$ cipherwatch --feed live --domains all

Decoding Threats.
Watching the Wire.

Daily security intelligence curated from the world's leading sources, mapped across 8 core security disciplines — from threat intelligence to application security.

8 Security Domains

Daily Updates

CVEs Tracked Live

Latest Intelligence

Recent Articles

🗄️ Assets

Android Enterprise Patch Management: Closing the Gap Between Google's Bulletin and Fleet-Wide Coverage

The June 2026 Android Security Bulletin — which includes an actively exploited zero-day — highlights a structural challenge for enterprise Android fleet management: Google publishes a patch, but enterprise coverage depends on OEM update timelines, carrier approval processes, and EMM deployment policies that can extend the effective exposure window by weeks. This guide covers a practical approach to managing the gap.

#android +8

🛡️ SecOps

Android June 2026 Security Update: Zero-Day CVE-2025-48595 Patched Alongside 124 Vulnerabilities

Google's June 2026 Android Security Bulletin patches 124 vulnerabilities including CVE-2025-48595, an integer overflow in the Android Framework with confirmed limited exploitation consistent with nation-state spyware deployment. Enterprise Android fleets should prioritise this update given the zero-day's targeted exploitation pattern.

#android +7

⚖️ Risk Mgmt

ITSM Platform Security Governance: Why ServiceNow, Jira, and Freshservice Are High-Value Targets

The ServiceNow API breach this week highlights a category of platform that organisations consistently underestimate as an attack target: IT Service Management tools. ITSM platforms aggregate privileged information about the organisation's infrastructure, credentials, and operational processes — making them a high-value target and a high-consequence breach.

#servicenow +7

💻 AppSec

ServiceNow API Security Configuration: Access Controls, ACLs, and Endpoint Hardening to Prevent Zero-Auth Exposure

The ServiceNow API breach highlights the risk of zero-auth API endpoint exposure in SaaS ITSM platforms. ServiceNow's platform provides granular access control mechanisms — ACLs, application scope policies, and API gateway controls — that, if properly configured, limit the blast radius of similar incidents. This guide covers the core security configuration for ServiceNow REST APIs.

#servicenow +7

🔬 Assessment

ServiceNow Security Assessment: Auditing API Exposure and Access Control Configuration

Following the ServiceNow API breach, organisations should conduct a targeted security assessment of their ServiceNow instance, focusing on API endpoint exposure, unauthenticated access paths, ACL configuration, and service account privilege scope. This assessment guide covers the key checks and how to perform them without specialist ServiceNow security tooling.

#servicenow +7

🛡️ SecOps

ServiceNow Zero-Auth API Exploitation: Customer Instance Data Exposed Through Unauthenticated Endpoint

ServiceNow disclosed an active security incident beginning 2 June in which an unauthenticated API endpoint allowed attackers to query customer instance data including IT ticket contents, asset inventories, and stored credentials. Exploitation began 2 June; ServiceNow patched the endpoint by 5 June. No CVE was assigned at time of disclosure. Organisations should review ServiceNow access logs for the incident window.

#servicenow +6

⚖️ Risk Mgmt

Enterprise Java Middleware Security Governance: Bringing WebLogic and JBoss into the Vulnerability Management Programme

Oracle WebLogic, Red Hat JBoss/WildFly, and IBM WebSphere are foundational enterprise application infrastructure that frequently falls outside the scope of corporate vulnerability management programmes. CVE-2024-21182's CISA KEV addition — 18 months after the patch — reflects what happens when middleware is governed outside the security programme.

#oracle +7

🛡️ SecOps

Oracle WebLogic CVE-2024-21182 Added to CISA KEV — Federal Deadline June 4 as Ransomware Payloads Observed

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.

#oracle +8

Opinion & Analysis

Commentary

Opinion

The ITSM Platform Is the Map to Your Infrastructure — and You've Left It Unlocked

The ServiceNow API breach is the latest confirmation that IT Service Management platforms are among the highest-value targets in the enterprise. They contain everything an attacker needs to plan a targeted intrusion: network topology, patch status, change windows, and credentials. The industry's classification of these platforms as 'IT operations tools' rather than 'sensitive data repositories' is a governance error with real consequences.

CipherWatch Editorial

Security Intelligence Platform

Opinion

Oracle's Quarterly CPU and the Enterprise Java Patching Culture That Makes WebLogic Vulnerabilities Sticky

CVE-2024-21182 was patched in January 2024. It reached the CISA KEV in June 2026. The 18-month gap is not unique to this CVE — it reflects how enterprise Java middleware is patched in practice, which is to say: slowly, incompletely, and often only under direct pressure.

CipherWatch Editorial

Security Intelligence Platform

For CISOs, CIOs & Board Members

CIO Briefings

Security events translated into business language — financial exposure, regulatory obligations, and board-ready summaries.

Critical Impact

CRITICAL: Oracle WebLogic CVE-2024-21182 on CISA KEV — Ransomware Delivery Confirmed, Federal Deadline June 4

CISA added CVE-2024-21182 to the KEV on 1 June as honeypots confirm ransomware delivery via Oracle WebLogic T3/IIOP unauthenticated code execution. Despite a patch being available since January 2024, unpatched WebLogic deployments are being actively targeted. Organisations running WebLogic 12.2.1.4.0 or 14.1.1.0.0 must patch immediately.

Critical Impact

CRITICAL: Windows Netlogon CVE-2026-41089 — Unauthenticated Domain Controller RCE, Active Exploitation Confirmed

CVE-2026-41089 (CVSS 9.8) allows an unauthenticated attacker to execute code as SYSTEM on Windows domain controllers via a stack overflow in the Netlogon service. Belgium's CCB confirmed active exploitation on 29 May. A successful exploit provides full Active Directory domain compromise. Patch all domain controllers immediately.

Critical Impact

CRITICAL: Citrix NetScaler CVE-2026-3055 Mass Exploitation — Thousands of SAML IDP Appliances Compromised

Fortinet confirmed large-scale active exploitation of CVE-2026-3055 (CVSSv4 9.3) in Citrix NetScaler ADC and Gateway on 28 May. Despite a patch being available since 24 March, thousands of internet-facing appliances remain unpatched after 65+ days. The SAML IDP memory overread can leak session tokens and SAML signing keys. Patch and investigate immediately.


Stay Vigilant

Intelligence is your first line of defence.

CipherWatch compiles and synthesises security news daily from Krebs on Security, The Hacker News, BleepingComputer, CISA advisories, and more — so you stay ahead of the threat curve.
