Today's picture
A third-party AI tool became the entry point for a breach at Vercel, the infrastructure platform behind Next.js and a significant share of enterprise web deployments. An employee granted a small AI productivity app Google Workspace OAuth access, that app was separately compromised, and attackers walked through the open door into Vercel's internal environments. Hundreds of organizations may share the same exposure through the same OAuth app. Separately, Cisco patched a CVSS 9.8 Webex flaw that let anyone impersonate any user, but the fix requires manual action from every admin running SSO.
Threat snapshot
2 new · 1 developing · 3 monitoring
New
Breach
Vercel breached through a third-party AI tool. Hundreds of orgs share the same OAuth exposure.
Context.ai OAuth compromise gave attackers Vercel's Google Workspace. API keys, env variables, and internal deployments accessed. Mandiant engaged.
New
Action Required
CVSS 9.8
Cisco Webex SSO flaw patched. Admins using SSO still need to act or they remain exposed.
Unauthenticated attackers could impersonate any Webex user. Cisco patched the cloud side. Admins must upload a new SAML certificate to Control Hub manually.
Developing
2 Unpatched
Defender RedSun and UnDefend still unpatched. No new developments.
Active exploitation of the two-step chain continues. No patch available. Monitoring for Microsoft response.
Detailed intelligence
Full analysis
01 New Breach
Vercel breached through a third-party AI tool. Hundreds of organizations share the same OAuth exposure.
Active · Apr 19
What happened
Vercel, the cloud platform behind Next.js and widely used for enterprise web and frontend deployment, disclosed a breach yesterday after a threat actor gained access to internal environments and environment variables. The attack chain started several steps removed from Vercel itself. A Vercel employee had signed up for Context.ai, a small enterprise AI productivity tool, using their corporate Google Workspace account and granted it broad OAuth permissions. Context.ai was separately compromised in a breach traced to a Lumma infostealer infection at a Context.ai employee in February 2026. That initial infection gave attackers harvested OAuth tokens, which they used to take over the Vercel employee's Google Workspace account and pivot into Vercel's infrastructure. Environment variables not marked as sensitive were accessed, potentially exposing API keys, tokens, and deployment credentials. Vercel has confirmed the investigation is ongoing with Mandiant and other firms. The scope extends beyond Vercel: the same compromised OAuth app potentially affected hundreds of organizations whose employees granted it access to their Google Workspace accounts. Vercel published an indicator of compromise for the OAuth Client ID so administrators can check whether the app is present in their environment.
CyberSip™ Take
The Vercel employee did not do anything unusual. They signed up for a productivity tool using their work account. The tool asked for Google Workspace access. They clicked allow. That is a transaction that happens thousands of times per day across every organization with knowledge workers. The problem is that "allow all" OAuth permissions on a Google Workspace account grant whoever holds that token the ability to read email, access Drive, and in environments with broad Workspace integration, reach deployment systems and infrastructure. Vercel's CEO described the attacker as gaining further access through enumeration of non-sensitive variables, which is the patient, methodical behavior of a skilled actor who is not in a hurry. The broader exposure is the point that deserves attention today. The same OAuth app potentially sits in hundreds of other organizations' Workspace environments right now. The immediate action is to audit which third-party apps hold Google Workspace OAuth access in your environment and what scopes those apps have been granted. An app that was legitimate six months ago may have been compromised since. This is not a theoretical risk. It happened over the weekend at a company with nine-figure infrastructure responsibility.
Recommended actions
- Check your Google Workspace Admin Console for the compromised OAuth Client ID: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Navigate to Security, then Access and Data Control, then API Controls, then Manage Third-Party App Access and search for that ID. Remove it if found.
- Audit all third-party apps that have been granted Google Workspace OAuth access across your organization. Review the scopes granted, particularly any app with broad read or write permissions on Workspace data.
