Intro

Operator writing for noisy security days.

If the internet insists on turning every bug, breach, and dashboard into a dramatic monologue, this site is here to be less theatrical and more useful.

News is for the stories that matter now. Articles are for ideas worth keeping. Tracks are for learning the machinery in the right order, instead of collecting half-understood fragments like rare trading cards for people with terminal tabs.

Read By Lane

News

Current reporting, reactions, and incidents with actual operator value.

Articles

Longer essays, technical judgment, and pieces meant to age decently.

Tracks

Stepwise lessons in networking, virtualization, systems, and security craft.

News

Cisco SD-WAN KEV update is a control-plane warning

CISA's April 20, 2026 KEV update matters because it pulls another Cisco Catalyst SD-WAN Manager flaw into the exploited bucket, turning what might look like a narrow information disclosure bug into a control-plane hunting problem.

News

SGLang RCE makes model files part of the attack surface

CVE-2026-5760 matters because it turns an AI model artifact into a server-side code execution path, which means inference teams need model provenance, template sandboxing, and runtime containment before the next charmingly named model shows up in production.

News

SharePoint zero-days do not care that the bug says spoofing

CVE-2026-32201 matters because a medium-rated SharePoint spoofing flaw still shipped with exploitation already detected, which is a reminder that trusted internal portals can become attack infrastructure long before anyone gets around to arguing about the CVSS.

News

nginx-ui turns MCP into a reverse-proxy takeover

CVE-2026-33032 matters because it did not break nginx with exotic memory corruption; it let attackers drive a production reverse proxy through an unauthenticated MCP message endpoint, which is a much more practical way to ruin someone’s week.

News

W3LL was never just a phishing kit

The April 13, 2026 takedown of W3LL matters because the real target was not one fake-login toolkit but an access market that packaged AiTM phishing, session theft, and account resale into something cheap enough for ordinary fraud crews to operate at scale.

News

SharePoint turns spoofing into an internal trust incident

Microsoft’s April 14, 2026 fix for CVE-2026-32201 matters because an exploited SharePoint 'spoofing' bug is not a cosmetic problem inside a trusted collaboration platform; it is a way to poison internal content, workflows, and decisions at network speed.

News

Iran does not need a zero-day if your PLC is on the internet

The April 7, 2026 PLC advisory matters because the attack path was not exotic OT malware but internet-exposed controllers reachable through legitimate engineering tooling, which turns a public IP on a PLC into a direct operational risk.

News

APT28 turns SOHO routers into a cloud identity problem

The April 7, 2026 APT28 router disclosures matter because they show how an unmaintained edge device in a home or branch office can quietly become the upstream control point for Microsoft 365 credential theft and adversary-in-the-middle collection.

News

Adobe Reader turns a PDF into endpoint selection logic

CVE-2026-34621 matters because the malicious PDF was not just a document-borne exploit but a selective access mechanism that fingerprinted endpoints, stole local data, and kept the expensive follow-on stage for machines the attacker actually cared about.

News

Marimo makes advisory publication an initial-access event

Marimo's April 8, 2026 pre-auth terminal bug matters because attackers did not wait for a public exploit kit, a KEV entry, or even a settled CVE record. The advisory itself was enough to turn exposed notebook instances into initial access within 9 hours and 41 minutes.

News

Axios turns npm install into endpoint triage

The Axios compromise matters because installing the malicious releases was not a dependency hygiene issue but a host-compromise event that could land a cross-platform RAT on developer laptops and CI runners before anyone noticed the application still worked.

News

F5 BIG-IP shows how stale triage becomes live exposure

The F5 BIG-IP APM story matters because it is a clean example of how an old vulnerability ticket can quietly become an actively exploited internet-facing RCE while defenders are still trusting the first label it was given.

News

TrueConf turns trusted updates into a malware switchboard

The TrueConf CVE-2026-3502 story matters because it turns compromise of one on-prem collaboration server into a trusted code-delivery path for every connected client, which is a much bigger operational problem than the CVSS line item suggests.

News

Mercor makes LiteLLM an incident, not a warning

Mercor's March 31 and April 1, 2026 disclosures matter because they confirm what defenders should have assumed on March 24: the LiteLLM PyPI compromise was not a tidy open-source hygiene problem. It was an incident path into real environments.

News

NetScaler memory leaks are identity-edge emergencies

Citrix's March 2026 NetScaler disclosure matters because CVE-2026-3055 is not just another appliance bug. It is a memory leak on the authentication edge, and that turns patching into incident response very quickly.

News

KEV does not care which stack you prefer

CISA's March 20, 2026 KEV additions matter because they cut across Apple endpoints, Craft CMS sites, and Laravel Livewire apps, which is a polite federal way of saying attackers do not care how your org chart labels the problem.

News

Cisco FMC is a management-plane emergency

Cisco's March 2026 FMC emergency matters because the vulnerable target is the control plane for other security controls, and that changes how fast sane teams should move.

News

Wing FTP is a reminder that exploited beats severe

The interesting security lesson in the recent Wing FTP coverage is not the product itself. It is the reminder that active exploitation and exposure path matter more than a comforting severity label.

News

Secret scanning gets more specific, and that is good news

GitHub added new partner and generic secret-scanning patterns in March 2026, which sounds small until you remember how much modern incident response still begins with somebody leaking a credential into plain sight.

News

Iran-linked campaigns are still a systems problem

Palo Alto Networks' March 2, 2026 threat brief on Iran-linked activity is a useful reminder that headline attribution matters less than the old, stubborn system weaknesses the operators keep reusing.

News

The 2026 IR report says the quiet part out loud

Palo Alto Networks' 2026 incident response report says attacks are faster, more creative, and more focused on data theft, which is a polite way of saying defenders do not get to warm up anymore.

News

Mobile fleets are infrastructure too

Apple's February 11, 2026 iOS 26.3 and iPadOS 26.3 security release is a reminder that phones are not lifestyle accessories in enterprise environments. They are infrastructure with payroll access and MFA tokens.

News

FortiCloud SSO auth bypass is a trust-boundary story

Fortinet's January 27, 2026 advisory for a critical FortiCloud SSO authentication bypass is another reminder that internet-facing trust boundaries age badly when nobody revisits the assumptions underneath them.

Tracks

Knowledge lanes for building actual skill.

These are the long-running routes through the site, meant to compound over time.

Track

Algorithmic complexity is how work grows

Algorithmic complexity describes how a program's work grows as the input grows, giving us a practical way to compare approaches before production traffic turns small inefficiencies into expensive alarms.


Track

Binary search is how order turns guessing into elimination

Binary search uses the promise of sorted data to compare against the middle item, discard half the remaining possibilities, and find answers without trudging through every value one by one.


Track

Sorting is how programs turn comparisons into order

Sorting is the disciplined process of repeatedly comparing and moving values until scattered data becomes ordered data, which lets later algorithms search, merge, and reason with far less confusion.


Track

Priority queues are how programs let urgency outrank arrival time

A priority queue stores pending work with an ordering rule stronger than arrival time, letting programs remove the most important item first without sorting the whole world every time they need the next decision.


Track

Queues are how programs remember which work happens next

A queue stores pending work in first-in, first-out order, which lets programs process arrivals fairly, coordinate producers with consumers, and turn 'later' from a hand-wave into concrete state in memory.
