TL;DR — MITRE Top 25 CWE for 2025: It’s Not Zero-Days, It’s Your Auth, Inputs, and Uploads...Again
An examination of the MITRE Top 25 CWE for 2025.
Dec 12, 2025 · 27 min read


Droids Gone Wild: Privilege Escalation Edition
CISA reports that two Android Framework vulnerabilities, CVE-2025-48572 and CVE-2025-48633, are being actively exploited in the wild, enabling local privilege escalation without user interaction on Android 13–16 devices and therefore require prioritized remediation as part of vulnerability management programs.
Dec 8, 2025 · 14 min read


When Your PLC Becomes Everyone’s PLC: ScadaBR’s Unwanted Guest Login
CISA reports that two long-known OpenPLC ScadaBR web vulnerabilities (stored XSS and authenticated arbitrary file upload) are now being actively exploited and must be urgently remediated by federal and other organizations using the software.
Dec 8, 2025 · 16 min read


React2Shell: Now With 90% Less Authentication!
CVE-2025-55182 is a critical unauthenticated remote-code-execution flaw affecting React Server Components and downstream frameworks such as Next.js, enabling attackers to execute arbitrary code on vulnerable servers.
Dec 5, 2025 · 22 min read