
Tuesday 19 May 2026

No Patch, Active Exploitation: Microsoft Exchange Zero-Day Hits OWA Mailboxes

A zero-day in Microsoft Exchange is being actively exploited with no patch in sight — and today's brief covers a Windows SYSTEM-privilege exploit, a pre-Stuxnet nuclear sabotage tool, Anthropic's quiet SDK land-grab, and a Victorian phone scammer who finally got two years.

Lead story

No Patch, Active Exploitation: Microsoft Exchange Zero-Day Hits OWA Mailboxes

There's a live, unpatched vulnerability in Microsoft Exchange and attackers are already using it. CVE-2026-42897 is a cross-site scripting flaw in Outlook Web Access that lets an attacker compromise Exchange mailboxes without needing privileged credentials — just a target who loads the wrong page.

What's actually happening. The flaw sits in OWA, the browser-based interface that millions of organisations use to access Exchange when they're not on a corporate network. XSS vulnerabilities are often dismissed as "low severity" bugs, but in a mail server context they're anything but: a successful exploit can let an attacker read, exfiltrate, or manipulate email, steal session tokens, and pivot deeper into an environment — all without tripping traditional perimeter defences.

Why "no patch available" changes the calculus. Microsoft has acknowledged the bug but has not shipped a fix. That means defenders are in the uncomfortable position of choosing between leaving OWA exposed, restricting access to it, or deploying compensating controls — none of which are free. In practice, many organisations simply wait for a patch and hope for the best. With active exploitation confirmed, that bet is getting riskier by the hour.

Who's in scope. Any organisation running on-premises Exchange with OWA enabled is potentially exposed. Cloud-hosted Exchange Online users are in a different (and generally safer) position, though hybrid deployments complicate that picture. Exchange on-premises remains extraordinarily common in large enterprises, government agencies, law firms, and healthcare — precisely the environments attackers most want to be in.

The Australian angle. Exchange is deeply embedded in Australian federal and state government infrastructure, and the Australian Signals Directorate's Essential Eight framework explicitly calls out patching as a top mitigation. When a patch doesn't exist, that guidance effectively collapses to "restrict access and monitor." The ACSC's advisory posture on unpatched Exchange flaws has historically been swift — agencies should expect guidance shortly if they haven't already received it. Organisations covered by the SOCI Act operating critical infrastructure on Exchange on-premises should treat this as a Tier 1 priority.

What to watch. Microsoft will eventually ship a patch — the question is how long that takes and whether the vulnerability gets weaponised for something more systematic in the meantime. Previous Exchange zero-days (ProxyLogon, ProxyShell) had short windows between public disclosure and mass exploitation campaigns. CVE-2026-42897 appears to already be in that window. Watch for Microsoft's advisory to be updated with workaround guidance, and for threat intelligence feeds to report on who is exploiting this and how broadly.

Also today

MiniPlasma: A Windows SYSTEM Exploit for a Bug That's Been Sitting Open Since 2020

A researcher known as Chaotic Eclipse — the same person behind the YellowKey BitLocker bypass and the GreenPlasma privilege escalation — has dropped a working proof-of-concept exploit for a Windows zero-day targeting the Cloud Files Mini Filter Driver (cldflt.sys). Named MiniPlasma, it grants SYSTEM privileges on fully patched Windows 11 machines. The underlying CVE dates back to 2020, meaning it has gone unaddressed for six years. With a public PoC now available, the window before active exploitation is narrow. System administrators should treat this as urgent, though Microsoft has not yet released a patch.

The Hacker News

Pre-Stuxnet 'Fast16' Malware Was Designed to Corrupt Nuclear Weapons Simulations

New analysis from Symantec and Carbon Black has confirmed that Fast16, a Lua-based malware discovered earlier this year, predates Stuxnet and was engineered specifically to corrupt uranium-compression simulations — the computer modelling at the heart of nuclear warhead design. The malware used a selective hook engine that targeted only specific simulation processes, suggesting a highly resourced actor with detailed knowledge of the target environment. Researchers haven't publicly attributed the malware to a specific nation-state, but the sophistication and targeting strongly echo the kinds of operations associated with Western intelligence programmes of the mid-2000s.

The Hacker News

'Claw Chain' Flaws in OpenClaw AI Agent Framework Allow Full Sandbox Escape

Researchers have disclosed four chained vulnerabilities — dubbed 'Claw Chain' — in OpenClaw, a rapidly growing open-source AI agent framework. Chained together, the flaws let an attacker steal credentials, escape the sandbox environment, escalate privileges, and plant a persistent backdoor. All four have been patched, but the disclosure is a reminder that AI agent frameworks are a new attack surface with very little security hardening behind them. OpenClaw's growing adoption means the patch window matters: organisations using it in production should update immediately. With Australian enterprises beginning to deploy AI agent infrastructure, third-party risk assessments should explicitly include agent framework versions.

