48 Hours to Patch or Get Owned

Here’s the one piece of good news from Google’s latest Cloud Threat Horizons Report: your MFA investment is actually working. Weak and stolen credentials dropped to 27% of cloud intrusions. Years of pushing multifactor auth are paying off.

Now the bad news.

Attackers noticed. And they pivoted.

Vulnerability exploitation now accounts for 44.5% of cloud intrusions. Nearly double the credential-theft rate. If the credential door is harder to kick in, they’re going through the software door instead. And that door has a very short window.

Google documented exploitation windows collapsing to 48 hours after public disclosure. Not weeks. Not your comfortable monthly patch cycle. Two days.

CISA Just Proved the Point

Right on cue, CISA slapped three more entries on its Known Exploited Vulnerabilities catalog. All confirmed active exploitation:

  • Ivanti Endpoint Manager auth bypass (CVE-2026-1603). Brand new. Already being exploited. Gives attackers the keys to your endpoint management plane.
  • SolarWinds Web Help Desk deserialization flaw (CVE-2025-26399). Deserialization of untrusted data almost always means remote code execution.
  • Omnissa Workspace ONE SSRF (CVE-2021-22054). This one is from 2021. Five years old. Still being exploited.

And then there’s Cisco Catalyst SD-WAN (CVE-2026-20127), now under mass automated exploitation from numerous unique IPs. Not targeted. Not surgical. Carpet bombing.

The Quiet Campaigns Nobody Talks About

Google also surfaced the long-dwell stuff. Iran-linked UNC1549 maintained access to one victim for over 18 months, exfiltrating roughly a terabyte of data. China-linked UNC5221 spent 18 months inside a VMware vCenter environment stealing source code. And North Korea’s UNC4899 tricked a developer into AirDropping a malicious archive from a personal device to a corporate workstation, then pivoted through CI/CD to steal millions in crypto.

That last one? That’s not a software exploit. That’s a social engineering attack patches can’t fix.

What You Need to Do

Put the 48-hour stat in front of whoever still thinks monthly patching is fine for internet-facing systems.

Patch Ivanti EPM, SolarWinds Web Help Desk, and Omnissa Workspace ONE this week. Patch Cisco SD-WAN immediately. Shrink your patch SLA for cloud-facing infrastructure to 7 days or less for critical KEVs. And audit for the old stuff too, because a five-year-old CVE is still getting people owned.
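One way to operationalise the 7-day SLA and the "audit for the old stuff" point is to join the CISA KEV feed against your own asset inventory and rank what is still unpatched. The script below is an added example, not code from the gnerdsec post or from CISA: the feed it parses is a constructed sample in the shape of CISA's KEV JSON (the real file is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json); the CVE ids are the four named in the post, while the `dateAdded` values, hostnames, `internet_facing` flags and the reference date `TODAY` are invented so that it runs offline.

```python
"""Rank unpatched assets against a KEV-shaped feed and a 7-day SLA.

Added example, not from the post. KEV_FEED_JSON is a constructed sample
in the shape of the CISA KEV feed; dates, hostnames and TODAY are invented.
"""
import json
from datetime import date, timedelta

SLA_DAYS = 7                # the post's ceiling for critical KEVs on cloud-facing infrastructure
TODAY = date(2026, 2, 15)   # constructed reference date so the run is deterministic

# Constructed sample in the shape of the CISA KEV feed (dateAdded values invented).
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager", "dateAdded": "2026-02-10"},
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk", "dateAdded": "2026-02-10"},
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace ONE", "dateAdded": "2026-02-10"},
    {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "Catalyst SD-WAN", "dateAdded": "2026-01-29"},
]})

# Constructed asset inventory, the kind of thing a scanner or CMDB export gives you.
INVENTORY = [
    {"host": "epm01.corp.example", "cve": "CVE-2026-1603", "patched": False, "internet_facing": True},
    {"host": "helpdesk.corp.example", "cve": "CVE-2025-26399", "patched": True, "internet_facing": True},
    {"host": "ws1.corp.example", "cve": "CVE-2021-22054", "patched": False, "internet_facing": True},
    {"host": "sdwan-edge.corp.example", "cve": "CVE-2026-20127", "patched": False, "internet_facing": True},
    {"host": "lab-box.corp.example", "cve": "CVE-2026-20127", "patched": False, "internet_facing": False},
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV-shaped feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def sla_report(feed_json: str, inventory: list, today: date, sla_days: int = SLA_DAYS) -> list:
    """Return unpatched KEV exposures, worst first.

    Sort order: past-SLA before within-SLA, internet-facing before internal,
    then longest exposure first. The SLA clock starts at CISA's dateAdded;
    public disclosure (the post's 48-hour clock) is usually earlier, so the
    day counts here are a floor on real exposure, not a ceiling.
    """
    kev = load_kev(feed_json)
    rows = []
    for asset in inventory:
        entry = kev.get(asset["cve"])
        if entry is None or asset["patched"]:
            continue  # not a KEV, or already fixed
        added = date.fromisoformat(entry["dateAdded"])
        days_open = (today - added).days
        rows.append({
            "host": asset["host"],
            "cve": asset["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "internet_facing": asset["internet_facing"],
            "days_since_kev_add": days_open,
            "past_sla": days_open > sla_days,
            "sla_deadline": (added + timedelta(days=sla_days)).isoformat(),
            # Age of the CVE itself, to surface "old stuff" like a 2021 bug still in play.
            "cve_age_years": today.year - int(asset["cve"].split("-")[1]),
        })
    return sorted(rows,
                  key=lambda r: (r["past_sla"], r["internet_facing"], r["days_since_kev_add"]),
                  reverse=True)


if __name__ == "__main__":
    for r in sla_report(KEV_FEED_JSON, INVENTORY, TODAY):
        flag = "PAST SLA" if r["past_sla"] else "ok"
        print(f"{flag:8} {r['host']:24} {r['cve']:15} {r['product']:24} "
              f"{r['days_since_kev_add']:3}d  cve age {r['cve_age_years']}y")
```

In practice you would swap `KEV_FEED_JSON` for the downloaded CISA file and `INVENTORY` for your scanner output; the ranking puts the internet-facing box that has already blown its SLA at the top, and the `cve_age_years` column is what makes a five-year-old CVE stand out in the same list as this week's.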

Your MFA win is real. But it doesn’t matter if the next door over is wide open.


Read the full story: https://gnerdsec.com/blog/48-hours-to-patch-or-get-owned/