// Articles
389 articles β page 4 of 17
ServiceNow API Security Configuration: Access Controls, ACLs, and Endpoint Hardening to Prevent Zero-Auth Exposure
The ServiceNow API breach highlights the risk of zero-auth API endpoint exposure in SaaS ITSM platforms. ServiceNow's platform provides granular access control mechanisms β ACLs, application scope policies, and API gateway controls β that, if properly configured, limit the blast radius of similar incidents. This guide covers the core security configuration for ServiceNow REST APIs.
ServiceNow Security Assessment: Auditing API Exposure and Access Control Configuration
Following the ServiceNow API breach, organisations should conduct a targeted security assessment of their ServiceNow instance, focusing on API endpoint exposure, unauthenticated access paths, ACL configuration, and service account privilege scope. This assessment guide covers the key checks and how to perform them without specialist ServiceNow security tooling.
ServiceNow Zero-Auth API Exploitation: Customer Instance Data Exposed Through Unauthenticated Endpoint
ServiceNow disclosed an active security incident beginning 2 June in which an unauthenticated API endpoint allowed attackers to query customer instance data including IT ticket contents, asset inventories, and stored credentials. Exploitation began 2 June; ServiceNow patched the endpoint by 5 June. No CVE was assigned at time of disclosure. Organisations should review ServiceNow access logs for the incident window.
Enterprise Java Middleware Security Governance: Bringing WebLogic and JBoss into the Vulnerability Management Programme
Oracle WebLogic, Red Hat JBoss/WildFly, and IBM WebSphere are foundational enterprise application infrastructure that frequently falls outside the scope of corporate vulnerability management programmes. CVE-2024-21182's CISA KEV addition β 18 months after the patch β reflects what happens when middleware is governed outside the security programme.
Oracle WebLogic CVE-2024-21182 Added to CISA KEV β Federal Deadline June 4 as Ransomware Payloads Observed
CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.
Oracle WebLogic Security Assessment Guide: Discovering Exposure Before the Next T3 Exploit
Enterprise Java middleware is often the least-assessed component of the application security programme. Oracle WebLogic installations are frequently discovered during incident response rather than proactive inventory. This guide covers the discovery, assessment, and continuous monitoring steps for WebLogic security.
Oracle WebLogic T3 and IIOP Hardening: Eliminating the Attack Surface Behind CVE-2024-21182
The T3 and IIOP protocols in Oracle WebLogic Server have been the source of 15+ critical vulnerabilities over the past decade. This guide covers the configuration controls that isolate T3/IIOP from untrusted networks β the single most effective defence regardless of which WebLogic CVE is currently being exploited.
Implementing the Active Directory Tier Model: A Practical Guide for Post-Netlogon Environments
Microsoft's Active Directory Tier Model separates administrative access by privilege level to prevent credential theft from cascading into full domain compromise. CVE-2026-41089's impact in poorly segmented environments makes the Tier Model the single highest-leverage post-incident investment. This guide covers the implementation sequence for organisations starting from scratch.
One Week After CVE-2026-41089: Taking Stock of the Netlogon Response Across Enterprise Environments
Seven days after Belgium's CCB confirmed active exploitation of the Netlogon CVSS 9.8 vulnerability, the picture of enterprise response is mixed. Domain controllers in well-governed environments are patched; a significant population of legacy and unmanaged DCs remain exposed. This review covers the response pattern and what it reveals about enterprise patch discipline.
Privileged Access Workstation Deployment: The Missing Piece of Most Active Directory Hardening Programmes
Privileged Access Workstations (PAWs) are the single most effective control for preventing credential theft from domain administrators. They are also the most consistently skipped step in enterprise AD hardening programmes. This guide covers a practical PAW deployment for Tier 0 domain controller administration.
Q2 2026 Enterprise Threat Landscape: Unprecedented Vulnerability Density and What It Means for Security Programmes
Q2 2026 (AprilβJune) has produced more simultaneous high-severity vulnerabilities in enterprise-critical infrastructure than any comparable period in recent years. Netlogon CVSS 9.8, three CVSS 10.0 in UniFi OS, AMD microarchitecture flaws, Linux kernel LPEs, and two Citrix exploitation waves β analysing the pattern reveals structural implications for how enterprises manage vulnerability risk.
Windows Domain Controller Security Monitoring: Building an Event Log Detection Baseline
Effective detection of domain controller attacks requires more than collecting logs β it requires specific audit policy configuration, a curated set of detection rules, and a SIEM pipeline with alert response SLAs. This guide covers the complete baseline configuration for DC security monitoring after CVE-2026-41089 highlighted the importance of pre-compromise visibility.
