🚨 Three Exploited Flaws, No Patch Coming - Murali Rathinasamy on Why Micro-Segmentation Is the Destination, Not the Project

Hello from the Cloud-verse!

This week’s Cloud Security Newsletter topic: Segmentation for the week the patches didn't come — hybrid mesh firewall and staged micro-segmentation (continue reading) 

Incase, this is your 1st Cloud Security Newsletter! You are in good company!
You are reading this issue along with your friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter, who like you want to learn what’s new with Cloud Security each week from their industry peers like many others who listen to Cloud Security Podcast & AI Security Podcast every week.

Welcome to this week’s Cloud Security Newsletter

This week's Cloud Security Newsletter topic: Segmentation for the week the patches didn't come — hybrid mesh firewall and staged micro-segmentation.

No single breach carried this week. The pattern did: a cluster of actively exploited vulnerabilities in control-plane infrastructure, several added to CISA's KEV catalog within 48 hours, and vendors increasingly responding with ACLs and config changes instead of code. If your triage starts with "is there a patch," this was the week that question stopped working.

That makes the timing of this week's episode useful. Ashish Rajan sat down with Murali Rathinasamy, Senior Director of Product at Cisco, for a conversation about hybrid mesh firewall: what the category actually is, where it differs from CNAPP, and a staged approach to micro-segmentation that starts with blocking ports your own traffic data says you never use. (Disclosure: Cisco sponsored this episode. This week's news also includes an actively exploited Cisco SD-WAN flaw, covered on its merits below.)[Listen to the episode]

⚡ TL;DR for Busy Readers

• Check Point VPN auth bypass (CVE-2026-50751, CVSS 9.3) ran exploited for about a month before the June 8 hotfix, with a Qilin ransomware affiliate among the users. Apply the hotfix and retire IKEv1 now.

• Cisco SD-WAN Manager zero-day (CVE-2026-20245) is exploited with no patch or mitigation available. Restrict management-plane access to a hardened jump path and rotate netadmin credentials today.

• LiteLLM RCE (CVE-2026-42271) is the first KEV-listed AI-gateway flaw. Patch to ≥1.83.7, block the /mcp-rest/test/* endpoints, and rotate every model-provider key the proxy held.

• Arista EOS tunnel flaw (CVE-2026-7473): exploited, no patch planned, and it bypasses the VXLAN/GRE segmentation your fabric design assumes. ACLs are the permanent fix.

• From the episode: treat full micro-segmentation as the destination, not the project. Start agentless, block what observed traffic shows is unused (SMB 445 first), and save agents for crown jewels.

📰 THIS WEEK'S TOP 5 SECURITY HEADLINES

Each story includes why it matters and what to do next — no vendor fluff.

 1. LiteLLM RCE chain exploited in the wild; CISA adds first AI-gateway flaw to KEV

Primary source: CISA KEV Catalog 
Reporting: The Hacker News · Help Net Security 
Analysis: Horizon3.ai

What Happened

CISA added CVE-2026-42271, a command-injection flaw in BerriAI's LiteLLM proxy (CVSS 8.7), to the KEV catalog on June 8, citing active exploitation. Two MCP-server preview endpoints accepted a full server config in the request body and spawned the supplied command as a subprocess on the proxy host. Horizon3.ai chained it with CVE-2026-48710, a Starlette host-header validation bypass, to reach unauthenticated RCE. Fixed in LiteLLM 1.83.7 and Starlette 1.0.1.

Why It Matters

The LLM proxy is where enterprises now concentrate model-provider API keys, internal endpoint credentials, and the routing config for every AI app behind it. A shell on that host means the blast radius is every model credential the gateway holds, not one application. This is the first KEV-listed AI-gateway RCE, and it reframes the LLM proxy as a tier-0 identity asset that belongs in the same patch SLA as a domain controller.

Action for defenders: Inventory LiteLLM deployments, confirm version ≥1.83.7, block the two /mcp-rest/test/* endpoints at the reverse proxy if you cannot patch immediately, then rotate any model-provider keys the proxy stored.

