Beat
Field Notes
Per-CVE writeups, vendor postmortems, exploitation timelines, and the rest of the operator's week.
Written by Colten Anderson.
Lead story
Analysis · Jun 8, 2026 · Colten Anderson
A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.
More from this beat
-
Field Note · Jun 5, 2026 · Colten Anderson
Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule.
-
Field Note · Jun 5, 2026 · Colten Anderson
Promtail is end-of-life: your Loki shipper just lost its support floor
If Promtail still ships your logs to Loki, the agent reading every log file on the host has had no upstream remediation path since March 2, 2026.
-
Field Note · Jun 5, 2026 · Colten Anderson
One cookie to your storefront homepage is shell. CVE-2026-45247 has a Saturday deadline.
An unauthenticated RCE in the Mirasvit Cache Warmer extension is already being hit at scale, and CISA's federal patch deadline is essentially now.
-
Analysis · Jun 4, 2026 · Colten Anderson
The GlobalProtect bypass deadline already passed, but you might not be affected
CVE-2026-0257 is a GlobalProtect auth bypass with a KEV deadline that's come and gone.
-
Analysis · Jun 2, 2026 · Colten Anderson
One CERT says it's exploited, Microsoft says it isn't, and you patch anyway
A pre-auth SYSTEM RCE on every domain controller doesn't need an exploitation rumor to earn the top of your patch queue.
-
Field Note · May 29, 2026 · Colten Anderson
Enforcing and proving BitLocker TPM+PIN across an Intune fleet
Requiring a startup PIN is one toggle.
-
Field Note · May 28, 2026 · Colten Anderson
NGINX Rift: four places apt upgrade doesn't reach
The host patch for CVE-2026-42945 shipped on day one.
-
Analysis · May 20, 2026 · Colten Anderson
BlueKeep: the wormable RDP bug Microsoft patched Windows XP for
CVE-2019-0708 was a pre-authentication, wormable RCE in Windows Remote Desktop.
-
Analysis · May 20, 2026 · Colten Anderson
Apple, Chrome, Android: the zero-day stream that mostly isn't aimed at you
The catalog's Apple, Google/Chrome, Android, Samsung, and Qualcomm entries are overwhelmingly browser and mobile zero-days, many used by mercenary spyware against specific people.
-
Analysis · May 20, 2026 · Colten Anderson
They read one file off the VPN gateway and left with your whole Active Directory
CVE-2024-24919 is filed as 'information disclosure.'
-
Analysis · May 20, 2026 · Colten Anderson
Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager: a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs.
-
Analysis · May 20, 2026 · Colten Anderson
The VPN bug that isn't on the gateway, it's the updater on the laptop
CVE-2020-3433 and CVE-2020-3153 are in the Cisco AnyConnect Windows client, not the VPN gateway.
-
Analysis · May 20, 2026 · Colten Anderson
A 2020 bug leaked VPN passwords. The orgs that survived had MFA.
CVE-2020-3259 lets an unauthenticated attacker read Cisco ASA memory, sometimes including VPN credentials in cleartext.
-
Analysis · May 20, 2026 · Colten Anderson
The unlocked side door on your Cisco VPN was the default group nobody configured
CVE-2023-20269 let attackers brute-force Cisco ASA VPN credentials and establish unauthorized sessions, both by abusing default connection profiles that ship enabled.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the NetScaler RCE doesn't tell you if a webshell is already on it
CVE-2023-3519 was an unauthenticated RCE on Citrix NetScaler used as a zero-day to drop webshells.
-
Analysis · May 20, 2026 · Colten Anderson
CitrixBleed: the patch closed the leak but left the stolen keys working
CVE-2023-4966 leaked post-MFA session tokens from NetScaler.
-
Analysis · May 20, 2026 · Colten Anderson
Shitrix: the Citrix bug that taught everyone how fast a perimeter RCE goes from PoC to pandemic
CVE-2019-19781, 'Shitrix,' was a path-traversal RCE in Citrix NetScaler.
-
Analysis · May 20, 2026 · Colten Anderson
22,000 servers ransomed in days: the CyberPanel control-panel wipeout
Two CVSS-10 pre-auth RCEs in CyberPanel let the PSAUX ransomware crew encrypt roughly 22,000 internet-exposed servers in late October 2024.
