<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>CipherWatch — Security Architecture &amp; Engineering</title><description>Security intelligence covering Security Architecture &amp; Engineering: Secure design principles, cryptography, physical security, and security models.</description><link>https://cipherwatch.io/</link><language>en-gb</language><item><title>Fortinet FortiSandbox CVE-2026-25089 (CVSS 9.8): Unauthenticated Command Injection in Web Management UI</title><link>https://cipherwatch.io/articles/2026-06-14-fortinet-fortisandbox-cve-2026-25089-rce-cvss-9-8/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-14-fortinet-fortisandbox-cve-2026-25089-rce-cvss-9-8/</guid><description>Fortinet has patched a critical command injection vulnerability in FortiSandbox that allows an unauthenticated remote attacker to execute arbitrary system commands through the web management interface. CVE-2026-25089, rated CVSS 9.8, requires no credentials to exploit and affects FortiSandbox versions through 5.4.5 — a particularly sensitive target given the appliance&apos;s privileged role in malware analysis.</description><pubDate>Sun, 14 Jun 2026 00:00:00 GMT</pubDate><category>fortinet</category><category>fortisandbox</category><category>command-injection</category><category>cve-2026-25089</category><category>unauthenticated-rce</category><category>security-appliance</category></item><item><title>BitLocker Bypass CVE-2026-50507 and the Physical Security Gap in Laptop Data Protection</title><link>https://cipherwatch.io/articles/2026-06-13-bitlocker-bypass-physical-security-device-theft/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-13-bitlocker-bypass-physical-security-device-theft/</guid><description>CVE-2026-50507 bypasses BitLocker pre-boot authentication on devices using TPM-only mode, enabling data access from a stolen device without the Windows login password. 
With corporate laptops regularly carrying sensitive data, financial information, and cached credentials, the physical theft scenario this vulnerability enables has significant business impact beyond IT.</description><pubDate>Sat, 13 Jun 2026 00:00:00 GMT</pubDate><category>bitlocker</category><category>cve-2026-50507</category><category>physical-security</category><category>disk-encryption</category><category>tpm</category><category>laptop-security</category><category>data-protection</category><category>windows</category><category>endpoint-security</category></item><item><title>June Patch Tuesday Zero-Days: BitLocker Bypass CVE-2026-50507 and CTFMON Privilege Escalation CVE-2026-45586</title><link>https://cipherwatch.io/articles/2026-06-10-windows-bitlocker-bypass-ctfmon-eop-june-zero-days/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-10-windows-bitlocker-bypass-ctfmon-eop-june-zero-days/</guid><description>Two of June 2026&apos;s six publicly disclosed zero-days target security boundaries rather than remote execution: CVE-2026-50507 bypasses BitLocker pre-boot authentication on stolen devices, and CVE-2026-45586 enables local privilege escalation through the Windows Text Services Framework. 
Both carry named researcher disclosures and appear in active post-exploitation toolkits.</description><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate><category>bitlocker</category><category>ctfmon</category><category>cve-2026-50507</category><category>cve-2026-45586</category><category>windows</category><category>zero-day</category><category>privilege-escalation</category><category>disk-encryption</category><category>physical-security</category></item><item><title>Three CVSS 9.8 Windows Flaws Demand Emergency Action: Kernel RCE, Wormable HTTP.sys, and DHCP Client</title><link>https://cipherwatch.io/articles/2026-06-10-windows-kernel-http-sys-dhcp-cve-2026-45657-47291-44815-critical/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-10-windows-kernel-http-sys-dhcp-cve-2026-45657-47291-44815-critical/</guid><description>CVE-2026-45657 (Windows Kernel), CVE-2026-47291 (HTTP.sys), and CVE-2026-44815 (DHCP Client) each carry CVSS 9.8 and enable unauthenticated remote code execution. All three were publicly disclosed before Microsoft&apos;s June patch, giving attackers a head start. 
