Sonny

More Evidence That Words Don't Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520)

Today, Ivanti published an advisory. “No way?” we hear you say. "Yes way!" Today’s advisory outlines two vulnerabilities in Ivanti’s Sentry product, appealing directly to our inner desire for sophisticated server-side, pre-authenticated vulnerabilities. CVE-2026-10520 * An OS Command Injection vulnerability in Ivanti Sentry

You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)

If you squint and look at the CISA KEV list, you might think it's made up exclusively of vulnerabilities in file transfer solutions. While this would be wrong (and you shouldn’t squint, it’s bad for your eyes), file transfer solutions do play a decent role in

The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains)

SolarWinds. Ivanti. SysAid. ManageEngine. Giants of the KEV world, all of whom have ITSM side-projects. ITSMs, as a group of solutions, have played pivotal roles in numerous ransomware gang campaigns - not only do they represent code running on a system, but they hold a significant amount of sensitive information.

Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)

When Ivanti removed the embargoes from CVE-2026-1281 and CVE-2026-1340 - actively exploited pre-auth Remote Command Execution vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM) solution - we sighed with relief. Clearly, the universe had decided to continue mocking Secure-By-Design signers right on schedule - every January.

What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)

Happy Friday, friends and.. others. We’re glad/sorry to hear that your week has been good/bad, and it’s the weekend/but at least it’s almost the weekend! What’re We Doing Today, Mr Fox? Today, in a tale that seems all too familar at this point,

Well, Well, Well. It’s Another Day. (Oracle E-Business Suite Pre-Auth RCE Chain - CVE-2025-61882)

We bet you thought you’d be allowed to sit there, breathe, and savour the few moments of peace you’d earned after a painful week in cyber security. Obviously, you were horribly wrong, and you need to wake up now - we’re back, it’s all on fire, and

It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) - Part 2

We’re back, just over 24 hours later, to share our evolving understanding of CVE-2025-10035. Thanks to everyone who reached out after Part 1, and especially to the individual who shared credible intel that informed this update. In Part 1 we laid out an odd and worrying picture:

Is This Bad? This Feels Bad. (Fortra GoAnywhere CVE-2025-10035)

File transfer used to be simple fun - fire up your favourite FTP client, log in to a glFTPd site, and you were done. Fast forward to 2025, and the same act requires a procurement team, a web interface, and a vendor proudly waving their Secure by Design pledge. Ever seen

You Already Have Our Personal Data, Take Our Phone Calls Too (FreePBX CVE-2025-57819)

We’re back - it’s a day, in a month, in a year - and once again, something has happened. In this week’s episode of “the Internet is made of string and there is literally no evidence to suggest otherwise”, we present even further evidence that as a species we

The One Where We Just Steal The Vulnerabilities (CrushFTP CVE-2025-54309)

On July 18, 2025, users of CrushFTP woke up to an announcement: As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the face of impressively indisputable evidence, and using their