-
Analysis · May 20, 2026 · Colten Anderson
A mitigation blocks a path. OWASSRF found another door.
After ProxyNotShell, Microsoft told Exchange admins to apply URL-rewrite mitigations while the patch was finished.
-
Field Note · May 20, 2026 · Colten Anderson
F5 CVE-2023-46747: the backend trusted a header that said 'I'm already an admin'
The Tomcat backend behind F5's config utility trusted a remote_user header as proof of authentication, assuming only the front-end could set it.
-
Field Note · May 20, 2026 · Colten Anderson
FortiClient EMS CVE-2023-48788: a SQL injection that talks the database into running SYSTEM commands
When a product runs on Microsoft SQL Server, a SQL injection is rarely just a data leak.
-
Analysis · May 20, 2026 · Colten Anderson
Fortinet's other products take their turn: FortiWeb, FortiManager, FortiClient EMS
Beyond the long-running FortiOS auth-bypass cycle, 2025-2026 brought a wave of exploited bugs in FortiWeb, FortiManager, and FortiClient EMS: SQL injection, path traversal, auth bypass, and a format-string RCE.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the Fortinet auth bypass doesn't remove the admin account the attacker added
CVE-2022-40684 let unauthenticated attackers act as administrator on FortiOS, FortiProxy, and FortiSwitchManager by spoofing trusted headers.
-
Analysis · May 20, 2026 · Colten Anderson
Scattered Spider didn't need a zero-day. They brought a decade-old driver Windows still loads.
CVE-2015-2291 is a vulnerable Intel Ethernet driver.
-
Analysis · May 20, 2026 · Colten Anderson
The catalog is full of cheap routers and cameras for one reason: they're botnet feedstock
Scroll the KEV catalog and you hit a wall of command-injection bugs in D-Link, TP-Link, DrayTek, ASUS, Netgear, and IP-camera firmware.
-
Analysis · May 20, 2026 · Colten Anderson
Ivanti Endpoint Manager: the management server that can be coerced into handing over credentials
CVE-2024-13159, 13160, and 13161 are path-traversal/credential-coercion flaws in Ivanti Endpoint Manager that let an attacker make the EPM server authenticate to them and relay it.
-
Field Note · May 20, 2026 · Colten Anderson
Jenkins CVE-2024-23897: from 'limited file read' to your secret key
The KEV entry calls it 'limited read access to certain files.'
-
Field Note · May 20, 2026 · Colten Anderson
Laravel CVE-2021-3129: the RCE that only fires when debug mode is on in production
CVE-2021-3129 is unauthenticated remote code execution in Laravel's Ignition error page.
-
Analysis · May 20, 2026 · Colten Anderson
900 old bugs, one answer: patch what's supported, retire what isn't
More than half the KEV catalog is pre-2025 legacy: old Windows, IE, Office, Flash, Java, Apache, and a sea of network gear.
-
Analysis · May 20, 2026 · Colten Anderson
Why a decade-old Silverlight bug is in a 2022 exploited-vulnerability list
The KEV catalog includes Microsoft Silverlight, Oracle Java, JBoss, and Outside In bugs from 2010 to 2016.
-
Analysis · May 20, 2026 · Colten Anderson
Still running SMBv1? The catalog has a 2017 reminder for you.
A cluster of old Windows bugs sits in the KEV catalog: an SMBv1 information-disclosure from the MS17-010 family that powered WannaCry, plus assorted legacy privilege-escalation flaws.
-
Analysis · May 20, 2026 · Colten Anderson
OMIGOD: an unauth root RCE in an agent you didn't know Azure installed
CVE-2021-38647 is an unauthenticated remote code execution as root in the OMI agent.
-
Analysis · May 20, 2026 · Colten Anderson
A CVSS 10 that hinged on one unchecked box: 'Validate Identity Provider Certificate'
CVE-2020-2021 let attackers bypass authentication on Palo Alto firewalls and VPNs using SAML, but only when one option was disabled: 'Validate Identity Provider Certificate.'
-
Analysis · May 20, 2026 · Colten Anderson
Palo Alto GlobalProtect CVE-2019-1579: another VPN gateway, another pre-auth RCE
CVE-2019-1579 was a pre-authentication remote code execution in Palo Alto's GlobalProtect SSL-VPN.