- If your organization uses Vercel, rotate any API keys, deployment tokens, and environment variable secrets as a precaution regardless of whether you received a direct notification.
- Review whether your Google Workspace policies permit employees to grant OAuth access to external apps without admin approval. Restricting this to admin-approved apps significantly reduces the exposure surface.
Derived from vendor security bulletins, incident response disclosures, and threat intelligence analysis
02 New Action Required CVSS 9.8
Cisco Webex SSO flaw patched. Admins using SSO still need to act or they remain exposed.
CVE-2026-20184
What happened
Cisco patched a critical vulnerability in Webex Services this week that allowed an unauthenticated remote attacker to impersonate any user in the service. The flaw, rated CVSS 9.8, existed in the SSO integration with Webex Control Hub. An attacker could supply a crafted token to a service endpoint and, due to improper certificate validation, gain access to legitimate Webex services as any user without providing credentials. Cisco addressed the vulnerability on the cloud infrastructure side, meaning the Webex platform itself has been updated. However, organizations using SSO still need to take one manual step: uploading a new identity provider SAML certificate through the Control Hub Alerts Center. Without that action, the SSO integration remains on the old certificate and the protection is incomplete. No exploitation in the wild has been confirmed by Cisco, but the combination of CVSS 9.8, unauthenticated access, and a required manual remediation step makes this worth elevating today. Cisco also patched three additional critical flaws in Identity Services Engine in the same advisory, with CVSS scores of 9.9, though those require authenticated admin access to exploit.
CyberSip™ Take
Cloud-hosted software creates a specific patching dynamic that is easy to misread. When a vendor says "we have patched this," organizations often assume they are protected and move on. With CVE-2026-20184, that assumption is wrong for any organization using Webex with SSO. Cisco patched their infrastructure. The broken piece in the SSO handshake was a certificate validation problem, and completing the fix requires your admin to upload a new certificate on your side. If that step does not happen, the SSO integration still trusts the old certificate and the vulnerability window stays open. This is not an edge case or an optional hardening step. It is the other half of the patch. The ISE vulnerabilities in the same advisory also warrant attention for organizations running Cisco ISE for network access control. Two of the three critical ISE flaws require only read-only admin credentials to exploit for remote code execution on the underlying OS, which is a low bar if credentials have been compromised or shared.
Recommended actions
- If your organization uses Webex with SSO, log into Cisco Control Hub and navigate to the Alerts Center. Upload the new identity provider SAML certificate to complete the CVE-2026-20184 remediation.
- Verify the update through the SSO wizard in Control Hub. The updated certificate should reflect a post-April 15, 2026 issue date.
- If your organization runs Cisco ISE, apply the patches for CVE-2026-20147, CVE-2026-20180, and CVE-2026-20186. Versions prior to 3.2 are affected along with branches 3.2 through 3.5.
- Review which accounts hold read-only admin credentials in ISE. The bar for exploiting the two RCE flaws is read-only admin access, not full admin.
Derived from vendor security advisories and independent vulnerability analysis
03 Developing 2 Unpatched
Defender RedSun and UnDefend remain unpatched and active. Microsoft has not responded with a fix.
RedSun / UnDefend
Status update
As of today, RedSun and UnDefend have no patches, no CVE identifiers, and no published remediation timeline from Microsoft. Both were introduced publicly by researcher Chaotic Eclipse on April 16, alongside BlueHammer, which Microsoft addressed in last week's Patch Tuesday as CVE-2026-33825. RedSun exploits how Windows Defender handles cloud-tagged files during its rollback mechanism. When Defender detects a cloud-tagged file and attempts to restore it, the attacker redirects that restoration to a privileged directory using NTFS junction manipulation. The result is SYSTEM-level code execution on Windows 10, Windows 11, and Server 2019 and later with near-complete reliability. UnDefend takes a different approach. Rather than escalating privileges directly, it silently blocks Defender from receiving signature updates while the endpoint continues to report as healthy to management consoles. An attacker using this combination runs UnDefend first to freeze Defender's threat intelligence, then follows with RedSun to reach SYSTEM. The sequence is designed to evade detection: from the SOC's perspective, the endpoint looks fully protected right up until it is not. Huntress has confirmed active exploitation of both techniques in observed incidents, with attackers staging the exploit files in user directories such as Pictures and Downloads.
