The 732-Byte Secret to Root: Everything You Know About Hardening Just Failed

Copy Fail (CVE-2026-31431) is a nine-year-old logic flaw that grants root on basically every Linux distro. It's tiny, it's reliable, and your file integrity monitors won't see a thing.

MoveIt Redux: Progress Software Battles a New Wave of RCE Flaws

New critical RCE vulnerabilities in MoveIt WAF and LoadMaster let attackers reach the management shell and bypass security controls entirely. Your patch window is hours, not days.

Global Tech Debt Audit: Oracle's April CPU Breaks the Volume Record with 481 Fixes

Oracle just shipped 481 security fixes across 28 product families in a single patch cycle. The Java SE and WebLogic flaws hit CVSS 9.8. This isn't a success story.

Consumer Advisory: Fake Windows Updates, Qilin in Healthcare, and Patches You Shouldn't Skip

A stealer campaign with 0 detections is hiding inside fake Windows 11 upgrade ads. Qilin ransomware hit a Florida dermatology practice. And CISA added more bugs to the mandatory patch list.

Your Antivirus Is Harvesting Passwords Now: BlueHammer Hits CISA KEV

The BlueHammer flaw has moved from a research curiosity to an active threat. This Windows Defender zero-day turns your security software into a password harvester by exploiting a race condition to steal credentials. CISA says patch now.

Management Planes: The Internet's Industrialized Front Door

Hackers have stopped chasing individual servers. They are after the tools that manage thousands of them at once. BeyondTrust, Palo Alto, and Cisco are the current bull's-eye.

The CI/CD Supply Chain Crisis: Poisoning the Well at the Source

Attackers are ignoring the database and going for the person writing the code. Bamboo, GitLab, and Spinnaker are facing critical flaws that turn your build tools into weapons.

The Shadow API Tsunami: Toyota, Telefonica, and the 90% Problem

Salt Labs says 90% of security investigations uncover API vulnerabilities. Toyota (6.3M records) and Telefonica Brasil (15M records) just proved the point.

Patch Now: OpenClaw CVE-2026-41296 Is a Full Sandbox Escape

A TOCTOU race condition in OpenClaw's file handling allows a full sandbox escape. Version 2026.3.31 fixes it. If you're running an older version, stop reading and go patch.

The Lock Is Broken: Critical Auth Bypasses Hit Cisco, GitHub, and Palo Alto

Four critical authentication bypasses dropped this week across Cisco SD-WAN, GitHub Enterprise, Palo Alto PAN-OS, and Zabbix. This isn't a credential problem. The authentication systems themselves are failing.

The Switchboard Strike: Why CISA is Scrambling to Secure SD-WAN

CISA just issued an emergency order for federal agencies to hunt for Cisco SD-WAN exploits. It turns out a shadow campaign has been hijacking enterprise network switchboards since 2023. If you run a distributed network, the hunt is on.

Antivirus as a Weapon: The Defender Trilogy No One Can Patch

A single researcher has spent April taking Windows Defender apart. The results are a set of three zero-days that turn your antivirus into a malware delivery system and then blind it so it can't see the damage.

NIST Can't Keep Up. Now What?

NIST just admitted the NVD can't score every CVE anymore. With a 263% surge in vulnerability volume, thousands of bugs are going unenriched. Your patch workflow needs to catch up.

Patch This Week: Two Fortinet CVEs Due Tomorrow, Six More Due April 27, and NIST Changed How NVD Works

Two Fortinet CVEs have a federal remediation deadline of April 16. A separate six-CVE batch is due April 27. NIST restructured NVD prioritization because CVE volume is up 30%. And 2,000+ ShowDoc servers are still unpatched.

165 CVEs in One Day. Two Zero-Days. One Kerberos Bug That Should Have Your Full Attention.

Microsoft dropped 165 CVEs today including two zero-days, a critical Kerberos credential relay vulnerability, and a FortiClient EMS flaw with a 48-hour CISA deadline. Here's how to prioritize.

Your 2012 Security Debt Is Someone Else's 2026 Attack Vector

CISA added seven CVEs to its Known Exploited Vulnerabilities catalog. One of them was first patched in 2012. Attackers don't need zero-days when your backlog does the work for them.

Your WordPress Plugin Auto-Updated. Now You Have Six Backdoors.

Attackers hijacked the Smart Slider 3 Pro update server and pushed a six-layer backdoor to 900,000 sites. The must-use plugin it installed doesn't show up in your WordPress dashboard. Deleting the plugin doesn't remove it.

9 Hours 41 Minutes: The Patch Window Is Gone

CVE-2026-39987 in Marimo was exploited less than 10 hours after the advisory dropped. No public PoC. The attacker built their own exploit from the description and went to work while most people were still reading their alerts.

Ivanti Just Got Its 33rd CISA Exploited Vulnerability Entry

CVE-2026-1340 is a pre-auth RCE in Ivanti EPMM, CVSS 9.8, exploited since January. It's the 33rd Ivanti entry on the CISA KEV catalog. At some point that number has to become a procurement conversation.

Adobe Reader Had a Zero-Day in the Wild for Four Months Before Anyone Patched It

CVE-2026-34621 was sitting in the wild since November 2025. Adobe patched it in April 2026. That's a four-month window where opening the wrong PDF could get you owned.

Android's April Patch Targets a Security Layer Most Users Have Never Heard Of

April's Android security update fixes a critical zero-interaction DoS and a High-severity flaw in StrongBox, the hardware layer protecting your payment credentials, biometrics, and encrypted storage.

Docker's Authorization Bypass Is Back. It's Been Broken for a Decade.