-
Analysis · May 20, 2026 · Colten Anderson
2017's other wormable file-share RCE, the one nobody remembers, is still on your NAS
Everyone remembers EternalBlue tearing through Windows SMB in 2017.
-
Analysis · May 20, 2026 · Colten Anderson
The attacker installed a second antivirus to crash your first one
CVE-2024-38094 is a 7.
-
Analysis · May 20, 2026 · Colten Anderson
A bug that won $100k at Pwn2Own in March was encrypting SharePoint by winter
The CVE-2023-29357 + CVE-2023-24955 chain gives unauthenticated RCE on SharePoint.
-
Analysis · May 20, 2026 · Colten Anderson
SolarWinds Serv-U: a state actor's zero-day in yet another file-transfer product
CVE-2021-35211 was a zero-day RCE in SolarWinds Serv-U, exploited by a China-nexus actor weeks after the SUNBURST headlines faded.
-
Analysis · May 20, 2026 · Colten Anderson
2021 was open season on SonicWall's appliances, remote access and email alike
In 2021, SonicWall's SMA/SRA remote-access appliances and its Email Security product were both hit by zero-day exploitation, by ransomware crews and APTs.
-
Analysis · May 20, 2026 · Colten Anderson
Akira's favorite front door is a SonicWall SSL-VPN, and it's fast
Three SonicWall bugs, CVE-2024-40766, CVE-2024-53704, and CVE-2025-23006, feed the same outcome: Akira ransomware through the SSL-VPN.
-
Analysis · May 20, 2026 · Colten Anderson
SysAid customers got the patch the same week they learned they were already breached
CVE-2023-47246 was a SysAid zero-day before it was a CVE.
-
Analysis · May 20, 2026 · Colten Anderson
The backup agent on every server was ALPHV's way in
Veritas Backup Exec's agent listens on every machine it backs up.
-
Analysis · May 20, 2026 · Colten Anderson
The virtualization control plane keeps getting RCE'd, and ESXiArgs showed why that matters
vCenter and ESXi run your entire virtual estate.
-
Analysis · May 20, 2026 · Colten Anderson
Five hours from public PoC to live exploitation on your monitoring server
CVE-2024-6670 is an unauthenticated SQL injection in WhatsUp Gold.
-
Analysis · May 20, 2026 · Colten Anderson
Two years of Patch Tuesdays, one message: the exploited Windows bug is almost always a privilege escalation
Across 2025 and 2026, Microsoft kept fixing already-exploited Windows flaws: storage drivers, Hyper-V, the network stack, even a 20-year-old third-party modem driver.
-
Analysis · May 20, 2026 · Colten Anderson
Microsoft said 'no known exploitation.' The exploit may have been three months old.
When Microsoft patched CVE-2024-26169 in March 2024, the advisory said it wasn't aware of attacks.
-
Analysis · May 20, 2026 · Colten Anderson
The Print Spooler keeps getting exploited. The fix is usually to turn it off.
PrintNightmare wasn't one bug.
-
Analysis · May 20, 2026 · Colten Anderson
WSO2 CVE-2022-29464: an upload bug on the box that brokers your APIs and logins
CVE-2022-29464 is an unauthenticated file-upload-to-RCE in WSO2 products.
-
Analysis · May 20, 2026 · Colten Anderson
A 2017 home-router bug got a federal deadline. The fix is to throw the router away.
CVE-2017-6884 is command injection in a Zyxel SOHO router.
-
Analysis · May 19, 2026 · Colten Anderson
YellowKey is unpatched and your travel laptops are exposed today
A public PoC, a TPM-only default, and no patch in sight.
-
Analysis · May 18, 2026 · Colten Anderson
KB5089549 fails at 35% because your ESP is full
May's Windows 11 cumulative dies at the boot-file write step on machines with under 10 MB free in the EFI System Partition.
-
Analysis · May 18, 2026 · Colten Anderson
Apple's May Wi-Fi kernel bug is bad, but it's probably not Broadpwn
CVE-2026-28819 gets kernel code execution on macOS, but Apple's wording points at a local-app trigger, not a rogue access point.
