Field Notes
The Field Notes Desk
The Field Notes Desk writes from the operator's chair: per-CVE walkthroughs, vendor postmortems, exploitation timelines, and the occasional war story from a Monday morning that did not go to plan. If it doesn't have a clear next step, it isn't done.
What this desk covers Per-CVE writeups, vendor postmortems, exploitation timelines, and the rest of the operator's week. See the beat →
36 articles
-
Analysis · May 11, 2026
The .de outage was a TLD postmortem, not a patch you missed
DENIC's signing pipeline shipped two-thirds bad signatures during a routine ZSK rotation on May 5. Nothing in your environment caused it, and nothing in your environment could prevent it. Here's what you can still change at your resolver.
-
Analysis · May 11, 2026
Kubernetes 1.36 is the upgrade that quietly rewrites your RBAC
The headline features in 1.36 are user namespaces and SELinux. The thing that will actually bite you on Monday is a single locked-on feature gate that turns every nodes/proxy grant in your cluster into an audit finding.
-
Analysis · May 8, 2026
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.8.0.21 on October 27. By December 3, Huntress had a working PoC against fully patched hosts and Cl0p was running it in production. This is the fifth MFT vendor in five years to hand Cl0p the same playbook.
-
Analysis · May 8, 2026
Qlik patched the smuggling bug, then Praetorian beat it with one extra letter
On August 29, 2023, Qlik shipped a literal-string filter for chunked transfer encoding. Three weeks later Praetorian sent tchunked, the desync came back, and Cactus ransomware spent the next two months harvesting the administrators who thought they were done patching.
-
Analysis · May 8, 2026
Mitel MiCollab keeps shipping the same path-traversal bug class
watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day. The pattern across NPM, ReconcileWizard, and AWV is structural, and operators tolerate it because UC is the most upgrade-averse tier in the enterprise.
-
Analysis · May 8, 2026
Your LiteLLM proxy needs to be on 1.83.10 by May 11
CISA gave a three-day deadline on a pre-auth SQL injection in LiteLLM. The patch is one version bump; the rotation work after it is the real job.
-
Analysis · May 8, 2026
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector. EncryptHub exploited it as a zero-day while simultaneously disclosing other vulnerabilities to Microsoft for credit.
-
Analysis · May 8, 2026
Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it. Then perpetual license holders couldn't download the fix.
-
Analysis · May 8, 2026
Ivanti EPMM has produced a confirmed zero-day every year since 2023. Here's the full chain.
Twelve CVEs. Four exploitation waves. Three years. One product line. A complete accounting of Ivanti EPMM's zero-day history, from the Norwegian government breach to this week's credential chain.
-
Analysis · May 7, 2026
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor. The KEV deadline is May 9. The first patch lands May 13. Here's what to do with the four days in between.
-
Analysis · May 6, 2026
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023. Same binary, same attack surface, same session token leakage. Its own post-patch guidance still doesn't invalidate the tokens attackers actually steal.
-
Analysis · May 6, 2026
CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.8 auth bypass quiet. The disclosure mess that followed — two CVEs, public PoC code, CEO threats — helped attackers move faster.
-
Analysis · May 6, 2026
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years. Akira ransomware automated the decryption. Fortinet keeps shipping this class of bug.
-
Analysis · May 6, 2026
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped. One confirmed victim reported multi-billion dollar profit impact. SAP's initial workaround guidance was later marked 'Do Not Use.'
-
Analysis · May 6, 2026
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks. Two unrelated ransomware groups were already using it. It was the sixth CLFS zero-day since 2022.
-
Analysis · May 5, 2026
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist. The correction came Saturday night, behind a paywall.
-
Analysis · May 5, 2026
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere? It did. Third critical BeyondTrust RCE in 15 months, confirmed ransomware, CISA gave you 3 days.
-
Analysis · May 5, 2026
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
-
Analysis · May 5, 2026
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers. The bug isn't the story. The patching economics are.
-
Analysis · May 5, 2026
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers. Under 24 hours from initial access to ransomware. GoAnywhere's third year in a row.
-
Analysis · May 5, 2026
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations. Here's what patching EBS actually looks like under a KEV deadline.
-
Analysis · May 5, 2026
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
-
Analysis · May 5, 2026
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.
-
Analysis · May 5, 2026
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable. Microsoft's first fix was incomplete, and ransomware operators had the gap memorized.
-
Analysis · May 5, 2026
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.5. It enabled unauthenticated RCE across 400+ SharePoint servers. Authentication bypasses are consistently underscored, and consistently the vulnerability class that turns a bad bug into a mass-exploitation campaign.
-
Analysis · May 5, 2026
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days. The problem isn't bugs. It's that incomplete fixes are a pattern, and patch compliance frameworks can't measure patch quality.
-
Analysis · May 5, 2026
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
-
Analysis · May 5, 2026
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.
-
Analysis · May 5, 2026
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API. No credentials, no interaction, CVSS 9.8, confirmed ransomware. One of three critical SmarterMail CVEs in ten days. Here's what happened and what to do about it.
-
Analysis · May 5, 2026
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days. CISA added it to KEV in April 2026 with a May 4 federal deadline. If you're still below 2023.11.4, this is two years overdue.
-
Analysis · May 3, 2026
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.14 through 6.19. A Python script gives any local user root. Every major distro is affected, containers don't help, and the mitigation is trivial.
-
Analysis · May 3, 2026
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.449.424.0 flagged two legitimate DigiCert root CA certificates as a high-severity trojan. The alert was a false positive — but if auto-remediation ran before the fix shipped, your certificate store may now be missing trust anchors that TLS depends on.
-
Analysis · May 1, 2026
Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11. If you haven't inventoried your fleet against the requirements, you're about to get a split patching model you didn't plan for.
-
Analysis · May 1, 2026
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited. APT28 had been using it since at least December. The gap between those two facts is where triage models break.
-
Field Note · May 1, 2026
Patch CVE-2026-40372, then rotate the keys
The ASP.NET Core DataProtection fix stops new forged payloads. It does not clean up tokens your app may have issued while the vulnerable code was live.
-
Analysis · Apr 30, 2026
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests. The fix landed. The architecture question hasn't. Updated May 4 with exploitation scale: 44,000+ hosts compromised, ransomware, botnet, and state-sponsored campaigns confirmed.