New issue of my “Farath’s Bi‑Weekly Code Security Brief” digs into a trend I’m seeing everywhere: the critical bugs are landing in the security and management tooling itself, not in the apps it protects:
Tenable Security Center (CVE‑2026‑2630) – authenticated command injection on the platform you trust for vuln intel.
Juniper PTX (CVE‑2026‑21902) – RCE on core routers via on‑box anomaly detection.
Ivanti EPMM & EPM – unauth RCE + auth bypass/SQLi on the mobile and endpoint control plane.
Plus some thoughts on recent Azure control‑plane EoP and why “the cloud provider patched it” isn’t a complete risk story.
The post is opinionated and very pipeline‑centric:
how these bugs actually get abused in real environments
what your SAST/SCA/DAST/IAST stack would see (or totally miss)
concrete Tier‑0/Tier‑1 SLAs I’d use when the vuln is in your scanner/MDM/router instead of your app