Field Notes
Per-CVE writeups, vendor postmortems, exploitation timelines, and the rest of the operator's week.
The Field Notes Desk.
Lead story
Analysis · May 11, 2026 · The Field Notes Desk
The .de outage was a TLD postmortem, not a patch you missed
DENIC's signing pipeline shipped two-thirds bad signatures during a routine ZSK rotation on May 5.
More from this beat
-
Analysis · May 11, 2026 · The Field Notes Desk
Kubernetes 1.36 is the upgrade that quietly rewrites your RBAC
The headline features in 1.
-
Analysis · May 8, 2026 · The Field Notes Desk
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.
-
Analysis · May 8, 2026 · The Field Notes Desk
Qlik patched the smuggling bug, then Praetorian beat it with one extra letter
On August 29, 2023, Qlik shipped a literal-string filter for chunked transfer encoding.
-
Analysis · May 8, 2026 · The Field Notes Desk
Mitel MiCollab keeps shipping the same path-traversal bug class
watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day.
-
Analysis · May 8, 2026 · The Field Notes Desk
Your LiteLLM proxy needs to be on 1.83.10 by May 11
CISA gave a three-day deadline on a pre-auth SQL injection in LiteLLM.
-
Analysis · May 8, 2026 · The Field Notes Desk
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector.
-
Analysis · May 8, 2026 · The Field Notes Desk
Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it.
-
Analysis · May 8, 2026 · The Field Notes Desk
Ivanti EPMM has produced a confirmed zero-day every year since 2023. Here's the full chain.
Twelve CVEs.
-
Analysis · May 7, 2026 · The Field Notes Desk
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor.
-
Analysis · May 6, 2026 · The Field Notes Desk
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023.
-
Analysis · May 6, 2026 · The Field Notes Desk
CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.
-
Analysis · May 6, 2026 · The Field Notes Desk
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years.
-
Analysis · May 6, 2026 · The Field Notes Desk
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped.
-
Analysis · May 6, 2026 · The Field Notes Desk
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks.
-
Analysis · May 5, 2026 · The Field Notes Desk
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist.
-
Analysis · May 5, 2026 · The Field Notes Desk
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere?
-
Analysis · May 5, 2026 · The Field Notes Desk
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.
-
Analysis · May 5, 2026 · The Field Notes Desk
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers.
-
Analysis · May 5, 2026 · The Field Notes Desk
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers.
-
Analysis · May 5, 2026 · The Field Notes Desk
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations.
-
Analysis · May 5, 2026 · The Field Notes Desk
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back.
-
Analysis · May 5, 2026 · The Field Notes Desk
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday.
-
Analysis · May 5, 2026 · The Field Notes Desk
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable.
-
Analysis · May 5, 2026 · The Field Notes Desk
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.
-
Analysis · May 5, 2026 · The Field Notes Desk
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days.
-
Analysis · May 5, 2026 · The Field Notes Desk
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API.
-
Analysis · May 5, 2026 · The Field Notes Desk
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15.
-
Analysis · May 5, 2026 · The Field Notes Desk
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API.
-
Analysis · May 5, 2026 · The Field Notes Desk
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days.
-
Analysis · May 3, 2026 · The Field Notes Desk
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.
-
Analysis · May 3, 2026 · The Field Notes Desk
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.
-
Analysis · May 1, 2026 · The Field Notes Desk
Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11.
-
Analysis · May 1, 2026 · The Field Notes Desk
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited.
-
Field Note · May 1, 2026 · The Field Notes Desk
Patch CVE-2026-40372, then rotate the keys
The ASP.
-
Analysis · Apr 30, 2026 · The Field Notes Desk
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests.