AI Data Centers Are Being Built Faster Than They Can Be Secured

The use and reliance on AI is the biggest single growth area in technology. But AI is enormously energy-intensive and requires a new quality of data center. 

The demand is fueling rapid growth in AI data center builds. The danger is that those building this new type of data center, at speed, do not readily understand the difference between traditional data centers and AI data centers – and the result is leaving the new AI data centers open to a new scale of risk. 

Traditional data centers are primarily data processing warehouses serving a known clientele. AI data centers are more akin to high power data compute factories serving a larger and unknown clientele. Traditional data centers can comprise a series of independent servers, an AI data center must function as a single engine capable of massive parallel processing to handle a much greater computational demand. AI data centers simply cannot be built in the same way as traditional data centers.

Lava Labs has examined and now reports (PDF) on the security needs of AI data centers (The Top 10 Data Center and AI Infrastructure Security Risks) and concludes they are being built faster than they are being secured. Both traditional data centers and new AI data centers carry largely similar risks; but AI changes their exploitability and blast radius: “Systems originally designed for trusted operators are now supporting high-value, multi-tenant workloads from unrelated customers,” it notes.

The Lava Labs report lists the top ten AI data center and infrastructure security risks, naming them ‘Forge’ (because the purpose is to ‘harden the metal beneath the model’).

  • Forge 01: firmware and hardware integrity compromise
  • Forge 02: network and interconnect vulnerabilities
  • Forge 03: unsafe multi‑tenant isolation and resource reuse
  • Forge 04: insecure out‑of‑band management plane
  • Forge 05: AI infrastructure supply chain compromise
  • Forge 06: insecure facility and data center management systems
  • Forge 07: insecure data and artifact handling
  • Forge 08: certification gaps and provider transparency failures
  • Forge 09: insecure operational infrastructure services
  • Forge 10: vendor embargo gaps and patch velocity failures

The sequencing of these risks is primarily based on severity. Risks 01 to 05 operate below the operating system, are difficult to detect, and have a cluster-wide blast radius. Risks 06 to 09 are generally easier to detect and recover from. Risk 10 is the easiest to detect and remediate; and is the least likely to cause catastrophic tenant compromise.

FORGE IDs are ordered by severity, from highest to lowest. The matrix groups each risk by domain and shows its likelihood, impact, and detection difficulty.

The risks arise because the nature of AI breaks the basic trust model of traditional data centers. For 03, 07, and 08. AI introduces unrelated commercial tenants, high‑value workloads, and GPU nodes that are reassigned between customers. 

For 01, 06 and 10, new hardware realities from the dense GPU clusters require complex firmware stacks, have extreme thermal sensitivity, and a larger blast radius for facility failures. 

Advertisement. Scroll to continue reading.

For 02, the required high performance fabrics such as InfiniBand, RoCE, RDMA, and NVLink are often unencrypted, poorly monitored, and highly privileged. Weak fabric isolation can expose paths to discovery, abuse, or lateral movement. 

In 04 and 09, an operational concentration of privilege can result from a heavy reliance on BMC automation, Redfish/IPMI, firmware pipelines, and orchestration systems.

For 05 and 10, a scarcity of GPU processors often means that new AI data centers opt for processors that are less suitable, with weaker isolation that can lead to more likely supply chain compromise.

The functional purpose of Lava Labs analysis and report is threefold: to expose the unique risks of AI data centers; to prioritize the most severe risks, thus effectively providing a triage sequence; and to provide example attack scenarios and practical mitigations for those risks.

The moral from the Lava Labs analysis is, yes, you will need a new data center to feed your AI; but, no, you cannot use your existing data center model as a design blueprint.

