Tag
#vulnerability-management
9 posts tagged #vulnerability-management.
-
Analysis · Jun 16, 2026 · Colten Anderson
A model was pulled for being too good at finding bugs
Anthropic shipped Claude Fable 5 and Mythos 5, then a federal directive killed both four days later. In May we forecast the patch window had gone negative; this is the first time a regulator reached for a kill switch to agree.
-
Analysis · Jun 8, 2026 · Colten Anderson
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the fix shipped. The prioritization logic behind that is the story.
-
Analysis · Jun 5, 2026 · Colten Anderson
Two AWS bugs you'd never have heard about, and the fix was yours
AWS disclosed two SageMaker SDK flaws on its own bulletins page. They may carry a CVE ID with no CVSS, they'll never hit CISA KEV, and patching them is the customer's job.
-
Analysis · Jun 3, 2026 · Colten Anderson
The patch triage meeting that ends with owners, not opinions
The short-list is built before anyone sits down. The meeting exists to put a name and a clock on each item, then end. Here's how to run it in fifteen minutes.
-
Analysis · May 24, 2026 · Colten Anderson
The patch window went negative. Now what?
Mandiant's mean time-to-exploit is negative seven days. NVD gave up on enriching most of the catalog. Here's what the next 24 months of patch management actually look like with AI on both sides.
-
Analysis · May 20, 2026 · Colten Anderson
CISA just gave the Conficker bug a 2026 deadline
Five of the seven CVEs CISA added on May 20 are 2008–2010 fossils, including MS08-067 and Operation Aurora. KEV inclusion means current exploitation, so the real signal isn't nostalgia.
-
Analysis · May 20, 2026 · Colten Anderson
When the catalog says 'authenticated' and the researcher says it isn't
The KEV entry for CVE-2023-40044 calls it an authenticated attack. The researchers who found it demonstrated remote code execution with no login at all. When your authoritative sources disagree about whether a bug needs credentials, plan around the scarier answer.
-
Analysis · May 15, 2026 · Colten Anderson
When breaking the maintenance window is cheaper than waiting
The change board exists to make change safer, not slower. Here's the operational math for when the window has to move.
-
Field Note · May 15, 2026 · Colten Anderson
A defensible software inventory you can build with the tools you already have
PowerShell, dpkg, system_profiler, Nmap, and a git repo will produce a weekly software inventory that joins cleanly against the CISA KEV catalog. Here are the parts that look right and aren't.
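The join the field note above describes, as an added example that is not the post's own code: it parses constructed `dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n'` output, indexes a constructed catalog in the shape of CISA's known_exploited_vulnerabilities.json (placeholder CVE IDs, not real KEV entries), and joins the two twice, once naively on package name and once through a hand-curated package-to-product map. The map, the sample rows and the inventory-side field names are assumptions; the KEV field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) are the ones the real catalog uses.

```python
import json
import re

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n'`.
DPKG_OUTPUT = (
    "openssh-server\t1:9.2p1-2+deb12u3\tamd64\n"
    "libssl3\t3.0.15-1~deb12u1\tamd64\n"
    "curl\t7.88.1-10+deb12u8\tamd64\n"
    "nginx\t1.22.1-9\tamd64\n"
)

# Constructed catalog in the shape of CISA's known_exploited_vulnerabilities.json.
# The CVE IDs are placeholders, not real KEV entries.
KEV_JSON = json.dumps({
    "title": "constructed sample",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "OpenBSD", "product": "OpenSSH",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-05-20",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-1900-0002", "vendorProject": "F5", "product": "NGINX",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-05-20",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0003", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "placeholder", "dateAdded": "2026-05-20",
         "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hand-curated map from Debian package name to lower-cased KEV product name
# (assumed for this example). KEV names products, not packages, so this table
# is what makes the join work, and it has to be maintained by a human.
PKG_TO_KEV_PRODUCT = {
    "openssh-server": "openssh",
    "openssh-client": "openssh",
    "libssl3": "openssl",
    "nginx": "nginx",
}

# Debian version = [epoch:]upstream[-revision]; the revision is the text after
# the LAST hyphen, upstream may itself contain hyphens.
DEB_VERSION = re.compile(r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<revision>[^-]+))?$")


def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:9.2p1-2+deb12u3' -> '9.2p1'.

    Vendor advisories talk about the upstream version; the revision
    ('2+deb12u3') is where a backported fix lives, so a match on the
    upstream version alone can still be a false positive."""
    return DEB_VERSION.match(debian_version).group("upstream")


def parse_dpkg(text):
    """Turn tab-separated dpkg-query lines into inventory records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        package, version, arch = line.split("\t")
        records.append({"package": package, "version": version, "arch": arch,
                        "upstream_version": upstream_version(version)})
    return records


def load_kev(text):
    """Index a KEV-shaped catalog by lower-cased product name."""
    by_product = {}
    for entry in json.loads(text)["vulnerabilities"]:
        by_product.setdefault(entry["product"].lower(), []).append(entry)
    return by_product


def join_inventory(inventory, kev_by_product, mapping=None):
    """Join inventory rows to KEV entries by product name.

    mapping=None joins on the raw package name, the version that 'looks
    right': it only hits where the Debian package name happens to equal
    CISA's product name. Every hit is a candidate only: KEV carries no
    affected-version data, so each still needs a version check against the
    vendor advisory or NVD before it becomes a finding."""
    candidates = []
    for row in inventory:
        if mapping is None:
            product = row["package"].lower()
        else:
            product = mapping.get(row["package"])
            if product is None:
                continue
        for entry in kev_by_product.get(product, []):
            candidates.append({
                "package": row["package"],
                "version": row["version"],
                "upstream_version": row["upstream_version"],
                "cveID": entry["cveID"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "ransomware": entry["knownRansomwareCampaignUse"],
                "needs_version_check": True,
            })
    return sorted(candidates, key=lambda c: (c["dueDate"], c["cveID"]))


if __name__ == "__main__":
    inv = parse_dpkg(DPKG_OUTPUT)
    kev = load_kev(KEV_JSON)
    print("naive join :", [c["cveID"] for c in join_inventory(inv, kev)])
    print("mapped join:", [c["cveID"] for c in join_inventory(inv, kev, PKG_TO_KEV_PRODUCT)])
```

On the constructed data the naive join finds only nginx, because that is the one package whose Debian name equals the KEV product name; the mapped join also surfaces openssh-server. Neither result is a vulnerability list, only a candidate list: the catalog says nothing about versions, and a Debian revision can carry a backported fix, so the version check is a separate step that the join cannot do for you.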