Start here
What to patch first.
159 of these vulnerabilities are actively used in ransomware attacks. Start with these — they're the ones criminals are exploiting right now.
- Patch now: 159 (used in ransomware)
- Patch this week: 175 (critical, or high-severity on internet-facing gear)
- Plan to patch: 421 (the working backlog)
- Monitor: 54 (low urgency, fix on next maintenance)
Known exploited vulnerabilities
What's being actively exploited.
The CISA KEV catalog, filtered for software small regulated businesses actually run, with a coping action paired to every threat. This isn't every CVE — it's the ones being actively used in attacks right now. Tracking the rest is noise.
Categories
By what it affects.
Topics
By threat or urgency.
Last 90 days
Added recently.
New SMB-relevant additions to KEV in the last 90 days — the urgent items most likely to need action this quarter.
- CVE-2026-20230: Plan to patch
Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could be used later to elevate to root.
- CVE-2026-34910: Patch this week
Ubiquiti UniFi OS Improper Input Validation Vulnerability
Affects anyone running Ubiquiti UniFi networking gear (access points, switches, security gateways, NVRs). The gear carries internal network traffic and often hosts video surveillance — exploitation can expose network traffic or grant management access to the network itself.
Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.
- CVE-2026-34909: Patch this week
Ubiquiti UniFi OS Path Traversal Vulnerability
Affects anyone running Ubiquiti UniFi networking gear (access points, switches, security gateways, NVRs). The gear carries internal network traffic and often hosts video surveillance — exploitation can expose network traffic or grant management access to the network itself.
Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
- CVE-2026-34908: Patch this week
Ubiquiti UniFi OS Improper Access Control Vulnerability
Affects anyone running Ubiquiti UniFi networking gear (access points, switches, security gateways, NVRs). The gear carries internal network traffic and often hosts video surveillance — exploitation can expose network traffic or grant management access to the network itself.
Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.
- CVE-2026-20262: Plan to patch
Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
- CVE-2026-10520: Patch this week
Ivanti Sentry OS Command Injection Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
- CVE-2026-11645: Plan to patch
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Affects anyone using Chrome or Chromium as their browser. The browser is where staff log into cloud apps, banking, and client portals — exploitation can mean session theft or credential exposure for every site you're signed into.
Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
- CVE-2026-20245: Patch this week
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
- CVE-2026-0257: Patch this week
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Affects anyone behind a Palo Alto firewall or using GlobalProtect VPN. The firewall is the network edge; the VPN is how remote workers reach inside the perimeter — exploitation puts an attacker on the internal network without touching a workstation.
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
- CVE-2008-4250: Patch this week
Microsoft Windows Buffer Overflow Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
- CVE-2009-1537: Plan to patch
Microsoft DirectX NULL Byte Overwrite Vulnerability
Affects anyone running Microsoft DirectX. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
- CVE-2009-3459: Plan to patch
Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
Affects anyone opening, editing, or signing PDFs in Adobe Acrobat or Reader. For a CPA or legal practice, PDFs are typically client tax returns, engagement letters, signed agreements, and discovery documents — opening a malicious PDF runs attacker code in the user's session, which can pivot to file shares or email.
Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
- CVE-2010-0249: Plan to patch
Microsoft Internet Explorer Use-After-Free Vulnerability
Affects anyone running Microsoft Internet Explorer. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
- CVE-2010-0806: Plan to patch
Microsoft Internet Explorer Use-After-Free Vulnerability
Affects anyone running Microsoft Internet Explorer. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
- CVE-2026-41091: Plan to patch
Microsoft Defender Link Following Vulnerability
Affects anyone running Microsoft Defender. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
- CVE-2026-45498: Monitor
Microsoft Defender Denial of Service Vulnerability
Affects anyone running Microsoft Defender. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
- CVE-2026-42897: Plan to patch
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Affects anyone running Microsoft. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access; when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
- CVE-2026-20182: Patch this week
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
- CVE-2026-6973: Patch this week
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
- CVE-2026-0300: Patch this week
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Affects anyone behind a Palo Alto firewall or using GlobalProtect VPN. The firewall is the network edge; the VPN is how remote workers reach inside the perimeter — exploitation puts an attacker on the internal network without touching a workstation.
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
- CVE-2026-32202: Monitor
Microsoft Windows Protection Mechanism Failure Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-33825: Plan to patch
Microsoft Defender Insufficient Granularity of Access Control Vulnerability
Affects anyone running Microsoft Defender. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
- CVE-2026-20122: Plan to patch
Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
- CVE-2026-20133: Plan to patch
Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.
- CVE-2026-20128: Patch this week
Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
- CVE-2009-0238: Plan to patch
Microsoft Office Remote Code Execution
Affects anyone using Microsoft 365 or Office to compose, store, or send email, documents, or spreadsheets. In a small practice, that's typically where client communications, engagement letters, and case notes live — credential compromise here means an attacker reads everything that platform stores.
Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.
- CVE-2026-32201: Monitor
Microsoft SharePoint Server Improper Input Validation Vulnerability
Affects anyone running Microsoft SharePoint Server. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
- CVE-2012-1854: Plan to patch
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
Affects anyone running Microsoft Visual Basic for Applications (VBA). Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.
- CVE-2025-60710: Plan to patch
Microsoft Windows Link Following Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows contains a link following vulnerability that allows for privilege escalation.
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Affects anyone running on-premises Microsoft Exchange Server. If you have Exchange in your office (as opposed to Microsoft 365 hosted email), it's the mail server holding all internal email — full compromise reads every conversation it stores.
Microsoft Exchange Server contains a deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution.
- CVE-2023-36424: Plan to patch
Microsoft Windows Out-of-Bounds Read Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor to escalate privileges.
- CVE-2020-9715: Plan to patch
Adobe Acrobat Use-After-Free Vulnerability
Affects anyone opening, editing, or signing PDFs in Adobe Acrobat or Reader. For a CPA or legal practice, PDFs are typically client tax returns, engagement letters, signed agreements, and discovery documents — opening a malicious PDF runs attacker code in the user's session, which can pivot to file shares or email.
Adobe Acrobat contains a use-after-free vulnerability that allows for code execution.
- CVE-2026-21643: Patch this week
Fortinet FortiClient EMS SQL Injection Vulnerability
Affects anyone whose internet connection goes through a Fortinet appliance — typically a FortiGate firewall or FortiClient VPN. The firewall sits between every device in the office and the internet; exploitation can mean an attacker gets inside the network perimeter without touching a workstation.
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
- CVE-2026-34621: Plan to patch
Adobe Acrobat and Reader Prototype Pollution Vulnerability
Affects anyone opening, editing, or signing PDFs in Adobe Acrobat or Reader. For a CPA or legal practice, PDFs are typically client tax returns, engagement letters, signed agreements, and discovery documents — opening a malicious PDF runs attacker code in the user's session, which can pivot to file shares or email.
Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.
- CVE-2026-1340: Patch this week
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- CVE-2026-35616: Patch this week
Fortinet FortiClient EMS Improper Access Control Vulnerability
Affects anyone whose internet connection goes through a Fortinet appliance — typically a FortiGate firewall or FortiClient VPN. The firewall sits between every device in the office and the internet; exploitation can mean an attacker gets inside the network perimeter without touching a workstation.
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
- CVE-2026-5281: Plan to patch
Google Dawn Use-After-Free Vulnerability
Affects anyone running Google Dawn. Google products typically sit at the identity or browsing layer — exploitation usually affects access to cloud services and stored sessions.
Google Dawn contains a use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
SMB-relevant feed
50 most recent SMB-relevant entries.
- CVE-2026-20230: Plan to patch
Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) contain a server-side request forgery (SSRF) vulnerability that could allow an unauthenticated, remote attacker to write files to the underlying operating system that could be used later to elevate to root.
- CVE-2026-34910: Patch this week
Ubiquiti UniFi OS Improper Input Validation Vulnerability
Affects anyone running Ubiquiti UniFi networking gear (access points, switches, security gateways, NVRs). The gear carries internal network traffic and often hosts video surveillance — exploitation can expose network traffic or grant management access to the network itself.
Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.
- CVE-2026-34909: Patch this week
Ubiquiti UniFi OS Path Traversal Vulnerability
Affects anyone running Ubiquiti UniFi networking gear (access points, switches, security gateways, NVRs). The gear carries internal network traffic and often hosts video surveillance — exploitation can expose network traffic or grant management access to the network itself.
Ubiquiti UniFi OS contains a path traversal vulnerability which could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
- CVE-2026-34908: Patch this week
Ubiquiti UniFi OS Improper Access Control Vulnerability
Affects anyone running Ubiquiti UniFi networking gear (access points, switches, security gateways, NVRs). The gear carries internal network traffic and often hosts video surveillance — exploitation can expose network traffic or grant management access to the network itself.
Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.
- CVE-2026-20262: Plan to patch
Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains a directory or path traversal vulnerability that could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system.
- CVE-2026-10520: Patch this week
Ivanti Sentry OS Command Injection Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Sentry (formerly known as MobileIron Sentry) contains an OS command injection vulnerability which could allow a remote unauthenticated user to achieve root-level remote code execution. This vulnerability can be successfully exploited in cases where the Sentry appliance is in an unmanaged state with its endpoints externally reachable. The use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors.
- CVE-2026-11645: Plan to patch
Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
Affects anyone using Chrome or Chromium as their browser. The browser is where staff log into cloud apps, banking, and client portals — exploitation can mean session theft or credential exposure for every site you're signed into.
Google Chromium V8 contains an out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
- CVE-2026-20245: Patch this week
Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contains an improper encoding or escaping of output vulnerability. This vulnerability could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system.
- CVE-2026-0257: Patch this week
Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Affects anyone behind a Palo Alto firewall or using GlobalProtect VPN. The firewall is the network edge; the VPN is how remote workers reach inside the perimeter — exploitation puts an attacker on the internal network without touching a workstation.
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
- CVE-2008-4250: Patch this week
Microsoft Windows Buffer Overflow Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
- CVE-2009-1537: Plan to patch
Microsoft DirectX NULL Byte Overwrite Vulnerability
Affects anyone running Microsoft DirectX. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft DirectX contains a NULL byte overwrite vulnerability in the QuickTime Movie Parser Filter in quartz.dll in DirectShow which could allow remote attackers to execute arbitrary code via a crafted QuickTime media file.
- CVE-2009-3459: Plan to patch
Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
Affects anyone opening, editing, or signing PDFs in Adobe Acrobat or Reader. For a CPA or legal practice, PDFs are typically client tax returns, engagement letters, signed agreements, and discovery documents — opening a malicious PDF runs attacker code in the user's session, which can pivot to file shares or email.
Adobe Acrobat and Reader contain a heap-based buffer overflow vulnerability which could allow remote attackers to execute arbitrary code via a crafted PDF file that triggers memory corruption.
- CVE-2010-0249: Plan to patch
Microsoft Internet Explorer Use-After-Free Vulnerability
Affects anyone running Microsoft Internet Explorer. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
- CVE-2010-0806: Plan to patch
Microsoft Internet Explorer Use-After-Free Vulnerability
Affects anyone running Microsoft Internet Explorer. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Internet Explorer contains a use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
- CVE-2026-41091: Plan to patch
Microsoft Defender Link Following Vulnerability
Affects anyone running Microsoft Defender. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Defender contains a link following vulnerability that allows an authorized attacker to elevate privileges locally.
- CVE-2026-45498: Monitor
Microsoft Defender Denial of Service Vulnerability
Affects anyone running Microsoft Defender. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Defender contains an unspecified vulnerability that allows for denial of service.
- CVE-2026-42897: Plan to patch
Microsoft Exchange Server Cross-Site Scripting Vulnerability
Affects anyone running Microsoft. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Exchange Server contains a cross-site scripting vulnerability during web page generation in Outlook Web Access; when certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
- CVE-2026-20182: Patch this week
Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Controller & Manager contain an authentication bypass vulnerability that allows an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
- CVE-2026-6973 Patch this week
Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Endpoint Manager Mobile (EPMM) contains an improper input validation vulnerability that allows a remotely authenticated user with administrative access to achieve remote code execution.
- CVE-2026-0300 Patch this week
Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability
Affects anyone behind a Palo Alto firewall or using GlobalProtect VPN. The firewall is the network edge; the VPN is how remote workers reach inside the perimeter — exploitation puts an attacker on the internal network without touching a workstation.
Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
- CVE-2026-32202 Monitor
Microsoft Windows Protection Mechanism Failure Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.
- CVE-2026-33825 Plan to patch
Microsoft Defender Insufficient Granularity of Access Control Vulnerability
Affects anyone running Microsoft Defender. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.
- CVE-2026-20122 Plan to patch
Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.
- CVE-2026-20133 Plan to patch
Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains an exposure of sensitive information to an unauthorized actor vulnerability that could allow remote attackers to view sensitive information on affected systems.