CyberSip™ Take
This situation is now five days old and Microsoft has not published a patch or a public timeline. That gap matters because the public proof-of-concept code is still accessible and confirmed to work. Any threat actor who wants to run this chain can. The detection problem is the piece that keeps this elevated in the brief. An endpoint running UnDefend reports green across the board. Signature updates stop flowing, but the service is running, the agent is connected, and nothing in a standard health dashboard will flag it. The only reliable signal is checking whether signature update timestamps have actually moved on connected endpoints in the last few hours. A Defender endpoint that has not updated signatures in six or more hours on a healthy network connection is worth investigation. Organizations that have layered endpoint protection beyond Defender have more options here. Organizations that rely on Defender as their sole endpoint security layer on Windows are carrying elevated risk until Microsoft ships fixes for both exploits. This item stays Developing until that happens.
Recommended actions
- Confirm Defender Antimalware Platform is on version 4.18.26050.3011 or later across the environment. This addresses BlueHammer only, not RedSun or UnDefend.
- Check actual signature update timestamps on endpoints, not just whether the Defender service is running. Endpoints that stopped receiving updates recently are a UnDefend indicator.
- Monitor user directories including Pictures and Downloads for unexplained executables. Attackers have been staging exploit files in these locations in observed incidents.
- Consider supplementary endpoint detection that does not depend solely on Defender for the duration of this unpatched gap.
- Watch Microsoft Security Response Center for out-of-band patch announcements for RedSun and UnDefend.
Derived from Huntress threat research, vendor security advisories, and independent vulnerability analysis
Still watching
Aging items · days 2–7
Items here remain operationally relevant. No significant new developments since last issue. They drop off after 7 days.
Defender RedSun and UnDefend (Issue 7, see Item 3 above for full detail). Active exploitation continues. No patches available. Status remains Developing.
Day 2
NIST NVD enrichment change (Issue 7). Organizations relying solely on NVD CVSS scores for patch triage should add a second signal source. CISA KEV remains authoritative for confirmed exploitation.
Day 2
Apache ActiveMQ CVE-2026-34197 (Issue 6). Federal deadline April 30. Active exploitation ongoing. Patch to version 5.19.4 or 6.2.3.
Day 4
Cross-source standouts
What connects this week
01
Third-party AI tools are the new shadow IT problem
The Vercel breach traces directly to an employee using a small AI productivity tool with their corporate credentials without IT visibility. This is the 2026 version of a problem organizations spent a decade trying to solve with SaaS apps: employees adopt tools that are useful, grant them broad access to work accounts, and security teams often have no inventory of what is connected or what permissions those apps hold. The difference with AI tools is that many of them are deeply integrated into productivity workflows and have been granted access to email, documents, and calendar data. An audit of Google Workspace and Microsoft 365 OAuth grants in most organizations will surface dozens of apps that nobody in IT approved or is monitoring. The Vercel situation is a demonstration of what that exposure looks like when one of those apps gets compromised.
02
Patching is often only half the job
The Cisco Webex situation this week and the BitLocker recovery loop from last week share a common thread: the vendor shipped a fix, but the work was not done. With Webex, organizations using SSO still need to upload a new certificate. With BitLocker, teams needed to verify recovery key availability before rebooting. Neither of these are obscure edge cases. They are the standard gap between a vendor announcing a patch and an environment actually being protected. The actionable habit is to read the remediation steps fully before marking a vulnerability as addressed, not just confirm that an update was applied.
Past issues · 7-day archive