Vulnerability Response
In-depth guides and analysis on vulnerability response from the Safeguard engineering team.
16 articles
CVE-2026-0300 in Palo Alto PAN-OS: Patch Posture & SBOM Response
PAN-OS Captive Portal pre-auth RCE scored CVSS 9.3 and landed on CISA KEV with a three-day patch deadline. Defender playbook below.
CVE-2025-53521 in F5 BIG-IP APM: Patch Posture & SBOM Response
F5 BIG-IP APM bug reclassified from DoS to RCE at CVSS 9.8 and landed on CISA KEV. Defender playbook for the late-cycle severity surprise.
CVE-2025-15467 in OpenSSL CMS: Patch Posture & SBOM Response
OpenSSL CMS pre-auth stack buffer overflow scored CVSS 9.8. Mail servers, web servers, and anything that processes S/MIME need the fix. Defender playbook below.
CVE-2025-31133 in runc: Patch Posture & SBOM Response
runc container-escape via /proc mount manipulation affects Docker, Kubernetes, and every CRI runtime. Defender playbook below.
CVE-2025-64446 in Fortinet FortiWeb: Patch Posture & SBOM Response
FortiWeb path traversal + RCE scored CVSS 9.1 and entered CISA KEV after months of targeted exploitation. Defender playbook for the WAF emergency.
CVE-2025-20333 in Cisco ASA: Patch Posture & SBOM Response
Cisco Secure Firewall ASA/FTD buffer overflow scored CVSS 9.9 and was added to CISA KEV the day Cisco published the advisory. Here is the defender playbook.
CVE-2025-9086 in cURL: Patch Posture & SBOM Response
Heap out-of-bounds read in libcurl's cookie path comparison affects nearly every Linux distro. Defender SBOM playbook below.
CVE-2025-55190 in Argo CD: Patch Posture & SBOM Response
Argo CD project details API leaks repository credentials, scored CVSS 9.9. GitOps platforms are now top-tier credential targets. Defender playbook below.
CVE-2025-7775 in Citrix NetScaler: Patch Posture & SBOM Response
NetScaler ADC and Gateway memory overflow scored CVSS 9.2 and landed on CISA KEV with a 48-hour patch deadline. Here is the defender playbook.
CVE-2025-9074 in Docker Desktop: Patch Posture & SBOM Response
Docker Desktop container-to-host escape scored CVSS 9.3. Affected Windows and macOS developer fleets need a fast patch rollout. Defender playbook below.
CVE-2025-53770 in SharePoint (ToolShell): Patch Posture & SBOM Response
On-prem SharePoint deserialization flaw scored CVSS 9.8 and entered CISA KEV the day after public exploitation. Defender playbook below.
CVE-2025-49794 in libxml2: Patch Posture & SBOM Response
libxml2 use-after-free during XPath schematron parsing scored CVSS 9.1. Defender SBOM playbook for one of the most-embedded libraries on the planet.