The latest ThreatsDay Bulletin from The Hacker News covers another action-packed week in cybersecurity — and the themes are all too familiar: browser credential exposure, industrial control system vulnerabilities being exploited before patches exist, patch-or-die urgency across enterprise platforms, and a steady drumbeat of opportunistic attacks exploiting stale vulnerabilities and careless configurations.
Here is a breakdown of the week's most significant developments.
Microsoft Edge: Passwords Stored in Plaintext
One of the more alarming disclosures this week involved Microsoft Edge storing user passwords in plaintext under certain conditions. Security researchers identified a scenario in which saved credentials could be recovered from disk without requiring administrative privileges, effectively negating the value of Edge's built-in password manager for users in affected configurations.
Key details:
- The exposure affects users with specific profile or sync configurations
- Credentials stored by Edge's built-in password manager were found recoverable in cleartext
- Microsoft has been notified and is investigating; mitigations are pending
- Users relying on Edge's password manager should consider migrating to a dedicated password manager with proper encryption-at-rest guarantees
This is not the first browser-based credential exposure of recent months — attackers increasingly target credential stores in major browsers as a low-friction alternative to keyloggers and stealers.
ICS and OT Zero-Days Under Active Exploitation
Industrial control system and operational technology environments faced a wave of zero-day disclosures this week, with at least two vulnerabilities confirmed as exploited before patches were available:
Key ICS Vulnerabilities
Industrial Protocol Gateways — Multiple vendors producing protocol translation and gateway devices used in manufacturing, energy, and water treatment sectors disclosed remotely exploitable flaws. These devices often bridge IT and OT networks, making them high-value pivot points for adversaries seeking to move from corporate networks into operational environments.
SCADA / HMI Platforms — Human-machine interface software used to monitor and control industrial processes contained input validation flaws allowing code execution. In ICS environments, such access can translate to manipulation of physical processes.
Why ICS Zero-Days Matter
ICS environments present unique patching challenges:
- Patches must often be tested against production-equivalent environments before deployment
- Some OT systems run 24/7 with no maintenance windows
- Vendor support for older equipment may be limited or nonexistent
- Physical consequences of system failure create extreme caution around changes
Organizations operating OT/ICS environments should review CISA's ICS-CERT advisories and prioritize network segmentation controls to limit attacker lateral movement even when patching is delayed.
Patch-or-Die: Critical Deadlines This Week
Several vulnerabilities reached critical patch-or-die status this week due to active exploitation:
| CVE | Platform | CVSS | Status |
|---|---|---|---|
| CVE-2026-6973 | Ivanti EPMM | 7.2 | Actively exploited, patch released |
| CVE-2026-0300 | Palo Alto PAN-OS | 9.3 | Actively exploited, patch released |
| Multiple | ICS/OT platforms | Varies | Zero-day, mitigations only |
Organizations should verify these are addressed in their environments before the week is out. CISA is expected to add multiple entries to the KEV catalog in response to this week's exploitation activity.
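One way to turn the table above into a verifiable checklist, as an added example that is not from the bulletin: a small Python helper that indexes the CISA KEV JSON feed layout (fields cveID, vendorProject, product, dateAdded, dueDate) and ranks unpatched assets by how close they are to the federal remediation deadline. The feed entries, asset inventory, and dates below are constructed sample data so the script runs offline; a real run would fetch the published feed.

```python
"""KEV-aware patch triage (added example, not part of the bulletin)."""
import json
from datetime import date

# Constructed sample following the public KEV feed structure; dates are
# invented. The real feed is published by CISA as known_exploited_vulnerabilities.json.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks",
     "product": "PAN-OS", "dateAdded": "2026-03-02", "dueDate": "2026-03-09"},
    {"cveID": "CVE-2026-6973", "vendorProject": "Ivanti",
     "product": "EPMM", "dateAdded": "2026-03-03", "dueDate": "2026-03-24"},
]})

# Hypothetical asset inventory: CVEs each asset has not yet remediated.
SAMPLE_INVENTORY = {
    "fw-edge-01": ["CVE-2026-0300"],
    "mdm-prod-02": ["CVE-2026-6973"],
    "hmi-plant-a": ["CVE-2026-9999"],   # placeholder id, not in the sample feed
}


def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE id for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory: dict, kev: dict, today_iso: str) -> list:
    """Return (asset, cve, days_until_due) tuples, most urgent first.

    Negative days means the KEV due date has already passed. CVEs absent
    from KEV are kept (they may still matter) but reported with None and
    sorted last, so the actively exploited ones surface at the top.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                rows.append((asset, cve, None))
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append((asset, cve, (due - today).days))
    rows.sort(key=lambda r: (r[2] is None, r[2] if r[2] is not None else 0))
    return rows


if __name__ == "__main__":
    for asset, cve, days in triage(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), "2026-03-10"):
        print(f"{asset:12} {cve:15} due in {days} days" if days is not None
              else f"{asset:12} {cve:15} not in KEV")
```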
Additional Stories From This Week
The bulletin also covers more than 25 additional developments, including:
Malware and Threat Actors
- New information-stealing malware families targeting developer environments and CI/CD pipelines
- Continued expansion of phishing-as-a-service platforms with AI-assisted lure generation
- Nation-state actors adopting living-off-the-land (LotL) techniques to evade detection in long-running campaigns
Data Breaches and Extortion
- Education technology platforms targeted in extortion campaigns affecting thousands of institutions
- Healthcare sector breaches continuing at elevated rates, with attackers prioritizing PHI theft
- Supply chain attacks via compromised developer tools and package repositories
Vulnerability Research
- Critical authentication bypass flaws in enterprise VPN and remote access products
- Memory safety vulnerabilities in widely deployed network services
- API security issues in cloud-native platforms enabling cross-tenant data access
Policy and Enforcement
- CISA updates to the KEV catalog with new entries and shortened federal remediation timelines
- International law enforcement coordination resulting in infrastructure takedowns
- Regulatory actions against organizations with inadequate security posture
Analyst Commentary
What makes this week notable is the concentration of high-severity exploitation in products that sit at the security perimeter itself — firewalls, MDM platforms, and industrial control systems. Attackers are no longer content to phish individual users; they are systematically targeting the devices organizations depend on to enforce security policy.
The Microsoft Edge plaintext password issue is a reminder that convenience features — like built-in password managers — often introduce security tradeoffs that are invisible until a researcher looks closely. Users and organizations should apply defense-in-depth: assume that any credential store could be compromised and layer protections accordingly.
For ICS operators, this week reinforces the non-negotiable importance of network segmentation. When zero-days exist and patches aren't available, architectural controls are the only mitigation.
Staying Current
The ThreatsDay Bulletin is published weekly. Key resources for staying ahead of active exploitation:
- CISA KEV Catalog — tracks actively exploited vulnerabilities with federal remediation deadlines
- Vendor security advisories — subscribe to security advisories from your key vendors
- CISA ICS-CERT — dedicated advisories for industrial control system vulnerabilities
- Threat intelligence feeds — integrate commercial or open-source threat intelligence with your SIEM for IOC matching
Bottom Line: This week's threat landscape features the usual mix of novel and familiar attack vectors — but the targeting of perimeter security devices and industrial control systems elevates the stakes. Prioritize patching for actively exploited CVEs, enforce network segmentation for OT environments, and audit browser-stored credentials across your organization.