When “safe” documents aren’t. [Research Saturday]

Omer Ninburg, CTO of Novee Security, joins us on this episode of Research Saturday to discuss their work on "From PDF to Pwn: Scalable 0day Discovery in PDF Engines and Services Using Multi-Agent LLMs." Historically, Portable Document Formats – the immutable, localized PDF – was once considered a “safe” component inside enterprise environments. That is no longer the case. To demonstrate how PDF services and engines can be exploited, the team at Novee used their proprietary, multi-agent LLM system to uncover vulnerability patterns, and systematically scale them into a broad discovery campaign across two PDF vendor ecosystems. The research uncovered 16 verified vulnerabilities across client-side PDF viewers, embedded plugins, and server-side PDF services. The research and executive brief can be found here: ⁠From PDF to Pwn: Scalable 0day Discovery in PDF Engines and Services Using Multi-Agent LLMs Hacker-Trained AI Discovers 16 New 0-Day Vulnerabilities in PDF Engines Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA warns of actively exploited Langflow vulnerability. CISA flags critical PTC Windchill vulnerability. Phishing activity surges amid war in Iran. Google moves up their post-quantum timeline. Alleged RedLine infostealer developer faces thirty years in a US prison. Bearlyfy hacktivists launch disruptive ransomware campaign in Russia. FCC moves to crack down on robocallers and foreign call centers. Anti-piracy group takes down AnimePlay streaming platform. N2K’s  Maria Varmazis and Dave Bittner are previewing the biggest breaches in the past 10 years. And what happens when hackers call the game? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Daily at 10: The breaches we still talk about.   This installment celebrating 10 years of the CyberWire Daily podcast finds N2K’s  Maria Varmazis and Dave Bittner previewing the biggest breaches in the past 10 years. You can tune in Sunday to your CyberWire Daily podcast feed to hear their full conversation. Selected Reading CISA: New Langflow flaw actively exploited to hijack AI workflows (Bleeping Computer)  CISA Flags Critical PTC Vulnerability That Had German Police Mobilized (SecurityWeek) War in the Middle East Triggers Surge in Phishing and Malware Campaigns Targeting Gulf Countries (Bitdefender) Google moves post-quantum encryption timeline up to 2029 (CyberScoop) Alleged RedLine malware developer extradited to US, faces up to 30 years (The Record) Pro-Ukraine hacker group Bearlyfy targets Russian companies with custom ransomware (The Record) FCC pushes new rules to crack down on robocallers, foreign call centers (CyberScoop) Anti-piracy coalition takes down AnimePlay app with 5 million users (Bleeping Computer)  AFC Ajax drops ball as hackers transfer tickets, lift bans (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

As the emphasis on improving cybersecurity has continued to grow, so has the number of vendors offering a range of cybersecurity services. However, despite the value many of these vendors bring, the relationship between vendors and clients has become strained. In this episode, Kim explores this relationship, offering his thoughts on this relationship and what both sides can do to better to improve this dynamic. Want more CISO Perspectives? Check out a companion ⁠⁠blog post⁠⁠ by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It’s the perfect follow-up if you’re curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals. Learn more about your ad choices. Visit megaphone.fm/adchoices

RSAC wraps. CISA warns shutdown furloughs are weakening cyber defenses. China-linked actors burrow into global telecom infrastructure. Iran’s Pay2Key resurfaces. India probes suspected Pakistan-linked CCTV spying. Florida suspends a firm over offshore medical data exposure. Cisco patches fresh flaws. Russian police arrest the alleged LeakBase operator. Intern Kevin files his latest man-on-the street report. Google gets grabby with your homepage.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest aka Intern Kevin Intern Kevin is back from the floor at RSAC 2026. By day, he’s Global Director of Cybersecurity Startups at Microsoft for Startups, but this week, Kevin Magee is trolling the floor at RSAC to get the pulse of what is really happening in and around the Moscone Center. Kevin chats with Ann Johnson, Corporate Vice President and Executive Security Advisor at Microsoft, David Shipley, Chief Executive Officer and Field CISO at Beauceron Security , and Dr. Jessica Barker and FC, Co-Founders and Co-CEOs at Cygenta. Selected Reading RSAC Cryptographers' Panel Highlights AI Defense Challenges (GovInfo Security) Only Trump can decide when cyberwar turns into real war (The Register) Jen Easterly, cybersecurity's 'relentless optimist' (The Register) CISA Forced Into 'Reactive' Cyber Posture Amid Shutdown (GovInfo Security) Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure (SecurityWeek) Iran-Linked Pay2Key Ransomware Group Re-Emerges (Infosecurity Magazine) Indian government probes CCTV espionage operation linked to Pakistan (The Register) Florida Suspends Firm for Unlawfully Offshoring Claims Data (GovInfo Security) Cisco Patches Multiple Vulnerabilities in IOS Software (SecurityWeek) Russia arrests suspected owner of LeakBase cybercrime forum (Bleeping Computer) Google Just Patented The End Of Your Website (Forbes) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.  Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

