Tag
#cisa-kev
134 posts tagged #cisa-kev.
-
Analysis · Jun 17, 2026 · Colten Anderson
The Cisco IOS XE reboot that wasn't remediation
Patching CVE-2023-20198 and rebooting the box clears the web shell but leaves the rogue admin account behind. If you ran one IOS XE web UI on the public internet in late 2023, you have an account audit to do before you close the ticket.
-
Analysis · Jun 16, 2026 · Colten Anderson
Sophos has seven CISA KEV entries. Five hit the same management interface.
The User Portal and Webadmin surface runs through SQL injection, buffer overflow, authentication bypass, and code injection across five years. Chinese state actors exploited several of them as zero-days, and the exploitation often started before Sophos knew about the bugs.
-
Analysis · Jun 16, 2026 · Colten Anderson
Juniper Junos OS has six KEV entries and two separate attack surfaces
Five CVSS 5.3 bugs in J-Web that chain to unauthenticated RCE, and a kernel isolation flaw exploited by a China-nexus actor to root MX routers. The scoring gap on the first cluster is the operational lesson.
-
Analysis · Jun 8, 2026 · Colten Anderson
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the fix shipped. The prioritization logic behind that is the story.
-
Field Note · Jun 5, 2026 · Colten Anderson
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essentially now. If you run Magento, you act today.
-
Analysis · Jun 4, 2026 · Colten Anderson
The GlobalProtect bypass deadline already passed, but you might not be affected
CVE-2026-0257 is a GlobalProtect auth bypass with a KEV deadline that's come and gone. Whether it touches you comes down to a 60-second config check, not your PAN-OS version.
-
Analysis · Jun 3, 2026 · Colten Anderson
Everything is critical, so nothing is critical
A third of last year's CVEs were rated High or Critical, but only a few percent ever get exploited. The severity score was never a risk score, and the queue that treats it like one is the reason confirmed-exploited bugs sit unpatched for 43 days.
-
Analysis · May 25, 2026 · Colten Anderson
SonicWall patched CVE-2024-12802 and left the bug in place on Gen6
The firmware update closes the code path but does not rewrite the LDAP config the exploit actually uses. On Gen6, that distinction is the whole vulnerability.
-
Analysis · May 20, 2026 · Colten Anderson
Before MOVEit and GoAnywhere, Cl0p's playbook was born on a 20-year-old Accellion box
The Accellion FTA breaches of late 2020 are where Cl0p's mass-data-theft-and-extortion model started. Four CVEs in a legacy file-transfer appliance, exploited to steal data from dozens of organizations. The product was already two decades old and on its way out.
-
Analysis · May 20, 2026 · Colten Anderson
Your attack surface isn't just port 443
CVE-2023-46604 is a perfect-10 RCE in Apache ActiveMQ. The exploit isn't a web request; it's a single message to the broker on port 61616, a port most web-focused scanning and firewalling never considers. The broker then fetches a remote XML file and runs whatever's in it.
-
Analysis · May 20, 2026 · Colten Anderson
Adobe ColdFusion has been getting popped the same ways for 15 years
The KEV catalog holds a long run of ColdFusion bugs: deserialization RCEs, access-control bypasses, and file uploads, from 2013 to 2024. Different CVEs, same handful of weaknesses. If you still run internet-facing ColdFusion, you're operating a perennial target.
-
Analysis · May 20, 2026 · Colten Anderson
Apache HTTP Server 2.4.49: a path-traversal fix that needed a second fix
CVE-2021-41773 was a path traversal in Apache httpd 2.4.49 that could leak files and, with CGI enabled, reach RCE. The 2.4.50 fix was incomplete, so CVE-2021-42013 followed days later. Two CVEs, one bug, a textbook patch-the-patch.
-
Analysis · May 20, 2026 · Colten Anderson
Insecure deserialization isn't a Java problem. Ask Ruby's YAML.load.
CVE-2022-47986 is a pre-auth RCE in IBM Aspera Faspex from a single call to YAML.load on data an unauthenticated user controls. It's the Ruby version of the deserialization footgun, and ransomware crews used it to move onto Linux.
-
Analysis · May 20, 2026 · Colten Anderson
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop. Microsoft was scared enough of a WannaCry repeat that it shipped patches for end-of-life XP and Server 2003. The worm never fully came, but the lesson did: RDP doesn't belong on the internet.
-
Analysis · May 20, 2026 · Colten Anderson
Apple, Chrome, Android: the zero-day stream that mostly isn't aimed at you
The catalog's Apple, Google/Chrome, Android, Samsung, and Qualcomm entries are overwhelmingly browser and mobile zero-days, many used by mercenary spyware against specific people. For most organizations the defense is one boring control: fast auto-update.
-
Analysis · May 20, 2026 · Colten Anderson
They read one file off the VPN gateway and left with your whole Active Directory
CVE-2024-24919 is filed as 'information disclosure.' On a Check Point gateway that meant unauthenticated file read, which meant password hashes, which meant ntds.dit within hours. It was a zero-day for a month before disclosure, and patching it doesn't undo the theft.
