Crestvale Newsroom

Tomcat auth bypass breaks security-constraint protections

6 min · 2 July 2026

Description

Authentication controls failing silently is a different kind of risk. Today's episode breaks down how newly disclosed Apache Tomcat vulnerabilities allowed attackers to bypass protections that teams believed were enforced, and why this changes how you validate access controls. For security and IT leaders, the shift is clear. Configuration is no longer proof of enforcement. You need to test real access paths, verify behavior, and assume gaps exist until proven otherwise. At the same time, active exploitation of an Oracle E-Business Suite flaw shows how quickly attackers move once patches are released, while new federal deadlines on post-quantum cryptography turn long-term planning into near-term operational work. We also cover Zscaler's move into AI agent control planes and what it signals about identity in autonomous systems, along with several other key developments shaping the threat landscape. Learn more at https://crestvale.io


All episodes

160 episodes

Tomcat auth bypass breaks security-constraint protections

2 July 2026 · 6 min

EY grads accused of PM bank snooping

Today's episode focuses on a quiet but critical failure point: access control. A real-world incident involving contractor access to sensitive financial data shows how authorization gaps, not external attackers, are often the weakest link. For security and IT leaders, this is a shift in where risk lives. Insider misuse, third-party exposure, and inherited liability from vendors are becoming more consequential than perimeter threats. From financial filings to endpoint security, the common thread is clear. If you do not tightly control who can access what, and when, you are carrying unseen risk. We also cover a major IRS liability ruling, active ransomware exploitation of a Windows privilege escalation flaw, and key signals from across the security landscape. Learn more at https://crestvale.io

Yesterday · 6 min

ACSC warns FortiBleed: rotate creds, enforce MFA

Credential-based security is breaking in multiple directions at once. Old passwords are being reused to breach networks, unpatched ERP systems are getting exploited in the wild, and attackers are shifting toward token theft that bypasses traditional login defenses entirely. For security and IT leaders, this is a shift from protecting logins to continuously validating identity across sessions, systems, and now AI-driven actors. The common thread is clear: identity is the new control plane, and gaps in credential hygiene, patching, and token visibility are turning into real-world incidents. This episode also covers a major Oracle EBS vulnerability under active exploitation, the rise of device-code phishing attacks targeting Microsoft environments, and new funding aimed at rebuilding IAM for AI agents. Learn more at https://crestvale.io

30 June 2026 · 6 min

UK banks pilot consent-led reusable digital ID

Banks are moving into identity, and that could reshape how authentication and onboarding work across the digital economy. A new UK pilot shows how bank-verified identity attributes may become reusable across services, shifting control away from fragmented KYC systems. For security and IT leaders, this signals a change in where trust lives. Identity may consolidate around institutions that already hold strong signals, while access to advanced AI tools becomes uneven and employee behavior continues to outpace policy. The result is a more fragmented, less controllable environment that requires new approaches to integration, governance, and visibility. This episode also covers OpenAI's restricted GPT-5.6 launch, the rise of shadow AI in the workplace, and a new browser-based surveillance technique using WebRTC. Learn more at https://crestvale.io

29 June 2026 · 6 min

Bucket hijacking silently reroutes cloud audit logs

A new cloud attack pattern is quietly undermining one of the most trusted parts of your security stack: logging. By deleting and recreating storage buckets, attackers can reroute audit logs without triggering alerts, leaving teams blind while data continues to flow. This matters because detection, response, and forensics all depend on trustworthy telemetry. At the same time, access to advanced AI security models is becoming restricted by governments, creating uneven capabilities across organizations. Add in a breach that disrupted core insurance risk calculations, and the pattern is clear: control over data and tools is becoming a primary risk surface. We also cover consolidation in industrial security, AI orchestration trends, and the rise of automated exploit discovery. Learn more at https://crestvale.io

28 June 2026 · 5 min