Two zero-day patches this week make the same argument from opposite directions. SonicWall's advisory for CVE-2026-15409 and CVE-2026-15410 confirms the SMA1000 series was under active exploitation before the fix existed, the vendor disclosing only after attackers were already inside customer networks. Microsoft's July release covers 622 CVEs, the largest Patch Tuesday on record, with three zero-days and more than 60 rated critical. One vendor is telling customers a hole was open and used against them. The other is telling customers to triage a number that exceeds what most security teams can review in the ten days before next month's cycle starts the count over.
The SonicWall case is the sharper one: SMA1000 appliances sit at the network edge doing remote access, which means exploitation there is a credential and session foothold, not a data leak from some peripheral service. Patch now closes CVE-2026-15409 and CVE-2026-15410, but it does not tell a defender whether the box was already used before the patch existed, and SonicWall's advisory does not specify one. Microsoft's 622 does not need a metaphor. It needs a triage order, and the order is: the three zero-days first, the critical-rated among the other 619 next, and everything else after August's cycle resets the backlog again.
