Tag
#patch-management
46 posts tagged #patch-management.
-
Analysis · Jun 18, 2026 · Colten Anderson
Patching Ivanti Sentry Closes the Door. It Doesn't Evict the Guest.
Shadowserver found backdoored Ivanti Sentry instances within 48 hours of the PoC and said the rest are most likely compromised. The patch is step one, not the answer.
-
Analysis · Jun 17, 2026 · Colten Anderson
regreSSHion proved 'hard to exploit' is not a patch window
CVE-2024-6387 got filed under 'low priority' because it's slow on 64-bit. The CVSS score measured exploit difficulty, not what a root RCE in sshd actually puts at risk.
-
Field Note · Jun 5, 2026 · Colten Anderson
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essentially now. If you run Magento, you act today.
-
Analysis · Jun 4, 2026 · Colten Anderson
The GlobalProtect bypass deadline already passed, but you might not be affected
CVE-2026-0257 is a GlobalProtect auth bypass with a KEV deadline that's come and gone. Whether it touches you comes down to a 60-second config check, not your PAN-OS version.
-
Analysis · Jun 3, 2026 · Colten Anderson
The patch triage meeting that ends with owners, not opinions
The short-list is built before anyone sits down. The meeting exists to put a name and a clock on each item, then end. Here's how to run it in fifteen minutes.
-
Field Note · May 28, 2026 · Colten Anderson
NGINX Rift: four places apt upgrade doesn't reach
The host patch for CVE-2026-42945 shipped on day one. The container images, the App Protect WAF in front of it, the downstream forks, and the config audit it leaves behind are separate jobs.
-
Analysis · May 25, 2026 · Colten Anderson
Microsoft patched a SYSTEM bug in 2020. It still works in 2026.
A pseudonymous researcher published MiniPlasma, a working PoC for CVE-2020-17103, and the only thing standing between you and a SYSTEM shell is a driver you cannot turn off.
-
Analysis · May 24, 2026 · Colten Anderson
The patch window went negative. Now what?
Mandiant's mean time-to-exploit is negative seven days. NVD gave up on enriching most of the catalog. Here's what the next 24 months of patch management actually look like with AI on both sides.
-
Analysis · May 20, 2026 · Colten Anderson
Apache HTTP Server 2.4.49: a path-traversal fix that needed a second fix
CVE-2021-41773 was a path traversal in Apache httpd 2.4.49 that could leak files and, with CGI enabled, reach RCE. The 2.4.50 fix was incomplete, so CVE-2021-42013 followed days later. Two CVEs, one bug, a textbook patch-the-patch.
-
Analysis · May 20, 2026 · Colten Anderson
A new critical Confluence RCE stopped being news. That's the problem.
CVE-2022-26134, CVE-2023-22515, CVE-2023-22518, CVE-2023-22527: Atlassian Confluence Server and Data Center has been mass-exploited so many times that the headline repeats. If you run it on the internet, you're operating one of the most reliably-targeted boxes there is.
-
Analysis · May 20, 2026 · Colten Anderson
The same handful of mechanisms account for most of the catalog
After the marquee bugs, Tier 1's remaining entries, DotNetNuke, ForgeRock, BQE, Sophos, Tomcat, Citrix ShareFile, SAP, Quest, Atlassian Crowd, Exim, Cisco ASA, Office, don't introduce new lessons. They confirm the few recurring mechanisms behind nearly every exploited vulnerability.
-
Analysis · May 20, 2026 · Colten Anderson
Content-process only is one bug short of game over
CVE-2024-9680 was a Firefox use-after-free that 'only' ran code in the sandboxed content process. RomCom paired it with a Windows sandbox escape and turned a single page visit into a backdoor. Mozilla shipped the fix in about 25 hours.
-
Analysis · May 20, 2026 · Colten Anderson
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear. They're still listed because they're still exploited on the systems nobody updated. The legacy tier is huge, and its remediation is short.
