The danger isn't the unknown attack — it's the known one no one got around to fixing

Cybersecurity 4 min 13 sources

This week's security news has a single quiet theme: the most exploited weaknesses are flaws that already have a fix, sitting unpatched. A phone-system bug with a patch already out, a server flaw already under attack, a Microsoft app setting left switched on by mistake. Even the scary new AI-built worm mostly just hunts for holes someone forgot to close. The lesson, calmly: updating your software is the boring advice that actually matters.

Key takeaways

This week's security news shares one theme: the weaknesses being exploited are mostly ones that already have a fix (a Cisco phone-system flaw with a patch out, a Linux server flaw under active attack, WordPress plugin flaws) — the danger lives in the gap between a fix existing and a fix being installed.
Even the new AI-built, self-spreading program from University of Toronto researchers mainly hunted for known, already-fixable holes — so AI makes routine patching matter more, not less, by speeding up the race to exploit unpatched systems.
The most reliable way in is still a person: MI5 and its Five Eyes partners warned that foreign operatives use job sites like LinkedIn and Indeed to post fake roles and coax sensitive information out of applicants — a flaw no update can patch.

There’s a comforting myth in security: that the things which get you are exotic, genius, unstoppable. The week’s real news says the opposite. The weaknesses being exploited right now are, overwhelmingly, ones that were already discovered and already have a fix — just not yet applied.

The race between “fix exists” and “fix installed”

Three separate warnings this week share one shape. Cisco, which makes much of the world’s business phone and network gear, released a patch for a serious flaw in its communications software and warned that working “proof-of-concept” code — a public demonstration of how to exploit it — is already circulating [5]. Separately, the US cyber-defence agency CISA told organisations that a flaw in the Linux kernel — the core of the operating system running most of the world’s servers — is being actively exploited, and to patch it now [8]. And researchers flagged that flaws in two widely used WordPress plugins, the add-ons that power millions of websites, are being targeted, with updates available [6].

In every case the fix already exists. The danger lives entirely in the gap between a patch being released and a patch being installed. Here’s the mechanism, and it’s the whole point: when a fix ships, it also tells attackers exactly where the unlocked door is. So the moment of greatest risk isn’t before a flaw is known — it’s the days right after, when defenders are scrambling to apply the patch and attackers are racing to reach the systems that haven’t applied it yet. The fix and the risk arrive together.

AI mostly just speeds up the same race

The headline fear about artificial intelligence in security is that it will discover brand-new, unknowable flaws. The grounded news this week is more mundane and more useful to understand. Researchers at the University of Toronto showed that a small, free, publicly available AI model — running on a single graphics card — could be turned into a self-spreading program that moved through a test network on its own [2]. The notable detail isn’t sophistication. It’s that the program worked by hunting for known weaknesses and misconfigurations — exactly the kind that already have fixes [2].

That reframes the worry. AI isn’t mainly conjuring magic new attacks; it’s automating and cheapening the hunt for the holes people already left open. Security firm Sophos separately reported an unidentified group using AI to help malicious software slip past detection tools — though, notably, the defenders’ tools still caught it [4]. The takeaway is calm, not alarmist: AI raises the speed and lowers the cost of exploiting unpatched flaws, which makes the boring discipline of patching matter more, not less. The race just got faster on the attackers’ side.

When the open door is a mistake in the product

Sometimes the unlocked door isn’t yours to fix — it’s built into a product you trust. Researchers at the firm Enclave found that several Microsoft 365 apps for Android phones — including Word, Excel, PowerPoint, OneNote and the Copilot assistant — shipped with a “debug” setting, meant only for testing, mistakenly left switched on in the public release [7]. The effect was that the apps mishandled the login tokens that prove who you are, exposing accounts to takeover at large scale [7]. No clever attack was needed; a setting was simply left in the wrong position before shipping.

For an ordinary person, the action here is small and real: keep your apps updated, because the fix arrives as an update. The deeper point is that a single overlooked default — one switch, set wrong, at scale — can quietly undo the whole system that’s supposed to keep your account yours.