🚨 2. Check Point VPN auth bypass exploited for a month; Qilin affiliate among the users

Primary source: Check Point advisory 
Reporting: BleepingComputer · SecurityWeek 
Analysis: Rapid7

What Happened

Check Point disclosed CVE-2026-50751 on June 8, a CVSS 9.3 logic flaw in certificate validation that lets a remote, unauthenticated attacker establish a Remote Access or Mobile Access VPN session without a valid password. It affects deployments using the deprecated IKEv1 protocol and Spark firewalls. Check Point traces exploitation to May 7 (vendor's own assessment) and ties it to at least one Qilin ransomware intrusion that used Rclone for exfiltration. CISA set a June 11 federal KEV deadline. A related flaw, CVE-2026-50752, affects IKEv1 site-to-site certificate validation.

Why It Matters

Roughly a month of in-the-wild use before a fix existed, and the entry point is the appliance fronting the corporate network. A ransomware affiliate gets the same network position as an authenticated remote employee, minus the credential. The IKEv1 dependency makes this a configuration-debt story: the exposed set is everyone who never migrated to IKEv2, so remediation is an architecture audit, not just a hotfix.

Action for defenders: Apply the hotfix. If you cannot, switch Remote Access VPN to IKEv2-only, make machine-certificate authentication mandatory, enable IPS, and hunt logs for the published VPS-hosted source IPs.

☁️ 3. Cisco Catalyst SD-WAN Manager zero-day exploited; no patch available

Primary source: Cisco Security Advisory 
Reporting: Help Net Security · BleepingComputer · The Hacker News

What Happened
Cisco confirmed active exploitation of CVE-2026-20245 (CVSS 7.8) in Catalyst SD-WAN Manager, a command-injection flaw that lets an authenticated attacker with netadmin privileges execute commands as root by uploading a crafted file. Google Mandiant reported it, and Cisco observed attackers pushing configuration changes down to edge devices. No patch or mitigation is available. The netadmin role can be obtained via stolen credentials or by chaining earlier SD-WAN flaws (CVE-2026-20182, CVE-2026-20127).

Why It Matters
SD-WAN Manager is the control plane for branch and cloud-edge connectivity. Root on the manager is not one box; it is the ability to rewrite routing and policy on every managed edge device, which is pre-positioning capability rather than a single-host compromise. With no patch on offer, the defensive question shifts from "when do we deploy the fix" to "who can reach the manager's CLI at all."

Action for defenders
Restrict management-plane access to a hardened jump path, audit netadmin accounts and rotate their credentials, and review edge-device config history for unexpected pushes.

🛠 If you only do one thing this week: List which of the four exploited access-broker products you run — Check Point IKEv1 VPN, Catalyst SD-WAN Manager, Arista tunnel-decap endpoints, LiteLLM — and for each one write down either the patch version deployed or the named compensating control and its owner. Thirty minutes, and it converts this week's thesis (the patch isn't coming; compensate at the network layer) into a checklist your team can act on.

🏥 4. ServiceNow discloses unauthenticated API flaw used to query customer instance data

Primary source: BleepingComputer 
Reporting: Hackread

What Happened

ServiceNow disclosed on June 9 that attackers exploited an unauthenticated-access flaw in one of its API endpoints to run queries against customer instances. Observed activity traces to June 2–3; ServiceNow remediated hosted instances on June 5 with no customer action required. Community reporting points to a Scripted REST Resource deployed with requires_authentication=false. The bulletin centers impact on the Australia platform release and older releases with certain config changes.

Why It Matters

This is a multi-tenant SaaS auth bypass in the provider's own platform code, not a customer misconfiguration, so "harden your instance" would not have prevented it. Because the vendor fixed it server-side, most affected customers will see no signal unless they go looking. "The provider patched it for you" and "you have no exposure" are different claims; log review is the only way to know which one applies to you.

Action for defenders
Pull instance logs for requests to the affected endpoint and the published indicator IP (51.159.98.241) across the June 2–5 window, and confirm with your account team whether your release was in the impacted set.

