Commentary

Lead story

Analysis · Jun 22, 2026 · Colten Anderson

CVE-2026-45657: 'Exploitation Less Likely' Is Not a Patch Window

Microsoft's June kernel use-after-free is wormable, CVSS 9.

More from this beat

• Analysis · Jun 20, 2026 · Colten Anderson

  GeoServer CVE-2024-36401: The Map Nobody Owned

  A CVSS 9.

• Analysis · Jun 19, 2026 · Colten Anderson

  Your vuln scanner is looking for OpenSSH. The exploited bug is in Erlang.

  CVE-2025-32433 is a CVSS 10.

• Analysis · Jun 18, 2026 · Colten Anderson

  Two Struts CVEs, one incomplete fix, and the enterprise Java visibility problem

  CVE-2023-50164 and CVE-2024-53677 hit the same file upload component in Apache Struts, a year apart.

• Analysis · Jun 18, 2026 · Colten Anderson

  Patching Ivanti Sentry Closes the Door. It Doesn't Evict the Guest.

  Shadowserver found backdoored Ivanti Sentry instances within 48 hours of the PoC and said the rest are most likely compromised.

• Analysis · Jun 17, 2026 · Colten Anderson

  regreSSHion proved 'hard to exploit' is not a patch window

  CVE-2024-6387 got filed under 'low priority' because it's slow on 64-bit.

• Analysis · Jun 16, 2026 · Colten Anderson

  Juniper Junos OS has six KEV entries and two separate attack surfaces

  Five CVSS 5.

• Analysis · Jun 16, 2026 · Colten Anderson

  A model was pulled for being too good at finding bugs

  Anthropic shipped Claude Fable 5 and Mythos 5, then a federal directive killed both four days later.

• Analysis · Jun 5, 2026 · Colten Anderson

  Two AWS bugs you'd never have heard about, and the fix was yours

  AWS disclosed two SageMaker SDK flaws on its own bulletins page.

• Analysis · Jun 5, 2026 · Colten Anderson

  Your Azure CLI session has an MFA exemption you never asked for

  Two Entra Conditional Access changes land in the same fortnight, and they're the lead evidence in a longer story: Microsoft is closing the identity opt-outs orgs have leaned on for years.

• Analysis · Jun 3, 2026 · Colten Anderson

  Three CVEs keep getting called the Nx attack, and only one of them is this one

  An 18-minute window on the VS Code marketplace ended with 3,800 of GitHub's own repositories copied.

• Analysis · May 29, 2026 · Colten Anderson

  Gogs has a critical RCE and no one is coming to fix it

  Rapid7 found a push-button remote code execution flaw in Gogs, shipped a Metasploit module with it, and ran 72 days from report to publication with no patch and two months of maintainer silence.

• Analysis · May 29, 2026 · Colten Anderson

  Palo Alto's third edge zero-day in two years rhymes with the first two

  CISA's federal deadline for CVE-2026-0300 landed four days before a patch existed.

• Analysis · May 28, 2026 · Colten Anderson

  GlassWorm's botnet is down, but the technique it proved still works

  CrowdStrike, Google, and Shadowserver knocked out all four C2 channels at once.

• Analysis · May 28, 2026 · Colten Anderson

  Ingress-nginx got archived in March. The first critical CVE arrived in May.

  The Kubernetes community archived ingress-nginx seven weeks before an 18-year-old heap overflow dropped in the NGINX core it ships.

• Analysis · May 28, 2026 · Colten Anderson

  The print stack regresses on schedule

  KB5087424 broke 32-bit printing on Windows Server 2022 hotpatch fleets.

• Analysis · May 27, 2026 · Colten Anderson

  Hotpatch was supposed to be the smoother path

  KB5087424 broke 32-bit printing on Windows Server 2022, and the no-reboot delivery model that was supposed to reduce friction has no fix path that doesn't surrender the security content.

• Analysis · May 25, 2026 · Colten Anderson

  Microsoft patched a SYSTEM bug in 2020. It still works in 2026.

  A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shell is a driver you cannot turn off.

• Analysis · May 25, 2026 · Colten Anderson

  SonicWall patched CVE-2024-12802 and left the bug in place on Gen6

  The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses.

