Cleartext – June 05, 2026
Friday, June 5, 2026 · 9:45
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 10 stories across 5 topic areas, including: China's TA4922 Expands Cybercrime Attacks Globally; CrowdStrike, Palo Alto Networks defy estimates as AI fuels cyber demand; AI is helping low-skill hackers pull off advanced cyberattacks.
Stories Covered
🌍 Geopolitical
China's TA4922 Expands Cybercrime Attacks Globally
Dark Reading · Jun 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A Chinese-linked threat group with a diverse, opportunistic attack portfolio is actively expanding its global footprint beyond East Asia, broadening the threat surface for enterprise organizations in Western markets. CISOs should update threat models and brief boards on China-linked cybercrime as a distinct risk category alongside state-sponsored espionage.
- TA4922 is described as one of the world's most diverse and least-focused cybercrime groups, now expanding beyond East Asia
- The group's broad targeting profile increases the probability of incidental compromise for enterprises not previously considered primary targets
- Geographic expansion signals operational maturation and potentially increased resourcing
📡 Macro Trends
CrowdStrike, Palo Alto Networks defy estimates as AI fuels cyber demand
Cybersecurity Dive · Jun 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Strong earnings beats from the two largest independent cybersecurity platform vendors signal sustained enterprise security spending and validate AI-driven platform consolidation as a durable market dynamic — relevant for CISOs managing vendor contract negotiations and platform consolidation strategy. Board-level conversations about security budget justification are bolstered by sector-wide demand signals.
- Both CrowdStrike and Palo Alto Networks exceeded analyst estimates, driven by AI-related security demand
- Results counter a narrative that AI tooling might cannibalize or displace traditional security spend
- The results suggest enterprise security budgets are expanding rather than reallocating away from established platforms
AI is helping low-skill hackers pull off advanced cyberattacks
Help Net Security · Jun 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Anthropic's empirical analysis of 832 banned accounts demonstrates that AI is measurably lowering the skill floor for cyberattacks, with mapped MITRE ATT&CK coverage showing AI-assisted adversaries executing techniques previously requiring significant expertise. CISOs must accelerate threat model updates to account for a broader, less-skilled but more capable attacker population.
- Anthropic analyzed 832 accounts banned for malicious cyber activity between March 2025 and March 2026
- Observed behaviors were mapped to the MITRE ATT&CK framework, providing structured evidence of AI-enabled attack technique proliferation
- The data demonstrates AI is enabling low-skill threat actors to execute advanced attack stages previously out of reach
🔓 Data Breach
Attackers obtained encrypted password vaults from some Dashlane user accounts
Help Net Security · Jun 05 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A credential-stuffing and brute-force attack against a major enterprise password manager resulted in exfiltration of encrypted vaults — a high-value target for offline cracking attacks that could eventually expose enterprise credentials at scale. CISOs using Dashlane for enterprise credential management should assess exposure and enforce MFA and strong master password policies.
- Threat actors successfully accessed some Dashlane customer accounts and copied encrypted password vaults
- Dashlane confirmed no compromise of its internal systems; the attack exploited valid or brute-forced user credentials
- The incident was first acknowledged May 31, after users reported account suspension notifications and login disruptions
UN food agency discloses breach affecting 600,000 Gaza households
BleepingComputer · Jun 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A breach of the UN World Food Programme's self-registration application exposing data on 600,000 conflict-zone households underscores the risks of humanitarian data systems as high-value espionage and disruption targets — relevant to any enterprise operating in geopolitically sensitive regions. Security leaders in NGO, government contractor, or multinational contexts should review data classification and access controls for sensitive population data.
- WFP's self-registration application for Palestine was breached, exposing data on approximately 600,000 Gaza households
- The breach affects one of the world's largest humanitarian organizations during an active conflict
- The incident highlights the targeting of humanitarian data systems, which often hold sensitive population and location data
New IronWorm malware hits 36 packages in npm supply-chain attack
BleepingComputer · Jun 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A supply-chain attack compromising 36 npm packages with infostealer malware represents a direct risk to enterprise development pipelines and any organization consuming affected open-source dependencies. CISOs should verify software composition analysis tooling is scanning for IronWorm indicators and ensure development environments are auditing npm dependencies.
- 36 npm packages were compromised with a new infostealer malware dubbed IronWorm
- The attack targets the software supply chain, potentially affecting any enterprise application pulling the affected dependencies
- Infostealer payloads in development environments can harvest credentials, tokens, and source code
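The "ensure development environments are auditing npm dependencies" advice above can be turned into a concrete check. The following is an added example, not code from the episode or from any SCA vendor: it walks an npm lockfile (both the nested lockfileVersion 1 layout and the flat `packages` map of versions 2 and 3) and flags any package whose name and version appear in an indicator list, reporting the dependency chain that pulled it in. The episode does not name the 36 affected packages, so the indicator entries, the `COMPROMISED` mapping, the function names and the sample lockfiles are all constructed placeholders to be replaced with the real IoCs from your SCA tooling or the source report.

```python
"""Audit an npm lockfile against a list of known-compromised package versions.

Added example, not from the episode or any vendor tool. The package names and
versions in COMPROMISED and the sample lockfiles are CONSTRUCTED placeholders.
"""
import json

# Constructed IoC list: {package name: set of compromised versions}.
# An empty set means every version published under that name is flagged.
COMPROMISED = {
    "example-compromised-pkg": {"4.2.1", "4.2.2"},
    "example-typosquat-lib": set(),
}


def _walk_v1(deps, chain, out):
    """Recurse through a lockfileVersion 1 nested 'dependencies' tree."""
    for name, meta in (deps or {}).items():
        out.append((name, meta.get("version", ""), chain + [name]))
        _walk_v1(meta.get("dependencies"), chain + [name], out)


def installed_packages(lock):
    """Return [(name, version, chain)] for every package in the lockfile.

    lockfileVersion 2/3 keeps a flat 'packages' map keyed by node_modules path;
    lockfileVersion 1 nests 'dependencies'. Both shapes are handled here.
    """
    found = []
    packages = lock.get("packages")
    if packages is not None:
        for key, meta in packages.items():
            if key == "":
                continue  # the root project entry, not a dependency
            # "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"]
            chain = [s.rstrip("/") for s in key.split("node_modules/") if s]
            found.append((chain[-1], meta.get("version", ""), chain))
    else:
        _walk_v1(lock.get("dependencies"), [], found)
    return found


def audit_lockfile(lock, iocs=COMPROMISED):
    """Return findings for packages matching the indicator list.

    Each finding records the package, the installed version and the chain of
    dependencies through which it was pulled in, so the owning team can be found.
    """
    findings = []
    for name, version, chain in installed_packages(lock):
        bad_versions = iocs.get(name)
        if bad_versions is None:
            continue  # name not on the list
        if bad_versions and version not in bad_versions:
            continue  # listed name, but a version not known to be compromised
        findings.append({"name": name, "version": version, "via": " > ".join(chain)})
    return findings


def audit_lockfile_path(path, iocs=COMPROMISED):
    """Convenience wrapper: read package-lock.json from disk and audit it."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh), iocs)


# Constructed lockfileVersion 3 sample: one transitive hit, one clean version of
# the same name, and one package flagged regardless of version.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0"},
        "node_modules/left-pad-ish/node_modules/example-compromised-pkg": {"version": "4.2.1"},
        "node_modules/example-compromised-pkg": {"version": "4.1.0"},
        "node_modules/example-typosquat-lib": {"version": "0.0.3"},
    },
}

# Constructed lockfileVersion 1 sample with a nested compromised dependency.
SAMPLE_LOCK_V1 = {
    "name": "legacy-app",
    "lockfileVersion": 1,
    "dependencies": {
        "some-cli": {
            "version": "2.0.0",
            "dependencies": {"example-compromised-pkg": {"version": "4.2.2"}},
        }
    },
}

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK) + audit_lockfile(SAMPLE_LOCK_V1):
        print(f"COMPROMISED {f['name']}@{f['version']} via {f['via']}")
```

Run it against a real lockfile with `audit_lockfile_path("package-lock.json")` after replacing the placeholder indicators. Matching on the exact installed version rather than the name alone matters for supply-chain incidents like this one, where a legitimate package is compromised for only a few releases; the version-agnostic entry (empty set) covers the typosquat case where the whole package is malicious.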
⚖️ Governance & Policy
Hill Dems hammer GOP for $250M CISA budget cut
CyberScoop · Jun 04 · Relevance: █████████░ 9/10
Why it matters to CISOs: A proposed $250M cut to CISA's budget would materially reduce the federal cyber defense and information-sharing apparatus that enterprises rely on for threat intelligence and critical infrastructure coordination. CISOs should reassess dependence on CISA services and accelerate private-sector threat sharing alternatives.
- House Appropriations subcommittee is marking up FY2027 DHS funding legislation with a proposed $250M CISA budget cut
- Democratic members are publicly opposing the cut, signaling a partisan battle over federal cybersecurity resourcing
- CISA has already experienced staffing and resource reductions prior to this proposed cut
Trump considers Palantir exec to lead CISA
The Record (Recorded Future) · Jun 04 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The CISA director role has been vacant, and a Palantir CTO appointment would signal a significant philosophical and operational shift in how the agency approaches federal cybersecurity — with implications for public-private partnership models and AI-driven defense priorities. CISOs should monitor for changes in CISA's engagement posture and advisory outputs.
- Palantir CTO Shyam Sankar has emerged as a leading candidate for the vacant CISA director role
- The CISA director position has remained unfilled for an extended period under the current administration
- A Palantir executive leading CISA could accelerate AI and data analytics integration into federal cyber defense
FTC considers setting aside or modifying $150 million privacy penalty against X
The Record (Recorded Future) · Jun 04 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The FTC's potential reversal of a landmark $150M privacy enforcement action signals a shift in the regulatory enforcement posture that enterprises have used to benchmark privacy program accountability. CISOs and legal teams should monitor whether this sets precedent for reduced enforcement risk or corporate restructuring as a penalty mitigation strategy.
- The FTC is considering modifying or setting aside the $150M privacy penalty against X (formerly Twitter)
- X's petition argues the order was issued against a company that 'no longer exists' following its rebranding and restructuring
- If accepted, the rationale could create a template for other companies to use corporate restructuring to escape legacy enforcement orders
🚨 Critical Vulnerability
Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245)
Help Net Security · Jun 05 · Relevance: █████████░ 9/10
Why it matters to CISOs: An unpatched privilege escalation zero-day in Cisco Catalyst SD-WAN Manager is being actively exploited, putting enterprise WAN infrastructure at direct risk with no vendor fix currently available. CISOs running Cisco SD-WAN deployments must assess exposure and consider compensating controls immediately.
- CVE-2026-20245 is a privilege escalation zero-day in Cisco Catalyst SD-WAN Manager with no patch available as of disclosure
- Exploitation requires netadmin credentials, or chaining with one of two other CVEs (CVE-2026-20182 or CVE-2026-20127)
- Cisco has confirmed limited cases of active exploitation in the wild
Further Reading
- 🌍 China's TA4922 Expands Cybercrime Attacks Globally — Dark Reading
- 📡 CrowdStrike, Palo Alto Networks defy estimates as AI fuels cyber demand — Cybersecurity Dive
- 📡 AI is helping low-skill hackers pull off advanced cyberattacks — Help Net Security
- 🔓 Attackers obtained encrypted password vaults from some Dashlane user accounts — Help Net Security
- 🔓 UN food agency discloses breach affecting 600,000 Gaza households — BleepingComputer
- 🔓 New IronWorm malware hits 36 packages in npm supply-chain attack — BleepingComputer
- ⚖️ Hill Dems hammer GOP for $250M CISA budget cut — CyberScoop
- ⚖️ Trump considers Palantir exec to lead CISA — The Record (Recorded Future)
- ⚖️ FTC considers setting aside or modifying $150 million privacy penalty against X — The Record (Recorded Future)
- 🚨 Cisco SD-WAN 0-day exploited, no patch available (CVE-2026-20245) — Help Net Security
Full Transcript
Alex: Welcome to Cleartext. It's Friday, June 5th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. A Cisco SD-WAN zero-day with no patch and active exploitation. Two major CISA stories that, taken together, paint a pretty striking picture of where federal cyber defense is headed. A password manager breach that should make every CISO audit their vault strategy. Anthropic publishing hard data on AI-enabled attackers. China's TA4922 going global. And we'll touch on what the CrowdStrike and Palo Alto earnings tell us about where security budgets are actually going. Let's start where it hurts.
Jordan: Yeah, let's start with the one that's going to ruin someone's Friday. CVE-2026-20245. Privilege escalation zero-day in Cisco Catalyst SD-WAN Manager. No patch. Cisco has confirmed active exploitation in the wild.
Alex: And the details matter here. This isn't unauthenticated remote code execution. You need netadmin credentials on the box, or you need to chain it with one of two other CVEs, 20182 or 20127. So the attack surface is constrained, but constrained is not the same as safe.
Jordan: Right. If you're running Cisco SD-WAN, and a lot of enterprises are, you need to be asking your network team right now whether those two chaining CVEs are patched. Because if they're not, this becomes a much more accessible attack path. And netadmin credentials? In environments with weak credential hygiene, that's not a high bar.
Alex: Compensating controls. Segment your management plane. Audit who has netadmin access. Monitor for anomalous privilege changes. This is the kind of thing where you can't wait for the patch. You need to reduce exposure now and monitor aggressively.
Jordan: And frankly, if your SD-WAN management interface is reachable from anything other than a hardened jump box, we need to have a different conversation.
Alex: Agreed. Let's shift to Washington, because two stories out of the Hill this week are connected and they matter. First, House Appropriations is marking up FY2027 DHS funding today, Friday, with a proposed $250 million cut to CISA's budget. Democrats are loudly opposing it, but the markup is proceeding.
Jordan: And simultaneously, we learn that Shyam Sankar, the CTO of Palantir, is the leading candidate for the CISA director role, which has been vacant for a long time now.
Alex: Take these together. You have an agency that's already been losing staff and resources, now facing a quarter-billion-dollar cut, and the person being considered to lead it comes from a company whose entire model is large-scale data analytics and AI-driven intelligence. That's a philosophical pivot, not just a personnel change.
Jordan: Look, Sankar is a serious technologist. Palantir's platform capabilities are real. But leading CISA isn't a technology problem. It's a coalition problem. CISA's value to the private sector has been in its role as a neutral convener, a trusted information-sharing hub, the entity that coordinates across critical infrastructure sectors. If you shift that toward an AI-first, data-platform orientation, you potentially lose the trust that makes the sharing work.
Alex: And if you cut $250 million on top of that, you're not just changing direction, you're reducing capacity. For CISOs, the action item is concrete. You cannot assume CISA services you've relied on, KEV catalog maintenance, advisory quality, sector coordination, will continue at the same level. Start strengthening your private-sector threat sharing relationships. ISACs, direct vendor channels, peer networks. Diversify your intelligence inputs.
Jordan: This isn't speculative. The degradation has already started. This just accelerates it.
Alex: Now let's talk about a breach that hits enterprise credential management directly. Dashlane disclosed that attackers successfully accessed some customer accounts through credential stuffing and brute force, and they copied encrypted password vaults.
Jordan: This is the nightmare scenario for any password manager, and it's the second time we've seen it in the industry. The parallels to the LastPass incident are obvious. Dashlane says their internal systems weren't compromised. The attackers used valid or brute-forced user credentials to log into accounts and then exported the encrypted vaults.
Alex: So the vaults are encrypted. But they're now in the hands of attackers who can run offline cracking at their leisure. The strength of your master password is now the only thing standing between an attacker and every credential in that vault.
Jordan: And let's be honest about enterprise password manager deployments. How many organizations actually enforce master password complexity? How many have MFA on the vault itself, not just on SSO, but on the actual password manager authentication? In a lot of deployments, the answer is not enough.
Alex: If you're a Dashlane enterprise customer, the response is immediate. Force master password resets. Enforce MFA if you haven't. Audit which accounts were affected. And start rotating credentials stored in those vaults, especially service accounts and privileged access credentials. Don't wait for Dashlane to tell you whether your specific tenant was hit.
Jordan: And this is a good moment for any CISO to stress-test their password manager deployment regardless of vendor. What happens if vaults are exfiltrated? How strong are your master passwords? Is your threat model current?
Alex: Let's pivot to the AI threat landscape, because Anthropic dropped something genuinely useful this week. They published an analysis of 832 accounts they banned for malicious cyber activity between March 2025 and March 2026, and they mapped the observed behaviors to MITRE ATT&CK.
Jordan: This is the kind of empirical data the industry has been missing. We've had a lot of hand-waving about AI lowering the bar for attackers. Anthropic is showing the receipts. And what the data shows is that low-skill actors are using AI to execute attack techniques that previously required significant expertise. We're talking about things like defense evasion, lateral movement, credential access, stages that used to require real tradecraft.
Alex: The strategic implication is clear. Your threat model's assumption about attacker capability needs to shift. The population of actors who can execute a competent attack chain just got larger. Not because individual tools got better, but because AI is bridging the skill gap.
Jordan: And this connects directly to volume. More capable attackers means more attacks that get past the initial filter. Your SOC is going to see more sophisticated-looking activity from actors who, two years ago, would have been stopped at the phishing stage. The middle of the funnel is getting fatter.
Alex: Which brings us to budget. CrowdStrike and Palo Alto both beat earnings estimates this week, driven by AI-related security demand. The narrative that AI tooling would cannibalize traditional security spend? The market just rejected it.
Jordan: Enterprise security budgets are expanding, not reallocating. And the platform consolidation trend is real. Both companies are benefiting from CISOs who want fewer vendors doing more, with AI capabilities baked in rather than bolted on.
Alex: For CISOs heading into budget season or mid-year reviews, this is useful ammunition. The market is validating that security spend is increasing, not contracting. If your CFO is pushing back on security investment, the earnings data from the two largest independent platform vendors says demand is accelerating. Use it.
Jordan: Now, on the threat actor front, let's talk about TA4922. Dark Reading reported this week that this Chinese-linked cybercrime group is expanding globally beyond its traditional East Asian footprint.
Alex: What makes TA4922 interesting and dangerous is that they're described as one of the most diverse and least-focused cybercrime groups operating. They're opportunistic. They don't have a narrow targeting profile, which means the probability of incidental compromise goes up for enterprises that never considered themselves targets of Chinese-linked cybercrime.
Jordan: And I want to emphasize the word cybercrime here, not espionage. We've trained boards to think about China-linked threats in terms of intellectual property theft and state-sponsored espionage. TA4922 is a financially motivated operation. It's a different risk category, and it needs to be briefed that way. Chinese-linked cybercrime is distinct from Chinese state-sponsored espionage, and your board needs to understand both.
Alex: The geographic expansion also signals operational maturity and possibly increased resourcing. This isn't a scrappy crew anymore. They're scaling.
Jordan: Two more stories to touch on quickly. The UN World Food Programme disclosed a breach of its self-registration application for Palestine, exposing data on 600,000 Gaza households. For most of our listeners, this isn't a direct operational concern. But if you're in the NGO space, government contracting, or any multinational operating in conflict zones, this is a signal. Humanitarian data systems are high-value targets, and they're often under-resourced from a security perspective.
Alex: And on the supply chain front, 36 npm packages were compromised with a new infostealer malware called IronWorm. If your development teams are consuming open-source dependencies, and they are, make sure your software composition analysis tooling is scanning for IronWorm indicators. Infostealers in dev environments can harvest credentials, tokens, and source code. This is pipeline hygiene.
Jordan: One more. The FTC is considering setting aside or modifying the $150 million privacy penalty against X, formerly Twitter. X is arguing the order was issued against a company that no longer exists. If the FTC accepts that reasoning, it creates a template for using corporate restructuring to escape legacy enforcement orders.
Alex: That's a precedent every privacy and legal team should be watching. If rebranding and restructuring become viable strategies for shedding regulatory obligations, it changes the calculus for enforcement accountability across the board.
Jordan: All right, looking at the week as a whole, what's the thread?
Alex: The thread this week is that the assumptions underpinning your security program are shifting faster than most organizations are updating them. Attacker skill floors are dropping because of AI. A major federal cyber defense agency is being simultaneously defunded and restructured. Your password vaults might be in someone else's hands. And a Chinese cybercrime group you've never briefed your board on is now operating in your geography. The common action is the same across all of these. Revisit your assumptions. Update your threat models. Don't coast on last year's risk assessment.
Jordan: And don't assume the cavalry is coming from Washington. Build your own resilience. Strengthen your private-sector relationships. Test your controls against the threat landscape as it actually exists today, not as it existed when you last updated your strategy deck.
Alex: That's the show for Friday, June 5th. Show notes and links to every story we covered are at cleartext.fm. Have a good weekend. Stay sharp.
Jordan: See you Monday.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-05.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.