Cato CTRL Threat Research: Vulnerability Discovered in Open WebUI Enables Account Takeover and Remote Code Execution (CVE-2025-64496)

Cato CTRL’s Vitaly Simonovich (senior security researcher) has discovered a vulnerability (CVE-2025-64496, rated “High” severity at 7.3 out of 10) in Open WebUI versions 0.6.34 and older. The flaw affects the Direct Connections feature, which lets users connect to external AI model servers (e.g., OpenAI’s API). If a threat actor tricks a user into connecting to a malicious server, the result can be an account takeover attack.

Cloud vs On-Premises SIEM: One or the Other or Both?

While Hamlet asked the existential question “to be or not to be,” most security teams ask an equally esoteric question that ultimately defines their ability to manage alerting and detection: “to deploy on-prem or in the cloud?” When adopting a security information and event management (SIEM) solution, organizations must make a foundational decision around whether to deploy the solution on-premises or in the cloud.

Agentless IoT Security: How to Secure Devices You Can't Touch in 2026

As IoT and operational technology environments expand, organisations are discovering that a large portion of their device estate simply cannot be secured using traditional methods. Many devices cannot run agents, cannot be patched regularly, or cannot tolerate downtime. In 2025, this reality is no longer the exception—it is the norm.

Zero Trust Implementation: Why it Matters and How to Implement

Zero Trust is a security mindset and architecture that assumes no user, device, or network is inherently trustworthy, requiring continuous verification for every access request. Unlike a single tool or product, it requires a holistic strategy that integrates strong identity controls, such as MFA and least privilege access. Success with Zero Trust hinges on cultural shifts, executive buy-in, and ongoing adaptation to threats that emerge beyond the initial setup.

Cloud Computing and Code Signing as A Service: Stats, Future and Trends 2026

Whenever you press the update button on your phone, or your server requests a new container image, an act of faith is being performed. You are relying on the fact that the code you are downloading is what the developer wrote. You are hoping that a hacker didn’t place a backdoor in between. For years we have verified that trust with a basic digital handshake: code signing. But here is the thing. It is a weakened handshake. I call CTOs and security leaders weekly, and they are afraid.

The new unit economics playbook for ecommerce operators

EcomWatch is a digital publication launched by experienced ecommerce entrepreneurs who believed the industry needed a news outlet built by people who actively run online stores. Its mission is to deliver timely, evidence based insights across the ecommerce ecosystem. What follows reflects that operator lens: the hard levers that improve contribution margin and cash flow in a market where customer acquisition is pricier, fulfillment is more complex, and signal quality is noisier.