This article provides technical detail and remediation guidance for each flaw.</description><pubDate>Wed, 10 Jun 2026 00:00:00 GMT</pubDate><category>windows</category><category>http-sys</category><category>dhcp</category><category>cve-2026-45657</category><category>cve-2026-47291</category><category>cve-2026-44815</category><category>rce</category><category>wormable</category><category>patch-tuesday</category><category>cvss-9-8</category><category>kernel</category></item><item><title>CVE-2026-46243: 19-Year-Old Linux CIFS Kernel Flaw Grants Unprivileged Local Root Across Major Distributions</title><link>https://cipherwatch.io/articles/2026-06-03-linux-cifs-cve-2026-46243-kernel-root-privilege-escalation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-03-linux-cifs-cve-2026-46243-kernel-root-privilege-escalation/</guid><description>A long-latent vulnerability in the Linux kernel&apos;s CIFS filesystem subsystem allows any unprivileged local user to forge an upcall key and escalate directly to root. Patched kernels reached distribution repositories on 2–3 June; Red Hat, AlmaLinux, Rocky Linux, and CloudLinux all issued security advisories on 3 June. A public proof-of-concept exists.</description><pubDate>Wed, 03 Jun 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>cifs</category><category>privilege-escalation</category><category>cve-2026-46243</category><category>local-root</category><category>lpe</category><category>patch</category></item><item><title>Oracle WebLogic T3 and IIOP Hardening: Eliminating the Attack Surface Behind CVE-2024-21182</title><link>https://cipherwatch.io/articles/2026-06-01-oracle-weblogic-t3-iiop-hardening-guide/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-06-01-oracle-weblogic-t3-iiop-hardening-guide/</guid><description>The T3 and IIOP protocols in Oracle WebLogic Server have been the source of 15+ critical vulnerabilities over the past decade. 
This guide covers the configuration controls that isolate T3/IIOP from untrusted networks — the single most effective defence regardless of which WebLogic CVE is currently being exploited.</description><pubDate>Mon, 01 Jun 2026 00:00:00 GMT</pubDate><category>oracle</category><category>weblogic</category><category>t3-protocol</category><category>iiop</category><category>hardening</category><category>java-deserialization</category><category>middleware-security</category><category>network-controls</category></item><item><title>Privileged Access Workstation Deployment: The Missing Piece of Most Active Directory Hardening Programmes</title><link>https://cipherwatch.io/articles/2026-05-31-privileged-access-workstation-deployment-guide/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-31-privileged-access-workstation-deployment-guide/</guid><description>Privileged Access Workstations (PAWs) are the single most effective control for preventing credential theft from domain administrators. They are also the most consistently skipped step in enterprise AD hardening programmes. 
This guide covers a practical PAW deployment for Tier 0 domain controller administration.</description><pubDate>Sun, 31 May 2026 00:00:00 GMT</pubDate><category>paw</category><category>privileged-access</category><category>active-directory</category><category>domain-controller</category><category>hardening</category><category>credential-protection</category><category>windows-security</category></item><item><title>Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface</title><link>https://cipherwatch.io/articles/2026-05-29-netlogon-dc-network-architecture-attack-surface/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-29-netlogon-dc-network-architecture-attack-surface/</guid><description>CVE-2026-41089&apos;s exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions — made during infrastructure design, sometimes years ago — directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.</description><pubDate>Fri, 29 May 2026 00:00:00 GMT</pubDate><category>domain-controller</category><category>network-architecture</category><category>segmentation</category><category>active-directory</category><category>netlogon</category><category>cve-2026-41089</category><category>zero-trust</category><category>attack-surface</category></item><item><title>AMD Zen 2 CVE-2026-46174: Operation Cache Microarchitecture Flaw Enables Kernel Privilege Escalation</title><link>https://cipherwatch.io/articles/2026-05-28-amd-zen2-cve-2026-46174-op-cache-privilege-escalation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-28-amd-zen2-cve-2026-46174-op-cache-privilege-escalation/</guid><description>AMD published Security Bulletin AMD-SB-7052 on 28 May for CVE-2026-46174, a microarchitectural flaw in Zen 2 processor operation caches. 
A local attacker can exploit timing characteristics of the op-cache to execute code with kernel privileges from a userspace context. PI firmware updates are required; the Xen Project also issued XSA-490 for virtualisation platform impacts.</description><pubDate>Thu, 28 May 2026 00:00:00 GMT</pubDate><category>amd</category><category>zen2</category><category>cve-2026-46174</category><category>microarchitecture</category><category>privilege-escalation</category><category>cpu-vulnerability</category><category>firmware</category><category>xen</category></item><item><title>Hardening Windows Environments When No Patch Exists: Response Architecture for MiniPlasma and Similar Zero-Days</title><link>https://cipherwatch.io/articles/2026-05-25-unpatched-windows-zero-day-response-hardening/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-25-unpatched-windows-zero-day-response-hardening/</guid><description>When a working proof-of-concept for a Windows privilege escalation zero-day is public and no vendor patch exists, the defender&apos;s playbook shifts from patching to attack surface reduction. 
Layered controls can meaningfully raise the bar even when the vulnerable component cannot be removed.</description><pubDate>Mon, 25 May 2026 00:00:00 GMT</pubDate><category>windows</category><category>zero-day</category><category>hardening</category><category>application-control</category><category>attack-surface-reduction</category><category>wdac</category><category>applocker</category><category>defense-in-depth</category></item><item><title>Securing RAG Pipeline Architecture: Vector Databases Are the New Unmanaged Attack Surface in Enterprise AI</title><link>https://cipherwatch.io/articles/2026-05-20-rag-pipeline-security-architecture-vector-databases/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-20-rag-pipeline-security-architecture-vector-databases/</guid><description>The ChromaDB CVE-2026-45829 disclosure exposes a systemic architectural gap in enterprise AI deployments: vector databases used in retrieval-augmented generation pipelines are being deployed without the security controls applied to comparable databases handling sensitive data. 
