Normal view

Oracle’s Second Monthly Security Updates Deliver 245 Patches 

17 June 2026 at 11:04

Oracle has released its June 2026 Critical Security Patch Update to fix vulnerabilities in Communications, EBS, Enterprise Manager and other products.

The post Oracle’s Second Monthly Security Updates Deliver 245 Patches  appeared first on SecurityWeek.

Cisco SD-WAN make-me-root bug under attack

15 June 2026 at 23:48
Cisco today issued a fix for a Catalyst SD-WAN Manager bug that attackers have already spotted and exploited to get root privileges, according to both the networking vendor and the feds. The vulnerability, tracked as CVE-2026-20262, is in the web UI of Cisco Catalyst SD-WAN Manager, and exists because the software is not properly validating user-supplied input during a file upload process. “An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected API endpoint of the affected system,” the vendor warned in a Monday security advisory. “A successful exploit could allow the attacker to create or overwrite any file on the underlying operating system. This file could later be used to elevate to root.” There is one caveat: to exploit this bug, the attacker must have valid credentials with at least a lower-privileged, single-task user account. That probably explains the medium-severity, 6.8 CVSS rating for this bug. Still, valid credentials aren’t hard to come by these days, and considering this CVE is already under attack, we know someone had some success. “In June 2026, the Cisco PSIRT became aware of limited exploitation of this vulnerability,” the security alert said. “Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.” The flaw affects all deployment types, regardless of device configuration. There are no workarounds, but upgrading to a fixed software version will patch the flaw. Also on Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20262 to its Known Exploited Vulnerabilities catalog, citing “evidence of active exploitation.” America’s lead cyber-defense agency also set a two-week deadline for all federal agencies to apply the patch. This latest Cisco SD-WAN bug under attack comes less than two weeks after Switchzilla warned that a high-severity vulnerability in Catalyst SD-WAN Manager vulnerability (CVE-2026-20245) was under active exploitation. At the time of disclosure, this SD-WAN vuln did not have a fix. Cisco issued an advisory for that zero-day on June 4, and finally released patches for all affected versions on June 12. This is the eighth Cisco SD-WAN bug to be listed in CISA’s Known Exploited Vulnerabilities catalog so far this year.®

Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9

10 June 2026 at 13:04
It's patch time for Ivanti customers again after the security shop disclosed another two critical vulnerabilities in one of its products. Both bugs affect Ivanti Sentry, a mobile gateway that forms part of its broader unified endpoint management platform. The first and worst of the two is CVE-2026-10520 (10.0), a max-severity vulnerability that allows a remote, unauthenticated attacker to execute code with root privileges. Flaws that allow root-level code execution without authentication are about as bad as vulnerabilities get, which explains the perfect-10 rating. The only saving grace is that, by the vendor's reckoning, no one has successfully exploited it in the wild… yet. Public disclosures tend to start a figurative countdown timer when it comes to attackers exploiting bugs, and although Ivanti gave little away about CVE-2026-10520 in its advisory, other researchers have already published breakdowns of the patch, offering clues as to how unpatched systems could still be attacked. According to watchTowr, the vulnerability stemmed from an exposed API running under Apache Tomcat. An attacker could feed the API a specially crafted message, which is parsed as a MICS configuration command and executed by the backend handler with root privileges. It looks like Ivanti fixed this by preventing this attacker-supplied string from being accepted, replacing it with a single, hard-coded command. It also updated the Apache configuration rules to block unauthenticated access to the affected endpoint. The second critical Ivanti Sentry vulnerability is tracked as CVE-2026-10523, and is scarcely less serious, carrying a near-maximum 9.9 CVSS. The authentication bypass bug allows remote, unauthenticated attackers to create admin accounts, granting themselves top privileges on an affected system. Customers are advised to address both security flaws immediately. They can upgrade to versions 10.5.2, 10.6.2, or 10.7.1. Ivanti's disclosure this week comes after it fixed two separate critical vulnerabilities affecting its Endpoint Manager Mobile (EPMM) in January. The bugs were both handed 9.8 CVSS scores and were exploited as zero-days. Even the Dutch data protection authority reported itself to parliament after attackers breached it as part of the pre-patch exploits. ®

