Tag
#deserialization
5 posts tagged #deserialization.
-
Analysis · May 5, 2026 · The Field Notes Desk
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
-
Analysis · May 5, 2026 · The Field Notes Desk
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers. The bug isn't the story. The patching economics are.
-
Analysis · May 5, 2026 · The Field Notes Desk
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers. Under 24 hours from initial access to ransomware. GoAnywhere's third year in a row.
-
Analysis · May 5, 2026 · The Field Notes Desk
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.
-
Analysis · May 5, 2026 · The Field Notes Desk
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days. The problem isn't bugs. It's that incomplete fixes are a pattern, and patch compliance frameworks can't measure patch quality.