The CyberWire Daily Podcast 6.1.26
Ep 2563 | 6.1.26

AI joins the chain of command.

Transcript

Battlefield AI sparks debate. Election cyber threats rise. A critical Windows flaw is under active attack. CISA weighs new reporting rules. Russian targets face a stealthy hacking campaign. A 19-year-old Linux bug gets its day in the sun. Today’s business update. On today’s Industry Voices, our guest is Heather Ceylan, CISO at Box, discussing how governed AI starts with solving the unstructured data problem. Microsoft hits refresh on research relations.

Today is Monday, June 1st, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Military leaders debate battlefield AI. 

The Trump administration is accelerating the use of artificial intelligence across the U.S. military, arguing it is critical to maintaining America’s strategic advantage. Defense Secretary Pete Hegseth has pushed for rapid AI adoption and opposed restrictions that could limit lawful military applications, while President Trump has expressed concern that new regulations could weaken U.S. competitiveness, particularly against China.

At the same time, some military leaders and technology companies are urging caution. Adm. Frank Bradley, head of U.S. Special Operations Command, warned that humans must remain confident AI systems deliver force only where intended. Military officials described AI as both a battlefield tool that speeds targeting and decision-making and a support system that reduces administrative burdens and cognitive workload without replacing human judgment.

The debate has fueled tensions between the Pentagon and AI company Anthropic, which raised concerns about autonomous weapons and surveillance. Despite these disputes, experts note the military generally adopts new technologies carefully, balancing operational effectiveness with the need to avoid mistakes, civilian harm, and unintended consequences.

A new report warns the 2026 U.S. midterm elections face elevated cyber threats. 

A new report from Check Point warns that the 2026 U.S. midterm elections face elevated cyber threats targeting political organizations, fundraising platforms, media outlets, and voters. Researchers found a sharp rise in newly registered election-related domains, many of which could later be used for phishing, impersonation, fraudulent fundraising, or misinformation campaigns.

The report identifies phishing, AI-enabled disinformation, influence operations, and account compromise as the most likely threats. Email remains the primary attack vector, accounting for 82% of malicious file attacks. Researchers also found thousands of leaked credentials tied to major fundraising platforms ActBlue and WinRed, creating opportunities for fraud and unauthorized access.

Artificial intelligence is making scams, deepfakes, and misinformation more convincing and easier to produce at scale. The report also highlights ongoing influence efforts by foreign adversaries, including Russia, China, and Iran. While voting systems themselves are not the primary target, experts warn that attacks on communication channels, fundraising platforms, and public trust could significantly impact the election environment.

A critical Windows Netlogon vulnerability is under active exploitation. 

Belgium’s national cybersecurity agency, the Centre for Cybersecurity Belgium, is warning that attackers are actively exploiting CVE-2026-41089, a critical Windows Netlogon vulnerability patched by Microsoft in May. The flaw, a stack-based buffer overflow with a CVSS score of 9.8, allows unauthenticated remote code execution on Windows domain controllers through specially crafted network requests. It affects all supported Windows Server versions, including Windows Server 2025. While details of current attacks remain limited, the CCB is urging organizations to patch immediately to protect vulnerable servers.

Elsewhere, CISA has added CVE-2026-0257, a Palo Alto Networks PAN-OS authentication bypass flaw, to its Known Exploited Vulnerabilities catalog after reports of active attacks. The vulnerability affects GlobalProtect portals and gateways, allowing attackers to forge authentication cookies and establish unauthorized VPN access under certain configurations. Rapid7 observed exploitation across multiple organizations beginning in mid-May, with some attackers gaining internal network access. Palo Alto patched the flaw on May 13, and CISA has ordered federal agencies to remediate affected systems by June 1, 2026.

CISA holds town halls on cyber incident reporting rules. 

CISA will hold a series of virtual town halls from June 15–18 to gather final industry feedback on cyber incident reporting rules required under the 2022 Cyber Incident Reporting for Critical Infrastructure Act. The sessions are expected to help determine which critical infrastructure organizations must report cyber incidents and ransomware payments, what qualifies as a reportable incident, and what information must be disclosed. Industry groups have criticized earlier proposals as overly broad and burdensome, raising concerns about compliance costs and overlapping reporting requirements. The meetings may also signal whether the Trump administration plans to narrow the rule before CISA finalizes regulations that have been delayed amid extensive stakeholder feedback and debate.