-
Analysis · May 20, 2026 · Colten Anderson
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016. They're there because the software is still running somewhere. For most of these, the fix isn't a patch, it's removing a runtime you stopped needing years ago.
-
Analysis · May 20, 2026 · Colten Anderson
The fix shipped in 2015. The CVE came in 2017. The deadline landed in 2024.
CVE-2017-1000253 is a Linux kernel privilege escalation that was already patched upstream two years before it got a CVE. It got a federal deadline the same year CentOS 7 died. 'Patched upstream' never meant 'patched on your box.'
-
Analysis · May 20, 2026 · Colten Anderson
Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.
CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021. The teams that 'patched Log4j' on day one had to do it again, and again. The durable lesson wasn't speed. It was knowing where the dependency lived.
-
Analysis · May 20, 2026 · Colten Anderson
A soft hyphen reopened a bug PHP closed in 2012
CVE-2024-4577 is a patch bypass of a 12-year-old PHP-CGI flaw. The 2012 fix sanitized the input. Windows then helpfully rewrote a soft hyphen back into a real one, after the check, and handed the attacker their command-line argument anyway.
-
Analysis · May 20, 2026 · Colten Anderson
A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter
The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint. It was demoed at Pwn2Own in March 2023, patched mid-year, had a public PoC by late 2023, and hit the KEV list in early 2024. That timeline is something you can plan around.
-
Analysis · May 20, 2026 · Colten Anderson
The 2024โ2026 enterprise-infra bugs, grouped by the mistake that caused them
Oracle WebLogic, SolarWinds Web Help Desk, Citrix Session Recording, Juniper ScreenOS, Outlook, VMware Aria, Brocade, Junos, and more. The recent enterprise-infrastructure entries reduce to the same familiar mechanisms, deserialization, planted credentials, document tricks, broken access control.
-
Analysis · May 20, 2026 · Colten Anderson
The 2025 long tail: same six categories, eighty different products
Roundcube and TeleMessage email, Wing FTP and Commvault, Kentico and Adobe Commerce, WatchGuard and PRTG, Rockwell and Trimble ICS, Gladinet and Omnissa. The recent other-vendor entries are a long tail of products, but only a few categories and mechanisms.
-
Analysis · May 20, 2026 · Colten Anderson
Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold. The exploit went public at 5pm UTC; Trend Micro saw the first real attack by 10pm. The tool that watches your whole network became the way in.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws, storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver. They don't each need their own post. Together they make one point about patching Windows fast.
-
Analysis · May 20, 2026 · Colten Anderson
The user opened a JPG they could see in the archive. A RAT installed behind it.
CVE-2023-38831 weaponizes the one thing you tell users is safe: opening a file they can see. A WinRAR archive hides a script in a folder named identically to a benign file, and double-clicking the file runs the script. You can't train this away, and WinRAR doesn't auto-update.
-
Analysis · May 20, 2026 · Colten Anderson
The Zimbra bug that infected the mail server when it scanned the attachment
In 2022, Zimbra Collaboration Suite got hammered by a cluster of bugs. One didn't even need the victim to click: send a booby-trapped RAR, and the server unpacked it to scan for malware, infecting itself. On-premise email is the keys to the kingdom, and 2022 proved it.
-
Analysis · May 18, 2026 · Colten Anderson
KB5089549 fails at 35% because your ESP is full
May's Windows 11 cumulative dies at the boot-file write step on machines with under 10 MB free in the EFI System Partition. Here's the registry fix, the detection query, and the WSUS decision.
-
Analysis · May 18, 2026 · Colten Anderson
Apple's May Wi-Fi kernel bug is bad, but it's probably not Broadpwn
CVE-2026-28819 gets kernel code execution on macOS, but Apple's wording points at a local-app trigger, not a rogue access point. Patch on a 72-hour clock, not a panic clock.
