Commentary tagged #security-culture
CVE-2026-46243 and the Enterprise Linux Kernel Patch Lag Problem
The 19-year latency of CVE-2026-46243 makes headlines. What is less discussed is the operational lag between 'patch available' and 'patch applied' across enterprise Linux fleets. Distribution advisories are published. Patched kernels hit repositories. And then organisations schedule the reboots — often weeks later. CVE-2026-46243 is not unusual in its severity; it is unusual in making the patch lag visible.
CipherWatch Editorial
Security Intelligence Platform
Healthcare Ransomware Is a Structural Problem. The Gentelman Surge Is Not a Surprise.
The Gentelman ransomware surge hitting healthcare this week follows a pattern that has repeated with near-mechanical regularity for five years. The security industry has correctly diagnosed the problem: legacy infrastructure, high willingness to pay, broad RMM attack surface, and regulatory environments that prioritise availability over security. The diagnosis is correct. The treatment is not happening fast enough.
CipherWatch Editorial
Oracle's Quarterly CPU and the Enterprise Java Patching Culture That Makes WebLogic Vulnerabilities Sticky
CVE-2024-21182 was patched in January 2024. It reached the CISA KEV in June 2026. The 18-month gap is not unique to this CVE — it reflects how enterprise Java middleware is patched in practice, which is to say: slowly, incompletely, and often only under direct pressure.
CipherWatch Editorial
Developer Toolchains Are the New Perimeter — and the Industry Has Not Accepted It
Three simultaneous CISA KEV additions for developer toolchain compromises in one campaign make the case explicitly: the software supply chain attack surface runs through the tools developers use, not just the code they write. The security industry is still catching up.
CipherWatch Editorial