Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2025-53521 is an unauthenticated remote code execution vulnerability in F5's BIG-IP Access Policy Manager (APM). The flaw exists in the apmd process, the daemon responsible for processing live access policy traffic, and is triggered when a BIG-IP APM access policy is configured on a virtual server and the system receives specific malicious traffic. No credentials are required to exploit it. The vulnerability carries a CVSS score of 9.8 and a CVSS score of 9.3.

On March 23, 2026, Cloud Software Group (Citrix) published a security bulletin disclosing two vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Both affect customer-managed on-premises deployments; Citrix-managed cloud services and Adaptive Authentication instances have been updated automatically. CVE-2026-3055 is an out-of-bounds read resulting from insufficient input validation in NetScaler ADC and NetScaler Gateway.

BUFFALO, N.Y., March 24, 2026 — Sedara, a cybersecurity solutions provider specializing in Managed Detection and Response (MDR) and Attack Surface Management (ASM), today announced it has been named a Hot Company in Attack Surface Management in the 14th Annual Global InfoSec Awards, presented by Cyber Defense Magazine during RSAC 2026 Conference in San Francisco. The Global InfoSec Awards recognize cybersecurity innovators worldwide.

CVE-2026-22557 is a path traversal vulnerability in the Ubiquiti UniFi Network Application caused by improper limitation of a pathname to a restricted directory (CWE-22). A malicious actor with network access can exploit the flaw to traverse directory boundaries, access files on the underlying operating system, and manipulate those files to gain unauthorized access to system accounts.

CVE-2026-32746 is a critical out-of-bounds write in GNU Inetutils telnetd caused by insufficient bounds checking in the LINEMODE SLC (Set Local Characters) suboption handler. Public advisories attribute the issue to the add_slc logic not verifying whether the destination buffer is already full before writing additional data. The published CVSS v3.1 score is 9.8, with network attack vector, no required privileges, and no user interaction.

You probably feel this already: the surface you’re responsible for no longer has edges. New assets appear without tickets. A team flips on a SaaS app and suddenly sensitive data, OAuth scopes, and public links widen your blast radius. Your scanners keep finding “stuff,” but little of it changes what you fix next week. That’s the gap attack surface analysis has to close in 2026—seeing more, yes, but mainly acting faster on what actually matters.

CVE-2026-21262 is an elevation of privilege vulnerability affecting Microsoft SQL Server. The issue is caused by improper access control within SQL Server components, allowing an authenticated attacker to elevate privileges over a network.

A simple guide for understanding how ASM actually supports your security program. We often hear organizations ask.

In 2026, the ASM scorecard has moved well past discovery. The market is shifting from visibility to validated proof: what’s exploitable, what connects to critical systems, and what requires immediate action. The latest GigaOm Radar for Attack Surface Management is anchored to that bar. Across 32 vendors, it highlights the platforms that have moved beyond inventory into contextual prioritization and actionable validation. This is the turning point CyCognito is built for.