Founder & Editor
Colten Anderson
Colten Anderson founded and edits PatchDay Alert. He is an IT manager who has led service desk, endpoint management, and Microsoft 365 support functions, with a background in ITSM process improvement and workstation management across Intune and NinjaOne. He writes from the perspective of a working IT practitioner: the focus is how each vulnerability, patch, and security change lands in real operations, who absorbs the work, and what to do first. He reads every item before it ships.
Connect LinkedIn ↗ GitHub ↗
Beats Commentary · Patch Tuesday · Compliance Watch · Field Notes
211 articles
-
Field Note · Jun 5, 2026
Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule. None of these will announce themselves on June 30, 2026.
-
Field Note · Jun 5, 2026
Promtail is end-of-life: your Loki shipper just lost its support floor
If Promtail still ships your logs to Loki, the agent reading every log file on the host has had no upstream remediation path since March 2, 2026. The migration to Alloy is mostly mechanical, except for the one file that decides whether you get duplicates or a gap.
-
Field Note · Jun 5, 2026
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essentially now. If you run Magento, you act today.
-
Analysis · Jun 5, 2026
Two AWS bugs you'd never have heard about, and the fix was yours
AWS disclosed two SageMaker SDK flaws on its own bulletins page. They may carry a CVE ID with no CVSS, they'll never hit CISA KEV, and patching them is the customer's job.
-
Analysis · Jun 5, 2026
Your Azure CLI session has an MFA exemption you never asked for
Two Entra Conditional Access changes land in the same fortnight, and they're the lead evidence in a longer story: Microsoft is closing the identity opt-outs orgs have leaned on for years.
-
Analysis · Jun 4, 2026
The GlobalProtect bypass deadline already passed, but you might not be affected
CVE-2026-0257 is a GlobalProtect auth bypass with a KEV deadline that's come and gone. Whether it touches you comes down to a 60-second config check, not your PAN-OS version.
-
Analysis · Jun 3, 2026
Three CVEs keep getting called the Nx attack, and only one of them is this one
An 18-minute window on the VS Code marketplace ended with 3,800 of GitHub's own repositories copied. The interesting part isn't the speed. It's the delivery channel nobody was watching.
-
Analysis · Jun 3, 2026
Everything is critical, so nothing is critical
A third of last year's CVEs were rated High or Critical, but only a few percent ever get exploited. The severity score was never a risk score, and the queue that treats it like one is the reason confirmed-exploited bugs sit unpatched for 43 days.
-
Analysis · Jun 3, 2026
The patch triage meeting that ends with owners, not opinions
The short-list is built before anyone sits down. The meeting exists to put a name and a clock on each item, then end. Here's how to run it in fifteen minutes.
-
Analysis · Jun 2, 2026
One CERT says it's exploited, Microsoft says it isn't, and you patch anyway
A pre-auth SYSTEM RCE on every domain controller doesn't need an exploitation rumor to earn the top of your patch queue. The interesting part is why the alarm and the data disagree, and why that disagreement shouldn't change your call.
-
Field Note · May 29, 2026
Enforcing and proving BitLocker TPM+PIN across an Intune fleet
Requiring a startup PIN is one toggle. Landing it on already-encrypted devices and proving it took across the whole fleet is the actual work. Here's the enforce-and-verify runbook.
-
Analysis · May 29, 2026
Gogs has a critical RCE and no one is coming to fix it
Rapid7 found a push-button remote code execution flaw in Gogs, shipped a Metasploit module with it, and ran 72 days from report to publication with no patch and two months of maintainer silence. There is no fix. There may never be one.
-
Analysis · May 29, 2026
Palo Alto's third edge zero-day in two years rhymes with the first two
CISA's federal deadline for CVE-2026-0300 landed four days before a patch existed. The deadline is not the story. The third PAN-OS portal zero-day in under two years is.
-
Analysis · May 28, 2026
GlassWorm's botnet is down, but the technique it proved still works
CrowdStrike, Google, and Shadowserver knocked out all four C2 channels at once. That ends the infrastructure, not the playbook. Three primitives outlive the takedown.
-
Field Note · May 28, 2026
NGINX Rift: four places apt upgrade doesn't reach
The host patch for CVE-2026-42945 shipped on day one. The container images, the App Protect WAF in front of it, the downstream forks, and the config audit it leaves behind are separate jobs.
-
Analysis · May 28, 2026
Ingress-nginx got archived in March. The first critical CVE arrived in May.
The Kubernetes community archived ingress-nginx seven weeks before an 18-year-old heap overflow dropped in the NGINX core it ships. The fix path is now a migration project, not a patch.
-
Analysis · May 28, 2026
The print stack regresses on schedule
KB5087424 broke 32-bit printing on Windows Server 2022 hotpatch fleets. It's the latest data point in a five-year arc of print-stack regressions that track Microsoft's deliberate retirement of the legacy spooler architecture.
-
Analysis · May 27, 2026
Hotpatch was supposed to be the smoother path
KB5087424 broke 32-bit printing on Windows Server 2022, and the no-reboot delivery model that was supposed to reduce friction has no fix path that doesn't surrender the security content.
-
Analysis · May 25, 2026
Microsoft patched a SYSTEM bug in 2020. It still works in 2026.
A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shell is a driver you cannot turn off.
-
Analysis · May 25, 2026
SonicWall patched CVE-2024-12802 and left the bug in place on Gen6
The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses. On Gen6, that distinction is the whole vulnerability.
-
Analysis · May 24, 2026
The patch window went negative. Now what?
Mandiant's mean time-to-exploit is negative seven days. NVD gave up on enriching most of the catalog. Here's what the next 24 months of patch management actually look like with AI on both sides.
-
Analysis · May 22, 2026
Your antivirus runs as SYSTEM, and that's the whole story
Two actively-exploited Defender zero-days look like 'the AV is broken.' The pattern underneath is older and more boring: the scanner has run unsandboxed as SYSTEM for a decade, and that makes it a target, not a sentinel.
-
Analysis · May 20, 2026
Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box
The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started. Four CVEs in a legacy file-transfer appliance, exploited to steal data from dozens of organizations. The product was already two decades old and on its way out.
-
Analysis · May 20, 2026
Your attack surface isn't just port 443
CVE-2023-46604 is a perfect-10 RCE in Apache ActiveMQ. The exploit isn't a web request; it's a single message to the broker on port 61616, a port most web-focused scanning and firewalling never considers. The broker then fetches a remote XML file and runs whatever's in it.
-
Analysis · May 20, 2026
Adobe ColdFusion has been getting popped the same ways for 15 years
The KEV catalog holds a long run of ColdFusion bugs: deserialization RCEs, access-control bypasses, and file uploads, from 2013 to 2024. Different CVEs, same handful of weaknesses. If you still run internet-facing ColdFusion, you're operating a perennial target.
