Researchers disclosed that certain versions of Exim are susceptible to a critical remote code execution (RCE) vulnerability caused by a use-after-free (UAF) condition in the BDAT body parsing path. The flaw is specifically triggered when Exim is configured to use GnuTLS, the default TLS library for many Debian-based distributions. The vulnerability occurs when a client sends a TLS close_notify alert mid-body during an SMTP CHUNKING (RFC 3030) transfer, followed by a final cleartext byte on the same TCP connection. This specific sequence leads to heap corruption, which a remote, unauthenticated attacker can leverage to execute arbitrary code on the system. The vulnerability, designated CVE-2026-45185, also known as Dead.Letter, is rated critical with a base CVSS score of 9.8.

The following versions are affected

• Exim: Versions prior to 4.99.3 (when configured with GnuTLS).

What is Exim?

Exim is an open-source Mail Transfer Agent (MTA) for Unix-like operating systems that manages the routing and delivery of email messages via SMTP using a highly flexible and programmable configuration system.

What is the impact?

Successful exploitation of the vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code on the affected system.

Are updates or workarounds available?

Upgrade affected systems to the new versions

• Exim: Upgrade to 4.99.3 or later.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

product:=exim AND banner:"STARTTLS"

October 2023: CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119, and CVE-2023-42114

On September 27th 2023, Trend Micro's Zero Day Initiative (ZDI) published details of a critical zero-day vulnerability that allows an unauthenticated attacker the ability to remotely execute arbitrary code within the context of an Exim SMTP service account. In addition, ZDI disclosed five additional zero-day vulnerabilities with lower severity rankings:

• CVE-2023-42116: Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability (CVSS v3.0 8.1)
• CVE-2023-42117: Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability (CVSS v3.0 8.1)
• CVE-2023-42118: Exim libspf2 Integer Underflow Remote Code Execution Vulnerability (CVSS v3.0 7.5)
• CVE-2023-42119: Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.1)
• CVE-2023-42114: Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vulnerability (CVSS v3.0 3.7)

What is Exim Mail?

Exim mail is an open source, message transfer agent (MTA) that runs on Unix/Linux operating systems. Exim is also the default MTA configured on Debian Linux distributions.

Are updates available?

Recently, maintainers of the Exim mail server issued a 4.96.1 patch that appears to resolve four of the six vulnerabilities listed above. Although the maintainers are still working to resolve the remaining vulnerabilities, if you are running Exim mail servers on your network, you should apply the security patch immediately.

How do I find potentially vulnerable Exim mail servers with runZero?

A Shodan search showed nearly 3.5 million Exim servers exposed to the internet. Their accessibility makes these mail transfer agents targets for attackers.

With runZero, you can find Exim mail servers in your inventory with this pre-built query. This query searches for any live asset that has the exim product exposed over SMTP.

product:exim

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Palo Alto Networks (PAN) released a security advisory for a high buffer overflow vulnerability in the IKEv2 processing that allows an unauthenticated remote attacker to execute arbitrary code with elevated privileges or cause a denial of service.

• CVE-2026-0263 is rated high with CVSS score of 7.2, is a buffer overflow vulnerability and potentially allows for remote code execution with elevated privileges.

What is the impact?

CVE-2026-0263 allows for an unauthenticated remote attacker to execute arbitrary code with elevated privileges or lead to a denial of service (DoS).

The vulnerability only affects PA-Series firewalls if IKEv2 VPN tunnels are configured with Post Quantum Cryptography (PQC).

Are updates or workarounds available?

Within the advisory, Palo Alto recommends "configuring IKEv2 VPN tunnels only with NIST approved Post Quantum Cryptography (PQC) ciphers".

• PAN-OS 12.1: Upgrade to 12.1.7 or later, 
                                               12.1.4-h5 or 12.1.7 or later.
• PAN-OS 11.2: Upgrade to 11.2.12 or later, 
                                              11.2.10-h6 or 11.2.12 or later, 
                                              11.2.7-h13 or 11.2.12 or later, 
                                              11.2.4-h17 or 11.2.12 or later.
• PAN-OS 11.1: Upgrade to 11.1.15 or later, 
                                              11.1.13-h5 or 11.1.15 or later, 
                                              11.1.10-h25 or 11.1.15 or later, 
                                              11.1.7-h6 or 11.1.15 or later, 
                                              11.1.6-h32 or 11.1.15 or later, 
                                              11.1.4-h33 or 11.1.15 or later.

How to find PAN-OS systems on your network

From the Asset Inventory you can use the following query to locate potentially vulnerable PAN-OS systems:

hw:="Palo Alto Networks" AND os:="Palo Alto Networks PAN-OS%" AND os_version:>0 AND
  ((os_version:>="12.1.5" AND os_version:<"12.1.7") OR
  (os_version:>="12.1.2" AND os_version:<"12.1.4-h5") OR
  (os_version:>="11.2.11" AND os_version:<"11.2.12") OR
  (os_version:>="11.2.8" AND os_version:<"11.2.10-h6") OR
  (os_version:>="11.2.5" AND os_version:<"11.2.7-h13") OR
  (os_version:>="11.2.0" AND os_version:<"11.2.4-h17") OR
  (os_version:>="11.1.14" AND os_version:<"11.1.15") OR
  (os_version:>="11.1.11" AND os_version:<"11.1.13-h5") OR
  (os_version:>="11.1.8" AND os_version:<"11.1.10-h25") OR
  (os_version:>="11.1.7" AND os_version:<"11.1.7-h6") OR
  (os_version:>="11.1.5" AND os_version:<"11.1.6-h32") OR
  (os_version:>="11.1.0" AND os_version:<"11.1.4-h33"))

May 5, 2026 Palo Alto vulnerabilities: CVE-2026-0300

On May 5, 2026, Palo Alto Networks (PAN) released a security advisory for a critical buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) that allows an unauthenticated remote attacker to execute arbitrary code with root privileges.

• CVE-2026-0300 is rated critical with CVSS score of 9.3, is a buffer overflow vulnerability and potentially allows for remote code execution with root privileges.

On May 6, 2026, CISA announced that the vulnerability is actively being exploited and it was added to the Known Exploited Vulnerabilities (KEV) Catalog.

What is the impact?

CVE-2026-0300 allows for an unauthenticated remote attacker to execute arbitrary code with root privileges, which can lead to complete system takeover.

The vulnerability only affects PA-Series and VM-Series firewalls if they're set up with the Captive Portal.

Are updates or workarounds available?

Within the advisory, Palo Alto recommends restricting access to the Captive Portal to trusted internal IP addresses. Additionally, they advise following a set of best practices to secure device access. 

Palo Alto Networks has a patch release scheduled for CVE-2026-0300 ranging between 5/15 through 5/28.

How to find PAN-OS systems on your network

From the Asset Inventory you can use the following query to locate potentially vulnerable PAN-OS systems:

hw:="Palo Alto Networks%" AND os:="Palo Alto Networks PAN-OS%" AND 
os_version:>0 AND ((os_version:<"10.2.7-h34") OR  
(os_version:>"10.2.7-h34" AND os_version:<"10.2.10-h36") OR  
(os_version:>"10.2.10-h36" AND os_version:<"10.2.13-h21") OR  
(os_version:>"10.2.13-h21" AND os_version:<"10.2.16-h7") OR  
(os_version:>"10.2.16-h7" AND os_version:<"10.2.18-h6") OR  
(os_version:>="11.1" AND os_version:<"11.1.4-h33") OR  
(os_version:>"11.1.4-h33" AND os_version:<"11.1.6-h32") OR  
(os_version:>"11.1.6-h32" AND os_version:<"11.1.7-h6") OR  
(os_version:>"11.1.7-h6" AND os_version:<"11.1.10-h25") OR  
(os_version:>"11.1.10-h25" AND os_version:<"11.1.13-h5") OR  
(os_version:>"11.1.13-h5" AND os_version:<"11.1.15") OR  
(os_version:>="11.2" AND os_version:<"11.2.4-h17") OR  
(os_version:>"11.2.4-h17" AND os_version:<"11.2.7-h13") OR  
(os_version:>"11.2.7-h13" AND os_version:<"11.2.10-h6") OR  
(os_version:>"11.2.10-h6" AND os_version:<"11.2.12") OR  
(os_version:>="12.1" AND os_version:<"12.1.4-h5") OR  
(os_version:>"12.1.4-h5" AND os_version:<"12.1.7"))

From the Service Inventory you can use the following query to locate potentially vulnerable PAN-OS Captive Portals:

_service.favicon.ico.image.md5:c8c08bbe0b78b27d61002db456c741cc AND _service.http.code:="403" and (port:6080 OR port:6081 OR port:6082)

February 2025 (Multiple CVEs)

On February 20, 2025, Palo Alto Networks updated another security advisory notifying customers of other active exploitation of vulnerabilities being chained together with CVE-2025-0108. In the advisory, CVE-2025-0111, with a CVSS score of 7.1, the vendor warns that an "authenticated attacker with network access to the management web interface" could gain read access to files accessible by the nobody user on the local filesystem.

On February 18, 2025 Palo Alto Networks confirmed that CVE-2025-0108 was being actively exploited in the wild. They also updated their advisory noting that the vulnerability could be chained together with other patched vulnerabilities including CVE-2024-9474.

On February 12, 2025 Palo Alto Networks (PAN) has issued multiple security advisories for vulnerabilities in PAN-OS. 

• CVE-2025-0108 is rated high with a CVSS score of 7.8. Successful exploitation of this vulnerability would allow a remote unauthenticated attacker to bypass authentication and run certain scripts.
• CVE-2025-0109 is rated medium with a CVSS score of 5.5. Successful exploitation of this vulnerability would allow a remote unauthenticated attacker to delete certain files as the "nobody" user. This includes certain logs and configuration files but not system files.

What is the impact?

An attacker that can access the web administration interface of a device running PAN-OS can execute certain scripts or delete certain files. 

Are updates or workarounds available?

Palo Alto has released updates to address these vulnerability, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

November 2024 (Multiple CVEs)

On November 18, 2024 Palo Alto Networks (PAN) issued a security advisory for a vulnerability that allows an unauthenticated attacker with access to the system's management PAN-OS web interface to gain administrator privileges on the device. There is limited evidence that CVE-2024-0012 is being exploited in the wild. This vulnerability is rated as critical with a 9.3 CVSS score. 

What is the impact?

An attacker that can access the web administration interface of a device running PAN-OS can gain administrative privileges on the system. This would allow the attacker control over the system, and additionally may allow the attacker paths to further exploits (for example, CVE-2024-9474).

Palo Alto has indicated that there is limited evidence of exploitation of this vulnerability in the wild. Palo Alto's Unit 42 research organization has authored a writeup on the vulnerability that includes some Indicators of Compromise (IoCs).

Note that CISA (the Cybersecurity and Infrastructure Security Agency) has added CVE-2024-0012 and CVE-2024-9474 to their Known Exploited Vulnerabilities catalog.

Are updates or workarounds available?

Palo Alto has released updates to address this vulnerability, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465

Palo Alto Networks (PAN) updated a security advisory advising customers to restrict access to the management interface of Next-Generation Firewalls (NGFW) due to an actively exploited zero-day vulnerability.

CISA announced that CVE-2024-5910, which was patched in July, is actively being exploited and was added to the Known Exploited Vulnerabilities (KEV) Catalog. Although not directly affecting PAN-OS, this vulnerability affects the Expedition migration tool, which could contain API keys, administrator credentials, and/or PAN-OS device configuration information.

Additionally, CISA announced that both CVE-2024-9463 (CVSS 9.9) and CVE-2024-9465 (CVSS 9.3) are actively being exploited and were also added to the Known Exploited Vulnerabilities (KEV) Catalog. Both vulnerabilities also affect the Expedition migration tool.

What is the impact?

Although no specific details of a remote code execution vulnerability were disclosed within the advisory, Palo Alto is actively investigating an active exploitation of a zero-day vulnerability against the management interfaces of NGFWs exposed to the public Internet.

CVE-2024-5910 allows for a remote attacker to reset application admin credentials on Expedition servers. Additionally, successful exploitation of the other two vulnerabilities above could allow for a remote attacker to execute arbitrary OS commands or reveal the contents of the underlying database.

Are updates or workarounds available?

Within the advisory, Palo Alto recommends restricting access to the management interface. Additionally, they advise following a set of best practices to secure the management interface. 

Palo Alto Networks released a patch for CVE-2024-5910 in July.

How to find PAN-OS systems on your network

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS" type:"Firewall"

How to find Expedition servers on your network

From the Service Inventory you can use the following query to locate potentially vulnerable systems:

html.title:="Expedition Project"

October 10, 2024 vulnerabilities

Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

• CVE-2024-9463 is rated critical with CVSS score of 9.9, is an OS command injection vulnerability and potentially allows for  and execution of OS commands as root.
• CVE-2024-9464 is rated critical with CVSS score of 9.3, is an OS command injection vulnerability and potentially allows for the execution of OS commands as root.
• CVE-2024-9465 is rated critical with CVSS score of 9.2, is a SQL injection vulnerability and potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
• CVE-2024-9466 is rated high with CVSS score of 8.2, and potentially allows for an authenticated user to read sensitive information including passwords and API keys.
• CVE-2024-9467 is rated high with CVSS score of 7.0, is an XSS vulnerability and potentially allows for execution of malicious JavaScript code that could result in session hijacking.

If chained together through an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks, published a detailed analysis. According to the vendor, there was no known malicious exploitation of vulnerable systems at the time.

According to Palo Alto Networks, "The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions." They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.

CVE-2024-3400

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software had a vulnerability that allowed for remote command injection.

CVE-2024-3400 was rated critical with CVSS score of 9.8 and indicated an unauthenticated attacker could execute arbitrary code with root privileges on the firewall. The vendor indicated that there was evidence of limited exploitation in the wild.

watchTowr posted a detailed analysis including the details needed for exploitation. This analysis covered two separate vulnerabilities; an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that lead to remote execution through the telemetry script. PAN updated their guidance to state that "Disabling device telemetry is no longer an effective mitigation".

The following PAN-OS versions were affected by this vulnerability.

Palo Alto Networks indicated that PAN-OS 11.1, 11.0, and 10.2 versions with the configurations for both GlobalProtect gateway and device telemetry enabled.

Customers could verify this by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways) and verify whether device telemetry was enabled by checking the firewall web interface (Device > Setup > Telemetry).

Palo Alto Networks recommended that customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

It was also recommended that telemetry be disabled until devices could be upgraded to an unaffected version of PAN-OS.

Fortinet disclosed in an advisory that a critical vulnerability was identified in multiple versions of FortiAuthenticator.

• CVE-2026-44277: An improper access control vulnerability exists in Fortinet FortiAuthenticator due to insufficient authorization checks. A remote attacker with no privileges could exploit this vulnerability via a network-based attack vector, potentially allowing the execution of unauthorized code or commands. This vulnerability has been designated CVE-2026-44277 and has been rated critical with a CVSS score of 9.1.

The following versions are affected:

• FortiAuthenticator 8.0: 8.0.0, 8.0.2
• FortiAuthenticator 6.6: Versions 6.6.0 through 6.6.8
• FortiAuthenticator 6.5: Versions 6.5.0 through 6.5.6

What is Fortinet FortiAuthenticator?

FortiAuthenticator is a centralized Identity and Access Management (IAM) solution that provides secure, identity-based access across a network by managing user authentication, multi-factor authentication (MFA), and single sign-on (SSO). It acts as a gatekeeper that integrates with existing directories to ensure only authorized users and devices can access critical resources across the Fortinet Security Fabric and third-party systems.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to gain unauthorized API access, enabling them to escalate privileges and execute code or commands on the vulnerable host.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions:

• FortiAuthenticator 8.0: Upgrade to 8.0.3 or later
• FortiAuthenticator 6.6: Upgrade to 6.6.9 or later
• FortiAuthenticator 6.5: Upgrade to 6.5.7 or later

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:FortiAuthenticator

Fortinet disclosed in an advisory that a critical vulnerability was identified in versions of FortiSandbox.

• CVE-2026-26083: A missing authorization vulnerability exists in multiple Fortinet FortiSandbox products due to improper access control enforcement. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted HTTP requests, potentially allowing the execution of unauthorized code or commands. This vulnerability has been designated CVE-2026-26083 and has been rated critical with a CVSS score of 9.1.

The following versions are affected:

• FortiSandbox 5.0: Versions 5.0.0 through 5.0.1
• FortiSandbox 4.4: Versions 4.4.0 through 4.4.8
• FortiSandbox Cloud 24: All versions
• FortiSandbox Cloud 23: All versions
• FortiSandbox Cloud 5.0: 5.0.2 through 5.0.5
• FortiSandbox PaaS 23.4: 23.4 all versions
• FortiSandbox PaaS 23.3: 23.3 all versions
• FortiSandbox PaaS 23.1: 23.1 all versions 
• FortiSandbox PaaS 22.2: 22.2 all versions
• FortiSandbox PaaS 22.1: 22.1 all versions
• FortiSandbox PaaS 21.4: 21.4 all versions
• FortiSandbox PaaS 21.3: 21.3 all versions
• FortiSandbox PaaS 5.0: 5.0.0 through 5.0.1
• FortiSandbox PaaS 4.4: 4.4.5 through 4.4.8

What is Fortinet FortiSandbox?

Fortinet FortiSandbox is a security appliance that identifies unknown threats by executing suspicious files in isolated virtual environments to monitor their behavior and then automates a response by sharing that intelligence across the network to block the detected threat.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to gain unauthorized API access, enabling them to escalate privileges and execute code or commands on the vulnerable host.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions:

• FortiSandbox 5.0: Upgrade to 5.0.2 or later
• FortiSandbox 4.4: Upgrade to 4.4.9 or later
• FortiSandbox PaaS 5.0: Upgrade to 5.0.2 or later
• FortiSandbox PaaS 4.4: Upgrade to 4.4.9 or later
• FortiSandbox PaaS: Migrate to a fixed release
• FortiSandbox Cloud: Migrate to a fixed release

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

os:="Fortinet FortiSandbox%"

April 2026 Fortinet FortiSandbox vulnerabilities: CVE-2026-39808, and CVE-2026-39813

Fortinet disclosed in two advisories that multiple vulnerabilities have been identified in versions of FortiSandbox.

• CVE-2026-39808: An OS command injection vulnerability exists within an API endpoint due to the improper neutralization of special elements. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted HTTP requests, potentially allowing for the execution of unauthorized code or commands. This vulnerability has been designated CVE-2026-39808 and has been rated critical with a CVSS score of 9.1.
• CVE-2026-39813: An API privilege escalation vulnerability exists due to a path traversal flaw. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted HTTP requests to the JRPC API. Successful exploitation may allow an attacker to bypass authentication and escalate privileges on the system. This vulnerability has been designated CVE-2026-39813 and has been rated critical with a CVSS score of 9.1.

The following versions are affected:

• FortiSandbox 4.4: Versions 4.4.0 through 4.4.8 (affected by both CVEs)
• FortiSandbox 5.0: Versions 5.0.0 through 5.0.5 (affected by CVE-2026-39813 only)

What is Fortinet FortiSandbox?

Fortinet FortiSandbox is a security appliance that identifies unknown threats by executing suspicious files in isolated virtual environments to monitor their behavior and then automates a response by sharing that intelligence across the network to block the detected threat.

What is the impact?

Successful exploitation of these vulnerabilities would allow an attacker to gain unauthorized API access, enabling them to escalate privileges and execute code or commands on the vulnerable host.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions:

• FortiSandbox 4.4: Upgrade to 4.4.9 or later
• FortiSandbox 5.0: Upgrade to 5.0.6 or later

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

os:="Fortinet FortiSandbox%"

LiteLLM disclosed in three advisories that certain versions of LiteLLM Proxy are susceptible to multiple vulnerabilities that can be chained together to achieve remote code execution (RCE). While official container images run the process as root, other deployments execute with the privileges of the user account running the proxy process. Research regarding the exploit chain involving GHSA-r75f-5x8p-qvmc and GHSA-xqmj-j6mv-4862 indicates that the vulnerable code path only triggers after the server has processed "a minimum amount of legitimate interaction."

• CVE-2026-42208: A SQL injection vulnerability exists in the API key verification process due to improper error handling. A remote, unauthenticated attacker can exploit this by sending a specially crafted Authorization header to any LLM API endpoint (e.g., /chat/completions). Successful exploitation allows an attacker to read or potentially modify database data, leading to unauthorized access to the proxy and the credentials it manages. This vulnerability has been designated CVE-2026-42208 and has been rated critical with a CVSS score of 9.3.
• CVE-2026-42203: A server-side template injection (SSTI) vulnerability in the /prompts/test API endpoint arises from the improper neutralization of user-supplied prompt templates, which are rendered without sandboxing. A crafted template can execute arbitrary code within the LiteLLM Proxy process. Successful exploitation allows a remote, authenticated user to access secrets in the process environment (e.g., provider API keys or database credentials) or execute arbitrary code on the host. This vulnerability has been designated CVE-2026-42203 and has been rated high with a CVSS score of 8.6.
• CVE-2026-42271: An authenticated command execution vulnerability exists in the MCP stdio test endpoints (/mcp-rest/test/connection and /mcp-rest/test/tools/list), which are used to preview an MCP server before saving. A remote, low-privileged attacker can exploit this by providing a crafted server configuration in the request body. The command is spawned as a subprocess on the proxy host with the privileges of the proxy process. This vulnerability has been designated CVE-2026-42271 and has been rated high with a CVSS score of 8.7.

These vulnerabilities do not currently have CVE IDs assigned, however, the vulnerability currently designated GHSA-r75f-5x8p-qvmc has been rated critical with a CVSS score of 9.3.

Update (April 27, 2026): The advisories now reflect assigned CVE IDs; however, these remain in a "reserved" state, and further details have not yet been provided by the CNA.

Update (May 8, 2026): There is evidence that CVE-2026-42208 is being actively exploited in the wild. The CVE IDs listed above have been updated with the latest CVSS score information.

The following versions are affected:

• LiteLLM: Versions 1.81.16 through 1.83.6

What is LiteLLM Proxy?

