OS Weekly: Patch Deadlines, a Note-Free Ransomware, and AI Reshaping Security Teams
This week brought two maximum-severity vulnerabilities with hard patch deadlines, a ransomware operator that changed the playbook on victim communication, and fresh evidence that AI is reshaping how security teams are built and staffed. Here’s everything cybersecurity professionals and aspiring practitioners need to know from the past seven days.
CISA Orders Feds to Patch a Max-Severity Joomla Plugin Flaw by Friday
The U.S. Cybersecurity and Infrastructure Security Agency issued a directive requiring federal agencies to patch a maximum-severity vulnerability in the Widget Factory Joomla Content Editor (JCE) plugin by this Friday. The flaw is being actively exploited in real-world attacks, which is what triggered the compressed timeline rather than the standard patch cycle.
For practitioners, this is a useful case study in how CISA’s Known Exploited Vulnerabilities process works: a directive with a hard deadline signals confirmed, active exploitation — not a theoretical risk. If you administer Joomla sites with the JCE plugin, treat this as immediate action, not backlog.
Read more: CISA orders feds to patch max severity Joomla plugin flaw by Friday
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk shipped fixes for CVE-2026-20253, a critical vulnerability carrying a CVSS score of 9.8. The flaw allows unauthenticated attackers to perform arbitrary file operations, with a credible path to remote code execution. Versions below 10.2.4 and 10.0.7 are affected.
This one deserves extra attention because of where Splunk sits in the stack: it’s the platform many SOCs rely on for detection and logging. An unauthenticated RCE in your detection tooling is a worst-case scenario — it threatens both the environment you’re protecting and your visibility into the attack itself. Confirm your version, patch now, and review logs for anomalous activity predating the patch.
Read more: Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Threat actors are actively exploiting CVE-2026-4020, a medium-severity (CVSS 5.3) information-disclosure vulnerability in the Gravity SMTP plugin, installed on roughly 100,000 WordPress sites. Unauthenticated attackers can extract configuration data, API keys, secrets, and OAuth tokens — even though the flaw has already been patched upstream.
The CVSS score undersells the real-world risk here. A “medium severity” information leak that hands over API keys and OAuth tokens is a credential-theft vulnerability in disguise, and those credentials get chained into far more damaging follow-on attacks. If you run WordPress sites with Gravity SMTP, verify you’re on the patched version immediately and rotate any credentials that may have been exposed.
Read more: Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
New “Prinz Eugen” Ransomware Prioritizes Recent Files for Encryption
A newly identified ransomware operation called Prinz Eugen introduces two notable changes to the usual playbook: it prioritizes encrypting the most recently modified files on a victim’s system, and it leaves no ransom note at all.
Targeting recent files maximizes disruption to active work — the files someone was using yesterday are the ones most likely to be irreplaceable without a fresh backup. The absence of a ransom note is arguably the more interesting design choice: it strips victims of a clear path to understanding what happened or how to respond, complicating incident response and making early detection (through file-modification monitoring and endpoint protection) the primary line of defense rather than negotiation.
Read more: New Prinz Eugen ransomware prioritizes recent files for encryption
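The paragraph above names file-modification monitoring as the main defense once there is no ransom note to alert anyone. The following is an added illustration of that idea, not code from the article or from any vendor product: a toy heuristic that raises an alert when a burst of writes is skewed toward files that were themselves modified recently. The event format (write time, path, previous mtime), the thresholds, and the sample events are all constructed assumptions.

```python
# Toy detector for a write burst concentrated on recently modified files.
# Hypothetical heuristic for illustration, not a signature for any real family.
# Each event is (ts, path, prev_mtime): write time, target path, and the
# target's modification time before this write. All values are constructed.
from collections import deque

WINDOW_SECONDS = 10      # sliding window length in seconds
MIN_WRITES = 20          # distinct paths written in the window before we judge
RECENT_DAYS = 7          # "recent" = previously modified within this many days
RECENT_FRACTION = 0.8    # share of recent targets that trips the alert


def is_recent(ts, prev_mtime, recent_days=RECENT_DAYS):
    """True if the file had been modified within recent_days before this write."""
    return (ts - prev_mtime) <= recent_days * 86400


def detect_recency_burst(events, window=WINDOW_SECONDS, min_writes=MIN_WRITES,
                         recent_fraction=RECENT_FRACTION):
    """Return the timestamp of the first alert, or None.

    Slides a time window over the write events. Alerts when the window holds at
    least min_writes distinct paths and at least recent_fraction of them were
    recently modified. Benign bulk jobs (backups, builds) touch old and new
    files alike, so the recency skew is the discriminating signal here.
    """
    win = deque()
    for ts, path, prev_mtime in sorted(events, key=lambda e: e[0]):
        win.append((ts, path, prev_mtime))
        while win and ts - win[0][0] > window:   # drop events outside window
            win.popleft()
        seen = {}                                 # path -> was it recent?
        for w_ts, w_path, w_prev in win:
            seen.setdefault(w_path, is_recent(w_ts, w_prev))
        if len(seen) >= min_writes:
            recent = sum(1 for r in seen.values() if r)
            if recent / len(seen) >= recent_fraction:
                return ts
    return None


def sample_events(burst=True):
    """Constructed stream: a slow trickle of edits to month-old files, then
    (optionally) 25 writes in under 5 s where 22 targets were edited yesterday."""
    day, base = 86400, 1_700_000_000
    ev = [(base + i * 600, f"/home/u/doc{i}.txt", base - 30 * day) for i in range(10)]
    if burst:
        t0 = base + 20_000
        for i in range(25):
            prev = t0 - day if i < 22 else t0 - 400 * day
            ev.append((t0 + i * 0.2, f"/home/u/work/file{i}.xlsx", prev))
    return ev
```

A real deployment would feed this from an endpoint file-event source and pair it with content checks such as entropy of the written data, since recency skew alone will also fire on some legitimate batch edits.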
‘Popa’ Botnet Linked to a Publicly-Traded Israeli Firm
Krebs on Security traced the Popa botnet — an Android-based network that has compromised millions of consumer TV boxes over the past four years to run ad fraud, account takeovers, and large-scale data scraping — back to NetNut, a residential proxy service operated by Alarum Technologies Ltd, a company listed on NASDAQ under the ticker ALAR.
The story is a reminder that botnet infrastructure doesn’t always live in obviously criminal corners of the internet. Residential proxy services occupy a gray zone between legitimate business and traffic laundering for malicious actors, and the IoT devices being hijacked — consumer TV boxes — remain chronically under-secured and rarely monitored by their owners.
Read more: ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
The Top 10 Attack Surface Exposures Heading Into 2026
A new roundup of the top attack surface exposures for 2026 makes a point worth repeating: most breaches still start with exposed admin panels vulnerable to brute force, or with reused credentials from prior breaches — not zero-days. That said, the report also flags “MongoBleed,” a vulnerability that let attackers extract credentials and session tokens from server memory without authentication, as a reminder that when a genuine zero-day does surface, the window between disclosure and mass exploitation keeps shrinking.
For teams setting security priorities, this is a useful gut check: the highest-leverage work is often unglamorous — locking down exposed admin interfaces and eliminating credential reuse — rather than chasing the next headline CVE.
Read more: The Top 10 Attack Surface Exposures in 2026
Stressors and AI Are Forcing Changes to Cybersecurity Teams
Dark Reading reports that the combination of an expanding threat landscape and AI-driven complexity is making the CISO role harder than it’s ever been — and pushing more organizations to bring in cybersecurity expertise on a part-time or fractional basis rather than committing to full-time hires.
This trend matters most for people trying to break into the field. Fractional and contract security work is becoming a legitimate entry point rather than a stopgap, giving newer practitioners a way to build experience across multiple environments before landing a full-time role. It also signals that organizations are looking for adaptable, AI-literate security generalists rather than narrow specialists.
Read more: Stressors, AI Forcing Changes to Cybersecurity Teams
A “Day Off” Email That Was Actually a Phishing Test
Healthcare workers at Newfoundland and Labrador Health Services received an email promising an unexpected day off — only to learn afterward that it was a simulated phishing exercise designed to test their awareness.
It’s a sharp illustration of how effective social engineering works: it exploits hope, routine, and the desire for good news, not just fear or urgency. For security awareness programs, the lesson cuts both ways — phishing simulations that mirror real attacker psychology are more effective precisely because they’re uncomfortable, but organizations also need to manage the trust and morale cost of catching employees off guard, especially in high-stress sectors like healthcare.
Read more: Healthcare workers emailed about a day off — but it was a cybersecurity test
💡 Want to lead with clarity in the AI era? If you’re aiming to lead a security team, break into cybersecurity, or operate with greater speed and confidence, this is the toolkit you’ve been missing: 🔗 Cybersecurity Leadership OS: Battle-Tested Mental Models for Clarity, Speed & Command
That’s the week. Every patch deadline and every new ransomware variant is also a free study guide — pull the CVE, read the advisory, trace the attack chain. Follow CyberShield for the weekly rundown and keep building the habits that separate the professionals who react from the ones who anticipate.