-
Analysis · May 20, 2026
Apache HTTP Server 2.4.49: a path-traversal fix that needed a second fix
CVE-2021-41773 was a path traversal in Apache httpd 2.4.49 that could leak files and, with CGI enabled, reach RCE. The 2.4.50 fix was incomplete, so CVE-2021-42013 followed days later. Two CVEs, one bug, a textbook patch-the-patch.
-
Analysis · May 20, 2026
Insecure deserialization isn't a Java problem. Ask Ruby's YAML.load.
CVE-2022-47986 is a pre-auth RCE in IBM Aspera Faspex from a single call to YAML.load on data an unauthenticated user controls. It's the Ruby version of the deserialization footgun, and ransomware crews used it to move onto Linux.
-
Analysis · May 20, 2026
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop. Microsoft was scared enough of a WannaCry repeat that it shipped patches for end-of-life XP and Server 2003. The worm never fully came, but the lesson did: RDP doesn't belong on the internet.
-
Analysis · May 20, 2026
Apple, Chrome, Android: the zero-day stream that mostly isn't aimed at you
The catalog's Apple, Google/Chrome, Android, Samsung, and Qualcomm entries are overwhelmingly browser and mobile zero-days, many used by mercenary spyware against specific people. For most organizations the defense is one boring control: fast auto-update.
-
Analysis · May 20, 2026
They read one file off the VPN gateway and left with your whole Active Directory
CVE-2024-24919 is filed as 'information disclosure.' On a Check Point gateway that meant unauthenticated file read, which meant password hashes, which meant ntds.dit within hours. It was a zero-day for a month before disclosure, and patching it doesn't undo the theft.
-
Analysis · May 20, 2026
CISA just gave the Conficker bug a 2026 deadline
Five of the seven CVEs CISA added on May 20 are 2008–2010 fossils, including MS08-067 and Operation Aurora. KEV inclusion means current exploitation, so the real signal isn't nostalgia.
-
Analysis · May 20, 2026
Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager, a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs. The management plane is the target.
-
Analysis · May 20, 2026
The VPN bug that isn't on the gateway, it's the updater on the laptop
CVE-2020-3433 and CVE-2020-3153 are in the Cisco AnyConnect Windows client, not the VPN gateway. The weak point is the privileged helper service that auto-updates the client, which a local user can trick into running their code as SYSTEM.
-
Analysis · May 20, 2026
A 2020 bug leaked VPN passwords. The orgs that survived had MFA.
CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext. Akira ransomware used it for initial access years after the patch. The control that turned a leaked password into a non-event was multi-factor authentication.
-
Analysis · May 20, 2026
The unlocked side door on your Cisco VPN was the default group nobody configured
CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled. Akira and LockBit used it for initial access. The fix is patching plus hardening the defaults you never touched.
-
Field Note · May 20, 2026
Patching the NetScaler RCE doesn't tell you if a webshell is already on it
CVE-2023-3519 was an unauthenticated RCE on Citrix NetScaler used as a zero-day to drop webshells. Patching closes the hole; it doesn't remove an implant planted before you patched. With a black-box appliance, finding out is the hard part. Here's the IOC-hunt runbook.
-
Analysis · May 20, 2026
CitrixBleed: the patch closed the leak but left the stolen keys working
CVE-2023-4966 leaked post-MFA session tokens from NetScaler. Organizations that patched and stopped there got breached anyway, because a stolen token still worked after the update. The action that mattered was killing every active session, and a lot of victims skipped it.
-
Analysis · May 20, 2026
Shitrix: the Citrix bug that taught everyone how fast a perimeter RCE goes from PoC to pandemic
CVE-2019-19781, 'Shitrix,' was a path-traversal RCE in Citrix NetScaler. After disclosure with no patch, a public exploit dropped and mass exploitation followed within days. It set the template for the NetScaler-as-target story that CitrixBleed later continued.
-
Analysis · May 20, 2026
A new critical Confluence RCE stopped being news. That's the problem.
CVE-2022-26134, CVE-2023-22515, CVE-2023-22518, CVE-2023-22527: Atlassian Confluence Server and Data Center has been mass-exploited so many times that the headline repeats. If you run it on the internet, you're operating one of the most reliably-targeted boxes there is.
-
Analysis · May 20, 2026
22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024. Hosting control panels run as root and face the internet by design, which is exactly why one bug becomes a fleet-wide event.
-
Analysis · May 20, 2026
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
-
Analysis · May 20, 2026
The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed
Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools, Langflow, n8n, Marimo, Trivy, Livewire. The DevTools and supply-chain entries share a blind spot: the development and automation stack is internet-facing production infrastructure, and it gets exploited like it.
-
Analysis · May 20, 2026
An uploaded filename is attacker input. dotCMS forgot, and got a webshell.
CVE-2022-26352 is a directory traversal in dotCMS's upload API: the filename in a multipart request wasn't sanitized, so '../' sequences let an attacker write a JSP webshell to a web-reachable directory. With anonymous content creation on, that's unauthenticated RCE.
-
Analysis · May 20, 2026
Drupalgeddon: when a data structure is allowed to name a function to call
Drupal's Form API lets a renderable array carry a callback, that's a feature. Drupalgeddon (CVE-2018-7602) let an attacker put their own callback in, and Drupal called it: exec, passthru, system. Powerful framework metaprogramming plus untrusted input equals RCE.
-
Analysis · May 20, 2026
The same handful of mechanisms account for most of the catalog
After the marquee bugs, Tier 1's remaining entries, DotNetNuke, ForgeRock, BQE, Sophos, Tomcat, Citrix ShareFile, SAP, Quest, Atlassian Crowd, Exim, Cisco ASA, Office, don't introduce new lessons. They confirm the few recurring mechanisms behind nearly every exploited vulnerability.
-
Analysis · May 20, 2026
The year on-premise Exchange became the most-attacked software on earth
ProxyLogon and ProxyShell turned 2021 into open season on Exchange Server. Two unauthenticated RCE chains, tens of thousands of web-shelled servers, an FBI operation to clean them up. If you still run Exchange on-prem, you're operating a permanent top-tier target.
-
Analysis · May 20, 2026
A mitigation blocks a path. OWASSRF found another door.
After ProxyNotShell, Microsoft told Exchange admins to apply URL-rewrite mitigations while the patch was finished. OWASSRF (CVE-2022-41080) walked around them by knocking on OWA instead of Autodiscover, and Play ransomware walked in. Mitigations aren't fixes.
-
Analysis · May 20, 2026
The F5 auth bypass that fit in one header: Connection: X-F5-Auth-Token
CVE-2022-1388 let unauthenticated attackers run commands as root on F5 BIG-IP by abusing hop-by-hop header handling. Naming the auth-token header in the Connection header made the proxy strip it after the auth check read it, but before the backend did.
