The Joint Warning
On June 23, 2026, the cybersecurity agencies of all five Five Eyes nations issued a joint intelligence statement that landed with unusual force. The Australian Signals Directorate, Canada's Communications Security Establishment, New Zealand's Government Communications Security Bureau, the United Kingdom's GCHQ, and the United States' NSA and CISA signed a single declaration: AI-powered cyberattacks are not a future consideration. They are already here. And the timeline for transformation is months, not years.
The statement is remarkable not for what it predicts but for what it prescribes. Five intelligence agencies that rarely agree on public messaging aligned on a single operational priority: the fundamentals. Not AI defense tools. Not quantum-resistant encryption. The basics — patching, identity management, attack surface reduction, and legacy system isolation.
Legacy Systems Named as Primary Attack Surface
The Five Eyes statement identifies five specific actions organizations must take immediately. Third on the list, stated without qualification: 'Remove or isolate vulnerable legacy systems.' This is not a recommendation for future planning cycles. It is an operational directive from the intelligence agencies responsible for defending the digital infrastructure of 1.8 billion people across five nations.
The other four actions — reducing attack surface, patching faster, improving identity management, and testing breach response — all carry disproportionate weight when applied to legacy web infrastructure. WordPress, with 18,321 CVEs and a patching cadence measured in plugin-by-plugin manual updates across millions of sites, is the definition of the attack surface these agencies are describing.
Why AI Changes the Calculus
NSA Cybersecurity Director David Imbordino framed the urgency in operational terms: frontier AI models will lower the technical barriers for offensive cyber operations at a pace that outstrips most organizations' defensive improvement timelines. The gap between attacker capability and defender readiness is about to widen, not narrow.
The intelligence agencies note that open-source AI models trail frontier capabilities by roughly six to eight months. This means the offensive tools developed using today's most capable models will be broadly available to unsophisticated threat actors within a year. The attack surface that exists today — every unpatched WordPress plugin, every legacy CMS running end-of-life PHP, every Joomla instance with 1,313 CVEs — becomes exponentially more dangerous when the tools to exploit it require no specialized knowledge.
The WebPulse Data Confirms the Exposure
WebPulse tracks 25 web frameworks across 10 million sites. The data validates what Five Eyes is warning about. WordPress carries 18,321 CVEs and a security score of 25 out of 100. Drupal carries 1,376 CVEs maintained by 50 contributors. Joomla carries 1,313 CVEs across 352,000 sites that lack viable migration paths. Spring Framework, powering enterprise Java, dropped to a security score of 42 after 9 critical CVEs — the highest average severity of any tracked framework.
When the Five Eyes agencies say 'remove or isolate vulnerable legacy systems,' they are describing 74.3% of the detectable web. The scale of the exposure is not theoretical. It is measured.
What Executives Must Do This Week
The Five Eyes statement concludes with language directed at organizational leadership, not IT departments: 'Executive-level oversight of cybersecurity functions is essential. Cybersecurity leaders need proper authority and resources. Success requires getting the basics right, acting quickly, and integrating cybersecurity into core business strategy.' This is not technical guidance. It is a governance mandate from five sovereign intelligence agencies, issued simultaneously, with an explicit timeline of months. The window for treating legacy web infrastructure as an acceptable risk is closing.
