// #attack-surface

2 articles

🌐 Network

HTTP.sys CVE-2026-47291: Quantifying Wormable Risk Across the Windows Server Estate

Three days after the June Patch Tuesday, CVE-2026-47291 in HTTP.sys remains unpatched on a significant proportion of enterprise Windows Server infrastructure. This article maps the attack surface — which services expose HTTP.sys, how the worm propagation would function, and what network controls reduce the blast radius while patching is in progress.

#http-sys +9

🏛️ Architecture

Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface

CVE-2026-41089's exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions — made during infrastructure design, sometimes years ago — directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.

#domain-controller +7

Commentary tagged #attack-surface

Opinion

The Third-Party Plugin Is the Perimeter Now — Magento Today, Your Stack Next

CVE-2026-45247 in the Mirasvit Magento extension continues a pattern that security teams have been watching for years: the attack surface of any complex platform is not defined by the core platform's security — it is defined by every third-party component installed on it. This is not a Magento problem. It is an architecture problem that affects every enterprise platform stack.

CipherWatch Editorial

Security Intelligence Platform

Opinion

The ITSM Platform Is the Map to Your Infrastructure — and You've Left It Unlocked

The ServiceNow API breach is the latest confirmation that IT Service Management platforms are among the highest-value targets in the enterprise. They contain everything an attacker needs to plan a targeted intrusion: network topology, patch status, change windows, and credentials. The industry's classification of these platforms as 'IT operations tools' rather than 'sensitive data repositories' is a governance error with real consequences.

CipherWatch Editorial

Security Intelligence Platform

Opinion

Managed File Transfer Is a Permanent Attack Surface and You Should Treat It That Way

MOVEit's latest critical vulnerability is not a surprise — it is the latest instalment in an unending series. The industry keeps treating each managed file transfer vulnerability as an exceptional event requiring exceptional response, when the correct model is to treat MFT platforms as inherently hostile internet-facing infrastructure requiring architectural controls that assume compromise is inevitable.

CipherWatch Editorial

Security Intelligence Platform

Opinion

The 13-Hour Problem: Your AI Inference Infrastructure Is Already a Tier-One Target

LMDeploy was exploited 13 hours after its RCE vulnerability was disclosed. Langflow took 20 hours. Marimo lasted days. The pattern is not bad luck — it is the predictable consequence of treating AI inference infrastructure as development tooling while exposing it like a production web server. The window for getting ahead of this has closed.

CipherWatch Editorial

Security Intelligence Platform