AI is making Patch Tuesday (kinda) fun again

10 June 2026 at 00:49
Microsoft set a record with its June Patch Tuesday release, addressing 206 CVEs across its products and shipping fixes for them, with 38 deemed critical and the rest important. Three are listed as publicly known, but none (so far) have been exploited in the wild. We have no idea how many of these June bugs were uncovered using AI tools. Unlike last month’s patching event, when Redmond disclosed its agentic bug-hunting system found 16 of the 137 vulnerabilities, there’s no word on any AI assists for new releases. Still, it’s safe to assume AI played a major role. As Tom Gallagher, VP of engineering at Microsoft Security Response Center, said about May's Patch Tuesday with a whopping 30 critical flaws: “We expect releases to continue trending larger for some time.” June’s Patch Tuesday proved Gallagher correct, surpassing May in both overall volume and critical bugs. “I’ve been counting CVEs on Patch Tuesday since 2017, and this is by far the largest monthly release in that time,” Zero Day Initiative’s bug hunter in chief Dustin Childs said in his review. “It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns,” he added, asking, as we did: How many were found via AI? And: “How many patches were generated using AI to assist in coding or testing? What quality issues may exist in these patches? And likely most importantly, is this the new normal?” Childs noted that May and April also saw mega releases. “Should sysadmins adjust their processes for prioritization and patch deployment based on this new volume of updates? Unfortunately, Microsoft is not providing those answers right now,” he wrote, adding in this fun fact: “The current number of CVEs shipped by Microsoft this year exceeds the total number of CVEs shipped in all of 2018.” Wowza. While it’s fun to watch from a purely speculative standpoint, as in: "Will Microsoft top 300 next month?", our thoughts and prayers are nonetheless with sysadmins and vulnerability management teams drowning in the AI-induced vulnpocalypse by now. None of the Patch Tuesday security holes are listed as under attack – at least not yet – but three are listed as publicly known. Let’s take a look at those first. Three known vulnerabilities CVE-2026-49160 is an HTTP.sys denial of service vulnerability that we wrote about earlier this month. Calif researcher Quang Luong discovered the attack with an assist from OpenAI's Codex agent, named it HTTP/2 Bomb, and said it exploits the HTTP/2 header compression algorithm by sending thousands of tiny messages to the server, forcing it to rapidly allocate memory and ultimately crash. At the time, a Microsoft spokesperson told The Register that Redmond was “aware and actively investigating appropriate mitigations.” On Tuesday, the tech giant fixed the security issue by introducing a new MaxHeadersCount registry setting, which allows users to limit the number of headers included in HTTP/2 and HTTP/3 requests, and should prevent denial-of-service attacks. CVE-2026-50507, a security feature bypass bug in Windows BitLocker, is the second CVE listed as publicly disclosed, and “exploitation more likely.” An attacker with physical access to the vulnerable system could bypass the BitLocker Device Encryption feature and gain access to the device's encrypted data, according to the advisory. This flaw also seems to be a patch for one of the zero-days dropped in the ongoing war between Microsoft and a disgruntled bug hunter known as Nightmare Eclipse - likely the YellowKey vulnerability disclosed in May. Nightmare has published details about and in some cases, full proof-of-concept exploit code for six zero-days, and promised a “bone shattering” release on June 14. The third publicly known bug, CVE-2026-45586, is a Windows Collaborative Translation Framework (CTFMON) elevation of privilege vulnerability that can be abused by an authorized attacker to elevate privileges locally and gain SYSTEM access. From there, miscreants could deploy malware, steal data, and move laterally through the victim's environment - so patch this one sooner. Plus these two (of 38) critical bugs In addition to those three known vulnerabilities that made the rounds before Microsoft issued a patch, a couple of critical-rated 9.8 security flaws are worth highlighting this month. The first, CVE-2026-45657, is a Windows kernel remote code execution (RCE) bug that allows remote, unauthenticated attackers to run code with system-level privileges without any user interaction. It’s due to an error in how the Windows kernel processes some TCP/IP data, and can be exploited by sending malicious network packets to a vulnerable Windows system, thus triggering the flaw. While it’s listed as “exploitation less likely” by Redmond, we like Childs’ response. “Rest assured that every researcher and bug shop on the planet is reversing this patch right now trying to create an exploit,” he said. “Test and deploy this patch quickly.” CVE-2026-47291, an HTTP.sys RCE vulnerability that also earned a 9.8 CVSS rating, deserves attention as it can also be triggered with zero user interaction and Microsoft says it’s “more likely” to be exploited. “This vulnerability creates severe business risk because HTTP.sys is used by Windows services that process HTTP traffic,” Alex Vovk, CEO and co-founder of patch-management vendor Action1, told The Register. “A successful attack could lead to server takeover, malware deployment, data theft, service disruption, and lateral movement across the environment. Internet-facing systems are especially exposed.” The good news: systems using the Windows HTTP stack’s default MaxRequestBytes registry value are not affected. In the advisory, Redmond provides detailed instructions on how to edit registry settings, which can buy admins some time (and security) while deploying the patch. ®

Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits

14 May 2026 at 01:27
The vulnpocalypse has begun. Palo Alto Networks usually finds five vulnerabilities a month, but on Wednesday said it scanned its entire codecase using the latest frontier models, including Anthropic’s Mythos, and found 75 security holes, covered in 26 CVEs. This comes a day after Microsoft said it used its new agentic bug hunting system called MDASH to find 17 vulnerabilities across its products - on a record-setting Patch Tuesday that saw Redmond disclose a whopping 30 critical CVEs. Plus, last week Mozilla said it fixed 423 Firefox bugs in April, which is more than five times higher than the 76 fixes issued in March and almost 20 times higher than its 21.5 monthly average last year. The browser maker previously said Mythos found 271 flaws in Firefox 150. It shouldn’t be all that shocking. Security vendors have long warned about attackers using AI, and how this means defenders need to operate at AI speed to protect their own networks and systems (aka buying their AI-infused products). Now that models have become really good at finding bugs in code, security shops are using AI to scan their own software, hopefully to uncover and fix flaws before the baddies do. And this trickles down to two things: more patches, and more work for admins. Zero Day Initiative’s chief vuln finder Dustin Childs agrees with this assessment. “At first, yes, this means more patches and thus more work for admins,” he told The Register. “The goal over time would be to eliminate as many as possible, and, over time, that monthly number goes down.” What will make this whole AI bug hunting season “really painful,” he continued, is if the patches don’t work or - worse yet - break things. “Many customers don’t trust patches as it is, so if AI-related patches break things, they are less likely to apply as time goes on,” Childs added. “This will be true even if AI only finds the bugs and doesn’t make the patches.” Bug hunting on steroids This isn’t to say security companies should avoid AI to find and fix flaws. “All vendors should use what tools they have to find and remediate bugs before they are exploited in the wild,” Childs said. “Ideally, they would find the bugs before they even ship, but I’m not holding my breath for that to happen.” Both Microsoft and Palo Alto Networks (PAN) are part of Anthropic’s Project Glasswing, which means they are among the select group of entities allowed to test Mythos, the much-hyped LLM, to find security holes in their own products. Palo Alto Networks began testing Mythos on April 7, and has since continued using the LLM and other frontier models, including Claude Opus 4.7 and OpenAI’s GPT-5.5-Cyber, according to Chief Product and Technology Officer Lee Klarich. “Today, we released our May ‘Patch Wednesday’ security advisories,” Klarich said in a Wednesday blog, adding that “this is the first time where the majority of findings were the result of frontier AI models scanning our code.” The LLMs scanned over 130 Palo Alto Networks products and platforms platforms, and as noted above found 75 issues, covered in 26 CVEs. None of these bugs are under exploitation, and as of Wednesday the company has fixed all bugs in its SaaS-delivered products and coded patches for all customer-operated products. Maybe 5 months before 'AI-driven exploits the new norm' “We intend to fix every vulnerability we find before advanced AI capabilities become widely available to adversaries,” Klarich said in his blog, adding that his company expects “a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm.” A day earlier, Microsoft said its new multi-model agentic scanning harness (codename MDASH) helped researchers find 16 new vulnerabilities across the Windows networking and authentication stack, as disclosed in May’s Patch Tuesday event. This included four critical remote code execution flaws in components such as the Windows kernel TCP/IP stack and the IKEv2 service. “Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end,” Microsoft VP of agentic security Taesoo Kim said in a Tuesday blog. Tom Gallagher, VP of engineering at Microsoft Security Response Center, admitted that “this month's release sits on the larger side of a hotpatch month.” Gallagher said he expects AI-assisted bug hunting to increase Patch Tuesday releases as both Microsoft and third-party researchers use these tools to boost vulnerability discovery. And yes, all of this ultimately means more patches and more work. More patches = more work “Finding bugs has always been the cheap end of the pipeline,” Luta CEO Katie Moussouris told The Register. “Triage, disclosure, building patches that do not break production, and getting customers to deploy them is the expensive end, and nobody has funded it for this volume.” Moussouris helped convince Redmond's top brass that Microsoft needed a bug bounty program in 2013, and three years later started her own bug bounty consultancy. She noted Palo Alto Networks’ staggering jump in CVEs this month. “Multiply that across every vendor and the bottleneck becomes admins and vulnerability management teams,” Moussouris said. And she also stressed that people should be using these new models to find vulnerabilities. “It is exactly what defenders should be doing,” Moussouris said. “Both PAN and Microsoft landed on the same answer: no single model catches everything. PAN ran Claude Mythos, Claude Opus 4.7, and GPT-5.5-Cyber because each finds bugs the others miss,” she added. “Microsoft orchestrates over 100 specialized agents across multiple models. Add threat intel and codebase context, and Microsoft rediscovered 96 percent of five years of confirmed bugs in a critical Windows component. The asymmetry is temporary, PAN puts adversary parity at three to five months, so any vendor not scanning their own code now is letting someone else find their bugs first.”®