Learn More at the AI Risk Summit | Ritz-Carlton, Half Moon Bay

Related: Trump’s New AI Plan Leans Heavily on Silicon Valley Industry Ideas

Related: Pentagon Paid Out $290,000 for Vulnerabilities in Air Force Data Center

Related: Intel TDX Connect Bridges the CPU-GPU Security Gap

https://www.securityweek.com/ai-data-centers-are-being-built-faster-than-they-can-be-secured/




Splunk, Zoom Patch Critical Vulnerabilities

Splunk and Zoom this week announced patches for multiple vulnerabilities across their products, including several critical and high-severity security defects.

Only three of the five advisories that Splunk published address flaws that are specific to its products, while the other two resolve dozens of bugs in third-party components.

The Splunk-specific issues include CVE-2026-20296 (a high-severity command safeguards bypass), CVE-2026-20297 (a high-severity path traversal), and CVE-2026-20298 (a medium-severity information disclosure).

Successful exploitation of these weaknesses could allow attackers to access credentials and data, write files outside the intended application directory, and view stored credential hashes.

Patches for all three were included in Splunk Enterprise versions 10.4.1, 10.2.5, 10.0.8, and 9.4.13, which also address critical- and high-severity vulnerabilities in Golang, Go compiler, OpenSSL, and other third-party libraries.

Zoom published four advisories that resolve as many vulnerabilities across its clients and tools for Windows.

Advertisement. Scroll to continue reading.

The most severe is CVE-2026-53412 (CVSS score of 9.8), a critical bug in Zoom’s Workplace and Workplace VDI Client for Windows that could allow remote, unauthenticated attackers to mount account takeover attacks.

The company’s updates also resolve three high-severity flaws: a time-of-check-to-time-of-use (TOCTOU) race condition and two privilege elevation issues.  

Neither Splunk nor Zoom makes any mention of these vulnerabilities being exploited in the wild.

Related: F5 Patches Multiple NGINX, BIG-IP Vulnerabilities

Related: Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day

Related: Old UEFI Shims Expose Systems to Secure Boot Bypass

Related: CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities

https://www.securityweek.com/splunk-zoom-patch-critical-vulnerabilities/




F5 Patches Multiple NGINX, BIG-IP Vulnerabilities

F5 on Wednesday announced an out-of-band security rollout that patches eight vulnerabilities in NGINX and BIG-IP.

The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process.

“A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains.

An attacker can exploit the security defect without authentication, but only under conditions they cannot control. On systems with Address Space Layout Randomization (ASLR) disabled, the attacker can achieve code execution.

F5’s patches also resolve several high-severity NGINX bugs, including weaknesses in the ngx_http_slice_module module and the ngx_http_ssi_module module that can be exploited without authentication.

Successful exploitation of the flaws allows attackers to leak memory contents, restart the NGINX worker process, or cause a use-after-free in the NGINX worker process to modify memory or restart the process.

Advertisement. Scroll to continue reading.

Two high-severity vulnerabilities addressed in NGINX Ingress Controller could allow authenticated attackers to inject arbitrary NGINX configuration directives to delete files and disable services, or create or modify Ingress or TransportServer resources to cause a denial-of-service (DoS) condition.

F5 also resolved a high-severity security defect in BIG-IP that could be exploited by remote, unauthenticated attackers to increase memory resource utilization when an HTTP/2 profile is configured on a virtual server, causing a DoS condition.

F5 makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found in the company’s out-of-band security notification.

Related: Trend Micro, Tanium, ESET, and Tenable Patch Severe Product Vulnerabilities

Related: Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow

Related: ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Rockwell

Related: Critical Vulnerabilities Patched With Fresh Chrome 150, Firefox 152 Updates

https://www.securityweek.com/f5-patches-multiple-nginx-big-ip-vulnerabilities/




Nightmare Eclipse Drops ‘LegacyHive’ Windows Zero-Day 

Nightmare Eclipse, the disgruntled security researcher who has been dropping zero-day exploits targeting Microsoft products, released another unpatched Windows vulnerability this week, right on the July 2026 Patch Tuesday.

The fresh exploit, named LegacyHive, is a local privilege escalation bug in the Windows User Profile Service that allows an attacker to load other users’ hives, including those of administrators.

