Another zero-day patched just in time for no one to notice. Welcome to Thursday, June 25, 2026, aka the day the security industry collectively blinked and realized the same problems it warned about last week are still paying rent in production. Pour yourself something smoky and aged – bourbon, scotch, even that fancy rum you bought “for the holidays” and never used – because today’s theme is the classic trio: exploited before patched, vulnerabilities in everything that moves, and vendors acting surprised that attackers do, in fact, attack.
The Real Story: Exploitation Does Not Wait for Your Change Window
The top “fun” item is the Cisco SD-WAN zero-day CVE-2026-20245, exploited months before patching. That’s not just a disclosure story. That’s an operational story. Somewhere, an org bought into a “managed” network experience, ran it for months without the compensating controls that would have mattered, and then watched the news confirm what defenders already suspect: threat actors are living in the gap between “we have a ticket” and “we actually deployed the fix.”
Let’s be clear. Calling it “months before patching” is the polite version. The likely reality is: exploitation started before monitoring was ready, before segmentation got tightened, and before anyone had the courage to say “we can’t reduce risk if we refuse to patch.” But sure, keep telling leadership that the risk is “being assessed.” Risk assessment is great. It’s also a wonderful way to postpone consequences until after the breach.
Meanwhile, the Patch Backlog Brings More Condolences
And it’s not just Cisco. The newsletter also highlights Chrome 149 resolving 18 severe vulnerabilities, with use-after-free defects that can lead to remote code execution. Add GitLab patching 13 vulnerabilities (including high-severity issues) and curl resolving a 25-year-old bug pile-up, and you get the security equivalent of a broken faucet. Water is everywhere, the bucket is small, and everyone’s arguing about whether the label on the can says “fix” or “prevent.”
This is where IT culture shines. The culture that treats patching like a seasonal activity. The culture that celebrates “security tools” while the boring stuff – update discipline, lifecycle management, and ruthless exposure reduction – gets shoved into a backlog labeled “someday.”
OT and Reality: Your “No Evidence” Slide Is Not a Shield
On the OT side, there’s the report about Cal Water saying it found no evidence of OT systems breached after the Iranian Handala cyberattack. Look, I’m glad they didn’t get wrecked. But the phrasing matters. “No evidence” is not “no risk.” It’s often “we looked and didn’t see what we wanted to see,” which usually means the adversary’s favorite technique – living quietly – is still winning the popularity contest.
So What Should You Do Besides Read Newsletters?
Patch like your job depends on it, because in practice it does. For the billionth time, implement exposure reduction you can actually measure: segment, enforce least privilege, tighten access paths, and validate that the compensating controls work before the vendor tells you to wait for the next release. If you rely on dashboards and dashboards alone, don’t be shocked when the attacker relies on the same assumptions.
Read the original roundup: Cisco SD-WAN Zero-Day Exploited Months Before Patching