
Cybersecurity Snapshot: OWASP Ranks Top Agentic AI App Risks, as CISA Lists Most Dangerous Software Flaws

Check out the most critical threats to agentic AI applications, and then dive into the worst software weaknesses of 2025. Plus, learn about pro-Russia hacktivists’ attacks against critical infrastructure; AI governance best practices for boards; and NCSC’s updated security-certificate guidance.

Key takeaways

  1. OWASP released its inaugural list of top 10 risks for agentic AI, providing a critical framework to help organizations secure autonomous AI agents against unique threats like goal hijacking and tool misuse.
  2. CISA and MITRE published the 2025 Top 25 Most Dangerous Software Weaknesses, a list that application developers, cyber pros and risk managers can use to make more informed software-security decisions.
  3. A joint international advisory warns that pro-Russia hacktivist groups are aggressively targeting global critical infrastructure sectors using unsophisticated, opportunistic tactics to exploit operational technology (OT) systems.

Here are five things you need to know for the week ending December 12.

1 - OWASP releases Top 10 list for agentic AI security risks

If your organization has started using agentic AI tools – autonomous agents that can plan, execute workflows and make decisions with limited or no human oversight – your cyber team now has a new resource.

This week, the Open Worldwide Application Security Project (OWASP) released its "OWASP Top 10 for Agentic Applications 2026," whose goal is to help organizations identify and mitigate the unique risks associated with these autonomous AI systems.

"Companies are already exposed to agentic AI attacks - often without realizing that agents are running in their environments," Keren Katz, co-lead for OWASP's Top 10 for Agentic AI Applications and senior group manager of AI security at Tenable, said in a statement. 

"While the threat is already here, the information available about this new attack vector is overwhelming. Effectively protecting a company against agentic AI requires not only strong security intuition but also a deep understanding of how AI agents fundamentally operate," Katz added.

Cover page of OWASP's report "Top 10 for Agentic Applications 2026"


Unlike standard generative AI, agentic AI systems can take direct action, coordinate with other agents and make decisions with limited human intervention. This shift creates unique vulnerabilities. 

Here are OWASP’s top 10 risks for agentic AI applications:

  • Agent goal hijack, which refers to attackers manipulating an AI agent's core objectives, turning helpful assistants into potential threats
  • Tool misuse and exploitation, where AI agents may be tricked into misusing legitimate digital tools for destructive purposes or unauthorized actions
  • Identity and privilege abuse, a scenario in which an AI agent's credentials are compromised or mismanaged, causing it to operate far beyond its intended scope
  • Agentic supply chain vulnerabilities, which allow attackers to compromise the third-party components, libraries or datasets an AI agent relies on to function, poisoning its runtime environment
  • Unexpected code execution, where the reliance on natural language to control AI agent actions opens new avenues for attackers to trick systems into running malicious code on the host
  • Memory and context poisoning, in which malicious actors can corrupt an agent's long-term memory to influence future behavior
  • Insecure inter-agent communication, where, without proper verification, attackers can spoof or intercept messages exchanged between agents and misdirect entire clusters of autonomous systems
  • Cascading failures, which refers to how a single error or false signal in one AI agent can propagate through interlinked agents, amplifying the damage across interconnected systems
  • Human-agent trust exploitation, a scenario where agents can generate polished, confident-sounding explanations that mislead human operators into approving dangerous or erroneous actions
  • Rogue agents, which are compromised AI agents that exhibit misalignment or take self-directed actions that conflict with their original purpose
Diagram from OWASP "Top 10 for Agentic Applications 2026" report

(Source: "OWASP Top 10 for Agentic Applications 2026" report from OWASP, December 2025)

Developed with input from over 100 industry experts, this guide serves as a benchmark for securing the next generation of autonomous AI technologies.

“These are not theoretical risks. They are the lived experience of the first generation of agentic adopters, and they reveal a simple truth: Once AI began taking actions, the nature of security changed forever,” John Sotiropoulos, OWASP GenAI Security Project Board Member & Agentic Security Initiative Co-lead, wrote in a blog post.

“The Agentic Top 10 distills this new reality into a framework the world can use with actionable mitigations and new architectural blueprints,” he added.

For more information about agentic AI security, check out these Tenable blogs:

2 - Here are the software flaws causing the most chaos

The list of the most severe and prevalent software weaknesses is out, and whether you’re a cyber pro, a developer or a risk manager, these insights can help you make better-informed security decisions next year.

Published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and MITRE this week, the "2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses" features familiar foes like cross-site scripting (XSS), as well as some new ones.

So how can your team use this list? CISA and MITRE suggest that it can help you cut down on vulnerabilities by adopting development lifecycle changes and making safer architectural decisions. 

You can also lower costs by eradicating weaknesses early, which reduces the remediation and incident response effort later on. The list, the agencies say, can also help product teams identify weaknesses to avoid as they practice secure-by-design development.

Here’s the full list of the most critical software weaknesses attackers exploit:

| # | Weakness Name | CWE ID | CVEs in KEV | Rank Last Year |
|---|---|---|---|---|
| 1 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE-79 | 7 | 1 |
| 2 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE-89 | 4 | 3 (up 1) |
| 3 | Cross-Site Request Forgery (CSRF) | CWE-352 | 0 | 4 (up 1) |
| 4 | Missing Authorization | CWE-862 | 0 | 9 (up 5) |
| 5 | Out-of-bounds Write | CWE-787 | 12 | 2 (down 3) |
| 6 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22 | 10 | 5 (down 1) |
| 7 | Use After Free | CWE-416 | 14 | 8 (up 1) |
| 8 | Out-of-bounds Read | CWE-125 | 3 | 6 (down 2) |
| 9 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | CWE-78 | 20 | 7 (down 2) |
| 10 | Improper Control of Generation of Code ('Code Injection') | CWE-94 | 7 | 11 (up 1) |
| 11 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | CWE-120 | 0 | N/A |
| 12 | Unrestricted Upload of File with Dangerous Type | CWE-434 | 4 | 10 (down 2) |
| 13 | NULL Pointer Dereference | CWE-476 | 0 | 21 (up 8) |
| 14 | Stack-based Buffer Overflow | CWE-121 | 4 | N/A |
| 15 | Deserialization of Untrusted Data | CWE-502 | 11 | 16 (up 1) |
| 16 | Heap-based Buffer Overflow | CWE-122 | 6 | N/A |
| 17 | Incorrect Authorization | CWE-863 | 4 | 18 (up 1) |
| 18 | Improper Input Validation | CWE-20 | 2 | 12 (down 6) |
| 19 | Improper Access Control | CWE-284 | 1 | N/A |
| 20 | Exposure of Sensitive Information to an Unauthorized Actor | CWE-200 | 1 | 17 (down 3) |
| 21 | Missing Authentication for Critical Function | CWE-306 | 11 | 25 (up 4) |
| 22 | Server-Side Request Forgery (SSRF) | CWE-918 | 0 | 19 (down 3) |
| 23 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | CWE-77 | 2 | 13 (down 10) |
| 24 | Authorization Bypass Through User-Controlled Key | CWE-639 | 0 | 30 (up 6) |
| 25 | Allocation of Resources Without Limits or Throttling | CWE-770 | 0 | 26 (up 1) |

“CISA and MITRE encourage organizations to review this list and use it to inform their respective software security strategies,” read a CISA statement.

For more information about software security:

3 - Pro-Russia hacktivists leverage simple tactics to disrupt critical infrastructure

Critical infrastructure organizations, pay attention.

Hacktivist groups acting on behalf of the Russian government are targeting global critical infrastructure sectors, including energy; water systems; and food and agriculture. 

The warning comes via the advisory “Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure,” jointly published this week by a group of multi-national cybersecurity and law enforcement agencies, including CISA.

Groups such as the Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16) and Sector16 are leveraging opportunistic methods to infiltrate operational technology (OT) networks, often gaining access through insecure, internet-facing virtual network computing (VNC) connections.

“The pro-Russia hacktivist groups highlighted in this advisory have demonstrated intent and capability to inflict tangible harm on vulnerable systems,” CISA Executive Assistant Director for Cybersecurity Nick Andersen said in a statement.

While these groups generally lack the sophistication of state-sponsored advanced persistent threats (APTs), their actions can still cause significant disruption. By exploiting weak security controls, such as default passwords and exposed human-machine interfaces (HMIs), they manipulate industrial control systems. 

“The threat actors' intrusion methodology is relatively unsophisticated, inexpensive to execute, and easy to replicate," the advisory reads. Yet, the attacks have had operational impacts like "loss of view" for system operators and potential physical damage to equipment.

To mitigate these risks, the authoring agencies recommend that critical infrastructure organizations take immediate action to harden their OT environments, including:

  • Reduce internet exposure: Disconnect OT assets from the public-facing internet wherever possible. If remote access is necessary, use secure methods like VPNs.
  • Strengthen authentication: Implement robust multifactor authentication (MFA) for all access to OT networks and devices. Avoid using default passwords.
  • Improve asset management: Adopt mature asset management processes to map data flows and identify all access points within the OT environment.
  • Limit remote access: Restrict VNC and other remote access services to only authorized users and essential operations.

CISA is also calling on OT device manufacturers to adopt secure-by-design principles in order to build security into their products from the start.

For more information about OT security, check out these Tenable resources:

4 - How to align board oversight with the reality of AI adoption

Is your board treating AI as just another tech trend or as the existential shift it truly is? 

A new McKinsey report, "The AI reckoning: How boards can evolve," argues that while 88% of organizations use AI, board governance is lagging dangerously behind. 

To bridge this gap, directors must stop viewing AI solely through a technological lens and start understanding it as a catalyst that fundamentally reshapes competitive dynamics.

The report identifies four distinct AI postures for companies: 

  • Business pioneers, which position AI at their strategy’s core
  • Internal transformers, where AI underpins operations
  • Functional reinventors, which leverage AI to sharpen workflows
  • Pragmatic adopters, which use AI for specific applications

Further, it outlines governance actions boards should take, including:

  • Align on AI posture: Regularly review how AI fits into the company's strategic ambition to ensure that its stance reflects current realities.
  • Clarify oversight ownership: Explicitly define which AI topics belong to the full board, which sit with committees and which remain with management to prevent accountability gaps.
  • Codify a governance framework: Establish clear project-scaling rules, risk thresholds, vendor guardrails, and escalation triggers to guide decision-making.
  • Build AI fluency: Directors need not be data scientists, but they must understand how AI creates specific risks and opportunities for their business.

"The rules, risks, and expectations related to AI are evolving rapidly, and boards cannot assume today’s practices are sufficient to meet the new challenges and opportunities," reads the report.

For more information about AI governance and oversight:

5 - NCSC updates guidance on security certificates, TLS and IPsec

Is your organization ready for the shift toward shorter certificate lifetimes and automated management? 

That’s a key topic in the U.K. National Cyber Security Centre’s (NCSC) updated guide "Provisioning and managing certificates in the Web PKI," published this week.

It replaces previous NCSC guidance to reflect the evolving landscape of the web public key infrastructure (PKI). The NCSC highlights the need for organizations to shift away from manual management to reduce human error and to prepare for a future where certificates expire much faster.

The guidance aligns with recent NCSC advice on external attack surface management (EASM) and offers several key recommendations, including:

  • Use automated certificate provisioning: Adopt automated protocols like ACME to reduce the burden of manual management and prevent expiration due to human error.
  • Prepare for shorter validity periods: Recognize that the ecosystem is moving toward shorter certificate lifecycles.
  • Monitor issuance and renewal: Maintain awareness of which certificates are in use and utilize certificate transparency (CT) logs to detect unexpected issuance.
  • Avoid wildcard certificates: Limit the use of wildcard certificates to reduce the impact if a private key is compromised.
  • Prefer domain validation: Use domain validation (DV) certificates for all use cases, as browsers now treat them as equivalent to organization validation (OV) and extended validation (EV) certificates.

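One way to turn the NCSC recommendations above into a routine inventory check, as an added example that is not part of the NCSC guidance or this post: it walks a set of certificate transparency records and flags issuance by a CA the organisation does not use, wildcard certificates, validity periods longer than the lifetime the team is preparing for, and certificates that automation should already have renewed. The records are constructed, and their field names (issuer, names, not_before, not_after) are an assumption loosely modelled on what a CT search such as crt.sh returns.

```python
"""Certificate inventory checks modelled on the NCSC recommendations:
unexpected issuer, wildcard use, long validity, and renewal due soon."""
from datetime import datetime, timezone

# Constructed sample records (not real issuance data). The field names loosely
# mimic a CT search result; that mapping is an assumption for this example.
CT_ENTRIES = [
    {"issuer": "Example CA", "names": ["www.example.test", "api.example.test"],
     "not_before": "2025-11-01T00:00:00Z", "not_after": "2026-01-05T00:00:00Z"},
    {"issuer": "Example CA", "names": ["*.example.test"],
     "not_before": "2025-06-01T00:00:00Z", "not_after": "2026-06-01T00:00:00Z"},
    {"issuer": "Unknown Issuer Ltd", "names": ["login.example.test"],
     "not_before": "2025-12-08T00:00:00Z", "not_after": "2026-03-08T00:00:00Z"},
]
EXPECTED_ISSUERS = {"Example CA"}  # CAs the org's ACME clients are configured for
MAX_LIFETIME_DAYS = 90             # readiness target for shorter validity periods
RENEW_WITHIN_DAYS = 30             # warn if automation has not renewed by now


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_entries(entries, expected_issuers, max_lifetime_days, renew_within_days, now):
    """Return (finding, names, detail) tuples for every policy deviation found."""
    findings = []
    for entry in entries:
        not_before, not_after = parse_ts(entry["not_before"]), parse_ts(entry["not_after"])
        names = ",".join(entry["names"])
        # Issuance by a CA you never configured is the signal CT monitoring is for.
        if entry["issuer"] not in expected_issuers:
            findings.append(("unexpected-issuer", names, entry["issuer"]))
        # A wildcard key covers every host under the name, so a leak hits all of them.
        if any(name.startswith("*.") for name in entry["names"]):
            findings.append(("wildcard", names, "one key covers all subdomains"))
        lifetime = (not_after - not_before).days
        if lifetime > max_lifetime_days:
            findings.append(("long-lifetime", names, f"{lifetime} days"))
        days_left = (not_after - now).days
        if days_left < renew_within_days:
            findings.append(("renew-soon", names, f"{days_left} days left"))
    return findings


if __name__ == "__main__":
    as_of = datetime(2025, 12, 12, tzinfo=timezone.utc)
    for kind, names, detail in audit_entries(CT_ENTRIES, EXPECTED_ISSUERS,
                                             MAX_LIFETIME_DAYS, RENEW_WITHIN_DAYS, as_of):
        print(f"{kind:18} {names:36} {detail}")
```

Run against the constructed records as of 12 December 2025, it reports the first certificate as due for renewal, the wildcard certificate for both its scope and its one-year lifetime, and the third for its unexpected issuer.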
"We will be producing more substantial revisions to our TLS and IPsec guidance in the near future, introducing additional recommended profiles / cipher suite preferences that include post-quantum cryptography, as the relevant protocol standards are finalised," reads a complementary NCSC blog. 
