Decoding Threats.
Watching the Wire.
Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines β from threat intelligence to application security.
8
Security Domains
Daily
Updates
CVEs
Tracked Live
Latest Intelligence
Recent Articles
CISA KEV May 2026: Complete List of Known Exploited Vulnerabilities Added This Month and Enterprise Response Guidance
CISA's Known Exploited Vulnerabilities catalogue received multiple additions in May 2026, including developer toolchain supply-chain compromises, network appliance vulnerabilities, and Microsoft Windows flaws. This guide consolidates the May 2026 KEV additions with enterprise response guidance for each category.
May 2026 Vulnerability Retrospective: Patch Prioritisation Guide for Enterprise Security Teams
May 2026 produced an unusually dense cluster of high-severity vulnerabilities: Netlogon CVSS 9.8, Ubiquiti CVSS 10.0 Γ 3, AMD Zen 2 CVSS 8.8, golang/crypto CVSS 10.0, Linux ptrace four-exploit-chain. This retrospective ranks them by risk for organisations still working through the patching backlog.
Identity Containment After Domain Controller Compromise: IAM Response for CVE-2026-41089 Post-Exploitation
If forensic investigation reveals CVE-2026-41089 exploitation occurred before patching, the identity response is as critical as the technical remediation. All credential material accessible from the domain controller must be treated as compromised. This guide covers the identity containment sequence for a confirmed Active Directory domain controller breach.
Zero-Day Response Maturity: Assessing Your Organisation's Capability Against May 2026's Vulnerability Cluster
May 2026 produced multiple simultaneous zero-days and CVSS 9.0+ vulnerabilities with active exploitation. The month serves as an inadvertent assessment of enterprise vulnerability response capability. This framework evaluates response maturity across five dimensions using the month's events as test cases.
Domain Controller Hardening After Netlogon CVE-2026-41089: Reducing the Attack Surface Beyond Patching
Patching CVE-2026-41089 closes the specific vulnerability, but domain controllers remain highly targeted infrastructure. This guide covers the access control, network segmentation, and monitoring controls that reduce DC attack surface against the class of unauthenticated RCE threats that Netlogon represents.
Netlogon CVE-2026-41089 Detection and Forensics: Hunting for Domain Controller Compromise
With active exploitation of CVE-2026-41089 confirmed, security teams must run parallel tracks: patching domain controllers and investigating whether exploitation has already occurred. A successful Netlogon exploitation typically leads to Golden Ticket persistence and stealthy domain admin account creation β the forensic indicators are specific and searchable.
Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface
CVE-2026-41089's exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions β made during infrastructure design, sometimes years ago β directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.
Netlogon CVE-2026-41089: Enterprise Risk Management Framework for Active Directory Compromise Scenarios
A CVSS 9.8 vulnerability with active exploitation and a public PoC against domain controllers requires risk management decisions at the business level, not just patching at the technical level. This guide covers the risk assessment, escalation triggers, and business continuity considerations that security leadership should present to boards and executives.
Opinion & Analysis
Commentary
Netlogon Will Be Exploited Again. The Question Is Whether Your Architecture Has Changed Since Zerologon.
CVE-2026-41089 is the third significant Netlogon vulnerability with active exploitation in six years. Zerologon (CVE-2020-1472) prompted an industry-wide reckoning with domain controller exposure. If your DC network architecture has not materially changed since 2020, the reckoning was incomplete.
CipherWatch Editorial
Security Intelligence Platform
65 Days Unpatched: The Citrix NetScaler Exploitation Pattern Nobody Has Solved
CVE-2026-3055 was patched in March. In late May, Fortinet confirms large-scale exploitation of thousands of unpatched NetScaler appliances. This cycle has repeated with every major Citrix vulnerability for years. The gap between patch availability and patch deployment on network appliances is a structural problem with a known solution that the industry is not implementing.
CipherWatch Editorial
Security Intelligence Platform
For CISOs, CIOs & Board Members
CIO Briefings
Security events translated into business language β financial exposure, regulatory obligations, and board-ready summaries.
CRITICAL: Windows Netlogon CVE-2026-41089 β Unauthenticated Domain Controller RCE, Active Exploitation Confirmed
CVE-2026-41089 (CVSS 9.8) allows an unauthenticated attacker to execute code as SYSTEM on Windows domain controllers via a stack overflow in the Netlogon service. Belgium's CCB confirmed active exploitation on 29 May. A successful exploit provides full Active Directory domain compromise. Patch all domain controllers immediately.
CRITICAL: Citrix NetScaler CVE-2026-3055 Mass Exploitation β Thousands of SAML IDP Appliances Compromised
Fortinet confirmed large-scale active exploitation of CVE-2026-3055 (CVSSv4 9.3) in Citrix NetScaler ADC and Gateway on 28 May. Despite a patch being available since 24 March, thousands of internet-facing appliances remain unpatched after 65+ days. The SAML IDP memory overread can leak session tokens and SAML signing keys. Patch and investigate immediately.
Three Maximum-Severity Security Flaws Discovered in Ubiquiti Network Management Software β Update Required Immediately
Ubiquiti has disclosed three maximum-severity (CVSS 10.0) security vulnerabilities in UniFi OS β the management software that controls Ubiquiti Wi-Fi access points, switches, and network gateways. Attackers with network access to the management interface can gain full administrative control without any password. Organisations using Ubiquiti UniFi equipment must apply updates immediately.
Security Domains
Browse by Domain
Security intelligence mapped across 8 core disciplines.
Risk Mgmt
Governance, compliance, ethics, risk frameworks, legal regulations, and business continuity planning.
Assets
Data classification, ownership, privacy protection, retention policies, and data security standards.
Architecture
Secure design principles, cryptography, physical security, and security models.
Network
Network architecture, protocols, secure communication channels, and network attacks.
IAM
Authentication, authorization, access control models, identity federation, and MFA.
Assessment
Vulnerability assessment, penetration testing, audit strategies, and security metrics.
SecOps
Incident response, forensics, threat intelligence, SIEM, and operational security.
AppSec
Secure SDLC, code review, application vulnerabilities, DevSecOps, and software security testing.
Stay Vigilant
Intelligence is your first line of defence.
CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more β so you stay ahead of the threat curve.
Learn how it works β