Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

When Kenna launched more than a decade ago, it reshaped an industry that had grown numb to vulnerability overload. Back then, vulnerability management meant looking at mountains of CSV files, scanner reports, and a never-ending backlog of unprioritized issues. Kenna introduced the idea that risk instead of raw counts should determine what gets fixed first. For many security teams, it was the first time they realized they didn’t have a vulnerability problem.

In December 12, 2025, Arctic Wolf began observing intrusions involving malicious SSO logins on FortiGate appliances. Fortinet had previously released an advisory for two critical authentication bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) on December 9, 2025. Arctic Wolf had also sent out a security bulletin for the vulnerabilities shortly thereafter.

AI agents connect to APIs, execute code, move data, and make decisions with real permissions in live production environments — introducing a new class of security risks. To help organizations stay ahead, the OWASP GenAI Security Project released the OWASP Top 10 for Agentic Applications 2026. In this post, we’ll provide a summary of each agentic AI risk category defined by OWASP, along with actionable next steps to begin securing your agentic AI projects in 2026 and beyond.

With 66% of B2B customers now checking for SOC 2 vulnerability compliance before signing contracts, vulnerability assessment and continuous security monitoring are now expected not just during annual audits, but as regular operational exercises.

AI agents are rapidly moving from experimentation into production across finance, healthcare, enterprise IT, and critical infrastructure. Unlike traditional applications, agents plan, reason, delegate, and act autonomously across systems and data sources. This expanded autonomy dramatically increases the security blast radius. To address this shift, OWASP released the OWASP Top 10 for Agentic Applications.

If you upgraded only to address CVE-2025-55182 (React2Shell), you may still be vulnerable. CVE-2025-55184 affects adjacent RSC code paths and can allow attackers to take your app offline, even without gaining code execution. You should ensure you’re running the latest patched React and Next.js versions, including fixes for the follow-up CVE-2025-67779.

On December 3, 2025, CVE-2025-55182, a critical remote code execution (RCE) vulnerability in React Server Components (RSC), dubbed “React2Shell.” This flaw, carrying a maximum CVSS v3.1 score of 10.0 (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality/Integrity/Availability: High), stems from unsafe deserialization in the RSC “Flight” protocol.