LiteLLM Proxy is an open-source gateway that enables applications to interact with multiple large language model (LLM) providers through a single, standardized API by translating requests into the specific formats required by each service.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• LiteLLM: Upgrade to v1.83.7-stable or later.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND (html.title:="LiteLLM%" OR last.html.title:="LiteLLM%")

Threat actors thrive on these assumptions.

But runZero makes zero assumptions. We discover, validate, and map the potential attack paths for you.

With the release of runZero 4.9, two powerhouse capabilities combine to eliminate this critical visibility gap and reveal exactly how attackers will exploit your network, so you can prevent it.

Understand the entire iceberg, not just the tip

Using safe, protocol-native queries, runZero recursively walks the backplane to identify the many hidden sub-devices sitting behind Modbus and BACnet gateways. Where traditional tools see only a single gateway IP address, runZero unveils the entire field-level topology of vulnerable PLCs and nested devices downstream of the gateway. Not only do we discover these critical, hidden devices, we fingerprint their attributes and any exposures. Like a ship's sonar that shows the entire iceberg lurking under the waterline, runZero dives deep behind the gateway to see the entire attack surface.

Since OT environments behind the gateway are usually flat, an attack on one of these hidden assets represents a massive lateral movement risk. Compromising a single downstream PLC can grant an adversary control over the physical outputs — the switches that manage everything from safety valves to high-voltage equipment.

So, seeing these devices and reducing their vulnerability is only the first step. The next critical step is validating how accessible (or not) they really are to a threat actor.

See the path of least resistance for attackers

After deep discovery, runZero leaves assumptions behind by showing you how an attacker could reach those devices, externally or internally. Interactive attack path mapping illuminates avenues of attack that most security professionals may never discover. It models the complex trajectories an adversary would use, exposing the "accidental routes" and multi-homed devices (like jump boxes) that bypass your carefully planned segmentation.

Other vulnerability scanners miss these risks since they are focused only on known vulnerabilities. runZero shows you these paths of least resistance, allowing defenders to focus on the critical exposures and assets that pose the most devastating risk.

The Payoff

Together, these capabilities completely transform your defensive strategy. Without runZero, you have incomplete visibility plus untested assumptions of your network segmentation. But with runZero, you’ve got complete and automatic discovery, plus attack path mapping that trades assumptions for validation. With runZero, you can map the unmappable, secure every path, and safeguard your OT environments.

Start your free 21 day trial and begin your own discovery now.

Researchers disclosed that certain versions of Ollama are susceptible to a heap out-of-bounds read vulnerability within the GGUF model loader. A remote, unauthenticated attacker could exploit this by sending a specially crafted GGUF file to the /api/create endpoint. When the server processes a GGUF file where the declared tensor offset and size exceed the file's actual length, the functions in fs/ggml/gguf.go and server/quantization.go (WriteTo()) read past the allocated heap buffer during the quantization process.

The resulting memory leak may expose sensitive information, including environment variables, API keys, system prompts, and concurrent user conversation data. This data can then be exfiltrated by uploading the resulting model artifact to an attacker-controlled registry via the /api/push endpoint. In the upstream distribution, the /api/create and /api/push endpoints lack authentication. While default deployments bind to 127.0.0.1, the documented OLLAMA_HOST=0.0.0.0 configuration is common in practice, leading to significant public Internet exposure. This vulnerability has been designated CVE-2026-7482, also known as Bleeding Llama, and has been rated critical with a CVSS score of 9.1.

The following versions are affected:

• Ollama: Versions prior to 0.17.1

What is Ollama?

Ollama is an open-source framework designed for the local deployment, management, and execution of large language models (LLMs) on personal computing hardware.

What is the impact?

Successful exploitation of this vulnerability could expose sensitive information, including environment variables, API keys, system prompts, and concurrent user conversation data.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• Ollama: Upgrade to 0.17.1 or later.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Ollama AND product:=Ollama AND source:runzero

Google disclosed that certain Android versions are susceptible to an authentication bypass vulnerability within the wireless ADB mutual authentication process. This is due to a logic error in the adbd_tls_verify_cert function of the auth.cpp subcomponent in the ADB daemon (adbd). An unauthenticated attacker with adjacent network access can exploit this flaw to achieve remote code execution (RCE) as the shell user. This exploit requires no additional privileges and no user interaction. This vulnerability has been designated CVE-2026-0073 and has been rated high with a CVSS score of 8.8.

The following versions are affected:

• Android 14: Prior to the 2026-05-01 security patch level.
• Android 15: Prior to the 2026-05-01 security patch level.
• Android 16: Prior to the 2026-05-01 security patch level.
• Android 16-qpr2: Prior to the 2026-05-01 security patch level.

What is Android Wireless Android Debug Bridge (ADB)?

Android Wireless Android Debug Bridge (ADB) is a communication feature that enables remote shell command execution, application installation, and system debugging over a local Wi-Fi network using the TCP/IP protocol, removing the need for a physical USB connection.

What is the impact?

Successful exploitation of the vulnerabilities allows an unauthenticated attacker with adjacent network access to achieve remote code execution (RCE) as the shell user.

Are updates or workarounds available?

Upgrade affected systems to the 2026-05-01 security patch level or later.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

protocol:=adb AND os:Android

Progress Software has disclosed that certain versions of MOVEit Automation are susceptible to two vulnerabilities within the service backend command port interfaces.

• CVE-2026-4670: An authentication bypass vulnerability that allows a remote, unauthenticated attacker to gain unauthorized access to the system. This vulnerability has been designated CVE-2026-4670 and has been rated critical with a CVSS score of 9.8.
• CVE-2026-5174: An improper input validation vulnerability that allows a remote, low-privileged attacker to elevate their privileges. This vulnerability has been designated CVE-2026-5174 and has been rated high with a CVSS score of 7.7.

The following versions are affected:

• MOVEit Automation: Version 2024.1.7 (16.1.7) and prior
• MOVEit Automation: Version 2025.0.8 (17.0.8) and prior
• MOVEit Automation: Version 2025.1.4 (17.1.4) and prior (Affected by CVE-2026-5174 only)

What is Progress MOVEit Automation?

Progress MOVEit Automation is a managed file transfer (MFT) orchestration tool used to automate the scheduled or event-driven movement and processing of data between disparate servers, cloud storage environments, and applications via a centralized management interface.

What is the impact?

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access, obtain administrative control, or expose sensitive data.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• MOVEit Automation 2024.x.x and prior: Upgrade to 2024.1.8 or later.
• MOVEit Automation 2025.0.x: Upgrade to 2025.0.9 or later.
• MOVEit Automation 2025.1.x: Upgrade to 2025.1.5 or later.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND (html.title:="MOVEit Automation%" OR last.html.title:="MOVEit Automation%")

Apache disclosed that certain versions of Apache HTTP Server are affected by a double free vulnerability that may lead to remote code execution (RCE). This flaw occurs within the HTTP/2 protocol implementation when a stream undergoes an "early reset." While further technical details are not publicly available at this time, the vulnerability involves a memory management error triggered during specific HTTP/2 communication sequences. The vulnerability, designated CVE-2026-23918, is rated high with a base CVSS score of 8.8.

The following versions are affected

• Apache HTTP Server: Version 2.4.66

What is Apache HTTP Server?

Apache HTTP Server is an open-source, cross-platform application that serves web content by processing requests via the Hypertext Transfer Protocol (HTTP).

What is the impact?

Successful exploitation of the vulnerability could allow a low-privileged remote attacker to execute arbitrary code on the affected system.

Are updates or workarounds available?

Upgrade affected systems to the new versions

• Apache HTTP Server: Version 2.4.67

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Apache AND product:=HTTPD AND version:>0 AND version:=2.4.66

October 2021: CVE-2021-41773

The Apache Software Foundation recently announced a path traversal vulnerability present in version 2.4.49 of the Apache HTTP Server software. Due to insufficient coverage of potential path traversal characters in the URL, an unauthenticated attacker can read files outside of the document root and even execute system commands in some configurations. While this vulnerability (CVE-2021-41773) only affects version 2.4.49 (and 2.4.50 as a variant), it was exploited in the wild to Apache publishing their security advisory.

Update: The 2.4.50 fix was incomplete and we strongly recommend upgrading to 2.4.51 or newer.

How to find potentially vulnerable Apache HTTP Servers

From the Service Inventory, use the following pre-built query to locate vulnerable Apache HTTP Server instances in your network:

product:"apache httpd" AND protocol:http AND (http.head.server:"Apache/2.4.49" OR http.head.server:"Apache/2.4.50")

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try runZero

Don't have runZero and need help finding your Apache HTTP Server instances? Start your trial today.

SonicWall disclosed that certain versions of SonicOS across Gen 6, Gen 7, and Gen 8 firewall platforms are susceptible to the following vulnerabilities:

• CVE-2026-0204: A flaw in the access control mechanism may expose management interface functions under specific conditions. An unauthenticated attacker with adjacent network access could gain unauthorized access to management functionality, potentially leading to security control bypasses or administrative misuse. This vulnerability has been designated CVE-2026-0204 and has been rated high with a CVSS score of 8.0.
• CVE-2026-0205: A post-authentication path traversal vulnerability allows an authenticated attacker with adjacent network access to interact with restricted services. This vulnerability has been designated CVE-2026-0205 and has been rated medium with a CVSS score of 6.8.
• CVE-2026-0206: A post-authentication stack-based buffer overflow allows a remote, high-privileged attacker to cause a denial-of-service (DoS) by crashing the firewall. This vulnerability has been designated CVE-2026-0206 and has been rated medium with a CVSS score of 4.9.

While unconfirmed, the initial authentication bypass (CVE-2026-0204) may provide an unauthenticated attacker with the privileges necessary to chain and exploit the subsequent path traversal and buffer overflow vulnerabilities.

The following versions are affected:

• Gen 6 Series (TZ 300/400/500/600, NSA 2650–6650, SOHO 250, SM 9200–9650): SonicOS version 6.5.5.1-6n and prior.
• Gen 7 Series (TZ 270–670, NSa 2700–6700, NSsp 10700–15700, NSv 270-870): SonicOS 7.0.1-5169 and prior, and 7.3.1-7013 and prior.
• Gen 8 Series (TZ 80–680, NSa 2800–5800): SonicOS version 8.1.0-8017 and prior.

What is SonicWall SonicOS?

SonicWall SonicOS is the proprietary operating system that manages the networking, routing, and deep packet inspection security functions for SonicWall physical and virtual firewall appliances.

What is the impact?

Successful exploitation of the vulnerabilities allows an unauthenticated attacker with adjacent network access to gain unauthorized access to management functionality, potentially leading to security control bypasses.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• Gen 6 Series: Upgrade to SonicOS version 6.5.5.2-28n or later.
• Gen 7 Series: Upgrade to SonicOS version 7.3.2-7010 or later.
• Gen 8 Series: Upgrade to SonicOS version 8.2.0-8009 or later.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="SonicWall%" AND os:="SonicWall SonicOS%" AND
  os_version:>0 AND ((os_version:<"6.5.5.2-28n") OR
  (os_version:>="7" AND os_version:<"7.3.2-7010") OR
  (os_version:>="8" AND os_version:<"8.2.0-8009"))

July 2025: CVE-2025-40599, CVE-2025-40596, CVE-2025-4059, and CVE-2025-40598

SonicWall has disclosed four vulnerabilities, across two advisories (SNWLID-2025-0014 and SNWLID-2025-0012), in certain versions of SMA 100 series products (SMA 210, 410 and 500v).

• An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote adversary with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution (RCE). This vulnerability has been designated CVE-2025-40599 and has been rated critical with a CVSS score of 9.1.
• A stack-based buffer overflow vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition. This vulnerability has been designated CVE-2025-40596 and has been rated high with a CVSS score of 7.3.
• A heap-based buffer overflow vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to achieve remote code execution (RCE) or cause a denial-of-service (DoS) condition. This vulnerability has been designated CVE-2025-40597 and has been rated high with a CVSS score of 7.5.
• A reflected cross-site scripting (XSS) vulnerability in the SMA 100 series web interface may allow a remote, unauthenticated adversary to execute arbitrary client-side JavaScript code in a victim's web browser. This vulnerability has been designated CVE-2025-40598 and has been rated medium with a CVSS score of 6.1.

The following versions are affected

• SMA 100 Series (SMA 210, 410, 500v) version 10.2.1.15-81sv and prior versions

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable device, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• SMA 100 Series (SMA 210, 410, 500v) upgrade to version 10.2.2.1-90sv or later

There is no evidence these vulnerabilities are being exploited in the wild. However, due to latest threat intelligence from Google Threat Intelligence Group (GTIG), which highlights potential risks, SonicWall is strongly advising all organizations using SMA 100 series products to take additional measures detailed in the comments section of the security advisory SNWLID-2025-0014.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially vulnerable assets:

hw:="SonicWall SMA100"

May 2025: Multiple vulnerabilities

SonicWall has issued an advisory for its SMA100 Series appliances. 

• CVE-2025-32819 and has been rated high with a CVSS score of 8.8.
• CVE-2025-32820 and has been rated high with a CVSS score of 8.3.
• CVE-2025-32821 and has been rated medium with a CVSS score of 6.7.

What is the impact?

When chained together, the vulnerabilities could allow a remote authenticated attacker to bypass system checks leading to potential remote code execution. It does not affect SonicWall Firewall or SMA 1000 series appliances.

Are updates or workarounds available?

The vendor advises users to update to platform-hotfix (10.2.1.15-81sv or later) as soon as possible. The vendor also advises its customers to configure multifactor authentication (MFA) and enable WAF on the appliance.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable firmware:

hw:"SonicWall SMA100" OR (_asset.protocol:http AND http.head.server:="SonicWALL SSL-VPN Web Server")

January 2025: SMA1000 Series

SonicWall has issued an advisory for its SMA1000 Series appliances. The vendor reported that this vulnerability may be actively exploited in the wild.

This vulnerability has been designated CVE-2025-23006 and has been assigned a CVSS score of 9.8 (critical).

What is the impact?

The vulnerability would allow for a remote unauthenticated attacker to execute arbitrary operating system commands. The vulnerability was discovered within the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC). It does not affect SonicWall Firewall or SMA 100 series appliances.

Are updates or workarounds available?

The vendor advises users to update to platform-hotfix (12.4.3-02854 or later) as soon as possible. The vendor also advises its customers to follow the steps outlined in the Best Practices section of the SMA1000 Administration Guide. Access to the console should also be restricted to trusted networks.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable firmware:

hw:"SonicWall SMA1000" OR _asset.protocol:http (last.html.title:="Appliance Management Console Login" OR last.html.title:="Central Management Console Login" OR http.head.server:="SMA/%" OR (favicon.ico.image.mmh3:"16866410" AND (last.html.title:"WorkPlace" OR html.title:"WorkPlace")))

September 2024: SonicOS and SSLVPN

SonicWall disclosed a vulnerability that affects SonicOS management access and SSLVPN software on SonicWall Gen 5, Gen 6, in addition to Gen 7 devices running SonicOS version 7.0.1-5035 or earlier.

CVE-2024-40766 is rated critical with CVSS score of 9.3, and potentially allows for unauthorized resource access by an attacker.

What is the impact?

Successful exploitation of this vulnerability potentially results in unauthorized resource access and in some cases could lead to a DoS after causing vulnerable devices to crash.

Are updates or workarounds available?

SonicWall recommends restricting management access to trusted sources or disabling WAN management from the public Internet. Additionally, SonicWall has released updated firmware which is available for download from mysonicwall.com.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"SonicWall"

cPanel disclosed that certain versions of cPanel & WHM are affected by a critical login authentication vulnerability. While public details are currently limited, the changelogs for the affected versions cite a fix for an issue regarding session loading and saving (CPANEL-52908), released on April 28, 2026. This vulnerability does not currently have a CVE ID assigned.

Update (April 29, 2026): New details identify this as an authentication bypass vulnerability in the login flow, enabling remote, unauthenticated attackers to gain unauthorized access to the control panel. This vulnerability has been designated CVE-2026-41940 and has been rated critical with a CVSS score of 9.8.

Update (April 30, 2026): There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected:

• cPanel & WHM 110.0.x: Versions prior to 110.0.97 (11.110.0.97)
• cPanel & WHM 118.0.x: Versions prior to 118.0.63 (11.118.0.63)
• cPanel & WHM 126.0.x: Versions prior to 126.0.54 (11.126.0.54)
• cPanel & WHM 132.0.x: Versions prior to 132.0.29 (11.132.0.29)
• cPanel & WHM 134.0.x: Versions prior to 134.0.20 (11.134.0.20)
• cPanel & WHM 136.0.x: Versions prior to 136.0.5 (11.136.0.5)

Note: Servers running end-of-life or unsupported versions are also likely affected. It is strongly recommended that you upgrade your server to a supported, patched version immediately.

What are cPanel & WHM?

cPanel & WHM comprises two primary components: WebHost Manager (WHM), the administrative interface for server-level infrastructure, and cPanel, the user-facing control panel for managing individual hosting accounts.

What is the impact?

Successful exploitation of this vulnerability could allow an adversary to gain unauthorized access to affected servers.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• cPanel & WHM 110.0.x: 110.0.97 (11.110.0.97) or later.
• cPanel & WHM 118.0.x: 118.0.63 (11.118.0.63) or later.
• cPanel & WHM 126.0.x: 126.0.54 (11.126.0.54) or later.
• cPanel & WHM 132.0.x: 132.0.29 (11.132.0.29) or later.
• cPanel & WHM 134.0.x: 134.0.20 (11.134.0.20) or later.
• cPanel & WHM 136.0.x: 136.0.5 (11.136.0.5) or later.
• Unsupported Versions: Upgrade to one of the supported versions detailed above.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=cPanel AND (product:=cPanel OR product:=WHM)

On April 24, 2026, researchers publicly disclosed an audit identifying 89 exploitable vulnerabilities. These issues primarily involve missing input validation across all writable Map(String,String) fields within eight XAPI object types. Consequently, an attacker with the vm-admin management role could theoretically "achieve full host filesystem read/write [access]" and execute "cross-VM data exfiltration" or "pool-wide compromise." The report claims these actions are possible through "single API calls with no exploit code," requiring neither a root shell nor triggering security alerts. These vulnerabilities reportedly persisted since the inception of the XAPI codebase (circa 2006). The researchers assigned a CVSS distribution of 5 critical, 28 high, 46 medium, and 10 low, stating that all versions of Citrix XenServer / Hypervisor, XCP-ng, and XAPI-based distributions were affected.

On April 28, 2026, the Xen Project (upstream) and XCP-ng (downstream) released advisories addressing these claims. The Xen Project issued technical advisories XSA-483 through XSA-489 to address the core source code. Notably, XSA-489 serves as a direct rebuttal to the April 24 audit, concluding that only five of the 89 claims were actionable. The remainder were identified as intended Role-Based Access Control (RBAC) functionality or, in several instances, appeared to be "AI hallucinations" within the researcher's report. Simultaneously, XCP-ng published a blog providing specific security and maintenance updates focused on the practical impact on XCP-ng environments.

The following vulnerabilities have been confirmed by the vendors:

• CVE-2026-23556 (VSA-2026-007, XSA-483): A flaw where oxenstored keeps quota-related use counts across domain destruction. XCP-ng notes this could allow a privileged user in a guest domain to trigger a denial-of-service (DoS) condition by preventing other domains from starting; the XCP-ng advisory classifies this impact as critical.
• CVE-2026-23557 (XSA-484): A denial-of-service (DoS) vulnerability via the XS_RESET_WATCHES command in xenstored.
• CVE-2026-31786 (XSA-485): A Linux kernel out-of-bounds read via a Xen-related sysfs file, potentially leaking sensitive information.
• CVE-2026-23558 (VSA-2026-008, XSA-486): A race condition in grant table v2 status page mapping. XCP-ng notes this use-after-free (UAF) flaw could allow a privileged user in a HVM or PVH guest domain to escalate their privileges to the hypervisor level; the XCP-ng advisory classifies this impact as critical.
• CVE-2026-31787 (XSA-487): A Linux kernel double-free in the Xen privcmd driver; as it requires root privileges, the Xen Project considers the crash potential not security-relevant.
• CVE-2025-54505 (VSA-2026-010, XSA-488): Addresses "Floating Point Divider State Sampling" on certain AMD CPUs. While not a XCP-ng software vulnerability, this update mitigates a hardware issue to prevent a guest VM from inferring data from another VM; the XCP-ng advisory classifies this impact as moderate.
• XAPI RBAC Escalation (VSA-2026-011, XSA-489): This advisory confirms five actionable vulnerabilities: CVE-2026-23559, CVE-2026-23560, CVE-2026-23561, CVE-2026-23562, and CVE-2026-42486. While the first three may allow vm-admin role users to escalate to root privileges in the control domain, the flaw relies on advanced RBAC features not typically exposed in standard management tools or documentation; the XCP-ng advisory classifies this impact as low. This would only impact users with a specific configuration involving an XCP-ng pool using Active Directory for user management where the managed user has the XAPI role vm-admin.
  

Note: Current advisories suggest that Xen Project vulnerabilities CVE-2026-23557, CVE-2026-31786, CVE-2026-31787, CVE-2026-23562, and CVE-2026-42486 have not yet been addressed specifically by XCP-ng updates.

The following versions are affected:

• XCP-ng: Version 8.3

Note: XCP-ng 8.3 LTS is currently the only release not marked end-of-life (EOL). Therefore, older versions are likely susceptible to these vulnerabilities but fall outside the scope of current security patching and support.

What is XCP-ng?

XCP-ng (Xen Cloud Platform - next generation) is a bare-metal hypervisor based on the open-source Xen project that enables multiple virtual machines to run concurrently on a single physical server.

What is the impact?

Successful exploitation of the vulnerabilities allows a remote, authenticated attacker to gain unauthorized host filesystem control and breach VM isolation boundaries.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• XCP-ng 8.3: Upgrade to package xen-4.17.6-6.2.xcpng8.3 or later.
• XCP-ng 8.2 and prior: These versions are EOL. Users should evaluate environmental risk and migrate to a supported release.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND (html.title:="Welcome to XCP-ng%" OR html.title:="XO Lite")

For years, the industry has relied on the "segmentation illusion"— the comfortable but incorrect assumption that critical industrial assets are air-gapped or safely tucked away behind layers of firewalls. Today, the threat landscape is rapidly evolving due to geopolitical dynamics and AI-powered attacks that are designed to quickly identify segmentation weaknesses, along with other common footholds like internet-exposed OT assets, unpatchable legacy systems, and untrustworthy IT/OT boundaries that turn a minor business breach into a total operational shutdown.