-
Analysis · May 20, 2026 · Colten Anderson
CISA just gave the Conficker bug a 2026 deadline
Five of the seven CVEs CISA added on May 20 are 2008–2010 fossils, including MS08-067 and Operation Aurora. KEV inclusion means current exploitation, so the real signal isn't nostalgia.
-
Analysis · May 20, 2026 · Colten Anderson
Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager: a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs. The management plane is the target.
-
Analysis · May 20, 2026 · Colten Anderson
The VPN bug that isn't on the gateway, it's the updater on the laptop
CVE-2020-3433 and CVE-2020-3153 are in the Cisco AnyConnect Windows client, not the VPN gateway. The weak point is the privileged helper service that auto-updates the client, which a local user can trick into running their code as SYSTEM.
-
Analysis · May 20, 2026 · Colten Anderson
A 2020 bug leaked VPN passwords. The orgs that survived had MFA.
CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext. Akira ransomware used it for initial access years after the patch. The control that turned a leaked password into a non-event was multi-factor authentication.
-
Analysis · May 20, 2026 · Colten Anderson
The unlocked side door on your Cisco VPN was the default group nobody configured
CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled. Akira and LockBit used it for initial access. The fix is patching plus hardening the defaults you never touched.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the NetScaler RCE doesn't tell you if a webshell is already on it
CVE-2023-3519 was an unauthenticated RCE on Citrix NetScaler used as a zero-day to drop webshells. Patching closes the hole; it doesn't remove an implant planted before you patched. With a black-box appliance, finding out is the hard part. Here's the IOC-hunt runbook.
-
Analysis · May 20, 2026 · Colten Anderson
CitrixBleed: the patch closed the leak but left the stolen keys working
CVE-2023-4966 leaked post-MFA session tokens from NetScaler. Organizations that patched and stopped there got breached anyway, because a stolen token still worked after the update. The action that mattered was killing every active session, and a lot of victims skipped it.
-
Analysis · May 20, 2026 · Colten Anderson
Shitrix: the Citrix bug that taught everyone how fast a perimeter RCE goes from PoC to pandemic
CVE-2019-19781, 'Shitrix,' was a path-traversal RCE in Citrix NetScaler. After disclosure with no patch, a public exploit dropped and mass exploitation followed within days. It set the template for the NetScaler-as-target story that CitrixBleed later continued.
-
Analysis · May 20, 2026 · Colten Anderson
A new critical Confluence RCE stopped being news. That's the problem.
CVE-2022-26134, CVE-2023-22515, CVE-2023-22518, CVE-2023-22527: Atlassian Confluence Server and Data Center has been mass-exploited so many times that the headline repeats. If you run it on the internet, you're operating one of the most reliably targeted boxes there is.
-
Analysis · May 20, 2026 · Colten Anderson
22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024. Hosting control panels run as root and face the internet by design, which is exactly why one bug becomes a fleet-wide event.
-
Analysis · May 20, 2026 · Colten Anderson
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
-
Analysis · May 20, 2026 · Colten Anderson
The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed
Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools, Langflow, n8n, Marimo, Trivy, Livewire. The DevTools and supply-chain entries share a blind spot: the development and automation stack is internet-facing production infrastructure, and it gets exploited like it.
-
Analysis · May 20, 2026 · Colten Anderson
An uploaded filename is attacker input. dotCMS forgot, and got a webshell.
CVE-2022-26352 is a directory traversal in dotCMS's upload API: the filename in a multipart request wasn't sanitized, so '../' sequences let an attacker write a JSP webshell to a web-reachable directory. With anonymous content creation on, that's unauthenticated RCE.
-
Analysis · May 20, 2026 · Colten Anderson
Drupalgeddon: when a data structure is allowed to name a function to call
Drupal's Form API lets a renderable array carry a callback; that's a feature. Drupalgeddon (CVE-2018-7602) let an attacker put their own callback in, and Drupal called it: exec, passthru, system. Powerful framework metaprogramming plus untrusted input equals RCE.
-
Analysis · May 20, 2026 · Colten Anderson
The same handful of mechanisms account for most of the catalog
After the marquee bugs, Tier 1's remaining entries (DotNetNuke, ForgeRock, BQE, Sophos, Tomcat, Citrix ShareFile, SAP, Quest, Atlassian Crowd, Exim, Cisco ASA, Office) don't introduce new lessons. They confirm the few recurring mechanisms behind nearly every exploited vulnerability.
-
Analysis · May 20, 2026 · Colten Anderson
The year on-premise Exchange became the most-attacked software on earth
ProxyLogon and ProxyShell turned 2021 into open season on Exchange Server. Two unauthenticated RCE chains, tens of thousands of web-shelled servers, an FBI operation to clean them up. If you still run Exchange on-prem, you're operating a permanent top-tier target.
-
Analysis · May 20, 2026 · Colten Anderson
A mitigation blocks a path. OWASSRF found another door.