-
Field Note · May 20, 2026
F5 CVE-2023-46747: the backend trusted a header that said 'I'm already an admin'
The Tomcat backend behind F5's config utility trusted a remote_user header as proof of authentication, assuming only the front-end could set it. HTTP-to-AJP request smuggling let attackers set it themselves, for unauthenticated root. Here's how to check, patch, and lock it down.
-
Analysis · May 20, 2026
Content-process only is one bug short of game over
CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process. RomCom paired it with a Windows sandbox escape and turned a single page visit into a backdoor. Mozilla shipped the fix in about 25 hours.
-
Analysis · May 20, 2026
Everyone hardened against macros. Follina didn't use one.
CVE-2022-30190 (Follina) ran code from a Word document with no macro at all, by abusing a Windows URL protocol handler to invoke the Support Diagnostic Tool. It defeated macro-based defenses, and Microsoft had reportedly closed an earlier report as 'not a security issue.'
-
Field Note · May 20, 2026
FortiClient EMS CVE-2023-48788: a SQL injection that talks the database into running SYSTEM commands
When a product runs on Microsoft SQL Server, a SQL injection is rarely just a data leak. The attacker turns on xp_cmdshell from inside the injection and gets OS command execution. On FortiClient EMS that's unauthenticated, as SYSTEM. Here's how to check, patch, and detect it.
-
Analysis · May 20, 2026
Fortinet's other products take their turn: FortiWeb, FortiManager, FortiClient EMS
Beyond the long-running FortiOS auth-bypass cycle, 2025-2026 brought a wave of exploited bugs in FortiWeb, FortiManager, and FortiClient EMS, SQL injection, path traversal, auth bypass, and a format-string RCE. Same vendor, same perimeter-and-management target profile.
-
Analysis · May 20, 2026
The 'test connection' button that mails your stored credentials to an attacker
CVE-2018-13374 lets an attacker recover the LDAP bind credentials stored in a FortiGate by pointing its LDAP connectivity test at a rogue server. It's a small bug with a broad lesson: 'test connection' features that transmit stored secrets are a credential-disclosure pattern.
-
Field Note · May 20, 2026
Patching the Fortinet auth bypass doesn't remove the admin account the attacker added
CVE-2022-40684 let unauthenticated attackers act as administrator on FortiOS, FortiProxy, and FortiSwitchManager by spoofing trusted headers. The exploit's payoff was planting an SSH key or super-admin account, so patching after exposure leaves the back door in place.
-
Analysis · May 20, 2026
The ransomware that brought a signed driver to switch off the rule against unsigned drivers
In 2020, RobbinHood became the first ransomware seen shipping a legitimately-signed GIGABYTE driver, exploiting it to disable Windows driver-signature enforcement, then loading its own unsigned driver to kill security software from the kernel. The four GIGABYTE CVEs are why.
-
Analysis · May 20, 2026
GitLab CVE-2021-22205: the upload that ran code through an image parser
CVE-2021-22205 is an unauthenticated RCE in GitLab, but the bug wasn't really in GitLab. It was in ExifTool, the metadata library GitLab used to process uploaded images. Upload a crafted file, ExifTool parses it, code runs. Image parsers are a recurring RCE vector.
-
Analysis · May 20, 2026
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver. Scattered Spider loaded it to reach the kernel and patch out Defender, CrowdStrike, SentinelOne, and Palo Alto in memory. It's the classic bring-your-own-vulnerable-driver attack, and the defenses are switches you can flip today.
-
Analysis · May 20, 2026
The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock
Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware. They're not separate stories. They're the same story: internet-exposed consumer gear that gets conscripted into IoT botnets, and the fix is almost always the same.
-
Analysis · May 20, 2026
Ivanti Endpoint Manager: the management server that can be coerced into handing over credentials
CVE-2024-13159, 13160, and 13161 are path-traversal/credential-coercion flaws in Ivanti Endpoint Manager that let an attacker make the EPM server authenticate to them and relay it. It's another Ivanti product, and another privileged management server worth defending as tier-zero.
-
Analysis · May 20, 2026
When a vulnerability is shaped exactly like a backdoor
CVE-2021-44529 triggers when you send Ivanti's appliance a cookie that says 'ab' followed by base64 the server decodes and runs. That's not what an accidental bug looks like. Whether it was planted or just terrible code, the lesson about dependency provenance is the same.
-
Field Note · May 20, 2026
Jenkins CVE-2024-23897: from 'limited file read' to your secret key
The KEV entry calls it 'limited read access to certain files.' On a Jenkins controller, the files include the cryptographic key that turns read into remote code execution. Here's how to check, patch, and what to rotate if you were exposed.
-
Analysis · May 20, 2026
Compromise one MSP's RMM, ransom a thousand businesses: the Kaseya pattern
Kaseya VSA is remote-monitoring software MSPs use to manage thousands of client machines. That reach is why it keeps getting attacked, and why in 2021 REvil used it to push ransomware to roughly 1,500 downstream businesses in a single weekend.
-
Field Note · May 20, 2026
Laravel CVE-2021-3129: the RCE that only fires when debug mode is on in production
CVE-2021-3129 is unauthenticated remote code execution in Laravel's Ignition error page. It only works when APP_DEBUG is true, which should never be the case in production. Here's how to confirm debug mode is off everywhere, patch, and check whether you were hit.
-
Analysis · May 20, 2026
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
-
Analysis · May 20, 2026
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016. They're there because the software is still running somewhere. For most of these, the fix isn't a patch, it's removing a runtime you stopped needing years ago.
-
Analysis · May 20, 2026
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws. They share one fix path: keep supported Windows patched, kill SMBv1, retire end-of-life.
-
Analysis · May 20, 2026
The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.
CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. 'Patched upstream' never meant 'patched on your box.'
-
Analysis · May 20, 2026
The Linux firewall bug your users can reach because you gave them a private root
CVE-2024-1086 is an nf_tables use-after-free that hands a local user root. The reason an unprivileged user can touch the kernel's packet-filtering engine at all is unprivileged user namespaces, and turning those off defuses a whole class of these bugs at once.
-
Analysis · May 20, 2026
Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.
CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021. The teams that 'patched Log4j' on day one had to do it again, and again. The durable lesson wasn't speed. It was knowing where the dependency lived.
-
Analysis · May 20, 2026
Turning on SSO turned on the vulnerability, and turning it back off didn't help
CVE-2022-47966 gave unauthenticated RCE across two dozen ManageEngine products, but only where SAML single sign-on was enabled. The best-practice config was the attack surface, the root cause was a years-stale bundled library, and 'was enabled' counted too.
-
Analysis · May 20, 2026
The most dangerous server in the hospital is the one nobody can name
Mirth Connect moves patient records between systems and runs with high privileges, and a lot of installs sit on the open internet. CVE-2023-43208 is an unauthenticated RCE in it, and it's a patch bypass: the first fix used a denylist, and a researcher walked around it.