Our latest release is designed to give defenders the high-fidelity asset, network, and security intelligence they need to win in this environment. With the new features in runZero 4.9, you can see exactly how an attacker could move through your network via a series of pivot points, allowing you to harden critical choke points and remediate exposures before they are exploited. We’ve also expanded our OT telemetry to provide deep insights into the role and risk profile of every device in increasingly converged environments.

Here's a quick demo of the new features, or keep reading to learn more:

Map the unmappable. Secure every path.

Most OT practitioners have been taught that active scanning is dangerous. We’ve already proven that’s a myth in numerous deployments and in robust testing conducted by the U.S. Department of Energy’s National Renewable Energy Laboratory. runZero’s scan engine is purpose-built for safety. By using safe, protocol-specific probes and granular throttling, we extract high-fidelity metadata — firmware versions, screenshots, and even secondary interfaces — without requiring a single credential or endpoint agent.

One of the breakthroughs in this release is our ability to map the unmappable. We are one of the only solutions that can now enumerate "sub-assets" sitting behind protocol gateways like Modbus, BACnet, KNXnet, and EtherNet/IP. If you have a gateway with 20 PLCs behind it, we don't just see the gateway; we see the entire field-level topology.

Other capabilities that runZero’s latest release brings to the fight, include:

Topology maps that actually scale (and are fun to explore!)

Our new 2D and 3D maps let you zoom from a global overview all the way down to individual sites and subnets, enabling you to quickly spot exposures even in environments with hundreds of thousands of assets. No more untangling the network spaghetti; these maps provide clear visuals that make sense of even the most complex environments. With hybrid Layer 2 and Layer 3 views, you can finally see how your physical and logical networks actually overlap. Other new features include the ability to:

• Geolocate assets instantly: We use public and egress IP data to pinpoint where your gear is physically sitting across the globe and have added tools so you can search for nearby devices to gain critical environmental context.

• Hunt and search in the map views: Get eyes on high-risk assets, pivot points, end-of-life systems, specific device types, and exposures by searching and filtering directly in the map view.

• Spot the "weird": Quickly flag anomalies, like a misplaced Windows laptop sitting in a segmented production zone where it definitely doesn't belong, as well as outliers that don’t look like the others (pro tip: this usually means they’re risky devices).

Interactive attack path mapping

Want to know how an attacker would move around your network? You can now visualize trajectories from initial compromise to operational impact.

• Trace the attack path: Set a source and a target to see the exact pivot points and bridges an attacker would use to traverse your environment.

• Find the choke points: See which critical assets could grant attackers access to your crown jewels.

Multi-homed and bridge detection

Automatically surface devices connected to multiple networks and bypass your carefully planned segmentation and firewall strategies.

Go beyond the gateway

Other tools stop at the protocol gateway. We don’t. runZero uses safe, protocol-native queries to peer behind gateways and unmask the downstream PLCs and field-level devices sitting on serial and fieldbus networks.

Unmask protocol exposures

Gain asset intelligence across your entire attack surface with an expanded library of 220+ protocols. This release delivers deep visibility into dozens of "insecure by design" industrial protocols — like Modbus, BACnet, EtherNet/IP, and Siemens S7comm — which are commonly targeted by attackers attempting to pivot from the network to physical operations.

Real-world risk prioritization

Not every exposure is a hair-on-fire emergency. We help you focus on the segmentation gaps and vulnerabilities that actually put your operations at risk.

Device classification and even-deeper fingerprinting

We analyze thousands of distinct asset attributes to ensure you have definitive insights into exactly what a device is and what it’s doing on your network. The latest release adds asset categorization and function tags that you can use to search, filter, and explore.

Sleek UI/UX enhancements — now with new dark and light modes

We’ve overhauled the interface to make data exploration faster and easier across any sized environment, even the massive ones. And yes, we finally added dark mode, because we know what it’s like to stare at a screen in a dimly lit SOC at 2am — plus, it just looks cool. If you prefer the high-contrast life, there’s a new light mode, too. Or, stick with the "classic" view — whatever helps you hunt best!

Real-world scenario: IT-origin with OT blast radius

To illustrate the power of this release, let's look at a scenario to see how our new capabilities turn raw telemetry into a defensive strategy.

The biggest threat to industrial operations usually isn't a "Stuxnet-style" custom exploit; it’s an IT-originated event that cascades into OT because the boundary between the two is weak. In this case, the culprit isn't a complex hack — it’s a single, forgotten workstation that shatters the "segmentation illusion" and turns a network breach into a total factory floor shutdown.

The dangerous, but intentional "administrative" bridge

Imagine an attacker gaining a foothold in the corporate IT network through a security camera using default credentials (yes, we can help you find that). These cameras are oftentimes inside the network, but out-of-the-box settings tell firewalls to port forward internet traffic to them, exposing them to the world.

While searching for high-value targets, the attacker discovers a technician’s laptop on the same wireless network as the camera. This laptop is plugged into the factory network — but for internet access, the technician is still using the corporate wireless network, and unfortunately has also enabled RDP.

The attacker is able to log in to this laptop with the default technician account, and the laptop becomes the first hop from the internet-exposed camera to the factory LAN, bypassing the main firewall.

From the compromised laptop, the attacker is able to reach the factory LAN, and although the network is mostly segmented correctly, a sole Rockwell Automation controller is attached.

The attacker is able to enumerate the Ethernet/IP (CIP) of the controller and identify additional targets accessible through the protocol gateway, providing full access to RTUs without credentials

By sending an unauthorized "Stop" command through the gateway to the RTU, the attacker shuts down every downstream PLC — halting a $100M production line and disrupting a series of robotic arms and equipment.

The defender’s edge

But never fear, defenders. runZero’s new capabilities would help you thwart this attack:

• Visualize the trajectory: Our new attack path mapping highlights the exact route from the corporate network, through the laptop, and into the production subnet.

• Identify the choke point: runZero flags the laptop running RDP as high risk, showing you precisely where your security policy has been bypassed.

• See the downstream impact: While the attacker only sees a gateway, runZero’s sub-asset discovery peers behind it to reveal the PLCs controlling the robotic arms and production line equipment. By querying the gateway via specialized industrial protocols like CIP or Modbus, runZero unmasks the field-level devices that were previously invisible to the security team.

Why it matters

This isn't just a hypothetical "worst-case" scenario — it is a statistical reality. In a recent representative sample of large manufacturing environments, runZero found that 30% of all OT assets are only one hop away from an internet-exposed device, and 90% are within just two hops.

These findings highlight how easily a single forgotten workstation can turn a minor IT breach into a catastrophic operational shutdown. Even in "secure" networks, segmentation is frequently bypassed — often intentionally — to make remote maintenance easier for vendors or technicians.

By surfacing these risky assets and identifying the hidden attack paths they create, runZero enables you to move beyond the "segmentation illusion," harden your boundaries, and ensure your air gap is a reality, not just an assumption.

In-depth intelligence built for converged environments

Whether you are managing a national telecom, a global manufacturer, or a critical utility, runZero provides the unified source of truth needed to bridge the gap between IT and OT security operations. We don't just find your assets; we visualize reachability and highlight true risk. Because in a world of millions of nodes, the only one that matters is the one an attacker can exploit.

How to get started with runZero

Try the Platform: Interested in seeing runZero in action? You can explore the platform for free for 21 days, and following your trial, you can transition to our free Community Edition (for environments with fewer than 100 assets).

Learn More: Explore our platform and resources for more information about runZero.

The Xen Project (upstream) and Citrix (downstream) released separate but related advisories to address these claims. The Xen Project issued technical advisories XSA-483 through XSA-489 to address the core source code. Notably, XSA-489 serves as a direct rebuttal to the April 24 audit, concluding that only five of the 89 claims were actionable. The remainder were identified as intended RBAC functionality or, in several instances, appeared to be "AI hallucinations" within the researcher's report. Simultaneously, Citrix released Security Bulletin CTX696527 to provide specific updates and hotfixes for commercial users, focusing on the practical impact to the XenServer environments.

The following vulnerabilities have been confirmed by the vendors:

• CVE-2026-23556 (XSA-483): A flaw where oxenstored keeps quota-related use counts across domain destruction. Citrix notes this could allow a privileged user in a guest VM to cause the host to crash or become unresponsive.
• CVE-2026-23557 (XSA-484): A Denial of Service (DoS) vulnerability via the XS_RESET_WATCHES command in xenstored.
• CVE-2026-31786 (XSA-485): A Linux kernel out-of-bounds read via a Xen-related sysfs file, potentially leaking sensitive information.
• CVE-2026-23558 (XSA-486): A race condition in grant table v2 status page mapping. Citrix notes this could allow a privileged user in a guest VM to compromise the host under specific circumstances.
• CVE-2026-31787 (XSA-487): A Linux kernel double-free in the Xen privcmd driver; as it requires root privileges, the Xen Project considers the crash potential not security-relevant.
• CVE-2025-54505 (XSA-488): Addresses "Floating Point Divider State Sampling" on certain AMD CPUs. While not a XenServer software vulnerability, this update mitigates a hardware issue to prevent a guest VM from inferring data from a different VM.
• XAPI RBAC Escalation (XSA-489): This advisory confirms five actionable vulnerabilities: CVE-2026-23559, CVE-2026-23560, CVE-2026-23561, CVE-2026-23562, and CVE-2026-42486. Citrix warns that the first three in particular may allow host administrators to gain access beyond the limits of their assigned RBAC role.

Note: Current advisories suggest that Xen Project vulnerabilities CVE-2026-23557, CVE-2026-31786, CVE-2026-31787, CVE-2026-23562, and CVE-2026-42486 have not yet been addressed specifically by Citrix updates.

The following versions of Citrix Hypervisor / XenServer are affected:

• Citrix XenServer version 8.4

Note: Citrix XenServer 9.x is currently in Public Preview and not covered by standard security bulletins; as such, it may be affected by these issues.

Initial Advisory (April 24, 2026)

On April 24, 2026, researchers publicly disclosed an audit identifying 89 exploitable vulnerabilities. These issues primarily involve missing input validation across all writable Map(String,String) fields within eight XAPI object types. Consequently, an attacker with the vm-admin management role "can achieve full host filesystem read/write [access], cross-VM data exfiltration, storage protocol injection, cross-hypervisor lateral movement, and pool-wide compromise through single API calls with no exploit code, no root shell, and no security alerts." These vulnerabilities have persisted since the inception of the XAPI codebase (circa 2006). The researchers assigned the following CVSS severity distribution: 5 critical, 28 high, 46 medium, and 10 low. These vulnerabilities do not currently have CVE IDs assigned.

What is Citrix XenServer?

Citrix XenServer, formerly known as Citrix Hypervisor, is a bare-metal hypervisor based on the open-source Xen project that enables multiple virtual machines to run concurrently on a single physical server.

What is the impact?

Successful exploitation of the vulnerabilities allows a remote, authenticated attacker to gain unauthorized host filesystem control and breach VM isolation boundaries.

Are updates or workarounds available?

For Citrix XenServer versions 8.4 and prior, the vendor recommends updating to the latest version of Citrix XenServer via the Early Access or Normal update channels.

Note: Citrix XenServer versions 9.x are Public Preview releases and do not receive security bulletins; therefore, users should evaluate their environment's risk and consider migrating to a stable, supported release.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

os:="Citrix XenServer"

September 2024: CVE-2024-45817

Citrix released a security update to address vulnerabilities in their XenServer and Hypervisor virtualization products.

Citrix outlines that the following affects both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR and could allow a malicious administrator of a guest VM to cause the host to crash or become unresponsive.

• CVE-2024-45817 has not been rated, but affects how the state of the system could end up in deadlock due to a recursive call guarded by a mutex on x86's APIC (Advanced Programmable Interrupt Controller) architecture when reporting errors to a status.

• CVE-2022-24805 is not rated, but affects net-snmp and allows for a classic buffer overflow.
• CVE-2022-24809 is not rated, but affects net-snmp and allows for a NULL pointer dereference.

Both of these can be triggered by a user with read-only credentials.

What is the impact?

The vulnerabilities may all be triggered by guest or read-only credentials which increases the likelihood of them occurring.

Are updates or workarounds available?

Citrix recommends limiting access to management interfaces as well as upgrading to one of the following versions:

• XenServer 8
• Citrix Hypervisor 8.2 CU1 LTSR

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

(product:citrix and type:hypervisor) or product:xenserver

GitHub disclosed that certain versions of GitHub Enterprise Server (GHES) are affected by a remote code execution (RCE) vulnerability due to improper neutralization of special elements. Successful exploitation could allow an authenticated, low-privileged user with push access to any repository, including one they created themselves, to achieve arbitrary command execution on the GitHub server via a single git push using crafted push option values containing an unsanitized delimiter character. This vulnerability has been designated CVE-2026-3854 and has been rated high with a CVSS score of 8.7.

The following versions are affected:

• GHES 3.14.x: Versions prior to 3.14.25
• GHES 3.15.x: Versions prior to 3.15.20
• GHES 3.16.x: Versions prior to 3.16.16
• GHES 3.17.x: Versions prior to 3.17.13
• GHES 3.18.x: Versions prior to 3.18.7
• GHES 3.19.x: Versions prior to 3.19.4

What is GitHub Enterprise Server?

GitHub Enterprise Server is a self-hosted version of GitHub that allows organizations to run an isolated instance of the platform on their own physical or virtual infrastructure, independent of external cloud services.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• GHES 3.14.x: Upgrade to 3.14.25 or later.
• GHES 3.15.x: Upgrade to 3.15.20 or later.
• GHES 3.16.x: Upgrade to 3.16.16 or later.
• GHES 3.17.x: Upgrade to 3.17.13 or later.
• GHES 3.18.x: Upgrade to 3.18.7 or later.
• GHES 3.19.x: Upgrade to 3.19.4 or later.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=GitHub AND product:="Enterprise%"

CrowdStrike disclosed that certain versions of self-hosted LogScale are susceptible to an unauthenticated path traversal vulnerability. A remote, unauthenticated attacker could exploit a specific, exposed cluster API endpoint to read arbitrary files from the server filesystem. This vulnerability has been designated CVE-2026-40050 and has been rated critical with a CVSS score of 9.1. This vulnerability does not affect Next-Gen SIEM customers.

The following versions are affected:

• LogScale Self-Hosted (GA): Versions 1.224.0 through 1.234.0 (inclusive)
• LogScale Self-Hosted (LTS): Version 1.228.0 and 1.228.1

What is CrowdStrike Falcon LogScale?

CrowdStrike Falcon LogScale (formerly Humio) is a log management and observability platform that ingests, stores, and enables real-time search of large-volume streaming data using an index-free architecture.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to read arbitrary files on the vulnerable host.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions immediately:

• LogScale 1.228.x: Upgrade to 1.228.2 (LTS) or later.
• LogScale 1.224.0 through 1.234.0: Upgrade to 1.233.1, 1.234.1, 1.235.1, or later.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND (http.head.server:="Humio-%" OR last.http.head.server:="Humio-%")

Just to catch you up: VulnCon is an annual symposium organized jointly by FIRST (the Forum of Incident Responders and Security Teams) and the CVE program. We just wrapped up the third year of this event, and it’s already pretty well-established globally as THE place to be for several hundred government and industry practitioners from all over the world who share my penchant for vulnerability-gazing.

As with previous years, VulnCon featured lectures and workshops all about the twisty little passages where vulnerability discovery, dissemination, and defense intersect, all with an aim of helping each other and our many diverse cybersecurity and information security communities deal with the inevitability of shipping software bugs.

AI isn’t pronounced “Aiiiii!”

While VulnCon is very, very niche compared to broader expos and conferences like RSAC, InfoSec Europe, and Black Hat, we could not escape the general tech industry’s infatuation with AI. Approximately 2^32-1 words have already been written on the predicted impact of Anthropic’s Claude Mythos and Glasswing, ranging from total panic to blaisé indifference. I’m here to report that the general attitude of attendees – who are, across the board, established experts in their security specialties – is, truly, cautiously optimistic in a very middle-path sort of way. I got the sense that we are agreed that AI tooling has graduated from speculative, to novel, to quite nearly normal in many vulnerability research pipelines, and network defenders who haven’t started implementing some kind of AI assistance in live incident response are likely going to have a bad time in the back half of 2026 and beyond.

The optimistic part of this take is that we can use the same kinds of AI tooling to rapidly catch up and keep pace with the relentless rate of vulnerability discovery. After all, AI doesn’t merely play offense or defense – it’s truly dual-use (if not pan-use, if that’s a word). General purpose large language models (LLMs) already are doing a much, much better job of uncovering and validating technical vulnerabilities, insecure defaults, and misconfigurations than they were even two years ago.

Even if nothing changes in the way the AI superpowers develop and grow AI capabilities, all of us squishy-brained, biochemical decision makers can use much of the same tooling to catch up and manage the ever-increasing march of individual vulnerabilities, up and down the defensive stack—from building the next generation of tools defenders need for assessment and visibility to integrated, orchestrated incident response when breaches do occur.

We’re all in this together

The conference struck me as a very “we’re all on the same side here” kind of affair, permeating most conversations I was fortunate to be involved in. Notably, we heard from, and got to spend considerable quality time with, our friends and colleagues in government, both domestically and internationally.

Probably the most significant programming choice was that the kick-off address was a joint presentation from CISA and ENISA. These are two great agencies that agent great together, and when it comes to managing and improving the CVE program (the world isn’t ready to just give up on a quarter century of lessons learned). So, while it’s clear that the last year has been pretty rocky in CVE-land, we definitely don’t want a return to the bad old days of regional or industry specific grab bags of unconnected, disparate databases of technical vulnerability intelligence.

On the other end of the spectrum, the update from the National Vulnerability Database (better known as the NVD) was reported pretty bleakly, as the National Institute of Science and Technology (NIST) continues to struggle with annotating every new CVE. Instead, the NVD has committed to a new prioritization scheme. Of course, we all want to know what CVEs are actually worth knowing about, but the critical (and dare I say, cynical) read is that NVD just keeps losing ground here.

However, I don’t think this winnowing down of the CVE target space is as disastrous as it’s being reported as. After all, I’m pretty happy with how CISA’s Vulnrichment platform and program has been chugging along, bringing much-needed enrichment and transparency to vulnerabilities. In my opinion, Vulnrichment has already mostly supplanted NIST’s efforts, at least when it comes to first-pass risk-ratings when vendors and CNAs don’t step up. In fact, KEVology (to pick a totally random and not-at-all self-serving example) relies on and normalizes around Vulnrichment quite a bit, and I suspect most downstream consumers of broad CVE data are in the same boat.

In the end, getting CVE aligned with this brave new world of supercharged rates of vulnerability disclosure certainly won’t happen by accident, and there’s no one weird trick to fix what’s broken about CVE assignment and management. This will all require real work, beyond mere wishing and talking, but I’m confident that we can rise to the challenge. As a CVE board member, I can promise that I’ll do what I can to make sure that we don’t lose the plot here.

See for yourself

Almost all of the presentations were live streamed and recorded, so I’m very much looking forward to catching some of the talks that were tough to choose between on VulnCon’s three-track agenda. I’ll update this space when those recordings are available, and I’ll bug the organizers to pull that trigger sooner rather than later. There was a ton of good content this year, so I’m excited to share it with runZero’s blog fans.

Next year, VulnCon will take place the immediate week before BSidesSF and RSAC, which hopefully will make international attendance even easier to justify; come for the real vuln talk in Arizona, stay for the ridiculously overproduced expo booth antics one state over in California.

The remaining principles (numbers five through eight) in the guidance detail how OT system owners can set themselves up for success against adversaries, including recommendations for preventing breaches and detecting them if they occur. The final four principles are pivotal for system owners to get right.

Principle 5: Harden your OT boundary

Many OT systems are difficult to update or replace, increasing the prevalence of obsolete assets and weak security controls. Because of this inability to modernize, oftentimes the primary defense against external threats to OT systems is their network boundary. As such, organizations should invest in modern, modular, and easily replaceable boundary protections. Additionally, the guidance suggests a robust checklist of actions to help harden your OT boundary:

• Change default passwords

  • Default credentials provide an easy-to-fix and easy-to-exploit avenue for attackers to gain initial access.

• Enforce the principle of least privilege

  • Human-to-machine and machine-to-machine connectivity should follow the concept of least privilege, following joiners, movers, leavers (JML) processes to ensure proper access rights throughout user lifecycles.

• Restrict unused services and ports

  • Only required ports and protocols should be exposed on assets.

• Implement phishing-resistant multi-factor authentication (MFA) for external services

  • Phish-resistant MFA should be implemented where possible for human-to-machine connectivity.

• Use context-aware access

  • Where possible, controls should be enabled that enforce connectivity based on attributes of the connection, like device location, time of access, or OS version.

• Enforce security requirements on third parties

  • Controls should be applied to third-party connections into the OT environment. NCSC’s previous guidance provides more details about this in principle five.

• Enforce unidirectional traffic flows

• Where possible, organizations should use Cross Domain Solutions and Data Diodes to help facilitate secure data transfers between untrusted and trusted domains.

As the convergence between OT and IT progresses, implementing principle five is critical for OT system owners in order to define and harden the boundary between OT and IT in their environments.

Principle 6: Limit the impact of compromise

There is a saying that goes, “You should be prepared for WHEN you get breached, not IF.” Organizations should take steps to limit the impact of a breach before it happens. OT systems owners need to focus on two risks:

• Contamination

  • Contamination refers to malicious or insecure code that makes its way into a trusted environment, often through the abuse of weak configurations, bad implementation, or vulnerable products.

• Lateral movement

  • Lateral movement describes how attackers expand their reach to neighboring nodes after initial access. Lateral movement can involve scanning, compromising hosts with stolen credentials, escalating privileges to gain access to systems, and more. Lateral movement should be seen as a threat both from external attackers and from insider and third-party threats.

