TRENDS, THREATS & TACTICS FOR CYBER CERTAINTY™
BY DANIEL TOBOK
February 2026
O N E M I S T A K E , 1 , 8 0 0 E X P O S E D : The Pax8 Leak That Uncovered Supply Chain Weaknesses
Cloud marketplace Pax8 accidentally exposed sensitive internal business data related to approximately 1,800 managed service providers (MSPs) by emailing a spreadsheet to fewer than 40 partners. While no personal data was leaked, the file contained valuable commercial information, prompting interest from threat actors and raising concerns about supply chain exposure and internal data handling practices.
My thoughts
This incident with Pax8 is a textbook example of how even a small internal misstep can ripple out into major reputational and operational risks. When internal business intelligence — like partner IDs, customer lists, license data — is accidentally exposed, it becomes a goldmine for threat actors looking to exploit supply chain relationships. What concerns me most isn’t just the accidental nature of the exposure, but the fact that external actors were quick to seize the opportunity. That tells me the threat landscape is watching closely — not just for breaches, but for human errors they can monetize. In today’s climate, accidental data exposure is no longer just a mistake — it’s an opening.
What can we do?
Organizations must treat internal business data with the same level of security controls as customer PII. This includes applying data loss prevention (DLP) tools, automating access controls, and auditing outbound communications — especially when dealing with spreadsheets or partner-related files. Second, we need to build stronger review protocols before any bulk communication goes out — email is still one of the easiest places for sensitive data to slip through. Finally, the Pax8 case reinforces the importance of continuous security awareness at all levels. Cybersecurity isn’t just about defending against outside attacks — it’s about building systems and processes that don’t leave the front door open by accident.
F O R T I N E T P A T C H E S S E V E R E F O R T I S I E M F L A W : Remote Code Execution Possible Without Login
Fortinet has patched a critical vulnerability (CVE-2025-64155) in its FortiSIEM platform that could allow unauthenticated attackers to remotely execute commands on affected systems via a specially crafted TCP request. Rated 9.4 in severity, the flaw posed a serious risk to enterprise environments, prompting urgent updates and network access restrictions to mitigate potential exploitation.
My thoughts
Anytime I see a critical unauthenticated remote code execution vulnerability in an enterprise-grade security product — especially a SIEM — it’s deeply concerning. FortiSIEM is designed to be the nerve center of security visibility, and when its own components can be hijacked without credentials, it’s a dangerous reversal of trust. This isn’t just a flaw in functionality — it’s a flaw in the foundation of cyber resilience for the organizations relying on it. When you combine high severity (CVSS 9.4), remote access, and no authentication required, you’re looking at a perfect entry point for a threat actor to silently take over critical infrastructure.
What can we do?
Patching is non-negotiable — updates need to be applied immediately across all affected instances. Second, restrict external access to the phMonitor port and any other unnecessary services — it’s critical we reduce the attack surface before it’s exploited. But more importantly, this is a reminder to every organization: don’t assume your security tools are secure by default. They must be subject to the same rigorous vulnerability management lifecycle as any other critical asset. Security starts with visibility — but visibility must never come at the cost of exposure.
P A I D L L M S E R V I C E S E X P O S E D : Threat Actors Exploit Proxy Misconfigurations in Stealth Campaign
Threat actors are systematically scanning the internet for misconfigured proxy servers that expose access to paid large language model (LLM) services like OpenAI, Google, and Anthropic, aiming to abuse them for free usage or future exploitation. Using stealthy, low-noise prompts and server-side request forgery (SSRF) techniques, the attackers are conducting reconnaissance at scale, highlighting the urgent need for securing AI infrastructure.
My thoughts
As someone who has spent nearly two decades navigating the evolving landscape of cyber warfare, I view this latest activity by threat actors as a warning shot. The misuse of misconfigured proxies to access and fingerprint paid LLM services is not just about free compute — it’s about mapping out the future attack surface of AI. This isn’t just probing infrastructure; it’s probing the digital intelligence economy. We’re witnessing the early stages of how AI systems themselves will become both targets and tools in the next phase of cyber crime. The quiet nature of these attacks — low-noise prompts, subtle SSRF tactics — speaks to the sophistication of today’s adversaries and the complacency that exists around securing AI endpoints.
What can we do?
We need to move fast and think smarter. First, organizations must conduct a full audit of any proxy infrastructure sitting in front of LLMs, APIs, or cloud-based AI tools. That means verifying that every exposed endpoint is authenticated, access-controlled, and not publicly available without purpose. Many companies deploy reverse proxies or gateways without realizing that improper configuration can turn them into open doors for external exploitation.
It’s not enough to monitor for brute-force or high-volume abuse anymore. These threat actors are deliberately staying under the radar by making minimal, benign-looking requests. Security teams should implement behavioral monitoring that can detect repeated, simplistic queries coming from the same IP ranges or user agents — especially if they’re targeting known AI endpoints.
If Cyber CertaintyTM matters to you, your company or business, then subscribe to Daniel’s thought leadership today
©2026 Daniel Tobok. All rights reserved.