The attack surface analysis and architectural recommendations for secure RAG pipeline design apply regardless of which vector database product is in use.</description><pubDate>Wed, 20 May 2026 00:00:00 GMT</pubDate><category>rag-pipeline</category><category>vector-database</category><category>ai-security</category><category>chromadb</category><category>security-architecture</category><category>llm-security</category><category>data-protection</category></item><item><title>The Pwn2Own 90-Day Clock: How Defenders Should Use the Patch Window Before Public Disclosure</title><link>https://cipherwatch.io/articles/2026-05-18-pwn2own-90-day-patch-clock-defender-timeline/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-18-pwn2own-90-day-patch-clock-defender-timeline/</guid><description>Pwn2Own&apos;s 90-day coordinated disclosure rule gives vendors time to patch before technical details are made public. For enterprise defenders, the same 90 days is a known timeline during which the confirmed existence of specific zero-days — but not their technical details — is public. 
Understanding how to use that window is an underexplored aspect of enterprise vulnerability management.</description><pubDate>Mon, 18 May 2026 00:00:00 GMT</pubDate><category>vulnerability-management</category><category>patch-management</category><category>pwn2own</category><category>coordinated-disclosure</category><category>cvd</category><category>enterprise-security</category></item><item><title>VMware ESXi Cross-Tenant Code Execution Demonstrated at Pwn2Own Berlin — $200K Prize for Single-Bug Hypervisor Escape</title><link>https://cipherwatch.io/articles/2026-05-16-vmware-esxi-pwn2own-cross-tenant-code-execution/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-16-vmware-esxi-pwn2own-cross-tenant-code-execution/</guid><description>STARLabs SG earned $200,000 at Pwn2Own Berlin 2026 for a single vulnerability enabling cross-tenant code execution on VMware ESXi, allowing code running in one virtual machine to execute in a separate guest VM on the same hypervisor host. 
The bug has not been assigned a CVE and will not be publicly disclosed for up to 90 days.</description><pubDate>Sat, 16 May 2026 00:00:00 GMT</pubDate><category>vmware</category><category>esxi</category><category>hypervisor</category><category>pwn2own</category><category>virtualisation</category><category>cross-tenant</category><category>zero-day</category></item><item><title>Windows BitLocker Zero-Day &apos;YellowKey&apos; Published with PoC — WinRE Bypass Decrypts Protected Drives Without Authentication</title><link>https://cipherwatch.io/articles/2026-05-13-windows-bitlocker-yellowkey-zero-day-poc-winre/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-13-windows-bitlocker-yellowkey-zero-day-poc-winre/</guid><description>Researcher collective Chaotic Eclipse released a proof-of-concept exploit for &apos;YellowKey,&apos; an unpatched Windows BitLocker bypass that abuses the Windows Recovery Environment to gain access to encrypted drives without the PIN or password. No CVE has been assigned yet and Microsoft has not released a patch. Organisations relying on BitLocker for endpoint data protection should assess their exposure.</description><pubDate>Wed, 13 May 2026 00:00:00 GMT</pubDate><category>bitlocker</category><category>zero-day</category><category>windows</category><category>poc</category><category>encryption-bypass</category></item><item><title>AMD Discloses Elevation of Privilege Vulnerability in Zen 2 Micro-Op Cache — Microcode and Firmware Updates Required</title><link>https://cipherwatch.io/articles/2026-05-12-amd-zen2-opcache-elevation-privilege-microcode/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-12-amd-zen2-opcache-elevation-privilege-microcode/</guid><description>AMD has disclosed an elevation-of-privilege vulnerability in the micro-op cache of Zen 2 processors, where a low-privileged process can exploit speculative execution behaviour to access privileged memory content. 