Strategies for OT (and all) system owners to protect their environments include:

• Segmentation

  • Organizations should segment their networks behind firewalls or network architecture, dividing the network into smaller, functionally isolated networks, to reduce risk.

  • Microsegmentation: Microsegmentation applies controls on a much more granular level, usually at the host level, to restrict services, protocols, or specific clients from communicating.

  • Separation of duties: Separation of duties ensures that no one person has the ‘keys to the kingdom’. If you divide the responsibilities of individuals or systems within the environment, it limits exposure in the event of a breach or an insider threat.

• The browse down principle

  • The browse down principle states that you should trust the device on which administrative work is done as much as, or more than, the system you are managing. In essence, you don't want to manage a trusted system with an untrusted device.

• Boundary controls
  • Principle five discusses ways for organizations to harden their boundary, and principle six provides additional recommendations:

    • Host-based Controls

    • Static network controls

    • Dynamic network controls

    • Threat detection and response.

The best time for OT system owners to plan for a breach was yesterday, and the second-best time is today. OT system owners need to take proper precautions now to ensure that when, not if, a breach occurs, they are ready.

Principle 7: Ensure all connectivity is logged and monitored

While it's important to take all possible steps to prevent a breach, the last line of defense organizations have is their alerting and logging implementation. The ideal implementation of a good collection and alerting system is to empower system owners to expediently detect, contain, or prevent a breach, rather than simply collect logs.

There are at least four considerations OT system owners should look to address when a log collection and analysis program is implemented:

• Unauthorized activity

  • Any change in an OT (or IT) environment should come through strict change management procedures. Having a strong change management program, along with the ability to monitor for and alert on unauthorized changes, should be a major consideration.

• Anomaly detection

  • There should be detection of traffic patterns that deviate from the norm, or baseline, of known-good network traffic. Anomaly-based detection should not replace actual controls designed to prevent undesired traffic.

• Break-glass

  • Break-glass or use only in case of emergency access should be used only in emergency situations. Any use thereof should trigger an alarm of the highest criticality to the Security Operations Center (SOC). Break-glass account abuse is often how bad actors try to gain access to an environment through legitimate means.

• Data flow monitoring

  • Continuously monitoring data both within and across network segments and the OT boundary enables early detection of compromise.

NCSC has extensive guidance on proper log implementation, but principle seven serves as a brief reminder that logging for the sake of logging is not enough. Logs should be actionable within an organization to detect a breach and, if possible, prevent it from spreading.

Principle 8: Establish an isolation plan

There may be times when it's necessary to isolate OT environments from external influences, for example, if there is a compromise in connected IT systems or an increased threat from adversaries. OT systems should be designed, where possible, to still provide critical functions while isolated. It's essential that an isolation plan is designed and tested to ensure that critical functions remain operational while preventing unforeseen or unintended consequences during isolation.

There are three primary isolation strategies that an organization could consider:

• Site isolation

  • Site isolation works well in flat networks or networks without sophisticated security measures. Site isolation primarily involves removing or terminating external connections, either physically (e.g., cable disconnect) or via software (e.g., firewall configuration)

• Application or service-specific isolation

  • If an organization has successfully implemented the secure connectivity controls outlined in the guidance, application isolation might be more effective than site isolation. Application isolation enables an organization to isolate affected services or assets using the controls outlined in the guidance, such as microsegmentation.

• Site isolation with hardware-enforced trusted communications

  • This isolation plan allows organizations that have used either data diodes, a CDS, or other hardware-based traffic enforcement to isolate their network while keeping the hardware enforced data flows open. This allows isolating the trusted network from the untrusted network while still enabling secure data transfer.

Isolation plans, just like breach contingency plans, should be built and tested before they are needed. Ideally, isolation plans will never be needed, but with the evolving threat landscape, organizations should take action now to be prepared in the event isolation is needed.

How runZero can help

In our previous blog on this guidance, we mentioned five ways we help organizations protect and secure their OT systems. Those features of runZero also apply to principles five through eight, but there are more ways that runZero can help secure OT environments:

1. Default password checks

   • runZero can run default password checks to discover assets and software that have not changed their default settings.

2. Discover gaps in coverage

   • runZero can surface hidden assets, assets missing security controls, and assets that are bridging networks they shouldn't.

3. Alerting on unauthorized changes

   • runZero provides a comprehensive asset inventory and can detect and alert when assets are added or removed from a network, or when asset changes occur.

4. Edge device detection

   • Many organizations think they know where their edge lies, but runZero can expose assets with network connections you didn’t know existed.

If you stuck with us through all three blog posts, thanks for being here! These weren’t short posts, but neither was the guidance. If you need help protecting your OT assets, runZero is here to help. Try us out for free, or get in touch with us today.

If you missed the livestream, here’s a quick look at the themes and sessions from the day hosted by runZero’s Tod Beardsley and Rob King.

The vulnerability crisis: Quality, prediction, and noise

Right now, the industry is overwhelmed by a flood of CVEs, and we’re pretty sure this is just the beginning of a pretty steep slope. With vulnerability disclosures at an all-time high, the debate over quality versus quantity is more important than ever. In the ‘CVE quagmire’ segment, Jerry Gamblin (RogoLabs) told Tod that we’re facing an average of more than 160 new CVEs per day. He highlighted that while we’re hearing a lot about the potential for an artificial intelligence (AI) tsunami of bugs, we still haven’t addressed people-generated bugs and the inconsistent metadata that have hindered security teams for decades. On a positive note, they discussed how projects like RogoLabs’ CVE.ICU is making the CVE program more transparent, and how the upcoming Schema 6.0 could also help by requiring better, machine-readable data for automated discovery and fixes.

Next, we had the perfect follow-up session, ‘Predicting exploitation’with Jay Jacobs (Empirical Security), exploring the practice of predicting vulnerability exploitation. Jacobs detailed the evolution of the Exploit Prediction Scoring System (EPSS) from a research initiative into a vital, daily-published API that provides probability scores and percentile rankings for hundreds of thousands of CVEs.

They discussed how EPSS differs from other scoring systems and frameworks, specifically explaining the relationship between a probability score and the percentile rank. Jacobs also addressed common misconceptions about low-probability scores, noting that even a small percentage can be highly significant when measured across a massive population of vulnerabilities.

Rounding out our discussions on CVEs was the 'Mute the sirens' session with Mark Lambert (ArmorCode). Given the increasing volume and velocity of vulnerabilities, Lambert explains how an important step in reducing the noise includes determining what actually needs to be fixed, and it’s not just about picking the critical ones. He noted that they leverage threat intelligence from CISA’s KEV and EPSS to determine what’s being actively exploited, which is particularly important given that nearly all CVEs are never actually exploited in the real world.

Then, they further analyze this vulnerability intelligence by using integrations with other solutions to get an inventory of assets, determine what’s externally facing, and understand if a fix is urgently needed from a business-priority perspective. Using this unified exposure management approach goes beyond focusing only on traditional CVEs to include issues found through penetration testing and static analysis, providing a comprehensive picture of an organization’s security posture.

Research-driven reporting in cybersecurity journalism

With more AI-generated content and smaller newsrooms, cybersecurity journalism faces new challenges. In the 'Signal vs. slop' session, current and former reporters discussed how research-driven reporting is changing. Our panel of experts included Bill Brenner (CYBR.SEC.Media), Dennis Fisher (Decipher), and Steve Ragan (1Password).

The group discussed how reduced funding for traditional media has pushed many journalists to work for and with vendors directly, where brand journalism now fills the gap left by shrinking newsrooms, creating challenges for editorial independence amid the pressures of advertising and sponsored content. They also reflected on how large language models (LLMs) are affecting the quality of security reporting and how the rise of automated content lacks the human insight needed for good communication.

Expanding on the cybersecurity journalist’s perspective, the 'On the frontlines of investigative journalism' session with investigative journalist and author Joseph Menn examined the intersection of technology, crime, geopolitics, and hacktivism.

Menn shared with Tod that today’s most interesting stories aren’t just about business deals or stock prices; they focus on the complex areas where organized crime groups and state-sponsored intelligence operations overlap, especially in places like Russia and China.

They also discussed Menn’s book, Cult of the Dead Cow. They talked about the group's role in pressuring tech giants like Microsoft to take security seriously, effectively shifting the industry from a culture of hobbyist tinkering to one of professionalized defense and public policy influence.

Bridging the physical and digital divide

In the 'From risk to resilience' session, Mary Gannon (GuidePoint Security) and Patrick Gillespie (GuidePoint Security) talked with Rob about how IT and Operational Technology (OT) are converging. They discussed the unique challenges of securing industrial systems in sectors such as manufacturing and mining, where older software like Windows 98 and even Windows 3.1 is still in use. They pointed out that while bringing IT and OT together offers benefits such as real-time data and remote work, it also poses serious safety risks.

One key takeaway is the importance of knowing what assets are on your network. Many OT organizations don’t have a clear picture of what’s connected, often because the security teams don’t actually own the physical equipment. They explained that in OT, the priorities are different: IT cares most about keeping data private, while OT focuses on safety and keeping systems running. That’s why things like immediate patching aren’t always possible — shutting down a system could put people’s lives at risk.

This shift from physical assets to decentralized systems is also redefining the very concept of a network perimeter. In the ‘Perimeters and pathways’ session with Jared Atkinson (SpecterOps), Zakir Durumeric (Censys), and HD Moore (runZero), our experts stressed that the idea of a single, clear network perimeter is outdated, replaced by a satellite model of thousands of cloud accounts, remote control systems, and data-sovereignty-compliant providers. They also pointed out that network infrastructure, like firewalls, VPNs, and LTE modems, is now a top target for initial access, blurring the line between internal and external assets.

They discussed the pathways attackers take once they gain initial access, and how defenders can use solutions to map identity-based attack paths through systems. The conversation also noted that fingerprinting internal TLS services and searching for matching hashes on the public internet reveals hidden connections and misconfigurations, such as management ports exposed to guest wireless networks that completely bypass intended segmentation.

And this is especially risky at ‘The network edge,’ where old hardware like routers that no longer get updates are easy targets for attackers. During this session, Kimber Duke (VulnCheck) and Patrick Garrity (VulnCheck) discussed the critical intersection of end-of-life (EOL) hardware and this notion of a porous network edge with Tod.

Our experts revealed that edge devices, such as consumer routers and firewalls, are some of the most targeted assets for exploitation. They also talked about the zombie cycle of the internet, where unpatched, unsupported devices remain online indefinitely, creating a massive, static attack surface. Unfortunately, this problem is exacerbated by Internet Service Providers (ISPs) that continue to issue EOL hardware to new customers as well as the lack of consumer awareness regarding router updates.

As the conversation shifted to AI, our experts noted that they’re seeing a mix of valid bugs and ‘AI slop,’ and they anticipate the volume of valid vulnerabilities to increase geometrically over time.

The AI frontier: Bounties and asymmetric defense

And speaking of AI (which is nearly impossible to avoid in San Francisco, it turns out), it was also a focus in several sessions, including the discussion Tod had with Casey Ellis (Bugcrowd) about ‘Bug bounties in the age of AI.’ They talked about how AI is making it easier for both attackers and defenders, but that the primary drivers of security research still depend on human intent and quick decision-making. They also discussed the challenge of the 'defender's dilemma,' where attackers can try new things quickly and with little risk, while defenders must secure entire environments and face severe operational consequences if their automated 'agents' cause a production outage.

As the session continued, Ellis stressed the importance of vulnerability research and the need to standardize disclosure practices, which is why he’s focusing on disclose.io to make vulnerability disclosure and vulnerability report acceptance easier through standardized legal templates and a vendor-neutral database of disclosure policies.

As noted earlier, we weren’t done with AI yet. 'The infinite eye' segment with Jonathan Cran (Mallory) and HD Moore (runZero) talked with Tod about how AI-powered threat intelligence is giving defenders a real edge in a noisy security landscape. The conversation highlights a major shift in vulnerability management; defenders are transitioning away from waiting for official CVE numbers to tracking emerging threats through GitHub issues, mailing lists, and security advisories. By being more intentional about embracing the strengths of LLMs to filter out slop and fake exploits, defenders can answer critical questions much faster about their exposure in minutes, often beating CVE assignment and official vulnerability databases to the punch.

Strengthening the shield: Community and visibility

In the 'Force multiplied' session, Rishiraj Sharma (ProjectDiscovery) and Tod discussed how the open-source framework Nuclei has revolutionized how security teams validate vulnerabilities. Sharma explained that Nuclei was created to cut through the noise from traditional scanners, which often flag thousands of potentially vulnerable instances based solely on version detection. Instead, Nuclei lets security pros outline the exact steps a person would take to verify an exploit, making it clear which assets are really at risk and need immediate attention.

Thanks to input from pentesters, bug bounty hunters, and researchers worldwide, Nuclei can now create verified exploit templates in just hours instead of days. Sharma also noted that ProjectDiscovery’s bug bounty program incentivizes researchers to write new templates and validate existing ones to ensure high quality and reduce false positives.

A new kind of RSAC experience

At the end of the day, the best part of runZero Day wasn’t just one session — it was the insights shared and the format. By moving the conversation beyond the Moscone Center, we were able to broaden the audience for the major themes of the cybersecurity industry and RSAC to the world beyond Silicon Valley.

In the end, we hope you dip into the recorded stream, and if you just can’t get enough, you should definitely join the next runZero Hour, where Tod and Rob will chat it up with Caroline Wong, author of The AI Cybersecurity Handbook. They’ll talk more about the ups and downs of our machine-brained tooling in our day-to-day practice of cybersecurity.

First off, I’m glad to get these CVE out the door, which may sound a little strange. After all, nobody’s happy when their product ships with vulnerabilities. But, this does give me, incorrigible vulnerability-gazer todb, a reason to tout runZero’s overarching commitment to transparently communicate with our customers, users, and fans about the occasional bug that we happen to write, then find, and then fix. Best of all, there’s no reason to believe any of these were exploited in the wild (and we did check; if we ever find indicators of compromise, the affected customers would be the first to know).

In our role as a designated CVE Numbering Authority (or CNA), we are now expected to voluntarily (and, dare I say, enthusiastically), publish CVE records noting vulnerabilities that affect our own software. This first batch covers several months of bug-writing, concluding with CVE identifiers for an even dozen vulnerabilities. While most of them are pretty boring (everything in the set requires you to already be at least an authorized runZero user, and most are in the CVSS 5.8 Medium range) we’re committed to showing some uncomfortable proof that we actually do practice what we preach when it comes to security audits. We take our compliance requirements quite seriously, and we are going beyond an auditor’s checkbox when it comes to rolling out fixes before anything actually bad happens.

Going forward, we’re targeting the first Tuesday of every month for these CVE rollups, in order to give our customers and users a chance to apply fixes as we release them. To be clear, I expect there will be first-Tuesdays that go by with nary a bug to document. You'll notice that our most recent security issue was back in February, and I'm writing this in April, so you can expect to see a monthly report when there's something to share.

I’d also like to note that runZero has spent its entire corporate life offering security fixes as regular point releases, and we don’t expect to change that cadence now we’re a CNA. Instead, we’re offering our customers the best of both worlds: rapid fixes for security issues (no matter how minor they seem), and follow up documentation for the folks who continue to rely on the CVE ecosystem for alerting. This works for us because the runZero Platform is, at heart, a SaaS offering, which means that most of our users get these fixes without any heavy lifting or other action on their part. However, we’re also used in high security environments that require an on-prem, air-gapped installation. Ironically, this means that those high-security customers may miss out on security fixes for a while, so we’re hopeful that publishing these CVEs might nudge them along to getting not just security fixes, but all of our sweet new features and refinements that they miss out on with a slower-than-instant update cycle.

Of course, in the unlikely event that things go really off the rails and someone else discovers and publishes a vulnerability of ours before we do ourselves, we’ll be first on the scene with a fix and a CVE in hand.

So, nobody likes shipping vulns, but the least we can do is be clear about our vulnerabilities when we find and fix them, both practically in release notes, and logistically for the global CVE community. Everybody writes bugs, but not everyone is on board with owning them, and that’s why I’m (weirdly) pleased to announce our twelve newly minted CVEs. For more details, swing by runZero’s Security Advisories page, or just look these up directly with your favorite CVE client.

CVEs for April, 2026

The below are ordered by CVSS general ratings (High to Low, there were no Criticals). All runZero Platform hosted customers have already been fixed, while on-prem customers will need to update to the latest version.

High

• CVE-2026-5373: runZero Platform superuser privilege escalation, CVSS 8.1 (High)

Medium

• CVE-2026-5372: runZero Platform SQL injection in saved queries, CVSS 6.4 (Medium)
• CVE-2026-5376: runZero Platform session timeout failure, CVSS 5.9 (Medium)
• CVE-2026-5374: runZero Platform MCP information leak, CVSS 5.8 (Medium)
• CVE-2026-5378: runZero Platform user creation leak, CVSS 5.8 (Medium)
• CVE-2026-5384: runZero Platform incorrect credential scope, CVSS 5.8 (Medium)
• CVE-2026-5380: runZero Platform clear-text secret exposure, CVSS 5.3 (Medium)
• CVE-2026-5383: runZero Explorer missing authorization check (CVSS 4.4 (Medium)

Low

• CVE-2026-5379: runZero Platform MCP certification information leak, CVSS 3.0 (Low)
• CVE-2026-5382: runZero Platform MCP endpoint information leak, CVSS 3.0 (Low)
• CVE-2026-5375: runZero Platform API credential information leak, CVSS 2.7 (Low)
• CVE-2026-5381: runZero Platform task information leak, CVSS 2.2 (Low)

Fortinet disclosed certain versions of the FortiClient Endpoint Management Server (EMS) are susceptible to an API authentication and authorization bypass vulnerability caused by improper access control. A remote, unauthenticated attacker could exploit this flaw by sending specially crafted requests to the server. A successful exploit may allow the attacker to execute unauthorized code or commands. This vulnerability has been designated CVE-2026-35616 and has been rated critical with a CVSS score of 9.1.

Both Fortinet and CISA have now confirmed that this vulnerability is being actively exploited in the wild.

The following versions are affected:

• FortiClientEMS 7.4: Versions 7.4.5 through 7.4.6

What is Fortinet FortiClient Endpoint Management Server?

Fortinet FortiClient Endpoint Management Server (EMS) is a centralized application used to deploy, configure, and monitor security settings on devices running the FortiClient agent.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute unauthorized code or commands on the vulnerable host.

Are updates or workarounds available?

Users are encouraged upgrade affected systems to the following versions or apply the relevant hotfixes immediately:

• FortiClientEMS 7.4: Upgrade to 7.4.7 or later.
• FortiClientEMS 7.4.5: Apply hotfix 7.4.5.2111.
• FortiClientEMS 7.4.6: Apply hotfix 7.4.6.2170.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:=-800551065

Cisco disclosed in two advisories that multiple vulnerabilities have been identified in versions of their Smart Software Manager On-Prem (SSM On-Prem).

• CVE-2026-20160: A vulnerability that could allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system of an affected host. This issue stems from the unintentional exposure of an internal service. An attacker could exploit this by sending a crafted request to the exposed service's API. A successful exploit could grant the attacker root level privileges on the underlying operating system. This vulnerability has been designated CVE-2026-20160 and has been rated critical with a CVSS score of 9.8.
• CVE-2026-20151: A vulnerability in the web interface that could allow a remote, low-privileged attacker (System User role) to elevate their privileges. This flaw exists due to the improper transmission of sensitive user information. An attacker could exploit this by sending a crafted message to the host and retrieving session credentials from subsequent status messages. This would allow an attacker to elevate their role from System User to administrative. Note: This vulnerability only exposes information regarding users currently logged into the web interface; SSH sessions are not affected. This vulnerability has been designated CVE-2026-20151 and has been rated high with a CVSS score of 7.3.

The following versions are affected by one or both vulnerabilities:

• CVE-2026-20151: Cisco SSM On-Prem versions 9-202510 and earlier.
• CVE-2026-20160: Cisco SSM On-Prem versions 9-202502 through 9-202510.

What is Cisco Smart Software Manager On-Prem?

Cisco Smart Software Manager On-Prem is a local virtual appliance that enables organizations to manage and track Cisco software licenses within a private network, eliminating the need to connect individual devices directly to Cisco's cloud-based licensing portal.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Cisco SSM On-Prem: Upgrade to 9-202601 or later.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND html.title:="On-Prem License Workspace"

Our presence had front-row feels with back-row vibes — spanning demos, meetings, social events, and our first-ever day-long livestream — all focused on building community, learning from industry experts, and pushing the boundaries to ensure defenders win by default.

BSidesSF: The deep cuts

Our week began at BSidesSF, the ultimate opening act of deep dive tech talks and backstage conversations with the expert practitioners who drive innovation and aren’t afraid to get their hands on a keyboard. We love to get social, so it’s only appropriate that we were the daytime social sponsor posted up between the bar and the outdoor lounge. We loved reconnecting with old friends and making lots of new ones.

We also have to give a special shoutout to the entire BSidesSF crew for the warm welcome they gave Zeti the Yeti. Our beloved 6.5’ furry mascot was presented with his own special BSides badge, which literally brought a tear or two to our eyes. We are thankful that the BSides community gets us! (And we had a lot of fun going all in with the musical theme, including cipher puzzles that matched up our favorite Broadway shows with cybersecurity trivia.)

After our crew packed up our BSidesSF booth, we headed off to the iconic Tongacon, which made a victorious return to the Tonga Room this year, complete with indoor rain and plenty of tiki drinks. We were proud to sponsor this year, and we enjoyed catching up with longtime friends and forging new connections before shifting our focus to the hustle and bustle of RSAC.

RSAC: Headliners and headlines

On Monday, the marquee acts took to the stage to deliver industry news, influential conversations, and thought leadership!

We started our RSA tour with two speaking sessions, media interviews, and social gatherings.

First, our CEO, HD Moore, examined how AI is changing vulnerability discovery and how to prepare for it. Followed by our VP of Security Research, Tod Beardsley, who explored the CVE program, its fragility, and its possible future.