• Analysis · May 24, 2026 · Colten Anderson

  The patch window went negative. Now what?

  Mandiant's mean time-to-exploit is negative seven days.

• Analysis · May 22, 2026 · Colten Anderson

  Your antivirus runs as SYSTEM, and that's the whole story

  Two actively-exploited Defender zero-days look like 'the AV is broken.

• Analysis · May 20, 2026 · Colten Anderson

  Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box

  The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started.

• Analysis · May 20, 2026 · Colten Anderson

  Your attack surface isn't just port 443

  CVE-2023-46604 is a perfect-10 RCE in Apache ActiveMQ.

• Analysis · May 20, 2026 · Colten Anderson

  Adobe ColdFusion has been getting popped the same ways for 15 years

  The KEV catalog holds a long run of ColdFusion bugs: deserialization RCEs, access-control bypasses, and file uploads, from 2013 to 2024.

• Analysis · May 20, 2026 · Colten Anderson

  Apache HTTP Server 2.4.49: a path-traversal fix that needed a second fix

  CVE-2021-41773 was a path traversal in Apache httpd 2.

• Analysis · May 20, 2026 · Colten Anderson

  Insecure deserialization isn't a Java problem. Ask Ruby's YAML.load.

  CVE-2022-47986 is a pre-auth RCE in IBM Aspera Faspex from a single call to YAML.

• Analysis · May 20, 2026 · Colten Anderson

  CISA just gave the Conficker bug a 2026 deadline

  Five of the seven CVEs CISA added on May 20 are 2008–2010 fossils, including MS08-067 and Operation Aurora.

• Analysis · May 20, 2026 · Colten Anderson

  A new critical Confluence RCE stopped being news. That's the problem.

  CVE-2022-26134, CVE-2023-22515, CVE-2023-22518, CVE-2023-22527: Atlassian Confluence Server and Data Center has been mass-exploited so many times that the headline repeats.

• Analysis · May 20, 2026 · Colten Anderson

  When the build tool, the GitHub Action, and sudo are the vulnerability

  tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery.

• Analysis · May 20, 2026 · Colten Anderson

  The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed

  Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools, Langflow, n8n, Marimo, Trivy, Livewire.

• Analysis · May 20, 2026 · Colten Anderson

  An uploaded filename is attacker input. dotCMS forgot, and got a webshell.

  CVE-2022-26352 is a directory traversal in dotCMS's upload API: the filename in a multipart request wasn't sanitized, so '.

• Analysis · May 20, 2026 · Colten Anderson

  Drupalgeddon: when a data structure is allowed to name a function to call

  Drupal's Form API lets a renderable array carry a callback, that's a feature.

• Analysis · May 20, 2026 · Colten Anderson

  The same handful of mechanisms account for most of the catalog

  After the marquee bugs, Tier 1's remaining entries, DotNetNuke, ForgeRock, BQE, Sophos, Tomcat, Citrix ShareFile, SAP, Quest, Atlassian Crowd, Exim, Cisco ASA, Office, don't introduce new lessons.

• Analysis · May 20, 2026 · Colten Anderson

  The year on-premise Exchange became the most-attacked software on earth

  ProxyLogon and ProxyShell turned 2021 into open season on Exchange Server.

• Analysis · May 20, 2026 · Colten Anderson

  The F5 auth bypass that fit in one header: Connection: X-F5-Auth-Token

  CVE-2022-1388 let unauthenticated attackers run commands as root on F5 BIG-IP by abusing hop-by-hop header handling.

• Analysis · May 20, 2026 · Colten Anderson

  Content-process only is one bug short of game over

  CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process.

• Analysis · May 20, 2026 · Colten Anderson

  Everyone hardened against macros. Follina didn't use one.

  CVE-2022-30190 (Follina) ran code from a Word document with no macro at all, by abusing a Windows URL protocol handler to invoke the Support Diagnostic Tool.

• Analysis · May 20, 2026 · Colten Anderson

  The 'test connection' button that mails your stored credentials to an attacker

  CVE-2018-13374 lets an attacker recover the LDAP bind credentials stored in a FortiGate by pointing its LDAP connectivity test at a rogue server.

