AI-Powered Application Penetration Testing—Scale Security Without Compromise Learn More

bishopfox-logo-grey
Get Started

cPanel Auth Bypass, Claude AI Code Risks, and Trigona Ransomware

This episode explores how access is being created, scaled, and kept with less friction, from a critical cPanel authentication bypass to AI-generated vulnerable code, AI-assisted attacks, persistent footholds in trusted systems, and stealthier data exfiltration.

Five stories this week, one thread: the friction between attackers and access keeps shrinking. Here's what stood out from the operator chair.

When every version is vulnerable, speed beats targeting.
WatchTowr disclosed a cPanel/WHM auth bypass affecting every version in the wild: tens of millions of domains, no credentials required. From the operator chair, you don't bother fingerprinting: if it has a pulse, it's in scope. The real adversary inside an unpatched panel won't be you; it'll be whoever got there an hour earlier (the MongoDB ransom-on-ransom era is the playbook). For end-of-life systems where patching isn't possible, segment from the internet and assume the race has started.

AI writes plausible code, not secure code.
Researchers are finding high vulnerability rates in AI-generated code (like unsafe input handling, weak auth) reaching production through devs who don't know what to look for. The deeper issue is statistical: model outputs reflect the average of their training data, and as that corpus gets noisier, "plausible" drifts further from "secure." Banning AI from the SDLC process is a losing strategy; your engineers are already and will continue to use it. Track it, review it, treat its output like a junior dev's first commit.

Mediocre operators are using AI to scale, not to learn.
A North Korean campaign used AI to write malware, build phishing sites, stand up fake companies, and run victim interactions, pulling in millions despite operators who weren't elite. It's not a tradecraft story; it's a volume story. With AI, the technical floor dropped, but the volume ceiling didn't. The targeted recruiter infiltration into engineering roles is the part defenders should sit with.

Patching the firewall doesn't evict the attacker on it.
New malware on Cisco Firepower devices survives patches; eviction requires offline reset. The real lesson is upstream of the CVE: stop treating edge devices as your source of truth for what's normal on the network. They need golden-image drift detection and change control like any other asset, and your endpoint visibility should flag traffic the firewall claims isn't there.

Custom exfil tools mean your signatures are lying to you.
Trigona operators ditched off-the-shelf tools like Rclone for a custom utility that splits transfers, rotates connections, and skips media files to stay quiet. The pattern they're leaning into is what makes this dangerous: a public exploit handles the front door, but everything after that runs on tooling your defenses have never seen. Patching the CVE feels like closure — the headline vulnerability is gone — but it does nothing about the operator already inside, moving with utilities you can't fingerprint. Signature-based detection won't catch that second half. Anomaly and traffic-flow analysis is the bar.

Security Headlines: 

Sean McMillan Headshot

About the speaker, Sean McMillan

Community Manager

Sean McMillan is Community Manager at Bishop Fox, focused on making complex security topics easier to understand and more interesting to follow. He holds a bachelor’s degree in Mass Communication and Media Studies from Arizona State University and brings over a decade of experience in podcasting, live hosting, and audience engagement. As host of Initial Access, he works with practitioners to explore how real-world attacks actually happen.

More by Sean McMillan
Richard Brown headshot

About the speaker, Richard Brown

Senior Managing Operator II

Richard Brown is a Senior Managing Operator II at Bishop Fox, where he leads a team focused on tracking and notifying customers of Emerging Threats, and identifying and helping expand what the operators do; which includes tool development, automation, and working with other business units in Bishop Fox.

Before joining Bishop Fox, Richard served in various security and consulting roles, including positions at MasterCard, Mercy, and Focal Point Data Risk. He also spent several years in law enforcement with the St. Louis Metropolitan Police Department, where he served as a detective in the Intelligence Division. This experience informs his ability to think like an attacker—and uncover what others miss.

Richard holds a Bachelor’s degree in Information Technology from Lindenwood University and an Associate’s degree in Electrical System Design from Ranken Technical College. He has held several certifications, including Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH), as well as others from Cisco, Splunk, NW3C, and FEMA.

More by Richard Brown
Dillon Sparks Bio Photo

About the speaker, Dillon Sparks

Senior Operator

Dillon Sparks is a Senior Operator at Bishop Fox, serving on the Threat Enablement Team with a focus on Attack Surface Intelligence and Emerging Threat Analysis. He applies deep expertise in offensive security, network exploitation, and systems analysis to help organizations understand and mitigate real-world risk across complex software and infrastructure environments.

More by Dillon Sparks
Shad Malloy Headshot

About the speaker, Shad Malloy

Managing Senior Consultant II

Shad Malloy is a Managing Senior Consultant II at Bishop Fox focused on network penetration testing, vulnerability risk management, and application security. He has advised multiple industries including health care, financial services, energy, and technology. In addition to time working and managing security for education, health care, and national government agencies. Shad holds a Bachelor of Science in Computer Information Systems as well as industry certifications like the CISSP.

More by Shad Malloy
Bfx25 John Untz Author Bio 1

About the speaker, John Untz

Senior Security Engineer, Exploit Developer

John is a Senior Security Engineer, Exploit Developer, where he focuses on reverse engineering emerging threats and developing advanced capabilities to protect our customers' attack surfaces. Prior to joining Bishop Fox, John served in a number of selectively manned US Air Force teams, and is a graduate of the NSA's Computer Network Operations Development Program (CNODP).

More by John Untz

Extend Your Knowledge

Check out these related resources.

Datasheet ai powered apt
Datasheet

AI-Powered Application Penetration Testing Datasheet

Most enterprises are managing dozens — sometimes hundreds — of applications with the same constrained budgets and headcount. Bishop Fox AI-Powered Application Penetration Testing delivers validated, expert-reviewed findings across your entire portfolio without the noise or overhead.

Learn More
Bishop Fox guide: 15 guardrails for shipping AI-generated code safely.
Guide

Secure AI-Assisted Development: 15 Guardrails for Shipping AI-Generated Code

Before releasing AI-developed software, use our recommended security guardrails checklist to learn how to constrain generated code, enforce security controls, and prevent silent risk from prompt to production.

Learn More
GigaOm Radar Report 2026 Attack Surface Management with security risk radar graphic and Bishop Fox branding.
Report

2026 GigaOm Radar for Attack Surface Management

Get an overview of the 2026 Attack Surface Management (ASM) market — along with the key features and business criteria met by the top solutions — and learn why Bishop Fox was named Leader and Fast Mover by the analysts at GigaOm.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.