Researchers uncover a hacking group quietly targeting Russian critical infrastructure. 

Researchers at Kaspersky have uncovered a previously unknown hacking group that quietly targeted Russian maritime universities, energy organizations, diplomatic missions, government agencies, and financial institutions for nearly two years. The campaign, active since at least 2024, used long dormant periods to avoid detection. Recent attacks relied on the Ravage penetration-testing framework and began with phishing emails containing malicious ZIP files disguised as Microsoft Excel configuration files. More than half of the observed attacks targeted maritime educational institutions. Kaspersky said the group appears well-established and highly stealthy but did not attribute the campaign to any known threat actor or identify its motive.

A 19-year-old Linux privilege escalation vulnerability allows low-privileged users to gain root access.  

Researchers have disclosed a 19-year-old Linux privilege escalation vulnerability, dubbed CIFSwitch, that can allow low-privileged users to gain root access on affected systems. The flaw resides in the Linux kernel’s CIFS subsystem and the cifs-utils authentication helper used for SMB network file sharing. According to researcher Asim Viladi Oglu Manizada, attackers can manipulate authentication requests to trick the root-privileged helper into switching namespaces and executing attacker-controlled code. The issue stems from insufficient validation of request origins and key descriptions. Several Linux distributions are vulnerable, particularly those with cifs-utils installed by default, though some distributions block the attack path by default or are unaffected. Major Linux vendors have already released patches, and proof-of-concept code has been published to help organizations test their defenses.

India’s government-run exam board identified and contained vulnerabilities. 

India’s Central Board of Secondary Education said it has identified and contained vulnerabilities in its OnMark online grading portal after they were publicly reported by a teenage cybersecurity researcher. The government-run exam board stated it has been closely monitoring the issue and taking corrective action. OnMark, introduced this year, allows teachers to digitally grade scanned copies of students’ physical exam answer sheets for one of India’s most important school-leaving examinations. The board did not disclose additional details about the vulnerabilities or their impact.

Monday business breakdown. 

Cybersecurity investment activity remained strong with several funding rounds and acquisitions announced across the sector. London-based RevEng.ai raised $15 million in a Series A round led by the NATO Innovation Fund to advance software supply chain security. Canadian identity security company Lastwall secured $11.5 million to expand beyond its U.S. federal customer base, while London-based threat intelligence startup Infrawatch raised $3 million in pre-seed funding. Spain’s Orbik Cybersecurity obtained €2 million to support growth, international expansion, and hiring, and Maryland-based Provision IAM received $1.25 million in strategic investments.

Mergers and acquisitions were equally active. Zscaler announced plans to acquire Symmetry Systems to strengthen identity visibility and AI governance capabilities. Check Point agreed to acquire Deepchecks to accelerate its AI security roadmap. Eurazeo will acquire Germany’s Nextron Systems to expand digital forensics capabilities, while Cycurion acquired Secuvant to enhance managed detection, vulnerability management, and compliance services. Overall, the deals highlight continued investor focus on AI security, identity management, threat intelligence, and digital forensics.

Microsoft hits refresh on research relations. 

After a week of turbulence with the security research community, Microsoft is clarifying that it does not intend to take legal action against researchers who discover and publish vulnerabilities. The reassurance follows backlash over a company blog post that criticized recent uncoordinated Windows zero-day disclosures and warned that Microsoft’s Digital Crimes Unit would continue pursuing those who enable criminal activity. Many researchers interpreted the message as a veiled warning aimed at the pseudonymous researcher Nightmare Eclipse.

In a follow-up statement posted on social media, Microsoft effectively walked back the concern, acknowledging that some interactions with researchers had “fallen short” and emphasizing its commitment to good-faith engagement. Observers also noted the company quietly swapped the more controversial phrase “responsible disclosure” for the less loaded “Coordinated Vulnerability Disclosure,” a bit of terminology housekeeping that did not go unnoticed.

Meanwhile, Nightmare Eclipse appears unfazed. The researcher says others have begun sharing vulnerabilities directly and has promised another disclosure in June, suggesting this particular chapter in the long-running vendor-researcher relationship may be ending with a handshake, or at least a slightly less tense email exchange.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.