Beat
Field Notes
Per-CVE writeups, vendor postmortems, exploitation timelines, and the rest of the operator's week.
Written by Colten Anderson.
Lead story
Analysis · Jun 24, 2026 · Colten Anderson
Five edge and gateway bugs went under active attack in one week. Here is the patch order.
Ivanti Sentry, Splunk, FortiSandbox, Ubiquiti UniFi OS, and Cisco SD-WAN Manager were all under active exploitation in the same seven days.
More from this beat
-
Field Note · Jun 22, 2026 · Colten Anderson
Commvault CVE-2025-34028: upgrading to 11.38.20 is not the whole fix
CVE-2025-34028 gives pre-auth RCE on Commvault Command Center.
-
Analysis · Jun 21, 2026 · Colten Anderson
Arista EOS decapsulates tunnel traffic it was never configured for. No patch is planned.
CVE-2026-7473 lets attackers bypass VXLAN/GRE segmentation on Arista 7000R switches by sending mismatched tunnel protocols.
-
Analysis · Jun 20, 2026 · Colten Anderson
ShinyHunters had 13 days inside PeopleSoft before Oracle said anything
CVE-2026-35273 is a CVSS 9.
-
Analysis · Jun 8, 2026 · Colten Anderson
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.
-
Field Note · Jun 5, 2026 · Colten Anderson
Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule.
-
Field Note · Jun 5, 2026 · Colten Anderson
Promtail is end-of-life: your Loki shipper just lost its support floor
If Promtail still ships your logs to Loki, the agent reading every log file on the host has had no upstream remediation path since March 2, 2026.
-
Field Note · Jun 5, 2026 · Colten Anderson
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essentially now.
-
Analysis · Jun 4, 2026 · Colten Anderson
The GlobalProtect bypass deadline already passed, but you might not be affected
CVE-2026-0257 is a GlobalProtect auth bypass with a KEV deadline that's come and gone.
-
Analysis · Jun 2, 2026 · Colten Anderson
One CERT says it's exploited, Microsoft says it isn't, and you patch anyway
A pre-auth SYSTEM RCE on every domain controller doesn't need an exploitation rumor to earn the top of your patch queue.
-
Field Note · May 29, 2026 · Colten Anderson
Enforcing and proving BitLocker TPM+PIN across an Intune fleet
Requiring a startup PIN is one toggle.
-
Field Note · May 28, 2026 · Colten Anderson
NGINX Rift: four places apt upgrade doesn't reach
The host patch for CVE-2026-42945 shipped on day one.
-
Analysis · May 20, 2026 · Colten Anderson
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop.
-
Analysis · May 20, 2026 · Colten Anderson
Apple, Chrome, Android: the zero-day stream that mostly isn't aimed at you
The catalog's Apple, Google/Chrome, Android, Samsung, and Qualcomm entries are overwhelmingly browser and mobile zero-days, many used by mercenary spyware against specific people.
-
Analysis · May 20, 2026 · Colten Anderson
They read one file off the VPN gateway and left with your whole Active Directory
CVE-2024-24919 is filed as 'information disclosure.
-
Analysis · May 20, 2026 · Colten Anderson
Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager, a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs.
-
Analysis · May 20, 2026 · Colten Anderson
The VPN bug that isn't on the gateway, it's the updater on the laptop
CVE-2020-3433 and CVE-2020-3153 are in the Cisco AnyConnect Windows client, not the VPN gateway.
-
Analysis · May 20, 2026 · Colten Anderson
A 2020 bug leaked VPN passwords. The orgs that survived had MFA.
CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext.
-
Analysis · May 20, 2026 · Colten Anderson
The unlocked side door on your Cisco VPN was the default group nobody configured
CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the NetScaler RCE doesn't tell you if a webshell is already on it
CVE-2023-3519 was an unauthenticated RCE on Citrix NetScaler used as a zero-day to drop webshells.
-
Analysis · May 20, 2026 · Colten Anderson
CitrixBleed: the patch closed the leak but left the stolen keys working
CVE-2023-4966 leaked post-MFA session tokens from NetScaler.
-
Analysis · May 20, 2026 · Colten Anderson
Shitrix: the Citrix bug that taught everyone how fast a perimeter RCE goes from PoC to pandemic
CVE-2019-19781, 'Shitrix,' was a path-traversal RCE in Citrix NetScaler.
-
Analysis · May 20, 2026 · Colten Anderson
22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024.
-
Analysis · May 20, 2026 · Colten Anderson
A mitigation blocks a path. OWASSRF found another door.
After ProxyNotShell, Microsoft told Exchange admins to apply URL-rewrite mitigations while the patch was finished.
-
Field Note · May 20, 2026 · Colten Anderson
F5 CVE-2023-46747: the backend trusted a header that said 'I'm already an admin'
The Tomcat backend behind F5's config utility trusted a remote_user header as proof of authentication, assuming only the front-end could set it.
-
Field Note · May 20, 2026 · Colten Anderson
FortiClient EMS CVE-2023-48788: a SQL injection that talks the database into running SYSTEM commands
When a product runs on Microsoft SQL Server, a SQL injection is rarely just a data leak.
