The 2025 long tail: same six categories, eighty different products
Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa. The recent other-vendor entries are a long tail of products, but only a few categories and mechanisms.
The recent “other vendor” entries are a sprawl, dozens of products from dozens of vendors, but they sort into the same handful of categories this series has been mapping all along. Reading them by category is the only sane way to keep up, because the per-product list is endless and the per-category defense is short.
Email and groupware servers
Roundcube Webmail (an XSS-to-account-takeover and a deserialization RCE), TeleMessage TM SGNL (the Signal-fork archiving app whose breach exposed government communications), MDaemon, Libraesva Email Security Gateway, Qualitia Active!Mail, Srimax Output Messenger, and Sangoma FreePBX (a string of admin/RCE bugs). Email is the crown jewel: patch fast, keep admin interfaces off the internet, and treat a mail-server compromise as an account-takeover and data-exposure event.
File transfer and backup
Wing FTP Server, Commvault (Web Server and Command Center), NAKIVO Backup & Replication, Dell RecoverPoint for VMs, and Soliton FileZen. The MFT-and-backup-as-target pattern: internet-facing, holds or controls the data, backup compromise removes recovery. Patch, restrict exposure, keep immutable/offline backups.
CMS and web frameworks
Kentico Xperience (a cluster of auth-bypass/RCE bugs), XWiki, Yii framework, Ruby on Rails, Adobe Commerce/Magento (the “CosmicSting” XXE-to-RCE wave), Adobe Experience Manager Forms, OSGeo GeoServer, Grafana, and CWP (Control Web Panel). The CMS/framework-as-perennial-target pattern, with deserialization and upload/injection the usual mechanisms. Patch on an emergency cadence, restrict the admin surface.
Network, security, and monitoring appliances
WatchGuard Firebox (an iked/IKEv2 RCE), Paessler PRTG, N-able N-Central, Versa Concerto, Sierra Wireless AirLink ALEOS, Aviatrix Controllers, Trend Micro Apex One, TeamT5 ThreatSonar, Hikvision devices, AMI MegaRAC (the BMC firmware embedded in many servers, a deep-infrastructure compromise), IGEL OS, HPE OneView, and Quest KACE. The perimeter/management-appliance and security-tool-as-target patterns: these run privileged, face the network, and a compromise is high-leverage. Off the internet, patched fast, tier-zero.
ICS/OT
OpenPLC/ScadaBR, Rockwell products, Trimble Cityworks, Dassault Systèmes DELMIA Apriso (a manufacturing-operations suite), Audinate Dante Discovery, Digiever and GeoVision DVRs/cameras, Smartbedded Meteobridge, and ZKTeco BioTime. Operational-technology and physical-security systems are increasingly in the catalog, often internet-exposed and rarely patched. Segment OT from IT, never expose these to the internet, and treat patching as a safety as well as security issue.
Endpoint and IT management
Motex LANSCOPE, SKYSEA Client View, Omnissa Workspace ONE UEM, ASUS Live Update, Gladinet CentreStack/Triofox (a hardcoded-key-to-RCE wave), Advantive VeraCore, Hitachi Vantara Pentaho, TrueConf, Wazuh Server, and Meta’s WhatsApp (a zero-click). The management-agent-and-platform pattern: privileged software with fleet-wide reach, worth tier-zero treatment.
The point
Eighty products, six categories, and the same mechanisms underneath: deserialization, injection, auth bypass, hardcoded keys, unvalidated uploads; plus the constants, internet exposure and slow patching. The operational program doesn’t scale per-product; it scales per-category:
- Inventory by category (email, file transfer/backup, CMS/web, appliances, OT, management) and apply the category playbook.
- Get management and admin interfaces off the internet across the board, the single highest-leverage control.
- Patch internet-facing and privileged software on an emergency cadence, and retire what’s end-of-life.
- Segment OT and management infrastructure, and keep immutable backups.
- Demand secure defaults and dependency transparency from vendors, because hardcoded keys (Gladinet) and embedded-component bugs keep recurring.
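The five steps above amount to a join between a catalog feed and an asset inventory, with the category deciding the playbook and exposure deciding the cadence. The script below is an added example, not code from the original post or from CISA: it reads a constructed catalog in the shape of the KEV JSON feed (the field names cveID, vendorProject, product, dateAdded and dueDate are the real feed's; the CVE IDs, dates and hosts are placeholders), assigns each matching asset one of the six categories, and ranks the work so that internet-exposed OT and exposed or privileged systems come first. The keyword map and the inventory schema are assumptions a real deployment would replace with its own tags.

```python
"""Category-first triage of KEV-style catalog entries against an asset inventory.

Added example. The catalog below mimics the CISA KEV JSON field names but every
cveID, date and hostname is a constructed placeholder, not a real identifier.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# The six categories from the post, keyed on vendor/product keywords.
# Assumption: a real inventory would carry an explicit category tag instead.
CATEGORY_KEYWORDS = {
    "email": ["roundcube", "mdaemon", "libraesva", "freepbx", "telemessage"],
    "file_transfer_backup": ["wing ftp", "commvault", "nakivo", "recoverpoint", "filezen"],
    "cms_web": ["kentico", "xwiki", "yii", "rails", "magento", "geoserver", "grafana"],
    "appliance": ["firebox", "prtg", "n-central", "versa", "aviatrix", "megarac", "oneview", "kace"],
    "ot": ["openplc", "scadabr", "rockwell", "cityworks", "apriso", "dante", "biotime"],
    "management": ["lanscope", "skysea", "workspace one", "centrestack", "triofox", "wazuh"],
}

# The per-category playbook, condensed from the post.
PLAYBOOK = {
    "email": "patch; admin UI off the internet; treat compromise as account takeover and data exposure",
    "file_transfer_backup": "patch; restrict exposure; verify immutable/offline backups",
    "cms_web": "emergency patch; restrict admin surface",
    "appliance": "off the internet; patch fast; tier-zero handling",
    "ot": "segment from IT; never internet-exposed; patch as a safety issue",
    "management": "tier-zero handling; patch; restrict console exposure",
    "uncategorized": "manual review",
}

# Constructed catalog sample in KEV JSON shape (placeholder IDs and dates).
SAMPLE_CATALOG = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-PLACEHOLDER-1", "vendorProject": "Roundcube", "product": "Webmail",
     "dateAdded": "2025-06-02", "dueDate": "2025-06-23"},
    {"cveID": "CVE-0000-PLACEHOLDER-2", "vendorProject": "WatchGuard", "product": "Firebox",
     "dateAdded": "2025-10-28", "dueDate": "2025-11-18"},
    {"cveID": "CVE-0000-PLACEHOLDER-3", "vendorProject": "OpenPLC", "product": "ScadaBR",
     "dateAdded": "2025-03-10", "dueDate": "2025-03-31"},
    {"cveID": "CVE-0000-PLACEHOLDER-4", "vendorProject": "Commvault", "product": "Command Center",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-19"},
]})

# Constructed inventory; the schema (hostname, vendor, product, flags) is an assumption.
SAMPLE_INVENTORY = [
    {"hostname": "mail-01", "vendor": "Roundcube", "product": "Webmail", "internet_exposed": True, "privileged": False},
    {"hostname": "fw-edge", "vendor": "WatchGuard", "product": "Firebox", "internet_exposed": True, "privileged": True},
    {"hostname": "plc-hmi", "vendor": "OpenPLC", "product": "ScadaBR", "internet_exposed": True, "privileged": True},
    {"hostname": "bkp-01", "vendor": "Commvault", "product": "Command Center", "internet_exposed": False, "privileged": True},
    {"hostname": "dev-box", "vendor": "Contoso", "product": "Notepad", "internet_exposed": False, "privileged": False},
]


def categorize(full_name: str) -> str:
    """Map 'Vendor Product' to one of the six categories by keyword, else 'uncategorized'."""
    name = full_name.lower()
    for category, keywords in CATEGORY_KEYWORDS.items():
        if any(k in name for k in keywords):
            return category
    return "uncategorized"


@dataclass
class Action:
    hostname: str
    product: str
    category: str
    priority: str   # P0: exposed OT, P1: exposed or privileged, P2: everything else
    cve_id: str
    due: str        # catalog due date, used as the tie-breaker within a priority
    playbook: str


def triage(catalog_json: str, inventory: list[dict]) -> list[Action]:
    """Join catalog entries to assets and rank them by exposure, then by due date."""
    by_product: dict[str, list[dict]] = {}
    for entry in json.loads(catalog_json)["vulnerabilities"]:
        key = f"{entry['vendorProject']} {entry['product']}".lower()
        by_product.setdefault(key, []).append(entry)

    actions: list[Action] = []
    for asset in inventory:
        full_name = f"{asset['vendor']} {asset['product']}"
        for entry in by_product.get(full_name.lower(), []):
            category = categorize(full_name)
            if asset["internet_exposed"] and category == "ot":
                priority = "P0"   # the post's "never expose these" case
            elif asset["internet_exposed"] or asset["privileged"]:
                priority = "P1"   # emergency cadence
            else:
                priority = "P2"   # normal cadence, still bound by the catalog due date
            actions.append(Action(asset["hostname"], full_name, category, priority,
                                  entry["cveID"], entry["dueDate"], PLAYBOOK[category]))

    rank = {"P0": 0, "P1": 1, "P2": 2}
    actions.sort(key=lambda a: (rank[a.priority], a.due))
    return actions


def summarize(actions: list[Action]) -> dict[str, int]:
    """Count open actions per category, the view the post argues you should work from."""
    counts: dict[str, int] = {}
    for a in actions:
        counts[a.category] = counts.get(a.category, 0) + 1
    return counts


if __name__ == "__main__":
    for a in triage(SAMPLE_CATALOG, SAMPLE_INVENTORY):
        print(f"{a.priority} {a.hostname:8} {a.category:22} due {a.due}  {a.playbook}")
```

The ordering rule is the point: the catalog's due date only breaks ties inside a priority tier, while the asset's exposure and privilege level, which the catalog cannot know, decide the tier. Swapping the keyword matcher for an inventory tag keeps the rest of the logic unchanged.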
The reframe, one last time across the catalog: you are not defending against a thousand unique vulnerabilities in a thousand products. You are defending a handful of categories against a handful of mechanisms, with internet exposure and patch latency as the constants that decide outcomes. Master that, and the relentless per-vendor CVE stream becomes a manageable, categorized workflow instead of an endless scramble. We read every catalog addition, in every tier, as another instance of patterns you can get ahead of.