Full remediation requires microcode updates delivered via OEM BIOS firmware. Zen 3 and later generations are not affected. Dell PowerEdge EPYC Rome servers and AMD EPYC Rome cloud instances require priority attention.</description><pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate><category>amd</category><category>cpu-vulnerability</category><category>privilege-escalation</category><category>speculative-execution</category><category>firmware</category></item><item><title>SAP May 2026 Security Patch Day: Critical SQL Injection in S/4HANA and Unauthenticated RCE in Commerce Cloud</title><link>https://cipherwatch.io/articles/2026-05-12-sap-may-2026-patch-day-critical-s4hana-commerce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-12-sap-may-2026-patch-day-critical-s4hana-commerce/</guid><description>SAP&apos;s May 2026 Security Patch Day addresses 14 vulnerabilities including two Critical-rated flaws: a SQL injection in S/4HANA Enterprise Search (CVE-2026-34260, CVSS 9.6) and an unauthenticated remote code execution in Commerce Cloud&apos;s Spring Security configuration (CVE-2026-34263, CVSS 9.6). Organisations running SAP ERP or e-commerce infrastructure should patch immediately.</description><pubDate>Tue, 12 May 2026 00:00:00 GMT</pubDate><category>sap</category><category>sql-injection</category><category>rce</category><category>erp</category><category>enterprise-software</category></item><item><title>Attackers Abuse Google Ads and Claude.ai Conversations to Deliver macOS Malware to Developers</title><link>https://cipherwatch.io/articles/2026-05-11-google-ads-claudeai-mac-malware-campaign/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-11-google-ads-claudeai-mac-malware-campaign/</guid><description>A campaign targeting macOS users — particularly developers — is abusing both Google Ads and Claude.ai chat conversations as malware delivery vectors. 
Malicious ads impersonating developer tools redirect to sites hosting macOS malware, while a second vector embeds download links in Claude.ai conversations shared with targets. The campaign has updated the MacSync infostealer family with new macOS Sequoia-compatible components.</description><pubDate>Mon, 11 May 2026 00:00:00 GMT</pubDate><category>macos</category><category>malware</category><category>google-ads</category><category>claude-ai</category><category>malvertising</category><category>infostealer</category><category>developer-targeting</category><category>macsynced</category></item><item><title>Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch</title><link>https://cipherwatch.io/articles/2026-05-10-microsoft-edge-plaintext-password-process-memory/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-10-microsoft-edge-plaintext-password-process-memory/</guid><description>Security researchers have documented that Microsoft Edge&apos;s built-in password manager stores user-saved passwords in cleartext within the browser&apos;s process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. 
Users relying on Edge&apos;s password manager for credential storage should understand what this means for their threat model.</description><pubDate>Sun, 10 May 2026 00:00:00 GMT</pubDate><category>microsoft-edge</category><category>password-manager</category><category>credential-security</category><category>memory-security</category><category>process-dump</category><category>browser-security</category><category>design-flaw</category></item><item><title>Proton Mail Adds Post-Quantum Encryption for New Emails to Counter Harvest-Now-Decrypt-Later Attacks</title><link>https://cipherwatch.io/articles/2026-05-10-proton-mail-post-quantum-encryption-pqc/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-10-proton-mail-post-quantum-encryption-pqc/</guid><description>Proton Mail has added optional post-quantum encryption for new emails sent between Proton Mail accounts, protecting against harvest-now-decrypt-later (HNDL) attacks in which adversaries collect encrypted communications today with the intention of decrypting them when sufficiently powerful quantum computers become available. The feature uses the CRYSTALS-Kyber (ML-KEM) algorithm standardised by NIST in 2024. 
Existing encrypted emails are not retroactively re-encrypted.</description><pubDate>Sun, 10 May 2026 00:00:00 GMT</pubDate><category>post-quantum</category><category>cryptography</category><category>proton-mail</category><category>email-security</category><category>pqc</category><category>ml-kem</category><category>kyber</category><category>harvest-now-decrypt-later</category></item><item><title>Eclipse BaSyx ICS Platform: CVE-2026-7411 CVSS 10.0 Path Traversal RCE Threatens Industrial Asset Administration</title><link>https://cipherwatch.io/articles/2026-05-07-eclipse-basyx-cve-2026-7411-cvss10-ics-rce/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-07-eclipse-basyx-cve-2026-7411-cvss10-ics-rce/</guid><description>Two critical vulnerabilities in Eclipse BaSyx V2 — the open-source Industrial Internet of Things Asset Administration Shell implementation used in Industry 4.0 infrastructure — allow an unauthenticated attacker to achieve remote code execution and bypass network segmentation. CVE-2026-7411 (CVSS 10.0) enables arbitrary file write on the BaSyx server; CVE-2026-7412 (CVSS 8.6) enables blind SSRF that can bypass OT network isolation. 
Patches are available in BaSyx V2 milestone-10.</description><pubDate>Thu, 07 May 2026 00:00:00 GMT</pubDate><category>ics</category><category>ot-security</category><category>eclipse-basyx</category><category>industry-4</category><category>asset-administration-shell</category><category>cve</category><category>rce</category><category>ssrf</category><category>iiot</category><category>critical-infrastructure</category></item><item><title>Firefox and Tor Browser CVE-2026-6770 — IndexedDB Cross-Origin Data Leak Exposes User Browsing Identity</title><link>https://cipherwatch.io/articles/2026-05-07-firefox-tor-cve-2026-6770-indexeddb-cross-origin-leak/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-07-firefox-tor-cve-2026-6770-indexeddb-cross-origin-leak/</guid><description>A cross-origin data leakage vulnerability in Firefox and Tor Browser&apos;s IndexedDB implementation allows a malicious web page to read data stored by other origins in the IndexedDB API — potentially identifying users by their stored browsing data and breaking the origin isolation that Tor Browser&apos;s anonymity model depends on. CVE-2026-6770 is fixed in Firefox 130.0.1 and a Tor Browser update. 