-
Analysis · May 20, 2026
Lorenz ransomware's way in was the phone system
In 2022, Lorenz ransomware breached corporate networks through a Mitel MiVoice Connect appliance, the VoIP system, using CVE-2022-29499 as a zero-day. Telephony and unified-comms appliances are edge servers running web code, and almost nobody treats them that way.
-
Analysis · May 20, 2026
You can be the victim of a vulnerability in software you don't run
Most of the 90-plus million people whose data Cl0p stole through MOVEit had never heard of it, and their data leaked through payroll firms and service bureaus, not their own systems. CVE-2023-34362 is the case study in third-party data risk you can't patch your way out of.
-
Analysis · May 20, 2026
The tool that audits everything runs as SYSTEM everywhere. That cuts both ways.
CVE-2022-31199 is unauthenticated RCE as SYSTEM in Netwrix Auditor, and it hits the server and the agents on every monitored system. Truebot used it. A privileged monitoring tool with agents across your estate is a shadow administration layer, and a force multiplier when it's compromised.
-
Analysis · May 20, 2026
noPac: any domain user to Domain Admin, no exploit code required
CVE-2021-42278 and CVE-2021-42287 chain into 'noPac,' which takes a standard domain user to Domain Admin in about one command. There's no memory corruption, just abused Active Directory name handling, riding on a default that lets ordinary users create computer accounts.
-
Analysis · May 20, 2026
Known exploited, no patch: what to do in the weeks before a fix exists
When Microsoft disclosed CVE-2023-36884, it was already being used by a Russian group against governments, and there was no patch for weeks. Only mitigations. That scenario is more common than a patch-centric process assumes, and mitigations are the plan, not a consolation prize.
-
Analysis · May 20, 2026
OMIGOD: an unauth root RCE in an agent you didn't know Azure installed
CVE-2021-38647 is an unauthenticated remote code execution as root in the OMI agent. Most victims didn't know they were running OMI, Azure silently deployed it on Linux VMs when you enabled common services. Invisible agents are invisible attack surface.
-
Analysis · May 20, 2026
Your ERP is on the internet, and it's the system that cuts the checks
Security programs treat ERP as 'internal.' Oracle E-Business Suite exposes web modules to the internet by design, and CVE-2022-21587 turned one into unauthenticated code execution on the system that runs payroll, purchase orders, and the general ledger.
-
Analysis · May 20, 2026
A CVSS 10 that hinged on one unchecked box: 'Validate Identity Provider Certificate'
CVE-2020-2021 let attackers bypass authentication on Palo Alto firewalls and VPNs using SAML, but only when one option was disabled: 'Validate Identity Provider Certificate.' A perfect-10 bug whose presence depended on a checkbox.
-
Analysis · May 20, 2026
Palo Alto GlobalProtect CVE-2019-1579: another VPN gateway, another pre-auth RCE
CVE-2019-1579 was a pre-authentication remote code execution in Palo Alto's GlobalProtect SSL-VPN. It's one more entry in the longest-running story in this catalog: the SSL-VPN gateway as a perennial, pre-auth-RCE-prone perimeter target.
-
Analysis · May 20, 2026
PetitPotam: make a domain controller authenticate to you, relay it, own the domain
CVE-2021-36942 lets an attacker coerce a Windows machine, including a domain controller, into authenticating to them. Relay that to Active Directory Certificate Services and you can mint a certificate as the DC. It's an Active Directory configuration problem as much as a patch.
-
Analysis · May 20, 2026
A soft hyphen reopened a bug PHP closed in 2012
CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw. The 2012 fix sanitized the input. Windows then helpfully rewrote a soft hyphen back into a real one, after the check, and handed the attacker their command-line argument anyway.
-
Analysis · May 20, 2026
PHP-FPM CVE-2019-11043: an RCE that depended on a copy-pasted nginx config
CVE-2019-11043 is a remote code execution bug in PHP-FPM, but it only fires on a specific nginx configuration, one that circulated widely in tutorials and got copy-pasted into production everywhere. The bug is in the code; the exposure came from a config snippet.
-
Analysis · May 20, 2026
DeadBolt skipped the network intrusion and just encrypted the NAS directly
Most ransomware has to break in, escalate, and spread before it encrypts anything. DeadBolt found internet-exposed QNAP NAS devices, exploited a Photo Station bug, and encrypted the files in place. On a NAS, the device is the data, and that changes the whole attack.
-
Analysis · May 20, 2026
Why ransomware crews love a backup server twice over
CVE-2022-36537 is a ZK Framework bug that handed attackers ConnectWise R1Soft backup servers. A backup server is the perfect ransomware target for two reasons at once: it can push code to everything it protects, and destroying it removes the one thing that lets a victim refuse to pay.
-
Analysis · May 20, 2026
2017's other wormable file-share RCE, the one nobody remembers, is still on your NAS
Everyone remembers EternalBlue tearing through Windows SMB in 2017. The same year, Samba shipped a fix for SambaCry: upload a library to a writable share, trigger it, get root. It lives on in the NAS and IoT boxes that embed Samba and never update.
-
Analysis · May 20, 2026
The other half of the ScreenConnect chain just got a 2026 deadline
CVE-2024-1709 got the CVSS 10 and the headlines in February 2024. The path-traversal half that actually lands code execution, CVE-2024-1708, only got its own KEV deadline on April 28, 2026. Two years late, same chain.
-
Analysis · May 20, 2026
The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.2. It requires authentication. Most teams filed it below the criticals. It was still the entry point for a two-week, full-domain compromise, and the cleanup tactic was installing rogue antivirus to make the real EDR fall over.
-
Analysis · May 20, 2026
A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter
The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint. It was demoed at Pwn2Own in March 2023, patched mid-year, had a public PoC by late 2023, and hit the KEV list in early 2024. That timeline is something you can plan around.
-
Analysis · May 20, 2026
Sitecore CVE-2021-42237: another .NET deserialization RCE in a CMS you forgot was internet-facing
CVE-2021-42237 is an insecure-deserialization RCE in Sitecore XP. It's the same .NET deserialization footgun that keeps showing up in enterprise web apps, on a CMS that often sits forgotten but internet-facing.
-
Analysis · May 20, 2026
SolarWinds Serv-U: a state actor's zero-day in yet another file-transfer product
CVE-2021-35211 was a zero-day RCE in SolarWinds Serv-U, exploited by a China-nexus actor weeks after the SUNBURST headlines faded. It's another managed-file-transfer product turned into a foothold, the category attackers keep returning to.
-
Analysis · May 20, 2026
2021 was open season on SonicWall's appliances, remote access and email alike
In 2021, SonicWall's SMA/SRA remote-access appliances and its Email Security product were both hit by zero-day exploitation, by ransomware crews and APTs. Seven of those CVEs are in the catalog, several used before patches existed.
