
Cyber Brief: Active exploitation & access abuse

Cyber reporting today focuses on three areas placing immediate pressure on organisations. Authorities have confirmed active exploitation of newly disclosed vulnerabilities, identity abuse continues to bypass traditional controls and UK organisations are again seeing disruption linked to supplier dependency. Together, these stories reinforce why speed, visibility and resilience planning remain critical.


CISA confirms active exploitation of newly disclosed vulnerabilities

The US Cybersecurity and Infrastructure Security Agency has added multiple vulnerabilities to its Known Exploited Vulnerabilities catalogue today, confirming that threat actors are actively exploiting newly disclosed flaws in widely deployed technologies. These vulnerabilities affect enterprise software commonly exposed to the internet and are being weaponised rapidly following public disclosure.
Security teams report that attackers are prioritising initial access and persistence rather than immediate disruption. Once a vulnerable system is identified, attackers focus on credential harvesting, establishing footholds and blending activity with legitimate behaviour. This approach increases dwell time and reduces the likelihood of early detection.
The update reinforces a growing challenge for organisations operating under year-end change restrictions. Delays in patching, even when temporary, create windows of opportunity that attackers are quick to exploit. CISA has urged organisations to apply mitigations or compensating controls immediately where full patching is not yet possible.

Why it matters
Exploitation timelines are shrinking. Organisations should prioritise remediation for internet-facing assets, maintain accurate asset inventories and ensure emergency change processes can be executed quickly when exploitation is confirmed.

Source
CISA


Microsoft highlights ongoing identity abuse and session misuse

Microsoft Security has published updated threat intelligence today highlighting continued abuse of identity systems across cloud and hybrid environments. The report notes that attackers increasingly avoid malware and instead rely on stolen credentials, session tokens and misused legitimate access to compromise organisations quietly.
Once access is obtained, attackers operate within expected user permissions to avoid triggering alerts. In many incidents reviewed, compromised accounts retained access far longer than expected due to permission sprawl and limited access review processes. Hybrid environments were particularly affected, with synchronised identities obscuring true privilege levels.
Microsoft warns that traditional perimeter-focused controls are insufficient against this style of attack. Identity systems themselves have become the primary attack surface, requiring stronger governance, monitoring and enforcement of least privilege.

Why it matters
Identity abuse enables stealthy compromise. Regular access reviews, tighter session controls and monitoring for anomalous behaviour within legitimate accounts are essential to reducing risk.

Source
Microsoft Security


UK organisations disrupted by supplier and service dependency failures

UK technology and business press reporting today highlights further disruption experienced by organisations due to supplier outages and third-party service failures. In several cases, core internal systems remained operational, but dependencies on external providers caused loss of availability, delayed recovery or reduced visibility during incidents.
Post-incident analysis shows that many organisations underestimated the operational impact of supplier disruption. Escalation routes were unclear, communication with providers was slow and recovery timelines exceeded expectations. These issues were most acute where suppliers provided identity services, managed infrastructure or critical operational platforms.
The reporting reinforces that supplier risk extends beyond data breaches. Availability, resilience and coordination are equally critical to maintaining business continuity, particularly during periods of reduced staffing.

Why it matters
Supplier dependency is a resilience issue. Organisations should map critical third-party dependencies, validate recovery capabilities and ensure escalation processes are clear and tested.

Source
Computer Weekly


Today’s Key Actions

  1. Review CISA Known Exploited Vulnerabilities updates and prioritise remediation.
  2. Strengthen identity governance through access reviews and session monitoring.
  3. Map critical supplier dependencies and validate recovery expectations.
  4. Ensure emergency change and escalation processes are approved and documented.
  5. Update risk registers to reflect exploitation, identity and supplier risks.


Secarma Insight

Today’s stories reinforce a consistent theme. Attackers and operational failures alike exploit the gaps created by speed, complexity and trust. Organisations that combine rapid remediation, disciplined identity governance and realistic supplier assurance are far better positioned to withstand both targeted attacks and unexpected disruption.

Get in touch with us to prioritise your next steps and strengthen your security posture.