Tor Browser users should update immediately given the privacy implications.</description><pubDate>Thu, 07 May 2026 00:00:00 GMT</pubDate><category>firefox</category><category>tor-browser</category><category>cve</category><category>privacy</category><category>indexeddb</category><category>cross-origin</category><category>anonymity</category><category>browser-security</category></item><item><title>OpenSSH CVE-2026-35414 — Certificate Authentication Bypass via Comma Bug Grants Root Access</title><link>https://cipherwatch.io/articles/2026-05-05-openssh-cve-2026-35414-certificate-auth-bypass/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-05-openssh-cve-2026-35414-certificate-auth-bypass/</guid><description>A single-character defect in OpenSSH&apos;s certificate Subject Alternative Name parsing allows an attacker with a maliciously crafted certificate to bypass host-based and user certificate authentication entirely, potentially gaining unauthorised access to systems relying on certificate-based SSH for privileged access. Researchers have named the vulnerability SplitSSHell. 
Operators using OpenSSH certificate authentication for root or privileged user access should review their CA trust chains immediately.</description><pubDate>Tue, 05 May 2026 00:00:00 GMT</pubDate><category>openssh</category><category>cve</category><category>certificate-authentication</category><category>cryptography</category><category>linux</category><category>infrastructure-security</category><category>privileged-access</category></item><item><title>Lotus Wiper Targets Venezuelan Energy Infrastructure in ICS-Aware Sabotage Campaign</title><link>https://cipherwatch.io/articles/2026-05-04-lotus-wiper-venezuela-energy-ics-sabotage/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-04-lotus-wiper-venezuela-energy-ics-sabotage/</guid><description>A destructive wiper malware tracked as Lotus Wiper has been deployed against Venezuelan state energy company PDVSA and associated electricity generation infrastructure. Unlike generic wipers, Lotus Wiper includes ICS-aware modules that identify and corrupt engineering workstation configurations, HMI databases, and OT historian data before wiping. 
The campaign represents the most targeted wiper deployment against Latin American energy infrastructure on record.</description><pubDate>Mon, 04 May 2026 00:00:00 GMT</pubDate><category>wiper-malware</category><category>ics</category><category>ot-security</category><category>venezuela</category><category>energy-sector</category><category>critical-infrastructure</category><category>pdvsa</category><category>sabotage</category></item><item><title>Linux CopyFail LPE Added to CISA KEV With Active Exploitation Confirmed — CVE-2026-31431</title><link>https://cipherwatch.io/articles/2026-05-02-linux-copyfail-cisa-kev-active-exploitation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-02-linux-copyfail-cisa-kev-active-exploitation/</guid><description>CISA has added CVE-2026-31431 — the Linux kernel copy-on-write race condition LPE disclosed last week as &apos;CopyFail&apos; — to the Known Exploited Vulnerabilities catalogue following confirmed active exploitation. All major Linux distributions have patches available. 
Federal agencies face a May 20 remediation deadline and all enterprise organisations should treat kernel patching as urgent.</description><pubDate>Sat, 02 May 2026 00:00:00 GMT</pubDate><category>linux-kernel</category><category>privilege-escalation</category><category>cisa-kev</category><category>actively-exploited</category><category>lpe</category><category>kernel-hardening</category></item><item><title>Linux &apos;CopyFail&apos; Kernel Privilege Escalation — Root Access on All Major Distributions Since 2017</title><link>https://cipherwatch.io/articles/2026-05-01-linux-copy-fail-lpe-kernel-all-distros/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-05-01-linux-copy-fail-lpe-kernel-all-distros/</guid><description>A newly weaponised local privilege escalation vulnerability in the Linux kernel&apos;s copy-on-write mechanism allows unprivileged local users to gain root access on virtually all major Linux distributions running kernels from 2017 onwards. A working public exploit has been released. 
Kernel patches are available; organisations running Linux servers, containers, and cloud instances should patch immediately.</description><pubDate>Fri, 01 May 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>lpe</category><category>copy-on-write</category><category>privilege-escalation</category><category>actively-exploited</category><category>server-security</category></item><item><title>CISA ICS Advisory: Milesight AIOT Cameras Carry Five CVEs Including CVSS 9.8 Hard-Coded SSL Key Flaw</title><link>https://cipherwatch.io/articles/2026-04-29-milesight-aiot-camera-cisa-ics-advisory-five-cves/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-29-milesight-aiot-camera-cisa-ics-advisory-five-cves/</guid><description>CISA advisory ICSA-26-113-03 covers five vulnerabilities across 18-plus Milesight AIOT camera model families, including a CVSS 9.8 flaw where all devices share a hard-coded factory SSL private key that cannot be changed. An attacker with the key — which is extractable from any unit — can conduct undetectable man-in-the-middle attacks against the entire deployed fleet. 