🛡️ 5. Google patches fifth actively exploited Chrome zero-day of the year

Primary source: CISA KEV 
Reporting: Help Net Security · BleepingComputer · The Hacker News

What Happened

Google patched CVE-2026-11645, an out-of-bounds read/write in the V8 JavaScript engine allowing arbitrary code execution in the browser sandbox via a crafted HTML page. An exploit exists in the wild; CISA added it to KEV on June 9. It is the fifth actively exploited Chrome zero-day of 2026 and, because the bug is in Chromium, it also affects Edge, Opera, and other Chromium-based applications. Fixed in Chrome 149.0.7827.102/.103.

Why It Matters

The exposure is not just user browsers. Chromium is embedded across cloud workloads, headless automation, and CI rendering, so "patch the browser" understates where the engine runs. The instances that stay exploitable after every desktop updates are the build pipelines and serverless functions shipping a bundled Chromium nobody patches on Google's cadence.

Action for defenders: 
Force-update managed Chrome/Edge fleets, then inventory container images and Lambda/Cloud Run layers that bundle Chromium or Puppeteer and rebuild against the patched version.

🎯 Cloud Security Topic of the Week:

Segmentation for the week the patches didn't come!

Three of this week's exploited flaws shipped with no patch, and the vendor guidance in each case was a network-layer control: ACLs on Arista fabric, access restriction on SD-WAN Manager, protocol migration on Check Point. That is compensating-control work, and it lands on whoever owns segmentation. Murali Rathinasamy's argument on the podcast is that this work stalls for a predictable reason. As he put it: "Micro-segmentation always stalls in the phase of how do I know what I need to go protect, and what policy should I go use?" His staged answer, starting from observed traffic and agentless enforcement rather than a multi-year agent rollout, is the practical core of this edition's insights section. [Listen to the full episode →]

Featured Experts This Week 🎤

• Murali Rathinasamy - Senior Director of Product, Cisco

• Ashish Rajan - CISO | Co-Host AI Security Podcast , Host of Cloud Security Podcast

Definitions and Core Concepts 📚

Before diving into our insights, let's clarify some key terms:

• Hybrid mesh firewall — As the guest describes it: the evolution after perimeter and next-gen firewalls, recognizing that enterprise networks now span data centers and clouds. A distributed set of enforcement points (physical, virtual, container, cloud-native; inline and out-of-band) managed uniformly: "uniformly managing this entire distribution of inline and out-of-band detection and threat capabilities." A category, not a single product.

• Micro-segmentation — Locking down communication at the level of individual VMs, containers, and devices. The guest's framing: the end state where "every individual VM, every individual container, every individual device is really locked down."

• North-south vs east-west — Perimeter traffic (inspection, decryption, DLP, WAF-style inbound protection) versus traffic between internal workloads (segmentation territory).

• Compensating control — A control that reduces exploitability when fixing the flaw itself isn't possible: a virtual-patch rule, step-up MFA in front of a vulnerable app, or an ACL where no patch is coming. The connective tissue between this week's news and the episode.

• KEV (Known Exploited Vulnerabilities) catalog — CISA's list of flaws with confirmed active exploitation, carrying federal remediation deadlines. Four of this week's stories involve KEV additions inside one 48-hour stretch.

• Blue-green upgrade — Standing up the new version alongside the old and cutting traffic over, eliminating upgrade downtime. The operational expectation cloud teams now hold firewalls to, per the RCSI example.

• IKEv1 — The deprecated IPsec key-exchange protocol whose continued use defines the exposed population for CVE-2026-50751.

This week's issue is sponsored by Varonis

AI Security Requires More Than Visibility. It Requires Control. 

Security leaders are under pressure to enable AI innovation while managing a rapidly expanding attack surface across cloud, identity, and data layers. AI agents and copilots can introduce new access paths, automated high-impact actions, and accelerate threat timelines. 

Varonis Atlas helps organizations secure AI end-to-end - from understanding usage and enforcing guardrails to detecting suspicious activity and reducing risk dynamically. watch the recording to learn how Varonis Atlas can help security teams operationalize AI security at scale. 