• Analysis · May 20, 2026 · Colten Anderson

  The ransomware that brought a signed driver to switch off the rule against unsigned drivers

  In 2020, RobbinHood became the first ransomware seen shipping a legitimately-signed GIGABYTE driver, exploiting it to disable Windows driver-signature enforcement, then loading its own unsigned driver to kill security software from the kernel.

• Analysis · May 20, 2026 · Colten Anderson

  GitLab CVE-2021-22205: the upload that ran code through an image parser

  CVE-2021-22205 is an unauthenticated RCE in GitLab, but the bug wasn't really in GitLab.

• Analysis · May 20, 2026 · Colten Anderson

  When a vulnerability is shaped exactly like a backdoor

  CVE-2021-44529 triggers when you send Ivanti's appliance a cookie that says 'ab' followed by base64 the server decodes and runs.

• Analysis · May 20, 2026 · Colten Anderson

  Compromise one MSP's RMM, ransom a thousand businesses: the Kaseya pattern

  Kaseya VSA is remote-monitoring software MSPs use to manage thousands of client machines.

• Analysis · May 20, 2026 · Colten Anderson

  The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.

  CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE.

• Analysis · May 20, 2026 · Colten Anderson

  The Linux firewall bug your users can reach because you gave them a private root

  CVE-2024-1086 is an nf_tables use-after-free that hands a local user root.

• Analysis · May 20, 2026 · Colten Anderson

  Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.

  CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021.

• Analysis · May 20, 2026 · Colten Anderson

  Turning on SSO turned on the vulnerability, and turning it back off didn't help

  CVE-2022-47966 gave unauthenticated RCE across two dozen ManageEngine products, but only where SAML single sign-on was enabled.

• Analysis · May 20, 2026 · Colten Anderson

  The most dangerous server in the hospital is the one nobody can name

  Mirth Connect moves patient records between systems and runs with high privileges, and a lot of installs sit on the open internet.

• Analysis · May 20, 2026 · Colten Anderson

  Lorenz ransomware's way in was the phone system

  In 2022, Lorenz ransomware breached corporate networks through a Mitel MiVoice Connect appliance, the VoIP system, using CVE-2022-29499 as a zero-day.

• Analysis · May 20, 2026 · Colten Anderson

  You can be the victim of a vulnerability in software you don't run

  Most of the 90-plus million people whose data Cl0p stole through MOVEit had never heard of it, and their data leaked through payroll firms and service bureaus, not their own systems.

• Analysis · May 20, 2026 · Colten Anderson

  The tool that audits everything runs as SYSTEM everywhere. That cuts both ways.

  CVE-2022-31199 is unauthenticated RCE as SYSTEM in Netwrix Auditor, and it hits the server and the agents on every monitored system.

• Analysis · May 20, 2026 · Colten Anderson

  noPac: any domain user to Domain Admin, no exploit code required

  CVE-2021-42278 and CVE-2021-42287 chain into 'noPac,' which takes a standard domain user to Domain Admin in about one command.

• Analysis · May 20, 2026 · Colten Anderson

  Known exploited, no patch: what to do in the weeks before a fix exists

  When Microsoft disclosed CVE-2023-36884, it was already being used by a Russian group against governments, and there was no patch for weeks.

• Analysis · May 20, 2026 · Colten Anderson

  Your ERP is on the internet, and it's the system that cuts the checks

  Security programs treat ERP as 'internal.

• Analysis · May 20, 2026 · Colten Anderson

  PetitPotam: make a domain controller authenticate to you, relay it, own the domain

  CVE-2021-36942 lets an attacker coerce a Windows machine, including a domain controller, into authenticating to them.

• Analysis · May 20, 2026 · Colten Anderson

  A soft hyphen reopened a bug PHP closed in 2012

  CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw.

• Analysis · May 20, 2026 · Colten Anderson

  PHP-FPM CVE-2019-11043: an RCE that depended on a copy-pasted nginx config

  CVE-2019-11043 is a remote code execution bug in PHP-FPM, but it only fires on a specific nginx configuration, one that circulated widely in tutorials and got copy-pasted into production everywhere.

