Anthropic has signed a landmark 20-year, $19 billion lease with TeraWulf for the "Justified Data" campus in Hawesville, Kentucky. The 401-megawatt AI data centre, built on a former aluminium smelting site, is expected to come online in late 2027.
What keeps cyber analysts awake at night is persistent memory in AI agents storing enterprise IP on US servers with no residency or automatic deletion. It bypasses 30-day rules. DTA's AGT.2 requires retention and purge governance but many businesses remain unaware of the privacy and forensic risks.
AWS has increased prices for reserved AI GPU capacity by around 20%, highlighting the growing shortage of high bandwidth memory and advanced chips. As demand outpaces supply, AI development costs are rising, making large scale model training and deployment more expensive.
21st May 2026 Cyber Update: CISA’s Latest KEV Batch Shows Old Bugs Still Have a Long Tail
CISA’s latest KEV update mixes new Microsoft Defender flaws with legacy Windows and Adobe bugs, showing why exploited risk often sits in forgotten systems.
The US Cybersecurity and Infrastructure Security Agency has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue, reinforcing a consistent theme in cyber risk: exposure is often driven as much by ageing systems as by newly disclosed flaws.
The latest additions include two recent Microsoft Defender vulnerabilities alongside several legacy issues affecting Windows, Internet Explorer, DirectX, and Adobe Acrobat and Reader, originally identified between 2008 and 2010. The mix of old and new underscores the long tail of unpatched risk across enterprise environments.
What has changed?
CISA confirmed that all seven vulnerabilities were added on the basis of observed active exploitation. The two Microsoft entries are CVE-2026-41091 , an elevation-of-privilege flaw in Microsoft Defender, and CVE-2026-45498, a denial-of-service vulnerability affecting the same product.
Both vulnerabilities are now listed in the KEV catalogue, which many security teams treat as a prioritisation tool rather than a passive advisory source.
The Canadian Centre for Cyber Security has also issued guidance on the Microsoft vulnerabilities, identifying exposure in Microsoft Defender versions prior to 4.18.26040.7 and Microsoft Malware Protection Engine versions prior to 1.1.26040.8. This alignment across agencies elevates the issue from routine patching to an active exploitation priority.
Why it matters
The broader takeaway is that material risk does not always originate from newly disclosed vulnerabilities. Several issues in this update are more than 15 years old, highlighting persistent visibility and remediation gaps.
These gaps often sit in overlooked areas of the environment, including legacy endpoints, outdated system images, dormant applications, unmanaged software, and assets that fall outside standard patching processes.
KEV updates are increasingly viewed as a practical benchmark for vulnerability management maturity. The challenge is no longer the ability to generate extensive scan results, but the capacity to identify actively exploited vulnerabilities, map them accurately to internal systems, and remediate them within a meaningful timeframe.
While artificial intelligence does not directly feature in this update, the implications for AI-supported security operations are clear. The key question is whether AI-driven triage can meaningfully reduce noise and prioritise exploited vulnerabilities, or whether it simply accelerates the processing of existing backlogs without improving outcomes.
For boards and executive teams, the implications are direct. Organisations should confirm that KEV monitoring is embedded as a standing control, ensure Microsoft Defender deployments are current, assess any residual exposure to legacy Windows and Adobe systems, and verify that remediation reporting demonstrates closure rather than activity.
Get the stories that matter to you. Subscribe to Cyber News Centre and update your preferences to follow our Daily 4min Cyber Update, Innovative AI Startups, The AI Diplomat series, or the main Cyber News Centre newsletter — featuring in-depth analysis on major cyber incidents, tech breakthroughs, global policy, and AI developments.
Sign up for Cyber News Centre
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead.
Apple is accelerating its security updates to outpace AI driven exploit development, releasing early patches for iOS and macOS, while a critical WinRAR vulnerability shows why legacy software remains a prime target for attackers.
Tata Electronics’ confirmed cyber incident underscores a sharper risk for global manufacturers: stolen supplier specifications and production data can expose valuable intellectual property, test customer trust and challenge India’s push to become a trusted alternative to China.
Five Eyes cyber agencies have warned leaders to act now as AI changes cyber risk, while Mackay Sugar’s ransomware disruption shows why Australian operators cannot treat resilience as a back-office issue.
AI agents are no longer side experiments. They are becoming live attack surface, carrying access to data, code and identity. For Australian businesses, the message is clear: adoption must be matched with control.
Where cybersecurity meets innovation, the CNC team delivers AI and tech breakthroughs for our digital future. We analyze incidents, data, and insights to keep you informed, secure, and ahead. Sign up for free!