The UK’s cyber security chief urges a “full court press” against threats. RSAC highlights. The U.S. State Department has launched a Bureau of Emerging Threats. The TeamPCP cybercriminal group targets an open source library. TP-Link patches multiple router vulnerabilities. A critical vulnerability hits Windchill and FlexPLM platforms. A phishing campaign impersonates Palo Alto Networks recruiters. Malicious Chrome extensions are harvesting users’ conversations with AI tools. Intern Kevin files his latest report from the RSAC show floor. Your “private” zoom call may already have a podcast deal.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest aka Intern Kevin Intern Kevin joins us from the floor at RSAC 2026. By day, he’s Global Director of Cybersecurity Startups at Microsoft for Startups, but this week, Kevin Magee is trolling the floor at RSAC to get the pulse of what is really going on in San Francisco. Kevin caught up with Dale Hoak, CISO at RegScale, David DellaPelle, CEO at Dune Security, and Jason Williams, Senior Director Global Solutions Architecture at Arms Cyber.  Selected Reading UK cyber chief urges ‘full court press’ to counter rising cyber threats (The Record) Operation Henhouse Nets Over 500 Arrests in UK Fraud Crackdown (Infosecurity Magazine) State Department launches effort to counter cyberattacks, AI risks from Iran, others (ABC News) LiteLLM PyPI packages compromised in expanding TeamPCP supply chain attacks (Help Net Security) TP-Link warns users to patch critical router auth bypass flaw (Bleeping Computer) PTC warns of imminent threat from critical Windchill, FlexPLM RCE bug (Bleeping Computer) Palo Alto Networks Phishing Scam Targets Professionals (TechNadu) Experts Sound Alarm Over “Prompt Poaching” Browser Extensions (Infosecurity Magazine) This Company Is Secretly Turning Your Zoom Meetings into AI Podcasts (404 Media) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.   Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

RSAC spotlights public-private partnership gaps. DarkSword leaks to GitHub. The FCC blocks new foreign-made routers. Citrix patches a critical NetScaler flaw. DOE rolls out an energy-sector cyber strategy. CanisterWorm spreads through npm. Researchers flag suspected KACE SMA exploitation. QualDerm reports a 3.1-million-record breach. A Russian access broker gets 81 months. Intern Kevin checks in from RSAC. Maria Varmazis speaks with Jake Braun, longtime DEF CON organizer and former White House official about the DEF CON 33 Hackers' Almanack. Slow down, you vibe too fast.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Maria Varmazis speaks with today’s guest Jake Braun, longtime DEF CON organizer, former White House official, and lead on DEF CON Franklin, about the DEF CON 33 Hackers' Almanack. You can read more about it here. Selected Reading Public-private partnerships vital in disrupting China's Typhoons, says RSA panel with no government speakers (The Register) Someone has publicly leaked an exploit kit that can hack millions of iPhones (TechCrunch) US bans any new consumer-grade routers not made in America (The Register) Critical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms Warn (SecurityWeek) DOE Sets 5-Year Plan to Harden US Grid Against Cyberattacks (GovInfo Security) New CanisterWorm Targets Kubernetes Clusters, Deploys “Kamikaze” Wiper (Hackread) CVE-2025-32975 (Arctic Wolf) 3.1 Million Impacted by QualDerm Data Breach (SecurityWeek) Russian hacker who helped Yanluowang ransomware gang gets nearly 7-year prison sentence (The Record) This Web Tool Sabotages AI Chatbots By Making Them Really, Really Slow (404 Media) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Despite being adopted and prioritized by many organizations, cybersecurity still faces a significant challenge where leaders still cannot articulate their needs, and find and develop talent. Rather, organizations oftentimes follow the same strategy many others are utilizing, which involves poaching talent with enticing salaries. In this episode of CISO Perspectives, host ⁠Kim Jones⁠ sits down with Ed Vasko, the CEO at High Wire Networks, to discuss this approach and the impacts it is having on the cyber talent ecosystem. Throughout the conversation, Ed and Kim discuss their experience when assessing talent and some of the mistakes made by the industry, and what can be done to begin correcting this approach. Want more CISO Perspectives? Check out a companion ⁠⁠blog post⁠⁠ by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It’s the perfect follow-up if you’re curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals. Learn more about your ad choices. Visit megaphone.fm/adchoices