Organisations using Milesight cameras in operational technology or physical security environments should isolate these devices immediately.</description><pubDate>Wed, 29 Apr 2026 00:00:00 GMT</pubDate><category>ics</category><category>cisa-advisory</category><category>iot-security</category><category>hard-coded-credentials</category><category>camera</category><category>cve-2026-32644</category></item><item><title>SentinelLabs Uncovers Fast16 — NSA-Linked OT Sabotage Malware Active Five Years Before Stuxnet</title><link>https://cipherwatch.io/articles/2026-04-28-fast16-pre-stuxnet-nsa-ota-malware-sentinel-labs/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-28-fast16-pre-stuxnet-nsa-ota-malware-sentinel-labs/</guid><description>SentinelLabs has published research identifying Fast16, a Lua-based OT sabotage framework compiled in 2005 that predates Stuxnet and is attributed to a US intelligence-linked operation targeting Iranian high-precision calculation software. The discovery rewrites the timeline of state-sponsored ICS sabotage and provides new technical context for understanding the development of destructive OT malware.</description><pubDate>Tue, 28 Apr 2026 00:00:00 GMT</pubDate><category>ot-security</category><category>ics</category><category>malware-research</category><category>state-sponsored</category><category>stuxnet</category><category>lua</category><category>sabotage</category></item><item><title>Linux Kernel nf_tables Use-After-Free CVE-2026-23231 Enables Privilege Escalation on Most Distributions</title><link>https://cipherwatch.io/articles/2026-04-27-linux-kernel-nf-tables-cve-2026-23231-lpe/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-27-linux-kernel-nf-tables-cve-2026-23231-lpe/</guid><description>A use-after-free vulnerability in the Linux kernel&apos;s nf_tables netfilter subsystem allows a local attacker to escalate privileges to root on unpatched systems. 
CVE-2026-23231 affects kernels 5.14 through 6.9 and most major distributions including RHEL 9, Ubuntu 22.04/24.04, Debian 12, and SLES 15. Stable kernel patches are available and distribution security teams are issuing advisories.</description><pubDate>Mon, 27 Apr 2026 00:00:00 GMT</pubDate><category>linux-kernel</category><category>use-after-free</category><category>privilege-escalation</category><category>netfilter</category><category>cve-2026-23231</category></item><item><title>CVE-2026-6074: Unauthenticated Path Traversal in Intrado 911 Emergency Gateway Threatens PSAP Call Routing</title><link>https://cipherwatch.io/articles/2026-04-26-cve-2026-6074-intrado-911-emergency-gateway/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-26-cve-2026-6074-intrado-911-emergency-gateway/</guid><description>CISA ICS advisory ICSA-26-113-06 discloses CVE-2026-6074, a CVSS 9.1 path traversal flaw in Intrado 911 Emergency Gateway versions 5.x–7.x that allows unauthenticated network access to read, write, and delete arbitrary files on the management interface. Exploitation could modify 911 call routing rules or disable emergency call processing. 
Intrado patched on March 2 2026 and is directly contacting affected PSAP operators.</description><pubDate>Sun, 26 Apr 2026 00:00:00 GMT</pubDate><category>ics</category><category>critical-infrastructure</category><category>911</category><category>cisa-advisory</category><category>path-traversal</category><category>unauthenticated</category><category>cvss-critical</category></item><item><title>Azure IoT Central Privilege Escalation via Sensitive Data Exposure — CVSS 9.9</title><link>https://cipherwatch.io/articles/2026-04-24-azure-iot-central-privilege-escalation-cve-2026-21515/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-azure-iot-central-privilege-escalation-cve-2026-21515/</guid><description>A CVSS 9.9 privilege escalation vulnerability in Azure IoT Central exposes sensitive platform data allowing authenticated low-privilege attackers to gain administrative control. April 2026 Patch Tuesday addressed the flaw — audit IoT Central role assignments and rotate provisioning credentials now.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>azure</category><category>iot</category><category>privilege-escalation</category><category>cloud-security</category><category>patch-tuesday</category></item><item><title>CISA Advisory: TPM 2.0 Out-of-Bounds Read in Siemens SIMATIC Industrial PCs (CVE-2025-2884)</title><link>https://cipherwatch.io/articles/2026-04-24-siemens-simatic-ics-tpm-cve-2025-2884-cisa-advisory/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-24-siemens-simatic-ics-tpm-cve-2025-2884-cisa-advisory/</guid><description>CISA advisory ICSA-26-111-01 covers a TPM 2.0 out-of-bounds read vulnerability in Siemens SIMATIC CN 4100, Field PG M5/M6, and IPC BX series industrial computers. 