Pad an HTTP request past 1MB and Docker's AuthZ plugins see nothing. CVE-2026-34040 has been sitting in Docker Engine since 2016, and researchers showed AI agents can be tricked into exploiting it.

A Disgruntled Researcher Just Handed Every Attacker a Free Windows Privilege Escalation Exploit

A frustrated researcher publicly released BlueHammer, a working Windows privilege escalation zero-day, after clashing with Microsoft's disclosure process.

Update Chrome Now. Update FortiClient Now. Here's Why.

Two critical vulnerabilities are being actively exploited right now: a Chrome WebGPU zero-day and a Fortinet pre-auth privilege escalation, and both have patches available today.

Researchers Broke Cloud GPU Isolation With a Memory Trick Nobody Can Patch

Three new Rowhammer attacks on Nvidia GPUs let a shared cloud tenant escalate to root on the host. It's a hardware flaw. There's no fix. And nobody's talking.

OpenClaw's Sixth Pairing Bug in Six Weeks Is a Full Admin Takeover

CVE-2026-33579 lets anyone with the lowest access level become full admin on OpenClaw. It's the sixth pairing CVE in six weeks, and 63% of instances run without auth.

Three Vendors, Three Critical Bugs, All Exploited This Week: The Edge Device Emergency

F5 BIG-IP, Citrix NetScaler, and Fortinet FortiClient EMS all have critical vulnerabilities under active exploitation this week. Here's what happened and what you need to do right now.

So Bad That German Police Knocked on Doors: The PTC Windchill Flaw Now in CISA's KEV

A critical RCE flaw in PTC Windchill hit CISA's KEV with no patch available yet, and German police started showing up at factory doors in person to warn companies.

Apple Is Literally Warning Millions of iPhone Users: You're Being Attacked Right Now

Apple pushed lock screen alerts to millions of iPhones warning of active attacks from the Coruna and DarkSword exploit kits -- and some users have no patch path at all.

Citrix Patches CVE-2026-3055 in NetScaler: A 9.3 Memory Flaw That Looks a Lot Like CitrixBleed

Citrix patched a CVSS 9.3 unauthenticated memory read in NetScaler ADC and Gateway that can leak session tokens. No active exploitation yet, but the history of CitrixBleed says don't wait.

CISA Added Five Actively Exploited Flaws to Its List. You Have Until April 3.

CISA added five actively exploited vulnerabilities to its KEV catalog, including three Apple flaws tied to the DarkSword iOS exploit kit and a CVSS 10.0 RCE in Craft CMS. The April 3 deadline is for federal agencies. The exploitation isn't.

Update Everything: Chrome Zero-Days, Android's March Bulletin, and the Patch Gap That Puts You at Risk

Two Chrome zero-days under active attack, 129 Android vulnerabilities in March, and the stubborn reality that 'patch available' and 'you're protected' are two very different things.

The Toolchain Turned Hostile: Trivy and Langflow Show Security Pipeline Fragility

A compromised Trivy vulnerability scanner and an AI pipeline builder exploited within 20 hours of disclosure reveal a deepening problem: the tools developers trust for security are becoming high-value attack targets.

Patch Weekend Is Here: Why Oracle IAM and Cisco FMC Can't Wait

Oracle pushed an emergency out-of-band patch for a critical identity manager RCE. CISA set a Sunday deadline on a max-severity Cisco firewall management flaw. Both hit identity and perimeter management simultaneously.

iPhone Exploit Kits Go Mainstream: DarkSword, Coruna, and the End of 'iOS Is Enough'

New research from Google, iVerify, and Lookout confirms iOS exploit kits have moved from rare targeted spyware to website-level deployment against broad populations. A companion toolkit was found targeting US government officials specifically.

Hidden Admin Surfaces Are Still the Fastest Way In

Fresh KVM and telnetd exposure reporting shows old management interfaces remain high-impact attack shortcuts.

The Control-Plane Exposure Problem: ScreenConnect, SharePoint, UniFi, and Magento

Today's critical bugs are not equal. ScreenConnect, SharePoint, UniFi, and Magento all threaten high-leverage control surfaces where one compromise can cascade.

Patch Cycles Are Now Running Behind the Exploit Curve

A GNU telnetd PoC is already circulating. CISA added another KEV entry. Rapid7 says exploited high/critical vulns surged 105% and attack timelines collapsed. Meanwhile teams are still digesting Microsoft's 83-vulnerability March dump.

Your Management Stack Is the Shortcut Attackers Are Looking For

CISA flagged endpoint management systems after a real incident. Researchers dropped pre-auth RCE chains for BMC FootPrints ITSM. IP-KVM gear is a network takeover path. The pattern is clear: attackers go for the systems that control everything else.

Zero-Day by Default: Why Cisco FMC Should Reorder This Week's Patch Queue

Interlock operators have been exploiting a Cisco FMC zero-day since January. If you're still sorting patch queues by CVSS score, that's the problem.

Patch Alert: Wing FTP Exploited, Two Patch Tuesday Zero-Days, and a D-Link RCE That Doesn't Need a Login

Three vulnerability disclosures in one week across different parts of the stack. Wing FTP is actively exploited, March Patch Tuesday dropped two zero-days, and D-Link has an unauthenticated RCE in its DNS config.

Google Paid Nearly $17 Million in Bug Bounties Last Year. What That Number Actually Tells Us.

Google's record $17 million in bug bounties sounds huge. Then you look at the exploit broker market, where a single iOS chain sells for $2.5 million, and the math gets interesting.

Two Vulnerabilities, Two Patches, One Message: Critical Enterprise Flaws Need Immediate Attention

Microsoft shipped an emergency out-of-band RRAS patch days after Patch Tuesday. HPE has a switch vulnerability that lets attackers reset admin passwords with zero credentials. Both need patching now.