Also known as Chaotic Eclipse, Nightmare Eclipse released proof-of-concept (PoC) exploit code that works on systems running Microsoft’s July 2026 patches.

“The PoC requires another standard user credentials and a third username (which can be an administrator account), if the PoC is successful, it will end up mounting the target user hive in current user classes root,” the researcher explains.

Unlike previously dropped zero-day exploits from Nightmare Eclipse, LegacyHive was released with a stripped PoC to prevent the security defect’s in-the-wild exploitation.

According to the researcher, the exploit originally did not require user credentials and allowed any hive to be loaded, not just the usrclass.dat hive. That is still possible, the researcher says, but would require some work.

Advertisement. Scroll to continue reading.

To date, Nightmare Eclipse released over half a dozen zero-days in Microsoft products, including BlueHammer, RedSun, and UnDefend, which have been exploited in attacks, along with GreenPlasma, RoguePlanet, YellowKey, and GreatXML.

Microsoft has yet to acknowledge the LegacyHive exploit. SecurityWeek has emailed the company for a statement and will update this article if it responds.

Related: Unpatched Cursor Vulnerability Exposes Users to Code Execution

Related: CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities

Related: Windows Bind Link Attacks Can Hide Malware From EDR Tools

Related: Progress Confirms Zero-Day Vulnerability Behind ShareFile Disruption

https://www.securityweek.com/nightmare-eclipse-drops-legacyhive-windows-zero-day/




Unpatched Cursor Vulnerability Exposes Users to Code Execution

An unpatched vulnerability in Cursor on Windows can be triggered for code execution when a developer opens a repository in the application, Mindgard reports.

Cursor is one of the most popular AI-assisted development environments, with more than 7 million active users.

The security defect, Mindgard says, is straightforward: when opening a repository, Cursor would automatically execute a malicious git.exe binary in the project’s root without warning the user or asking for approval.

“The vulnerability is not theoretical and does not depend on a complex chain of exploitation, prompt injection, model manipulation, jailbreaks, memory corruption, or sophisticated attacker tradecraft. Exploitation simply requires a developer to open a project containing a git.exe binary in the repository at the root,” Mindgard says.

According to Mindgard, the issue exists because, when loading a project, Cursor looks for Git binaries in multiple locations, including the workspace itself.

“If an attacker planted a malicious git.exe in the repository root, Cursor will execute it automatically as part of its path resolution logic without warning, approval, or even an indication that executable content from the repository is about to run,” Mindgard explains.

Advertisement. Scroll to continue reading.

Mindgard has disclosed the vulnerability publicly after reporting it to Cursor on December 15, 2025, and receiving no response regarding a potential patch for seven months.

The company says Cursor’s CISO invited Mindgard to its bug bounty program on HackerOne in January, where the security defect was resubmitted and confirmed as reproducible, but it has not received a response from Cursor.

“But coordinated disclosure only works when there is coordination. Seven months after initial disclosure, we have no indication that users are being protected, that remediation is underway, or that affected organizations have been informed. And at this point, withholding information no longer serves users; it serves silence,” Mindgard notes.

SecurityWeek has emailed Cursor for a statement on the matter and will update this article if the company responds.

Related: Windows Bind Link Attacks Can Hide Malware From EDR Tools

Related: Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow

Related: Progress Confirms Zero-Day Vulnerability Behind ShareFile Disruption

Related: NIST Opens Updated IoT Security Guidance to Public Review

https://www.securityweek.com/unpatched-cursor-vulnerability-exposes-users-to-code-execution/




CISA Urges Immediate Patching of Exploited SharePoint Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday urged immediate hardening of Microsoft SharePoint servers in light of recently disclosed zero-day vulnerabilities.

The freshest of the exploited flaws is CVE-2026-56164, a privilege escalation issue that can be exploited remotely without authentication, and which was resolved with Microsoft’s July 2026 Patch Tuesday updates.