After ProxyNotShell, Microsoft told Exchange admins to apply URL-rewrite mitigations while the patch was finished. OWASSRF (CVE-2022-41080) walked around them by knocking on OWA instead of Autodiscover, and Play ransomware walked in. Mitigations aren't fixes.
-
Analysis · May 20, 2026 · Colten Anderson
The F5 auth bypass that fit in one header: Connection: X-F5-Auth-Token
CVE-2022-1388 let unauthenticated attackers run commands as root on F5 BIG-IP by abusing hop-by-hop header handling. Naming the auth-token header in the Connection header made the proxy strip it after the auth check read it, but before the backend did.
-
Field Note · May 20, 2026 · Colten Anderson
F5 CVE-2023-46747: the backend trusted a header that said 'I'm already an admin'
The Tomcat backend behind F5's config utility trusted a remote_user header as proof of authentication, assuming only the front-end could set it. HTTP-to-AJP request smuggling let attackers set it themselves, for unauthenticated root. Here's how to check, patch, and lock it down.
-
Analysis · May 20, 2026 · Colten Anderson
Content-process only is one bug short of game over
CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process. RomCom paired it with a Windows sandbox escape and turned a single page visit into a backdoor. Mozilla shipped the fix in about 25 hours.
-
Analysis · May 20, 2026 · Colten Anderson
Everyone hardened against macros. Follina didn't use one.
CVE-2022-30190 (Follina) ran code from a Word document with no macro at all, by abusing a Windows URL protocol handler to invoke the Support Diagnostic Tool. It defeated macro-based defenses, and Microsoft had reportedly closed an earlier report as 'not a security issue.'
-
Field Note · May 20, 2026 · Colten Anderson
FortiClient EMS CVE-2023-48788: a SQL injection that talks the database into running SYSTEM commands
When a product runs on Microsoft SQL Server, a SQL injection is rarely just a data leak. The attacker turns on xp_cmdshell from inside the injection and gets OS command execution. On FortiClient EMS that's unauthenticated, as SYSTEM. Here's how to check, patch, and detect it.
-
Analysis · May 20, 2026 · Colten Anderson
Fortinet's other products take their turn: FortiWeb, FortiManager, FortiClient EMS
Beyond the long-running FortiOS auth-bypass cycle, 2025-2026 brought a wave of exploited bugs in FortiWeb, FortiManager, and FortiClient EMS: SQL injection, path traversal, auth bypass, and a format-string RCE. Same vendor, same perimeter-and-management target profile.
-
Analysis · May 20, 2026 · Colten Anderson
The 'test connection' button that mails your stored credentials to an attacker
CVE-2018-13374 lets an attacker recover the LDAP bind credentials stored in a FortiGate by pointing its LDAP connectivity test at a rogue server. It's a small bug with a broad lesson: 'test connection' features that transmit stored secrets are a credential-disclosure pattern.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the Fortinet auth bypass doesn't remove the admin account the attacker added
CVE-2022-40684 let unauthenticated attackers act as administrator on FortiOS, FortiProxy, and FortiSwitchManager by spoofing trusted headers. The exploit's payoff was planting an SSH key or super-admin account, so patching after exposure leaves the back door in place.
-
Analysis · May 20, 2026 · Colten Anderson
The ransomware that brought a signed driver to switch off the rule against unsigned drivers
In 2020, RobbinHood became the first ransomware seen shipping a legitimately signed GIGABYTE driver, exploiting it to disable Windows driver-signature enforcement, then loading its own unsigned driver to kill security software from the kernel. The four GIGABYTE CVEs are why.
-
Analysis · May 20, 2026 · Colten Anderson
GitLab CVE-2021-22205: the upload that ran code through an image parser
CVE-2021-22205 is an unauthenticated RCE in GitLab, but the bug wasn't really in GitLab. It was in ExifTool, the metadata library GitLab used to process uploaded images. Upload a crafted file, ExifTool parses it, code runs. Image parsers are a recurring RCE vector.
-
Analysis · May 20, 2026 · Colten Anderson
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver. Scattered Spider loaded it to reach the kernel and patch out Defender, CrowdStrike, SentinelOne, and Palo Alto in memory. It's the classic bring-your-own-vulnerable-driver attack, and the defenses are switches you can flip today.
-
Analysis · May 20, 2026 · Colten Anderson
The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock
Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware. They're not separate stories. They're the same story: internet-exposed consumer gear that gets conscripted into IoT botnets, and the fix is almost always the same.
-
Analysis · May 20, 2026 · Colten Anderson
Ivanti Endpoint Manager: the management server that can be coerced into handing over credentials
CVE-2024-13159, 13160, and 13161 are path-traversal/credential-coercion flaws in Ivanti Endpoint Manager that let an attacker make the EPM server authenticate to them and relay it. It's another Ivanti product, and another privileged management server worth defending as tier-zero.
-
Analysis · May 20, 2026 · Colten Anderson
When a vulnerability is shaped exactly like a backdoor
CVE-2021-44529 triggers when you send Ivanti's appliance a cookie that says 'ab' followed by base64 the server decodes and runs. That's not what an accidental bug looks like. Whether it was planted or just terrible code, the lesson about dependency provenance is the same.
