THE DEEP TAKE
AI surfaced one CVE. AI weaponized another. Same week.
Two CVEs landed in CISA's Known Exploited Vulnerabilities catalog this week. One had been hiding inside Apache ActiveMQ Classic for 13 years before a researcher found it with the help of an AI coding assistant. The other, in Marimo, was being actively exploited 10 hours after public disclosure. The contrast is the story.
The Apache ActiveMQ flaw, CVE-2026-34197, sits in the Jolokia JMX-HTTP bridge that the broker exposes for management. An authenticated attacker can coerce the broker into pulling a remote Spring XML config file and executing whatever bean instantiation it requests. On versions 6.0.0 through 6.1.1, that authentication can itself be skipped by chaining CVE-2024-32114, which leaves the Jolokia API anonymously reachable. Apache shipped 5.19.4 and 6.2.3 to fix it. The federal patch deadline was April 30. The interesting part is not the bug. It is that human reviewers stared at this code for 13 years and AI-assisted analysis surfaced it inside one research cycle.
The Marimo story runs the other direction. Marimo is an open-source Python notebook used by data teams. CVE-2026-39987 is a pre-authentication RCE in the /terminal/ws WebSocket endpoint, which validates running mode but skips credential checks. Disclosure landed April 8. Sysdig logged 662 exploit attempts deploying NKAbuse variants between April 11 and 14. CISA added the CVE to KEV on April 23 with a May 7 federal deadline. The first weaponization showed up inside 10 hours.
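The bug class the Marimo CVE describes (an endpoint that gates on the server's running mode but never on the caller's credentials) is easy to recognize once it is written out. The following is an added illustration, not marimo's code and not part of the original brief: a constructed handler with the mode-only check next to the same handler with the credential check applied first. The `Server` and `Request` shapes, the handler names and the bearer-token scheme are assumptions.

```python
"""Constructed illustration of the bug class described for the Marimo
/terminal/ws endpoint: a handler that checks the server's running mode but
never checks the caller's credentials. Not marimo's code; the Server/Request
shapes, handler names and bearer-token scheme are assumptions."""
from dataclasses import dataclass, field
import hmac


@dataclass
class Server:
    mode: str             # assumed: "edit" (terminal allowed) or "run"
    session_token: str    # assumed: secret issued to the authorized user
    terminals_opened: int = 0


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


def handle_terminal_ws_vulnerable(server: Server, req: Request) -> str:
    """Gates on mode only: any peer that can reach the socket gets a
    terminal whenever the server is in edit mode (the pre-auth RCE class)."""
    if req.path != "/terminal/ws":
        return "404 not found"
    if server.mode != "edit":
        return "403 terminal disabled in run mode"
    server.terminals_opened += 1
    return "101 terminal opened"


def is_authenticated(server: Server, req: Request) -> bool:
    """Constant-time bearer-token comparison against the session secret."""
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return bool(token) and hmac.compare_digest(token, server.session_token)


def handle_terminal_ws_fixed(server: Server, req: Request) -> str:
    """Same handler with the credential check applied before any other gate,
    so the terminal endpoint inherits the app's normal authentication."""
    if req.path != "/terminal/ws":
        return "404 not found"
    if not is_authenticated(server, req):
        return "401 unauthorized"
    if server.mode != "edit":
        return "403 terminal disabled in run mode"
    server.terminals_opened += 1
    return "101 terminal opened"


def compare(anonymous_request: Request) -> dict:
    """Run one unauthenticated request through both handlers."""
    vuln, fixed = Server("edit", "s3cr3t"), Server("edit", "s3cr3t")
    return {
        "vulnerable": handle_terminal_ws_vulnerable(vuln, anonymous_request),
        "fixed": handle_terminal_ws_fixed(fixed, anonymous_request),
    }


if __name__ == "__main__":
    print(compare(Request("/terminal/ws")))
```

The ordering is the point: authentication is the first gate on every sensitive route, and mode or feature flags come after it. A review that lists every WebSocket and HTTP route and asks "which middleware enforces auth here?" catches this class before disclosure does.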
Read together, the two CVEs trace the same arc from opposite directions. Defenders are now using AI to find latent bugs in foundational software that human eyes missed for over a decade. Attackers are using AI to operationalize new disclosures before most enterprises have finished reading the advisory. Both ends of the vulnerability lifecycle compressed inside the same week.
This is the part the standard patch-cadence framework cannot absorb. A 30-day KEV federal deadline assumes a 30-day exploitation window. That window does not exist for any 2026 CVE that lands in foundational software. Patch SLAs measured in days are now lagging the actual threat model. The DoGood network priority data has been showing this drift for two quarters: middleware modernization, dependency inventory, and open-source SBOM coverage are climbing the Q2 list faster than the platform-vendor work that usually dominates. The reason those asks suddenly look prescient landed this week.
The practical move is not to tighten the patch SLA. It is to inventory every piece of foundational middleware that has been running quietly for years (message brokers, internal management APIs, notebook servers, configuration daemons) and assume each one is on the same surface as the ActiveMQ Jolokia bridge. Attackers are using AI to find what your team forgot. The defensive question for the next quarter is not how fast you can patch. It is how fast you can locate.
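One way to act on the "locate first" advice, as an added example that is not part of the original brief and not Apache's or any vendor's tooling: rank a middleware inventory against the ActiveMQ version facts given above (fixes in 5.19.4 and 6.2.3; the CVE-2024-32114 chain leaving Jolokia anonymously reachable on 6.0.0 through 6.1.1). The inventory fields, host names and the `mgmt_api_exposed` flag are assumptions, and so is the reading that every build below the fixed release in its line is affected; confirm the ranges against the Apache advisory before closing tickets on it.

```python
"""Added triage helper: rank a middleware inventory by exposure to the
ActiveMQ Jolokia flaw using only the version facts in the brief (fixed in
5.19.4 and 6.2.3; CVE-2024-32114 makes Jolokia anonymously reachable on
6.0.0 through 6.1.1). Inventory fields, host names and the assumption that
every build below the fixed release in its line is affected are constructed
here, not taken from Apache; confirm ranges against the vendor advisory."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


FIXED = {5: parse_version("5.19.4"), 6: parse_version("6.2.3")}   # from the brief
UNAUTH_CHAIN = (parse_version("6.0.0"), parse_version("6.1.1"))   # from the brief


@dataclass
class Component:
    host: str
    product: str            # assumed identifier, e.g. "activemq-classic"
    version: str
    mgmt_api_exposed: bool  # assumed: Jolokia/JMX-HTTP reachable beyond localhost


def triage(c: Component) -> dict:
    """Classify one component. Higher priority means patch sooner."""
    base = {"host": c.host, "version": c.version}
    if c.product != "activemq-classic":
        return {**base, "status": "not-applicable", "priority": 0}
    v = parse_version(c.version)
    if v[0] not in FIXED:
        return {**base, "status": "unknown-line", "priority": 1}
    if v >= FIXED[v[0]]:
        return {**base, "status": "patched", "priority": 0}
    lo, hi = UNAUTH_CHAIN
    if lo <= v <= hi:
        # Authentication can be bypassed via CVE-2024-32114 on this range.
        status, priority = "vulnerable-unauth-chain", 3
    else:
        status, priority = "vulnerable-authenticated", 2
    if c.mgmt_api_exposed:
        priority += 1
    return {**base, "status": status, "priority": priority}


def triage_inventory(components: list) -> list:
    """Return findings sorted most urgent first, dropping not-applicable rows."""
    findings = [triage(c) for c in components]
    findings = [f for f in findings if f["status"] != "not-applicable"]
    return sorted(findings, key=lambda f: (-f["priority"], f["host"]))


# Constructed sample inventory (fictional hosts and versions).
SAMPLE = [
    Component("mq-legacy-01", "activemq-classic", "6.1.0", True),
    Component("mq-prod-02", "activemq-classic", "5.18.3", False),
    Component("mq-prod-03", "activemq-classic", "6.2.3", True),
    Component("other-broker-01", "other-broker", "1.2.3", True),
]

if __name__ == "__main__":
    for finding in triage_inventory(SAMPLE):
        print(finding)
```

The inventory is the hard part, not the comparison: a broker that is not in the list never gets triaged, which is exactly the "quietly running for years" failure the brief describes. Feeding this from an SBOM or a config-management export rather than a hand-maintained spreadsheet is what makes the answer to "how fast can you locate" a number rather than a guess.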
Powered by the DoGood network
The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.
QUICK HITS
Cisco's SD-WAN management plane took three CVEs to KEV in one update
CISA added three Cisco Catalyst SD-WAN Manager flaws to KEV on April 20: CVE-2026-20122 (arbitrary file overwrite), CVE-2026-20128 (recoverable-format password storage), and CVE-2026-20133 (sensitive information exposure). All three are confirmed in active exploitation. The chain is the point. An attacker uses 20133 to enumerate the system, 20122 to overwrite files, and 20128 to harvest credentials and escalate. Cisco shipped fixes; the federal deadline is May 11. If your network team runs vManage, this is a patch-this-week call, not a next-cycle call.
Itron disclosed a 15-day-old intrusion in its utility platform
Itron, the meter and grid-software vendor that powers smart utilities for hundreds of cities and operators, said April 28 it had detected unauthorized access to its systems on April 13. Itron is not the headline name; it is the substrate. Telemetry, billing, and demand-response data flow through Itron platforms for utilities serving roughly 4 billion endpoints globally. The 15-day disclosure window is the part to watch. Utility-sector regulators have been signaling tighter incident-disclosure clocks; Itron's timeline becomes case law for whatever lands next.
Autovista ransomware froze European auto-data feeds
Autovista, the data provider behind Eurotax, Schwacke, Glass's, and Rødboka, was hit by ransomware that disrupted its data services across Europe and Australia. Insurers, dealers, and consumer-valuation platforms all consume Autovista feeds for vehicle pricing and claims. If your enterprise consumes Autovista data through a third-party platform, the ask this week is simple: which of your suppliers depends on those feeds, and what is their continuity plan during the outage. The answer should not be 'we will check.'
THE NUMBER: 10
10 hours is the time between public disclosure of CVE-2026-39987 in Marimo and the first observed exploitation in the wild. CISA's federal KEV deadlines are measured in days. The window between a CVE going public and a working exploit appearing is now measured in hours. Every patch SLA written before this year was sized for a different threat model. If your remediation runbook starts with a 24-hour triage step, the exploit beat your triage. The number to internalize is not 30 days. It is 10 hours.
Foundational software you forgot about is the active attack surface this week. The DoGood network has been logging more middleware-modernization and open-source dependency-review asks than any quarter we've tracked. This week is why those asks look right.
The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.
Know a CIO who needs this? Forward it and they can subscribe here.
Enterprise IT leader at a $100M+ company? Apply to join DoGood.
