Edge stores decrypted passwords in memory as AI speeds exploits

Researchers found Microsoft Edge decrypts and stores all saved passwords in process memory; AI tools are accelerating vulnerability discovery while ICS zero‑day disclosures rise.

Security researchers found Microsoft Edge decrypts every saved password at browser startup and keeps those credentials in the browser process memory. An attacker with administrative or equivalent access who can create a memory dump of Edge’s “browser” sub-task can extract plaintext passwords even if the user has not recently visited the associated sites. Researcher Tom Jøran Sønstebyseter Rønning wrote: “When you save passwords in Edge, the browser decrypts every credential at startup and keeps them, resident in process memory.” Microsoft describes the behavior as a design choice to speed sign-ins.

Testing showed Edge differs from other Chromium-based browsers, which typically decrypt credentials only when they are needed. Exploitation requires an attacker to already have elevated access to the device, but researchers warned the approach lowers the effort required to harvest saved logins after a compromise.

At the same time, developers of advanced artificial intelligence models have demonstrated tools that can analyze code, simulate multi-step attack chains and surface exploitable software bugs. Anthropic CEO Dario Amodei warned organizations face “a narrow window of about six to 12 months” to fix the defects discovered by the company’s model before similar capabilities spread more widely. Security teams report faster times from disclosure to exploit as automated tools scale vulnerability discovery and exploit generation.

Vendors and agencies are adjusting patching practices in response. Oracle said it will add monthly critical security releases to supplement its quarterly updates, with the first monthly Critical Security Patch Update scheduled for May 28, 2026. U.S. cybersecurity officials are considering shortening mandatory deadlines for fixing known exploited vulnerabilities from weeks to days to reflect faster exploit timelines. One study found the median time from disclosure to exploitation fell from 745 days in 2020 to 44 days in the latest year.

Industrial control system software also produced recent high-severity disclosures. Two vulnerabilities in the Eclipse BaSyx V2 Digital Twin platform were assigned CVE-2026-7411, an unauthenticated path traversal with a CVSS score of 10.0, and CVE-2026-7412, a blind server-side request forgery with a CVSS score of 8.6. The path traversal can be exploited to write arbitrary files and enable code execution; the SSRF can force the server to proxy requests to internal targets. The vendor released a patched milestone build, version 2.0.0-milestone-10. Researcher Mohamed Lemine Ahmed Jidou warned that chaining the two flaws could allow an attacker to “completely bypass network segmentation” and use a compromised Digital Twin server to send unauthorized commands to programmable logic controllers and sensors.

Other recent security developments include a critical authentication bypass in MOVEit Automation assigned CVE-2026-4670, supply-chain protections added to pnpm 11 that delay using newly published packages for 24 hours, and analyses of ransomware and stealer malware that expose implementation flaws and delivery chains. A technical review of VECT 2.0 ransomware binaries found encryption logic errors and race conditions that can make data recovery impossible even if a ransom is paid.

Researchers and vendors advise organizations to prioritize fixes for high-severity flaws, monitor for unusual local activity that could indicate memory-dump attempts, and review how devices and services store credentials. Some browser vendors continue to decrypt passwords only on demand, while Edge retains decrypted credentials in memory for sign-in performance. The combination of persistent in-memory credential exposure, faster AI-driven vulnerability discovery, and new ICS zero-days has led vendors to change release cadences and defenders to revisit patching timelines.
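One way to act on the advice to monitor for memory-dump attempts, as an added example that is not from the article or the researchers: it filters process-access telemetry for handles on Edge that include memory-read rights. It assumes Sysmon Event ID 10 (ProcessAccess) records already parsed into dictionaries; the allowlist and the sample events are constructed for illustration.

```python
# Added example: flag process-access events that request memory-read rights on Edge.
# Field names follow Sysmon Event ID 10 (ProcessAccess); all records are constructed.
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumption: tools your environment expects to read browser memory (EDR, AV).
ALLOWED_SOURCES = {r"c:\program files\windows defender\msmpeng.exe"}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [  # constructed sample input
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\unknown_tool.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1fffff"},
    {"EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": EDGE, "GrantedAccess": "0x1000"},  # query only, no read
    {"EventID": 10, "SourceImage": EDGE, "TargetImage": EDGE,
     "GrantedAccess": "0x1410"},  # Edge parent touching its own child
    {"EventID": 1, "Image": EDGE},  # process creation, not process access
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_edge_reads(events, allowed=ALLOWED_SOURCES):
    """Return events where a non-allowlisted process gets read access to msedge.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        target = ev.get("TargetImage", "")
        if basename(target) != "msedge.exe":
            continue
        try:
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # malformed mask: skip rather than guess
        if not access & PROCESS_VM_READ:
            continue
        source = ev.get("SourceImage", "").lower()
        # Compare full paths so a look-alike binary elsewhere is still reported.
        if source in allowed or source == target.lower():
            continue
        hits.append({"source": ev["SourceImage"], "access": hex(access)})
    return hits

if __name__ == "__main__":
    for hit in suspicious_edge_reads(SAMPLE_EVENTS):
        print("review:", hit)
```

Because the article notes the attacker already holds elevated access, treat a hit as a post-compromise signal to triage, not as a preventive control.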