-
Analysis · May 20, 2026
Akira's favorite front door is a SonicWall SSL-VPN, and it's fast
Three SonicWall bugs, CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006, feed the same outcome: Akira ransomware through the SSL-VPN. In one campaign, the time from SonicWall access to encrypted files was 55 minutes. Several of these bugs walk past MFA.
-
Analysis · May 20, 2026
SysAid customers got the patch the same week they learned they were already breached
CVE-2023-47246 was a SysAid zero-day before it was a CVE. The Cl0p operator Lace Tempest, fresh off MOVEit, was writing webshells to Tomcat and deploying ransomware while the vendor was still writing the advisory. When the attacker has the bug first, detection matters as much as patching.
-
Analysis · May 20, 2026
The SolarWinds crew spent late 2023 breaking into build servers. That's not a coincidence.
CVE-2023-42793 is an unauthenticated RCE on JetBrains TeamCity. APT29, the Russian service behind SolarWinds, exploited it at scale, and so did North Korean groups. They weren't after one network. A build server is the supply chain.
-
Analysis · May 20, 2026
There's no vendor to patch this one. The vulnerable code is inside an app you built.
CVE-2017-11357 is a file-upload-to-RCE flaw in the Telerik UI component. It's not a product on your network you can update; it's a library compiled into web apps your own team shipped, sometimes years ago, often without anyone remembering Telerik is in there.
-
Analysis · May 20, 2026
A User-Agent string is not authentication, but TerraMaster's NAS treated it like one
To pull the admin password off a TerraMaster NAS, you sent a request with the header User-Agent: TNAS. The API recognized its own app's identifier and handed over the credentials. Chained to a second bug, that's unauthenticated root.
-
Analysis · May 20, 2026
The 2024–2026 enterprise-infra bugs, grouped by the mistake that caused them
Oracle WebLogic, SolarWinds Web Help Desk, Citrix Session Recording, Juniper ScreenOS, Outlook, VMware Aria, Brocade, Junos, and more. The recent enterprise-infrastructure entries reduce to the same familiar mechanisms, deserialization, planted credentials, document tricks, broken access control.
-
Analysis · May 20, 2026
The 2025 long tail: same six categories, eighty different products
Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa. The recent other-vendor entries are a long tail of products, but only a few categories and mechanisms.
-
Analysis · May 20, 2026
Ransomware crews keep hitting Veeam for the same two reasons
Four Veeam Backup & Replication CVEs feed the same playbook. Attackers target the backup server because it can destroy your recovery option and because it holds the credentials to everything it backs up. CVE-2024-40711 took Akira and Fog from access to ransomware fast.
-
Analysis · May 20, 2026
The backup agent on every server was ALPHV's way in
Veritas Backup Exec's agent listens on every machine it backs up. Three 2021 CVEs in it, CVE-2021-27876, 27877, and 27878, let ALPHV/BlackCat affiliates get in. Backup infrastructure isn't just a destruction target; its agents are an attack surface on every host.
-
Analysis · May 20, 2026
ESXi handed out admin to a group named 'ESX Admins' and never checked who made it
CVE-2024-37085 is an auth bypass where domain-joined ESXi grants full control to any member of a group called 'ESX Admins,' without verifying the group is legitimate. At least four ransomware crews used it to encrypt hypervisors. ESXi 7.0 isn't getting a patch.
-
Analysis · May 20, 2026
The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate. A run of pre-auth RCEs in vCenter (CVE-2021-21972, 21975, 21985, 22005) and the ESXi OpenSLP bugs (CVE-2019-5544, CVE-2020-3992) that fed the ESXiArgs ransomware wave show why the management layer is a crown-jewel target.
-
Analysis · May 20, 2026
Server-side template injection: when the page renderer runs the attacker's code
CVE-2022-22954 is a template-injection bug in VMware Workspace ONE Access. A template engine meant to render data into a page rendered attacker input into code execution instead, unauthenticated, on the appliance that brokers your single sign-on. Attackers had an exploit 48 hours after the patch.
-
Analysis · May 20, 2026
A browser bug, sold as a weapon, pointed at journalists
CVE-2022-2294 was a heap overflow in WebRTC, the real-time-comms code inside Chrome and other browsers. It wasn't used for mass crime. A surveillance vendor, Candiru, used it to plant DevilsTongue spyware on journalists in the Middle East. Different threat model, same patch.
-
Analysis · May 20, 2026
Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold. The exploit went public at 5pm UTC; Trend Micro saw the first real attack by 10pm. The tool that watches your whole network became the way in.
-
Analysis · May 20, 2026
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws, storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
-
Analysis · May 20, 2026
A clickable link in a SYSTEM dialog is a SYSTEM shell waiting to happen
CVE-2019-1388 turned a hyperlink in the UAC certificate dialog into a path to NT AUTHORITY\SYSTEM. No exploit code, just clicks: open the cert, click 'Issued by,' and the browser launches as SYSTEM. The lesson is what any interactive element in a privileged process really is.
-
Analysis · May 20, 2026
The same crew beat the same defense twice in three months. The patch was the problem.
CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures. It worked because Microsoft's earlier fix for nearly the same bug addressed one symptom and left the root cause standing. Narrow patches invite variants, and the attacker just comes back.
-
Analysis · May 20, 2026
Lazarus didn't bring a vulnerable driver. They used the one already on every Windows PC.
The standard defense against driver-based kernel attacks is a blocklist of known-bad drivers. CVE-2024-21338 routes around it: the vulnerable driver is appid.sys, the AppLocker component Windows ships by default. You can't blocklist a core part of the OS.
-
Analysis · May 20, 2026
The warning your careful users count on, that quietly never fired
CVE-2024-21412 bypasses Windows SmartScreen with a shortcut inside a shortcut. The file looks like a JPEG, the user double-clicks, and the safety prompt that was supposed to appear simply doesn't. It's also a bypass of the previous SmartScreen fix.
-
Analysis · May 20, 2026
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks. Symantec later found a Black Basta exploit tool built weeks earlier. The technique it used, an IFEO Debugger key, is one you can detect even when you can't patch in time.
-
Analysis · May 20, 2026
The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.
CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day. Kaspersky tied it to QakBot, the botnet taken down nine months earlier, and found the exploit was already in several groups' hands before the patch.
-
Analysis · May 20, 2026
The boring privilege-escalation bug is the one that finishes the job
CVE-2024-30088 is a local Windows kernel race condition. It needs an attacker who's already inside, which is exactly why it gets deprioritized. APT34 used it to turn a foothold into SYSTEM, then dropped a password filter to skim every cleartext login.
-
Analysis · May 20, 2026
The Print Spooler keeps getting exploited. The fix is usually to turn it off.
PrintNightmare wasn't one bug. The KEV catalog holds a string of Print Spooler entries, from PrintNightmare to SpoolFool to the flaw APT28 paired with GooseEgg. They share a root cause, and for most servers the durable answer isn't a patch, it's disabling a service you don't need.