Doozy of a Patch Tuesday includes 30 critical Microsoft CVEs

13 May 2026 at 01:51
Microsoft released fixes for 137 CVEs on Tuesday, none of which are known to have been targeted by attackers. But the news is not all good as Redmond rated a whopping 30 flaws as critical, with 14 earning a 9.0 or higher CVSS severity rating, including one perfect 10. Plus, everyone who celebrates the monthly patchapalooza event received validation for what we all widely suspected last month: Yes, Redmond (and everyone else, for that matter) is using AI to find a ton more bugs than ever before. And that means a lot more work for all the folks applying and testing the patches. “This month's release sits on the larger side of a hotpatch month, and we expect releases to continue trending larger for some time,” Tom Gallagher, VP of engineering at Microsoft Security Response Center, said in a note on this month's Patch Tuesday. Microsoft also said its secret-until-now AI bug hunting system, codenamed MDASH, found 16 of the vulnerabilities addressed in this month’s release. Redmond additionally announced it is making the tool available to a limited number of customers in private preview, along the lines of Anthropic’s Mythos and Project Glasswing. In other words: no break for Microsoft admins this May Patch Tuesday. Let’s take a look at some of the nastiest/most-interesting bugs that also received some of the highest-CVSS ratings this month, coming in hot at 9.8 and 9.9. First up: CVE-2026-41096. This one is a critical, 9.8-rated Windows DNS Client remote code execution (RCE), and while Redmond says exploitation is “unlikely,” we’d suggest patching it ASAP. It’s due to a heap-based buffer overflow, and no authentication or user interaction is needed to exploit it (it's done by sending a specially crafted DNS response to a vulnerable system), potentially leading to memory corruption and RCE. “Since the DNS Client runs on virtually every Windows machine, the attack surface is enormous,” Zero Day Initiative bug hunting boss Dustin Childs warned. “An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise.” Plus, it could happen across a ton of enterprise systems very rapidly, Jack Bicer, Action1 vulnerability research director told The Register. “This CVE requires immediate attention,” he said. “Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.” Another especially bad bug, CVE-2026-42898 in Microsoft Dynamics 365 on-premises systems, achieved a near-perfect 9.9 CVSS rating and also leads to RCE. Any authenticated user can trigger this vuln - it doesn’t require admin or other elevated privileges. As Redmond explains: “An attacker with the required permissions could modify the saved state of a process session in Dynamics CRM and trigger the system to process that data, which could result in the server unintentionally executing malicious code.” Since exploitation could lead to a scope change, meaning the bug can affect systems beyond the vulnerable component, it’s a pretty serious risk to enterprises and should be prioritized. “Scope changes are pretty rare, so if you’re running Dynamics 365 On-Prem, definitely test and deploy this patch quickly,” Childs said. The second of two 9.8-rated bugs is CVE-2026-41089. It’s a stack-based buffer overflow in Windows Netlogon that allows an unauthenticated, remote attacker to execute code on vulnerable machines by sending a specially crafted network request to a Windows server acting as a domain controller. As Childs points out: the fact attackers can exploit this flaw without credentials or user interactions makes it wormable “This is the highest-impact bug that requires immediate patching: a compromised domain controller is a compromised domain,” he added. The silver lining this month for defenders is that the single CVE earning a perfect 10.0 CVSS rating is in Azure DevOps, and doesn’t require users to fix anything. CVE-2026-42826 is an information disclosure vulnerability in the DevOps toolchain “has already been fully mitigated by Microsoft,” according to Redmond. “There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.” ®

Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025

11 February 2026 at 13:14

It also fixed a high-severity authentication bypass that could be exploited remotely without authentication to obtain credentials.

The post Ivanti Patches Endpoint Manager Vulnerabilities Disclosed in October 2025 appeared first on SecurityWeek.

How to discover and secure ownerless corporate IT assets

15 December 2025 at 21:39

Attackers often go after outdated and unused test accounts, or stumble upon publicly accessible cloud storage containing critical data that’s a bit dusty. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account… Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security, regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT — with one key difference: nobody wants, knows about, or benefits from these assets.

In this post, we try to identify which assets demand immediate attention, how to identify them, and what a response should look like.

Physical and virtual servers

Priority: high. Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.

Prevalence: high. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Lets Encrypt statistics: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.

Detection: the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves.

This data should be supplemented by external vulnerability scans that cover all of the organization’s public IPs.

Response: establish a formal, documented process for decommissioning/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet.

To mitigate this issue for test environments, implement an automated process for their creation and decommission. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.

Forgotten user, service, and device accounts

Priority: critical. Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.

Prevalence: very high. Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.

Detection: conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it’s advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.

Response: after checking with the relevant service owner on the business side or employee supervisor, outdated accounts should be simply deactivated or deleted. A comprehensive Identity and Access Management system (IAM) offers a scalable solution to this problem. In this system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.

For service accounts, it’s also essential to routinely review both the strength of passwords, and the expiration dates for access tokens — rotating them as necessary.

Forgotten data stores

Priority: critical. Poorly controlled data in externally accessible databases, cloud storage and recycle bins, and corporate file-sharing services — even “secure” ones — has been a key source of major breaches in 2024–2025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.

Prevalence: high. Archive data, data copies held by contractors, legacy database versions from previous system migrations — all of these often remain unaccounted for and accessible for years (even decades) in many organizations.

Detection: given the vast variety of data types and storage methods, a combination of tools is essential for discovery:

  • Native audit subsystems within major vendor platforms, such as AWS Macie, and Microsoft Purview
  • Specialized Data Discovery and Data Security Posture Management solutions
  • Automated analysis of inventory logs, such as S3 Inventory

Unfortunately, these tools are of limited use if a contractor creates a data store within its own infrastructure. Controlling that situation requires contractual stipulations granting the organization’s security team access to the relevant contractor storage, supplemented by threat intelligence services capable of detecting any publicly exposed or stolen datasets associated with the company’s brand.

Response: analyze access logs and integrate the discovered storage into your DLP and CASB tools to monitor its usage — or to confirm it’s truly abandoned. Use available tools to securely isolate access to the storage. If necessary, create a secure backup, then delete the data. At the organizational policy level, it’s crucial to establish retention periods for different data types, mandating their automatic archiving and deletion upon expiry. Policies must also define procedures for registering new storage systems, and explicitly prohibit the existence of ownerless data that’s accessible without restrictions, passwords, or encryption.

Unused applications and services on servers

Priority: medium. Vulnerabilities in these services increase the risk of successful cyberattacks, complicate patching efforts, and waste resources.

Prevalence: very high. services are often enabled by default during server installation, remain after testing and configuration work, and continue to run long after the business process they supported has become obsolete.

Detection: through regular audits of software configurations. For effective auditing, servers should adhere to a role-based access model, with each server role having a corresponding list of required software. In addition to the CMDB, a broad spectrum of tools helps with this audit: tools like OpenSCAP and Lynis — focused on policy compliance and system hardening; multi-purpose tools like OSQuery; vulnerability scanners such as OpenVAS; and network traffic analyzers.

