Exploited Vulnerabilities
The vulnerability signal is not just that new CVEs appeared; it is that exploited software keeps landing in the parts of enterprise architecture that are hard to inventory cleanly: middleware, managed endpoints, mobile fleets and edge infrastructure. CISA KEV coverage and security media reporting should be treated as an exposure-validation queue, not as passive news.
- Use CISA KEV and corroborating reporting as a trigger to prove whether affected products exist in production, internet-facing zones, partner networks or unmanaged business-unit deployments.
- Track exception handling as closely as patch completion. The riskiest systems are often the ones that cannot be updated quickly because ownership, support status or business dependency is unclear.
- For managed endpoints and mobile fleets, join patch status with device posture and enrollment state; an endpoint that is eventually patched, but late, can still create credential and data exposure during the delay.
- A weekly vulnerability review should end with named owners, affected asset groups, patch or mitigation dates, and documented residual risk.
Identity & Access Management
The identity story this week is about delegated trust. Vercel and Context.ai point to third-party OAuth and AI tooling as a route into Workspace and developer systems. ADT highlights customer-data exposure through a trusted service provider. DORA coverage shows regulators are increasingly treating identity and operational resilience as linked controls.
- Inventory third-party OAuth apps, AI assistants, browser extensions and developer tools that can read mail, files, tickets, repositories or deployment metadata.
- Review whether vendor and SaaS access paths are logged as first-class security events or only as routine business activity.
- For customer-data handlers, map what data is stored, who can export it, how access is monitored, and how customers are notified when a provider is affected.
- Connect resilience evidence to identity controls: privileged access, service accounts, emergency access, SaaS recovery and vendor continuity plans.
Ransomware & Resilience
The resilience signal is destructive authority. Wiper-style reporting and the Stryker/Intune discussion show that damage may come from malware, but it may also come from legitimate management systems abused by an attacker. Recovery planning has to cover both endpoint restoration and trust in the administrative plane.
- Test whether backup and restore procedures still work when identity, endpoint-management or device-enrollment systems are under suspicion.
- Review who can issue destructive endpoint actions such as wipe, retire, delete or reset, and whether those actions require just-in-time elevation or multi-party approval.
- Correlate endpoint telemetry with cloud audit logs. A destructive action initiated from a management console may leave clearer evidence in identity and SaaS logs than on the wiped device.
- Healthcare and critical suppliers should map operational dependencies before an incident: vendor portals, field support workflows, procurement, device telemetry and emergency communications.
- Run an exposure-validation pass for the named exploited technologies and record owner, patch state, mitigation state and exception reason.
- Review third-party OAuth and AI-tool grants with emphasis on mail, Drive, developer-platform and deployment metadata access.
- Audit privileged endpoint-management actions: who can wipe, retire, delete or reset devices, and whether bulk destructive actions require approval.
- Correlate SaaS, identity and endpoint logs for the week’s themes so investigation does not depend on one product console.
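The exposure-validation pass described under Exploited Vulnerabilities and in the first action item, as an added example that is not the briefing's own material: it joins a KEV-style feed to an asset inventory and emits review rows carrying owner, patch state and exception reason, ordered by urgency. The feed keys follow CISA's published KEV JSON schema; the inventory schema, CVE IDs, products, hosts and owners are assumptions and placeholders constructed for this example.

```python
# Added example, not from the briefing. Feed keys follow CISA's KEV JSON schema;
# all CVE IDs, products, hosts, owners and the inventory schema are constructed placeholders.

KEV_FEED = {"vulnerabilities": [  # constructed entries with real KEV field names
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleMiddleware", "product": "GatewayServer",
     "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleMDM", "product": "EnrollAgent",
     "dueDate": "2025-02-14", "knownRansomwareCampaignUse": "Unknown"},
]}

INVENTORY = [  # constructed inventory rows; this schema is an assumption of the example
    {"asset": "gw-01", "vendorProject": "ExampleMiddleware", "product": "GatewayServer",
     "zone": "internet-facing", "patched_cves": set(), "owner": "platform-team", "exception": None},
    {"asset": "gw-02", "vendorProject": "ExampleMiddleware", "product": "GatewayServer",
     "zone": "partner", "patched_cves": {"CVE-0000-00001"}, "owner": "platform-team", "exception": None},
    {"asset": "mdm-agent-fleet", "vendorProject": "ExampleMDM", "product": "EnrollAgent", "zone":
     "managed-endpoints", "patched_cves": set(), "owner": None, "exception": "vendor support status unclear"},
]
ZONE_RANK = {"internet-facing": 0, "partner": 1, "managed-endpoints": 2, "internal": 3}

def classify(asset, cve):
    """Patch state of one asset for one KEV entry."""
    if cve["cveID"] in asset["patched_cves"]:
        return "patched"
    return "exception" if asset["exception"] else "unpatched"

def build_queue(feed, inventory):
    """One review row per (KEV entry, matching asset), most urgent first."""
    rows = []
    for cve in feed["vulnerabilities"]:
        for asset in inventory:
            if (asset["vendorProject"], asset["product"]) != (cve["vendorProject"], cve["product"]):
                continue
            rows.append({"cveID": cve["cveID"], "asset": asset["asset"], "zone": asset["zone"],
                         "owner": asset["owner"] or "UNASSIGNED", "state": classify(asset, cve),
                         "due": cve["dueDate"], "exception_reason": asset["exception"],
                         "ransomware": cve["knownRansomwareCampaignUse"] == "Known"})
    # Still-exposed before patched; ransomware-linked first; most exposed zone; earliest due date.
    rows.sort(key=lambda r: (r["state"] == "patched", not r["ransomware"],
                             ZONE_RANK.get(r["zone"], 9), r["due"]))
    return rows

def open_items(queue):
    """Rows that must leave the weekly review with an owner, a date and documented residual risk."""
    return [r for r in queue if r["state"] != "patched"]

def unowned(queue):
    """Exposed assets nobody is accountable for: resolve ownership before arguing about dates."""
    return [r for r in open_items(queue) if r["owner"] == "UNASSIGNED"]
```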