vulnerability-analysis
Safeguard articles tagged "vulnerability-analysis" — guides, analysis, and best practices for software supply chain and application security.
360 articles
Log4Shell (Log4j Vulnerability) Explained
A deep dive into Log4Shell (CVE-2021-44228): how the critical Log4j2 RCE flaw worked, its timeline, affected versions, and how to remediate it.
What Was the Heartbleed Bug
A deep dive into CVE-2014-0160 (Heartbleed): the OpenSSL heartbeat flaw, its severity, exploitation timeline, and how to remediate it today.
What Was the Shellshock Vulnerability
Shellshock (CVE-2014-6271) let attackers run code on millions of Bash-based systems via a single crafted header. Here's the full breakdown and fix.
What is EternalBlue
EternalBlue (CVE-2017-0144) turned a patched SMBv1 flaw into WannaCry and NotPetya. Here is the exploit, timeline, and remediation, explained.
The SolarWinds Supply Chain Attack Explained
How Russian intelligence hijacked SolarWinds' build system to backdoor Orion updates for 18,000 customers, and what security teams must do now.
The XZ Utils Backdoor Explained
A trusted maintainer, years of quiet social engineering, and one hidden SSH backdoor: how CVE-2024-3094 nearly compromised the global Linux supply chain.
VMware ESXi CVE-2024-37085 Auth Bypass by Ransomware
CVE-2024-37085 abuses ESXi's AD domain join to grant admin via a specially named group. Exploitation by Akira and Black Basta, detection, and fix.
The Codecov Supply Chain Attack Explained
A breakdown of the 2021 Codecov breach: how the Bash Uploader was compromised, what CI secrets were exposed, and the remediation steps teams need now.
The Kaseya VSA Ransomware Attack Explained
A deep dive into the 2021 Kaseya VSA supply chain ransomware attack: the CVE chain, CVSS/KEV context, full timeline, and remediation steps.
What is Spring4Shell
Spring4Shell (CVE-2022-22965) let attackers gain unauthenticated RCE on Java apps via Spring data binding. Here's the full breakdown and fix.
The left-pad npm Incident Explained
No CVE, no CVSS — just one unpublished package that broke the internet's build pipelines. Here's what left-pad still teaches security teams.
The clawdhub Malicious AI Agent Skills Campaign Explained
A coordinated supply-chain campaign poisoned 1,184+ ClawHub AI agent skills, stealing crypto wallets and SSH keys via CVE-2026-25253.