ISSUE 08 | The Trust You Forgot You Granted
Security Conscience: Enterprise Cyber Weekly
Issue #08 • Week of Feb 23, 2026
Security Tip of the Week 🔐

Trust Inventory, Not Just Asset Inventory

There’s a pattern worth sitting with this week. Across the threat landscape, in policy conversations, and inside our own tooling decisions, the common thread isn’t sophistication. It’s misplaced continuity. We extend trust to things we approved once, built once, or partnered with once, and then we stop asking whether that trust still makes sense. The attack surface doesn’t expand because defenders stop caring. It expands because the environments we defend keep changing while our assumptions about them don’t.

This shows up in real ways in every organization I talk to. It’s the add-in that nobody audits because it was approved two years ago. It’s the remote access tooling that carries implicit network privilege because it was architected that way before zero trust was a budget line. It’s the telecom infrastructure that passed compliance reviews but never got the hygiene attention it deserved. And it’s the cryptographic foundations we’re all quietly planning to modernize eventually, while adversaries are collecting today’s encrypted traffic with patience we’re not matching.

What makes this week’s signal useful is that it cuts across timescales. Some of these trust failures are immediate and patchable. Others are structural and will take years to resolve, across leadership cycles, budget cycles, and technology generations. The harder question isn’t which one to address first. It’s whether your organization even has a clear picture of where its inherited trust assumptions actually live.

Top Story

Your PAM Tool Just Became a Ransomware Entry Point
Source: http://www.securityweek.com/beyondtrust-vulnerability-exploited-in-ransomware-attacks/

TLDR
CVE-2026-1731, a critical unauthenticated RCE flaw in BeyondTrust Remote Support and Privileged Remote Access, moved from PoC to active ransomware exploitation in under 24 hours.
CISA quietly updated its KEV entry to flag ransomware use, while Palo Alto’s Unit 42 observed full attack chains including lateral movement, data theft, and backdoor deployment across financial services, healthcare, and critical sectors.

Why It Matters to Enterprises
BeyondTrust RS and PRA sit at the intersection of privileged access and remote connectivity, which makes this more than a patch priority. These tools carry implicit trust across your environment: they authenticate sessions, broker elevated credentials, and often have broad network reach by design. An unauthenticated RCE on that surface means an attacker doesn’t need to defeat your identity controls or phish a privileged user — they bypass the front door entirely. The confirmed presence of web shells, backdoors, and lateral movement before any ransomware payload lands tells you the dwell time problem is real, and that initial access here is being traded and operationalized systematically. If your PAM tooling isn’t behind layered access controls and generating alerts you actually review, this flaw exposes how much blast radius you’ve quietly built around “enterprise-grade” remote access.

What to Do This Week
Big Stories

Post-Quantum Risk Doesn’t Reset When Leadership Does
Source: https://cyberscoop.com/post-quantum-state-department-transition-plans-outlive-leadership-cycles/

What happened
Speaking at CyberTalks in Washington D.C., State Department Deputy Assistant Secretary Gharun Lacy framed post-quantum cryptography migration as a multi-generational commitment, not a project cycle. He argued that adversaries like China are targeting entire digital ecosystems, harvesting encrypted data today with the intent to break it later once quantum capability matures. Federal agencies and the private sector are broadly targeting 2035 for high-risk system transitions, but Lacy pushed for tighter cross-sector coordination and warned that organizations pursuing modernization in isolation will fail. Lacy also raised the concept of deliberately injecting unpredictability into modernization plans to disrupt adversaries who are reading decades of historical behavior to anticipate future posture.

Why it matters
The “harvest now, decrypt later” threat model is not theoretical and does not pause between administrations or budget cycles. If your organization’s post-quantum roadmap is tied to a current leadership priority or a near-term compliance deadline, you are already misaligned with the actual threat timeline. The risk your encrypted data carries today will still be present in 10 or 15 years, regardless of whether your CISO or CTO is still in the chair. More importantly, Lacy’s ecosystem framing cuts against a common enterprise assumption: that completing your own cryptographic inventory and migration plan is sufficient. If your partners, suppliers, and sector peers are running legacy encryption, your exposure doesn’t end at your perimeter. The coordinated failure mode is what adversaries are counting on.
Salt Typhoon Is Still Inside – The Basics Are Still Broken
Source: https://cyberscoop.com/fbi-salt-typhoon-ongoing-threat-cybertalks-2026/

What happened
FBI Deputy Assistant Director for Cyber Intelligence Michael Machtinger confirmed at CyberTalks this week that Salt Typhoon’s intrusion campaign across U.S. and global telecommunications infrastructure remains an active, ongoing threat. The group has now impacted organizations across more than 80 countries, operating with broad access and indiscriminate collection. Machtinger noted that organizations that engaged early with the FBI and CISA were the most successful in containing the damage, but the underlying conditions that enabled Salt Typhoon’s access in the first place — basic hygiene failures, legacy systems, and consolidated patchwork networks — have not been fully resolved.

Why it matters
The FBI’s own post-mortem on one of the most consequential espionage campaigns in recent memory lands on an uncomfortable conclusion: Salt Typhoon didn’t win through sophistication. It won through the same unlocked doors defenders have been warned about for years. Phishing and unpatched legacy systems, not zero-days, were the primary entry vectors. For enterprise security leaders, this should prompt a hard look at whether foundational controls (zero trust architecture, least-privilege access, network segmentation, and end-to-end encryption) are actually implemented at the depth that telecom-scale adversarial persistence demands, or merely documented in policy. The campaign also reframes telecom dependency as an enterprise risk: if your communications infrastructure was in scope, your data may have been too.

Quick Hits

Orphaned Microsoft Store Add-in Hijacked to Phish 4,000 Outlook Users
The AgreeTo compromise exposes a structural gap in Microsoft’s add-in trust model: once an add-in is approved, it retains that trust indefinitely even if the underlying infrastructure changes hands.
Enterprises allowing unmanaged add-in installations should treat this as a prompt to audit what’s currently approved in their M365 tenants and whether add-in allowlisting policies are actually enforced.
https://www.bleepingcomputer.com/news/security/microsoft-store-outlook-add-in-hijacked-to-steal-4-000-microsoft-accounts/

Anthropic Embeds Vulnerability Scanning Directly into Claude Code
AI-generated code is accumulating security debt faster than traditional review processes can handle it, and this move signals that scanning will increasingly live inside the coding tool itself rather than downstream in your SAST pipeline. Enterprises adopting “vibe coding” workflows should treat this as a prompt to reassess where code security review currently sits in their SDLC — and whether that position still makes sense.
https://cyberscoop.com/anthropic-claude-code-security-automated-security-review/

Windows 11 Notepad’s Markdown Support Quietly Became a Code Execution Surface
CVE-2026-20841 is a good reminder that feature expansion in ubiquitous tools creates attack surface that rarely gets threat-modeled — Notepad’s new Markdown renderer could silently execute remote files from SMB shares with no Windows warning prompt. The patch is auto-deployed via the Microsoft Store, but it’s worth validating that Store updates aren’t blocked in your environment before treating this as closed.
https://www.bleepingcomputer.com/news/microsoft/windows-11-notepad-flaw-let-files-execute-silently-via-markdown-links/

Wrapping it up

The assumption most enterprises are quietly operating on is that trust, once established, is a solved problem. You vetted the vendor, approved the tool, architected the integration, and moved on. What this week keeps illustrating is that trust has a shelf life, and we rarely build expiration dates into our governance models. The approval was point-in-time. The risk is continuous.
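Two of this week’s Quick Hits end in a concrete check: audit which add-ins your tenant has already approved, and confirm Store updates aren’t blocked before calling the Notepad fix closed. The PowerShell below is an added example written for this edition; it is not code from the newsletter, from Microsoft, or from any of the cited sources. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange administrator role for the tenant part, local administrator rights on a Windows 11 endpoint for the Store part, and a placeholder mailbox alice@contoso.example for the per-user check. The Group Policy registry values it reads (RemoveWindowsStore and AutoDownload) are the ones the “Turn off the Store application” and “Turn off Automatic Download and Install of updates” policies write; the fixed Notepad build number is deliberately not hardcoded, since the newsletter does not state it.

```powershell
# Added example, not from the newsletter or from Microsoft's documentation.
# Part 1 assumes the ExchangeOnlineManagement module and an Exchange admin role.
# Part 2 runs locally on the Windows 11 host being checked.

function Get-OrgAddInInventory {
    # Tenant-level add-in posture: the global self-install switch plus every
    # add-in deployed at the organization level.
    Connect-ExchangeOnline -ShowBanner:$false

    # If this is $true, users may still install add-ins themselves unless a
    # narrower policy restricts them, so an allowlist is not enforced by this alone.
    $usersCanInstall = (Get-OrganizationConfig).AppsForOfficeEnabled
    Write-Host "Users may install add-ins themselves: $usersCanInstall"

    $apps = Get-App -OrganizationApp
    $apps |
        Select-Object DisplayName, AppId, AppVersion, ProviderName, Enabled, ProvidedTo, DefaultStateForUser |
        Sort-Object ProvidedTo, DisplayName |
        Format-Table -AutoSize

    # The broad-trust case: enabled and pushed to everyone. These are the add-ins
    # whose publisher and hosting should be re-verified now rather than inherited
    # from the original approval.
    $broad = @($apps | Where-Object { $_.Enabled -and $_.ProvidedTo -eq 'Everyone' })
    Write-Host "Org add-ins enabled for everyone: $($broad.Count)"
    $broad | Select-Object DisplayName, AppId, ProviderName

    Disconnect-ExchangeOnline -Confirm:$false
}

function Get-UserInstalledAddIns {
    param([Parameter(Mandatory)][string]$Mailbox)
    # Add-ins a user added on their own (Scope = User), as opposed to ones the
    # organization pushed. Assumes an existing Exchange Online session.
    Get-App -Mailbox $Mailbox |
        Where-Object { $_.Scope -eq 'User' } |
        Select-Object DisplayName, AppId, ProviderName, Enabled
}

function Test-StoreUpdatePolicy {
    # Local check: has Group Policy turned off the Store or its automatic updates?
    # Either would keep a Store-delivered fix such as the Notepad update from arriving.
    $policyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
    $storeRemoved  = $false
    $autoUpdateOff = $false
    if (Test-Path $policyPath) {
        $p = Get-ItemProperty -Path $policyPath
        # "Turn off the Store application" writes RemoveWindowsStore = 1
        $storeRemoved  = ($p.RemoveWindowsStore -eq 1)
        # "Turn off Automatic Download and Install of updates" writes AutoDownload = 2
        $autoUpdateOff = ($p.AutoDownload -eq 2)
    }

    # Report the installed Notepad package version so it can be compared with the
    # fixed build in the vendor advisory; that number is not hardcoded here.
    $notepad = Get-AppxPackage -Name 'Microsoft.WindowsNotepad' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        StoreDisabledByPolicy   = $storeRemoved
        StoreAutoUpdateDisabled = $autoUpdateOff
        NotepadPackageVersion   = $(if ($notepad) { $notepad.Version } else { 'not installed' })
    }
}

# Usage:
# Get-OrgAddInInventory
# Get-UserInstalledAddIns -Mailbox 'alice@contoso.example'   # placeholder mailbox
# Test-StoreUpdatePolicy
```

Run the tenant functions from an admin workstation and the Store check on a representative managed endpoint; if either StoreDisabledByPolicy or StoreAutoUpdateDisabled comes back $true, the Notepad fix has to be pushed through whatever channel you use for Store apps instead of being assumed installed.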
What makes this particularly difficult to govern is that the failure mode is invisible by design. Inherited trust doesn’t announce itself in your dashboards. It sits in approved add-in registries, in PAM tools with broad network reach, in telecom dependencies your incident response plan hasn’t fully mapped, and in cryptographic standards your organization committed to before the threat model changed. None of these feel urgent until they are. And by the time they are, the window for orderly remediation has usually closed.

The mindset shift worth carrying into next week isn’t about moving faster or adding more controls. It’s about treating trust as something that requires active renewal rather than passive inheritance. The organizations that navigated this week’s threat landscape best were the ones already asking whether their foundational assumptions still held, not the ones responding after they didn’t. That posture is less about tooling and more about institutional discipline: the willingness to keep questioning what you already approved.

📬 Worth Sharing? If this week’s edition made you think differently about something, consider forwarding it to a colleague who’d appreciate a no-hype take on enterprise security. We’re building this one reader at a time.
