Blog

The latest news and developments

Latest Blogs and News

Secora Consulting’s blog is a mixture of news and developments in the security world and technical breakdowns of our services. Bookmark this page to stay informed.

Pentesting

Vulnerability Watchlist: Week Ending 14 June 2026

Every week we track what lands in the CISA Known Exploited Vulnerabilities (KEV) catalogue, the list of flaws that attackers are actively using in the wild. These aren’t theoretical risks sitting in a researcher’s notebook. They’re confirmed in-use, which is exactly why they deserve a place at the top of your patching queue. The week ending 14 June 2026 added seven new entries. That’s a touch above the recent 13-week average of around six per week, so the volume itself is fairly ordinary.

Pentesting

Vulnerability Watchlist: Week Ending 7 June 2026

The CISA Known Exploited Vulnerabilities (KEV) catalogue, is a list of flaws that attackers are actively using in the wild. These aren’t theoretical, they’re confirmed in-use, which is why they deserve a place at the top of your patching queue. The week ending 7 June 2026 added five new entries. That’s roughly in line with the recent 13-week average of around six per week, so nothing unusual in the volume. The severity mix, however, is worth a closer look as there is one Critical and four High, with every single one rated as actionable.

GRC

Increase Your Credit Unions Cybersecurity Posture With Secora Consulting

Irish Credit Unions are under growing pressure to demonstrate that their IT systems, data and member assets are properly protected. The Central Bank of Ireland’s Thematic Review on IT risk made that expectation formal and urgent. The regulator’s message was unambiguous: responsibility for IT risk, security and resilience no longer sits with your IT provider. It sits with your board. And when the Central Bank comes knocking, it will want evidence, not reassurances.

Penetration Testing

From Redirect to Hijack: Chaining OIDC Misconfigurations for Token Theft

This post, written by Brian, Security Consultant at Secora Consulting, describes how a weakness in an OAuth/OpenID Connect login flow let him turn a redirect issue into session hijacking, based on his own firsthand experiences. During a web application penetration test , I found what initially looked like a standalone redirect validation issue in an OAuth/OpenID Connect (OIDC) login flow. Digging further into the authorisation flow revealed that this validation weakness was only the starting point of a larger problem.

Harsh Banshpal

Telnet Security Risks: Why It is Still Dangerous and What to Use Instead

From a penetration tester’s point of view, Telnet is one of those findings that immediately stands out. Not because it is complex or interesting, but because it is simple and risky. If Telnet is exposed in an environment, it often becomes one of the easiest ways for an attacker to gain access. Many organisations still rely on Telnet in legacy systems, network devices and internal tools. That alone is risky. Recent vulnerabilities have made the situation much worse.

Penetration Test

Why CVSS Scores Fall Short: How to Measure the Real Business Impact of Vulnerabilities

Organisations commonly rely on CVSS (Common Vulnerability Scoring System) scores of a vulnerability to understand their security posture. While this approach helps identify technical weaknesses, it often fails to answer a more important question: What is the actual risk to the business if a vulnerability is exploited? CVSS provides a measure of technical severity, but it does not account for exploitability in a real environment, the value of the affected asset or the operational impact of exploitation.