FINANCE & RISK DESK · HONG KONG · WEEKLY

The Patch SLA Died This Week

A ColdFusion flaw was exploited within two hours of disclosure while a Windows Defender flaw sat exploitable for a month, proving the fixed-day patch SLA cannot measure a bimodal threat.
MH

Two Hours, Thirty Days

Adobe shipped a fix for CVE-2026-48282 on June 30, 2026, a path-traversal bug in ColdFusion that lets an attacker run code on a server without logging in. watchTowr, a security research shop, published a technical writeup on July 2. Two hours later, honeypot sensors run by KEVIntel, a vulnerability-intelligence outfit, caught attackers actively exploiting it, the fastest disclosure-to-attack gap tracked all year, per KEVIntel founder Ryan Dewhurst. CISA did not wait for a normal patch cycle. On July 8 the agency added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by July 10, forty-eight hours flat. Shadowserver, the nonprofit that scans the internet for exposed systems, counted nearly 800 ColdFusion servers still sitting open when the order landed. That is the whole modern patch cycle compressed into a week: disclosure, exploitation, emergency order, all before most enterprise change boards would have scheduled the meeting to discuss it. A fifteen-to-thirty-day SLA, the range most risk registers still use for critical flaws, was built for a world where two hours was not a live possibility. This week it was.

The Other End

Compare that to CVE-2026-50656, nicknamed RoguePlanet, a flaw that let an attacker spin up a SYSTEM-level command prompt on a fully patched Windows machine, inside Microsoft's own Defender antivirus engine. A researcher going by Nightmare Eclipse published working exploit code roughly thirty days before Microsoft shipped an emergency out-of-band fix on July 9. Thirty days, wide open, in the product millions of machines trust to watch for exactly this. Same week, Progress Software told customers running its ShareFile file-transfer software to shut down their on-premises servers over what it called a credible external threat, without saying whether that means a live break-in or a flaw nobody has used yet. Three vendors, three timelines, no shared pattern. A risk committee that reports patch compliance as one day-count number, fifteen days, thirty days, whatever the policy says, is reporting a figure that describes none of these. The fix is not a faster SLA. It is retiring the day-count and reporting exposure instead: how many instances face the internet, how critical is the system, is it already in KEV.

Progress still has not said whether ShareFile is a live breach or a flaw nobody has touched yet. CISA can order a forty-eight hour patch. It cannot order a vendor to tell the truth on a normal Tuesday. Monday morning, a risk committee should report exposure on both open items, not a day-count: confirmed status of the ShareFile threat and the current count of internet-facing ColdFusion instances still unpatched.

Sources

PREVIOUS COLUMNS, FINANCE & RISK DESK
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.