-
Field Note · May 20, 2026 · Colten Anderson
Jenkins CVE-2024-23897: from 'limited file read' to your secret key
The KEV entry calls it 'limited read access to certain files.' On a Jenkins controller, the files include the cryptographic key that turns read into remote code execution. Here's how to check, patch, and what to rotate if you were exposed.
-
Analysis · May 20, 2026 · Colten Anderson
Compromise one MSP's RMM, ransom a thousand businesses: the Kaseya pattern
Kaseya VSA is remote-monitoring software MSPs use to manage thousands of client machines. That reach is why it keeps getting attacked, and why in 2021 REvil used it to push ransomware to roughly 1,500 downstream businesses in a single weekend.
-
Field Note · May 20, 2026 · Colten Anderson
Laravel CVE-2021-3129: the RCE that only fires when debug mode is on in production
CVE-2021-3129 is unauthenticated remote code execution in Laravel's Ignition error page. It only works when APP_DEBUG is true, which should never be the case in production. Here's how to confirm debug mode is off everywhere, patch, and check whether you were hit.
-
Analysis · May 20, 2026 · Colten Anderson
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
-
Analysis · May 20, 2026 · Colten Anderson
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016. They're there because the software is still running somewhere. For most of these, the fix isn't a patch, it's removing a runtime you stopped needing years ago.
-
Analysis · May 20, 2026 · Colten Anderson
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws. They share one fix path: keep supported Windows patched, kill SMBv1, retire end-of-life.
-
Analysis · May 20, 2026 · Colten Anderson
The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.
CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. 'Patched upstream' never meant 'patched on your box.'
-
Analysis · May 20, 2026 · Colten Anderson
The Linux firewall bug your users can reach because you gave them a private root
CVE-2024-1086 is an nf_tables use-after-free that hands a local user root. The reason an unprivileged user can touch the kernel's packet-filtering engine at all is unprivileged user namespaces, and turning those off defuses a whole class of these bugs at once.
-
Analysis · May 20, 2026 · Colten Anderson
Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.
CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021. The teams that 'patched Log4j' on day one had to do it again, and again. The durable lesson wasn't speed. It was knowing where the dependency lived.
-
Analysis · May 20, 2026 · Colten Anderson
Turning on SSO turned on the vulnerability, and turning it back off didn't help
CVE-2022-47966 gave unauthenticated RCE across two dozen ManageEngine products, but only where SAML single sign-on was enabled. The best-practice config was the attack surface, the root cause was a years-stale bundled library, and 'was enabled' counted too.
-
Analysis · May 20, 2026 · Colten Anderson
The most dangerous server in the hospital is the one nobody can name
Mirth Connect moves patient records between systems and runs with high privileges, and a lot of installs sit on the open internet. CVE-2023-43208 is an unauthenticated RCE in it, and it's a patch bypass: the first fix used a denylist, and a researcher walked around it.
-
Analysis · May 20, 2026 · Colten Anderson
Lorenz ransomware's way in was the phone system
In 2022, Lorenz ransomware breached corporate networks through a Mitel MiVoice Connect appliance, the VoIP system, using CVE-2022-29499 as a zero-day. Telephony and unified-comms appliances are edge servers running web code, and almost nobody treats them that way.
-
Analysis · May 20, 2026 · Colten Anderson
You can be the victim of a vulnerability in software you don't run
Most of the 90-plus million people whose data Cl0p stole through MOVEit had never heard of it, and their data leaked through payroll firms and service bureaus, not their own systems. CVE-2023-34362 is the case study in third-party data risk you can't patch your way out of.
-
Analysis · May 20, 2026 · Colten Anderson
The tool that audits everything runs as SYSTEM everywhere. That cuts both ways.
CVE-2022-31199 is unauthenticated RCE as SYSTEM in Netwrix Auditor, and it hits the server and the agents on every monitored system. Truebot used it. A privileged monitoring tool with agents across your estate is a shadow administration layer, and a force multiplier when it's compromised.
-
Analysis · May 20, 2026 · Colten Anderson
noPac: any domain user to Domain Admin, no exploit code required
CVE-2021-42278 and CVE-2021-42287 chain into 'noPac,' which takes a standard domain user to Domain Admin in about one command. There's no memory corruption, just abused Active Directory name handling, riding on a default that lets ordinary users create computer accounts.
-
Analysis · May 20, 2026 · Colten Anderson
Known exploited, no patch: what to do in the weeks before a fix exists
When Microsoft disclosed CVE-2023-36884, it was already being used by a Russian group against governments, and there was no patch for weeks. Only mitigations. That scenario is more common than a patch-centric process assumes, and mitigations are the plan, not a consolation prize.
-
Analysis · May 20, 2026 · Colten Anderson
OMIGOD: an unauth root RCE in an agent you didn't know Azure installed
CVE-2021-38647 is an unauthenticated remote code execution as root in the OMI agent. Most victims didn't know they were running OMI; Azure silently deployed it on Linux VMs when you enabled common services. Invisible agents are invisible attack surface.