-
Analysis · May 17, 2026 · Colten Anderson
Dead.Letter is a Debian and Ubuntu problem, and the popular workaround is wrong
Exim 4.
-
Analysis · May 15, 2026 · Colten Anderson
When breaking the maintenance window is cheaper than waiting
The change board exists to make change safer, not slower.
-
Field Note · May 15, 2026 · Colten Anderson
A defensible software inventory you can build with the tools you already have
PowerShell, dpkg, system_profiler, Nmap, and a git repo will produce a weekly software inventory that joins cleanly against the CISA KEV catalog.
-
Field Note · May 15, 2026 · Colten Anderson
Patching Windows when your test ring is two laptops
Microsoft's deployment-ring guidance was written for orgs where 5% of the fleet is dozens of machines.
-
Field Note · May 15, 2026 · Colten Anderson
Recovering from a bad Intune deployment without making it worse
Stop the spread, unwind the damage, verify it took.
-
Field Note · May 15, 2026 · Colten Anderson
A 30-minute Patch Tuesday triage you can actually run
How to get from 150 CVEs to the 4-8 that change your week, using only public signals and a clock.
-
Field Note · May 15, 2026 · Colten Anderson
Nine PowerShell checks before you trust a Windows host
A short, native-PowerShell audit a Windows admin can run on any host in about ten minutes.
-
Analysis · May 14, 2026 · Colten Anderson
Fragnesia is the patch you already deployed, bypassed
If you rolled the Dirty Frag kernel update last week and called it done, your fleet is exposed again.
-
Analysis · May 11, 2026 · Colten Anderson
The .de outage was a TLD postmortem, not a patch you missed
DENIC's signing pipeline shipped two-thirds bad signatures during a routine ZSK rotation on May 5.
-
Analysis · May 11, 2026 · Colten Anderson
Kubernetes 1.36 is the upgrade that quietly rewrites your RBAC
The headline features in 1.
-
Analysis · May 8, 2026 · Colten Anderson
Cleo shipped a fix in October. Cl0p was bypassing it by December.
CVE-2024-50623 was patched in 5.
-
Analysis · May 8, 2026 · Colten Anderson
Qlik patched the smuggling bug, then Praetorian beat it with one extra letter
On August 29, 2023, Qlik shipped a literal-string filter for chunked transfer encoding.
-
Analysis · May 8, 2026 · Colten Anderson
Mitel MiCollab keeps shipping the same path-traversal bug class
watchTowr published a working unauth file-read chain on December 5, 2024 with one of the two CVEs still a 0-day.
-
Analysis · May 8, 2026 · Colten Anderson
Your LiteLLM proxy needs to be on 1.83.10 by May 11
CISA gave a three-day deadline on a pre-auth SQL injection in LiteLLM.
-
Analysis · May 8, 2026 · Colten Anderson
The researcher who reported two Windows bugs to Microsoft was exploiting a third
CVE-2025-26633 turns MMC's localization feature into a code execution vector.
-
Analysis · May 8, 2026 · Colten Anderson
Broadcom turned an ESXi zero-day into a patch-access crisis
CVE-2025-22225 was exploited for over a year before Broadcom patched it.
-
Analysis · May 8, 2026 · Colten Anderson
Ivanti EPMM has produced a confirmed zero-day every year since 2023. Here's the full chain.
Twelve CVEs.
-
Analysis · May 7, 2026 · Colten Anderson
CISA says patch by Friday. Palo Alto's fix ships next Tuesday.
CVE-2026-0300 is an unauthenticated RCE in PAN-OS Captive Portal, exploited since April 9 by a state-aligned actor.
-
Analysis · May 6, 2026 · Colten Anderson
Citrix shipped CitrixBleed again
Citrix shipped the same pre-auth memory disclosure bug class it patched in 2023.
-
Analysis · May 6, 2026 · Colten Anderson
CrushFTP chose the narrative over its customers
CrushFTP tried to keep a CVSS 9.
-
Analysis · May 6, 2026 · Colten Anderson
Fortinet encrypted your config backups with 'Mary had a littl' for six years
Every FortiGate encrypted config backups with the same AES key for years.
-
Analysis · May 6, 2026 · Colten Anderson
SAP NetWeaver was owned for ten weeks before anyone said anything
Five threat groups were already inside SAP NetWeaver when the emergency patch shipped.
