The 18-Year-Old Heap Overflow That Never Left NGINX
This week's most uncomfortable disclosure didn't come from a nation-state campaign or a ransomware gang — it came from an 18-year-old bug sitting quietly inside software running a third of the internet. Alongside it, a recurring reminder that incomplete patches can generate more false confidence than no patch at all.
An Eighteen-Year Wait in NGINX's Rewrite Engine
Researcher depthfirst disclosed a heap buffer overflow in NGINX's ngx_http_rewrite module that has existed since the module was first written. The flaw affects both NGINX Plus and NGINX Open Source and allows an unauthenticated attacker to achieve remote code execution with no credentials required. The practical exposure is enormous: NGINX serves somewhere north of 30% of all web traffic globally, and nearly every non-trivial deployment uses rewrite rules. The bug's age is less a commentary on NGINX's quality than a reminder that memory-safety issues in C codebases accumulate silently, wait, and then arrive all at once.
SonicWall's Incomplete Fix and the MFA That Wasn't
Threat actors are actively brute-forcing SonicWall Gen6 SSL-VPN appliances and bypassing MFA — not because MFA is inherently broken, but because the vendor's patch was incomplete. Attackers who obtain valid credentials can still reach the network on appliances that are not fully updated; the enforcement gap allows authenticated-looking sessions to proceed. Confirmed downstream payloads have included ransomware tooling. A patch that doesn't fully close a vulnerability creates a false confidence that can be worse than no patch — it suppresses the urgency to find alternative mitigations while leaving the door open.
Microsoft's AI Auditor and a 138-Patch Tuesday
Microsoft shipped fixes for 138 vulnerabilities this cycle, 30 rated Critical, including RCE flaws in DNS Server and Netlogon — both high-value targets in Active Directory environments where lateral movement is trivial once an attacker has a foothold. More notable was the disclosure of MDASH, a multi-model AI system Microsoft built internally to find and triage vulnerabilities at scale, which reportedly discovered 16 of this month's patched flaws. An AI system making a measurable dent in a vendor's own patch backlog is a different proposition from the usual AI-security marketing. The practical implication cuts both ways: the same class of tooling will be available to offense on roughly the same timeline.
Checkout Skimmers and the Plugin Attack Surface
A critical flaw in the Funnel Builder plugin for WordPress is under active exploitation, with attackers injecting malicious JavaScript into WooCommerce checkout pages to skim payment card data. The vector is standard and well-worn: a widely-deployed plugin, a window between disclosure and patching, and a payment flow worth exfiltrating. Anyone running WooCommerce should audit installed plugins and confirm Funnel Builder is patched or removed. Web skimming through third-party plugin flaws hasn't slowed — it has simply migrated from Magento to WordPress as the dominant target surface.
The Irony of a Compromised Email Security Gateway
Researchers disclosed multiple critical vulnerabilities in SEPPMail Secure E-Mail Gateway — an enterprise email security product — enabling unauthenticated remote code execution and arbitrary mail access from outside the network. The attack surface here is particularly sharp: an attacker who compromises the security layer has immediate access to everything the product was purchased to protect. Inline email security appliances have become a recurring feature of breach timelines; they are high-value, trusted, and often under-patched relative to the systems they guard.
The through-line this week is the distance between what a security control is supposed to do and what it actually does under adversarial conditions — an MFA implementation bypassable through an incomplete patch, a decades-old memory flaw in ubiquitous infrastructure, a security appliance that introduces the exposure it was sold to prevent. That gap doesn't close through better tooling announcements. It closes through complete patches, aggressive patch cadence, and treating your security products as part of your attack surface rather than exempt from it.
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
- Hackers bypass SonicWall VPN MFA due to incomplete patching
- Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
- Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
- Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming
- SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
Synthesized by Claude · sanity-checked before publishing.