Tag
#firewall
5 posts tagged #firewall.
-
Analysis · Jun 16, 2026 · Colten Anderson
Sophos has seven CISA KEV entries. Five hit the same management interface.
The User Portal and Webadmin surface runs through SQL injection, buffer overflow, authentication bypass, and code injection across five years. Chinese state actors exploited several of them as zero-days, and the exploitation often started before Sophos knew about the bugs.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the Fortinet auth bypass doesn't remove the admin account the attacker added
CVE-2022-40684 let unauthenticated attackers act as administrator on FortiOS, FortiProxy, and FortiSwitchManager by spoofing trusted headers. The exploit's payoff was planting an SSH key or super-admin account, so patching after exposure leaves the back door in place.
-
Analysis · May 8, 2026 · Colten Anderson
Three root shells in seven months. All from the same firewall.
CVE-2024-3400, CVE-2024-0012, and CVE-2024-9474 gave attackers unauthenticated root on Palo Alto firewalls twice in 2024. The pattern isn't bad luck. It's the architecture.
-
Analysis · May 7, 2026 · Colten Anderson
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor. The KEV deadline is May 9. The first patch lands May 13. Here's what to do with the four days in between.
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.