- CVE-2026-20128 Patch this week
Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Manager contains a storing passwords in a recoverable format vulnerability that allows an authenticated, local attacker to gain DCA user privileges by accessing a credential file for the DCA user on the filesystem as a low-privileged user.
- CVE-2009-0238 Plan to patch
Microsoft Office Remote Code Execution
Affects anyone using Microsoft 365 or Office to compose, store, or send email, documents, or spreadsheets. In a small practice, that's typically where client communications, engagement letters, and case notes live — credential compromise here means an attacker reads everything that platform stores.
Microsoft Office Excel contains a remote code execution vulnerability that could allow an attacker to take complete control of an affected system if a user opens a specially crafted Excel file that includes a malformed object.
- CVE-2026-32201 Monitor
Microsoft SharePoint Server Improper Input Validation Vulnerability
Affects anyone running Microsoft SharePoint Server. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.
- CVE-2012-1854 Plan to patch
Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
Affects anyone running Microsoft Visual Basic for Applications (VBA). Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft Visual Basic for Applications (VBA) contains an insecure library loading vulnerability that could allow for remote code execution.
- CVE-2025-60710 Plan to patch
Microsoft Windows Link Following Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows contains a link following vulnerability that allows for privilege escalation.
Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
Affects anyone running on-premises Microsoft Exchange Server. If you have Exchange in your office (as opposed to Microsoft 365 hosted email), it's the mail server holding all internal email — full compromise reads every conversation it stores.
Microsoft Exchange Server contains a deserialization of untrusted data vulnerability that allows an authenticated attacker to achieve remote code execution.
- CVE-2023-36424 Plan to patch
Microsoft Windows Out-of-Bounds Read Vulnerability
Affects anyone running Windows workstations or servers. In a small CPA, legal, or dental practice, Windows is typically the platform your accounting, document management, or practice management software runs on — exploitation gives an attacker access to whatever client files and credentials live on those machines.
Microsoft Windows Common Log File System Driver contains an out-of-bounds read vulnerability that could allow a threat actor to escalate privileges.
- CVE-2020-9715 Plan to patch
Adobe Acrobat Use-After-Free Vulnerability
Affects anyone opening, editing, or signing PDFs in Adobe Acrobat or Reader. For a CPA or legal practice, PDFs are typically client tax returns, engagement letters, signed agreements, and discovery documents — opening a malicious PDF runs attacker code in the user's session, which can pivot to file shares or email.
Adobe Acrobat contains a use-after-free vulnerability that allows for code execution.
- CVE-2026-21643 Patch this week
Fortinet FortiClient EMS SQL Injection Vulnerability
Affects anyone whose internet connection goes through a Fortinet appliance — typically a FortiGate firewall or FortiClient VPN. The firewall sits between every device in the office and the internet; exploitation can mean an attacker gets inside the network perimeter without touching a workstation.
Fortinet FortiClient EMS contains a SQL injection vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
- CVE-2026-34621 Plan to patch
Adobe Acrobat and Reader Prototype Pollution Vulnerability
Affects anyone opening, editing, or signing PDFs in Adobe Acrobat or Reader. For a CPA or legal practice, PDFs are typically client tax returns, engagement letters, signed agreements, and discovery documents — opening a malicious PDF runs attacker code in the user's session, which can pivot to file shares or email.
Adobe Acrobat and Reader contain a prototype pollution vulnerability that allows for arbitrary code execution.
- CVE-2026-1340 Patch this week
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution.
- CVE-2026-35616 Patch this week
Fortinet FortiClient EMS Improper Access Control Vulnerability
Affects anyone whose internet connection goes through a Fortinet appliance — typically a FortiGate firewall or FortiClient VPN. The firewall sits between every device in the office and the internet; exploitation can mean an attacker gets inside the network perimeter without touching a workstation.
Fortinet FortiClient EMS contains an improper access control vulnerability that may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests.
- CVE-2026-5281 Plan to patch
Google Dawn Use-After-Free Vulnerability
Affects anyone running Google Dawn. Google products typically sit at the identity or browsing layer — exploitation usually affects access to cloud services and stored sessions.
Google Dawn contains a use-after-free vulnerability that could allow a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. This vulnerability could affect multiple Chromium-based products including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
- CVE-2025-43510 Plan to patch
Apple Multiple Products Improper Locking Vulnerability
Affects anyone running Macs, iPhones, or iPads in the office. For a small practice, Apple endpoints are typically how staff handle email, browse client portals, and store local case files — exploitation gives an attacker access to that data on the device.
Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.
- CVE-2025-43520 Monitor
Apple Multiple Products Classic Buffer Overflow Vulnerability
Affects anyone running Macs, iPhones, or iPads in the office. For a small practice, Apple endpoints are typically how staff handle email, browse client portals, and store local case files — exploitation gives an attacker access to that data on the device.
Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.
- CVE-2025-31277 Plan to patch
Apple Multiple Products Buffer Overflow Vulnerability
Affects anyone running Macs, iPhones, or iPads in the office. For a small practice, Apple endpoints are typically how staff handle email, browse client portals, and store local case files — exploitation gives an attacker access to that data on the device.
Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management contain a deserialization of untrusted data vulnerability in the web-based management interface that could allow an unauthenticated, remote attacker to execute arbitrary Java code as root on an affected device.
- CVE-2026-20963 Patch this week
Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
Affects anyone running Microsoft SharePoint. Microsoft products in a small practice typically sit close to credentials, email, or document workflows — treat the patch as in-scope.
Microsoft SharePoint contains a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network.
- CVE-2026-3910 Plan to patch
Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
Affects anyone using Chrome or Chromium as their browser. The browser is where staff log into cloud apps, banking, and client portals — exploitation can mean session theft or credential exposure for every site you're signed into.
Google Chromium V8 contains an improper restriction of operations within the bounds of a memory buffer vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
- CVE-2026-3909 Plan to patch
Google Skia Out-of-Bounds Write Vulnerability
Affects anyone running Google Skia. Google products typically sit at the identity or browsing layer — exploitation usually affects access to cloud services and stored sessions.
Google Skia contains an out-of-bounds write vulnerability that could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability affects Google Chrome and ChromeOS, Android, Flutter, and possibly other products.
- CVE-2026-1603 Patch this week
Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
Affects anyone using Ivanti VPN (Connect Secure or Pulse) or Ivanti endpoint management. The VPN is what remote workers use to reach internal systems; the endpoint management tool typically has admin reach into every laptop — exploitation in either is high-impact.
Ivanti Endpoint Manager (EPM) contains an authentication bypass using an alternate path or channel vulnerability that could allow a remote unauthenticated attacker to leak specific stored credential data.
- CVE-2023-43000 Plan to patch
Apple Multiple Products Use-After-Free Vulnerability
Affects anyone running Macs, iPhones, or iPads in the office. For a small practice, Apple endpoints are typically how staff handle email, browse client portals, and store local case files — exploitation gives an attacker access to that data on the device.
Apple macOS, iOS, iPadOS, and Safari 16.6 contain a use-after-free vulnerability due to the processing of maliciously crafted web content that may lead to memory corruption.
- CVE-2021-30952 Plan to patch
Apple Multiple Products Integer Overflow or Wraparound Vulnerability
Affects anyone running Macs, iPhones, or iPads in the office. For a small practice, Apple endpoints are typically how staff handle email, browse client portals, and store local case files — exploitation gives an attacker access to that data on the device.
Apple tvOS, macOS, Safari, iPadOS and watchOS contain an integer overflow or wraparound vulnerability due to the processing of maliciously crafted web content that may lead to arbitrary code execution.
- CVE-2023-41974 Plan to patch
Apple iOS and iPadOS Use-After-Free Vulnerability
Affects anyone running Macs, iPhones, or iPads in the office. For a small practice, Apple endpoints are typically how staff handle email, browse client portals, and store local case files — exploitation gives an attacker access to that data on the device.
Apple iOS and iPadOS contain a use-after-free vulnerability. An app may be able to execute arbitrary code with kernel privileges.
- CVE-2022-20775 Patch this week
Cisco SD-WAN Path Traversal Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco SD-WAN CLI contains a path traversal vulnerability that could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
- CVE-2026-20127 Patch this week
Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
Affects anyone with Cisco networking or security appliances on their network — typically a firewall, switch, or remote-access VPN. That device controls traffic to and from every workstation; exploitation can mean an attacker pivots inside the network without touching any user device.
Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, contain an authentication bypass vulnerability that could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Not sure where to start
You don't have to triage 809 vulnerabilities yourself.
We watch this list daily and tell you which ones touch the software you actually run. Free 30-minute briefing — share what you have, get a prioritized short list back, and we tell you when you don't need us.
