Source-backed security, PKI, certificate, identity, and post-quantum cryptography topics selected for enterprise relevance. Articles are reviewed before publication and include source attribution.
Last editorial review: June 22, 2026
CVE IDs sourced from CISA KEV catalog and MSRC. Federal remediation deadlines shown are historical — verify current patch status at cisa.gov.
Evergreen Microsoft hardening items for ADCS, Kerberos, LDAP, and CryptoAPI — sourced from MSRC advisories. Not current-month Patch Tuesday releases.
ADCS Web Enrollment NTLM Relay Mitigation — EPA enforcement guidance for certsrv and CES endpoints
Windows LDAP RCE Patch — December 2024 cumulative update for CVE-2024-49112
Kerberos PAC Validation Hardening — enforcement of PAC signature validation on DCs
Netlogon Secure Channel Enforcement Mode — Zerologon full enforcement (enforcement phase completed Feb 2021)
Windows CryptoAPI ECC Certificate Spoofing — certificate chain validation hardening (NSA-disclosed, Jan 2020)
Joint advisories relevant to PKI and enterprise identity. Dates reflect original CISA publication; verify current guidance at cisa.gov.
CISA, FBI, and DC3 warn of Iran-based cyber actors using brute force, password spraying, and MFA push bombing to gain initial access. Certificate-based authentication and phishing-resistant MFA are recommended mitigations.
Advisory covering abuse of legitimate network tunneling tools (Ngrok, Cloudflare Tunnel, etc.) to establish persistent access and bypass perimeter controls. Includes detection guidance and network monitoring recommendations.
CISA, FBI, NSA, and international partners warn of Russian SVR-affiliated actors (APT29/Cozy Bear) exploiting CVE-2023-42793 in JetBrains TeamCity to compromise software build pipelines and supply chain targets.
CVE-2025-47984 — Windows LDAP RCE, CVSS 9.8. Patch applied November 2025 Patch Tuesday. Verify all DCs are updated.
ESC8 NTLM relay to ADCS Web Enrollment remains unmitigated in most enterprise environments. EPA enforcement is the fix.
Azure AD CBA strict CA enforcement deadline: August 12, 2026. Audit your trusted CA store now — see our article.
CISA updated its ADCS hardening guidance. Key recommendation: disable Web Enrollment if not required; enable EPA if it is.
FIPS 203, 204, 205 finalized. ML-KEM and ML-DSA are the primary PQC replacements for RSA/ECDH and ECDSA.
Ballot SC-081 passed: TLS certificate maximum validity reduced to 47 days effective March 2026 (phased rollout through 2029).
Weekly digest of CISA KEV additions, Patch Tuesday highlights, and PKI advisory coverage — delivered to your inbox.
Subscribe Free