On Tuesday, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it within three days, in line with BOD 26-04 recommendations.

Microsoft’s latest round of security updates also resolved CVE-2026-55040 and CVE-2026-58644, critical-severity SharePoint bugs that could be exploited remotely to bypass a security feature and to execute arbitrary code.

Although not flagged as exploited, these vulnerabilities pose a risk to organizations if they are not patched in due time, CISA warns.

The cybersecurity agency also draws attention to CVE-2026-32201, a spoofing issue in SharePoint patched in April after being exploited in attacks as a zero-day.

Advertisement. Scroll to continue reading.

Another exploited SharePoint flaw is CVE-2026-45659, a code execution issue patched in May via an out-of-band security update, which was added to CISA’s KEV list in early July.

“These vulnerabilities affect all supported on-premises SharePoint Server versions (Subscription Edition, 2019, and 2016) and involve establishing remote code execution (RCE) and post-exploitation activities, such as stealing Internet Information Services (IIS) machine keys and performing deserialization techniques, to gain persistence and deploy malware,” CISA warns.

The agency recommends that organizations monitor their SharePoint servers to identify any signs of unusual activity, which could point to active exploitation.

In addition to applying Microsoft’s patches, organizations are advised to ensure that their security products cover all SharePoint web applications, hunt for intrusions, rotate IIS machine keys, enable tailored logging, ensure that SharePoint servers are not directly exposed to the internet, and restrict access to the administration interfaces.

Related: White House Launches AI-Driven ‘Gold Eagle’ Vulnerability Coordination Initiative

Related: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

Related: SonicWall Issues Urgent SMA Patch Warning for Two Zero-Day Exploits

Related: US, Allies Warn of Russian Cyberattacks Targeting Critical Infrastructure Routers

https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-sharepoint-vulnerabilities/




Google pays $250K for Linux vulnerability allowing guest VM escapes

A Linux vulnerability that allows untrusted virtual machines to gain root access to host machines is one of two high-severity flaws to surface this week in the open source operating system.

The vulnerability resides in KVM, which is, in essence, a virtual machine app included in the kernel of many Linux distributions. The vulnerability, tracked as CVE-2026-53359, allows guest virtual machines—such as those used in cloud platforms to isolate one user’s instance from the host OS and other user instances—to break out of that container.

Januscape: A threat to cloud platforms

The vulnerability affects KVM running on both AMD and Intel processors. It exploits bugs residing in the KVM guest-side, the portion of the VM that consists of only resources like the OS or drivers present in the guest VM, rather than resources present on the host machine. The threat went unnoticed in the Linux kernel for 16 years.

“With guest-side actions alone, an attacker can compromise the host that runs their VM,” Hyunwoo Kim, the researcher who discovered the flaw, wrote. “For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE).”

Kim has named the vulnerability Januscape. The flaw is a use-after-free vulnerability—a form of memory corruption vulnerability that injects malicious code into recently freed regions of memory. The vulnerability resides in the shadow MMU emulation, a process that translates host memory addresses to hypervisor memory addresses and vice versa.

Exploits will trigger guest-side actions alone to corrupt the host kernel’s shadow page, a data structure in the host that assists in the address translation. Kim has released a proof-of-concept exploit that runs in the guest VM to trigger a crash on the host OS. He said an exploit that fully escapes the guest also exists but won’t be released until “the very distant future.”

https://arstechnica.com/security/2026/07/high-severity-guest-vm-escape-is-1-of-2-linux-vulnerabilities-to-surface-this-week/




Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username.

Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says.

The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains.

If placed behind a proxy, Gitea should trust only a header set by the proxy when reverse-proxy authentication is enabled. Because of the flaw, anyone who could provide a valid username in a header could connect to a vulnerable instance, bypassing authentication.

“Any process that can reach the Gitea container’s HTTP port directly — not through the intended authenticating proxy — can impersonate any user whose login name is known or guessable. Admin accounts are the obvious targets,” the researcher notes.