• Analysis · May 20, 2026 · Colten Anderson

  DeadBolt skipped the network intrusion and just encrypted the NAS directly

  Most ransomware has to break in, escalate, and spread before it encrypts anything.

• Analysis · May 20, 2026 · Colten Anderson

  Why ransomware crews love a backup server twice over

  CVE-2022-36537 is a ZK Framework bug that handed attackers ConnectWise R1Soft backup servers.

• Analysis · May 20, 2026 · Colten Anderson

  The other half of the ScreenConnect chain just got a 2026 deadline

  CVE-2024-1709 got the CVSS 10 and the headlines in February 2024.

• Analysis · May 20, 2026 · Colten Anderson

  Sitecore CVE-2021-42237: another .NET deserialization RCE in a CMS you forgot was internet-facing

  CVE-2021-42237 is an insecure-deserialization RCE in Sitecore XP.

• Analysis · May 20, 2026 · Colten Anderson

  The SolarWinds crew spent late 2023 breaking into build servers. That's not a coincidence.

  CVE-2023-42793 is an unauthenticated RCE on JetBrains TeamCity.

• Analysis · May 20, 2026 · Colten Anderson

  There's no vendor to patch this one. The vulnerable code is inside an app you built.

  CVE-2017-11357 is a file-upload-to-RCE flaw in the Telerik UI component.

• Analysis · May 20, 2026 · Colten Anderson

  A User-Agent string is not authentication, but TerraMaster's NAS treated it like one

  To pull the admin password off a TerraMaster NAS, you sent a request with the header User-Agent: TNAS.

• Analysis · May 20, 2026 · Colten Anderson

  The 2024–2026 enterprise-infra bugs, grouped by the mistake that caused them

  Oracle WebLogic, SolarWinds Web Help Desk, Citrix Session Recording, Juniper ScreenOS, Outlook, VMware Aria, Brocade, Junos, and more.

• Analysis · May 20, 2026 · Colten Anderson

  The 2025 long tail: same six categories, eighty different products

  Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa.

• Analysis · May 20, 2026 · Colten Anderson

  Ransomware crews keep hitting Veeam for the same two reasons

  Four Veeam Backup & Replication CVEs feed the same playbook.

• Analysis · May 20, 2026 · Colten Anderson

  ESXi handed out admin to a group named 'ESX Admins' and never checked who made it

  CVE-2024-37085 is an auth bypass where domain-joined ESXi grants full control to any member of a group called 'ESX Admins,' without verifying the group is legitimate.

• Analysis · May 20, 2026 · Colten Anderson

  Server-side template injection: when the page renderer runs the attacker's code

  CVE-2022-22954 is a template-injection bug in VMware Workspace ONE Access.

• Analysis · May 20, 2026 · Colten Anderson

  A browser bug, sold as a weapon, pointed at journalists

  CVE-2022-2294 was a heap overflow in WebRTC, the real-time-comms code inside Chrome and other browsers.

• Analysis · May 20, 2026 · Colten Anderson

  A clickable link in a SYSTEM dialog is a SYSTEM shell waiting to happen

  CVE-2019-1388 turned a hyperlink in the UAC certificate dialog into a path to NT AUTHORITY\SYSTEM.

• Analysis · May 20, 2026 · Colten Anderson

  The same crew beat the same defense twice in three months. The patch was the problem.

  CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures.

• Analysis · May 20, 2026 · Colten Anderson

  Lazarus didn't bring a vulnerable driver. They used the one already on every Windows PC.

  The standard defense against driver-based kernel attacks is a blocklist of known-bad drivers.

• Analysis · May 20, 2026 · Colten Anderson

  The warning your careful users count on, that quietly never fired

  CVE-2024-21412 bypasses Windows SmartScreen with a shortcut inside a shortcut.

• Analysis · May 20, 2026 · Colten Anderson

  The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.

  CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day.

• Analysis · May 20, 2026 · Colten Anderson

  The boring privilege-escalation bug is the one that finishes the job

  CVE-2024-30088 is a local Windows kernel race condition.

• Analysis · May 20, 2026 · Colten Anderson

  The user opened a JPG they could see in the archive. A RAT installed behind it.

  CVE-2023-38831 weaponizes the one thing you tell users is safe: opening a file they can see.

