Cyber Threat Intelligence 17 July 2026
-
Industrial Sector
- Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix And GuardLogix
"Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-06 - Rockwell Automation Arena
"Successful exploitation these vulnerabilities could allow an attacker to execute arbitrary code in the context of the current process."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-01 - Rockwell Automation 1756-EN2, 1756-EN3, And 1756-ENBT
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-02 - NASA Core Flight System (cFS) Health & Safety (HS) Application
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-03 - AutomationDirect Productivity Suite
"Successful exploitation of these vulnerabilities could allow an attacker with local or physical access to cause memory corruption, unintended information disclosure, application instability, or a denial-of-service condition in the affected product."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-04 - Siemens SICAM 8
"Multiple SICAM 8 products are affected by multiple vulnerabilities that could lead to denial of service, namely: - SICAM A8000 Device firmware - CPCI85 for CP-8031/CP-8050 - SICORE for CP-8010/CP-8012 - SICAM EGS Device firmware - CPCI85 - SICAM S8000 - SICORE Siemens has released new versions for the affected products and recommends to update to the latest versions."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-05 - SALTO ProAccess Space
"Successful exploitation of this vulnerability allows an authenticated attacker to escalate privileges and access spaces outside their assigned partition, within the same Salto ProAccess Space installation or system. Exploitation requires valid authenticated operator credentials and the partition feature to be enabled; installations without partitioning are not affected."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-07 - Rockwell Automation Flex 5000 Adapter
"Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected product."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-08 - Rockwell Automation FactoryTalk DataMosaix
"Successful exploitation of this vulnerability could allow an authenticated attacker to inject malicious scripts on the server."
https://www.cisa.gov/news-events/ics-advisories/icsa-26-197-09 - Legacy Systems, Real-World Impacts: The Reality Of OT Security
"I’m here today to write about one particularly thorny area of operational technology (OT) and security that I run into somewhat routinely. Given my own particular interests as an incorrigible vulnerability-gazer, and my professional role as vice president of security research at runZero, I deal with OT security issues more often than the average bear. I’ve noticed that there’s definitely a vibe of, “IT be like this, but OT be like that” going on in the wider world of vulnerability management. The process of discovering, documenting, and disclosing vulnerabilities all have their own little quirks here in OT-land, so let’s jump into it!"
https://www.securityweek.com/legacy-systems-real-world-impacts-the-reality-of-ot-security/
Vulnerabilities
- Splunk, Zoom Patch Critical Vulnerabilities
"Splunk and Zoom this week announced patches for multiple vulnerabilities across their products, including several critical and high-severity security defects. Only three of the five advisories that Splunk published address flaws that are specific to its products, while the other two resolve dozens of bugs in third-party components. The Splunk-specific issues include CVE-2026-20296 (a high-severity command safeguards bypass), CVE-2026-20297 (a high-severity path traversal), and CVE-2026-20298 (a medium-severity information disclosure)."
https://www.securityweek.com/splunk-zoom-patch-critical-vulnerabilities/ - F5 Patches Multiple NGINX, BIG-IP Vulnerabilities
"F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP. The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process. “A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains."
https://www.securityweek.com/f5-patches-multiple-nginx-big-ip-vulnerabilities/ - Trend Micro, Tanium, ESET And Tenable Patch Severe Product Vulnerabilities
"Cybersecurity companies Trend Micro, ESET, Tenable, and Tanium released product updates this month to patch severe vulnerabilities. Tenable told customers this week that it has fixed a critical-severity path traversal in the Tenable Agent. The security hole, tracked as CVE-2026-15265, may allow an attacker to achieve remote code execution. ESET informed customers on Tuesday that it has discovered and patched a high-severity local privilege escalation vulnerability in Inspect Connector for Windows. “On systems with the affected ESET product installed, an attacker could send self-crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’ interface,” ESET explained in its advisory. “Without proper authentication or origin validation in place, this message would be accepted and processed, enabling the attacker to access restricted functionality.”"