CISA KEV May 2026: Complete List of Known Exploited Vulnerabilities Added This Month and Enterprise Response Guidance
CISA's Known Exploited Vulnerabilities catalogue received multiple additions in May 2026, including developer toolchain supply-chain compromises, network appliance vulnerabilities, and Microsoft Windows flaws. This guide consolidates the May 2026 KEV additions with enterprise response guidance for each category.
May 2026 Vulnerability Retrospective: Patch Prioritisation Guide for Enterprise Security Teams
May 2026 produced an unusually dense cluster of high-severity vulnerabilities: Netlogon CVSS 9.8, Ubiquiti CVSS 10.0 Γ 3, AMD Zen 2 CVSS 8.8, golang/crypto CVSS 10.0, Linux ptrace four-exploit-chain. This retrospective ranks them by risk for organisations still working through the patching backlog.
Identity Containment After Domain Controller Compromise: IAM Response for CVE-2026-41089 Post-Exploitation
If forensic investigation reveals CVE-2026-41089 exploitation occurred before patching, the identity response is as critical as the technical remediation. All credential material accessible from the domain controller must be treated as compromised. This guide covers the identity containment sequence for a confirmed Active Directory domain controller breach.
Zero-Day Response Maturity: Assessing Your Organisation's Capability Against May 2026's Vulnerability Cluster
May 2026 produced multiple simultaneous zero-days and CVSS 9.0+ vulnerabilities with active exploitation. The month serves as an inadvertent assessment of enterprise vulnerability response capability. This framework evaluates response maturity across five dimensions using the month's events as test cases.
Domain Controller Hardening After Netlogon CVE-2026-41089: Reducing the Attack Surface Beyond Patching
Patching CVE-2026-41089 closes the specific vulnerability, but domain controllers remain highly targeted infrastructure. This guide covers the access control, network segmentation, and monitoring controls that reduce DC attack surface against the class of unauthenticated RCE threats that Netlogon represents.
Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise
With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation β the forensic indicators are specific and searchable.
Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface
CVE-2026-41089's exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions β made during infrastructure design, sometimes years ago β directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.
Netlogon CVE-2026-41089: Enterprise Risk Management Framework for Active Directory Compromise Scenarios
A CVSS 9.8 vulnerability with active exploitation and a public PoC against domain controllers requires risk management decisions at the business level, not just patching at the technical level. This guide covers the risk assessment, escalation triggers, and business continuity considerations that security leadership should present to boards and executives.
Windows Netlogon CVE-2026-41089 (CVSS 9.8): Unauthenticated Domain Controller RCE Now Actively Exploited
Belgium's Centre for Cybersecurity (CCB) confirmed active exploitation of CVE-2026-41089 on 29 May β a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) that allows unauthenticated remote code execution on domain controllers. CVSS 9.8. A public PoC is available. Patch domain controllers as an emergency priority.
AMD Zen 2 Firmware Update Strategy: Managing CPU Microcode Patches Across Enterprise Hardware
CVE-2026-46174 requires a PI firmware (BIOS/UEFI) update to deliver the AMD Zen 2 microcode fix β not a software patch. For enterprises running AMD EPYC Rome servers or Zen 2-based workstations, this means a separate patch track from OS-level vulnerability management. An asset-based approach to CPU generation inventory is the prerequisite.
AMD Zen 2 CVE-2026-46174: Operation Cache Microarchitecture Flaw Enables Kernel Privilege Escalation
AMD published Security Bulletin AMD-SB-7052 on 28 May for CVE-2026-46174, a microarchitectural flaw in Zen 2 processor operation caches. A local attacker can exploit timing characteristics of the op-cache to execute code with kernel privileges from a userspace context. PI firmware updates are required; the Xen Project also issued XSA-490 for virtualisation platform impacts.
Citrix NetScaler CVE-2026-3055 Exploitation Escalates β Fortinet Confirms Large-Scale Attacks on Internet-Facing ADC
Fortinet's threat intelligence team has confirmed large-scale active exploitation of CVE-2026-3055, the Citrix NetScaler SAML IDP memory overread vulnerability (CVSSv4 9.3) patched in March. More than 65 days after the patch was available, thousands of internet-facing NetScaler ADC appliances remain unpatched and are being targeted by automated exploitation frameworks.