PatchDay Alert
Analysis · 3 min read · 635 words By analysis-desk

The 2024–2026 enterprise-infra bugs, grouped by the mistake that caused them

Oracle WebLogic, SolarWinds Web Help Desk, Citrix Session Recording, Juniper ScreenOS, Outlook, VMware Aria, Brocade, Junos, and more. The recent enterprise-infrastructure entries reduce to the same familiar mechanisms: deserialization, planted credentials, document tricks, broken access control.

The recent enterprise-infrastructure entries in the catalog span a dozen vendors, but like the Tier-1 capstone, they don’t introduce new mistakes; they repeat a handful. Grouping by mechanism is the useful way to read them.

Insecure deserialization (still the workhorse)

  • Oracle WebLogic Server CVE-2020-2883 is a T3/IIOP deserialization RCE, the same class that has plagued WebLogic for years, exploited for cryptominers and worse.
  • SolarWinds Web Help Desk CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551 are a run of Java-deserialization RCEs in the help-desk product, each effectively a patch-bypass cycle on the same underlying weakness, the same dynamic as the Mirth denylist story.
  • Citrix Session Recording CVE-2024-8068 and CVE-2024-8069 are access-control/deserialization flaws allowing privilege escalation and limited RCE.
  • Oracle Agile PLM CVE-2024-20953 is another deserialization entry.

The fix is always the same: don’t deserialize untrusted input with a type-permissive serializer; allowlist the classes you actually expect and reject everything else.
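As an added example (not code from this post or from any vendor named in it), here is what that allowlist looks like on a plain Java ObjectInputStream using the JDK’s built-in ObjectInputFilter; the TicketUpdate message type, the sample payloads and the depth/array limits are assumed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationAllowlist {

    // Hypothetical message type this service legitimately expects on the wire.
    public static final class TicketUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final int ticketId;
        final String note;
        TicketUpdate(int ticketId, String note) { this.ticketId = ticketId; this.note = note; }
    }

    // Allowlist: only the expected message type and the JDK types it needs are accepted;
    // the trailing "!*" rejects every other class before any of its readObject logic runs.
    // maxdepth/maxarray bound resource exhaustion from hostile object graphs.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "java.lang.String;" + TicketUpdate.class.getName() + ";maxdepth=5;maxarray=1000;!*");

    // Deserialize with the filter installed on this stream only.
    static Object readAllowlisted(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate message passes the filter.
        TicketUpdate ok = (TicketUpdate) readAllowlisted(serialize(new TicketUpdate(42, "reopened")));
        System.out.println("accepted: ticket " + ok.ticketId);

        // Constructed sample: an unlisted type (HashMap stands in for any unexpected class)
        // is refused with InvalidClassException before it is instantiated.
        try {
            readAllowlisted(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be set process-wide with ObjectInputFilter.Config.setSerialFilter, which is the right default when a framework rather than your own code opens the streams.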

A planted backdoor

  • Juniper ScreenOS CVE-2015-7755 is the infamous unauthorized administrative access via a hardcoded credential, the backdoor master password discovered in ScreenOS in 2015. It’s the clearest catalog example of the backdoor-shaped code problem: when a network device contains a built-in way in, the only defense is replacing or fully patching the firmware.

Document and Office tricks

  • Outlook CVE-2024-21413 (“MonikerLink”) bypasses Protected View using a crafted moniker link, leading to credential leakage or code execution, a document-attack-surface case.
  • Office CVE-2026-21509 and CVE-2026-21514 are recent Office RCEs in the same vein, and SharePoint CVE-2026-20963 continues the SharePoint RCE lineage. Defense: patch, and layer execution controls that don’t depend on the user heeding a warning.

Broken access control and privilege escalation

  • Microsoft Power Pages CVE-2025-24989 and Partner Center CVE-2024-49035 are improper-access-control flaws allowing privilege escalation in cloud/portal products.
  • VMware Aria Operations CVE-2025-41244 and CVE-2026-22719 are privilege-escalation flaws (41244 via the VMware Tools integration), on the monitoring layer that sits across the virtual estate.

Appliance and management RCE

  • Brocade Fabric OS CVE-2025-1976 is a root-level code injection on storage-network switches.
  • Juniper Junos OS CVE-2025-21590 is an exploited flaw on the routing platform.
  • Microsoft Configuration Manager CVE-2024-43468 is an RCE in the endpoint-management server (SCCM/MECM), a tier-zero box that deploys software fleet-wide.
  • Oracle Fusion Middleware CVE-2025-61757 and Microsoft .NET Framework CVE-2024-29059 round out the set, and Mitel SIP Phones CVE-2024-41710 is an argument-injection flaw on telephony endpoints, the VoIP-as-attack-surface theme.

The point, and what to do

Two dozen bugs, a dozen vendors, the same five or six mechanisms. The implications are the ones this whole series keeps reaching:

  • Patch internet-facing and management software on an emergency cadence. Help-desk servers, config managers, monitoring platforms, and network OSes are control-plane systems; their bugs get exploited fast.
  • Treat deserialization as a permanent risk class in your own code and demand it of vendors; the WebLogic and Web Help Desk entries show it doesn’t go away.
  • Defend documents beyond macros, with execution controls and email filtering, given the Outlook/Office/SharePoint entries.
  • Watch access-control and privilege-escalation bugs on cloud/portal and monitoring products, which grant lateral and vertical movement.
  • Replace or fully remediate devices with backdoor-class issues like the ScreenOS master password; there’s no configuring around a built-in way in.

The reframe, one more time: you defend against a small set of mechanisms, not an endless list of products. Master secure deserialization, validated access control, document-execution controls, and ruthless patching of management infrastructure, and the per-vendor CVE stream becomes manageable. We read every catalog addition, across every tier, as another instance of the same handful of mistakes, because that’s what lets you get ahead of them.