Then, we focused on our community-centered gigs.

We hosted incredible book signings with two influential voices in our industry, Caroline Wong and Joseph Menn. Caroline Wong drew a packed room as we celebrated her new book, The AI Cybersecurity Handbook. We had a fascinating discussion about how AI is transforming cybersecurity, and everyone wanted a signed copy. Next, Joseph Menn, investigative journalist and author of Cult of the Dead Cow, captivated the audience by sharing his journey as a journalist and the inspiration behind his latest book. Attendees were thrilled to get their hands on a personalized, signed copy.

And the hits kept rolling, with pop-up moments throughout the conference featuring the runZero team (and Zeti the Yeti sightings powered by iconic SF pedicabs!).

But we didn’t just rock in person!

Livestream: Our debut tracks

It was a lights, sound, magic moment for the runZero team as we launched the inaugural runZero Day, a live-streamed event held alongside RSAC, bringing insights to everyone who wanted to experience the magic of the week virtually.

On March 25, we broadcast live for almost six amazing hours! runZero Day brought together more than a dozen unique voices to explore the issues shaping cybersecurity today and what’s coming next. We were beyond honored to host an incredible lineup of industry trailblazers, innovators, founders, journalists, and subject matter experts.

The program covered a wide range of topics, including:

• The evolving role of the CVE program in modern defense

• The realities of reporting on cybersecurity in a high-pressure, high-stakes environment

• Challenges in securing OT, applications, and increasingly complex attack surfaces

• Perspectives from startup founders working to rethink the future of security

• Impacts of AI on our rapidly morphing industry

Merging technical perspectives with industry insights, our big, crazy, audacious goal was to make RSAC-related content accessible to a global audience, giving more people the opportunity to interact, learn, and contribute regardless of their location — no badge required!

Liner notes

It was music to our ears when BSidesSF and RSAC 2026 once again proved that the most valuable part of the week isn’t just what you learn or what happens on stage — it’s who you meet (or reconnect with) and how you apply the knowledge you gained moving forward.

Join the fan club

If you missed us in San Francisco, there are still plenty of ways to connect with the runZero band and learn how we provide unrivaled exposure detection and insights across your entire internal and external attack surface:

• Try the Platform: Interested in seeing runZero in action? You can explore the platform for free for 21 days, and following your trial, you can transition to our free Community Edition (for environments with fewer than 100 assets).

• Learn More: Explore our Platform features and Resources for more information about runZero.

Cisco disclosed in two advisories that multiple vulnerabilities have been identified in versions of their Integrated Management Controller (IMC).

• CVE-2026-20093: A vulnerability in the password change functionality could allow a remote, unauthenticated attacker to bypass authentication. Due to incorrect handling of password requests, an attacker could send a crafted HTTP request to alter any user's password, including an Admin account, to gain full system access. This vulnerability has been designated CVE-2026-20093 and has been rated critical with a CVSS score of 9.8.
• CVE-2026-20094: A vulnerability in the web-based management interface could allow a remote, low-privileged (read-only) attacker to perform command injection. By sending crafted commands to the interface, an attacker could exploit improper input validation to execute arbitrary commands as the root user. This vulnerability has been designated CVE-2026-20094 and has been rated high with a CVSS score of 8.8.
• CVE-2026-20095 and CVE-2026-20096: Two vulnerabilities in the web-based management interface could allow a remote, high-privileged (admin-level) attacker to perform command injection. Due to improper input validation, an attacker could execute arbitrary commands on the underlying operating system as the root user. The vulnerabilities designated CVE-2026-20095 and CVE-2026-20096 have been rated medium with a CVSS score of 6.5.
• CVE-2026-20097: A vulnerability in the web-based management interface could allow a remote, high-privileged (admin-level) attacker to execute arbitrary code. By sending crafted HTTP requests to an affected device, an attacker could exploit improper input validation to execute arbitrary code on the underlying operating system as the root user. This vulnerability has been designated CVE-2026-20097 and has been rated medium with a CVSS score of 6.5.

The following Cisco products are affected if they are running a vulnerable release of Cisco IMC, regardless of device configuration:

5000 Series Enterprise Network Compute Systems (ENCS):
(Affected by CVE-2026-20093, CVE-2026-20095, and CVE-2026-20096)

• Cisco NFV Infrastructure Software (NFVIS) versions 4.15 and earlier

Catalyst 8300 Series Edge uCPE:
(Affected by CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, and CVE-2026-20096)

• Cisco NFVIS versions 4.16 and earlier
• Cisco NFVIS version 4.18

UCS C-Series M5 & M6 Rack Servers (Standalone Mode):
(Affected by all CVEs: CVE-2026-20093, CVE-2026-20094, CVE-2026-20095, CVE-2026-20096, and CVE-2026-20097)

• Cisco IMC versions 4.2 and earlier
• Cisco IMC version 4.3
• Cisco IMC version 6.0 (M6 only)

UCS E-Series M3 & M6:
(Affected by CVE-2026-20093, CVE-2026-20094 (M6 only), CVE-2026-20095, and CVE-2026-20096)

• Cisco IMC versions 3.2 and earlier (M3)
• Cisco IMC versions 4.15 and earlier (M6)

UCS S-Series Storage Servers (Standalone Mode):
(Affected by CVE-2026-20094, CVE-2026-20095, and CVE-2026-20096)

• Cisco IMC versions 4.2 and earlier
• Cisco IMC version 4.3

Cisco Appliances:
The following appliances are affected if the Cisco IMC user interface (UI) is exposed, as these platforms are built upon preconfigured versions of the UCS C-Series Servers listed above:

• Application Policy Infrastructure Controller (APIC) Servers
• Business Edition 6000 and 7000 Appliances
• Catalyst Center Appliances, formerly DNA Center
• Cisco Telemetry Broker Appliances
• Cloud Services Platform (CSP) 5000 Series
• Common Services Platform Collector (CSPC) Appliances
• Connected Mobile Experiences (CMX) Appliances
• Connected Safety and Security UCS Platform Series Servers
• Cyber Vision Center Appliances
• Expressway Series Appliances
• HyperFlex Edge Nodes
• HyperFlex Nodes in HyperFlex Datacenter without Fabric Interconnect (DC-No-FI) deployment mode
• IEC6400 Edge Compute Appliances
• IOS XRv 9000 Appliances
• Meeting Server 1000 Appliances
• Nexus Dashboard Appliances
• Prime Infrastructure Appliances
• Prime Network Registrar Jumpstart Appliances
• Secure Endpoint Private Cloud Appliances
• Secure Firewall Management Center Appliances
• Secure Malware Analytics Appliances
• Secure Network Analytics Appliances
• Secure Network Server Appliances
• Secure Workload Servers

What is Cisco Integrated Management Controller?

The Cisco Integrated Management Controller is a dedicated baseboard management controller that provides out-of-band hardware configuration, monitoring, and remote control for Cisco UCS C-Series and S-Series servers via a web interface, CLI, or API, independent of the host operating system.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

5000 Series ENCS:

• Cisco NFVIS versions 4.15 and earlier: Upgrade to 4.15.5 or later.

Catalyst 8300 Series Edge uCPE:

• Cisco NFVIS versions 4.16 and earlier: Migrate to a fixed release.
• Cisco NFVIS version 4.18: Upgrade to 4.18.3 (Apr 2026) or later.

UCS C-Series M5 Rack Server:

• Cisco IMC versions 4.2 and earlier: Migrate to a fixed release.
• Cisco IMC version 4.3: Upgrade to 4.3(2.260007) or later.

UCS C-Series M6 Rack Server:

• Cisco IMC versions 4.2 and earlier: Migrate to a fixed release.
• Cisco IMC version 4.3: Upgrade to 4.3(6.260017) or later.
• Cisco IMC version 6.0: Upgrade to 6.0(2.260044) or later.

UCS E-Series M3:

• Cisco IMC versions 3.2 and earlier: Upgrade to 3.2.17 or later.

UCS E-Series M6:

• Cisco IMC versions 4.15 and earlier: Upgrade to 4.15.3 or later.

UCS S-Series Storage Server:

• Cisco IMC versions 4.2 and earlier: Migrate to a fixed release.
• Cisco IMC version 4.3: Upgrade to 4.3(6.260017) or later.

Notes:

• NFVIS Platforms: Upgrading Cisco IMC on 5000 Series ENCS and Catalyst 8300 Series Edge uCPE requires an upgrade of the Cisco Enterprise NFVIS. The IMC is updated automatically during the firmware auto-upgrade process.
• Cisco Appliances: Administrators can typically perform a direct upgrade of the Cisco IMC using the Cisco Host Upgrade Utility (HUU). For specific exceptions, please refer to the detailed instructions in the official Cisco Security Advisory.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Cisco AND product:="Integrated Management Controller"

Progress Software disclosed two vulnerabilities in 5.x versions of customer-managed ShareFile Storage Zones Controller (SZC).

• CVE-2026-2699: Allows a remote, unauthenticated adversary to access restricted configuration pages. This could lead to unauthorized system configuration changes and potential Remote Code Execution (RCE) resulting from an Execution After Redirect (EAR) vulnerability. This vulnerability has been designated CVE-2026-2699 and has been rated critical with a CVSS score of 9.8.
• CVE-2026-2701: Allows a remote, high-privileged user to upload a malicious file to the server and execute it to achieve RCE. This vulnerability has been designated CVE-2026-2701 and has been rated critical with a CVSS score of 9.1.

The following versions are affected:

• ShareFile Storage Zones Controller 5.x versions prior to 5.12.4

What is Progress ShareFile Storage Zones Controller?

Progress ShareFile Storage Zones Controller is a software application that enables organizations to store their ShareFile data on-premises or in a private cloud infrastructure, rather than using the default ShareFile cloud storage.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• ShareFile Storage Zones Controller 5.x: Upgrade to version 5.12.4 or later.
• Alternative: Users on version 5.x may also upgrade to any v6 version, as all v6 versions are unaffected by these
  vulnerabilities.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

(vendor:="Progress Software" OR vendor:=Citrix OR vendor:=ShareFile) AND
  (product:="ShareFile Storage Zones Controller" OR product:="ShareFile StorageZones Controller")

We are continuing our blog series on this guidance by taking a closer look at the first four principles that lay the foundation for a robust OT security posture and how runZero can help empower OT network defenders.

Let’s dive in.

Principle 1: Balance the risks and opportunities

At the heart of the first principle is the idea that connectivity decisions should be risk‑informed and auditable. Before adding or modifying any connection into or out of an OT system, organizations must create and document business use cases for all permitted connectivity within OT systems. These must clearly document why the connection is needed, the benefits it provides, and what risk it introduces. Specifically, when documenting the justification and use case of connections, organizations should consider, at a minimum, the following:

• Why the connection is required and what operational function it enables

• What benefits are expected, like improved monitoring or predictive maintenance

• What risks are acceptable based on organisational threat context

• Potential impacts if the connection is misused or compromised

• How new dependencies might affect isolation or resilience

• Who is accountable at a senior level for the decision

This principle also deliberately highlights two major considerations for organizations to weigh that greatly increase risk when expanding OT connectivity: obsolete products (both software and hardware) and operational risks that ensure the safety, reliability, and availability of OT systems.

Organizations need to understand, evaluate, and address the risks associated with obsolete products. These risks may include the lack of security updates and the loss of institutional knowledge to help support older systems.

To reduce operational risk, organizations also need to consider loss of connectivity, single points of failure, and manual fallback capabilities.

This principle ensures OT system owners and operators carefully consider and document the impacts, effects, and ramifications of increasing the connectivity of their OT systems, especially when they are using old or obsolete products that could compromise the integrity of the OT system.

Principle 2: Limit the exposure of your connectivity

Exposure refers to how accessible OT systems are to both internal networks and external systems. The more reachable an OT asset is, the broader the potential attack surface becomes. To protect against exploitation, organizations should adopt an exposure management approach to their environment. It’s important to note that exposure management is not the same as vulnerability management and should not be treated as such.

An exposure management approach considers factors such as internet, adjacent, or internal network accessibility, End of Life (EOL) devices, obsolete protocol usage, administrative service or interface accessibility, and the many non-CVE risks that often lead to exploitation.

The guidance provides suggestions for limiting the exposure of OT systems, including:

• Reduce time of exposure

  • When possible, utilize just-in-time (JIT) access to reduce the time window for attacks to occur.

• Remove inbound port exposure

  • Only brokered connections through a secure gateway should be allowed. All other connections should initiate outbound from the OT system.

• Manage obsolescence risks

  • When obsolete OT devices cannot be upgraded, system owners should implement network segmentation, boundary controls, access restrictions, and device monitoring and logging.

• Manage unique connectivity risks

  • Even if encrypted, wireless communications like WiFI or radio are not bound by the physical perimeter of your site and introduce risk. Compensating controls should be implemented to mitigate risk from wireless mediums.

The second principle highlights the necessity for organizations to understand what is on their networks and how those components are connected to reduce their risk.

Principle 3: Centralize and standardize network connections

Principle three encourages organizations to standardize their network connections to combat the ever-present decentralized, inconsistent, and needlessly complex connections that introduce risk. The guidance recommends:

• Flexibility

  • Maintain a robust change management process to protect against emerging threats by continuously evaluating and refining connectivity and controls. Organizations must select products with ongoing support to adapt to regulatory changes and newer threat models.

• Repeatability

  • Connectivity models and plans should be standardized and reusable to reduce or eliminate the need for bespoke solutions that can lead to unnecessary and unexpected exposures.

• Categorized

  • While repeatability is necessary, distinctions in device and data types (across and within systems) allow selection of the most appropriate protections and controls for each system.

While more concise, the third principle should not be overlooked, given that complexity in systems can create unknown connections, leading to an increased attack surface.

Principle 4: Use standardized and secure protocols

OT system owners most often prioritize availability in the CIA (confidentiality, integrity, and availability) triad, especially in industrial or critical infrastructure environments. With that said, they should implement all components of the triad, including confidentiality and integrity, where possible.

The guidance suggests two main approaches:

Protocol Validation:

System owners should validate both the protocol and the data payloads within and between systems to ensure the traffic seen is expected and valid. The protocols in use and the payloads should be inspected at key trust boundaries, for example, the OT/IT boundary or between services, such as SCADA control software and a PLC. It is recommended that the validation of allowed traffic should be schema-based, that is, following a ‘known good’ model that only allows expected and desired traffic.

Industrial Protocols:

When evaluating what industrial protocols to use in your OT system, you should:

• Use modern, secure versions of protocols (CIP Security vs CIP or DNP2-SAv5 vs DNP3) that support cryptographic protections for integrity.

• Implement protocols that use open standards to allow for vendor-agnostic solutions to avoid vendor lock in and bespoke implementations.

• If utilized, require a business use case for the use of insecure protocols and implement compensating controls to manage the risk.

• Restrict OT protocols to isolated OT network segments, blocking, or when necessary, brokering external connections.

OT system owners need to implement modern and secure OT protocols to reduce the attack surface of their environments.

How runZero helps

When implemented correctly, these first four principles create a structured, repeatable approach to designing OT connectivity that simultaneously supports operational goals and strengthens cybersecurity posture.

runZero helps OT system owners implement these principles by:

1. Providing an asset inventory of OT, IoT, and IT assets

   • You can’t protect what you can’t see. runZero’s asset inventory enables system owners to see everything on the network.

2. Obsolete device detection

   • runZero natively provides EOL information for devices. In cases where EOL information is unavailable, runZero provides deep asset-level insight, including software and hardware version information. This allows system owners to know exactly what is on the network.

3. Detection of protocols and ports

   • With safe active scanning, runZero enables system owners to find the open ports and protocols on devices that may have been missed by other methods.

4. Segmentation validation

   • runZero can empower OT system owners to validate their network segmentation, ensuring their OT systems are not erroneously or incorrectly connected to the IT network.

5. Exposure management

   • runZero’s unauthenticated scanning provides a unique opportunity for system owners to uncover risks and exposures that matter. Instead of focusing on vulnerabilities that will never be exploited, runZero surfaces the problems that plague OT systems: obsolete protocols, misconfigurations, exposed admin interfaces, and more.

In OT environments — where uptime, safety, and reliability are paramount — these four foundational principles, along with runZero, empower OT systems owners to reduce their attack surface and keep their critical infrastructure secure.

Stay tuned for our third and final blog in this series as we discuss the final four principles from the guidance.

On October 15, 2025, F5 disclosed a denial of service vulnerability, designated CVE-2025-53521, in F5 BIG-IP Access Policy Manager (APM).

On Friday, March 27, 2026, F5 updated the CVE entry to indicate that the vulnerability is now known to be a remote code execution vulnerability (RCE) with a CVSS score of 9.8. This vulnerability is now known to allow a remote, unauthenticated attacker to perform remote code execution.

This vulnerability is known to be exploited in the wild and was added to the CISA.gov Known Exploited Vulnerabilities (KEV) list on March 27, 2026.

The following versions are affected:

• F5 BIG-IP Access Policy Manager versions 17.5.0 - 17.5.1 (inclusive)
• F5 BIG-IP Access Policy Manager versions 17.1.0 - 17.1.2 (inclusive)
• F5 BIG-IP Access Policy Manager versions 16.1.0 - 16.1.6 (inclusive)
• F5 BIG-IP Access Policy Manager versions 15.1.0 - 15.1.10 (inclusive)

What is F5 BIG-IP Access Policy Manager (APM)?

F5 BIG-IP Access Policy Manager (APM) is a software module on F5 BIG-IP appliances that acts as an identity-aware proxy and VPN.

What is the impact?

Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available?

Upgrade affected versions of F5 BIG-IP Access Policy Manager to the latest patched version.

• 17.5.x upgrade to 17.5.1.3 or later
• 17.1.x upgrade to 17.1.3 or later
• 16.1.x upgrade to 16.1.6.1 or later
• 15.1.x upgrade to 15.1.10.8 or later

How do I find F5 Big-IP assets with runZero?

From the Software Inventory, use the following query to locate potentially affected systems:

vendor:=F5 AND product:="BIG-IP Access Policy Manager"

October 2025: CISA Emergency Directive

On October 15, 2025, CISA issued an emergency directive to mitigate vulnerabilities on F5 Big-IP appliances. According to the directive, the general guidance is to "inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply newly released updates from F5."

What is F5 Big-IP?

F5 Big-IP appliances provide application delivery and security services to enhance security and improve performance of network applications.

What is the impact?

According to the directive, "a nation-state affiliated actor compromised F5 systems and exfiltrated data, including portions of the Big-IP proprietary source code and vulnerability information". The emergency directive specifically calls out "all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF". Organizations should apply the latest vendor updates and disconnect any affected publicly-connected devices that have reached their end-of-support date.

For more information, refer directly to the CISA emergency directive. 

How do I find F5 Big-IP assets with runZero?

From the Asset Inventory, use the following query to locate potentially affected systems:

os:="F5%"

May 2022: CVE-2022-1388

In May 2022, technology vendor F5 published information on over 40 vulnerabilities, mostly affecting their BIG-IP line of products. While these vulnerabilities included a mix of types and severities, a particular authentication bypass vulnerability that affected all BIG-IP modules was concerning enough that CISA specifically called it out.

What was the impact?

Known as CVE-2022-1388 (CVSS “critical” score of 9.8), a vulnerable BIG-IP target could allow for takeover by an unauthenticated attacker via network connection or management port. Once connected to a vulnerable target, successful exploitation was achieved via a crafted HTTP request sent by the attacker, bypassing iControl REST authentication and providing the attacker full access and control. F5 did add that there was no data plane exposure via exploitation of this vulnerability, rather "this being a control plane issue only".

Were updates available?

Patches were made available by F5 for CVE-2022-1388, as well for many of the other vulnerabilities included in their security advisory overview. Guidance also included mitigation steps if immediate or near-term patching was not an option.

On January 13, 2026, Microsoft disclosed a remote code execution vulnerability, designated CVE-2026-20963, in Microsoft SharePoint. The vulnerability is due to deserialization of untrusted data in Microsoft SharePoint which allows a remote, unauthenticated attacker attacker to execute code over a network.

While initially released with a CVSS score of 8.8, the score was updated to 9.8 on March 17, 2026.

This vulnerability is known to be exploited in the wild and was added to the CISA.gov Known Exploited Vulnerabilities (KEV) list on March 18, 2026.

The following versions are affected:

• SharePoint Enterprise Server 2016 before version 16.0.5535.1001
• SharePoint Server 2019 before version 16.0.10417.20083
• SharePoint Server Subscription Edition before version 16.0.19127.20442

What is the impact?

Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available?

Upgrade affected versions of SharePoint Server to the latest patched version.

• SharePoint Enterprise Server 2016 version 16.0.5535.1001 or later

• SharePoint Server 2019 version 16.0.10417.20083 or later

• SharePoint Server Subscription Edition version 16.0.19127.20442 or later

How do I find Microsoft SharePoint Server installations with runZero?

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Microsoft AND (
  (product:="SharePoint Server 2016" AND (version:>=16.0 AND version:<16.0.5535.1001)) OR
  (product:="SharePoint Server 2019" AND (version:>=16.0 AND version:<16.0.10417.20083)) OR
  (product:="SharePoint Server Subscription Edition" AND (version:>=16.0 AND version:<16.0.19127.20442))
  ) AND NOT version:=""

July 2025 (Multiple CVEs)

Microsoft has disclosed two vulnerabilities in certain versions of on-premises Microsoft SharePoint Server:

• SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
• SharePoint Server improperly limits a pathname to a restricted directory allowing path traversal in Microsoft Office SharePoint resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.

The following versions are affected

• Microsoft SharePoint Enterprise Server 2016 versions currently unknown
• Microsoft SharePoint Server 2019 versions currently unknown
• Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available?

As of 7/20/2025 security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.

• Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
• Rotate SharePoint Server ASP.NET machine keys.

• Upgrade affected systems to the new versions when a patch is available.

How do I find Microsoft SharePoint Server installations with runZero?

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:="Microsoft" AND product:="SharePoint Server%"

Several vulnerabilities affecting Apple's device ecosystem have been weaponized into an exploit chain known as DarkSword. These vulnerabilities enable remote code execution and payload deployment when a user visits a malicious website.