-
Analysis · May 20, 2026 · Colten Anderson
Your ERP is on the internet, and it's the system that cuts the checks
Security programs treat ERP as 'internal.' Oracle E-Business Suite exposes web modules to the internet by design, and CVE-2022-21587 turned one into unauthenticated code execution on the system that runs payroll, purchase orders, and the general ledger.
-
Analysis · May 20, 2026 · Colten Anderson
A CVSS 10 that hinged on one unchecked box: 'Validate Identity Provider Certificate'
CVE-2020-2021 let attackers bypass authentication on Palo Alto firewalls and VPNs using SAML, but only when one option was disabled: 'Validate Identity Provider Certificate.' A perfect-10 bug whose presence depended on a checkbox.
-
Analysis · May 20, 2026 · Colten Anderson
Palo Alto GlobalProtect CVE-2019-1579: another VPN gateway, another pre-auth RCE
CVE-2019-1579 was a pre-authentication remote code execution in Palo Alto's GlobalProtect SSL-VPN. It's one more entry in the longest-running story in this catalog: the SSL-VPN gateway as a perennial, pre-auth-RCE-prone perimeter target.
-
Analysis · May 20, 2026 · Colten Anderson
PetitPotam: make a domain controller authenticate to you, relay it, own the domain
CVE-2021-36942 lets an attacker coerce a Windows machine, including a domain controller, into authenticating to them. Relay that to Active Directory Certificate Services and you can mint a certificate as the DC. It's an Active Directory configuration problem as much as a patch.
-
Analysis · May 20, 2026 · Colten Anderson
A soft hyphen reopened a bug PHP closed in 2012
CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw. The 2012 fix sanitized the input. Windows then helpfully rewrote a soft hyphen back into a real one, after the check, and handed the attacker their command-line argument anyway.
-
Analysis · May 20, 2026 · Colten Anderson
PHP-FPM CVE-2019-11043: an RCE that depended on a copy-pasted nginx config
CVE-2019-11043 is a remote code execution bug in PHP-FPM, but it only fires on a specific nginx configuration, one that circulated widely in tutorials and got copy-pasted into production everywhere. The bug is in the code; the exposure came from a config snippet.
-
Analysis · May 20, 2026 · Colten Anderson
DeadBolt skipped the network intrusion and just encrypted the NAS directly
Most ransomware has to break in, escalate, and spread before it encrypts anything. DeadBolt found internet-exposed QNAP NAS devices, exploited a Photo Station bug, and encrypted the files in place. On a NAS, the device is the data, and that changes the whole attack.
-
Analysis · May 20, 2026 · Colten Anderson
Why ransomware crews love a backup server twice over
CVE-2022-36537 is a ZK Framework bug that handed attackers ConnectWise R1Soft backup servers. A backup server is the perfect ransomware target for two reasons at once: it can push code to everything it protects, and destroying it removes the one thing that lets a victim refuse to pay.
-
Analysis · May 20, 2026 · Colten Anderson
2017's other wormable file-share RCE, the one nobody remembers, is still on your NAS
Everyone remembers EternalBlue tearing through Windows SMB in 2017. The same year, Samba shipped a fix for SambaCry: upload a library to a writable share, trigger it, get root. It lives on in the NAS and IoT boxes that embed Samba and never update.
-
Analysis · May 20, 2026 · Colten Anderson
The other half of the ScreenConnect chain just got a 2026 deadline
CVE-2024-1709 got the CVSS 10 and the headlines in February 2024. The path-traversal half that actually lands code execution, CVE-2024-1708, only got its own KEV deadline on April 28, 2026. Two years late, same chain.
-
Analysis · May 20, 2026 · Colten Anderson
The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.2. It requires authentication. Most teams filed it below the criticals. It was still the entry point for a two-week, full-domain compromise, and the cleanup tactic was installing rogue antivirus to make the real EDR fall over.
-
Analysis · May 20, 2026 · Colten Anderson
A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter
The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint. It was demoed at Pwn2Own in March 2023, patched mid-year, had a public PoC by late 2023, and hit the KEV list in early 2024. That timeline is something you can plan around.
-
Analysis · May 20, 2026 · Colten Anderson
Sitecore CVE-2021-42237: another .NET deserialization RCE in a CMS you forgot was internet-facing
CVE-2021-42237 is an insecure-deserialization RCE in Sitecore XP. It's the same .NET deserialization footgun that keeps showing up in enterprise web apps, on a CMS that often sits forgotten but internet-facing.
-
Analysis · May 20, 2026 · Colten Anderson
SolarWinds Serv-U: a state actor's zero-day in yet another file-transfer product
CVE-2021-35211 was a zero-day RCE in SolarWinds Serv-U, exploited by a China-nexus actor weeks after the SUNBURST headlines faded. It's another managed-file-transfer product turned into a foothold, the category attackers keep returning to.