https://www.securityweek.com/trend-micro-tanium-eset-and-tenable-patch-severe-product-vulnerabilities/
https://www.tenable.com/security/tns-2026-18
https://support.eset.com/en/ca8970-eset-customer-advisory-local-privilege-escalation-via-unauthenticated-alpc-in-eset-inspect-connector-for-windows-fixed
https://security.tanium.com/TAN-2026-016/
https://helpcenter.trendlife.com/en-us/article/tmka-12951 - CISA Adds Three Known Exploited Vulnerabilities To Catalog
"CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability
CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability
CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability"
https://www.cisa.gov/news-events/alerts/2026/07/16/cisa-adds-three-known-exploited-vulnerabilities-catalog - Same Subject, Wrong User: A Cross-Issuer Account Takeover In n8n
"Months ago, we ran Strix against n8n and it came back with an authentication bug in the token-exchange flow. We submitted the finding and forgot about it. Then, a few weeks ago, we learned it had been assigned CVE-2026-59208 (High). Short version: n8n trusts who signed a token when it verifies it — but forgets who signed it when it decides whose account you are. This is a small post about a small diff with a large blast radius."
https://www.strix.ai/blog/n8n-cross-issuer-account-takeover
https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html - New Agent Data Injection Attack Can Make AI Agents Misclick Or Run Attacker Commands
"Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you asked for. That is the shape of a new class of attack laid out in a paper posted July 6 by researchers from Seoul National University, the University of Illinois Urbana-Champaign, and Largosoft."
https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
https://arxiv.org/abs/2607.05120 - No Shark Is Safe: Millions Of Shark Vacuums Are Vulnerable To RCE
"Millions of Shark vacuums are currently vulnerable to remote code execution. This critical vulnerability leaves hackable cameras with wheels inside the homes of Shark vacuum owners. The vulnerability is trivially exploited as demonstrated in the writeup below. Attempts to remediate the issue with Shark have been unsuccessful as they have downplayed the severity and questioned whether "a CVE is appropriate" for the situation (really?)."
https://tokay0.com/posts/millions-of-shark-vacuums-vulnerable-to-rce.html
https://thehackernews.com/2026/07/unpatched-shark-vacuum-flaw-could-let.html - OpenAI Admits GPT-5.6 Occasionally Deletes Files – But It's An 'honest Mistake'
"OpenAI has confirmed reports that GPT-5.6 has deleted users' files without authorization but insists these rare erasures represent an "honest mistake." Following the release of OpenAI's GPT‑5.6 family of models on July 9, 2026, tech investor Matt Shumer reported, "GPT-5.6-Sol just accidentally deleted almost ALL of my Mac's files." A few days later, software engineer Bruno Lemos said, "GPT-5.6 Sol just deleted my whole production database. That's it. Not a joke. This had never happened to me before, with any other model, ever. It's not safe.""
https://www.theregister.com/ai-and-ml/2026/07/16/openai-admits-gpt-56-occasionally-deletes-files-but-its-an-honest-mistake/5274008 - 7-Zip XZ Decompression Heap-Based Buffer Overflow Remote Code Execution Vulnerability
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of XZ chunked data. Crafted XZ-compressed data can trigger an overflow of a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process."
https://www.zerodayinitiative.com/advisories/ZDI-26-444/
Malware
- ClickLock Stealer: Paste Once, Lose Everything
"Malware targeting macOS users are usually considered rare and advanced: the system’s built-in protections like Gatekeeper, TCC, System Integrity Protection, mandatory code signing and lower number of users require higher commitments and bring less profit for the attackers compared to other platforms. Although the macOS threat landscape has grown considerably in recent years, with malware like Atomic Stealer (AMOS), Banshee Stealer, Poseidon, Cuckoo, Cthulhu Stealer and MacStealer, the total number of known macOS malware families remains relatively small in contrast to other systems, which means the discovery of a previously undocumented sample with zero detections is always something worth digging into."
https://www.group-ib.com/blog/clicklock-stealer-macos-malware/
https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
https://www.bleepingcomputer.com/news/security/new-clicklock-macos-malware-traps-users-into-revealing-login-password/
https://www.infosecurity-magazine.com/news/clicklock-macos-stealer-clickfix/
https://www.securityweek.com/clicklock-stealer-bypasses-macos-security-with-social-engineering-process-killing/
https://www.theregister.com/cyber-crime/2026/07/16/cmon-just-copy-this-text-string-and-paste-it-into-your-macos-terminal-itll-fix-your-computer-honest/5273701 - UAT-11795 Deploys Novel Starland RAT And Bespoke WLDR C2 Implant In Financially Motivated Campaign
"Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025. Talos has discovered that the actor in this campaign delivers a Python-based remote access tool (RAT) that we track as “Starland RAT” and a command-and-control (C2) memory implant known as the “WLDR agent.” The WLDR agent is a sophisticated PowerShell-based C2 memory implant that features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads. UAT-11795 also has CastleStealer and Remcos RAT as alternative payload implants in their arsenal."
https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/
https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/ - Spirals: New Stealthy Ransomware Deployed Against Asian IT Company
"A previously unseen ransomware family, named Spirals by its operators, was deployed in a double extortion attack against an IT services company in South Asia in June 2026, the Symantec Threat Hunter Team can reveal. The Rust-based payload is either a new ransomware threat or one purpose-built for this attack. The actor behind the attack remains unknown. The attackers moved quickly. Less than 24 hours after the initial breach, the ransomware payload was being pushed to machines on the network. They obtained initial access by compromising an internet-facing IIS web server and uploading an ASP.NET web shell. Over a rapid three-hour interactive session, they established persistent access, uninstalled endpoint security software, dumped the Security Account Manager (SAM) hive, and set up covert remote access before later deploying the payload across the network."
https://www.security.com/threat-intelligence/ransomware-spirals-extortion
https://www.bleepingcomputer.com/news/security/new-spirals-ransomware-encrypts-victim-network-in-under-24-hours/ - Threat Spotlight: How ‘text Salting’ Confuses AI-Powered Email Defenses
"Traditional spam filters work by scoring emails on the prevalence of unwanted or malicious terms. Hiding large amounts of harmless-looking text inside an email that can only be seen by security tools helps to dilute the concentration of “bad” words. This makes the emails look benign and legitimate, while the recipient sees only the intended phishing content. The techniques used to hide content are known as “text salting.” Over the last year, researchers have seen an escalation in the use of text salting to confuse not just language detection and keyword analysis, but also machine learning models and, increasingly, LLM-based security tools into misclassifying phishing or spam messages as legitimate and allowing them to be delivered to recipients."
https://blog.barracuda.com/2026/07/16/text-salting-ai-email-security
https://www.darkreading.com/threat-intelligence/1m-emails-hidden-text-dupe-ai-security-filters - The TTF Trap: A Global Campaign Of a Low-Detection Lua Loader
"Since late March, 2026, we have been observing large-scale campaigns that use a combination of fileless techniques and Lua-based loaders with low detection rates to deploy various malware families, including Agent Tesla, Remcos, XWorm, and Best Private LOGGER. In these attack campaigns, the threat actor impersonates several well-known companies, using the guise of business cooperation to launch phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file."
https://www.fortinet.com/blog/threat-research/the-ttf-trap-a-global-campaign-of-a-low-detection-lua-loader
https://www.infosecurity-magazine.com/news/phishing-lua-loader-truetype-font/ - HelloNet Campaign — New Malicious Modules Launched Through The ViPNet Update System
"We discovered a new APT attack using previously unknown tooling, which started at least in May 2026 and remains active at the time of publication. It is notable in that the implants used during it were launched through the ViPNet update system (a software suite for creating secure networks). During our research, we identified attempts of targeted infection of large Russian organizations from the government, energy, transport, education, and logistics sectors, as well as industry. This is not the first time an advanced group has targeted computers connected to ViPNet networks. For example, last year we discovered a complex backdoor mimicking ViPNet updates."
https://securelist.com/tr/hellonet-vipnet/120700/ - GoSerpent: a Persistent Threat Evolves With Sophisticated Data Collection And Exfiltration
"In February 2026 we discovered a set of malicious activities that have been ongoing since late 2025. These activities involved a RAT module written in Go with proxy capabilities, serving as the main stage of the attack. The attack targeted government and diplomatic entities in Southeast Asia and showed a level of sophistication which caught our attention. During the attack, the main malware, dubbed GoSerpent, received an encrypted argument and started communication with a remote server. It was also used to deploy further malicious tools for sensitive data collection and credential dumping on the system."
https://securelist.com/goserpent-backdoor-in-southeast-asia/120687/ - TELEPUZ: a Modular MaaS Malware Spreading Via CLICKFIX-VIDAR Chains
"Elastic Security Labs is tracking an emerging threat named TELEPUZ, which we have discovered spreading widely via a CLICKFIX-VIDAR chain. This malware is in active development and has been operating since late April 2026, according to the infrastructure information we collected. The malware is full-featured, lightweight, and modular. While the number of C2 domains is currently small, the daily volume of builds uploaded to VirusTotal and the rapid pace of updates indicate active development and likely further growth."