💡Our Insights from this Practitioner 🔍

1. Cloud and on-prem are one network; treating them as islands is the root failure

The tooling split, CNAPP and CSPM for cloud and appliance firewalls for on-prem, forces a divide that the org chart doesn't actually have. The same network security team usually owns both halves.

"What we've seen in the industry is the challenge is that customers will often think about their cloud security as one island in one pocket of the world, but then their on-prem is a different pocket of the world. Really though no enterprise thinks about them separately. It's all one hybrid network, and wherever the application are and wherever the users are, they wanna pro- uh, protect that in totality." — Murali Rathinasamy

The practical version of this insight: asking an on-prem firewall admin to also master CNAPP, CSPM, and per-cloud native tooling for only half their environment is a skills tax most teams can't pay. Royal College of Surgeons in Ireland (RCSI) is the worked example below.

2. AI agents look like users but don't behave like users

Murali's sharpest AI observation is about identity, not models. Agents inherit a user's identity and then access things in patterns no human baseline predicts.

"You now have new applications because at the end of the day, everyone is now an application developer because they can go and create their own applications. These agents now can sort of look like a user, but they're doing things in ways that users don't do. So even traditional behavioral analysis tools may not work because you'll see user Murali traditionally uses this application, and now his agents are going all over the place." — Murali Rathinasamy

This pairs directly with the LiteLLM story above. If agents defeat behavioral baselines and the AI gateway concentrates credentials, the controls that still work are the structural ones: segmentation that limits what an agent can reach, and inspection at the choke point between workload and model.

3. The single-cloud security story collapses at enterprise reality

A former AWS product manager arguing against all-in on cloud-native firewalling carries some weight:

"As a former AWS product manager, I would tell you that I would've said the exact same thing. 'Hey, you're in the AWS ecosystem. We have, we've got the best in class services. Go and use ours entirely.' However, the reality for all the enterprises I work with, literally all of the enterprises that I work with is none of them are one cloud provider. A, none of them are one cloud provider. All of them have at least two cloud providers, and then B, they all have on-prem deployments as well." — Murali Rathinasamy

His decision lens is ownership: if a centralized security team is responsible for every workload everywhere, per-cloud native tooling means re-skilling that team on each platform and stitching policy visibility across VPCs, Azure, and GCP by hand. Where cloud providers win, he concedes, is scalability; where customers tell him they're not there yet is security feature depth.

4. RCSI: virtual firewalls in the cloud fail on operations, not security

RCSI, a 200-year-old institution , ran Cisco FTD on-prem and lifted virtual firewalls into the cloud, then hit route-table plumbing, transit gateway config, self-managed scaling, and upgrade downtime.

"What RCSI realized was like, hey, this is just not a scalable model. Like, any time I need to do a software upgrade for the firewall, I have to go take downtime? My cloud application teams are like, 'That's crazy.' Like, no cloud team really thinks about downtime to do an upgrade. It's always a blue-green upgrade." — Murali Rathinasamy

The fix wasn't a different security product; it was operating the same firewall like a cloud service (orchestrated deployment, auto-scaling, blue-green upgrades via Multicloud Defense). The lesson generalizes beyond Cisco: when network security tooling can't match the operational bar cloud teams hold everything else to, the security tool loses the argument.

5. Micro-segmentation stalls on "what do I protect?" — make it the destination, not the project

Ashish's framing set up the episode's most useful exchange:

"Micro-segmentation. It's probably the most spoken, yet least implemented space of the industry." — Ashish Rajan

Murali's response is the staged model. First, recognize you've already started: a perimeter firewall is one segment, and most enterprises already firewall crown jewels or cloud boundaries. Second, use observed traffic to cut obvious attack surface agentlessly, without touching applications:

"While we, you know, uh, enterprises talk quite a bit about segmentation and micro-segmentation, at the end of the day, micro-segmentation always stalls in the phase of how do I know what I need to go protect, and what policy should I go use?" — Murali Rathinasamy

His concrete examples: Windows Server SMB (445) is among the most exploited ports in a data center and almost never legitimately used; block it. SSH should only originate from jump hosts; block 22 from everywhere else. A large healthcare provider in California (unnamed) deployed micro-segmentation agents only on its EMR, the crown jewels, and used existing Cisco firewalls agentlessly for everything else, cutting the lateral path from systems like payroll to the EMR.

