Jessica Entwistle
December 16 2025
Today’s cyber activity highlights three pressures facing organisations as year-end approaches. Active exploitation of newly disclosed vulnerabilities continues, identity access drift is increasing operational risk, and supplier resilience remains a concern where assurance is inconsistent. Together, these stories underline the importance of visibility, control and preparedness during periods of reduced capacity.
Security teams have issued warnings following confirmation that threat actors are actively exploiting vulnerabilities disclosed within the last 48 hours. These flaws affect widely used enterprise software components and are being targeted rapidly after public disclosure.
Researchers report that attackers are using automated scanning to identify exposed systems and deploying exploitation attempts within hours. In several cases, organisations that delayed patching due to change freezes or operational constraints were compromised before mitigations could be applied. Once access was gained, attackers focused on credential harvesting, persistence and lateral movement rather than immediate disruption.
This pattern reflects a broader trend in which attackers closely monitor vulnerability disclosures and weaponise proof-of-concept material almost immediately. Environments with limited asset visibility, incomplete patch inventories or reliance on manual update processes remain particularly vulnerable.
Why it matters
Speed now matters as much as severity. Organisations should prioritise rapid patching for internet-facing systems, maintain accurate asset inventories and ensure emergency change processes are clearly defined and approved.
Source
CISA and international vulnerability monitoring reports
Recent identity security assessments have highlighted growing access drift across cloud and hybrid estates. Over time, users, service accounts and integrations accumulate permissions that exceed their current role or purpose. This drift is often driven by temporary access granted during projects, incomplete offboarding or inherited permissions that are never reviewed.
Attackers increasingly exploit this condition by compromising low-privilege accounts and using existing access pathways to expand reach without triggering alerts. In multiple incidents reviewed today, attackers avoided privilege escalation entirely, instead relying on legitimate permissions that had not been removed.
The problem is amplified in hybrid environments where identity synchronisation between on-prem and cloud systems obscures true access levels. Without regular review, organisations struggle to identify which accounts present the highest risk.
Why it matters
Access drift turns identity into an attack surface. Regular access reviews, least-privilege enforcement and monitoring for unusual use of legitimate permissions are essential to reducing exposure.
Source
Identity security and access governance reporting
UK organisations have reported continued disruption linked to supplier outages and degraded third-party services. In several cases, primary systems remained operational, but dependencies on external providers caused service delays, data processing issues or loss of visibility during incidents.
Post-incident reviews show that many organisations lack a clear understanding of supplier dependencies or rely on assurances that are not regularly validated. When disruption occurred, escalation paths were unclear and recovery timelines were longer than expected. These issues were most pronounced where suppliers held privileged access or provided critical operational services.
The findings reinforce that supplier risk is not limited to security breaches. Availability, communication and recovery capability are equally important components of resilience.
Why it matters
Supplier resilience is business resilience. Organisations should map critical dependencies, validate supplier recovery capabilities and ensure escalation and communication routes are tested before disruption occurs.
Source
UK operational resilience and supplier assurance reviews
Today’s stories reinforce a familiar message. Attackers succeed when visibility is limited and controls drift over time. Rapid patching, disciplined identity governance and realistic supplier assurance help organisations stay resilient, even during periods of reduced staffing and heightened threat activity.