The flaw enables information disclosure or denial of service against the hardware root of trust, with direct implications for Secure Boot integrity and the trusted execution environment of industrial control systems.</description><pubDate>Fri, 24 Apr 2026 00:00:00 GMT</pubDate><category>ics</category><category>siemens</category><category>simatic</category><category>tpm</category><category>hardware-security</category><category>ot-security</category><category>cisa-advisory</category><category>secure-boot</category></item><item><title>CVE-2026-5194: Critical wolfSSL Flaw Enables Certificate Forgery Across 5 Billion Devices</title><link>https://cipherwatch.io/articles/2026-04-17-wolfssl-cve-2026-5194-certificate-forgery/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-17-wolfssl-cve-2026-5194-certificate-forgery/</guid><description>A critical cryptographic validation flaw in wolfSSL, a lightweight TLS library embedded in billions of IoT devices, routers, industrial control systems, and automotive components, allows attackers to present forged X.509 certificates that pass signature verification without a legitimate private key. The vulnerability enables man-in-the-middle attacks and authentication bypass across an enormous installed base. 
wolfSSL version 5.9.1, released 8 April 2026, provides the fix.</description><pubDate>Fri, 17 Apr 2026 00:00:00 GMT</pubDate><category>cve-2026-5194</category><category>wolfssl</category><category>tls</category><category>certificate-forgery</category><category>iot</category><category>cryptography</category></item><item><title>OpenSSH 10.3 Patches CVE-2026-35385 — SCP Privilege Escalation via Setuid Bit Preservation</title><link>https://cipherwatch.io/articles/2026-04-16-openssh-10-3-cve-2026-35385-scp-privilege-escalation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-16-openssh-10-3-cve-2026-35385-scp-privilege-escalation/</guid><description>OpenSSH 10.3 fixes CVE-2026-35385 (CVSS 7.5), a privilege escalation flaw in the legacy SCP protocol where files downloaded as root without the -p flag may retain their setuid or setgid bits. Any Linux or macOS system with OpenSSH prior to 10.3 and a workflow involving scp downloads as root is affected.</description><pubDate>Thu, 16 Apr 2026 00:00:00 GMT</pubDate><category>openssh</category><category>ssh</category><category>scp</category><category>privilege-escalation</category><category>linux</category><category>setuid</category><category>cve-2026-35385</category><category>openssh-10-3</category><category>priority-product</category></item><item><title>Linux Kernel Netfilter Vulnerability Batch: CVE-2026-31414 and Cluster Require Prompt Patching</title><link>https://cipherwatch.io/articles/2026-04-14-linux-kernel-netfilter-cve-2026-31414-patch-batch/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-14-linux-kernel-netfilter-cve-2026-31414-patch-batch/</guid><description>A cluster of Linux kernel vulnerabilities in the netfilter subsystem — led by CVE-2026-31414 — has been patched across stable kernel branches, affecting versions 6.1 through 6.10. The flaws span NULL pointer dereferences and connection tracking weaknesses that can cause privilege escalation or denial of service. 
Enterprise Linux distributions are releasing updates; unmanaged servers and container hosts running custom kernel builds require manual attention.</description><pubDate>Tue, 14 Apr 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>netfilter</category><category>cve</category><category>privilege-escalation</category><category>denial-of-service</category><category>patch</category><category>server-security</category></item><item><title>NSA&apos;s January 2027 PQC Deadline Is Nine Months Away — Enterprise Migration Is Now Mandatory</title><link>https://cipherwatch.io/articles/2026-04-10-cnsa-2-post-quantum-cryptography-2027-deadline/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-10-cnsa-2-post-quantum-cryptography-2027-deadline/</guid><description>With NIST&apos;s post-quantum cryptography standards finalised and the NSA&apos;s CNSA 2.0 deadline requiring all new National Security System acquisitions to be quantum-resistant by January 2027, the migration window for enterprise and federal contractor environments is closing fast. Most organisations have yet to inventory their cryptographic assets, let alone begin migration.</description><pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate><category>post-quantum</category><category>cryptography</category><category>pqc</category><category>nist</category><category>cnsa-2</category><category>migration</category><category>encryption</category><category>quantum-computing</category></item><item><title>Secure Boot Certificates Expire June 2026 — Enterprise Action Window Is Now</title><link>https://cipherwatch.io/articles/2026-04-10-secure-boot-certificate-expiry-june-2026/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-10-secure-boot-certificate-expiry-june-2026/</guid><description>Microsoft&apos;s 2011 Secure Boot signing certificates expire on 26 June 2026, with the Windows bootloader certificate following in October. 
