// #zero-trust
5 articles
Domain Controller Network Architecture: How DC Placement Determines Netlogon Attack Surface
CVE-2026-41089's exploitability in a given environment is almost entirely determined by which networks can reach domain controllers on TCP 445. DC placement decisions — made during infrastructure design, sometimes years ago — directly determine how many machines a Netlogon-class vulnerability exposes. Reviewing DC reachability is the highest-leverage response.
Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review
The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. Both require defences that go beyond the identity layer.
Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem
The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.
Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available
Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.
Microsoft Entra ID Entitlement Management SSRF (CVE-2026-35431, CVSS 10.0) — Cloud IAM Attack Surface Disclosed Before Silent Server-Side Fix
A perfect-score SSRF vulnerability in Microsoft Entra ID Entitlement Management allowed unauthenticated network-accessible exploitation of Microsoft's cloud identity governance platform. Microsoft patched it server-side with no customer action required, but the disclosure surfaces a structural question enterprise security teams need to answer: how do you monitor for exploitation of a vulnerability in infrastructure you don't control?
Commentary tagged #zero-trust
Air-Gapping Is Not a Security Strategy — Operation Highland Proves It Never Has Been
Velvet Ant's ten-year persistence inside an air-gapped network is being reported as an extraordinary technical achievement. It isn't. It is a predictable consequence of substituting physical isolation for security architecture, and the organisations still treating air gaps as a primary control are making the same mistake that left a critical infrastructure network exposed for a decade.
CipherWatch Editorial
Security Intelligence Platform
Two PAN-OS GlobalProtect Authentication Bypasses in Three Months Is a Pattern, Not a Coincidence
CVE-2026-0257, a second actively exploited Palo Alto Networks GlobalProtect authentication bypass in the same three-month window as CVE-2026-0300, is not bad luck. It reflects the structural dynamics of high-value attack surface concentration: when enterprise VPN infrastructure is widely deployed, highly privileged, and technically complex, it attracts sustained, focused research from both legitimate researchers and threat actors.
CipherWatch Editorial
Security Intelligence Platform
Attackers Discovered That Developer Tools Make Better C2 Infrastructure Than Their Own Servers
KidsProtect's use of VS Code Remote Tunnels and Discord webhooks for command-and-control is not a stalkerware quirk — it is the latest example of a systematic shift toward legitimate cloud services as attack infrastructure. When defenders cannot block VS Code tunnels without breaking developer workflows, the standard network-layer controls that security architecture depends on stop working.
CipherWatch Editorial
Security Intelligence Platform
Managed File Transfer Is a Permanent Attack Surface and You Should Treat It That Way
MOVEit's latest critical vulnerability is not a surprise — it is the latest instalment in an unending series. The industry keeps treating each managed file transfer vulnerability as an exceptional event requiring exceptional response, when the correct model is to treat MFT platforms as inherently hostile internet-facing infrastructure requiring architectural controls that assume compromise is inevitable.
CipherWatch Editorial
Security Intelligence Platform