https://www.elastic.co/security-labs/telepuz-maas-malware-clickfix
https://thehackernews.com/2026/07/new-telepuz-malware-spreads-via.html - 20+ Hijacked Government Websites Became
an Attack Channel
"More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign putting banks and public agencies at risk. By connecting hundreds of seemingly unrelated sandbox sessions, ANY.RUN researchers exposed the operation’s broader scope and showed how trusted .gov.br links and authenticated emails helped the activity remain hidden."
https://thehackernews.com/2026/07/20-hijacked-government-websites.html - Daxin Returns: Stealthy Malware Resurfaces In Taiwan Alongside a New Backdoor
"More than four years after Symantec first uncovered Backdoor.Daxin, the malware has resurfaced. Symantec's Threat Hunter Team uncovered Daxin in active use on a compromised host in Taiwan in May 2026, long after the tool was last found. Alongside it, our researchers found a previously undocumented backdoor (Backdoor.Stupig) that uses a technically distinctive approach to persistence and pre-authentication code execution. No code-level relationship between the two tools has been established. However, their co-deployment on the same host, complementary functions, and similarities in development practices suggest a link. The two samples also carry compile timestamps a few weeks apart in early 2013. While such timestamps can be edited, it is more likely that both samples were created within a short window of one another, which would be consistent with their use by the same actor."
https://www.security.com/threat-intelligence/daxin-returns-stupig
https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html - Sandworm Hackers Have a CAPTCHA Trick For Ukrainians
"Russian military intelligence hackers have begun using fake CAPTCHA prompts on compromised websites to trick Ukrainian targets into infecting their own computers, researchers have found. In a report published Wednesday, Ukraine's computer emergency response team (CERT-UA) said it observed a shift this spring and summer in how the Kremlin-backed hacking group Sandworm gains initial access to the systems of Ukrainian targets. The agency said the group has increasingly adopted a version of the social engineering technique known as ClickFix. In this case, victims are directed to compromised websites displaying a fake CAPTCHA security check designed to distinguish humans from computers."
https://therecord.media/ukraine-sandworm-hacks-captcha-powershell
Breaches/Hacks/Leaks
- Coca-Cola Says Fairlife Ransomware Attack Halts US Dairy Production
"The Coca-Cola Company disclosed today that a ransomware attack impacting its Fairlife dairy subsidiary has disrupted operations, temporarily suspending production of Fairlife products across the United States. In a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), Coca-Cola said Fairlife detected unauthorized access to some of its systems, including its production-related systems, in connection with a ransomware attack. "After detecting the issue, the Company promptly activated its incident response and business continuity protocols," Coca-Cola said in the filing."
https://www.bleepingcomputer.com/news/security/coca-cola-says-fairlife-ransomware-attack-halts-us-dairy-production/ - Romania’s Land Registry Hit By Cyber Attack, Data Allegedly For Sale
"Romania’s National Agency for Cadastre and Land Registration (ANCPI) suffered a major disruption on Tuesday, July 14, when its e-Terra cadastre and land registry app became unavailable to users. What was first declared to be a “major technical incident” has now been confirmed as a cyber attack. While the circumstances are still being investigated by the competent state institutions, ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident."
https://www.helpnetsecurity.com/2026/07/16/romania-ancpi-cyber-attack/ - Cyberattack On Japan's Largest Cold-Chain Operator Disrupts KFC, Supermarket Supplies
"A cyberattack on Japan's largest refrigerated logistics company has rippled through the country's food supply chain, leaving Kentucky Fried Chicken restaurants short on ingredients and major restaurant chains struggling to keep up with deliveries. Nichirei Logistics Group, which transports frozen and refrigerated food for about 5,000 customers across Japan, said it experienced a system outage on Monday. The company confirmed Thursday that hackers breached its servers. To contain the attack and protect customer data, the company disconnected key systems, bringing parts of its logistics network to a standstill."
https://therecord.media/cyberattack-japan-nichirei-logistics-impacts-kfc
https://www.theregister.com/security/2026/07/16/cyberattack-threatens-utterly-critical-infrastructure-in-japan-kfc/5272220 - Tech Support Scam Caused Massive Data Breach At Australian Airline Qantas
"Australia’s Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn’t breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report published today. Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner’s report goes deeper, explaining a crook who claimed to represent “Qantas IT help” made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket."