SecurityWeek

7-Eleven Australia Parent Confirms Breach After ShinyHunters Ransom Demand

7-Eleven has confirmed a data breach after the ShinyHunters group claimed to have stolen more than 600,000 Salesforce records containing personal and corporate data. The incident follows a ransom demand the company has publicly declined to pay. ShinyHunters, the group also linked to the Grafana breach via its associated Coinbase Cartel cluster, has been one of the most prolific data theft and extortion actors over the past two years. 7-Eleven operates hundreds of stores across Australia, meaning Australian customer records could be among those exposed. Affected individuals should be alert to targeted phishing attempts using personal details from the stolen data.

SecurityWeek

Victorian Bulk Phone-Porting Scammer Jailed for Over Two Years

A Victorian man has been sentenced to more than two years in prison after successfully porting 44 phone numbers without the account holders' consent. Bulk SIM-porting scams — where attackers hijack a victim's mobile number to intercept SMS-based authentication codes — remain one of the most effective and underappreciated account-takeover techniques in Australia. The conviction is a notable enforcement outcome in a space where prosecutions are rare. The ACMA has been pushing telcos to tighten porting verification processes, and cases like this add pressure to operators who have been slow to implement stronger customer-identity checks before authorising number transfers.

iTnews

Anthropic Acquires Stainless, the SDK Factory Behind OpenAI, Google, and Cloudflare's Dev Tools

Anthropic has quietly acquired Stainless, a New York startup that automates the creation and maintenance of software development kits. It might sound like boring plumbing — but Stainless's SDKs are what developers at OpenAI, Google, and Cloudflare use to wire up API integrations. By bringing Stainless in-house, Anthropic gets control over a critical layer of developer experience: the tooling that makes Claude easy (or hard) to integrate into products. It's a sharp move in the developer mindshare war, where ease of integration often matters more than raw model performance. Expect Claude's SDK quality to improve meaningfully in the coming quarters.

TechCrunch

Google I/O Preview: The Company Entering Its Developer Conference in Third Place

Google opens its annual I/O developer conference this week in an unusual position: widely regarded as third in the foundation model race behind OpenAI and Anthropic, despite having invented many of the underlying techniques. MIT Technology Review maps out what to expect — Gemini updates, more aggressive AI integration into Search and Workspace, and likely some traction on long-context and multimodal capabilities where Google genuinely leads. The stakes are high: I/O is Google's best annual opportunity to reset the developer narrative, and after a year of playing catch-up, the company needs a credible statement of momentum rather than a product roadmap.

MIT Tech Review

Musk v. Altman: Jury Took Two Hours to Dismiss the Tech Trial of the Year

Nine jurors deliberated for just two hours before delivering a unanimous verdict in Musk v. Altman: the claims were filed too late, barred by the statute of limitations. US District Judge Yvonne Gonzalez Rogers immediately accepted the advisory verdict. Musk has said he'll appeal. The legal outcome was almost anti-climactic — but three weeks of testimony produced a detailed public record of OpenAI's internal dynamics, its relationship with Microsoft, and the governance decisions that took it from a nonprofit lab to a capped-profit structure. That record will be litigated in regulatory and public forums long after the court case is forgotten.

TechCrunch

NYC Health + Hospitals Breach: 1.8 Million Records Gone, Including Fingerprints

New York City's public hospital system has disclosed one of 2026's largest healthcare breaches, with attackers stealing medical records, personal data, and biometric scans — including fingerprints — belonging to at least 1.8 million people. Unlike a stolen password, a fingerprint can't be reset. The incident joins a growing list of major US healthcare breaches added to the HHS tracking database this month, pointing to systemic security problems across an industry that holds some of the most sensitive data imaginable. Australian healthcare organisations covered under the Notifiable Data Breaches scheme should treat this as a case study in what a reportable breach at scale actually looks like.

TechCrunch

AI Is Flooding Bug Bounty Programmes With Slop — and Security Teams Are Drowning

Bug bounty programmes at major technology companies are being swamped by AI-generated vulnerability reports — most of them low quality, duplicative, or entirely fabricated. Security teams describe the volume as unmanageable, with triage staff spending more time filtering noise than investigating real findings. The irony is sharp: the same AI capabilities that vendors like Anthropic and OpenAI promote as security tools are also arming low-effort researchers with the ability to mass-produce plausible-sounding reports. Some programmes are now considering score penalties or submission throttling. It's a preview of what happens when AI lowers the cost of participation in security research without raising its quality floor.

Ars Technica

Telstra and Ericsson Team Up to Research and Test 6G on the Gold Coast

Telstra and Ericsson have announced a joint research and testing programme for 6G technology, with some of the testing to be conducted on the Gold Coast. The partnership puts Australia in a small group of countries actively trialling next-generation network standards while 5G is still being rolled out. 6G isn't a near-term commercial reality — most timelines put it in the early 2030s — but the standards and spectrum allocation decisions being made now will shape who controls the technology and at what cost when it does arrive. Telstra's involvement in early testing is also relevant to Australia's ongoing effort to reduce dependence on Chinese network equipment vendors.

iTnews