This exploit chain is known to have been used by multiple commercial surveillance vendors and suspected state-sponsored actors. In March 2026, the chain and related exploit kit tooling was leaked publicly and is now available for use by a wider range of malicious actors.

While the exploit kit was used to attack iOS, the vulnerabilities are known to have existed in iPadOS, macOS, tvOS, watchOS, and visionOS.

There are 6 vulnerabilities known to be part of the DarkSword exploit chain:

• CVE-2025-14174 - Memory corruption vulnerability in ANGLE, patched in 18.7.3 and 26.2
  
• CVE-2025-31277 - Memory corruption vulnerability in JavaScriptCore, patched in 18.6
• CVE-2025-43510 - Memory management vulnerability in the iOS kernel, patched in 18.7.2 and 26.1
• CVE-2025-43520 - Memory corruption vulnerability in the iOS kernel, patched in 18.7.2 and 26.1
• CVE-2025-43529 - Memory corruption vulnerability in JavaScriptCore, patched in 18.7.3 and 26.2
• CVE-2026-20700 - User-mode Pointer Authentication Code (PAC) bypass in dyld, patched in 26.3

What is the impact?

Upon successful exploitation of the exploits above the attacker is able to compromise the target device and install backdoor software.

Are updates or workarounds available?

Vulnerable devices should be upgraded 26.3 or later. If the device cannot be updated to 26.3, update to 18.7.3 or later. Both of these updates were released in Feb 2026.

If the device cannot be updated then Lockdown mode can be enabled to mitigate the risk of these vulnerabilities. Lockdown mode is a highly restrictive security mode that may cause some functionality to be limited.

How do I find potentially vulnerable Apple devices with runZero?

From the Asset Inventory, use the following query to locate assets running potentially vulnerable versions of the affected products:

(os:="apple ios" OR os:="apple ipados" OR os:="apple tvos" OR os:="apple macos" OR os:="apple watchos" OR os:="apple visionos") AND osversion:>0 AND ((osversion:>="26.0" AND osversion:<"26.3") OR (osversion:>="18.0" AND osversion:<"18.7.3"))

Citrix has published Security Bulletin CTX696300, documenting multiple vulnerabilities that impact customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). In certain gateway and load-balancing configurations, these devices are vulnerable to multiple vulnerabilities:

• CVE-2026-3055 - Insufficient input validation leading to memory overread. This vulnerability is considered critical with a CVSS score of 9.3.
  
• CVE-2026-4368 - A race condition could lead to user session mixup. This vulnerability is considered severe, with a CVSS score of 7.7.

The following versions are affected:

• NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
• NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
• NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

Note: Citrix ADC / NetScaler 13.0 and prior have reached end of life. Citrix has made no statements regarding the vulnerabilities in these versions, but they are possibly affected as well.

What is the impact?

Citrix has not published guidance on the impact of these vulnerabilities. Given the values that they have provided for the CVSS score it likely that successful exploitation of these vulnerabilities could result in full system compromise.

Are updates or workarounds available?

Citrix recommends upgrading affected systems to one of the following versions as soon as possible:

• NetScaler ADC and NetScaler Gateway 14.1-66.59 and later releases
• NetScaler ADC and NetScaler Gateway 13.1-62.23 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1.37.262 and later releases of 13.1-FIPS and 13.1-NDcPP

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:="Citrix NetScaler%" OR hw:="Citrix ADC%" OR os:="Citrix NetScaler%" OR os:="Citrix ADC"

September 2025 (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424)

Citrix has published Security Bulletin CTX694938, documenting multiple vulnerabilities that impact customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). In certain gateway and load-balancing configurations, these devices are vulnerable to multiple vulnerabilities:

• CVE-2025-7775 - A memory corruption vulnerability that could allow a remote attacker to execute arbitrary code on the system. This vulnerability is considered critical with a CVSS score of 9.2.
  
• CVE-2025-7776 - A memory corruption vulnerability that could allow a remote attacker to create a denial-of-service condition. This vulnerability is considered severe, with a CVSS score of 8.8.
• CVE-2025-8424 - An improper authentication vulnerability that could allow a remote attacker to gain access to sensitive system resources without proper authorization. This vulnerability is considered severe, with a CVSS score of 8.7.

There is evidence that CVE-2025-775 is being actively exploited in the wild.

The following versions are affected:

• NetScaler ADC and NetScaler Gateway 14.1  before 14.1-47.48
• NetScaler ADC and NetScaler Gateway 13.1  before 13.1-59.22
• NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP
• NetScaler ADC 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP

What is the impact?

Successful exploitation of this vulnerability could allow an adversary to execute arbitrary code on the vulnerable system, potentially leading to total system compromise or a denial-of-service condition.

Are updates or workarounds available?

Citrix recommends upgrading affected systems to one of the following versions as soon as possible:

• NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
• NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
• NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:="Citrix NetScaler%" OR hw:="Citrix ADC%" OR os:="Citrix NetScaler%" OR os:="Citrix ADC"

June 2025 (CVE-2025-6543)

Citrix published Security Bulletin CTX694788 that documented a vulnerability that impacts customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization and Auditing (AAA) virtual server are affected by a memory overflow vulnerability. This vulnerability has been designated CVE-2025-6543 and has been rated critical with a CVSS score of 9.2.

There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected

• NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
• NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

What is the impact?

Successful exploitation of this vulnerability could allow an adversary to make unintended changes to control flow, potentially allowing remote code execution (RCE) or causing denial-of-service (DoS).

Are updates or workarounds available?

Citrix recommends upgrading affected systems to one of the following versions as soon as possible:

• NetScaler ADC and NetScaler Gateway to version 14.1-47.46 and later releases
• NetScaler ADC and NetScaler Gateway to version 13.1-59.19 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP to version 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) and no longer supported. It is recommended to upgrade to one of the currently supported versions that address the vulnerabilities.

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:="Citrix NetScaler%" OR hw:="Citrix ADC%" OR os:="Citrix NetScaler%" OR os:="Citrix ADC"

June 2025 (CVE-2025-5777, CVE-2025-5349)

Citrix published Security Bulletin CTX693420 that documented two vulnerabilities that impact customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). There is evidence that one of the vulnerabilities, designated by CVE-2025-5777, is being actively exploited in the wild.

• NetScaler configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization and Auditing (AAA) virtual server are at risk of an insufficient input validation vulnerability leading to memory out-of-bounds read in the NetScaler Management Interface which could allow access to secret values, bypass of protection mechanism, DoS or other unexpected results. This vulnerability has been designated CVE-2025-5777 and has been rated critical with a CVSS score of 9.3.
• An attacker with access to the NetScaler appliance IP (NSIP) address, Cluster Management IP (CLIP) address or local Global Server Load Balancing (GSLB) Site IP (GSLBIP) address could utilize an improper access control vulnerability to gain access the the NetScaler Management Interface and its management functions. This vulnerability has been designated CVE-2025-5349 and has been rated high with a CVSS score of 8.7.

The following versions are affected

• NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
• NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235-FIPS and NDcPP
• NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS

What is the impact?

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information, potentially disrupt system operations and cause a denial-of-service, or gain control over the NetScaler Management Interface and its management functions potentially leading to system compromise.

Are updates or workarounds available?

Citrix recommends upgrading affected systems to one of the following versions as soon as possible:

• NetScaler ADC and NetScaler Gateway to version 14.1-43.56 and later releases
• NetScaler ADC and NetScaler Gateway to version 13.1-58.32 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP to version 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
• NetScaler ADC 12.1-FIPS to version 12.1-55.328 and later releases of 12.1-FIPS

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) and no longer supported. It is recommended to upgrade to one of the currently supported versions that address the vulnerabilities.

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:="Citrix NetScaler%" OR hw:="Citrix ADC%" OR os:="Citrix NetScaler%" OR os:="Citrix ADC"

February 2025 (CVE-2024-12284)

Citrix issued a security bulletin for the on-premise NetScaler Console (formerly NetScaler ADM) and NetScaler Agent products. CVE-2024-12284 is rated high with a CVSS score of 8.8, which could lead to privilege escalation.

What is the impact?

For customers running an on-premise installation of NetScaler Console with NetScaler Console Agents deployed, an authenticated remote attacker could "execute commands without additional authorization". NetScaler emphasized that an attacker must be authenticated, which limits the potential impact. 

Are updates or workarounds available?

Citrix recommends upgrading to one of the following versions as soon as possible:

• NetScaler Console 14.1-38.53 and later releases
• NetScaler Console 13.1-56.18 and later releases of 13.1
• NetScaler Agent 14.1-38.53 and later releases
• NetScaler Agent 13.1-56.18 and later releases of 13.1

How do I find potentially vulnerable systems with runZero?

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND html.title:="NetScaler Console"

June 2024: (CVE-2023-6548, CVE-2023-6549)

In January Citrix published Security Bulletin CTX584986 that documented two vulnerabilities that impact NetScaler ADCs and Gateways. The most severe of these, CVE-2023-6549, was discovered and documented by BishopFox.

CVE-2023-6549 is rated high with a CVSS score of 8.2. This vulnerability is an unauthenticated out-of-bounds memory read which could be exploited to collect information from the appliance’s process memory, including HTTP request bodies. While serious, this is not thought to be a bad as the Citrix Bleed vulnerability due to the new vulnerability being less likely to leak high risk data.

CVE-2023-6548 is rated medium with a CVSS score of 5.5. This vulnerability is a code injection flaw that allows remote code injection by an authenticated attacker (with low privileged) with access to a management interface on one of the NSIP, CLIP or SNIP interfaces.

What is the impact?

The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication. CVE-2023-6549 is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker. CVE-2023-6548 could be used by an attacker with credentials to execute code.

Are updates or workarounds available?

Citrix recommends limiting access to management interfaces as well as upgrading to one of the following versions:

• NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
• NetScaler ADC and NetScaler Gateway  13.1-51.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS 
• NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS 
• NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP

Warning: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to one supported version that addresses the vulnerabilities.

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:netscaler OR product:"citrix adc"

July 2023 (CVE-2023-3519)

In July, 2023, Citrix alerted customers to three vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Surfaced by researchers at Resillion, these vulnerabilities included a critical flaw currently being exploited in the wild to give attackers unauthenticated remote code execution on vulnerable NetScaler targets (CVE-2023-3519). Compromised organizations included a critical infrastructure entity in the U.S., where attackers gained access the previous month and successfully exfiltrated Active Directory data. And at the time of publication, there appear to be over 5,000 public-facing vulnerable NetScaler targets.

What was the impact?

The three reported vulnerabilities affecting NetScaler ADC and Gateway products were of various types, and each include different preconditions required for exploitation:

• Unauthenticated remote code execution (CVE-2023-3519; CVSS score 9.8 - "critical")
  • Successful exploitation required the NetScaler target be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or "authentication, authorization, and auditing" (AAA) virtual server.
• Reflected cross-site scripting (XSS) (CVE-2023-3466; CVSS score 8.3 - "high")
  • Successful exploitation required the victim to be on the same network as the vulnerable NetScaler target when the victim loaded a malicious link (planted by the attacker) in their web browser.
• Privilege escalation to root administrator (nsroot) (CVE-2023-3467; CVSS score 8.0 - "high")
  • Successful exploitation required an attacker having achieved command-line access on a vulnerable NetScaler target.

U.S.-based CISA reported attackers exploiting CVE-2023-3519 to install webshells used in further network exploration and data exfiltration, causing CVE-2023-3519 to be added to CISA's Known Exploited Vulnerabilities Catalog. Other common attacker goals, like establishing persistence, lateral movement, and malware deployment, were all potential outcomes following successful exploitation.

Citrix made patched firmware updates available. Admins were advised to update older firmware on vulnerable NetScaler devices as soon as possible.

CISA also made additional information available around indicators of compromise and mitigations.

How to find potentially vulnerable NetScaler instances with runZero

From the Asset inventory, they used the following prebuilt query to locate NetScaler instances on their network:

hw:="Citrix NetScaler%" OR hw:="Citrix ADC%" OR os:="Citrix NetScaler%" OR os:="Citrix ADC"

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are running updated firmware versions.

The following query could also be used in on the Software and Services inventory pages to locate NetScaler software:

product:netscaler

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are updated versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Oracle has disclosed a vulnerability in specific versions of its Identify Manager and Web Services Manager products, contained within the Oracle Fusion Middleware suite that, when exploited, may allow a remote, unauthenticated adversary to takeover vulnerable Oracle Identity Manager and Web Services Manager installations. This vulnerability has been designated CVE-2026-21992 and has been rated critical with a CVSS score of 9.8.

The following versions are affected

• Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0

What is Oracle Identity Manager?

Oracle Identity Manager is a complete security platform that manages user lifecycles and provides secure access to enterprise resources. It automates user management across cloud and on-premises systems, enables secure sign-on with features like multi-factor authentication.

What is the impact?

Successful exploitation of this vulnerability can result in takeover of Oracle Identity Manager and Oracle Web Services Manager.

Are updates or workarounds available?

Users are encouraged to upgrade affected versions of Oracle Identity Manager and Oracle Web Services Manager to the latest patched version as quickly as possible. Oracle has included patching instructions on their website.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Oracle AND (product:"Identity Manager" OR product:"Web Services Manager")

November 2025: Oracle Identity Manager vulnerability: CVE-2025-61757

Oracle has disclosed a vulnerability in certain versions of its Identify Manager contained within the Oracle Fusion Middleware suite that, when exploited, may allow a remote, unauthenticated adversary to achieve arbitrary remote code execution (RCE). This vulnerability has been designated CVE-2025-61757 and has been rated critical with a CVSS score of 9.8.

There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected

• Oracle Identity Manager versions 12.2.1.4.0 and 14.1.2.1.0

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary commands on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to upgrade affected versions of Oracle Identity Manager to the latest patched version as quickly as possible.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:="Oracle" product:="Identity Manager"

A vulnerability has been discovered in Langflow. 

This vulnerability, designated CVE-2026-33017 has a CVSS score of 9.3 (critical). Exploiting this vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected

• All versions prior to 1.8.2

What is Langflow?

Langflow is a popular, open-source tool for building and deploying AI-powered agents and workflows.

What is the impact?

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system with the privileges of the Langflow process. This vulnerability is remotely exploitable without authentication.

Are updates available?

The Langflow project has released version 1.8.2 to address this vulnerability and urges all users to upgrade to that or a later version as quickly as possible.

How do I find potentially vulnerable Langflow installations with runZero?

Vulnerable devices can be found by navigating to the Software Inventory and using the following query:

vendor:=Langflow AND product:=Langflow AND (version:>0 AND version:<1.8.2)

June 2025: Langflow vulnerability (CVE-2025-3248)

A vulnerability has been discovered in Langflow, a popular framework for building AI workflows. This vulnerability, designated CVE-2025-3248 has a CVSS score of 9.8 (critical). Successfully exploiting this vulnerability would allow a remote, unauthenticated attacker to execute arbitrary code on the vulnerable system.

Note that CISA has indicated that there is evidence this vulnerability is being exploited in the wild.

Update: As of June 17th, 2025, there is evidence that this vulnerability is actively being exploited as part of the Flodrix botnet. Trend Micro has published a report detailing an active campaign that utilizes an open-source proof of concept (PoC) exploit for CVE-2025-3248 to initially compromise the system. The attacker then downloads and executes the Flodrix malware to establish communication with the command and control (C&C) server for the Flodrix botnet.

What is the impact?

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system with the privileges of the Langflow process. This vulnerability is exploitable remotely and without authentication.

Are updates available?

The Langflow project has released version 1.3.0 to address this vulnerability and urges all users to upgrade to that or a later version as quickly as possible.

How do I find potentially vulnerable Langflow installations with runZero?

Vulnerable devices can be found by navigating to the Software Inventory and using the following query:

_asset.protocol:http AND product:Langflow AND (version:>0 AND version:<1.3.0)

A configuration injection vulnerability was discovered and fixed in the Kubernetes Ingress-NGINX controller software.

• The vulnerability has been designated CVE-2026-4342 and has been rated high with a CVSS score of 8.8.

The following versions are affected

• Ingress-NGINX controller versions through v1.13.9 (exclusive)
• Ingress-NGINX controller versions through v1.14.5 (exclusive)
• Ingress-NGINX controller versions through v1.15.1 (exclusive)

What is Kubernetes Ingress-NGINX?

Kubernetes Ingress-NGINX controller provides reverse proxy and load balancing to Kubernetes services, providing an HTTP/HTTPS gateway to cluster resources.

What's the impact?

Successful exploitation could lead to arbitrary code execution in the context of the Ingress-NGINX controller, as well as disclosure of secrets accessible to the controller. The Ingress-NGINX controller can access all cluster-wide secrets in its default configuration.

Are updates or workarounds available?

Users are encouraged to update to versions 1.13.9, 1.14.5, 1.15.1 or a later version.

How to find potentially vulnerable Ingress-Nginx services with runZero

From the Services Inventory, use the following query to locate potentially vulnerable systems:

(_asset.protocols:tls AND protocol:tls AND tls.issuer:="O=nil1" AND tls.subject:="O=nil2" AND tls.names:"%nginx%")

February 2026: Kubernetes Ingress-NGINX Controller (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514)

Today, in a message from the Kubernetes Security Response Committee (SRC), users were notified of four vulnerabilities, which, if left exposed and unpatched, could be exploited to achieve remote code execution by unauthenticated attackers.

What's the impact?

Three of the vulnerabilities relate to validation and sanitation of user-controlled fields (CVE-2026-24512, CVE-2026-24513, and CVE-2026-24514). Out of the three, CVE-2026-24513 is the most concerning, which potentially allows for an attacker to bypass the auth-url annotation if the backend service fails to honor the X-Code HTTP header. In addition, CVE-2026-1580 potentially allows for attackers to inject configuration into NGINX, leading to arbitrary code execution in the context of the Ingress-NGINX controller. Notably, the attack does appear to depend on a clear shot to the admission controller for the Ingress-NGINX controller, which itself is an optional component that allows for Kubernetes-homed services to be reached from the wider network.

Finally, it’s important to note that the very similarly-named NGINX Ingress controller is not affected by these Ingress-NGINX controller vulnerabilities.

Are updates or workarounds available?

Users are advised to update to version 1.13.7, 1.14.3, or any later version as quickly as possible.

How to find potentially vulnerable Ingress-Nginx services with runZero

From the Services Inventory, use the following query to locate potentially vulnerable systems:

(_asset.protocols:tls AND protocol:tls AND tls.issuer:="O=nil1" AND tls.subject:="O=nil2" AND tls.names:"%nginx%")

ConnectWise released a security bulletin for an improper verification of cryptographic signature vulnerability found in the ScreenConnect software.

The following versions are affected:

• ConnectWise ScreenConnect versions prior to 26.1

This vulnerability has been designated CVE-2026-3564 and has a CVSS score of 9 (critical).

What is ConnectWise ScreenConnect?

ConnectWise ScreenConnect provides remote desktop access for end-users and IT professionals for support, maintenance,
or collaboration.

What is the impact?

Successful exploitation can allow unauthorized access to ScreenConnect and unauthorized actions within the application, including privilege escalation in certain scenarios. Cloud installations are already patched.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible (within days). The latest available release for on-premise installations is 26.1.

How do I find vulnerable ScreenConnect installations with runZero?

From the Software Inventory, use the following query to locate potentially vulnerable ConnectWise ScreenConnect installations:

vendor:ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<26.1)

June 2025, ScreenConnect vulnerability (CVE-2025-3935)

Certain versions of ConnectWise ScreenConnect may be susceptible to ViewState code injection attacks in ASP.NET Web Forms. The ViewState is used by ASP.NET to preserve page state across multiple requests. The data is encoded using Base64 and protected by cryptographic keys referred to as machine keys. It is important to note that it typically requires privileged system level access to obtain these machine keys. This issue could potentially impact any product utilizing ASP.NET framework ViewStates. There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected:

• ConnectWise ScreenConnect versions prior to 25.2.4

This vulnerability has been designated CVE-2025-3935 and has a CVSS score of 8.1 (high).

What is the impact?

If machine keys are compromised, successful exploitation of the vulnerability could allow attackers to create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.

Are updates or workarounds available?

ConnectWise has released an update, 25.2.4, that fixes these issues by disabling the ViewState and removing any dependency on it. ConnectWise recommends that all users upgrade to this version immediately.

How do I find vulnerable ScreenConnect installations with runZero?

From the Software Inventory, use the following query to locate potentially vulnerable ConnectWise ScreenConnect installations:

vendor:ConnectWise AND product:ScreenConnect AND (version:>0 AND version:<25.2.4)

Previous ScreenConnect vulnerabilities (CVE-2024-1708, CVE-2024-1709)

On February 19, 2024, ConnectWise disclosed two serious vulnerabilities in their ScreenConnect (formerly Control) remote-access product.

The first vulnerability is an authentication bypass vulnerability. Successful exploitation of this vulnerability would allow attackers to execute arbitrary commands with full privileges on the target system. This vulnerability has been assigned a CVSS score of 10, indicating a highly critical vulnerability.

The second issue is a path-traversal vulnerability. Successful exploitation of this vulnerability would allow attackers to access restricted resources on vulnerable systems. The vendor has not disclosed what resources may be accessed when exploiting this vulnerability. This vulnerability has been assigned a CVSS score of 8.4, indicating a high severity.

Note that CVEs are not yet assigned for these vulnerabilities.

Note that there is evidence that these vulnerabilities are being actively exploited in the wild.

What is the impact?

Successful exploitation of these vulnerabilities would allow attackers to execute arbitrary commands with full privileges on the target system, potentially leading to complete system compromise.

Are updates or workarounds available?

ConnectWise has released an update, version 23.9.8, that fixes these issues. ConnectWise recommends that all users upgrade to this version immediately.

How do I find ScreenConnect installations with runZero?

From the Services Inventory, use the following query to locate potentially vulnerable ConnectWise ScreenConnect systems:

vendor:ConnectWise AND (product:Control OR product:ScreenConnect)

Note the check for the former product name (“Control”).

Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.