-
Analysis · May 6, 2026 · Colten Anderson
Six zero-days in three years: the CLFS pattern Microsoft can't outrun
Microsoft patched a CLFS zero-day on April 8 but left Windows 10 without a fix for five weeks.
-
Analysis · May 5, 2026 · Colten Anderson
Oracle blamed its customers for a zero-day it hadn't patched
Oracle's first public statement during active Cl0p exploitation told customers the breach was their fault for not applying a patch that didn't exist.
-
Analysis · May 5, 2026 · Colten Anderson
BeyondTrust RS/PRA hit again. Same endpoint, same bug class, 15 months later.
The researcher who found CVE-2026-1731 did it by asking one question about the December 2024 fix: did the same pattern exist elsewhere?
-
Analysis · May 5, 2026 · Colten Anderson
Your firewall management console was the breach. Cisco FMC CVE-2026-20131.
CVSS 10.
-
Analysis · May 5, 2026 · Colten Anderson
Exchange's deserialization problem didn't start in 2023. It still isn't fixed.
A ransomware group picked up a three-year-old Exchange RCE because scanning at scale still finds unpatched servers.
-
Analysis · May 5, 2026 · Colten Anderson
GoAnywhere MFT gets its third critical RCE in three years
Storm-1175 was exploiting CVE-2025-10035 two days before Fortra even shipped the hotfix to customers.
-
Analysis · May 5, 2026 · Colten Anderson
Cl0p chained an Oracle EBS SSRF into a mass extortion campaign. Your patch window is 21 days.
CVE-2025-61884 is a pre-auth SSRF in Oracle E-Business Suite that Cl0p weaponized into a full RCE chain hitting 100+ organizations.
-
Analysis · May 5, 2026 · Colten Anderson
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back.
-
Analysis · May 5, 2026 · Colten Anderson
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday.
-
Analysis · May 5, 2026 · Colten Anderson
SharePoint's two-week window: patched servers were still exploitable
Organizations that patched SharePoint on July 9 did everything right and were still vulnerable.
-
Analysis · May 5, 2026 · Colten Anderson
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.
-
Analysis · May 5, 2026 · Colten Anderson
The patch that wasn't: why SharePoint's fix needed a fix
CVE-2025-53770 bypassed Microsoft's July patch for SharePoint within days.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail fixed a CVSS 10 and told no one for two months
CVE-2025-52691 is a pre-auth RCE in SmarterMail's file upload API.
-
Analysis · May 5, 2026 · Colten Anderson
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15.
-
Analysis · May 5, 2026 · Colten Anderson
SmarterMail's ConnectToHub API gave attackers SYSTEM in a single POST request
CVE-2026-24423 is an unauthenticated RCE in SmarterMail's ConnectToHub API.
-
Analysis · May 5, 2026 · Colten Anderson
TeamCity's path traversal took two years to reach KEV. That's a long time to leave a CI server exposed.
CVE-2024-27199, a path traversal in JetBrains TeamCity On-Premises, was patched in March 2024 and exploited by BianLian ransomware within days.
-
Analysis · May 3, 2026 · Colten Anderson
Copy Fail is a 732-byte root shell. Patch your Linux fleet this week.
CVE-2026-31431 is a deterministic privilege escalation in the Linux kernel affecting versions 4.
-
Analysis · May 3, 2026 · Colten Anderson
Cerdigent was a false positive. Check what Defender actually removed.
Defender definition 1.
-
Analysis · May 1, 2026 · Colten Anderson
Hotpatch goes default in Autopatch. You have 10 days.
Microsoft flips hotpatch on by default for all Autopatch tenants May 11.
-
Analysis · May 1, 2026 · Colten Anderson
A 4.3 that mattered: the 13-day gap between patch and exploitation flag
Microsoft patched CVE-2026-32202 on April 14 without marking it exploited.
-
Field Note · May 1, 2026 · Colten Anderson
Patch CVE-2026-40372, then rotate the keys
The ASP.
-
Analysis · Apr 30, 2026 · Colten Anderson
CVE-2026-41940 isn't just a cPanel bug. It's a design assumption that shipped for a decade.
A CRLF injection in cPanel's session writer gave attackers unauthenticated root in four requests.