And the cost of these gaps lands on regular people. A US firm, IMA Diligence Services, is notifying more than 525,000 people that their personal data — names, addresses, Social Security numbers and driver’s licence numbers — was stolen after attackers reached a neglected, third-party “legacy” server it had largely forgotten about [9]. There was better news on the other side of the ledger, too: an international law-enforcement crackdown disrupted more than 1.4 million criminal accounts, a reminder that the defenders score wins that rarely make the headlines [3].

The oldest unpatched flaw is a person

End with the weakness no software update can close. Britain’s security service MI5, alongside its partners in the “Five Eyes” intelligence alliance — the UK, US, Australia, Canada and New Zealand — warned that foreign intelligence operatives are using ordinary job websites like LinkedIn, Indeed and Upwork to post fake analyst roles, then pressure applicants into handing over sensitive, non-public information [13]. No hacking required; just a plausible job offer and human trust.

It’s a useful note to close on. Most of this week was about machines and the patches they need. But the most reliable way in has always been a person — a convincing message, a too-good opportunity, a small request that seems harmless. You can patch a server. You can’t patch the instinct to trust a friendly stranger offering you a dream job — you can only learn to notice when an offer is asking for a little more than it should.

02 · Lesson · why it matters

The risk you already know about

The comforting story about disaster is that it arrives from nowhere — exotic, clever, impossible to foresee. This week's security news quietly says the opposite. The holes being exploited had already been found. The fixes already existed. They just hadn't been applied yet. That gap, between knowing and doing, is where almost all the damage lives.

Knowing is not the same as having handled it

Look at what actually happened. A patch was released for a serious flaw — and the very release announced to the world exactly where the unlocked door was. A server weakness was publicly flagged as under attack, with the fix already available. An app shipped with a setting left in the wrong position, and once spotted, the danger was simply the time it took to correct.

In every case the knowledge was there. What was missing was the doing. And notice the cruel timing: the moment a problem becomes known is often the exact moment the risk goes up, not down — because now both you and everyone else know. Knowing about a problem can feel like progress. Sometimes it just starts the clock.

The unlocked door you walk past every day

Take this out of computers, because the shape is everywhere in a life.

The smoke alarm chirping with a dead battery you keep meaning to replace. The strange noise the car has been making for a month. The medical check-up you’ve postponed twice. The backup of your photos you’ve been “about to set up” for a year. The savings you know you should start. The conversation with someone you love that you know you need to have and keep not having.

None of these are unknown risks. Not one of them is a mystery. They are known, fixable, and sitting on a list — and that is precisely what makes them dangerous. We brace for the freak accident and walk straight past the open door we already know about, every single day.

Why “known” disguises itself as “done”

Here’s the trap underneath it. The moment you notice a problem and even figure out the fix, your mind quietly files it as handled. The alarm in your head goes quiet — you’ve “dealt with it” by deciding to deal with it later. But nothing actually changed. The battery is still dead. The flaw is still unpatched. The conversation still hasn’t happened.

Awareness feels like safety, and it isn’t. Your mental to-do list is full of things you believe you’ve taken care of, when all you’ve really done is acknowledge them. The distance between “I know about that” and “that is fixed” is the most underestimated gap there is — small enough to keep ignoring, wide enough to fall through.

What to carry out of today

When you next stop to ask what could go wrong — in your home, your money, your health, your work — resist reaching first for the dramatic unknowns. The genius attack, the freak event, the thing no one could have seen coming. Those make for better stories and worse risk management.

Instead, look at the list of things you already know are wrong and haven’t fixed. That’s almost always where the real exposure is — and, crucially, it’s the only kind you can actually do something about today. You can’t patch a hole no one has found yet. But the dead battery, the skipped backup, the postponed appointment, the door you know is open — those you can close right now. Most safety isn’t cleverness. It’s just doing the boring, known thing before the gap catches up with you.

And keep one exception in view: a few risks can’t be “fixed” once and filed away — the human ones, like the instinct to trust a too-good offer. Those aren’t a patch you apply; they’re an attention you keep. But the rest? The rest is sitting on your list, waiting. Go close one.

03 · Lab · your turn

First Thing Monday

Triage five security tasks with time to fix only three, then let the week pass — feeling that the known, fixable, actively-exploited holes are what bite if left, not the dramatic headlines you cannot act on.