Category: CISO

  • Top Critical Vulnerabilities May 2026

    Here are the top critical CVEs as of May 2026:

    CVE-2026-0073 (Google Android Zero-Click Vulnerability): Allows remote code execution on Android devices without user interaction, exploitable on the same local network. Updates have been released.

    CVE-2026-0300 (Palo Alto Networks PAN-OS Buffer Overflow): Enables unauthenticated remote code execution with root privileges on PAN-OS, especially when the User-ID Authentication Portal is exposed. Limited exploitation has been observed.

    CVE-2026-41940 (cPanel & WHM Authentication Bypass): A critical vulnerability leading to authentication bypass and elevated control of cPanel/WHM, actively weaponized against government, military, MSPs, and hosting providers.

    I’ve also noted other high-impact and actively exploited CVEs from recent months, including flaws in Cisco Secure Firewall, Langflow, Ubiquiti UniFi, and NetScaler ADC/Gateway. Older vulnerabilities like ZeroLogon and Log4Shell also continue to be exploited due to incomplete remediation.

  • A New Opportunity: Quiet AI Revolution Already Underway at Our Labs

    Something is shifting in how the most serious institutions think about intelligence, risk, and decision-support. It is not loud. It is not on stage at RSA. But it is happening.

    This is where the second wave begins. Not cloud-native, but infrastructure-native. Not generalist, but precision-built for the specific cognitive demands of security leadership and strategic decision-making. Not a product you try with a credit card, but a system you deploy inside your own walls.

    The institutions moving in this direction are not doing so because they fear AI. They are doing so because they understand it well enough to demand something better than what is publicly available.

    — ✦ —

    What We Are Building

    We are not going to describe it in detail here. That is intentional.

    What we can say is this: we have built something that operates entirely within a client’s own infrastructure. The intelligence it produces is generated from the institution’s own data, shaped by frameworks relevant to their regulatory environment, and delivered in a form that executives can act on — not just read.

    It is designed for the people in an organization who carry the most consequential responsibilities. The ones accountable for what happens when something goes wrong. The ones whose judgment needs to be sharper, faster, and better-informed than the environment around them — without compromising the confidentiality that makes their role possible.

    Two distinct capability sets. One shared architecture. Fully privately owned.

    Where We Are Now

    We are in early alpha with a small number of clients in our local market. We are having quiet conversations with a small number of people whose perspective — and potentially whose involvement — we would value.

    If you are in security, advisory, or at the intersection of the two, and the above resonates — not because of the technology, but because of the problem it addresses — then perhaps we should speak.