Organisations that fail to apply firmware and OS updates before these deadlines lose the ability to receive boot-level security fixes and risk UEFI bootkit exposure. Microsoft began displaying warnings in the Windows Security app in April 2026, but the update process requires OEM firmware coordination that takes weeks.</description><pubDate>Fri, 10 Apr 2026 00:00:00 GMT</pubDate><category>secure-boot</category><category>uefi</category><category>certificate-expiry</category><category>microsoft</category><category>bootkit</category><category>pki</category><category>firmware</category><category>windows</category><category>enterprise-security</category></item><item><title>Linux Kernel AP VLAN Flaw CVE-2026-31394 Allows Privilege Escalation in Virtualised and Cloud Environments</title><link>https://cipherwatch.io/articles/2026-04-05-linux-kernel-cve-2026-31394-ap-vlan-privilege-escalation/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-05-linux-kernel-cve-2026-31394-ap-vlan-privilege-escalation/</guid><description>CVE-2026-31394 is a privilege escalation vulnerability in the Linux kernel&apos;s AP VLAN (access point virtual LAN) network driver. Highlighted in Microsoft&apos;s Windows Update security reference guide and tracked by multiple Linux distributions, the flaw allows a local user with network namespace access to escalate privileges. 
Virtual machine hosts, Kubernetes nodes, and container infrastructure are the highest-risk deployment contexts.</description><pubDate>Sun, 05 Apr 2026 00:00:00 GMT</pubDate><category>linux</category><category>kernel</category><category>cve-2026-31394</category><category>privilege-escalation</category><category>vlan</category><category>virtualisation</category><category>kubernetes</category><category>container</category></item><item><title>Apple macOS CoreMedia Out-of-Bounds Write RCE Disclosed — Remote Exploitation via Malicious Media Files</title><link>https://cipherwatch.io/articles/2026-04-02-macos-coremedia-rce-zdi-26-230-apple-patch/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-04-02-macos-coremedia-rce-zdi-26-230-apple-patch/</guid><description>Zero Day Initiative researchers have disclosed ZDI-26-230, an out-of-bounds write vulnerability in the Apple macOS CoreMedia framework that could allow remote code execution when a user processes a specially crafted media file. A companion vulnerability ZDI-26-231 discloses a separate macOS information disclosure flaw. 
Both were disclosed on 30 March 2026 following Apple&apos;s 120-day coordinated disclosure window.</description><pubDate>Thu, 02 Apr 2026 00:00:00 GMT</pubDate><category>macos</category><category>apple</category><category>coremedia</category><category>rce</category><category>zdi</category><category>out-of-bounds-write</category><category>media-processing</category></item><item><title>German Police Physically Visit Companies to Warn of Critical PTC Windchill RCE — No Patch Available</title><link>https://cipherwatch.io/articles/2026-03-27-ptc-windchill-cve-2026-4681-german-police-warning/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-27-ptc-windchill-cve-2026-4681-german-police-warning/</guid><description>A critical unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM — industrial PLM software used across manufacturing, aerospace, and defence — prompted German federal and state police to physically dispatch officers to affected companies on the weekend of 27 March. No patch was available at time of the emergency response. 
PTC has provided a temporary workaround via Apache/IIS rule modification while developing a permanent fix.</description><pubDate>Fri, 27 Mar 2026 00:00:00 GMT</pubDate><category>ptc</category><category>windchill</category><category>plm</category><category>industrial</category><category>ot</category><category>rce</category><category>deserialization</category><category>no-patch</category><category>cve-2026-4681</category><category>germany</category><category>critical-infrastructure</category><category>manufacturing</category></item><item><title>VMware Aria Operations CVE-2026-22719 — CISA KEV With Federal Deadline Tomorrow</title><link>https://cipherwatch.io/articles/2026-03-23-vmware-aria-operations-cve-2026-22719-cisa-kev/</link><guid isPermaLink="true">https://cipherwatch.io/articles/2026-03-23-vmware-aria-operations-cve-2026-22719-cisa-kev/</guid><description>CISA has added CVE-2026-22719, a command injection vulnerability in VMware Aria Operations, to the Known Exploited Vulnerabilities catalogue with a federal agency patch deadline of 24 March. The flaw allows unauthenticated remote attackers to execute arbitrary commands on the management infrastructure and was patched by Broadcom in February — but active exploitation has been confirmed before many organisations applied the fix.</description><pubDate>Mon, 23 Mar 2026 00:00:00 GMT</pubDate><category>vmware</category><category>aria-operations</category><category>command-injection</category><category>cisa-kev</category><category>unauthenticated</category><category>cve-2026-22719</category><category>broadcom</category><category>management-infrastructure</category></item></channel></rss>