Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Threat and vulnerability management (TVM) is a continuous, risk-based cybersecurity discipline that combines vulnerability assessment with threat intelligence to identify, prioritize, and remediate security weaknesses before attackers can exploit them. Rather than treating vulnerability scanning and threat detection as separate activities, TVM integrates both into a unified lifecycle that connects visibility, context, action, and validation.

CVE-2026-1731 is a vulnerability disclosed in products developed by BeyondTrust. At the time of writing, publicly available technical details regarding the root cause, vulnerable code paths, and exploitation prerequisites remain limited. Based on initial advisory information, the issue affects components involved in privileged access or remote access workflows, which are typically deployed to manage high-value credentials, session brokering, or secure administrative access to enterprise systems.

Since our previous security bulletin, Arctic Wolf has observed malicious activities in the wild tied to suspected exploitation of CVE-2026-1731 of self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments. We are sharing threat intelligence related to this activity to help defenders protect against this campaign. CVE-2026-1731 allows unauthenticated remote threat actors to execute operating system commands in the context of the site user via specially crafted requests.

Security teams are facing an attack surface that changes faster than it can be fully understood. Cloud adoption, Software-as-a-Service sprawl, and continuous delivery cycles have dissolved the traditional perimeter, replacing it with an environment where assets change with little notice. Shadow IT, abandoned infrastructure, expired certificates, and misconfigured services quietly expand exposure, often outside formal ownership.

Exposure management has outgrown visibility. With 67M+ findings per year, the real challenge is execution at scale. The 2026 Exposure Action Report shows that risk clusters in predictable places, most exposure is operational (not novel), and meaningful risk reduction comes from consolidation, prioritization, and disciplined remediation workflows — not adding more tools.

Text editors rarely show up in threat models. Installers show up even less. CVE-2025-49144 changes that. The issue is a local privilege escalation in the Notepad++ Windows installer that can allow a low-privileged user to gain SYSTEM-level execution by abusing insecure executable search behavior during installation. Affected versions include Notepad++ 8.8.1 and earlier, per the NVD record.

CISA recently published BOD 26-02, the latest Binding Operational Directive shaping how federal agencies manage cyber risk. While attention often gravitates toward highly visible directives like KEV, this one matters for a different reason: it raises the standard for how lifecycle risk must be tracked and sustained over time. BOD 26-02 is described as guidance on unsupported edge devices, which is accurate but incomplete.

If you've been paying attention to the AI agent space over the past few months, you've probably noticed a pattern: every week brings a new story about an AI agent doing something it absolutely should not have done: reading private emails, exfiltrating credentials, or executing shell commands that a human would have never approved. The OpenClaw saga alone gave us exposed databases, command injection vulnerabilities, and a $16 million scam token, all in the span of about five days.

Why don’t developers fix every AppSec vulnerability, every time, as soon as they’re found? The most common answer? Time. Modern security tools can surface thousands of vulnerabilities in a given codebase. Fixing them all would take up a development team’s entire capacity, often competing with feature development and other priorities.

For most engineering teams, AI feels like a breakthrough years in the making. Code gets written faster, reviews move quicker, and releases that once took weeks now happen in days—or even hours. But as more of the software lifecycle becomes automated, a less comfortable reality is setting in: application security hasn’t kept pace, and AI-native security practices are often missing. When AppSec foundations are immature, AI doesn’t reduce risk—it scales it.