• Analysis · May 20, 2026 · Colten Anderson

  When the catalog says 'authenticated' and the researcher says it isn't

  The KEV entry for CVE-2023-40044 calls it an authenticated attack.

• Analysis · May 20, 2026 · Colten Anderson

  Zerologon: a crypto mistake that hands over the domain in seconds

  CVE-2020-1472 is a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset its machine-account password to empty, becoming domain admin.

• Analysis · May 20, 2026 · Colten Anderson

  The Zimbra bug that infected the mail server when it scanned the attachment

  In 2022, Zimbra Collaboration Suite got hammered by a cluster of bugs.

• Analysis · May 18, 2026 · Colten Anderson

  5 Ways GitHub Spent April Lighting Itself On Fire

  GitHub logged ten separate outages in one month, including one fixed by turning DNS off and on again.

• Analysis · May 18, 2026 · Colten Anderson

  A valid signature is not a vouch

  For 27 days the official DAEMON Tools installer carried a clean Disc Soft signature and a backdoor.

• Analysis · May 18, 2026 · Colten Anderson

  Microsoft titled it Spoofing. It's session hijacking.

  CVE-2026-42897 is the first real test of Exchange Server Subscription Edition's new servicing model.

• Analysis · May 17, 2026 · Colten Anderson

  Three CitrixBleeds in 30 months is not a streak, it is a code surface

  CVE-2026-3055 is the third pre-auth memory disclosure in NetScaler's authentication stack in 30 months.

• Analysis · May 17, 2026 · Colten Anderson

  The malware was signed. The signature was real. The package was poison.

  TanStack's npm release pipeline published 84 malicious package versions with valid SLSA provenance.

• Analysis · May 15, 2026 · Colten Anderson

  The patch ring math stops working at fifty endpoints

  Enterprise ring guidance assumes a fleet big enough that 5% is a meaningful sample.

• Analysis · May 14, 2026 · Colten Anderson

  Rapid7 found a second CVSS 10 in Cisco SD-WAN while researching the first

  Two unauthenticated auth bypasses in the same Cisco vdaemon in under three months, both being exploited by the same actor that has been sitting in critical-infrastructure fabrics since 2023.

• Analysis · May 14, 2026 · Colten Anderson

  Vercel shipped the framework. You're shipping the patch

  CVE-2026-44578 is a CVSS 8.

• Analysis · May 14, 2026 · Colten Anderson

  Does this CVE actually apply to you? Three filters before you patch

  Single-score triage fails in both directions: 10.

• Analysis · May 13, 2026 · Colten Anderson

  Daybreak shipped without a single number of its own

  OpenAI announced an end-to-end vulnerability detection and patching platform on May 12, then borrowed every performance figure from its predecessors.

• Analysis · May 12, 2026 · Colten Anderson

  What 14 days of TeamPCP told us about registry defense in 2026

  Five compromises across two ecosystems in six weeks, then a 169-package npm wave on May 11.

• Analysis · May 11, 2026 · Colten Anderson

  Cisco is now telling you the patch doesn't clean the box

  Cisco's April 23 PSIRT advisory says the ArcaneDoor implant survives upgrading to the September 2025 fixes for CVE-2025-20333 and CVE-2025-20362.

• Analysis · May 11, 2026 · Colten Anderson

  The CVSS 4.3 that APT28 was already using

  Microsoft shipped the fix for CVE-2026-32202 without an exploitation flag while Russian state actors had a five-month head start.

• Analysis · May 10, 2026 · Colten Anderson

  Array Networks patched in a week and forgot to build a security program

  CVE-2023-28461 is a CVSS 9.

• Analysis · May 10, 2026 · Colten Anderson

  The seven-year gap is the story, not the CVE

  Microsoft patched CVE-2018-8639 in December 2018.

• Analysis · May 10, 2026 · Colten Anderson

  The second bug is the easy one now

  Two unrelated actors weaponized the same Task Scheduler zero-day at the same time.

• Analysis · May 10, 2026 · Colten Anderson

  Zyxel patched CVE-2024-11667 in September. They named it in November

  The fix shipped on September 3, 2024.

• Analysis · May 10, 2026 · Colten Anderson

  SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak

  SimpleHelp shipped a fix in seven days from full disclosure.