Ubiquiti disclosed multiple vulnerabilities affecting certain versions of the UniFi Network Application:

• A path traversal vulnerability. Successful exploitation allows a network, unauthenticated adversary to access files on the underlying system that could be manipulated to access an underlying account. The vulnerability has been designated CVE-2026-22557 and has been rated critical with a CVSS score of 10.0.
• A NoSQL injection vulnerability. Successful exploitation allows a network, authenticated adversary to escalate privileges. The vulnerability has been designated CVE-2026-22558 and has been rated high with a CVSS score of 7.7.

The following versions are affected

• UniFi Network Application versions 10.1.85 and earlier
• UniFi Network Application versions 10.2.93 and earlier
• UniFi Network Application versions 9.0.114 and earlier

What is Ubiquiti UniFi Network Application?

What is the impact?

Successful exploitation of the vulnerabilities could allow an adversary to gain unauthorized access to the UniFi Network Application compromising the overall system integrity.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• UniFi Network Application versions 10.1.89 or later
• UniFi Network Application versions 10.2.97 or later.
• UniFi Express firmware to 4.0.13 or later, which updates the UniFi Network Application to version 9.0.118 or later.

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:Ubiquiti AND product:"UniFi Network"

This guidance builds on the earlier publication Foundations for OT Cybersecurity, which focused on helping organizations establish a foundational OT asset inventory — because you can’t secure what you can’t see. The newly released Secure Connectivity Principles for Operational Technology expands on that work by providing system owners with a framework to design, implement, and manage secure connectivity across both new and existing OT environments.

Why secure OT connectivity matters

OT environments differ significantly from traditional IT systems because they directly interact with the physical world. As a result, cyber incidents affecting OT systems can have far more serious consequences than typical IT disruptions. Potential impacts include environmental damage, disruption of essential services, or even risks to human safety.

Historically, many OT environments were air-gapped or heavily segmented from enterprise IT networks. However, modernization, remote management, and increasing integration with IT systems have made OT environments far more connected than they once were. While this connectivity enables greater efficiency and visibility, it also expands the attack surface and increases the risk of compromise.

The new guidance is intended to help organizations navigate this reality by providing practical principles for securing connectivity while still enabling the operational benefits that modern OT environments require.

8 principles for a secure OT environment

Threat actors are consistently, effectively, and intentionally targeting OT systems with the intent to steal, disrupt, or destroy critical infrastructure. As a result, organizations responsible for OT environments should treat this guidance as a desired end-state, even when it is not a regulatory requirement. Given the importance of these systems, the agencies responsible for this guidance believe all OT system owners should expediently operationalize the principles outlined to help secure critical infrastructure against adversarial action.

The Secure Connectivity Principles for Operational Technology guidance outlines eight core principles designed to help organizations reduce risk and strengthen their defensive posture:

1. Balance risks and opportunities
2. Limit the exposure of connectivity
3. Centralize and standardize network connections
4. Use standardized and secure protocols
5. Harden your OT boundary
6. Limit the impact of compromise
7. Ensure all connectivity is logged and monitored
8. Establish an isolation plan

Together, these principles provide a practical roadmap for designing and operating OT networks that are resilient to modern cyber threats while still supporting operational requirements.

What’s next

In the coming weeks, we’ll take a closer look at each of these principles — exploring why they matter, how organizations can implement them in real-world OT environments, and what challenges teams may encounter along the way.

Stay tuned for parts two and three. We’ll unpack these principles and discuss how runZero can help operators gain visibility and control to better protect critical infrastructure.

Cisco disclosed in two advisories that certain versions of Cisco Secure Firewall Management Center (FMC) are affected by the following vulnerabilities:

• The Cisco FMC web interface contains an authentication bypass vulnerability stemming from an improper system process created at boot time. A remote, unauthenticated adversary could exploit this by sending crafted HTTP requests, allowing them to bypass authentication and execute script files or commands to obtain root access to the underlying operating system. The vulnerability has been designated CVE-2026-20079 and has been rated critical with a CVSS score of 10.0.
• The Cisco FMC web-based management interface contains a remote code execution (RCE) vulnerability due to insecure deserialization of a user-supplied Java byte stream. A remote, unauthenticated adversary could exploit this by sending a crafted serialized Java object to the interface, allowing them to execute arbitrary code and elevate privileges to root. Note: Deployments where the management interface lacks public Internet access significantly reduce the associated attack surface. The vulnerability has been designated CVE-2026-20131 and has been rated critical with a CVSS score of 10.0.

There is evidence that CVE-2026-20131 is being actively exploited in the wild.

The following versions of Cisco FMC are affected by one or both vulnerabilities

• Cisco FMC versions prior to 7.0.9
• Cisco FMC versions prior to 7.2.11
• Cisco FMC versions prior to 7.4.4 (CVE-2026-20079) and prior to 7.4.6 (CVE-2026-20131)
• Cisco FMC versions prior to 7.6.4 (CVE-2026-20079) and prior to 7.6.5 (CVE-2026-20131)
• Cisco FMC versions prior to 7.7.12
• Cisco FMC versions prior to 10.0.1 (CVE-2026-20131 only)

What is Cisco Secure Firewall Management Center?

Cisco Secure Firewall Management Center (FMC) is a centralized administrative platform used to configure security policies, manage firmware updates, and aggregate threat telemetry across physical and virtual Cisco security appliances from a single interface.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Cisco FMC 6.4.0.13 through 6.4.0.18 upgrade to version 7.0.9 and later
• Cisco FMC 7.0.x upgrade to version 7.0.9 and later
• Cisco FMC 7.1.x through 7.2.x upgrade to version 7.2.11 and later
• Cisco FMC 7.3.x through 7.4.x upgrade to version 7.4.6 and later
• Cisco FMC 7.6.x upgrade to version 7.6.5 and later
• Cisco FMC 7.7.x upgrade to version 7.7.12 and later
• Cisco FMC 10.0.0 upgrade to version 10.0.1 and later

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

os:="Cisco FMC%" AND os_version:>0 AND
  ((os_version:>="6.4.0.13" AND os_version:<="6.4.0.18") OR
  (os_version:>="7.0.0" AND os_version:<"7.0.9") OR
  (os_version:>="7.1.0" AND os_version:<"7.2.11") OR
  (os_version:>="7.3.0" AND os_version:<"7.4.6") OR
  (os_version:>="7.6.0" AND os_version:<"7.6.5") OR
  (os_version:>="7.7.0" AND os_version:<"7.7.12") OR
  (os_version:="10.0.0"))

A vulnerability found within CraftCMS was published in a recent security advisory.

• A privilege escalation vulnerability exists due to token mishandling.The vulnerability has been designated CVE-2026-32267 and rated high with a CVSS score of 7.7.

The following versions are affected

• CraftCMS versions 4.0.0-RC1 up to 4.17.6 (exclusive)
• CraftCMS versions 5.0.0-RC1 up to 5.9.12 (exclusive)

What is Craft CMS?

CraftCMS is a flexible content management system (CMS) used to build and manage websites.

What is the impact?

Successful exploitation of the vulnerability could allow a low-privilege user (or an unauthenticated user who has been sent a shared URL) to escalate their privileges to admin by abusing a vulnerability found in the user management

Are updates available?

Upgrade affected versions of CraftCMS to the latest patched version.

• CraftCMS 4.x upgrade to version 4.17.6 and later
• CraftCMS 5.x upgrade to version 5.9.12 and later

How do I find potentially vulnerable instances with runZero?

From the Software Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:=CraftCMS AND product:="Craft CMS"

April 2025: CVE-2025-32432 and CVE-2024-58136

Two zero-day vulnerabilities impacting Craft CMS are being actively exploited by chaining the vulnerabilities together to compromise the affected systems.

• CVE-2025-32432 is rated critical with a CVSSv3 base score of 10.0.
• CVE-2024-58136 is rated critical with a CVSSv3 base score of 9.0. This vulnerability is found within the Yii framework, which is used by Craft CMS.

What is the impact?

Successful exploitation of the vulnerability could allow a low-privilege user (or an unauthenticated user who has been sent a shared URL) to escalate their privileges to admin by abusing a vulnerability found in the user management 

Are updates available?

Although the Yii framework update is not included in the latest Craft CMS patch, the primary vulnerability was patched within 3.9.15, 4.14.15, and 5.6.17. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.

How do I find potentially vulnerable instances with runZero?

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")

February 2025: CVE-2025-23209

In late January, CraftCMS published a security advisory for a code injection vulnerability that can lead to remote code execution. On February 20, 2025 CISA added CVE-2025-23209 to the known exploited vulnerabilities catalog (KEV).

What is the impact?

Successful exploitation of the vulnerability requires that a remote attacker already has control of the installation's security key. In this case, the attacker can then inject code using an specially crafted backup directory variable provided by the user.

The affected versions include:

• Versions greater than or equal to 5.0.0-RC1 through 5.5.5 (exclusive)

• Versions greater than or equal to 4.0.0-RC1 through 4.13.8 (exclusive)

Are updates available?

The vulnerability was patched in 5.5.8 and 4.13.8. Users are strongly encouraged to update their installation as soon as possible. In addition to applying a patch, users might want to rotate their security keys as a safety precaution. Additionally, a best practices write-up is available online with steps on how to harden the security of the installation.

How do I find potentially vulnerable instances with runZero?

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND (has:http.head.xPoweredBy AND http.head.xPoweredBy:="Craft CMS")

Adiel Sol reported a GNU Inetutils telnetd buffer overflow vulnerability within its handling of the LINEMODE suboption SLC (Set Local Characters). This flaw occurs during option negotiation, before a login prompt is even presented. A remote, unauthenticated adversary can achieve pre-authentication remote code execution (RCE) by sending a specially crafted SLC suboption containing an excessive number of triplets. Because the telnetd service frequently runs with root privileges, exploitation can lead to a full system compromise. No CVE has been assigned to this vulnerability at this time (March 13, 2026).

Update: The vulnerability has been designated CVE-2026-32746 and has been rated critical with a CVSS score of 9.8.

The following versions are affected:

• GNU Inetutils telnetd all versions up to and including 2.7

What is GNU Inetutils telnetd?

GNU Inetutils (inet-utils) is a collection of common network programs and servers, most frequently deployed on Linux-based systems. The GNU Inetutils telnetd daemon provides a server for the Telnet protocol. While Telnet is a legacy remote-access protocol that has been largely supplanted by SSH, it remains widely used in low-power and legacy environments.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

A patched version of telnetd has not yet been released. It is strongly recommended to disable the telnetd service on all potentially vulnerable systems.

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:=telnet AND protocol:=telnet AND os:Linux AND banner:="%login:"
  AND NOT (type:device OR type:"ip camera" OR type:"ip phone" OR banner:busybox)

This query is focused on Linux devices utilizing GNU telnetd. However, please note that results may include other Linux-hosted Telnet services that are not necessarily vulnerable to this specific flaw.

January 2026: CVE-2026-24061

Simon Josefsson has reported a vulnerability in the the GNU inet-utils telnetd server. GNU inet-utils (InetUtils) is a collection of Internet-related servers and utilities. It is most commonly deployed on Linux systems.

GNU telnetd contains an authentication bypass vulnerability in its handling of user-supplied environment variables. A specially crafted $USER environment variable can bypass authentication and allow a remote, unauthenticated attacker to access a vulnerable system with the privileges of any known user, including root.

This vulnerability has been assigned CVE-2026-24061 and has a CVSS score of 9.8 (extremely critical).

The following versions are affected

• GNU inet-utils telnetd versions 1.9.3 and higher

What is telnetd?

GNU inet-utils telnetd provides a server for the standard Telnet protocol. Telnet is a legacy remote-access protocol similar that has been largely supplanted by SSH and other, more secure, protocols. However, Telnet is still widely used in low-power or legacy devices.

What is the impact?

Successful exploitation of this vulnerability would allow an adversary to bypass authentication on a vulnerable host.

Are updates or workarounds available?

There is currently no patched version available. Users are advised to disable telnet access if possible, and to ensure proper network access controls are in place.

How to find potentially vulnerable systems with runZero

From the Asset inventory, use the following query to locate potentially vulnerable assets:

_asset.protocol:=telnet AND protocol:=telnet AND os:Linux AND banner:="%login:" AND NOT banner:busybox

Note that this query will locate many Telnet services running on Linux hosts; GNU inet-utils telnetd is one of the most common Telnet servers deployed on Linux systems, but this query may discover other Telnet servers as well.

Veeam Software disclosed in two advisories that multiple vulnerabilities have been identified in Veeam Backup & Replication which could allow for remote code execution (RCE), privilege escalation, and credential theft.

Version 12.3.x Vulnerabilities

• CVE-2026-21666 & CVE-2026-21667: Allows a remote, low-privileged authenticated domain user to perform RCE on the Backup Server. The vulnerabilities designated CVE-2026-21666 and CVE-2026-21667 have been rated critical with a CVSS score of 9.9.
• CVE-2026-21668: Allows a remote, low-privileged authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. This vulnerability has been designated CVE-2026-21668 and has been rated high with a CVSS score of 8.8.

Version 13.0.x Vulnerabilities

• CVE-2026-21669: Allows a remote, low-privileged authenticated domain user to perform RCE on Windows-based Backup Servers. This vulnerability has been designated CVE-2026-21669 and has been rated critical with a CVSS score of 9.9.
• CVE-2026-21670: Allows a remote, low-privileged user to extract saved SSH credentials from Windows-based servers or the Veeam Software Appliance. This vulnerability has been designated CVE-2026-21670 and has been rated high with a CVSS score of 7.7.
• CVE-2026-21671: Allows a remote, high-privileged user with the "Backup Administrator" role to perform RCE in high availability (HA) deployments. This vulnerability has been designated CVE-2026-21671 and has been rated critical with a CVSS score of 9.1.

Vulnerabilities Affecting Both 12.3.x and 13.0.x

• CVE-2026-21672: A vulnerability allowing local privilege escalation on Windows-based Backup Servers. This vulnerability has been designated CVE-2026-21672 and has been rated high with a CVSS score of 8.8.
• CVE-2026-21708: Allows a remote, low-privileged user with the "Backup Viewer" role to perform RCE as the postgres user. This vulnerability has been designated CVE-2026-21708 and has been rated critical with a CVSS score of 9.9.

The following versions are affected:

• Veeam Backup & Replication versions 12.3.x prior to 12.3.2.4465
• Veeam Backup & Replication versions 13.0.x prior to 13.0.1.2067

What is Veeam Backup & Replication?

Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Veeam Backup & Replication versions 12.3.x upgrade to version 12.3.2.4465 or later
• Veeam Backup & Replication versions 13.0.x upgrade to version 13.0.1.2067 or later

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Veeam AND (product:="Backup & Replication" OR product:="Veeam Backup & Replication")

November 2025: CVE-2025-48983, and CVE-2025-48984

Veeam Software has disclosed two remote code execution (RCE) vulnerabilities affecting certain versions of Veeam Backup & Replication. These flaws in different software components allow a remote, low-privileged adversary (authenticated domain user) to execute arbitrary code.

• The first method is via a vulnerability in the Mount service on domain-joined backup infrastructure servers. This vulnerability has been designated CVE-2025-48983 and has been rated critical with a CVSS score of 9.9.
• The second method is via a vulnerability in domain-joined backup servers. This vulnerability has been designated CVE-2025-48984 and has been rated critical with a CVSS score of 9.9.

The following versions are affected:

• Veeam Backup & Replication versions 12.x prior to 12.3.2.4165

What is Veeam Backup & Replication?

Veeam Backup & Replication is data protection software that supports image-level backup, recovery, and replication for virtual, physical, and cloud machines.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Veeam Backup & Replication versions 12.x upgrade to version 12.3.2.4165 or later

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Veeam AND product:="Veeam Backup & Replication" AND (version:>0 AND version:>=12 AND version:<12.3.2.4165)

Currently, runZero prebuilt integrations can identify these findings.

December 2024:

Veeam has disclosed two vulnerabilities found internally within their Veeam Service Provider Console (VSPC).

• CVE-2024-42448 is rated Critical with a CVSS score of 9.9, which potentially allows remote code execution.
• CVE-2024-42449 is rated High with a CVSS score of 7.1, which potentially leaks the NTLM hash of a service account and allows for the deletion of files on the server.

What is the impact?

Although there an no known exploitations of the vulnerabilities in the wild, CVE-2024-42448 could allow remote code execution by an attacker on the server. An attacker would need to launch their attack from an authorized VSPC management agent server in order to exploit either of the disclosed vulnerabilities.

Are updates or workarounds available?

No mitigations are available for the disclosed vulnerabilities. Instead, the vendor is strongly encouraging customers to "update to the latest cumulative patch".

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

has:"html.title" html.title:"Veeam Service Provider Console"

December 2022

Veeam published information on two vulnerabilities in the Veeam Backup & Replication product, originally reported by Nikita Petrov of Positive Technologies.

As of December 16th, CISA had announced the addition of two critical vulnerabilities (tracked as CVE-2022-26500 and CVE-2022-26501) to the KEV catalog. These CVEs were actively being exploited, putting systems at risk. It was critical that these systems were updated to patch these vulnerabilities as soon as possible.

Which versions were affected?

These vulnerabilities affected Backup & Replication versions 9.5, 10, and 11, allowing for exploitation by attackers to achieve unauthenticated remote code execution via the Veeam Distribution Service API. Details on the vulnerabilities (identified as CVE-2022-26500 and CVE-2022-26501) were not published at the time of writing, though Veeam had assigned a "critical" CVSS score of 9.8.

Were updates made available?

Patched releases of Veeam Backup & Replication were made available (see the "Solution" section). Guidance from Veeam was for administrators to update to these newer versions as soon as possible. If near-term updating was not possible, Veeam offered a temporary mitigation strategy via stopping-and-disabling the Veeam Distribution Service (see the "Solution->Notes" section).

How runZero users found potentially vulnerable Veeam instances

We added the default port (9380) for the Veeam Distribution Service API to our runZero Explorer and Scanner. If you were using Explorer or Scanner v2.11.5 or later, you just needed to ensure you had performed a recent scan of your assets prior to running the query below. If you were using an older Explorer or Scanner, users simply added port 9380 to the "Included TCP ports" (under the Advanced tab) and then ran a scan to gather the necessary data.

From the Asset Inventory, users ran the following pre-built query to locate Veeam Distribution Service instances within their network that could have potentially ran vulnerable versions of Veeam Backup & Replication:

tcp_port:9380

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Cisco disclosed certain versions of Cisco Catalyst SD-WAN Controller (formerly vSmart) and Cisco Catalyst SD-WAN Manager (formerly vManage) contain a vulnerability in the peering authentication mechanism. A remote, unauthenticated adversary could exploit this by sending crafted requests to an affected system to bypass authentication and obtain administrative privileges. By leveraging an internal, high-privileged, non-root user account, the adversary could access NETCONF, enabling them to manipulate the network configuration for the entire SD-WAN fabric. The vulnerability has been designated CVE-2026-20127 and has been rated critical with a CVSS score of 10.0.

There is evidence that this vulnerability is being actively exploited in the wild.

On March 11, 2026, CISA published V1: ED 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems. This version supersedes the actions outlined in the original February 25 directive, introducing updated remediation steps and new reporting requirements for affected organizations.

The following deployment environments are affected

• On-Premise deployments
• Cisco Hosted SD-WAN Cloud (Standard, Cisco Managed, and FedRAMP)

The following versions are affected

• Catalyst SD-WAN releases prior to 20.9
• Catalyst SD-WAN release 20.9 versions prior to 20.9.8.2
• Catalyst SD-WAN release 20.11 versions prior to 20.12.6.1
• Catalyst SD-WAN release 20.12.5 versions prior to 20.12.5.3
• Catalyst SD-WAN release 20.12.6 versions prior to 20.12.6.1
• Catalyst SD-WAN release 20.13 versions prior to 20.15.4.2
• Catalyst SD-WAN release 20.14 versions prior to 20.15.4.2
• Catalyst SD-WAN release 20.15 versions prior to 20.15.4.2
• Catalyst SD-WAN release 20.16 versions prior to 20.18.2.1
• Catalyst SD-WAN release 20.18 versions prior to 20.18.2.1

What is Cisco Catalyst SD-WAN Controller and Manager?

The Cisco Catalyst SD-WAN Controller serves as the centralized control-plane element, utilizing the Overlay Management Protocol (OMP) to manage routing intelligence, distribute security keys, and enforce network-wide policies. In contrast, the Cisco Catalyst SD-WAN Manager acts as the centralized management system, providing the graphical interface necessary for the configuration, monitoring, and orchestration of all devices within the fabric.

What is the impact?

Successful exploitation of the vulnerability would allow an adversary to obtain administrative privileges manipulate the network configuration for the entire SD-WAN fabric.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Catalyst SD-WAN releases prior to 20.9 migrate to a fixed release
• Catalyst SD-WAN release 20.9 upgrade to version 20.9.8.2 and later
• Catalyst SD-WAN release 20.11 upgrade to version 20.12.6.1 and later
• Catalyst SD-WAN release 20.12.5 upgrade to version 20.12.5.3 and later
• Catalyst SD-WAN release 20.12.6 upgrade to version 20.12.6.1 and later
• Catalyst SD-WAN release 20.13 upgrade to version 20.15.4.2 and later
• Catalyst SD-WAN release 20.14 upgrade to version 20.15.4.2 and later
• Catalyst SD-WAN release 20.14 upgrade to version 20.15.4.2 and later
• Catalyst SD-WAN release 20.16 upgrade to version 20.18.2.1 and later
• Catalyst SD-WAN release 20.18 upgrade to version 20.18.2.1 and later

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Cisco vManage" OR os:="Cisco Viptela OS"

Note: The query locates Cisco Catalyst SD-WAN Manager installations.