-
Analysis · May 20, 2026 · Colten Anderson
2021 was open season on SonicWall's appliances, remote access and email alike
In 2021, SonicWall's SMA/SRA remote-access appliances and its Email Security product were both hit by zero-day exploitation, by ransomware crews and APTs. Seven of those CVEs are in the catalog, several used before patches existed.
-
Analysis · May 20, 2026 · Colten Anderson
Akira's favorite front door is a SonicWall SSL-VPN, and it's fast
Three SonicWall bugs, CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006, feed the same outcome: Akira ransomware through the SSL-VPN. In one campaign, the time from SonicWall access to encrypted files was 55 minutes. Several of these bugs walk past MFA.
-
Analysis · May 20, 2026 · Colten Anderson
SysAid customers got the patch the same week they learned they were already breached
CVE-2023-47246 was a SysAid zero-day before it was a CVE. The Cl0p operator Lace Tempest, fresh off MOVEit, was writing webshells to Tomcat and deploying ransomware while the vendor was still writing the advisory. When the attacker has the bug first, detection matters as much as patching.
-
Analysis · May 20, 2026 · Colten Anderson
The SolarWinds crew spent late 2023 breaking into build servers. That's not a coincidence.
CVE-2023-42793 is an unauthenticated RCE on JetBrains TeamCity. APT29, the Russian service behind SolarWinds, exploited it at scale, and so did North Korean groups. They weren't after one network. A build server is the supply chain.
-
Analysis · May 20, 2026 · Colten Anderson
There's no vendor to patch this one. The vulnerable code is inside an app you built.
CVE-2017-11357 is a file-upload-to-RCE flaw in the Telerik UI component. It's not a product on your network you can update; it's a library compiled into web apps your own team shipped, sometimes years ago, often without anyone remembering Telerik is in there.
-
Analysis · May 20, 2026 · Colten Anderson
A User-Agent string is not authentication, but TerraMaster's NAS treated it like one
To pull the admin password off a TerraMaster NAS, you sent a request with the header User-Agent: TNAS. The API recognized its own app's identifier and handed over the credentials. Chained to a second bug, that's unauthenticated root.
-
Analysis · May 20, 2026 · Colten Anderson
The 2024–2026 enterprise-infra bugs, grouped by the mistake that caused them
Oracle WebLogic, SolarWinds Web Help Desk, Citrix Session Recording, Juniper ScreenOS, Outlook, VMware Aria, Brocade, Junos, and more. The recent enterprise-infrastructure entries reduce to the same familiar mechanisms: deserialization, planted credentials, document tricks, broken access control.
-
Analysis · May 20, 2026 · Colten Anderson
The 2025 long tail: same six categories, eighty different products
Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa. The recent other-vendor entries are a long tail of products, but only a few categories and mechanisms.
-
Analysis · May 20, 2026 · Colten Anderson
Ransomware crews keep hitting Veeam for the same two reasons
Four Veeam Backup & Replication CVEs feed the same playbook. Attackers target the backup server because it can destroy your recovery option and because it holds the credentials to everything it backs up. CVE-2024-40711 took Akira and Fog from access to ransomware fast.
-
Analysis · May 20, 2026 · Colten Anderson
The backup agent on every server was ALPHV's way in
Veritas Backup Exec's agent listens on every machine it backs up. Three 2021 CVEs in it, CVE-2021-27876, 27877, and 27878, let ALPHV/BlackCat affiliates get in. Backup infrastructure isn't just a destruction target; its agents are an attack surface on every host.
-
Analysis · May 20, 2026 · Colten Anderson
ESXi handed out admin to a group named 'ESX Admins' and never checked who made it
CVE-2024-37085 is an auth bypass where domain-joined ESXi grants full control to any member of a group called 'ESX Admins,' without verifying the group is legitimate. At least four ransomware crews used it to encrypt hypervisors. ESXi 7.0 isn't getting a patch.
-
Analysis · May 20, 2026 · Colten Anderson
The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate. A run of pre-auth RCEs in vCenter (CVE-2021-21972, 21975, 21985, 22005) and the ESXi OpenSLP bugs (CVE-2019-5544, CVE-2020-3992) that fed the ESXiArgs ransomware wave show why the management layer is a crown-jewel target.
-
Analysis · May 20, 2026 · Colten Anderson
Server-side template injection: when the page renderer runs the attacker's code
CVE-2022-22954 is a template-injection bug in VMware Workspace ONE Access. A template engine meant to render data into a page rendered attacker input into code execution instead, unauthenticated, on the appliance that brokers your single sign-on. Attackers had an exploit 48 hours after the patch.
-
Analysis · May 20, 2026 · Colten Anderson
A browser bug, sold as a weapon, pointed at journalists
CVE-2022-2294 was a heap overflow in WebRTC, the real-time-comms code inside Chrome and other browsers. It wasn't used for mass crime. A surveillance vendor, Candiru, used it to plant DevilsTongue spyware on journalists in the Middle East. Different threat model, same patch.