The patch that was introduced in Gitea versions 1.26.3 / 1.26.4 makes reverse-proxy authentication an opt-in feature.

Advertisement. Scroll to continue reading.

According to Clark, CVE-2026-20896’s exploitation started 13 days after public disclosure. The attempt was associated with a “VPN-exit scanner that grabbed access”.

“No password. No token. One header. Sysdig sensors caught the first in-the-wild hit 13 days after the advisory,” Clark notes.

While Sysdig’s research revealed approximately 6,200 Gitea instances accessible from the internet, it is unclear how many of them are vulnerable.

Users are advised to update their Gitea deployments as soon as possible, as the successful exploitation of the vulnerability could lead to the complete compromise of all the code and secrets Gitea holds.

“A Gitea user can read and write their repositories, private ones included: the code they ship, the secrets developers committed by accident (API keys, DB credentials, deploy tokens), their CI/CD config, and deploy keys,” Clark notes.

Related: Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Related: CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

Related: Apple Patches Dozens of Vulnerabilities Across iOS, macOS, and Safari

Related: Gitea Vulnerability Exposed 30,000 Deployments to Attacks

https://www.securityweek.com/critical-gitea-flaw-under-active-exploitation-researchers-warn/




Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.

Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution.

It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.

Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.

However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.

However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure.

Advertisement. Scroll to continue reading.

“KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said.

Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting.

Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation. SecurityWeek has emailed the company for a statement and will update this article if it responds.

“Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented.

“The challenge is determining which systems are reachable, which vulnerabilities create attack paths, and what compensating controls can reduce exposure while remediation is underway. As the window between disclosure and exploitation continues to shrink, organizations will increasingly compete on the speed and quality of their security decisions,” Sharma added.

Related: Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Related: New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

https://www.securityweek.com/critical-adobe-coldfusion-vulnerability-exploited-in-attacks/




Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

A newly disclosed Linux kernel vulnerability can be exploited to escape virtual machines (VMs) and execute code on the underlying host, security researchers warn.

Tracked as CVE-2026-53359 and referred to as Januscape, the security defect impacts the shadow MMU code in Linux Kernel-based Virtual Machine (KVM) hypervisor.

The guest-to-host vulnerability poses a major threat to multi-tenant x86 public clouds running untrusted guests and exposing nested virtualization. It is known to be the first KVM exploit that can be triggered on both Intel and AMD architectures.

The flaw was discovered by security researcher Hyunwoo Kim (@v4bel), who demonstrated it as a zero-day in Google kvmCTF, the bug bounty program that works like a CTF event and offers up to $250,000 for full VM escape weaknesses.

According to Kim, the vulnerability is a use-after-free vulnerability that can be triggered from the VM to corrupt the shadow page state of the host’s kernel.

Successful exploitation of Januscape, the researcher explains, can lead to the full compromise of the host on which the VM is running.

Advertisement. Scroll to continue reading.

“For example, an attacker who has rented just a single instance on a public cloud could panic the host kernel to take down every other tenant VM on the same physical machine (DoS), or run code with root privilege on the host to take over the host and all the guests on it (RCE),” Kim explains.

On certain Linux distributions, such as Red Hat Enterprise Linux (RHEL), the security defect can be exploited by unprivileged users to escalate their privileges to root.

Januscape’s exploitation requires root privileges on the guest machine, which is typically available by default when a user is allocated a VM instance on a public cloud. If root access is not available, an attacker could chain the flaw with a privilege escalation bug, such as Dirty Frag, Kim says.

CVE-2026-53359 stayed dormant in the Linux kernel for 16 years. It was patched in mainline on June 19, when commit 81ccda30b4e8 was merged.

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

Related: Organizations Warned of Exploited Linux Kernel Vulnerability

Related: 19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

https://www.securityweek.com/linux-kernel-vulnerability-allows-vm-escape-on-intel-and-amd-systems/