-
Analysis · May 20, 2026
The user opened a JPG they could see in the archive. A RAT installed behind it.
CVE-2023-38831 weaponizes the one thing you tell users is safe: opening a file they can see. A WinRAR archive hides a script in a folder named identically to a benign file, and double-clicking the file runs the script. You can't train this away, and WinRAR doesn't auto-update.
-
Analysis · May 20, 2026
When the catalog says 'authenticated' and the researcher says it isn't
The KEV entry for CVE-2023-40044 calls it an authenticated attack. The researchers who found it demonstrated remote code execution with no login at all. When your authoritative sources disagree about whether a bug needs credentials, plan around the scarier answer.
-
Analysis · May 20, 2026
WSO2 CVE-2022-29464: an upload bug on the box that brokers your APIs and logins
CVE-2022-29464 is an unauthenticated file-upload-to-RCE in WSO2 products. The bug is a familiar one. What makes it serious is where it lives: API management and identity middleware that sits in front of your services and authenticates your users.
-
Analysis · May 20, 2026
Zerologon: a crypto mistake that hands over the domain in seconds
CVE-2020-1472 is a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset its machine-account password to empty, becoming domain admin. CVSS 10, no credentials, seconds to exploit.
-
Analysis · May 20, 2026
The Zimbra bug that infected the mail server when it scanned the attachment
In 2022, Zimbra Collaboration Suite got hammered by a cluster of bugs. One didn't even need the victim to click: send a booby-trapped RAR, and the server unpacked it to scan for malware, infecting itself. On-premise email is the keys to the kingdom, and 2022 proved it.
-
Analysis · May 20, 2026
A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router. Zyxel patched it in 2017, but the device is end-of-life, so the real remediation is replacement. It's on the KEV list because EOL edge gear is exactly what gets conscripted into botnets.
-
Analysis · May 19, 2026
YellowKey is unpatched and your travel laptops are exposed today
A public PoC, a TPM-only default, and no patch in sight. TPM+PIN stops the live exploit, but the researcher says a second variant is waiting.
-
Analysis · May 18, 2026
5 Ways GitHub Spent April Lighting Itself On Fire
GitHub logged ten separate outages in one month, including one fixed by turning DNS off and on again. Here are the five most absurd.
-
Analysis · May 18, 2026
A valid signature is not a vouch
For 27 days the official DAEMON Tools installer carried a clean Disc Soft signature and a backdoor. The signature did exactly what it was designed to do. That is the problem.
-
Analysis · May 18, 2026
Microsoft titled it Spoofing. It's session hijacking.
CVE-2026-42897 is the first real test of Exchange Server Subscription Edition's new servicing model. Four days in, the answer is a mitigation that breaks four OWA features and an SU with no ship date.
-
Analysis · May 18, 2026
KB5089549 fails at 35% because your ESP is full
May's Windows 11 cumulative dies at the boot-file write step on machines with under 10 MB free in the EFI System Partition. Here's the registry fix, the detection query, and the WSUS decision.
-
Analysis · May 18, 2026
Apple's May Wi-Fi kernel bug is bad, but it's probably not Broadpwn
CVE-2026-28819 gets kernel code execution on macOS, but Apple's wording points at a local-app trigger, not a rogue access point. Patch on a 72-hour clock, not a panic clock.
-
Analysis · May 17, 2026
Three CitrixBleeds in 30 months is not a streak, it is a code surface
CVE-2026-3055 is the third pre-auth memory disclosure in NetScaler's authentication stack in 30 months. Citrix says they are unrelated. The endpoints, the class, and the exploitation tempo say otherwise.
-
Analysis · May 17, 2026
Dead.Letter is a Debian and Ubuntu problem, and the popular workaround is wrong
Exim 4.99.3 patches a pre-auth RCE that only exists on GnuTLS-linked builds. Several outlets are recommending a config change that does not close the hole.
-
Analysis · May 17, 2026
The malware was signed. The signature was real. The package was poison.
TanStack's npm release pipeline published 84 malicious package versions with valid SLSA provenance. The attestation was correct. It just wasn't the question that mattered.
-
Analysis · May 15, 2026
When breaking the maintenance window is cheaper than waiting
The change board exists to make change safer, not slower. Here's the operational math for when the window has to move.
-
Field Note · May 15, 2026
A defensible software inventory you can build with the tools you already have
PowerShell, dpkg, system_profiler, Nmap, and a git repo will produce a weekly software inventory that joins cleanly against the CISA KEV catalog. Here are the parts that look right and aren't.
-
Analysis · May 15, 2026
The patch ring math stops working at fifty endpoints
Enterprise ring guidance assumes a fleet big enough that 5% is a meaningful sample. At 50 machines, it's 2.5 boxes.
-
Field Note · May 15, 2026
Patching Windows when your test ring is two laptops
Microsoft's deployment-ring guidance was written for orgs where 5% of the fleet is dozens of machines. Here's what the model actually buys you when 5% is two laptops, and what to substitute for the rest.
-
Field Note · May 15, 2026
Recovering from a bad Intune deployment without making it worse
Stop the spread, unwind the damage, verify it took. A failure-mode-to-action playbook for when a config profile, app push, or CA policy goes sideways.
-
Field Note · May 15, 2026
A 30-minute Patch Tuesday triage you can actually run
How to get from 150 CVEs to the 4-8 that change your week, using only public signals and a clock.
-
Field Note · May 15, 2026
Nine PowerShell checks before you trust a Windows host
A short, native-PowerShell audit a Windows admin can run on any host in about ten minutes. The bad answers are unambiguous and the fixes are cheap.
-
Analysis · May 14, 2026
Rapid7 found a second CVSS 10 in Cisco SD-WAN while researching the first
Two unauthenticated auth bypasses in the same Cisco vdaemon in under three months, both being exploited by the same actor that has been sitting in critical-infrastructure fabrics since 2023.
-
Analysis · May 14, 2026
Fragnesia is the patch you already deployed, bypassed
If you rolled the Dirty Frag kernel update last week and called it done, your fleet is exposed again. Worse, patched hosts may still hand out root shells until you drop the page cache.
-
Analysis · May 14, 2026
Vercel shipped the framework. You're shipping the patch
CVE-2026-44578 is a CVSS 8.6 SSRF in self-hosted Next.js. The fix for 13.x and 14.x users is a major-version migration, filed against your product team as a Dependabot chore.
-
Analysis · May 14, 2026
Does this CVE actually apply to you? Three filters before you patch
Single-score triage fails in both directions: 10.0s that don't apply, 4.3s that get exploited for 13 days. Three filters reduce the queue.
-
Analysis · May 13, 2026
Daybreak shipped without a single number of its own
OpenAI announced an end-to-end vulnerability detection and patching platform on May 12, then borrowed every performance figure from its predecessors. The borrowed figures don't help its case.