-
Analysis · May 20, 2026 · Colten Anderson
Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold. The exploit went public at 5pm UTC; Trend Micro saw the first real attack by 10pm. The tool that watches your whole network became the way in.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws in storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
-
Analysis · May 20, 2026 · Colten Anderson
A clickable link in a SYSTEM dialog is a SYSTEM shell waiting to happen
CVE-2019-1388 turned a hyperlink in the UAC certificate dialog into a path to NT AUTHORITY\SYSTEM. No exploit code, just clicks: open the cert, click 'Issued by,' and the browser launches as SYSTEM. The lesson is what any interactive element in a privileged process really is.
-
Analysis · May 20, 2026 · Colten Anderson
The same crew beat the same defense twice in three months. The patch was the problem.
CVE-2023-24880 let Magniber ransomware bypass SmartScreen with malformed MSI signatures. It worked because Microsoft's earlier fix for nearly the same bug addressed one symptom and left the root cause standing. Narrow patches invite variants, and the attacker just comes back.
-
Analysis · May 20, 2026 · Colten Anderson
Lazarus didn't bring a vulnerable driver. They used the one already on every Windows PC.
The standard defense against driver-based kernel attacks is a blocklist of known-bad drivers. CVE-2024-21338 routes around it: the vulnerable driver is appid.sys, the AppLocker component Windows ships by default. You can't blocklist a core part of the OS.
-
Analysis · May 20, 2026 · Colten Anderson
The warning your careful users count on, that quietly never fired
CVE-2024-21412 bypasses Windows SmartScreen with a shortcut inside a shortcut. The file looks like a JPEG, the user double-clicks, and the safety prompt that was supposed to appear simply doesn't. It's also a bypass of the previous SmartScreen fix.
-
Analysis · May 20, 2026 · Colten Anderson
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks. Symantec later found a Black Basta exploit tool built weeks earlier. The technique it used, an IFEO Debugger key, is one you can detect even when you can't patch in time.
-
Analysis · May 20, 2026 · Colten Anderson
The FBI dismantled QakBot in 2023. In 2024 it was test-driving a Windows zero-day.
CVE-2024-30051 is a DWM Core Library privilege escalation to SYSTEM, used as a zero-day. Kaspersky tied it to QakBot, the botnet taken down nine months earlier, and found the exploit was already in several groups' hands before the patch.
-
Analysis · May 20, 2026 · Colten Anderson
The boring privilege-escalation bug is the one that finishes the job
CVE-2024-30088 is a local Windows kernel race condition. It needs an attacker who's already inside, which is exactly why it gets deprioritized. APT34 used it to turn a foothold into SYSTEM, then dropped a password filter to skim every cleartext login.
-
Analysis · May 20, 2026 · Colten Anderson
The Print Spooler keeps getting exploited. The fix is usually to turn it off.
PrintNightmare wasn't one bug. The KEV catalog holds a string of Print Spooler entries, from PrintNightmare to SpoolFool to the flaw APT28 paired with GooseEgg. They share a root cause, and for most servers the durable answer isn't a patch, it's disabling a service you don't need.
-
Analysis · May 20, 2026 · Colten Anderson
The user opened a JPG they could see in the archive. A RAT installed behind it.
CVE-2023-38831 weaponizes the one thing you tell users is safe: opening a file they can see. A WinRAR archive hides a script in a folder named identically to a benign file, and double-clicking the file runs the script. You can't train this away, and WinRAR doesn't auto-update.
-
Analysis · May 20, 2026 · Colten Anderson
When the catalog says 'authenticated' and the researcher says it isn't
The KEV entry for CVE-2023-40044 calls it an authenticated attack. The researchers who found it demonstrated remote code execution with no login at all. When your authoritative sources disagree about whether a bug needs credentials, plan around the scarier answer.
-
Analysis · May 20, 2026 · Colten Anderson
WSO2 CVE-2022-29464: an upload bug on the box that brokers your APIs and logins
CVE-2022-29464 is an unauthenticated file-upload-to-RCE in WSO2 products. The bug is a familiar one. What makes it serious is where it lives: API management and identity middleware that sits in front of your services and authenticates your users.
-
Analysis · May 20, 2026 · Colten Anderson
Zerologon: a crypto mistake that hands over the domain in seconds
CVE-2020-1472 is a cryptographic flaw in the Netlogon protocol that lets an unauthenticated attacker with network access to a domain controller reset its machine-account password to empty, becoming domain admin. CVSS 10, no credentials, seconds to exploit.
-
Analysis · May 20, 2026 · Colten Anderson
The Zimbra bug that infected the mail server when it scanned the attachment
In 2022, Zimbra Collaboration Suite got hammered by a cluster of bugs. One didn't even need the victim to click: send a booby-trapped RAR, and the server unpacked it to scan for malware, infecting itself. On-premises email is the keys to the kingdom, and 2022 proved it.
-
Analysis · May 20, 2026 · Colten Anderson
A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router. Zyxel patched it in 2017, but the device is end-of-life, so the real remediation is replacement. It's on the KEV list because EOL edge gear is exactly what gets conscripted into botnets.
