requests, resulting in privilege escalation.
ESB-2026.3276 – chromium: CVSS (Max): 9.6
Debian has released a security update for Chromium addressing multiple vulnerabilities that could lead to arbitrary code execution, denial of service, or information disclosure if exploited. One CVE (CVE-2026-5281) is on the CISA Known Exploited Vulnerabilities (KEV) list.
Stay safe, stay patched and have a good weekend!
The AUSCERT team