-
Analysis · May 12, 2026
What 14 days of TeamPCP told us about registry defense in 2026
Five compromises across two ecosystems in six weeks, then a 169-package npm wave on May 11. One threat actor, two very different defensive postures. The pattern is the point.
-
Analysis · May 11, 2026
Cisco is now telling you the patch doesn't clean the box
Cisco's April 23 PSIRT advisory says the ArcaneDoor implant survives upgrading to the September 2025 fixes for CVE-2025-20333 and CVE-2025-20362. Reimage, do not patch.
-
Analysis · May 11, 2026
The CVSS 4.3 that APT28 was already using
Microsoft shipped the fix for CVE-2026-32202 without an exploitation flag while Russian state actors had a five-month head start. Vendor-tag triage missed it. The federal deadline is tomorrow.
-
Analysis · May 11, 2026
The .de outage was a TLD postmortem, not a patch you missed
DENIC's signing pipeline shipped two-thirds bad signatures during a routine ZSK rotation on May 5. Nothing in your environment caused it, and nothing in your environment could prevent it. Here's what you can still change at your resolver.
-
Analysis · May 11, 2026
Kubernetes 1.36 is the upgrade that quietly rewrites your RBAC
The headline features in 1.36 are user namespaces and SELinux. The thing that will actually bite you on Monday is a single locked-on feature gate that turns every nodes/proxy grant in your cluster into an audit finding.
-
Analysis · May 11, 2026
The June 2026 Secure Boot cliff: tomorrow is your last clean window
Three Microsoft Secure Boot certificates from 2011 expire in June. May 12 is the last Patch Tuesday before the cliff, and the registry trigger isn't going to set itself.
-
Analysis · May 10, 2026
Array Networks patched in a week and forgot to build a security program
CVE-2023-28461 is a CVSS 9.8 auth bypass on an SSL VPN that Earth Kasha was already exploiting. The fix shipped fast. The disclosure infrastructure around it doesn't exist.
-
Analysis · May 10, 2026
The most expensive sentence Microsoft can write is 'no customer action required'
CVE-2026-33823 ships with a server-side fix and a 9.6 CVSS, but the audit log doesn't record portal-layer access. The patch is free. The compliance work isn't.
-
Analysis · May 10, 2026
The seven-year gap is the story, not the CVE
Microsoft patched CVE-2018-8639 in December 2018. CISA added it to the KEV catalog in March 2025. The interesting number isn't the bug's age. It's the distance between when a fix shipped and when the exposed fleet was acknowledged.
-
Analysis · May 10, 2026
The second bug is the easy one now
Two unrelated actors weaponized the same Task Scheduler zero-day at the same time. The reason isn't sophistication, it's that missing-auth on local RPC is sitting under most of Windows.
-
Analysis · May 10, 2026
Zyxel patched CVE-2024-11667 in September. They named it in November
The fix shipped on September 3, 2024. The CVE assignment came eleven weeks later, after Helldown was already in production networks. The customers who patched on time still got compromised.
-
Analysis · May 10, 2026
SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak
SimpleHelp shipped a fix in seven days from full disclosure. Then they posted it to a forum. Ransomware affiliates have been pulling hashed admin credentials out of unpatched servers ever since.
-
Analysis · May 9, 2026
Skip the optional preview: KB5083631 isn't worth your Tuesday morning
May 12 ships the same 34 fixes plus the month's security patches in one tested package. The preview brings the same risk for none of the upside.
-
Analysis · May 8, 2026
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.8.0.21 on October 27. By December 3, Huntress had a working PoC against fully patched hosts and Cl0p was running it in production. This is the fifth MFT vendor in five years to hand Cl0p the same playbook.
-
Analysis · May 8, 2026
Qlik patched the smuggling bug, then Praetorian beat it with one extra letter
On August 29, 2023, Qlik shipped a literal-string filter for chunked transfer encoding. Three weeks later Praetorian sent tchunked, the desync came back, and Cactus ransomware spent the next two months harvesting the administrators who thought they were done patching.
-
Analysis · May 8, 2026
Mitel MiCollab keeps shipping the same path-traversal bug class
watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day. The pattern across NPM, ReconcileWizard, and AWV is structural, and operators tolerate it because UC is the most upgrade-averse tier in the enterprise.
-
Analysis · May 8, 2026
Five critical Fortinet CVEs in 28 months is not a streak of bad luck
Three heap overflows, two auth bypasses, all pre-auth, all ransomware-linked. The pattern in FortiOS and FortiProxy is structural, and patching alone has not been enough to remove attacker access.
-
Analysis · May 8, 2026
Three root shells in seven months. All from the same firewall.
CVE-2024-3400, CVE-2024-0012, and CVE-2024-9474 gave attackers unauthenticated root on Palo Alto firewalls twice in 2024. The pattern isn't bad luck. It's the architecture.
-
Analysis · May 8, 2026
Your LiteLLM proxy needs to be on 1.83.10 by May 11
CISA gave a three-day deadline on a pre-auth SQL injection in LiteLLM. The patch is one version bump; the rotation work after it is the real job.
-
Analysis · May 8, 2026
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector. EncryptHub exploited it as a zero-day while simultaneously disclosing other vulnerabilities to Microsoft for credit.
-
Analysis · May 8, 2026
Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it. Then perpetual license holders couldn't download the fix.
-
Analysis · May 8, 2026
Ivanti Connect Secure: the perimeter that keeps breaking
Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all on the unauthenticated path. The pledge bought goodwill. The code did not change.
-
Analysis · May 8, 2026
Ivanti EPMM has produced a confirmed zero-day every year since 2023. Here's the full chain.
Twelve CVEs. Four exploitation waves. Three years. One product line. A complete accounting of Ivanti EPMM's zero-day history, from the Norwegian government breach to this week's credential chain.
-
Analysis · May 7, 2026
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor. The KEV deadline is May 9. The first patch lands May 13. Here's what to do with the four days in between.
-
Analysis · May 6, 2026
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023. Same binary, same attack surface, same session token leakage. Its own post-patch guidance still doesn't invalidate the tokens attackers actually steal.
-
Analysis · May 6, 2026
CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.8 auth bypass quiet. The disclosure mess that followed, two CVEs, public PoC code, and CEO threats, helped attackers move faster.
-
Analysis · May 6, 2026
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years. Akira ransomware automated the decryption. Fortinet keeps shipping this class of bug.
-
Analysis · May 6, 2026
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped. One confirmed victim reported multi-billion dollar profit impact. SAP's initial workaround guidance was later marked 'Do Not Use.'
-
Analysis · May 6, 2026
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks. Two unrelated ransomware groups were already using it. It was the sixth CLFS zero-day since 2022.
-
Analysis · May 5, 2026
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist. The correction came Saturday night, behind a paywall.