-
Analysis · May 20, 2026 · Colten Anderson
Fortinet's other products take their turn: FortiWeb, FortiManager, FortiClient EMS
Beyond the long-running FortiOS auth-bypass cycle, 2025-2026 brought a wave of exploited bugs in FortiWeb, FortiManager, and FortiClient EMS, SQL injection, path traversal, auth bypass, and a format-string RCE.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the Fortinet auth bypass doesn't remove the admin account the attacker added
CVE-2022-40684 let unauthenticated attackers act as administrator on FortiOS, FortiProxy, and FortiSwitchManager by spoofing trusted headers.
-
Analysis · May 20, 2026 · Colten Anderson
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver.
-
Analysis · May 20, 2026 · Colten Anderson
The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock
Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware.
-
Analysis · May 20, 2026 · Colten Anderson
Ivanti Endpoint Manager: the management server that can be coerced into handing over credentials
CVE-2024-13159, 13160, and 13161 are path-traversal/credential-coercion flaws in Ivanti Endpoint Manager that let an attacker make the EPM server authenticate to them and relay it.
-
Field Note · May 20, 2026 · Colten Anderson
Jenkins CVE-2024-23897: from 'limited file read' to your secret key
The KEV entry calls it 'limited read access to certain files.
-
Field Note · May 20, 2026 · Colten Anderson
Laravel CVE-2021-3129: the RCE that only fires when debug mode is on in production
CVE-2021-3129 is unauthenticated remote code execution in Laravel's Ignition error page.
-
Analysis · May 20, 2026 · Colten Anderson
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear.
-
Analysis · May 20, 2026 · Colten Anderson
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016.
-
Analysis · May 20, 2026 · Colten Anderson
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws.
-
Analysis · May 20, 2026 · Colten Anderson
OMIGOD: an unauth root RCE in an agent you didn't know Azure installed
CVE-2021-38647 is an unauthenticated remote code execution as root in the OMI agent.
-
Analysis · May 20, 2026 · Colten Anderson
A CVSS 10 that hinged on one unchecked box: 'Validate Identity Provider Certificate'
CVE-2020-2021 let attackers bypass authentication on Palo Alto firewalls and VPNs using SAML, but only when one option was disabled: 'Validate Identity Provider Certificate.
-
Analysis · May 20, 2026 · Colten Anderson
Palo Alto GlobalProtect CVE-2019-1579: another VPN gateway, another pre-auth RCE
CVE-2019-1579 was a pre-authentication remote code execution in Palo Alto's GlobalProtect SSL-VPN.
-
Analysis · May 20, 2026 · Colten Anderson
2017's other wormable file-share RCE, the one nobody remembers, is still on your NAS
Everyone remembers EternalBlue tearing through Windows SMB in 2017.
-
Analysis · May 20, 2026 · Colten Anderson
The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.
-
Analysis · May 20, 2026 · Colten Anderson
A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter
The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint.
-
Analysis · May 20, 2026 · Colten Anderson
SolarWinds Serv-U: a state actor's zero-day in yet another file-transfer product
CVE-2021-35211 was a zero-day RCE in SolarWinds Serv-U, exploited by a China-nexus actor weeks after the SUNBURST headlines faded.
-
Analysis · May 20, 2026 · Colten Anderson
2021 was open season on SonicWall's appliances, remote access and email alike
In 2021, SonicWall's SMA/SRA remote-access appliances and its Email Security product were both hit by zero-day exploitation, by ransomware crews and APTs.
-
Analysis · May 20, 2026 · Colten Anderson
Akira's favorite front door is a SonicWall SSL-VPN, and it's fast
Three SonicWall bugs, CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006, feed the same outcome: Akira ransomware through the SSL-VPN.
-
Analysis · May 20, 2026 · Colten Anderson
SysAid customers got the patch the same week they learned they were already breached
CVE-2023-47246 was a SysAid zero-day before it was a CVE.
-
Analysis · May 20, 2026 · Colten Anderson
The backup agent on every server was ALPHV's way in
Veritas Backup Exec's agent listens on every machine it backs up.
-
Analysis · May 20, 2026 · Colten Anderson
The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate.
-
Analysis · May 20, 2026 · Colten Anderson
Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws, storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver.
-
Analysis · May 20, 2026 · Colten Anderson
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks.
-
Analysis · May 20, 2026 · Colten Anderson
The Print Spooler keeps getting exploited. The fix is usually to turn it off.
PrintNightmare wasn't one bug.
-
Analysis · May 20, 2026 · Colten Anderson
WSO2 CVE-2022-29464: an upload bug on the box that brokers your APIs and logins
CVE-2022-29464 is an unauthenticated file-upload-to-RCE in WSO2 products.
-
Analysis · May 20, 2026 · Colten Anderson
A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router.
-
Analysis · May 19, 2026 · Colten Anderson
YellowKey is unpatched and your travel laptops are exposed today
A public PoC, a TPM-only default, and no patch in sight.
