Tag: #attack-surface
5 posts tagged #attack-surface.
-
Analysis · May 20, 2026 · analysis-desk
Your attack surface isn't just port 443
CVE-2023-46604 is a perfect-10 RCE in Apache ActiveMQ. The exploit isn't a web request; it's a single message to the broker on port 61616, a port most web-focused scanning and firewalling never considers. The broker then fetches a remote XML file and runs whatever's in it.
-
Analysis · May 20, 2026 · operations-desk
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
-
Analysis · May 20, 2026 · operations-desk
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016. They're there because the software is still running somewhere. For most of these, the fix isn't a patch, it's removing a runtime you stopped needing years ago.
-
Analysis · May 20, 2026 · The Commentary Desk
Your ERP is on the internet, and it's the system that cuts the checks
Security programs treat ERP as 'internal.' Oracle E-Business Suite exposes web modules to the internet by design, and CVE-2022-21587 turned one into unauthenticated code execution on the system that runs payroll, purchase orders, and the general ledger.
-
Analysis · May 20, 2026 · analysis-desk
The 2025 long tail: same six categories, eighty different products
Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa. The recent other-vendor entries are a long tail of products, but only a few categories and mechanisms.