https://www.theregister.com/cyber-crime/2026/07/16/tech-support-scam-caused-massive-data-breach-at-australian-airline-qantas/5272267
https://www.oaic.gov.au/privacy/privacy-assessments-and-decisions/privacy-decisions/Investigation-inquiry-reports/report-into-preliminary-inquiries-of-qantas
General News
- Scattered Spider Members Behind TfL Hack Get Five Years In Prison
"Two leading members of the Scattered Spider cybercrime collective were sentenced to five years and six months in prison each for hacking Transport for London (TfL) in 2024. On September 2, 2024, TfL (which provides transportation services to more than 8.4 million Londoners) disclosed that its network was breached in August 2024, with the attack disrupting internal systems and online services. Affected services and platforms included TfL's Dial-a-Ride service, concessionary travel cards, digital payments, and contactless ticketing rollout, as well as the public transportation agency's ability to process refunds. Additionally, 148 systems became inoperable across TfL's network, and all 27,000 TfL employees had to reset their passwords in person after the breach."
https://www.bleepingcomputer.com/news/security/scattered-spider-members-behind-transport-for-london-hack-get-five-years-in-prison/
https://www.infosecurity-magazine.com/news/selfish-bravado-behind-tfl/
https://www.theregister.com/cyber-crime/2026/07/16/brit-scattered-spider-duo-handed-tickets-to-prison-over-transport-for-london-attack/5272446
https://thehackernews.com/2026/07/two-scattered-spider-hackers-get-55.html
https://therecord.media/scattered-spider-hackers-tfl-sentenced
https://hackread.com/two-scattered-spider-members-sentenced-tfl-cyberattack/
https://www.securityweek.com/two-scattered-spider-hackers-sentenced-to-jail-in-uk/
https://securityaffairs.com/195501/cyber-crime/two-scattered-spider-members-sentenced-to-prison-over-29-million-tfl-cyberattack.html
https://www.helpnetsecurity.com/2026/07/16/ransport-for-london-cyberattack-prison-time/ - The Hunter's Paradox: Is It Time To Embrace Automated Threat Hunting?
"Should we let AI run our threat hunts? The debate usually splits into two camps. One says, "Yes, obviously! The sheer scale of our security telemetry is impossible for humans to deal with." The other says, "Absolutely not! You can't trust an AI with something this important." The thing is, I think both are wrong, or at least incomplete. I've spent a long time as one of the louder voices saying that hunting is specifically a human-driven process. I created the first widely recognized definition of threat hunting back in 2015, and the version I'd have given you until very recently put a human firmly at the center of it."
https://blog.talosintelligence.com/the-hunters-paradox-is-it-time-to-embrace-automated-threat-hunting/ - Agentic AI Is Untamable: Ask The Right Security Questions
"Agentic security challenges stem from a mindset, not the technology so solving them requires a fundamental shift in how organizations think about control. While agentic systems can save organizations time across several operations, from cybersecurity and software development to customer support, agents also introduce significant risks to the organization. These systems require alarmingly high levels of access to sensitive information, as well as the use of external tools, to complete tasks with little to no human oversight. They constitute yet another attack surface for threat actors to target."
https://www.darkreading.com/cybersecurity-operations/agentic-ai-untamable-ask-the-right-security-questions - Reading Between The Lines Of a Cyber Insurance Policy
"Enterprises in regulated industries often carry cyber insurance policies because contracts require it or boards ask for documented risk transfer. The global market for these policies reached about $16 billion in premiums in 2024. Coverage has become widespread. Payouts have grown less predictable. The Global Federation of Insurance Associations, which represents insurers accounting for close to 90 percent of premiums worldwide, quantified the cyber protection gap at about $900 billion in a 2023 report, with annual economic losses from cyber incidents exceeding that figure."
https://www.helpnetsecurity.com/2026/07/16/cyber-insurance-coverage-gap/ - Companies Keep Getting Breached By Vulnerabilities They Already Knew About
"Scanning tools have gotten good at their work. Organizations now find more weaknesses across more of their systems than at any earlier point in the industry’s history. A survey from the security firm Vicarius points to a gap that opens after that discovery, in the work of assigning, approving, deploying, and confirming a fix. The company surveyed 300 IT and cybersecurity leaders in the United States and the United Kingdom, at organizations with 500 to 2,000 employees. On average, 58% of remediation activities require direct human intervention. Automated discovery, scanning, and reporting have become common across the sample. The work of deciding what to fix and pushing the change through still runs on people. Only a small share of organizations have removed people from the loop entirely, at 7%, and that pattern held steady across company sizes and industries."
https://www.helpnetsecurity.com/2026/07/16/ciso-vulnerability-remediation-gap/
อ้างอิง
Electronic Transactions Development Agency (ETDA)
- Rockwell Automation CompactLogix, ControlLogix, Compact GuardLogix And GuardLogix