-
Analysis · May 18, 2026 · Colten Anderson
KB5089549 fails at 35% because your ESP is full
May's Windows 11 cumulative dies at the boot-file write step on machines with under 10 MB free in the EFI System Partition.
-
Analysis · May 18, 2026 · Colten Anderson
Apple's May Wi-Fi kernel bug is bad, but it's probably not Broadpwn
CVE-2026-28819 gets kernel code execution on macOS, but Apple's wording points at a local-app trigger, not a rogue access point.
-
Analysis · May 17, 2026 · Colten Anderson
Dead.Letter is a Debian and Ubuntu problem, and the popular workaround is wrong
Exim 4.
-
Analysis · May 15, 2026 · Colten Anderson
When breaking the maintenance window is cheaper than waiting
The change board exists to make change safer, not slower.
-
Field Note · May 15, 2026 · Colten Anderson
A defensible software inventory you can build with the tools you already have
PowerShell, dpkg, system_profiler, Nmap, and a git repo will produce a weekly software inventory that joins cleanly against the CISA KEV catalog.
-
Field Note · May 15, 2026 · Colten Anderson
Patching Windows when your test ring is two laptops
Microsoft's deployment-ring guidance was written for orgs where 5% of the fleet is dozens of machines.
-
Field Note · May 15, 2026 · Colten Anderson
Recovering from a bad Intune deployment without making it worse
Stop the spread, unwind the damage, verify it took.
-
Field Note · May 15, 2026 · Colten Anderson
A 30-minute Patch Tuesday triage you can actually run
How to get from 150 CVEs to the 4-8 that change your week, using only public signals and a clock.
-
Field Note · May 15, 2026 · Colten Anderson
Nine PowerShell checks before you trust a Windows host
A short, native-PowerShell audit a Windows admin can run on any host in about ten minutes.
-
Analysis · May 14, 2026 · Colten Anderson
Fragnesia is the patch you already deployed, bypassed
If you rolled the Dirty Frag kernel update last week and called it done, your fleet is exposed again.
-
Analysis · May 11, 2026 · Colten Anderson
The .de outage was a TLD postmortem, not a patch you missed
DENIC's signing pipeline shipped two-thirds bad signatures during a routine ZSK rotation on May 5.
-
Analysis · May 11, 2026 · Colten Anderson
Kubernetes 1.36 is the upgrade that quietly rewrites your RBAC
The headline features in 1.
-
Analysis · May 8, 2026 · Colten Anderson
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.
-
Analysis · May 8, 2026 · Colten Anderson
Qlik patched the smuggling bug, then Praetorian beat it with one extra letter
On August 29, 2023, Qlik shipped a literal-string filter for chunked transfer encoding.
-
Analysis · May 8, 2026 · Colten Anderson
Mitel MiCollab keeps shipping the same path-traversal bug class
watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day.
-
Analysis · May 8, 2026 · Colten Anderson
Your LiteLLM proxy needs to be on 1.83.10 by May 11
CISA gave a three-day deadline on a pre-auth SQL injection in LiteLLM.
-
Analysis · May 8, 2026 · Colten Anderson
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector.
-
Analysis · May 8, 2026 · Colten Anderson
Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it.
-
Analysis · May 8, 2026 · Colten Anderson
Ivanti EPMM has produced a confirmed zero-day every year since 2023. Here's the full chain.
Twelve CVEs.
-
Analysis · May 7, 2026 · Colten Anderson
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor.
-
Analysis · May 6, 2026 · Colten Anderson
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023.
-
Analysis · May 6, 2026 · Colten Anderson
CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.
-
Analysis · May 6, 2026 · Colten Anderson
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years.
-
Analysis · May 6, 2026 · Colten Anderson
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped.
-
Analysis · May 6, 2026 · Colten Anderson
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks.
-
Analysis · May 5, 2026 · Colten Anderson
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist.
-
Analysis · May 5, 2026 · Colten Anderson
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere?
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.
-
Analysis · May 5, 2026 · Colten Anderson
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers.
-
Analysis · May 5, 2026 · Colten Anderson
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers.
-
Analysis · May 5, 2026 · Colten Anderson
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations.
-
Analysis · May 5, 2026 · Colten Anderson
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back.
-
Analysis · May 5, 2026 · Colten Anderson
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday.
-
Analysis · May 5, 2026 · Colten Anderson
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable.
-
Analysis · May 5, 2026 · Colten Anderson
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.
-
Analysis · May 5, 2026 · Colten Anderson
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API.
-
Analysis · May 5, 2026 · Colten Anderson
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API.
-
Analysis · May 5, 2026 · Colten Anderson
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days.
-
Analysis · May 3, 2026 · Colten Anderson
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.
-
Analysis · May 3, 2026 · Colten Anderson
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.
-
Analysis · May 1, 2026 · Colten Anderson
Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11.
-
Analysis · May 1, 2026 · Colten Anderson
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited.
-
Field Note · May 1, 2026 · Colten Anderson
Patch CVE-2026-40372, then rotate the keys
The ASP.
-
Analysis · Apr 30, 2026 · Colten Anderson
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests.