Archive for CISA

CISA to shift vulnerability program toward risk-based prioritization

Posted in Commentary with tags on June 10, 2026 by itnerd

The CISA’s Acting Director Nick Andersen announced Tuesday plans to overhaul how the agency evaluates and prioritizes software vulnerabilities, moving beyond severity scores alone to focus more heavily on real-world risk and operational impact. The agency said the changes are intended to help organizations better prioritize remediation efforts as the volume of disclosed vulnerabilities continues to grow.

Under the new approach, CISA plans to place greater emphasis on factors such as active exploitation, asset criticality, attack complexity, and the potential consequences of a successful attack. Agency officials said the goal is to help defenders focus resources on vulnerabilities that pose the greatest operational risk rather than relying solely on CVSS scores or the total number of disclosed flaws.

The initiative follows broader efforts by CISA to improve vulnerability management programs, including opening nominations for its KEV Catalog and expanding collaboration with security researchers and vendors. Officials said the updated framework is intended to provide organizations with more actionable guidance for addressing the vulnerabilities most likely to affect critical systems and infrastructure.

Denis Calderone, CTO, Suzu Labs:

   “A risk-based approach to vulnerability management makes a lot of sense to us, and is how we approach vulnerability management with our own clients. CVSS alone has never been a reliable way to decide which vulnerabilities to prioritize. Just in the last two weeks we’ve seen a Palo Alto GlobalProtect vulnerability rated 7.8 that was operationally critical, a SolarWinds Serv-U DoS at 7.5 against a product with a documented history of nation-state and ransomware targeting, and a Check Point zero-day where CISA’s own three-day remediation deadline told a completely different story than the score. So, the policy direction here is right. Where we get skeptical is the execution. Risk-based prioritization is significantly harder than ‘patch everything as fast as you can.’ It requires understanding what assets you have, what functions they support, how they’re exposed, and what the real-world consequences of compromise look like. Who is going to ensure that each entity is actually performing effective risk-based assessments and not just checking a compliance box?

   “That question gets harder to answer when you look at the resource picture. CISA has faced roughly half a billion dollars in proposed budget cuts and lost about a third of its workforce. Andersen is describing an approach where CISA engages directly with critical infrastructure entities to identify specific critical functions and the assets that support them. That kind of hands-on, entity-by-entity engagement requires more analytical capacity, not less. The 329 new hires are a good step forward and show the agency is serious about rebuilding operational capability, but risk-based prioritization at the scale of the federal government and critical infrastructure sectors is an enormous undertaking even for a fully staffed agency.

   “The other thing we’d like to see this framework address is chainability. CVSS scores vulnerabilities in isolation and doesn’t model scenarios where an attacker combines a medium-severity information disclosure with a medium-severity privilege escalation and ends up with critical impact. Neither bug scores as urgent on its own, but together they give you full system compromise. If the goal is to prioritize based on real-world risk, the methodology has to account for how vulnerabilities interact in actual attack chains, not just how they score individually.

   “Organizations shouldn’t wait for this directive to be fully operationalized. Start building your own prioritization stack now: KEV status, EPSS exploitation probability, and your own environmental context. That combination has been more reliable than CVSS alone for a while now.”

Ryan McCurdy, VP of Marketing, Liquibase:

   “CISA’s shift is the right move because severity scores alone do not tell defenders what actually puts the business at risk. A vulnerability on a low-impact system is very different from one affecting a production database, deployment pipeline, or system tied to customer data and critical operations.

   “The next step is connecting vulnerability prioritization to proof of control. Security teams need to know not only which issues are being exploited, but where they sit, what they can impact, who remediated them, and whether the fix moved through a controlled change process. Otherwise, teams can patch one risk while introducing another through rushed, manual, or poorly governed changes.”

Doc McConnell, Head of Policy and Compliance, Finite State:

   “The pace of vulnerability identification is accelerating thanks to AI, and the volume is outpacing response even for well-resourced teams. It makes sense that the federal government is moving from blanket timelines to more individualized, risk-based prioritization.

   “But this approach demands more sophistication from cyber defenders. In order to make an effective risk-based assessment, they need to understand what they’re protecting. For example, device manufacturers need a deep understanding of their own firmware, including third-party components, to know whether a new vulnerability is present and exploitable in their product.

   “Organizations need to ask themselves: do they have the context they need to make informed prioritization decisions about new vulnerabilities? If not, building that context has to be priority number one.”

Damon Small, Board of Directors, Xcape, Inc.:

   “The Cybersecurity and Infrastructure Security Agency (CISA) is shifting the federal vulnerability baseline from predictable, severity-based scoring to a risk-centric paradigm. While moving beyond Common Vulnerability Scoring System (CVSS) numbers helps manage patch fatigue, calculating real-world operational risk requires localized context that most organizations struggle to automate. This subjective approach demands greater effort from analysts to extract local context, but it shifts the metric from superficial scorekeeping to actionable, risk-aligned defense.

   “Security teams must integrate localized threat intelligence with strict asset discovery to ensure asset criticality tags match actual business functions. Chief Information Security Officers (CISOs) should audit their pipelines immediately to ingest CISA’s expanded Vulnrichment telemetry, prioritizing active exploitation data over static metrics to justify mitigation exceptions to auditors and business units.

   “Critical Takeaways

  •    “Context Over Score: Severity scores are officially deprecated as standalone metrics, forcing security leaders to justify patching decisions based on active exploitation and asset criticality.
  •    “Telemetry Upgrade Required: Security teams must immediately update vulnerability management pipelines to ingest and process CISA’s expanded context data, rather than relying on traditional automated scanner outputs.
  •    “Audit Local Asset Context: CISOs need to establish strict, defensible asset discovery and business-criticality tagging, as automated risk prioritizations are useless without precise local context.

   “It turns out that counting to ten over and over was a terrible way to run a security program, even if it did look nice on an executive dashboard.”

Sunil Gottumukkala, CEO, Averlon:

   “Glad to see CISA’s acting director focusing on real-world risk; this shift is overdue. Knowing a vulnerability is exploited in the wild, which the KEV catalog already delivers, answers only half the question. The other half is whether it matters in your environment. Do the specific conditions the exploit depends on, a particular configuration, an exposed or reachable service, actually exist in your fleet?

   “This directive pushes agencies to answer that second half. Doing it well requires two things: knowing what assets you have and how they are deployed and configured, and understanding how a given CVE is being exploited to assess its real impact on your environment.”

My advice is to take risk and operational impact into account and make them operational now. Then tweak things based on what is finalized. That way there is forward movement in terms of making environments safer for all.

WTF? CISA Admin Leaked AWS GovCloud Keys on Github 

Posted in Commentary with tags on May 19, 2026 by itnerd

A newly uncovered GitHub exposure involving a CISA contractor leaked privileged AWS GovCloud credentials, plaintext passwords, and internal DevSecOps infrastructure details in what researchers are calling one of the most severe public-sector secret leaks in recent memory.

Dan Moore, Sr. Director, CIAM Strategy & Identity Standards at FusionAuth had this comment:

“A public GitHub repo sat open for six months. AWS GovCloud admin keys. Plaintext passwords. The works.

Researchers at Seralys and KrebsOnSecurity flagged it to CISA and were ignored. When the repo finally came down, the AWS keys stayed live for another 48 hours.

The hygiene failure created the exposure. Ignoring responsible disclosures extended it. But the static, long-lived credentials are the architectural problem that underlies both of those issues. An exposed static secret stays leaked until someone manually kills it. That’s a design error, not a simple mistake.”

This is an epic #fail by a group that should know better. Seriously, heads need to roll over this.

The CISA adds eight Cisco SD-WAN flaws to KEV and gives organizations four days to fix them

Posted in Commentary with tags on April 21, 2026 by itnerd

The CISA has added eight vulnerabilities to its KEV catalog, including CVE-2026-20133, another flaw affecting Cisco Catalyst SD-WAN Manager that Federal agencies have been given four days to secure their systems against.

CVE-2026-20133 is an information disclosure vulnerability caused by insufficient file system access restrictions, which can allow an unauthenticated remote attacker to access sensitive information on affected systems through the API. 

The KEV addition follows prior exploitation disclosures involving other Cisco SD-WAN vulnerabilities, including CVE-2026-20127, CVE-2026-20122, and CVE-2026-20128, which prompted earlier emergency directives and patching actions. CISA said the latest KEV update reflects continued active targeting of internet-exposed network infrastructure.

John Carberry, Solution Sleuth, Xcape, Inc. had this to say:

   “Cisco SD-WAN flaws, including the addition of CVE-2026-20133 and two other vulnerabilities to the KEV catalog, signal a critical escalation targeting software-defined perimeters. The main threat is not single bugs, but the rapid weaponization of vulnerability chains, using unauthenticated API access to enable severe file-overwrite and credential-extraction attacks.

   “CISA’s unusually short 4-day deadline confirms pervasive, automated exploitation linked to a Five Eyes-identified global campaign. These flaws stem from systemic API-level access control failures. Organizations must go beyond patching to implement the hardening steps in Emergency Directive 26-03: isolate management interfaces and immediately hunt for “rogue peering” or unauthorized root logins that occurred before the patch.

  • What is the real risk here? The risk is vulnerability chaining. CVE-2026-20133 (information disclosure) allows an unauthenticated attacker to scrape the API for system details, configurations, and internal IPs. This data is then used to weaponize more critical bugs, such as the file overwrite in CVE-2026-20122, essentially giving the attacker a ‘key’ to take control of the system.
  • Are we talking about a full-scale attack here? Sophisticated actors, confirmed by CISA and Five Eyes, have targeted SD-WAN management systems globally since at least 2023. This is a critical threat; owning the SD-WAN Manager grants them long-term persistence and control over all network traffic routing.
  • The “4-day deadline” is the most telling part. CISA’s four-day deadline (April 23, 2026), a significant cut from the usual 14–21 days for KEV items, indicates automated, large-scale exploitation is happening now. Patching without prior collection of forensic logs (admin-tech files) risks merely “painting over the mold” on an already backdoored system. 

   “Asking for a 4-day turnaround on a core networking product is Cisco’s subtle way of admitting they’ve left the screen door open during a hurricane.”

Sunil Gottumukkala, CEO, Averlon follows with this:

   “CISA’s KEV addition is a strong reminder that defenders should not treat CVE-2026-20133 as a routine information disclosure. In an SD-WAN manager, ‘sensitive information’ can include credentials and secrets that materially change the security of the entire environment. Public research shows this flaw can expose the vmanage-admin private key, compromise NETCONF used to manage SD-WAN devices, and leak confd_ipc_secret to enable root escalation.

   “When the vulnerable system is the management plane for distributed network infrastructure, the real-world impact is much larger than what its CVSS rating implies.”

Denis Calderone, CTO, Suzu Labs adds this:

   “Since late February, Cisco Catalyst SD-WAN Manager has been the target of a sustained, escalating campaign. CVE-2026-20127 was the CVSS 10.0 authentication bypass that triggered CISA Emergency Directive 26-03 and forced emergency federal patching. That was wave one. Wave two came in March: CVE-2026-20128, which exposes DCA user credentials, and CVE-2026-20122, which allows an attacker with low-level access to overwrite arbitrary files and escalate to full vManage administration. Both confirmed as actively exploited. Now CVE-2026-20133 is joining the KEV, giving an unauthenticated remote attacker access to sensitive files on the underlying OS through the API. Cisco hasn’t confirmed exploitation of this one. CISA clearly disagrees.

   “There’s also a scoring discrepancy here worth reviewing. Cisco’s PSIRT submitted this CVE to NVD as 6.5 MEDIUM, with low privileges required. NVD did their own independent analysis and scored it 7.5 HIGH, with no privileges required – matching Cisco’s own advisory, which also says 7.5 and no privileges required. So Cisco’s advisory and Cisco’s NVD submission tell different stories about the same vulnerability. NVD caught it. It is suggested that, since NIST announced they’re pulling back from independent CVE enrichment, this kind of vendor self-scoring inconsistency is exactly the gap that independent enrichment was closing. CVE-2026-20133 is that exact situation playing out in real time.

   “A defender running CVSS-based prioritization sees 6.5 MEDIUM and this sits in a longer queue. Meanwhile, exploitation is, according to CISA, already happening.

   “And CVSS still doesn’t score for chainability. CVE-2026-20133 is information disclosure. Add CVE-2026-20128 to harvest DCA credentials and CVE-2026-20122 to escalate those credentials to vManage admin, and you have full administrative control of a management platform capable of pushing configuration changes to thousands of SD-WAN devices simultaneously. The individual scores don’t capture that math. KEV does, because KEV reflects what’s actually happening in attacks, not what a scoring rubric says about a vulnerability in isolation.

   “If Catalyst SD-WAN Manager is in your environment, patch all three of these. Not because any single CVE is a ten. Because together they are.”
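The prioritization stack Calderone recommends in the first post above (KEV status, EPSS exploitation probability, your own environmental context) and the chainability point he makes here can be put into code. The block below is an added example and is not CISA’s, Suzu Labs’ or any vendor’s method. Every record, weight and chain in it is constructed for illustration: the identifiers VULN-A to VULN-E are placeholders rather than CVEs, the EPSS values and criticality tags are made up, and the weighting formula is an assumption chosen to show the effect, not a published standard.

```python
"""Risk-based vulnerability triage: KEV + EPSS + environmental context + chain awareness.

Added example, not CISA's or any vendor's method. All vulnerability records,
scores, weights and chains below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    vid: str                 # identifier; constructed placeholder, not a real CVE
    cvss: float              # base score as published
    kev: bool                # listed in a known-exploited catalog
    epss: float              # exploitation probability in [0, 1]
    asset_criticality: int   # 1 (low) .. 5 (crown jewel), from the asset inventory
    internet_exposed: bool   # reachable from the internet as deployed
    precondition_met: bool   # the vulnerable feature/config is actually enabled here


# Attack chains: vuln ids that together yield a worse outcome than any member alone,
# with the combined chain's impact on a 0..10 scale. Constructed for the example.
CHAINS = {
    "chain-mgmt-takeover": ({"VULN-A", "VULN-B", "VULN-C"}, 10.0),
}


def effective_impact(v, chains):
    """A vuln inherits the impact of any chain it belongs to.

    CVSS scores each member in isolation; an info leak that is step one of a
    management-plane takeover gets the takeover's impact here.
    """
    impact = v.cvss
    for members, chain_impact in chains.values():
        if v.vid in members:
            impact = max(impact, chain_impact)
    return impact


def risk_score(v, chains=CHAINS):
    """Combine exploitation likelihood and environmental context into a 0..100 score.

    KEV membership dominates likelihood (confirmed exploitation); otherwise EPSS is
    used with a small floor so unknowns are never zero. Asset criticality and
    exposure scale the result, and a missing precondition zeroes it: the flaw is
    not exploitable as deployed, so it is tracked but not queued.
    """
    if not v.precondition_met:
        return 0.0
    likelihood = 1.0 if v.kev else max(v.epss, 0.05)
    exposure = 1.0 if v.internet_exposed else 0.5
    criticality = v.asset_criticality / 5.0
    impact = effective_impact(v, chains) / 10.0
    return round(100 * likelihood * impact * (0.5 + 0.5 * criticality) * exposure, 1)


def tier(score):
    """Map a risk score to a remediation tier (thresholds are an assumption)."""
    if score >= 60:
        return "P1 - remediate now"
    if score >= 30:
        return "P2 - this sprint"
    if score > 0:
        return "P3 - scheduled"
    return "P4 - not exploitable as deployed"


def triage(vulns, chains=CHAINS):
    """Return (vid, score, tier) tuples ordered by descending risk."""
    rows = []
    for v in vulns:
        score = risk_score(v, chains)
        rows.append((v.vid, score, tier(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


SAMPLE = [  # constructed records
    # "medium" info leak on an exposed management plane, in KEV, first link of a chain
    Vuln("VULN-A", 6.5, True, 0.30, 5, True, True),
    Vuln("VULN-B", 7.5, True, 0.40, 5, True, True),
    Vuln("VULN-C", 8.8, True, 0.25, 5, True, True),
    # critical CVSS on an isolated, low-value host with no exploitation signal
    Vuln("VULN-D", 9.8, False, 0.02, 1, False, True),
    # in KEV, but the vulnerable feature is disabled in this environment
    Vuln("VULN-E", 9.1, True, 0.90, 4, True, False),
]

if __name__ == "__main__":
    for vid, score, t in triage(SAMPLE):
        print(f"{vid:8} {score:6.1f}  {t}")
```

A CVSS-only queue would put VULN-D (9.8) at the top and VULN-A (6.5) near the bottom; with KEV, exposure and chain membership applied, the three chain members score 100 and VULN-D drops to P3. Passing an empty chain map shows the chain effect in isolation: VULN-A falls from 100 to 65.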

So once again, it’s time to patch all the things in order to keep your organization safe. Given the tight timeline, this should be considered to be a today problem.

White House budget proposal would cut $707 million from CISA 

Posted in Commentary with tags on April 6, 2026 by itnerd

The White House’s proposed fiscal 2027 budget includes a $707 million reduction to CISA, significantly decreasing its funding. The cut builds on earlier reductions, including the loss of a third of the agency’s workforce, and further scales back its overall budget.

The budget outlines a shift in CISA’s focus toward federal network defense and critical infrastructure protection, while proposing cuts to programs related to external engagement, international affairs, and certain information-related initiatives. Previous proposals from the administration have also targeted reductions in staffing and program consolidation.

The White House’s 2026 budget tried to cut about $491 million from CISA’s spending, but Congress eventually only approved a reduction of approximately $135 million.

The new proposal will require approval from Congress, where funding levels and program priorities may be revised as part of the appropriations process. 

Doc McConnell, Head of Policy and Compliance, Finite State serves up this insight:

   “When CISA was created in 2018, it was built on a recognition that cybersecurity is a shared problem that no single organization can solve alone. CISA’s value lies in the connective tissue it creates, early warning of emerging threats, coordinated vulnerability assessment, and remediation, and partnerships with state and local governments and critical infrastructure operators that bolster our national resilience.

   “That mission is more urgent than ever. Nation-state adversaries are actively and strategically exploiting weaknesses in U.S. cyber defenses, and sophisticated threat actors are targeting critical infrastructure with increasing persistence. While manufacturers bear responsibility for the cybersecurity of their products, including proactively identifying and remediating vulnerabilities and managing supply chain risk, those efforts are most effective when backed by a strong government cybersecurity function. Now is the time to strengthen our collective ability to detect and respond to threats, not reduce it.”

Aaron Colclough, VP of Operations, Suzu Labs adds this comment:

   “The FY2027 budget proposal ties CISA to a refocus away from weaponization and waste, which tracks with a lot of this administration’s stated priorities for the term. The examples in the text stay high-level, so it is still unclear what exactly would be cut; nothing maps dollars to line items. That vagueness overlaps with functions or offices that were already reduced, so we’re not in a position to say what is net-new from the wording alone. This looks like the president’s usual high opening bid before Congress settles the real numbers.”

John Carberry, Solution Sleuth, Xcape, Inc.:

   “The proposed $707 million reduction to CISA signals a retreat from the public-private partnership model, effectively ending the agency’s role as a primary intelligence collaborator for the commercial sector. By eliminating the Stakeholder Engagement Division and the Joint Cyber Defense Collaborative (JCDC), the administration is forcing enterprise security teams to manage nation-state threats without a centralized federal clearinghouse. This shift places the entire burden of national collective defense onto individual firms at a time of unprecedented geopolitical volatility.

   “Security leaders must immediately de-risk their dependency on CISA for threat telemetry and sector-specific alerts, instead prioritizing deeper involvement in private Information Sharing and Analysis Centers (ISACs) and direct vendor partnerships. Since CISA will pivot its remaining resources almost exclusively toward federal network defense, organizations should also prepare for more aggressive compliance enforcement on federal contractors rather than collaborative support.

   “It turns out “Shields Up” was a limited-time offer.”

Seemant Sehgal, Founder & CEO, BreachLock had this comment:

   “You don’t cut the fire department and then wonder why buildings burn. CISA isn’t the bureaucratic overhead, for practitioners it’s the lifeline between government intelligence and the private sector running the infrastructure this country depends on. Cutting its budget by $707 million, on top of what’s already been cut, is a gift to every nation-state actor that’s been quietly targeting U.S. critical infrastructure.”

This is a pretty dumb idea from the White House. Though I am not shocked by this as this is how this administration rolls. And I suspect it will not take long for this administration to figure out how dumb this idea is.

The CISA mandates federal patching of Citrix NetScaler flaw by Thursday 

Posted in Commentary with tags on March 31, 2026 by itnerd

The CISA has added a new Citrix NetScaler appliance vulnerability to its Known Exploited Vulnerabilities catalog and is giving federal agencies until Thursday to remediate the flaw.

The vulnerability (CVE-2026-3055) is caused by inadequate input validation and can be exploited by unauthenticated remote attackers to extract sensitive data from Citrix ADC or Citrix Gateway appliances configured as SAML identity providers.

Denis Calderone, CTO, Suzu Labs provided this comment:

   “Back in 2023 CISA, the FBI, and Australia’s ACSC put out a joint advisory related to CVE-2023-4966, CitrixBleed. That was the same class of vulnerability on the same product family as this new issue, CVE-2026-3055. The issues are memory leaks on NetScaler that let attackers steal session tokens and walk right past authentication, including MFA. We saw LockBit use it to devastating effect against ICBC, Boeing, and DP World, and now we’re looking at another critical memory disclosure flaw on NetScaler. Citrix themselves are warning that exploitation is likely once proof-of-concept code surfaces.

   “An out-of-bounds read on a device like this is particularly dangerous because of where NetScaler sits in the environment. It’s at the network boundary, handling authentication and session management.

   “NetScaler is often used to build a layer of abstraction between the untrusted, semi-trusted and fully trusted security zones within a network. When memory leaks on a device like that, what spills out isn’t random data. It’s potentially session tokens, authentication material, and credentials. These are the things that let attackers bypass every security control sitting behind it. That’s what made CitrixBleed so devastating, and this vulnerability has the same potential.

   “The one piece of good news is that this only affects NetScaler instances configured as a SAML Identity Provider, not default configurations. SOC teams should check right now: search your NetScaler config for ‘add authentication samlIdPProfile’. If it’s there, you’re in scope and you need to patch immediately. If you can’t patch today, consider whether you can disable SAML IDP functionality as a temporary mitigation. Citrix has 21 entries in the CISA KEV catalog at this point. Waiting to see if this gets exploited is not a strategy that has historically worked out with this vendor.”
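The scope check Calderone describes, searching the NetScaler configuration for ‘add authentication samlIdPProfile’, is easy to run across an exported config file, but a loose search for “saml” or “IdP” will also match SP-side settings and produce false positives. The block below is an added example, not Citrix’s or Suzu Labs’ code: it keys on the exact command the comment names and reports the profile names it finds. The two sample configurations are constructed, and the parameter names in them are written from memory of the NetScaler CLI rather than taken from this page.

```python
"""Scope check for a NetScaler SAML-IdP-only flaw over exported ns.conf text.

Added example; not vendor code. It keys on the CLI command named in the
commentary, 'add authentication samlIdPProfile'. Sample configs are constructed.
"""
import re

# One NetScaler CLI command per line; the profile name is the token after the keyword.
SAML_IDP_RE = re.compile(
    r"^\s*add\s+authentication\s+samlIdPProfile\s+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def saml_idp_profiles(config_text):
    """Return the names of SAML IdP profiles defined in the config (empty if none)."""
    return SAML_IDP_RE.findall(config_text)


def in_scope(config_text):
    """True when the appliance acts as a SAML Identity Provider and so needs the fix."""
    return bool(saml_idp_profiles(config_text))


def scope_report(configs):
    """Given {hostname: config_text}, return {hostname: [profile names]} for in-scope hosts only."""
    return {host: names for host, text in configs.items()
            if (names := saml_idp_profiles(text))}


# Constructed sample: appliance configured as a SAML IdP -> in scope.
CONFIG_IDP = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add authentication samlIdPProfile corp_idp -samlIdPCertName corp_cert -assertionConsumerServiceURL "https://sp.example.test/acs"
add authentication samlIdPPolicy corp_idp_pol -rule true -action corp_idp
"""

# Constructed sample: appliance is only a SAML *service provider* (samlAction).
# It still mentions an IdP certificate, so a naive grep for "IdP" would flag it.
CONFIG_SP_ONLY = """\
set ns config -IPAddress 192.0.2.11 -netmask 255.255.255.0
add authentication samlAction sp_login -samlIdPCertName idp_cert -samlRedirectUrl "https://idp.example.test/sso"
"""

if __name__ == "__main__":
    fleet = {"ns-edge-01": CONFIG_IDP, "ns-edge-02": CONFIG_SP_ONLY}
    for host, names in scope_report(fleet).items():
        print(f"{host}: IN SCOPE, SAML IdP profiles: {', '.join(names)}")
```

Point `scope_report` at a dict built from `show ns runningConfig` exports (or ns.conf backups) for each appliance; hosts that come back empty are out of scope for this particular flaw but still need the vendor advisory checked for other affected features.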

Jacob Warner, Director of IT, Xcape, Inc. adds this comment:

   “Unpatched gateway appliances are the primary door for initial access brokers and nation-state actors, making this 48-hour remediation window a critical operational priority. This vulnerability allows unauthenticated attackers to bypass security boundaries and harvest credentials or session tokens, effectively turning your identity provider into a pivot point for lateral movement across the entire network. Organizations should immediately identify all Citrix ADC and Gateway instances acting as SAML IdPs and apply the vendor-provided firmware updates before the Thursday deadline.

   “If immediate patching is not feasible, security teams must evaluate whether to disable SAML functionality or place these appliances behind a restrictive VPN to reduce the attack surface. This is not a drill for the weekend; the inclusion in the KEV catalog confirms that active exploitation is already occurring in the wild.

   “Given the history of NetScaler vulnerabilities such as CitrixBleed, the blast radius of a successful exploit likely includes a full bypass of multi-factor authentication (MFA) for downstream applications. Priority should be placed on Internet-facing instances, followed by a comprehensive review of logs for unusual outbound traffic from these appliances.

   “I appreciate CISA giving us a Tuesday warning for a Thursday deadline, though I suspect the “unauthenticated remote attackers” didn’t bother waiting for the official calendar invite.”

Rajeev Raghunarayan, Head of GTM, Averlon said this:

   “Most organizations measure response in terms of time to patch. The real gap is time to decision. Teams often know about a vulnerability, but they don’t know whether it actually matters in their environment.

   “We’ve seen environments with tens of thousands of vulnerabilities where only a handful created meaningful risk based on how they connected to critical systems, especially when identity infrastructure is involved. Without that clarity, everything looks urgent and ends up in the same queue.

   “The organizations moving fastest don’t need external deadlines to act. They can quickly determine what matters and treat those cases as incidents. Others rely on external signals like KEV listings to prioritize, rather than identifying that urgency internally.”

If your organization is affected by this, you need to patch it ASAP because threat actors will not wait to exploit it.

The CISA orders agencies to patch actively exploited n8n vulnerability which enables server takeover

Posted in Commentary with tags on March 12, 2026 by itnerd

The CISA has ordered federal agencies to patch a remote code execution vulnerability in the n8n workflow automation platform that could allow attackers to steal stored credentials such as API keys, OAuth tokens, and passwords, or pivot into connected systems that rely on the automation platform.

Security researchers found that multiple vulnerabilities in n8n could allow attackers to execute commands on vulnerable systems, escape sandbox protections, and potentially take full control of affected servers. One flaw involves an expression injection vulnerability that allows attackers to submit malicious input that is evaluated by the platform, while a second issue can be chained to bypass sandbox protections and execute commands directly on the host system.

Because n8n often stores credentials used to connect to external services and infrastructure, researchers warned that a compromised instance could expose multiple integrated systems and sensitive data across an organization’s environment.

n8n has more than 50,000 weekly npm downloads and over 100 million Docker pulls.

John Carberry, Solution Sleuth, Xcape, Inc.:

   “Federal agencies are racing to patch n8n workflow automation servers following a CISA directive targeting an actively exploited expression injection vulnerability. Despite previous security updates, researchers discovered multiple bypasses (CVE-2026-25049 and CVE-2026-27577) that allow attackers to escape the platform’s sandbox and execute arbitrary code on the host system. This cycle of incomplete patching is particularly dangerous for automation tools that serve as a central repository for sensitive API keys and OAuth tokens across the Enterprise.

   “For security professionals, this highlights the fragility of relying on software-defined sandboxes when the underlying application logic remains inherently permissive. Defenders must prioritize immediate updates to version 1.76.3 or later and audit all connected service credentials for signs of lateral movement. We need to stop treating sandbox escapes as isolated bugs and recognize them as fundamental design failures that require more than a quick syntax fix.

   “Patching a sandbox escape with a regex filter is like trying to fix a leaky dam with a Post-it note.”

Denis Calderone, CTO, Suzu Labs:

   “n8n is under sustained assault from multiple angles right now, and CISA just confirmed this latest one is being actively exploited. We’ve seen four critical RCE vulnerabilities in just the last three months, and an active supply chain attack to boot.

   “At its core, n8n is a credential vault. It stores API keys, OAuth tokens, database passwords, cloud storage credentials for every service it connects to, and it connects to a lot of services. Compromise one n8n instance and you don’t just own the automation platform, you get the keys to every system it touches. Numerous vulnerabilities from VMware to Cisco to n8n have been bringing to light the inherited trust problem once again. The underlying issue here is that your management and orchestration tools carry the deepest trust in your environment, and attackers know it.

   “What makes this one particularly concerning is the attack surface. Shadowserver is tracking over 40,000 unpatched instances still sitting on the open internet, and researchers identified more than 100,000 potentially vulnerable deployments globally. The patch has been available since December. That’s three months of exposure while these things are being actively exploited, and exploitation apparently spiked over the Christmas holiday when teams were thin.

   “If you’re running n8n, patch immediately, audit what credentials are stored in it, and restrict who can create or edit workflows. Yes, n8n needs internet-facing endpoints for webhooks and forms, but that doesn’t mean the management interface and credential store should be exposed along with them. Separate your webhook endpoints from your admin panel, and put the editor behind a VPN or proper access controls.”

Vishal Agarwal, CTO, Averlon:

   “Automation platforms like n8n often sit in the middle of many internal systems and services, storing the API keys, tokens, and credentials needed to connect them. When vulnerabilities appear in these platforms, the real risk isn’t just the initial compromise. It’s the blast radius: what those stored credentials allow an attacker to reach next, and how far that reach extends across connected systems.

   “Even if the initial access comes from a regular user account, these vulnerabilities can expose much more powerful credentials stored within the platform. Organizations should not only patch quickly but also map the pathways those credentials create across their environment.”

I am glad that the CISA is around because it forces organizations to take cybersecurity seriously. Of course organizations have to take cybersecurity seriously. But that’s another story.

CISA issues urgent directive on Cisco SD-WAN vulnerabilities that are being actively exploited 

Posted in Commentary with tags on March 11, 2026 by itnerd

A new urgent directive from the CISA, Emergency Directive 26-03, was released this morning, warning that threat actors are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN systems used across federal networks. The directive requires agencies to immediately inventory affected systems, collect forensic artifacts, apply patches, and hunt for signs of compromise.

The vulnerabilities include CVE-2026-20127, a critical authentication bypass flaw (CVSS 10) that could allow an unauthenticated attacker to gain administrative access to SD-WAN infrastructure and potentially manipulate network configurations. 

Bobby Kuzma, Director of Offensive Operations at ProCircular had this to say:

“CISA has clear reason to believe that these vulnerabilities have been, and likely continue to be, exploited by threat actors to compromise government systems and networks. The requests for artifact collection and submission make it clear they’re working to identify the scope of the threat. While contractors and civilian organizations are not required or requested to follow similar collection steps, if you have Cisco SD-WAN appliances in your environment, this is a good time to collect artifacts and review patch statuses and logs.”

Once again it’s time to patch all the things. Though this time around, this patching exercise is pretty urgent and should be done without delay.

The CISA Has Provided Two Warnings That You Should Pay Attention To

Posted in Commentary with tags on February 19, 2026 by itnerd

The CISA has given US government agencies three days to patch their systems against a maximum-severity hardcoded credential vulnerability (CVE-2026-22769) in Dell’s RecoverPoint solution, exploited by the UNC6201 Chinese hacking group since mid-2024: https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog

Ensar Seker, CISO at threat intelligence company SOCRadar:

“When CISA orders agencies to patch within three days, that signals confirmed active exploitation and real operational risk. This is not theoretical exposure. A hardcoded credential vulnerability like CVE-2026-22769 effectively removes authentication as a barrier. If exploited, it can lead to root-level persistence, which is extremely difficult to detect and eradicate.

“The three-day mandate reflects two things: first, the vulnerability likely provides reliable post-exploitation value; second, federal systems running backup and recovery platforms are high-value targets. Backup infrastructure is especially sensitive because compromising it weakens an organization’s last line of defense against ransomware and destructive attacks. What makes this particularly concerning is that exploitation reportedly began in mid-2024. That means adversaries may have had months of dwell time in some environments. Even after patching, agencies must assume possible compromise and validate integrity, credentials, and persistence mechanisms.

“The real takeaway for enterprises is this: if federal agencies get three days, the private sector should not assume they have three weeks. When a vulnerability combines maximum severity, hardcoded credentials, and active exploitation, patching becomes a board-level risk discussion, not just an IT task.”

On top of that, the CISA published an advisory warning that a critical security vulnerability (CVE-2026-1670) has been identified in four Honeywell CCTV camera models that could allow attackers to bypass authentication and take control of device accounts.

The flaw is classified as “missing authentication for critical function” and has been given a CVSS severity score of 9.8.

According to the advisory, the vulnerability stems from an unauthenticated API endpoint that lets attackers remotely change the “forgot password” recovery email address associated with a camera account. By modifying this recovery email without needing credentials, an attacker could potentially take over the account and gain unauthorized access to live camera feeds or administrative functions.
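The weakness the advisory describes, as an added example rather than Honeywell’s firmware code: a recovery-email change handler that accepts the request from anyone, next to a hardened handler that requires a session for the same account, validates the input and records who made the change. The account store, session handling and request shape are constructed for the example.

```python
"""Recovery-email endpoint: the unauthenticated pattern and a hardened one.

Added example, not Honeywell's code. It models only what the advisory
describes (an API call that changes an account's recovery address without
credentials); account store, sessions and request shape are constructed.
"""
import hashlib
import hmac
import re
import secrets
import time

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PBKDF2_ROUNDS = 100_000


class AccountStore:
    def __init__(self):
        self.accounts = {}   # username -> {"salt", "pw_hash", "recovery_email"}
        self.sessions = {}   # session token -> username
        self.audit = []      # (timestamp, actor, action, target, detail)

    def create(self, username, password, recovery_email):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "recovery_email": recovery_email,
        }

    def login(self, username, password):
        """Return a session token, or None on bad credentials."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, acct["pw_hash"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token


def set_recovery_email_unauthenticated(store, username, new_email):
    """The weak pattern: no session check and no record of who made the change."""
    store.accounts[username]["recovery_email"] = new_email
    return True


def set_recovery_email_hardened(store, session_token, username, new_email):
    """Require a valid session for the same account, validate input, audit it."""
    actor = store.sessions.get(session_token)
    if actor is None:
        raise PermissionError("authentication required")
    if actor != username:
        raise PermissionError("session does not belong to the target account")
    if not EMAIL_RE.match(new_email):
        raise ValueError("invalid recovery email")
    old = store.accounts[username]["recovery_email"]
    store.accounts[username]["recovery_email"] = new_email
    # Actor plus old/new value is what lets a SOC spot an unexpected change later.
    store.audit.append((time.time(), actor, "recovery_email_change", username, f"{old} -> {new_email}"))
    return True


def demo():
    """Exercise both handlers on constructed accounts; returns what each allowed."""
    store = AccountStore()
    store.create("operator", "correct horse battery staple", "ops@example.test")
    store.create("viewer", "another passphrase", "viewer@example.test")
    results = {}
    # Weak handler: a caller with no session at all changes the operator's address.
    set_recovery_email_unauthenticated(store, "operator", "unknown@example.test")
    results["weak_changed_without_session"] = store.accounts["operator"]["recovery_email"] == "unknown@example.test"
    store.accounts["operator"]["recovery_email"] = "ops@example.test"   # reset for the hardened case
    try:
        set_recovery_email_hardened(store, "no-such-token", "operator", "unknown@example.test")
        results["hardened_denied_no_session"] = False
    except PermissionError:
        results["hardened_denied_no_session"] = True
    viewer_token = store.login("viewer", "another passphrase")
    try:
        set_recovery_email_hardened(store, viewer_token, "operator", "unknown@example.test")
        results["hardened_denied_other_account"] = False
    except PermissionError:
        results["hardened_denied_other_account"] = True
    operator_token = store.login("operator", "correct horse battery staple")
    set_recovery_email_hardened(store, operator_token, "operator", "ops-new@example.test")
    results["hardened_allowed_own_account"] = store.accounts["operator"]["recovery_email"] == "ops-new@example.test"
    results["audit_entries"] = len(store.audit)
    return results
```

The audit entry is deliberately part of the hardened path: a recovery address is a credential-reset control, so a change to it should leave a record naming the session that made it, which is what gives a monitoring team something to alert on.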

Honeywell is a widely deployed global supplier of security and video surveillance equipment, including many NDAA-compliant cameras used in government, industrial, and commercial critical infrastructure environments.

Nick Mo, CEO & Co-founder, Ridge Security Technology Inc. provided this comment:

   “IoT assets like cameras and smart printers remain massive security blind spots. While organizations obsess over protecting “crown jewel” databases, attackers exploit these overlooked devices as easy entry points.

   “The Honeywell zero-day (CVE-2026-1670) shows how a single vulnerability in a CCTV system can compromise critical infrastructure. Whether it’s a sophisticated exploit or a basic failure—like the 2025 Louvre heist where the password was just “Louvre”—the risk is the same: neglected hardware creates an open door.

   “Security testing must include every connected device. Find the holes before the hacker does.”

Michael Bell, Founder & CEO, Suzu Labs had this comment:

   “The device you installed to protect the building just became the way into the network. CVE-2026-1670 lets an unauthenticated attacker change the password recovery email on affected Honeywell cameras and take over the account, no credentials needed. These are NDAA-compliant models that go into government facilities and critical infrastructure, and the vulnerability is an open API endpoint on a password reset function.

   “A physical security contractor puts the cameras up, plugs them into whatever network is available, and IT may never know they’re there. Nobody patches a device nobody knows they own, and nobody segments a device that isn’t in the asset inventory. CISA hasn’t seen active exploitation yet, so there’s still a window to get ahead of this one.”

John Carberry, Solution Sleuth, Xcape, Inc. adds this comment:

   “The discovery of CVE-2026-1670 in Honeywell CCTV cameras serves as a stark reminder that the surveillance systems safeguarding our critical infrastructure are frequently exposed to the public Internet. By leaving a “forgot password” API endpoint unauthenticated, Honeywell inadvertently enabled remote hijacking of device accounts. Attackers could simply redirect recovery emails to themselves, gaining unauthorized access.

   “This vulnerability, boasting a near-perfect CVSS score of 9.8, grants attackers a straightforward route from digital compromise to physical surveillance. This affects NDAA-compliant systems in government and industrial sectors. For Security Operations Center (SOC) teams, the presence of these devices on public-facing networks without VPNs or stringent access controls now constitutes an immediate liability.

   “This issue highlights a fundamental lapse in secure-by-design principles for hardware entrusted with protecting our most sensitive assets. As we increasingly adopt “smart” security solutions for our perimeters, it’s crucial to understand that an unpatched camera is not only a guardian, but it can also become an open portal for pivoting to other sensitive systems.

   “Organizations utilizing affected models must prioritize firmware updates, limit external access through network segmentation, and diligently monitor for any unauthorized configuration changes.

   “When your security cameras can be commandeered remotely, the watcher becomes the watched.”

The CISA does a lot of good work to keep people safe from a cybersecurity standpoint. Thus I would heed their warnings and take action ASAP when they appear.

SolarWinds Appears To Be Back From The Dead

Posted in Commentary with tags on February 5, 2026 by itnerd

The CISA has added to its KEV catalog the actively exploited, critical (CVSS 9.8) flaw reported last week in SolarWinds’ Web Help Desk software, and is giving federal agencies until Friday to patch it.

The bug involves an untrusted data deserialization weakness that allows a remote, unauthenticated attacker to execute arbitrary code on affected systems.

Horizon3.ai researchers revealed that the recently identified SolarWinds vulnerability, tracked as CVE-2025-40551, stems from an earlier flaw uncovered in 2024 (CVE-2024-28986). The new bug is part of an ongoing chain of issues caused by incomplete remediation of the original vulnerability, which allows attackers to bypass the previous fixes.

In response to the discovery, SolarWinds has released Web Help Desk 2026.1, which addresses this and several related vulnerabilities. Several of those carry high severity ratings, and some can also bypass authentication controls or allow similar impacts such as privilege escalation or arbitrary actions by unauthenticated users.
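The untrusted-deserialization weakness and the “fix the symptom, not the root cause” pattern described above, as an added example that is not SolarWinds code (the page shows neither the product’s code nor its runtime): Python’s pickle stands in for the weak deserializer, a restricted unpickler with an explicit allowlist shows a root-cause fix for code that must keep the format, and a plain JSON parser with field checks shows the preferable design. The message type and allowlist are constructed.

```python
"""Untrusted deserialization: the unsafe call, a root-cause fix, and a safer format.

Added example, not SolarWinds code. Python's pickle illustrates the same class
of weakness; the TicketUpdate message and the allowlist are constructed.
"""
import io
import json
import os
import pickle
from dataclasses import dataclass


@dataclass
class TicketUpdate:
    ticket_id: int
    status: str


def load_unsafe(blob):
    """The weak pattern: pickle.loads on remote-controlled bytes resolves any
    importable name the stream asks for while rebuilding objects."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Root-cause fix for code that must keep pickle: only allowlisted names resolve.

    A denylist of known-bad modules is the kind of partial fix that invites a
    follow-up CVE; an allowlist rejects everything the application never needs.
    """
    ALLOWED = {(__name__, "TicketUpdate")}   # the only class this endpoint accepts

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def load_restricted(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_json_update(text):
    """Preferred design: a data-only format with explicit field checks; nothing executes."""
    raw = json.loads(text)
    if set(raw) != {"ticket_id", "status"}:
        raise ValueError("unexpected fields")
    if not isinstance(raw["ticket_id"], int) or raw["status"] not in {"open", "closed"}:
        raise ValueError("bad field value")
    return TicketUpdate(**raw)


def probe():
    """Run the loaders over a legitimate message and over a pickle that merely
    references a function outside the allowlist (os.getcwd, harmless, used only
    to show whether the loader resolves foreign names)."""
    legit = pickle.dumps(TicketUpdate(42, "closed"))
    foreign = pickle.dumps(os.getcwd)
    results = {
        "unsafe_resolves_foreign": load_unsafe(foreign) is os.getcwd,
        "restricted_legit": load_restricted(legit) == TicketUpdate(42, "closed"),
    }
    try:
        load_restricted(foreign)
        results["restricted_blocks_foreign"] = False
    except pickle.UnpicklingError:
        results["restricted_blocks_foreign"] = True
    results["json_legit"] = load_json_update('{"ticket_id": 42, "status": "closed"}') == TicketUpdate(42, "closed")
    return results


if __name__ == "__main__":
    for check, outcome in probe().items():
        print(f"{check:26} {outcome}")
```

The difference between the two fixes is the one Averlon’s comment below is pointing at: blocking one reported gadget leaves the deserializer’s name resolution intact, whereas the allowlist (or dropping the format) removes the capability the whole chain of bypasses depends on.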

Vishal Agarwal, CEO, Averlon had this comment:

   “What stands out is not one critical CVE, but a series of six caused by incomplete fixes of the same underlying weakness. This incident shows how easy it is to patch the reported bug without eliminating the root problem. Engineers are moving fast, working at scale, and are not security specialists. The answer isn’t more expertise. It’s better reasoning that helps teams fix the system, not just the CVE.”

Damon Small, Board of Directors, Xcape, Inc. follows with this comment:

   “SolarWinds’ Web Help Desk has a critical remote code execution vulnerability (CVE-2025-40551) stemming from untrusted data deserialization, which is the same root cause as a flaw patched two years ago, discovered by the same researcher who found the original issue. CISA has added it to the Known Exploited Vulnerabilities catalog, confirming active exploitation and requiring immediate patching to version 2026.1.

   “While this is the only confirmed exploit currently, the January 2026 patch also addressed three other critical vulnerabilities, including authentication bypasses, that could be chained together for full system compromise. Organizations must patch immediately to avoid becoming the next breach headline.

   “When the same researcher finds the bypass to your two-year-old patch, that’s not a vulnerability; that’s a sequel nobody asked for.”

Lydia Zhang, President & Co-Founder, Ridge Security Technology Inc. adds this comment:

   “These CVEs are quite serious and involve Remote Code Execution (RCE) attacks caused by authentication bypass or improper data deserialization. “Help Desk” software is an obvious target and an easy entry point into an enterprise network, enabling attackers to cause further damage. Security teams should patch these vulnerabilities right away.”

I truly thought that we were done with the dumpster fire that was SolarWinds. But I guess like the bad guy who dies at the end of the movie only to come back in the sequel, nothing of this sort truly goes away.

The CISA Puts Out New Post-Quantum Cryptography Guidance

Posted in Commentary with tags on January 26, 2026 by itnerd

The CISA has put out new guidance that identifies product categories where post-quantum cryptography (PQC) is now considered “widely available” and explicitly advises agencies to procure only PQC-capable products in those categories going forward. The update covers cloud services, endpoint security, collaboration software, and web infrastructure, while signaling that networking, identity, and core infrastructure products are close behind.

You can look at the guidance from the CISA here: https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards

Peter Bentley, COO of Patero, a post-quantum cryptography company working with federal agencies, critical infrastructure operators, and defense-adjacent environments, shared his perspective below.

On the “so what” of CISA’s PQC product categories list: “CISA’s new product categories list is less about theory and more about signaling where federal buying power is heading. It tells agencies and vendors alike: these are the technology lanes where post-quantum readiness will matter first. While it isn’t a mandate on its own, it functions as a procurement signal with real compliance gravity—and that makes it a market-shaping lever.”

On what agencies and vendors should not misunderstand: “The biggest mistake would be treating this as a future-dated checklist. Once categories are named, they tend to show up quickly in acquisition language, evaluation criteria, and security reviews. Vendors that wait for a formal mandate risk discovering that they’re already behind the curve when procurements begin to prefer PQC-capable solutions.”

On the biggest technical and operational trap: “The hardest part isn’t selecting a post-quantum algorithm—it’s knowing where cryptography actually lives. Most organizations don’t have a complete cryptographic inventory, and many products weren’t designed for crypto agility. Without that visibility, and arguably developing a Cryptographic Discovery and Inventory best practice, ‘PQC-enabled’ becomes a marketing label instead of a verifiable capability, especially in hybrid or mixed-vendor environments.” Patero provides a comprehensive, easy-to-use tool to establish cryptographic visibility and best practices.

On hybrid deployments and false confidence: “Hybrid approaches are often necessary, but they’re also where programs stumble. If hybrid cryptography isn’t implemented cleanly—with clear boundaries, validation evidence, and a migration path—it can add complexity without delivering real quantum resilience. Buyers will increasingly look past buzzwords and ask what’s actually protected, where, and for how long.”

On what CISA should do next: “To make this list actionable, CISA should pair categories with minimum capability profiles—what functions must be quantum-safe, what evidence buyers should request, and how claims should be validated. That would turn a useful taxonomy into a procurement-ready tool agencies can apply consistently.”

On what industry must do now: “Vendors should assume the window for ‘we’re watching PQC’ is closing. The companies that stay eligible for federal business will be the ones that can show cryptographic inventories, interoperable hybrid deployments, and a credible roadmap—not just algorithm support. Post-quantum readiness is moving from R&D into go-to-market reality.”
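The cryptographic-inventory and “what is protected, where, and for how long” points above, as an added example that is neither CISA’s nor Patero’s tooling: a minimal inventory of where public-key cryptography is used, with a triage rule that puts quantum-vulnerable key exchange protecting long-lived data first (the harvest-now-decrypt-later case), signatures after it, and hybrid or pure PQ deployments in the clear. The scan records, the algorithm families recognised and the ten-year horizon are the example’s own constructed assumptions, not figures from the guidance.

```python
"""A minimal cryptographic inventory with quantum-risk triage.

Added example, not CISA's or Patero's tooling. The records are constructed
(what a scan of configs, certificates and TLS handshakes might produce); the
classification rules and the 10-year horizon are assumptions of the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoUse:
    system: str
    purpose: str              # "key-exchange", "signature" or "data-at-rest"
    algorithm: str            # as reported by the scan
    data_lifetime_years: int  # how long the protected data must stay confidential


# Constructed scan output.
INVENTORY = [
    CryptoUse("vpn-gateway", "key-exchange", "ECDHE-P256", 15),
    CryptoUse("public-web", "key-exchange", "X25519MLKEM768", 1),
    CryptoUse("public-web", "signature", "ECDSA-P256", 1),
    CryptoUse("code-signing", "signature", "RSA-3072", 10),
    CryptoUse("backup-vault", "data-at-rest", "AES-256-GCM", 20),
    CryptoUse("backup-vault", "key-exchange", "RSA-2048", 20),
    CryptoUse("internal-api", "key-exchange", "X25519", 3),
    CryptoUse("firmware-signing", "signature", "ML-DSA-65", 10),
]

PQ_FAMILIES = ("ML-KEM", "MLKEM", "ML-DSA", "SLH-DSA")             # NIST-standardised PQ primitives
CLASSICAL_PK = ("RSA", "ECDHE", "ECDSA", "X25519", "X448", "DH", "P256", "P384")
ASSUMED_CRQC_HORIZON_YEARS = 10   # planning assumption for the example only


def classify(algorithm):
    """'pq-hybrid' when PQ and classical parts are both present, 'pq' for pure PQ,
    'classical-pk' for quantum-vulnerable public-key algorithms, 'symmetric' otherwise."""
    upper = algorithm.upper()
    has_pq = any(f in upper for f in PQ_FAMILIES)
    tokens = [t for t in re.split(r"[^A-Z0-9]+", upper) if t]
    has_classical = any(tok.startswith(f) for tok in tokens for f in CLASSICAL_PK)
    if has_pq and has_classical:
        return "pq-hybrid"
    if has_pq:
        return "pq"
    if has_classical:
        return "classical-pk"
    return "symmetric"   # the example treats symmetric use as outside PQ migration scope


def triage(use):
    """Migration priority for one inventory record."""
    kind = classify(use.algorithm)
    if kind != "classical-pk":
        return "ok"
    if use.purpose in ("key-exchange", "data-at-rest"):
        # Confidentiality can be broken retroactively: recorded traffic or stored
        # ciphertext stays valuable until a CRQC exists, so long-lived data goes first.
        if use.data_lifetime_years >= ASSUMED_CRQC_HORIZON_YEARS:
            return "migrate-first"
        return "migrate"
    # Signatures need a CRQC at the moment of forgery, so there is no retroactive exposure.
    return "migrate-signature"


def report(inventory=INVENTORY):
    """Group records by priority, preserving scan order within each group."""
    grouped = {}
    for use in inventory:
        grouped.setdefault(triage(use), []).append(f"{use.system} {use.purpose} {use.algorithm}")
    return grouped


if __name__ == "__main__":
    for priority, uses in report().items():
        print(priority)
        for line in uses:
            print("   ", line)
```

Two things in the constructed output are worth noticing: the backup vault’s AES-256 storage is not the problem, the RSA-2048 exchange that delivers its keys is, and the public web server’s X25519MLKEM768 handshake counts as ready only because a PQ component is actually negotiated, which is the kind of evidence the guidance’s “PQC-capable” label should be backed by.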