-
Analysis · May 17, 2026 · Colten Anderson
Dead.Letter is a Debian and Ubuntu problem, and the popular workaround is wrong
Exim 4.99.3 patches a pre-auth RCE that only exists on GnuTLS-linked builds. Several outlets are recommending a config change that does not close the hole.
-
Analysis · May 15, 2026 · Colten Anderson
When breaking the maintenance window is cheaper than waiting
The change board exists to make change safer, not slower. Here's the operational math for when the window has to move.
-
Analysis · May 15, 2026 · Colten Anderson
The patch ring math stops working at fifty endpoints
Enterprise ring guidance assumes a fleet big enough that 5% is a meaningful sample. At 50 machines, it's 2.5 boxes.
-
Field Note · May 15, 2026 · Colten Anderson
Patching Windows when your test ring is two laptops
Microsoft's deployment-ring guidance was written for orgs where 5% of the fleet is dozens of machines. Here's what the model actually buys you when 5% is two laptops, and what to substitute for the rest.
-
Analysis · May 14, 2026 · Colten Anderson
Fragnesia is the patch you already deployed, bypassed
If you rolled the Dirty Frag kernel update last week and called it done, your fleet is exposed again. Worse, patched hosts may still hand out root shells until you drop the page cache.
-
Analysis · May 11, 2026 · Colten Anderson
The June 2026 Secure Boot cliff: tomorrow is your last clean window
Three Microsoft Secure Boot certificates from 2011 expire in June. May 12 is the last Patch Tuesday before the cliff, and the registry trigger isn't going to set itself.
-
Analysis · May 10, 2026 · Colten Anderson
The seven-year gap is the story, not the CVE
Microsoft patched CVE-2018-8639 in December 2018. CISA added it to the KEV catalog in March 2025. The interesting number isn't the bug's age. It's the distance between when a fix shipped and when the exposed fleet was acknowledged.
-
Analysis · May 9, 2026 · Colten Anderson
Skip the optional preview: KB5083631 isn't worth your Tuesday morning
May 12 ships the same 34 fixes plus the month's security patches in one tested package. The preview brings the same risk for none of the upside.
-
Analysis · May 8, 2026 · Colten Anderson
Your LiteLLM proxy needs to be on 1.83.10 by May 11
CISA gave a three-day deadline on a pre-auth SQL injection in LiteLLM. The patch is one version bump; the rotation work after it is the real job.
-
Analysis · May 7, 2026 · Colten Anderson
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor. The KEV deadline is May 9. The first patch lands May 13. Here's what to do with the four days in between.
-
Analysis · May 6, 2026 · Colten Anderson
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped. One confirmed victim reported multi-billion dollar profit impact. SAP's initial workaround guidance was later marked 'Do Not Use.'
-
Analysis · May 5, 2026 · Colten Anderson
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere? It did. Third critical BeyondTrust RCE in 15 months, confirmed ransomware, CISA gave you 3 days.
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.0 unauthenticated RCE in Cisco FMC was exploited as a zero-day for 36 days. Here's what the upgrade actually looks like.
-
Analysis · May 5, 2026 · Colten Anderson
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers. The bug isn't the story. The patching economics are.
-
Analysis · May 5, 2026 · Colten Anderson
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations. Here's what patching EBS actually looks like under a KEV deadline.
-
Analysis · May 5, 2026 · Colten Anderson
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
-
Analysis · May 5, 2026 · Colten Anderson
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.
-
Analysis · May 5, 2026 · Colten Anderson
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days. CISA added it to KEV in April 2026 with a May 4 federal deadline. If you're still below 2023.11.4, this is two years overdue.
-
Analysis · May 1, 2026 · Colten Anderson
The security work that landed on ops
Cloud shared responsibility, compliance mandates, and insecure defaults have quietly moved security execution onto ops teams that were never staffed for it.
-
Field Note · May 1, 2026 · Colten Anderson
Patch CVE-2026-40372, then rotate the keys
The ASP.NET Core DataProtection fix stops new forged payloads. It does not clean up tokens your app may have issued while the vulnerable code was live.