Microsoft Backs Down After Threatening Researchers Over Zero-Day Disclosure, OpenAI Codex Discovers HTTP/2 Bomb, AI Agents Steal 6 Million Records
TLDR: Microsoft reversed legal threats it made against security researchers who disclosed a zero-day vulnerability, following significant backlash from the security community.
OpenAI’s Codex agent discovered a devastating HTTP/2 denial-of-service exploit by chaining two decade-old vulnerabilities, capable of crashing web servers in under 20 seconds.
AI agents with overprivileged access exfiltrated 6 million records in a documented incident, exposing a structural gap in how organizations govern autonomous systems.
Full stories below…
Got something worth sharing?
PWN is a community for hackers and security enthusiasts.
We feature the best posts in this newsletter and we’re looking for news stories, writeups, tools, tutorials, discussion threads, and questions that spark real conversation.
We are accepting submissions for: News stories; Tutorials/write-ups; Tools you built or found useful; Discussion threads; or Questions that spark good conversation.
» Create a post, and you could be featured in the next email!
Our community is growing fast, with 935,000 views a month, 33,000 members, and 200+ new people joining daily. Create a post and you could be featured.
Microsoft Retracts Legal Threats Against Researchers Following Zero-Day Disclosure Backlash
Microsoft sent legal threats to security researchers who publicly disclosed a zero-day vulnerability, then quietly reversed course after the security community erupted in protest.
The incident reignited longstanding tensions between large vendors and the independent researchers who find and report their flaws. Microsoft’s initial move to suppress disclosure rather than address the underlying vulnerability drew sharp criticism, with many arguing that legal intimidation chills responsible security research. The reversal, while welcome, leaves open questions about what internal processes led to the threat in the first place and what protections researchers can expect going forward.
The HTTP/2 Bomb: How OpenAI Codex Chained Legacy HPACK and Slowloris Vectors to Devastate Nginx, Apache, and IIS
A single attacker on a standard home connection can force a vulnerable web server to allocate 32GB of RAM in under 20 seconds, inducing an immediate crash.
Researcher Quang Luong used OpenAI’s Codex agent to chain two decade-old vulnerabilities into a lethal amplification loop: an HPACK compression bomb causes exponentially decompressed memory allocation, while a Slowloris-style hold prevents the server from releasing it. The attack surface spans roughly 880,000 public-facing websites. Nginx is fully patched in version 1.29.8, Apache is addressed in mod_http2 v2.0.41 under CVE-2026-49975, and Cloudflare Pingora handles it at the edge layer automatically. Microsoft IIS remains unpatched.
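The defensive side of the HPACK half of that chain, as an added illustration that is not code from the article or from the researcher's tooling: a reduced HPACK decoder (dynamic table only, no static table, no Huffman strings, no eviction; the header block it decodes is constructed here) that enforces the decoded header-list size while decoding rather than after, so a few kilobytes of compressed input cannot drive a much larger allocation.

```python
# Added illustration (not the article's or the researcher's code): RFC 7541 subset
# that enforces the decoded-size limit during decoding. Assumptions: no static table,
# no Huffman strings, no dynamic-table eviction, only the 0x80 and 0x40 forms.
STATIC_TABLE_SIZE = 61  # dynamic-table indices start at 62 (RFC 7541 Appendix A)
ENTRY_OVERHEAD = 32     # entry size = len(name) + len(value) + 32 (RFC 7541 s4.1)
class HeaderListTooLarge(ValueError): pass
def _decode_int(buf, pos, prefix_bits):
    """RFC 7541 s5.1 integer with an N-bit prefix; returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    while value >= mask:                # continuation bytes carry 7 bits each
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value, pos
def _decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not handled here")
    length, pos = _decode_int(buf, pos, 7)
    return buf[pos:pos + length].decode("latin-1"), pos + length
def decode_headers(block, max_header_list_size):
    """Decode a header block, aborting as soon as the decoded size passes the limit;
    checking during decoding (not after) is what bounds the allocation."""
    dynamic, headers, total, pos = [], [], 0, 0   # dynamic[0] is the newest entry
    while pos < len(block):
        if block[pos] & 0x80:                      # indexed header field
            idx, pos = _decode_int(block, pos, 7)
            if idx <= STATIC_TABLE_SIZE:
                raise ValueError("static table omitted here")
            name, value = dynamic[idx - STATIC_TABLE_SIZE - 1]
        elif block[pos] & 0x40:                    # literal with incremental indexing
            idx, pos = _decode_int(block, pos, 6)
            if idx:
                raise ValueError("name-by-reference not handled here")
            name, pos = _decode_string(block, pos)
            value, pos = _decode_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("other representations not handled here")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if total > max_header_list_size:
            raise HeaderListTooLarge(f"{total} bytes decoded, limit {max_header_list_size}")
        headers.append((name, value))
    return headers
def build_sample_block(value_len=126, repeats=5000):
    """Constructed input: one literal entry, then `repeats` one-byte references to it."""
    literal = bytes([0x40, 1]) + b"x" + bytes([value_len]) + b"A" * value_len
    return literal + bytes([0x80 | (STATIC_TABLE_SIZE + 1)]) * repeats
```

With the defaults, about 5 KB of input decodes to roughly 795 KB of header-list size; an unbounded decoder materialises all of it, while `decode_headers(block, 65536)` stops at the first entry past 64 KiB.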
AI Agents Exfiltrate 6M Records: The Structural Governance Gap
Autonomous AI agents with poorly scoped permissions pulled 6 million records out of enterprise systems, and most organizations had no controls in place to stop it.
The incident highlights a governance blind spot that has emerged as AI agents move from experimental to production use. Unlike human users, agents can operate continuously, access multiple integrated systems simultaneously, and generate no obvious behavioral signals that traditional monitoring tools flag as suspicious. The structural problem is that access controls, audit trails, and least-privilege principles designed for human operators were never adapted to constrain autonomous agents working at machine speed across interconnected data stores.
Join PWN on Reddit
PWN is where security people go to stay ahead.
Breach reports, exploits, vendor advisories, and the kind of conversations that make you better at your job, all in one feed.
We’re 32,000+ hackers and cybersecurity enthusiasts strong, with 935,000 monthly views and 200+ new members every day.
You’ll be in the same threads as journalists from Wired Magazine, Electronic Frontier Foundation, 404 Media, Fast Company, and The Guardian breaking the stories firsthand, plus security teams from vendors like Proton, Intigriti, and Hudson Rock sharing research and answering questions directly.
Why join:
Know what’s hitting before it hits you. Get the breach reports, exploits, and vendor advisories early so you can act before they become your problem.
Get sharper, not just busier. Skip the noise and learn from people actually doing the work, on the AI exploits, new defenses, and techniques that move your skills forward.
Make the career move you’ve been planning. Whether it’s your first paycheck in security or your jump from IT into offensive work, you’ll find members who’ve made it and are happy to help you do the same.
Be the person at work who already knows. Walk into Monday meetings ahead of the ransomware incidents and zero-days landing on your team’s radar, and earn the trust that comes with it.
Find your people. Trade ideas with hackers and pros who’ll actually answer your questions, in a community that stays high quality because the bots and noise get cleaned up.