• Analysis · May 8, 2026 · Colten Anderson

  Five critical Fortinet CVEs in 28 months is not a streak of bad luck

  Three heap overflows, two auth bypasses, all pre-auth, all ransomware-linked.

• Analysis · May 8, 2026 · Colten Anderson

  Three root shells in seven months. All from the same firewall.

  CVE-2024-3400, CVE-2024-0012, and CVE-2024-9474 gave attackers unauthenticated root on Palo Alto firewalls twice in 2024.

• Analysis · May 8, 2026 · Colten Anderson

  Ivanti Connect Secure: the perimeter that keeps breaking

  Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all on the unauthenticated path.

• Analysis · May 4, 2026 · Colten Anderson

  Three hours was the good outcome: npm's trust model and the Axios compromise

  A DPRK threat actor backdoored two Axios versions on npm.

• Analysis · May 3, 2026 · Colten Anderson

  50 CVEs in 18 months is not a growing pain. It's a design choice the industry keeps making.

  MCP went from unknown to default AI integration in under two years.

• Analysis · May 3, 2026 · Colten Anderson

  Spirit Airlines is dead. Its attack surface isn't.

  The security story isn't that an airline went bankrupt.

• Analysis · May 1, 2026 · Colten Anderson

  The security work that landed on ops

  Cloud shared responsibility, compliance mandates, and insecure defaults have quietly moved security execution onto ops teams that were never staffed for it.

• Analysis · May 1, 2026 · Colten Anderson

  People problems wearing a server badge

  The sysadmin job was sold as infrastructure.

• Analysis · May 1, 2026 · Colten Anderson

  Microsoft: the Patch Day cinematic universe

  Licensing, patches, email blocking, Copilot, Recall, Windows replacement.

• Analysis · May 1, 2026 · Colten Anderson

  The feedback loop is broken

  Executives keep making the same categories of bad IT decisions because the consequences land on operators, not decision-makers.

• Analysis · May 1, 2026 · Colten Anderson

  Your security vendor's AI isn't making you safer. It's making you tired.

  76% of cybersecurity professionals say the AI landscape is overwhelmed by overpromotion.

• Analysis · May 1, 2026 · Colten Anderson

  The most dangerous sentence in a code comment is 'this should never happen'

  From Therac-25 to CrowdStrike, the same pattern keeps producing catastrophic failures: an engineer reasons that a condition is impossible, skips the guard, and the system outgrows the assumption.

• Analysis · May 1, 2026 · Colten Anderson

  The same LDAP injection, in two firewalls, in the same month

  OPNsense shipped a textbook LDAP filter injection that hid for eleven years.

• Analysis · May 1, 2026 · Colten Anderson

  The Vercel breach is the Heroku/Travis CI playbook, rerun through an AI tool

  A compromised OAuth token at a small AI productivity company gave attackers a path into Vercel's internal systems.

• Analysis · May 1, 2026 · Colten Anderson

  Anthropic's MCP gives every downstream app unauthenticated RCE, and they called it expected behavior

  The Model Context Protocol's STDIO transport passes user input directly into subprocess execution with no sanitization.

• Analysis · May 1, 2026 · Colten Anderson

  Windows Defender is the attack surface now, and two of the three exploits don't have patches

  Three tools dropped in April turn Defender's own privileged operations into privilege escalation and detection evasion.

• Field Note · Apr 29, 2026 · Colten Anderson

  Best practices for patch prioritization in a hybrid environment: start with business impact

  Severity scores tell you which CVE is nastiest.

• Analysis · Apr 28, 2026 · Colten Anderson

  What patching looks like when you support the whole mess: endpoints, M365, identity, browsers, VPN, and line-of-business tools

  Patching isn't Windows Updates anymore.

• Field Note · Apr 28, 2026 · Colten Anderson

  Patch now, patch later, ignore for now: the triage model real IT teams actually need

  A three-bucket triage model for sysadmins who don't own a vulnerability scanner and aren't going to buy one.

• Analysis · Apr 28, 2026 · Colten Anderson

  Why most patch summaries fail the people who actually have to do the work

  Vendor advisories are written for completeness.