Different week, same dumpster fire with a fresh coat of paint.

Let’s dive in.

Oracle WebLogic Flaw Added to CISA KEV

Risk Level: Critical

Business Impact: Exploited WebLogic flaws can expose enterprise middleware, sensitive application data, and backend systems tied to critical business workflows.

What You Need to Know

CISA ordered federal agencies to patch CVE-2024-21182, a two-year-old Oracle WebLogic Server flaw now confirmed as actively exploited, with reporting from BleepingComputer and SC Media noting that unauthenticated attackers with network access may remotely compromise affected servers.

Why This Matters

  • “Old vulnerability” does not mean “dead vulnerability.”

  • WebLogic often sits close to business-critical applications and backend data.

  • KEV status means exploitation is real, not theoretical.

Executive Actions

🩹 Patch affected WebLogic servers immediately and verify the running version.

🔒 Restrict WebLogic admin and application access to trusted networks where possible.

🔎 Hunt for abnormal requests, unexpected deployments, new users, and suspicious outbound traffic.

🔑 Rotate credentials tied to affected applications if exposure is suspected.

Google Patches Actively Exploited Android Zero-Day

Risk Level: Critical

Business Impact: Mobile exploitation can enable privilege escalation, spyware-style access, and compromise of devices used for email, MFA, and business apps.

What You Need to Know

Google’s June Android update fixes 124 vulnerabilities, including actively exploited CVE-2025-48595, a Framework privilege-escalation flaw affecting Android 14 and later, according to BleepingComputer and The Hacker News.

Why This Matters

  • Phones are identity devices now, not accessories.

  • Mobile compromise can expose email, tokens, MFA prompts, and business app sessions.

  • Targeted exploitation often becomes broader once techniques spread.

Executive Actions

📱 Enforce Android patch compliance through MDM.

🔐 Require stronger MFA for privileged and high-risk workflows.

🔎 Monitor for suspicious new device registrations and unusual mobile login behavior.

🧾 Update mobile IR playbooks to include session invalidation and credential rotation.

HP Poly VoIP Phones Vulnerable to Root RCE

Risk Level: High

Business Impact: Compromised VoIP phones can become footholds inside enterprise networks, enabling reconnaissance, persistence, and possible lateral movement.

What You Need to Know

A critical vulnerability in HP Poly Voice devices, CVE-2026-0826, allows remote code execution with root privileges when the ICE feature is enabled, according to SecurityWeek’s coverage.

Why This Matters

  • VoIP devices are often forgotten during patching and monitoring.

  • Root access on phones can give attackers a quiet network foothold.

  • “It’s just a phone” is exactly the kind of sentence that ages badly.

Executive Actions

☎️ Inventory affected HP Poly devices and apply firmware updates.

🔒 Disable unnecessary ICE exposure or features where not required.

🧱 Segment VoIP networks away from sensitive business systems.

🕵️ Monitor for abnormal phone traffic, config changes, and unexpected outbound connections.

Leadership Insight:

This week’s lesson is not complicated:
Attackers are exploiting the boring stuff… old middleware, mobile patch gaps, VoIP phones, archive tools, Windows auth flows, and Redis servers. None of this is flashy. All of it can burn your week down.

The executive takeaway: stop measuring risk by how exciting the technology sounds. Measure it by where it sits, what it touches, and how fast attackers can turn it into access.

Windows Search URI Flaw Can Leak NTLMv2 Hashes

Risk Level: High

Business Impact: NTLMv2 hash theft can enable relay attacks, credential abuse, and lateral movement inside Windows environments.

What You Need to Know

Researchers disclosed an unpatched issue in how Windows handles search: URIs that can force systems to send NTLMv2 hashes over SMB when users interact with crafted content, as explained in The Hacker News report.

Why This Matters

  • NTLM theft remains one of the fastest ways to turn one click into domain risk.

  • Relay attacks can bypass password guessing entirely.

  • Unpatched issues require compensating controls immediately, not someday.

Executive Actions

🔐 Reduce NTLM exposure and enforce SMB hardening where possible.

🧱 Block outbound SMB to the internet.

🕵️ Monitor for unusual NTLM authentication attempts and external SMB traffic.

🧠 Warn users about opening unexpected files, links, or search-driven prompts.
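
One way to run the external-SMB monitoring action above against firewall or flow logs, as an added example that is not part of the original newsletter. The log layout (time,src,dst,dport,action), the internal ranges, and the sample records are constructed assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Assumption: address space treated as "inside"; adjust to the real environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Constructed sample records (hypothetical layout: time,src,dst,dport,action).
# External addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-01-01T09:00:01Z,10.1.4.22,10.1.0.5,445,allow
2024-01-01T09:00:07Z,10.1.4.22,203.0.113.25,445,allow
2024-01-01T09:00:09Z,10.1.4.22,203.0.113.25,445,allow
2024-01-01T09:01:30Z,10.1.7.80,198.51.100.7,139,deny
2024-01-01T09:02:00Z,10.1.7.80,198.51.100.7,443,allow
not,a,valid,record
"""

def is_internal(addr):
    return any(addr.version == net.version and addr in net for net in INTERNAL_NETS)

def external_smb_flows(log_text):
    """Return per (src, dst, port) counts of SMB flows leaving the internal ranges."""
    hits = defaultdict(lambda: {"allow": 0, "deny": 0})
    for row in csv.reader(log_text.splitlines()):
        try:
            _, src, dst, dport, action = row
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip malformed records rather than abort the hunt
        if port in SMB_PORTS and is_internal(src_ip) and not is_internal(dst_ip):
            if action in ("allow", "deny"):
                hits[(src, dst, port)][action] += 1
    return dict(hits)

def unblocked_sources(hits):
    """Hosts whose outbound SMB was allowed: the egress block is missing for them."""
    return sorted({src for (src, _, _), c in hits.items() if c["allow"] > 0})

if __name__ == "__main__":
    findings = external_smb_flows(SAMPLE_LOG)
    for (src, dst, port), c in sorted(findings.items()):
        print(f"{src} -> {dst}:{port} allowed={c['allow']} denied={c['deny']}")
    print("hosts needing egress block / credential review:", unblocked_sources(findings))
```

Allowed flows mark hosts where the egress block is not in effect and whose users' credentials may warrant review; denied flows show the control working but still identify hosts that attempted external SMB.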

Redis Authenticated RCE Discovered After Two Years

Risk Level: High

Business Impact: Redis compromise can expose cached secrets, application data, session state, and backend infrastructure access.

What You Need to Know

A Redis vulnerability, CVE-2026-23479, enables authenticated remote code execution and existed for more than two years before being patched in May, with details published in The Hacker News write-up.

Why This Matters

  • “Authenticated” does not mean low risk when credentials are stolen constantly.

  • Redis often holds high-value application data and session context.

  • Long-lived bugs can become attractive once public technical details exist.

Executive Actions

🩹 Patch Redis to fixed versions immediately.

🔒 Restrict Redis access to trusted application networks only.

🔑 Rotate Redis credentials and related app secrets if exposure is possible.

🔎 Monitor for suspicious Redis commands, new connections, and abnormal data access.

Gamaredon Uses WinRAR Exploit for Espionage Payloads

Risk Level: High

Business Impact: Archive exploitation can deliver malware, persistence, and data theft through files users are trained to open.

What You Need to Know

Russia-linked Gamaredon activity is exploiting a WinRAR vulnerability, CVE-2025-8088, to deploy GammaPhish and GammaWorm for persistence, data theft, and propagation, according to The Hacker News and SC Media.

Why This Matters

  • Archive files remain a reliable delivery method because they look routine.

  • Espionage actors prioritize persistence and quiet data collection.

  • File-handler vulnerabilities often bypass normal “don’t click links” training.

Executive Actions

🧩 Patch WinRAR and archive tools across endpoints.

📎 Block or sandbox high-risk archive attachments.

🕵️ Hunt for suspicious extraction behavior, new persistence, and unusual script execution.

🔐 Prioritize monitoring for users handling sensitive government, legal, or operational data.

⚙️ Immediate Leadership Checklist ⚙️

🩹 Patch WebLogic, Android, Redis, WinRAR, and HP Poly devices based on exposure

🔐 Reduce NTLM risk: block outbound SMB and tighten authentication controls

📱 Treat mobile patching as identity protection, not device maintenance

☎️ Segment VoIP and “forgotten” device networks from core business systems

🔎 Hunt for exploitation on systems that were exposed before patching

🔑 Rotate secrets where middleware or cache-layer compromise is plausible

💡 If your patch priority is based on how boring the asset sounds, congratulations — you’ve built an attacker-friendly roadmap. 💡

J.W.