The White House rolls out its AI legislative framework. The FBI warns Iranian actors are using Telegram for command and control, while Russian operators phish Signal users. Authorities dismantle a massive fake CSAM network, Tycoon 2FA rebounds after disruption, VoidStealer debuts a stealthy Chrome key-theft trick, QNAP patches Pwn2Own flaws, and CISA orders urgent fixes for a critical Cisco firewall bug. Plus, our Monday business breakdown. Brandon Karpf and Maria Varmazis ponder the practicality of orbital data centers. One radio to rule the range.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today, N2K CyberWire’s Dave BIttner and Maria Varmazis are joined by Brandon Karpf to discuss the practicality of orbital data centers. Selected Reading President Donald J. Trump Unveils National AI Legislative Framework (The White House) FBI warns of Handala hackers using Telegram in malware attacks (Bleeping Computer) Russian hackers target Signal users in phishing campaign, FBI and CISA warn (Cybernews) Police Shut Down 373,000 Dark Web Sites in Single-Operator CSAM Network (Hackread) Tycoon 2FA Fully Operational Despite Law Enforcement Takedown (SecurityWeek) VoidStealer Steals Chrome Secrets Without Injection or Privilege Escalation (GB Hackers) QNAP Patches Four Vulnerabilities Exploited at Pwn2Own (SecurityWeek) CISA Orders US Government to Patch Maximum Severity Cisco Flaw (Infosecurity Magazine) Surf AI has emerged from stealth with $57 million in funding led by Accel. (N2K Pro Business Briefing) Military ‘Smartphone’: Comms, Jammer, Drone Control And More In One (Forbes) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.  Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

In this special edition of CyberWire Daily’s 10th anniversary series, Maria Varmazis hosts a thoughtful and engaging conversation with N2K CyberWire CEO Peter Kilpe and CyberWire Daily host Dave Bittner, exploring the origin story of the podcast that started it all. From early ambitions to behind-the-scenes turning points, they trace how the show found its voice and evolved from a startup experiment into a trusted cornerstone of the cybersecurity community. Along the way, they share candid anecdotes, hard-earned lessons, and reflections on how both the industry and CyberWire Daily have transformed over the past decade. Learn more about your ad choices. Visit megaphone.fm/adchoices

Please enjoy this encore of Career Notes. Roya Gordon, a Security Research Evangelist at ICS cybersecurity firm Nozomi Networks, started her career as an intelligence specialist in the U.S. Navy. After her time serving, Roya spent time as a Control Systems Cybersecurity Analyst at the Idaho National Laboratory and then took the role of Cyber Threat Intelligence Manager at Accenture. She shares her story after the NSA accepted her and then quickly diverted, creating a new path for Roya to follow. She shares the jobs she went after along the way, leading up to Nozomi Networks and how she wishes to be a trailblazer for young black women everywhere. She hopes to shape young women's minds on what the cybersecurity industry is actually like, in hopes that she can be a figure people look up to. We thank Roya for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices