TechRisk #120: Security challenges faced by Agentic AI applications
Plus, few firms ready for quantum risks, critical Langflow RCE flaw exploited, Web3 lost $92M in April, and more!
Tech Risk Reading Picks
Few firms are ready for quantum computing cybersecurity risk: A new ISACA global poll reveals that while quantum computing is widely seen as a transformative force with the potential to revolutionize industries and dramatically accelerate data processing, it also poses a significant cybersecurity threat—especially the risk of breaking current internet encryption. Despite 62% of professionals acknowledging this danger, only 5% of organizations have a defined strategy to address it, and most remain unprepared for the anticipated impacts, such as increased cyber threats, regulatory challenges, and shifting business risks. Concerns like “harvest now, decrypt later” underscore the urgency for post-quantum cryptography adoption, yet awareness of relevant NIST standards remains low. Experts stress that organizations must start planning now—by identifying encrypted data, transitioning systems, and upgrading infrastructure—before quantum computing reaches the threshold where it can undermine global digital security. [more]
Security challenges faced by Agentic AI applications: A new study examines the security challenges of agentic applications—software powered by autonomous AI agents—by detailing nine attack scenarios that exploit weaknesses like misconfigured tools, unsecured code interpreters, and prompt injection. Through tests on two popular agent frameworks, CrewAI and AutoGen, it shows that most threats stem from insecure design patterns rather than framework flaws. The authors provide targeted mitigation strategies for each threat, emphasizing the need for layered, defense-in-depth security. Their findings, including open-sourced code and datasets, offer broadly applicable guidance for securing AI agents. [more]
AI for good and bad: Advances in scalable AI and autonomous technologies are reshaping cybersecurity, potentially allowing CISOs to deploy tens of thousands of autonomous agents instead of hiring more personnel, according to NightDragon CEO Dave DeWalt. While these innovations promise to shift the balance in favor of defenders, DeWalt warns that cybersecurity has worsened significantly over the past decade due to the shift from isolated legacy systems to complex, cloud-based and IoT-heavy environments—creating a "perfect cyber storm" that has now become a major hurricane. Speaking at RSAC 2025, DeWalt also highlighted ongoing federal cybersecurity efforts, the debate between platformization and best-of-breed tools, and increased investment in quantum and hybrid GPU-QPU technologies. [more]
Critical Langflow RCE flaw exploited: The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned of active exploitation of a critical remote code execution (RCE) vulnerability in Langflow, tracked as CVE-2025-3248, which allows unauthenticated attackers to take full control of vulnerable servers via an insecure API endpoint. Langflow, a popular open-source visual tool for building AI workflows, has over 60,000 GitHub stars and is widely used by developers and startups. The flaw, stemming from the /api/v1/validate/code endpoint’s failure to sandbox or authenticate user input, was patched in version 1.3.0 by adding authentication. CISA urges users to upgrade to version 1.4.0 or implement mitigations such as firewalls or VPNs by May 26, 2025, as over 500 exposed instances were found and exploitation is highly likely, according to Horizon3 researchers who published a detailed blog and proof-of-concept exploit. [more]
Google Cloud has higher cloud vulnerability rates than AWS and Azure: CyCognito reveals that Google Cloud and smaller cloud providers have significantly higher rates of vulnerable and easily exploitable assets compared to AWS and Azure, making them riskier for cloud deployments. Analyzing nearly five million internet-exposed assets, the study found that 38% of Google Cloud and smaller provider assets had at least one security issue, more than double AWS's 15%, while Azure had a higher rate of critical vulnerabilities (0.07%). Although the absolute rates of critical, easily exploitable issues are low across major providers, smaller clouds and hosting services had vulnerabilities at ten times the rate of AWS. As cloud security grows more complex, CyCognito recommends dynamic testing and seedless discovery to mitigate hidden risks across multi-cloud environments. [more]
Web3 Cryptospace Spotlight
Web3 lost $92M in April: In April 2025, DeFi platforms suffered a sharp rise in crypto hacks, with 15 coordinated attacks resulting in $92 million in losses—up 124% from March—highlighting critical security vulnerabilities. Major breaches, including a $70 million heist from UPCX and a $7.5 million attack on KiloEx, illustrate the growing threat to decentralized systems, which have already seen over $1.7 billion stolen this year. These incidents underscore the urgent need for stronger security measures such as zero-trust frameworks, regular audits, and better bug bounty programs to combat increasingly sophisticated crypto hacking tactics. [more]
Zero-day SOL vulnerability that allowed unlimited minting: The Solana Foundation has fixed a critical zero-day vulnerability, discovered on April 16, that could have allowed attackers to forge zero-knowledge proofs and illicitly mint or withdraw Token-22 confidential tokens, which use zero-knowledge proofs for private transfers. Though no exploit occurred, two patches were quickly deployed and adopted by a majority of validators. The flaw lay in missing algebraic components in a cryptographic process known as the Fiat-Shamir Transformation. While the fix was successful and all funds remain safe, the Foundation's discreet coordination with validators has sparked concerns about Solana’s centralization. Critics contrasted this with Ethereum’s broader client diversity, arguing that Solana’s reliance on a single production-ready client increases its protocol-level vulnerability. [more]
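The Solana item says the flaw was "missing algebraic components" in the Fiat-Shamir transformation. The example below is an added illustration of that general failure mode, not Solana's code and not a reconstruction of the actual Token-22 bug: it implements a Chaum-Pedersen proof that two group elements share a discrete log (the kind of relation confidential-transfer proofs rely on) in a toy group constructed for the demo, with two challenge functions. The "weak" one hashes only the prover's commitments; the "strong" one also binds the public statement. With the weak transform, a prover can choose the statement after the challenge is fixed and obtain an accepting proof for a false statement; the strong verifier rejects the same proof. Group parameters, generator names and function names are all assumptions made for the demo.

```python
import hashlib
import secrets

# Toy group constructed for this demo (far too small for real use): P is a
# safe prime, Q = (P - 1) / 2, and G, H are quadratic residues, so each
# generates the order-Q subgroup of Z_P^*.
P = 1019
Q = 509
G = 4   # 2^2 mod P
H = 9   # 3^2 mod P


def _challenge(*elems):
    """Hash the given values into a challenge in Z_Q."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def weak_challenge(A, B, t1, t2):
    """Weak Fiat-Shamir: the statement (A, B) is left out of the hash."""
    return _challenge(t1, t2)


def strong_challenge(A, B, t1, t2):
    """Strong Fiat-Shamir: group parameters, statement and commitments are all bound."""
    return _challenge(P, Q, G, H, A, B, t1, t2)


def prove_equal_logs(x, challenge_fn):
    """Honest proof that log_G(A) == log_H(B) == x. Returns (statement, proof)."""
    A, B = pow(G, x, P), pow(H, x, P)
    r = secrets.randbelow(Q - 1) + 1          # prover nonce
    t1, t2 = pow(G, r, P), pow(H, r, P)       # commitments
    c = challenge_fn(A, B, t1, t2)
    s = (r + c * x) % Q
    return (A, B), (t1, t2, s)


def verify_equal_logs(statement, proof, challenge_fn):
    """Recompute the challenge and check both Chaum-Pedersen equations."""
    A, B = statement
    t1, t2, s = proof
    c = challenge_fn(A, B, t1, t2)
    return (pow(G, s, P) == (t1 * pow(A, c, P)) % P
            and pow(H, s, P) == (t2 * pow(B, c, P)) % P)


def forge_false_statement_under_weak_fs():
    """Produce (statement, proof, (xa, xb)) with xa != xb that the weak
    verifier accepts. The commitments use two different nonces a != b; because
    the weak challenge ignores A and B, they can be solved for afterwards from
    the verification equations. Returned xa, xb are the true discrete logs of
    A and B, so a caller can confirm the statement is false."""
    while True:
        a = secrets.randbelow(Q - 1) + 1
        b = secrets.randbelow(Q - 1) + 1
        if a == b:
            continue
        t1, t2 = pow(G, a, P), pow(H, b, P)
        c = weak_challenge(None, None, t1, t2)   # A, B not yet chosen
        s = secrets.randbelow(Q)
        # In this toy group c == 0, s == a, s == b or a challenge collision
        # occurs with probability about 1/Q; skip those so the demo is
        # deterministic. At real parameter sizes they are negligible.
        if c == 0 or s in (a, b):
            continue
        c_inv = pow(c, -1, Q)
        xa = (s - a) * c_inv % Q                 # solves G^s == t1 * A^c
        xb = (s - b) * c_inv % Q                 # solves H^s == t2 * B^c
        A, B = pow(G, xa, P), pow(H, xb, P)
        if strong_challenge(A, B, t1, t2) == c:
            continue
        return (A, B), (t1, t2, s), (xa, xb)


if __name__ == "__main__":
    st, pr = prove_equal_logs(123, strong_challenge)
    print("honest proof, strong verifier:", verify_equal_logs(st, pr, strong_challenge))
    fst, fpr, (xa, xb) = forge_false_statement_under_weak_fs()
    print("forged statement has logs", xa, "!=", xb)
    print("forged proof, weak verifier:  ", verify_equal_logs(fst, fpr, weak_challenge))
    print("forged proof, strong verifier:", verify_equal_logs(fst, fpr, strong_challenge))
```

The defensive takeaway is the one the item points at: every public input the verifier will use, including group parameters and the statement itself, must go into the Fiat-Shamir hash, and a review of a ZK verifier should check that the transcript hashed by the prover and the one recomputed by the verifier are the same complete list.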