"Worry about the north star of true micro-segmentation where every individual VM, every individual container, every individual device is really locked down. Think of that as the destination, don't think of that as the journey." — Murali Rathinasamy

6. AI doesn't change the threats; it changes the volume and the timeline

"To me, like the AI world is really more about, it's not a different set of threats. It, it's the same sort of threats, it's just a much higher volume of those threats on a much shorter timeline, right?" — Murali Rathinasamy

That reframe has a budget implication: the answer to AI-era threats is mostly not new threat categories or new tools, it's shrinking time-to-control on the ones you have. On the prompt layer specifically, his point is architectural: there is already a firewall between your users or workloads and the LLM, so that's where inspection belongs, including prompt-injection detection and blocking responses that leak what they shouldn't.

7. Compensating controls are the answer to software you can't patch

The quote that could have been written about this week's news: "Cisco is, uh, working very closely with Mythos on being able to identify vulnerabilities in our own software to patch them very quickly, and we're realizing that Mythos is the new reality in the world of all CISOs and CIOs, CTOs have known that all software is gonna have vulnerabilities. It's really about how do you close those vu- vulnerabilities quickly and use compensating controls to make sure that they're not, uh, exploited w- before you can kind of fix it." — Murali Rathinasamy

For COTS applications and legacy systems (his example: MRI machines on Windows XP-era software), patching is not in your control. The realistic play is a virtual-patch rule for a Log4j-style flaw, or step-up MFA in front of an app you know is vulnerable, while the vendor or app team builds the fix. Set against Arista's "no patch planned" and Cisco SD-WAN's "no patch available," this stopped being a vendor talking point and became the week's operating reality.

Practical Takeaways for Cloud Security Leaders

• Embed AppSec in the engineering loop not after it. If your team is still receiving code and generating tickets, you are operating legacy AppSec. Start conversations with engineering about where security testing can run inside the CI/CD pipeline itself.

• Shift from false positive tolerance to true positive precision. A 90% false positive rate is a testing architecture problem, not a signal problem. Test inside the development environment to eliminate WAF and CDN interference.

• Treat AI agents as service identities, not applications. Apply your IAM governance framework to every agentic workload before production deployment. Default permissions are almost always too broad. BYOSA on Vertex AI; scoped service accounts everywhere else.

• Audit your CI/CD supply chain assumptions today. Pin GitHub Actions to full commit SHAs, not floating tags. Assume any runner that executed Trivy, LiteLLM, Telnyx, or Axios between March 19–31 is compromised until proven otherwise.

Position security as a business enabler for AI transformation. CISOs who approach AI as purely a risk management exercise will be sidelined. Those who help engineering teams ship AI features securely and at speed will own one of the most important mandates in their organization.

📚 RELATED RESOURCES 🎧

AppSec & DevSecOps Guidance

• CISA Known Exploited Vulnerabilities Catalog — authoritative exploitation status for this week's CVEs

• Cisco Security Advisory — SD-WAN Manager CVE-2026-20245

• Check Point hotfix advisory — IKEv1 VPN flaws

• Arista Security Advisory 0137 — EOS tunnel decapsulation

• Horizon3.ai — LiteLLM RCE chain analysis

• Rapid7 — Check Point VPN zero-day analysis

Podcast Episode

• Cloud Security Podcast Episode with Murali

Question for you? (Reply to this email)

🤔  Which of your controls exist because a patch never shipped — and would you know if one quietly stopped working?

Next week, we'll explore another critical aspect of cloud security. Stay tuned!

📬 Want weekly expert takes on AI & Cloud Security? [Subscribe here]”

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community💙

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? You can Sign up here, to join our growing readership.

Want to sponsor the next newsletter edition! Lets make it happen

Have you joined our FREE Monthly Cloud Security Bootcamp yet?

checkout our sister podcast AI Security Podcast