HPE disclosed multiple vulnerabilities in specific versions of AOS-CX software:

• An authentication bypass in the web-based management interface allows unauthenticated admin password reset. Successful exploitation could allow a remote, unauthenticated adversary to circumvent existing authentication controls and, in some instances, reset the administrator password. The vulnerability has been designated CVE-2026-23813 and has been rated critical with a CVSS score of 9.8.
• An authenticated command injection vulnerability exists due to improper validation of parameters to a certain AOS-CX CLI command. Successful exploitation could allow a remote, low-privilege adversary to inject malicious commands resulting in unwanted behavior. The vulnerability has been designated CVE-2026-23814 and has been rated high with a CVSS score of 8.8.
• An authenticated command injection vulnerability exists in a custom binary used in AOS-CX CLI for an administrative command. Successful exploitation could allow a remote, high-privilege adversary to perform command injection and execute unauthorized commands. The vulnerability has been designated CVE-2026-23815 and has been rated high with a CVSS score of 7.2.
• An authenticated OS command injection vulnerability exists in an administrative AOS-CX CLI command. Successful exploitation could allow a remote, high-privilege adversary to execute arbitrary commands directly on the underlying operating system. The vulnerability has been designated CVE-2026-23816 and has been rated high with a CVSS score of 7.2.
• An unauthenticated open redirect vulnerability exists in the web-based management interface. Successful exploitation could allow a remote, unauthenticated adversary to redirect users to arbitrary, potentially malicious URLs. The vulnerability has been designated CVE-2026-23817 and has been rated medium with a CVSS score of 6.5.

The following versions are affected

• AOS-CX 10.10.xxxx versions prior to 10.10.1180
• AOS-CX 10.13.xxxx versions prior to 10.13.1161
• AOS-CX 10.16.xxxx versions prior to 10.16.1030
• AOS-CX 10.17.xxxx versions prior to 10.17.1001

What is HPE Aruba Networking AOS-CX?

HPE Aruba Networking AOS-CX is a network operating system built on a modular Linux architecture that utilizes a state-database design and REST APIs to enable automated configuration and embedded system-level visibility.

What is the impact?

Successful exploitation of the vulnerabilities allows an adversary to bypass authentication controls and potentially execute arbitrary commands on the underlying operating system of the vulnerable device.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• AOS-CX 10.10.xxxx upgrade to version 10.10.1180 and later
• AOS-CX 10.13.xxxx upgrade to version 10.13.1161 and later
• AOS-CX 10.16.xxxx upgrade to version 10.16.1030 and later
• AOS-CX 10.17.xxxx upgrade to version 10.17.1001 and later

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="HPE Aruba CX%" AND protocol:http

Gogs has disclosed that certain versions are affected by a cross-repository Large File Storage (LFS) object overwrite vulnerability due to missing content hash verification. Git LFS is an open-source extension designed to manage large files, such as audio samples, videos, and datasets, more efficiently within Git repositories. Because Gogs stores all LFS objects in a single location without repository isolation, this flaw could allow a remote, unauthenticated adversary to overwrite existing objects. The vulnerability has been designated CVE-2026-25921 and has been rated critical with a CVSS score of 9.3.

The following versions are affected

• Gogs versions prior to 0.14.2

What is Gogs?

Gogs is an open-source, self-hosted Git repository management system written in Go that provides a web-based interface for version control with minimal hardware resource requirements.

What is the impact?

Successful exploitation of the vulnerability enables an adversary to overwrite legitimate LFS objects with malicious content. This introduces a significant risk of a supply-chain attack; because the Gogs web interface does not present integrity warnings, users may unknowingly download and utilize compromised assets.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Gogs upgrade to version 0.14.2 or later

How to find potentially vulnerable systems with runZero

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Gogs AND product:=Gogs

December 2025: CVE-2025-8110

Security researchers at Wiz have reported a 0-day vulnerability in Gogs. This flaw allows remote, authenticated attackers to overwrite arbitrary files on the vulnerable system. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system with the privileges of the Gogs server process.

This vulnerability has been assigned CVE-2025-8110 and has a CVSS score of 7.8.

Note that there is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected

• Gogs versions 0.13.3 and prior

What is Gogs?

Gogs is a self-hosted Git software forge, allowing users to collaborate on development using Git repositories.

What is the impact?

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are updates or workarounds available?

There is currently no patched fixed version of Gogs available. Users are encouraged to disable auto-registration of users and avoid Internet exposure for any Gogs installations.

How to find potentially vulnerable systems with runZero

From the Service inventory, use the following query to locate potentially vulnerable assets:

_asset.protocol:=http AND protocol:=http AND favicon.ico.image.md5:=5f5b7539f014b9996959f5dcd063d383

Well, we’ve gone and made it even easier with a new Findings tab, right in the console. Down with typey-typing, and up with clicky-clicking! 

Check it out:

For those who missed the earlier posts, BOD 26-02 is CISA’s two-year program requiring federal civilian agencies to identify and address unsupported edge devices like firewalls, VPNs, routers, proxies, etc. The clock started ticking on February 5th which means the first milestone of having a mechanism in place to identify all edge devices (supported and unsupported) in production begins on May 5, 2026.

One wrinkle worth noting is that unlike BOD 22-01 and the KEV, CISA decided to keep their official EOL edge device list private. This Finding maps directly to the query we shared last time, surfacing devices in “EOL Extended” state that are exposed to the public internet and aren’t normal servers, desktops, or laptops.

With this update — free to all customers, even the free-trial folks — runZero users can enjoy a consistent, obvious way to track against what CISA (and we) believe are some of the most critically exposed assets on your network. Going forward, we’ll continue to make things easy and clear for you with this Findings tab as we integrate more fingerprints and profiles of commonly-attacked endpoints, so you can get down to the business of upgrading, retiring, or segmenting off these attractive-to-attackers assets.

Nginx UI disclosed that certain versions of Nginx UI are affected by a vulnerability that allows for unauthenticated backup data downloads and the disclosure of associated encryption keys. This flaw stems from missing authentication on the /api/backup endpoint. Additionally, the AES-256 encryption key and IV (Initialization Vector) required to decrypt the backup are transmitted in plaintext within the X-Backup-Security response header. The vulnerability has been designated CVE-2026-27944 and has been rated critical with a CVSS score of 9.8.

The following versions are affected

• Nginx UI all versions prior to 2.3.3

What is Nginx UI?

Nginx UI is a web-based graphical interface used to manage Nginx server configurations, SSL certificates, and system logs without manual command-line editing.

What is the impact?

Successful exploitation of the vulnerability enables a remote, unauthenticated adversary to download and decrypt a full system backup containing sensitive information, such as user credentials, session tokens, SSL private keys, and Nginx configurations.

Are updates or workarounds available?

Users are encouraged to update to the latest version as quickly as possible:

• Nginx UI upgrade to version 2.3.3 and later

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:=http AND protocol:=http AND favicon.ico.image.mmh3:="-1565173320"

Juniper Networks disclosed certain versions of Junos OS Evolved on PTX series routers contain a vulnerability in the On-Box Anomaly Detection framework. A remote, unauthenticated adversary could exploit this by sending crafted requests to an affected system to bypass authentication and execute code with root access. The vulnerability has been designated CVE-2026-21902 and has been rated critical with a CVSS score of 9.8.

The following versions are affected

• Junos OS Evolved on PTX Series versions 25.4 through 25.4R1-S1-EVO
• Junos OS Evolved on PTX Series versions prior to 25.4R2-EVO

What is Junos OS Evolved?

Junos OS Evolved is a next generation network operating system made by Juniper Networks that power many of their high-end routing and data center platforms.

What is the impact?

Successful exploitation of the vulnerability could allow an adversary the ability to remotely execute code as the root user. This would allow them to take complete control of the device.

Are updates or workarounds available?

Administrators are encouraged to update to the latest version as soon as possible. Additionally, administrators can disable the affected service on vulnerable devices using the following:

request pfe anomalies disable

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate potentially impacted assets:

os:="Juniper Junos OS Evolved" AND   
  ((os_version:>="25.4R1-EVO" AND os_version:<"25.4R1-S1-EVO") OR   
  (os_version:>"25.4R1-S1-EVO" AND os_version:<"25.4R2-EVO"))

Note: The query locates all potentially vulnerable Junos OS Evolved installations. However, it does not specifically identify PTX Series routers.

Attackers exploit edge device zero-days, abuse forgotten cellular backup links, and pivot through multi-homed systems that quietly route around every control you've deployed. The tools most teams rely on, including passive monitoring, vulnerability scanners, and OEM software, consistently miss the exposure paths that matter most.

In his presentation, Segmentation Theater, HD breaks down how to address these gaps. Below, we’ve highlighted several key failure modes and what you can do about them. 

The thing protecting your OT environment is also the thing attackers walk through first

Firewalls are the load-bearing wall of OT segmentation. They show up at every Purdue level, and they work…right up until they don't. Mandiant looked back at a full year of OT incident response and found that roughly 30% of those incidents started with initial access through a perimeter security device. Palo Alto, Ivanti, Fortinet, the products we've spent years deploying to protect these environments, were the top three compromised entry points. The attackers aren't looking for some exotic OT-specific exploit. They're using a Fortinet zero-day and walking right in.

The structural problem here is that when you deploy a single firewall vendor from your enterprise zone all the way down to Level 2, you haven't built defense in depth, you've built a single control that spans everything. An authentication bypass at the top collapses the whole stack. Layering vendors helps, but it doesn't solve the underlying issue, which is that firewalls have become both the most critical and the most attacked component in OT networks simultaneously. They need to be treated like assets you actively monitor, not infrastructure you set and forget.

Your devices are routing between zones you're trying to keep separate

A device that has two network connections, a wired OT segment and guest Wi-Fi for example, can route traffic between them without a single packet ever touching your firewall. No alert. No log entry. Just quiet, invisible bridging.

We did research on how many devices have IP forwarding enabled by default and the honest answer is: most of them, including printers, smart TVs, and ESP32-based IoT hardware. We had a harder time finding devices that didn't have it on than ones that did. The situation gets worse when developers install tools like Docker on workstations that sit on OT-adjacent segments. Docker enables IP forwarding across all interfaces as a side effect of its virtual networking. The developer doesn't know they've just turned their workstation into a multi-interface router. Nobody told them that was a firewall configuration problem they now own.

At scale, these unintended connections compound fast. In a network of 30 devices the path graph is already messy. In an enterprise with thousands of employees and dozens of OT sites, you've effectively got one big hairball where any point can reach any other in a hop or two.

The least-secure thing on your network is often the thing managing everything else

Serial console servers, KVM-over-IP switches, and IPMI interfaces are everywhere in OT environments. They exist because you need a way to get remote access to hardware that can't otherwise be managed remotely. They're also consistently the worst-secured devices in the building. Across MOXA, Digi, Pi KVM, SuperMicro IPMI, runZero has found unauthenticated session access, insecure proprietary protocols, and hardcoded credentials. These are consumer-grade bugs sitting directly in front of hardened industrial equipment.

SuperMicro IPMI is a good example of how slowly this problem moves. California passed a law requiring device manufacturers to ship with unique passwords instead of hardcoded defaults. SuperMicro now ships with a password derived from your device serial number. Progress. They also still ship with IPMI and RAKP enabled by default, which is enough for an attacker to dump and crack credentials remotely without any exploitation at all. The attacker doesn't need to go after your hardened server. They go after the KVM attached to its serial port, and they're in.

IPv6 is already on your network & you're probably not watching it

A quick count on a modern laptop turns up 28 active network interfaces, the majority of them IPv6. This is normal. What's not normal is that most teams are only writing firewall rules for IPv4. A device with solid IPv4 filtering and no equivalent IPv6 rules may be exposing databases, fileshares, and credential stores to anyone on the same subnet through its IPv6 address, an address nobody is scanning for, and that doesn't show up in any normal monitoring.

Recently, a customer using runZero was flagged for having a device with a public IP. The customer looked at it and said, that's impossible and that they knew every public IP on this network. It was a packet capture server which was supposed to be completely internal. It had a global IPv6 address assigned by the upstream ISP router that nobody had ever noticed. The device was globally reachable in a way the customer had no visibility into whatsoever. This is not an unusual story. Shodan has indexed over 200 million IPv6 addresses, partly by running NTP servers that quietly log the source address of anything that syncs to them. Your OT devices might already be in there.

So what can you do? It goes beyond monitoring

Passive monitoring alone won't catch any of this. Span port captures don't see traffic that bypasses your choke points. They don't find multi-homed devices. They don't surface link-local IPv6 paths. Vulnerability scanners will tell you whether your firmware is out of date but they won't tell you whether your network is bridged in ways it shouldn't be.

This is the problem runZero was built to solve. We use safe, active scanning designed specifically for fragile OT environments to query devices and have them report back everything: all interfaces, all IP addresses, IPv4 and IPv6, secondary NICs, VPN adapters, cellular connections. We cross-reference internal fingerprints against our internet-wide scan data so you can find out if something internal is externally reachable without having to start from the internet side. We find the bridges, the unexpected management interfaces, the IPv6 exposure, the out-of-band hardware that's been forgotten in a rack somewhere.

The point isn't that these problems are unfixable. It's that you can't fix what you can't see. The first step is knowing what's actually on your network, not the diagram version, the real one.

Book a demo to see how runZero can help in your environment, or begin your free trial here.

Working solely with Enterprise customers at runZero, the topic of “how can we effectively and accurately discover all the assets in our attack surface” comes up quite frequently. At this scale, security teams must balance availability, segmentation, and performance while defending against increasingly sophisticated threats. Asset visibility, continuous discovery, and attack surface monitoring become even more pertinent the larger the environment is.

In this guide, we’ll walk through how to optimize runZero for large-scale deployments using a hypothetical retail enterprise example.

Ex. scenario: global retail enterprise with six hour scan window

Let’s discuss a hypothetical scenario where runZero is working with a large retail provider called ACME Corp and they want to achieve a six hour scan window for their whole infrastructure. This large retail has different brands they manage each with their own datacenter, stores, distribution centers and corporate offices. To add complexity, these brands use overlapping private IP ranges (e.g., multiple business units using 192.168.10.0/24) because they function as semi-independent entities.

Let’s dive into how runZero offers the flexibility and options to perform effective and accurate discovery of the retail provider’s total attack surface.

Establishing the ground rules: Sites and IP organization

First thing will be setting the foundation of IP address organization, since the brands are using overlapping IP addresses and they are distinct entities, we will leverage the concept of Sites in runZero. Sites allows enterprises to organize their data and each runZero Site is a unique view of the entire IP address space.

While many organizations use Sites to segment by geography, they are equally effective for:

• Business unit separation
• Brand isolation
• Temporary environments
• One-off testing

For ACME Corp, the best practice would be:

• Create one runZero Site per brand
• Upload subnet allocations per Site
• Apply structured tagging for reporting, dashboards, and queries

This approach ensures that overlapping IP ranges do not collide in reporting or discovery results.

Assuming here that runZero Explorers have already been deployed to the network, the next phase is to explore the plethora of configuration options available from runZero to customize the active scans.

runZero provides several key controls that directly influence scan speed and network impact. Adjusting these settings impacts performance in terms of Explorer availability, network traffic load, and scan completion times.

Performance tuning (scan speed)

To ensure scans complete within their scheduled frequency without overwhelming the network, runZero provides several performance tuning options. The most direct way to reduce scan time is to increase the rate at which probes are sent. Increasing the scan speed (specially for IT/IoT environments that don't have fragile devices) and dividing up the scan scope will reduce the time to cover the network scanning.

Scan Speed (Packets Per Second): The default scan rate is 1,000 packets per second. For large, robust networks (e.g., data centers or high-speed corporate LANs), increasing this significantly (e.g., 10,000+ pps) to reduce the completion time. A rate of 1,000 packets per second is standard, while 10,000+ is available for large, fast networks. However, higher speeds increase the load on the network and may cause congestion on slower links.Note: The approximate formula for scan time is `hosts × ports × attempts ÷ scan speed`. Increasing the packet rate directly decreases the duration.

Max Group Size: This setting determines how many IP addresses are scanned simultaneously. Increasing this (default is 4,096) allows for higher concurrency, which is essential for utilizing high packet rates effectively. Reducing this number lowers the concurrency of connections, which helps prevent crashing stateful devices like firewalls and routers that have limited session tables. In enterprise environments with high-capacity infrastructure, raising this value often improves efficiency.

Max Host Rate: This limits the packets sent to a single host per second. While the default is conservative (40 pps) to protect fragile devices, increasing this for known robust segments can marginally speed up the scan of individual assets. This limits the packets sent to a single host per second. Lowering this is critical when scanning fragile IoT or OT environments to prevent device instability.

Scan frequency options

runZero allows users to configure scans to run based on specific temporal requirements:

Scheduled and Recurring Tasks: Scans can be set to run once at a specific future date or on a recurring basis. Recurring options include standard intervals (such as daily, weekly, or monthly) as well as more granular options like "Every N Hours" or specific multiples of minutes...

Continuous Scanning: For organizations requiring near real-time visibility, runZero supports continuous recurring scans. These scans run back-to-back; as soon as one scan completes, the next begins. It is important to note that an Explorer running a continuous scan will not be able to run additional tasks unless its concurrency setting is increased beyond the default of 1.

Impact on performance and resources

Adjusting the frequency and speed of scans directly affects the load on the network and the Explorer.

Important considerations:

• Windows Explorers are limited to a single concurrent scan task due to raw packet driver limitations. If a continuous scan is running, other tasks (such as integrations or on-demand scans) may be queued or blocked.
• Linux/macOS Explorers can perform multiple tasks simultaneously. runZero recommends keeping concurrent tasks between 1 and 4 to manage system resources effectively.

Scheduling Grace Period: To prevent scan failures caused by busy Explorers, users can configure a "scheduling grace period." This defines how long a task will wait for an available Explorer before timing out (e.g., if an Explorer is busy with a previous scan in a high-frequency schedule).

This is critical in high-frequency or distributed scan strategies.

Optimization for large IP spaces

Large CIDRs such as /16 or /8 ranges can significantly increase scan time — especially when sparsely populated. To address this, runZero offers two powerful optimization methods called Prescan Modes:

Subnet Sampling: This feature speeds up discovery by sending a small number of probes to a subnet to determine if it is active before launching a full scan. This significantly reduces the time required to scan large, sparse network ranges (e.g., /16 or /8), allowing for more frequent discovery cycles. Enabling the option "Only scan subnets with active hosts" This runs a pre-scan phase where runZero samples a percentage of a subnet (default 3%). If no assets respond, the subnet is skipped entirely. This dramatically reduces wasted time in unused address space and is essential for scanning massive environments within strict windows.

Host Ping: Enabling "Limit scans to pingable hosts", in this mode, runZero first checks if a host responds to ICMP, TCP, or UDP pings. If it does not respond, the system skips the full deep-dive scan for that specific IP. This drastically reduces time but may miss assets that block pings.

This setting should be evaluated based on security tolerance and network policy.

Enforcing the window

To ensure we are adhering to the six hour window, runZero provides a hard limit configuration.

Scan Duration Limit: A maximum duration (in hours) can be specified for a scan task. If the scan is still running after six hours, runZero will automatically cancel the task. This ensures scan activity never bleeds outside the provided six hour maintenance window.

Distributed scanning (Explorer Groups)

A single Explorer scanning a global enterprise is often a bottleneck.

Explorer Groups: Explorers can be deployed and organized into an "Explorer Group" and when assigned the scan task to a group, the platform distributes the workload among the available Explorers in that group. This allows parallelization of the scanning effort to fit within the six hour window.

For ACME Corp:

• Deploy Explorers per data center or region
• Group them by brand or geography
• Run scans in parallel across Sites

This is often the most impactful method for achieving aggressive scan windows.

Concurrent Scans: If Linux or macOS Explorers are used, they can be configured to run multiple scan tasks simultaneously (Windows Explorers are limited to one concurrent scan). This is helpful to break a large network into multiple smaller sites and schedule them to run at the same time.

Scope management

Exclusions: Some subnets create disproportionate delays and If there are specific subnets known to be slow (e.g., legacy networks) or that contain "tarpits" (firewalls that respond slowly to every probe), adding them to the Excluded hosts list will prevent them from consuming disproportionate amounts of time.

Adding these to the Excluded Hosts list prevents them from consuming excessive time during global scans.

This allows prioritization of high-value segments while isolating problematic areas for separate tuning.

Summary: Checklist for achieving a six hour global scan

As a summary, to meet a strict enterprise-wide window:

✔ Deploy multiple Explorers and use Explorer Groups

✔ Segment environments using Sites

✔ Enable Subnet Sampling for large ranges

✔ Increase scan speed where infrastructure permits

✔ Adjust Max Group Size and Host Rate per segment

✔ Configure a six hour Scan Duration Limit

✔ Exclude known bottlenecks

Final Thoughts

Large global enterprises do not fail at asset discovery due to scale and complexity but because of tool limitations and operational constraints.

runZero’s flexibility in segmentation, distributed scanning, prescan optimization, and performance tuning allows security architects to design discovery programs that are both comprehensive and operationally safe.

When configured strategically, even the most complex retail or global enterprise network can achieve accurate, repeatable asset visibility — within a defined and predictable time window.

Start a free trial or request a demo today to see firsthand how runZero can bring clarity to your most complex environments and turn visibility into your greatest security advantage.

A vulnerability has been disclosed in Roundcube Webmail stable versions from 1.5 prior to 1.5.10, and stable versions 1.6 prior to 1.6.11 that would allow a remote, authenticated attacker to perform remote code execution (RCE) due to deserialization of untrusted data. The _from parameter in a URL is not validated in program/actions/settings/upload.php, resulting in untrusted PHP Object Deserialization. This vulnerability has existed within the product for approximately 10 years.

This vulnerability has been designated CVE-2025-49113 and has a CVSS score of 9.9 (critical).

There is evidence that this vulnerability is being actively exploited in the wild.

What is the impact?

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system, potentially leading to complete system compromise.

Are any updates or workarounds available?

Roundcube has released updates to mitigate this issue. Users are encouraged to update to the latest stable version as quickly as possible.

• For Roundcube Webmail stable version 1.5, update to version 1.5.10 or later.
• For Roundcube Webmail stable version 1.6, update to version 1.6.11 or later.

How do I find Roundcube Webmail installations with runZero?

From the Service Inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND ((has:html.title AND html.title:="RoundCube%") OR (has:favicon.ico.image.md5 AND (favicon.ico.image.md5:="924a68d347c80d0e502157e83812bb23" OR favicon.ico.image.md5:="f1ac749564d5ba793550ec6bdc472e7c" OR favicon.ico.image.md5:="ef9c0362bf20a086bb7c2e8ea346b9f0")))