Two security advisories landed this week that are worth a few minutes of your attention, even if you run a five-person office. One is a firewall flaw attackers are already using. The other is an Oracle bug that is two years old and somehow still finding victims. Together they make a point we keep coming back to: the danger usually is not the brand-new vulnerability nobody has seen. It is the known one that never got patched.
TL;DR
A Palo Alto firewall authentication-bypass is under active exploitation, and a 2023 Oracle flaw was just added back to the federal known-exploited list. If you run either product, patch now. If you do not, use this as the nudge to confirm your internet-facing gear is current — that is where these attacks land.
What happened
The first issue is an authentication bypass in a widely deployed firewall platform. In plain terms, it lets an attacker reach the management side of the device without valid credentials. Firewalls sit at the edge of the network and are reachable from the internet by design, which makes a bug like this attractive and makes patching it urgent. Security teams are reporting real-world attempts, not theory.
The second is older and, in a way, more telling. A vulnerability first disclosed in 2023 was just added back to CISA's Known Exploited Vulnerabilities catalog — the running list of flaws confirmed to be used in actual attacks. A bug does not land on that list because it is clever. It lands there because someone, somewhere, is still running an unpatched system two years later and getting hit through it.
Why a two-year-old bug still matters
It is easy to assume attackers chase the newest, flashiest exploit. Mostly they do not. Scanning the internet for systems missing a patch that came out two years ago is cheap, quiet, and reliable. The work is already done. The exploit is public. All that is left is to find someone who never applied the fix — and there is always someone.
That someone is rarely a careless person. It is usually a small organization where the device "still works," nobody owns updates, and the firmware screen has not been opened since installation. The system is doing its job, so it is invisible, so it never gets touched.
What to actually do this week
You do not need to track every advisory by hand. You need a short, repeatable response when one is relevant. Here is the version we use with clients.
Start with what faces the internet. Firewalls, routers, VPN endpoints, remote-access tools, and anything else reachable from outside your office are the systems that matter most for these two advisories. Confirm the firmware or software version, compare it to the vendor's fixed release, and update if you are behind. If you run Palo Alto gear specifically, treat that one as same-day.
Next, check whether anything in your environment touches the Oracle products named in the CISA listing. For most small offices the answer is no — but "I assume no" and "I checked and the answer is no" are different levels of safe.
Finally, write down what you found and when you patched it. A one-line record per device turns a scramble into a routine, and it is the difference between guessing next time and knowing.
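The three steps above as a script, an added example rather than the blog's own tooling. It assumes you have already looked up each device's fixed release, borrows the field names of CISA's KEV JSON feed, and every catalog entry, product name and CVE ID in it is a constructed placeholder.

```python
# Added example (not the blog's or CISA's code): triage a device inventory against a
# KEV-style catalog. Feed field names are CISA's; every entry/CVE ID is a placeholder.
from datetime import date

KEV_EXCERPT = {"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "Palo Alto Networks", "product": "PAN-OS"},
    {"cveID": "CVE-0000-00002", "vendorProject": "Oracle", "product": "Placeholder Product"},
]}

INVENTORY = [  # constructed: each device, its exposure, and the vendor's fixed release
    {"device": "edge-fw-1", "vendor": "Palo Alto Networks", "product": "PAN-OS",
     "internet_facing": True, "version": "10.2.3", "fixed_version": "10.2.4-h1"},
    {"device": "erp-app", "vendor": "Oracle", "product": "Placeholder Product",
     "internet_facing": False, "version": "9.3.6", "fixed_version": "9.3.7"},
    {"device": "mail-gw", "vendor": "ExampleVendor", "product": "Mail Gateway",
     "internet_facing": True, "version": "4.1", "fixed_version": "4.2"},
    {"device": "vpn-1", "vendor": "ExampleVendor", "product": "VPN Gateway",
     "internet_facing": True, "version": "4.2", "fixed_version": "4.2"},
]

def parse_version(v: str) -> tuple:
    """'10.2.4-h1' -> (10, 2, 4, 1); assumes dotted numbers plus an optional -hN hotfix."""
    return tuple(int(p) for p in v.replace("-h", ".").split(".") if p.isdigit())

def kev_matches(kev: dict, vendor: str, product: str) -> list:
    """CVE IDs in the catalog whose vendor/product matches this inventory entry."""
    return [e["cveID"] for e in kev["vulnerabilities"]
            if e["vendorProject"].lower() == vendor.lower()
            and e["product"].lower() == product.lower()]

def triage(inventory: list, kev: dict) -> list:
    """One record per device: listed CVEs, whether it is behind, and urgency."""
    out = []
    for d in inventory:
        cves = kev_matches(kev, d["vendor"], d["product"])
        behind = parse_version(d["version"]) < parse_version(d["fixed_version"])
        if not behind:
            priority = "current"
        elif cves and d["internet_facing"]:
            priority = "same-day"   # known-exploited and reachable from outside
        elif cves:
            priority = "this-week"  # known-exploited, but not directly exposed
        else:
            priority = "schedule"   # behind, but no known exploitation listed
        out.append({"device": d["device"], "behind": behind, "kev": cves, "priority": priority})
    return out

def record_line(rec: dict, checked: date) -> str:
    """The one-line-per-device record the post recommends keeping."""
    return f"{checked.isoformat()} {rec['device']} {rec['priority']} kev={','.join(rec['kev']) or '-'}"
```

Swap the placeholder catalog for the real feed and the placeholder inventory for your own, and the output is the record the post asks you to keep.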
The pattern underneath
Both of these advisories reward the same habit: knowing what you have that is exposed to the internet, and keeping it current. Most small-business compromises do not come from a brilliant attacker. They come from a patch that was available for weeks or years and never got installed. The fix is not more technology. It is a rhythm and a named owner.
We wrote about building that habit in "A small-business patching rhythm that actually sticks", and about how to read an advisory efficiently in "Reading a CVE without losing your afternoon".
If you are not sure whether any of this touches your network, that is a good question to bring to a free 30-minute IT review. We will help you find what is exposed and tell you straight whether you need to do anything about it.