Response: conduct a scheduled review of server functions with their business owners. Any unnecessary applications or services found running should be disabled. To minimize such occurrences, implement the principle of least privilege organization-wide and deploy hardened base images or server templates for standard server builds. This ensures no superfluous software is installed or enabled by default.

Outdated APIs

Priority: high. APIs are frequently exploited by attackers to exfiltrate large volumes of sensitive data, and to gain initial access into the organization. In 2024, the number of API-related attacks increased by 41%, with attackers specifically targeting outdated APIs, as these often provide data with fewer checks and restrictions. This was exemplified by the leak of 200 million records from X/Twitter.

Prevalence: high. When a service transitions to a new API version, the old one often remains operational for an extended period, particularly if it’s still used by customers or partners. These deprecated versions are typically no longer maintained, so security flaws and vulnerabilities in their components go unpatched.

Detection: at the WAF or NGFW level, it’s essential to monitor traffic to specific APIs. This helps detect anomalies that may indicate exploitation or data exfiltration, and also identify APIs that get minimal traffic.

Response: for the identified low-activity APIs, collaborate with business stakeholders to develop a decommissioning plan, and migrate any remaining users to newer versions.

For organizations with a large pool of services, this challenge is best addressed with an API management platform in conjunction with a formally approved API lifecycle policy. This policy should include well-defined criteria for deprecating and retiring outdated software interfaces.

Software with outdated dependencies and libraries

Priority: high. This is where large-scale, critical vulnerabilities like Log4Shell hide, leading to organizational compromise and regulatory compliance issues.

Prevalence: Very high, especially in large-scale enterprise management systems, industrial automation systems, and custom-built software.

Detection: use a combination of vulnerability management (VM/CTEM) systems and software composition analysis (SCA) tools. For in-house development, it’s mandatory to use scanners and comprehensive security systems integrated into the CI/CD pipeline to prevent software from being built with outdated components.

Response: company policies must require IT and development teams to systematically update software dependencies. When building internal software, dependency analysis should be part of the code review process. For third-party software, it’s crucial to regularly audit the status and age of dependencies.

For external software vendors, updating dependencies should be a contractual requirement affecting support timelines and project budgets. To make these requirements feasible, it’s essential to maintain an up-to-date software bill of materials (SBOM).

You can read more about timely and effective vulnerability remediation in a separate blog post.

Forgotten websites

Priority: medium. Forgotten web assets can be exploited by attackers for phishing, hosting malware, or running scams under the organization’s brand, damaging its reputation. In more serious cases, they can lead to data breaches, or serve as a launchpad for attacks against the given company. A specific subset of this problem involves forgotten domains that were used for one-time activities, expired, and weren’t renewed — making them available for purchase by anyone.

Prevalence: high — especially for sites launched for short-term campaigns or one-off internal activities.

Detection: the IT department must maintain a central registry of all public websites and domains, and verify the status of each with its owners on a monthly or quarterly basis. Additionally, scanners or DNS monitoring can be utilized to track domains associated with the company’s IT infrastructure. Another layer of protection is provided by threat intelligence services, which can independently detect any websites associated with the organization’s brand.

Response: establish a policy for scheduled website shutdown after a fixed period following the end of its active use. Implement an automated DNS registration and renewal system to prevent the loss of control over the company’s domains.

Unused network devices

Priority: high. Routers, firewalls, surveillance cameras, and network storage devices that are connected but left unmanaged and unpatched make for the perfect attack launchpad. These forgotten devices often harbor vulnerabilities, and almost never have proper monitoring — no EDR or SIEM integration — yet they hold a privileged position in the network, giving hackers an easy gateway to escalate attacks on servers and workstations.

Prevalence: medium. Devices get left behind during office moves, network infrastructure upgrades, or temporary workspace setups.

Detection: use the same network inventory tools mentioned in the forgotten servers section, as well as regular physical audits to compare network scans against what’s actually plugged in. Active network scanning can uncover entire untracked network segments and unexpected external connections.

Response: ownerless devices can usually be pulled offline immediately. But beware: cleaning them up requires the same care as scrubbing servers — to prevent leaks of network settings, passwords, office video footage, and so on.

❌