-
Analysis · May 18, 2026 · Colten Anderson
Microsoft titled it Spoofing. It's session hijacking.
CVE-2026-42897 is the first real test of Exchange Server Subscription Edition's new servicing model. Four days in, the answer is a mitigation that breaks four OWA features and an SU with no ship date.
-
Analysis · May 11, 2026 · Colten Anderson
The CVSS 4.3 that APT28 was already using
Microsoft shipped the fix for CVE-2026-32202 without an exploitation flag while Russian state actors had a five-month head start. Vendor-tag triage missed it. The federal deadline is tomorrow.
-
Analysis · May 10, 2026 · Colten Anderson
The seven-year gap is the story, not the CVE
Microsoft patched CVE-2018-8639 in December 2018. CISA added it to the KEV catalog in March 2025. The interesting number isn't the bug's age. It's the distance between when a fix shipped and when the exposed fleet was acknowledged.
-
Analysis · May 10, 2026 · Colten Anderson
SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak
SimpleHelp shipped a fix in seven days from full disclosure. Then they posted it to a forum. Ransomware affiliates have been pulling hashed admin credentials out of unpatched servers ever since.
-
Analysis · May 8, 2026 · Colten Anderson
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.8.0.21 on October 27. By December 3, Huntress had a working PoC against fully patched hosts and Cl0p was running it in production. This is the fifth MFT vendor in five years to hand Cl0p the same playbook.
-
Analysis · May 8, 2026 · Colten Anderson
Qlik patched the smuggling bug, then Praetorian beat it with one extra letter
On August 29, 2023, Qlik shipped a literal-string filter for chunked transfer encoding. Three weeks later Praetorian sent tchunked, the desync came back, and Cactus ransomware spent the next two months harvesting the administrators who thought they were done patching.
-
Analysis · May 8, 2026 · Colten Anderson
Mitel MiCollab keeps shipping the same path-traversal bug class
watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day. The pattern across NPM, ReconcileWizard, and AWV is structural, and operators tolerate it because UC is the most upgrade-averse tier in the enterprise.
-
Analysis · May 8, 2026 · Colten Anderson
Three root shells in seven months. All from the same firewall.
CVE-2024-3400, CVE-2024-0012, and CVE-2024-9474 gave attackers unauthenticated root on Palo Alto firewalls twice in 2024. The pattern isn't bad luck. It's the architecture.
-
Analysis · May 8, 2026 · Colten Anderson
Ivanti Connect Secure: the perimeter that keeps breaking
Five KEV-listed Ivanti Connect Secure bugs in fifteen months, all ransomware-tagged, all on the unauthenticated path. The pledge bought goodwill. The code did not change.
-
Analysis · May 8, 2026 · Colten Anderson
Ivanti EPMM has produced a confirmed zero-day every year since 2023. Here's the full chain.
Twelve CVEs. Four exploitation waves. Three years. One product line. A complete accounting of Ivanti EPMM's zero-day history, from the Norwegian government breach to this week's credential chain.
-
Analysis · May 7, 2026 · Colten Anderson
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor. The KEV deadline is May 9. The first patch lands May 13. Here's what to do with the four days in between.
-
Analysis · May 6, 2026 · Colten Anderson
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years. Akira ransomware automated the decryption. Fortinet keeps shipping this class of bug.
-
Analysis · May 6, 2026 · Colten Anderson
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped. One confirmed victim reported multi-billion dollar profit impact. SAP's initial workaround guidance was later marked 'Do Not Use.'
-
Analysis · May 5, 2026 · Colten Anderson
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist. The correction came Saturday night, behind a paywall.
-
Analysis · May 5, 2026 · Colten Anderson
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere? It did. Third critical BeyondTrust RCE in 15 months, confirmed ransomware, CISA gave you 3 days.
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
-
Analysis · May 5, 2026 · Colten Anderson
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers. The bug isn't the story. The patching economics are.
-
Analysis · May 5, 2026 · Colten Anderson
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations. Here's what patching EBS actually looks like under a KEV deadline.
-
Analysis · May 5, 2026 · Colten Anderson
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
-
Analysis · May 5, 2026 · Colten Anderson
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API. SmarterTools patched it silently in October 2025 with no CVE, no advisory, and release notes that said 'critical security fixes.' watchTowr found the silent fix two months later. Here's why that matters.
-
Analysis · May 5, 2026 · Colten Anderson
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API. No credentials, no interaction, CVSS 9.8, confirmed ransomware. One of three critical SmarterMail CVEs in ten days. Here's what happened and what to do about it.
-
Analysis · May 5, 2026 · Colten Anderson
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days. CISA added it to KEV in April 2026 with a May 4 federal deadline. If you're still below 2023.11.4, this is two years overdue.
-
Analysis · May 3, 2026 · Colten Anderson
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.14 through 6.19. A Python script gives any local user root. Every major distro is affected, containers don't help, and the mitigation is trivial.
-
Analysis · May 1, 2026 · Colten Anderson
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited. APT28 had been using it since at least December. The gap between those two facts is where triage models break.