-
Analysis · May 5, 2026
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere? It did. Third critical BeyondTrust RCE in 15 months, confirmed ransomware, CISA gave you 3 days.
-
Analysis · May 5, 2026
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
-
Analysis · May 5, 2026
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers. The bug isn't the story. The patching economics are.
-
Analysis · May 5, 2026
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers. Under 24 hours from initial access to ransomware. GoAnywhere's third year in a row.
-
Analysis · May 5, 2026
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations. Here's what patching EBS actually looks like under a KEV deadline.
-
Analysis · May 5, 2026
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
-
Analysis · May 5, 2026
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.
-
Analysis · May 5, 2026
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable. Microsoft's first fix was incomplete, and ransomware operators had the gap memorized.
-
Analysis · May 5, 2026
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.5. It enabled unauthenticated RCE across 400+ SharePoint servers. Authentication bypasses are consistently underscored, and consistently the vulnerability class that turns a bad bug into a mass-exploitation campaign.
-
Analysis · May 5, 2026
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days. The problem isn't bugs. It's that incomplete fixes are a pattern, and patch compliance frameworks can't measure patch quality.
-
Analysis · May 5, 2026
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
-
Analysis · May 5, 2026
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.
-
Analysis · May 5, 2026
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API. No credentials, no interaction, CVSS 9.8, confirmed ransomware. One of three critical SmarterMail CVEs in ten days. Here's what happened and what to do about it.
-
Analysis · May 5, 2026
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days. CISA added it to KEV in April 2026 with a May 4 federal deadline. If you're still below 2023.11.4, this is two years overdue.
-
Analysis · May 4, 2026
Three hours was the good outcome: npm's trust model and the Axios compromise
A DPRK threat actor backdoored two Axios versions on npm. Socket flagged the malicious dependency in six minutes. Nothing stopped the downstream publish fifteen minutes later. The system worked exactly as designed.
-
Analysis · May 3, 2026
50 CVEs in 18 months is not a growing pain. It's a design choice the industry keeps making.
MCP went from unknown to default AI integration in under two years. The vulnerability count, the OWASP Top 10, and the simultaneous client failures tell a story about what happens when adoption is the only metric.
-
Analysis · May 3, 2026
Spirit Airlines is dead. Its attack surface isn't.
The security story isn't that an airline went bankrupt. It's what happens to 132 APIs, years of customer PII, and a cloud footprint when a company dies overnight and nobody is left to decommission it.
-
Analysis · May 3, 2026
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.14 through 6.19. A Python script gives any local user root. Every major distro is affected, containers don't help, and the mitigation is trivial.
-
Analysis · May 3, 2026
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.449.424.0 flagged two legitimate DigiCert root CA certificates as a high-severity trojan. The alert was a false positive, but if auto-remediation ran before the fix shipped, your certificate store may now be missing trust anchors that TLS depends on.
-
Analysis · May 1, 2026
The security work that landed on ops
Cloud shared responsibility, compliance mandates, and insecure defaults have quietly moved security execution onto ops teams that were never staffed for it.
-
Analysis · May 1, 2026
People problems wearing a server badge
The sysadmin job was sold as infrastructure. The actual job is diplomacy, and the burnout numbers show it.
-
Analysis · May 1, 2026
Microsoft: the Patch Day cinematic universe
Licensing, patches, email blocking, Copilot, Recall, Windows replacement. Every subplot lands on the same sysadmin's desk.
-
Analysis · May 1, 2026
The feedback loop is broken
Executives keep making the same categories of bad IT decisions because the consequences land on operators, not decision-makers. The pattern is structural, not accidental.
-
Analysis · May 1, 2026
Your security vendor's AI isn't making you safer. It's making you tired.
76% of cybersecurity professionals say the AI landscape is overwhelmed by overpromotion. The operational cost of that fatigue is starting to show up in the places that matter.
-
Analysis · May 1, 2026
The most dangerous sentence in a code comment is 'this should never happen'
From Therac-25 to CrowdStrike, the same pattern keeps producing catastrophic failures: an engineer reasons that a condition is impossible, skips the guard, and the system outgrows the assumption.
-
Analysis · May 1, 2026
Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11. If you haven't inventoried your fleet against the requirements, you're about to get a split patching model you didn't plan for.
-
Analysis · May 1, 2026
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited. APT28 had been using it since at least December. The gap between those two facts is where triage models break.
-
Field Note · May 1, 2026
Patch CVE-2026-40372, then rotate the keys
The ASP.NET Core DataProtection fix stops new forged payloads. It does not clean up tokens your app may have issued while the vulnerable code was live.
-
Analysis · May 1, 2026
The same LDAP injection, in two firewalls, in the same month
OPNsense shipped a textbook LDAP filter injection that hid for eleven years. WatchGuard disclosed the same class of flaw weeks later. The pattern is not coincidence.
-
Analysis · May 1, 2026
The Vercel breach is the Heroku/Travis CI playbook, rerun through an AI tool
A compromised OAuth token at a small AI productivity company gave attackers a path into Vercel's internal systems. The structural pattern is four years old. AI tools are making it worse.
-
Analysis · May 1, 2026
Anthropic's MCP gives every downstream app unauthenticated RCE, and they called it expected behavior
The Model Context Protocol's STDIO transport passes user input directly into subprocess execution with no sanitization. OX Security found 14+ CVEs across the ecosystem. Anthropic declined to patch.
-
Analysis · May 1, 2026
Windows Defender is the attack surface now, and two of the three exploits don't have patches
Three tools dropped in April turn Defender's own privileged operations into privilege escalation and detection evasion. Microsoft patched one. The other two work on fully patched systems.
-
Analysis · Apr 30, 2026
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests. The fix landed. The architecture question hasn't. Updated May 4 with exploitation scale: 44,000+ hosts compromised, ransomware, botnet, and state-sponsored campaigns confirmed.
-
Analysis · Apr 29, 2026
Microsoft April 2026 Patch Tuesday: the CVE count is the wrong unit
Roughly 160+ CVEs landed in April. About six of them change what an IT team does this week.
-
Field Note · Apr 29, 2026
Best practices for patch prioritization in a hybrid environment: start with business impact
Severity scores tell you which CVE is nastiest. Business impact tells you which one matters.
-
Analysis · Apr 28, 2026
What patching looks like when you support the whole mess: endpoints, M365, identity, browsers, VPN, and line-of-business tools
Patching isn't Windows Updates anymore. A tour of the six surfaces a real shop patches every week.
-
Field Note · Apr 28, 2026
Patch now, patch later, ignore for now: the triage model real IT teams actually need
A three-bucket triage model for sysadmins who don't own a vulnerability scanner and aren't going to buy one.
-
Analysis · Apr 28, 2026
Why most patch summaries fail the people who actually have to do the work
Vendor advisories are written for completeness. They're not written for the operator triaging a CISA KEV ticket before lunch.