Boundary Devices and Plugins Prompt Timely Remediation

Vulnerability management has exploded into a two-pronged challenge of resources and prioritization.
More than 48,000 new common vulnerabilities and exposures (CVEs) were published in the National Vulnerability Database in 2025, a 21% year-over-year increase. Yet, only 1% of CVEs were actually exploited in the wild.
Security professionals are the ones stuck in the middle. There’s more alert noise and fatigue than ever, the window between disclosure and exploitation is rapidly shrinking, and not all “critical” vulnerabilities equate to real-life risk. If everything is urgent, nothing is urgent.
We recognize the burden created by unnecessary alerts and don’t take outreach to policyholders lightly, which is why Coalition reserves Zero-Day Alerts (ZDAs) for the most critical and time-sensitive threats that present the greatest potential for financial loss to policyholders. We only send ZDAs when a vulnerability is either actively being exploited by threat actors or we believe exploitation is imminent, and the only recipients of ZDAs are policyholders using the at-risk software or technology.
ZDA Snapshot
Coalition sent 34 different ZDAs between November 2025 and February 2026
WordPress plugins (27%) and boundary devices (19%) accounted for nearly half (46%) of all ZDAs in this period
97% of policyholders didn’t receive a single ZDA
On average, Coalition issued ZDAs nearly one week faster than alerts from US federal civilian cybersecurity authorities
52% of notified policyholders have fewer than 25 employees
Below, we’ll explore our ZDAs in recent months: what technologies frequently appear behind high-risk vulnerabilities, how we operate as an early-warning system, and when we decide to alert.
1. More than a quarter of ZDAs involved WordPress plugins
Attackers usually aren’t reinventing the wheel. They’re looking for the path of least resistance into a network. Our threat intelligence shows that risk is heavily concentrated in a few specific technology stacks that provide high-level access with minimal friction.
WordPress plugins
Among all ZDAs, 27% involved WordPress plugins. WordPress lets third-party developers publish plugins, creating a massive ecosystem that WordPress itself does not regularly audit. Many of these plugins aren’t actively maintained, which leaves known bugs unpatched and creates a welcome avenue for exploitation.

Due to the prevalence of WordPress across the web, plugin authors represented 27% of “vendors” involved in alerts. Some of our ZDAs included:
CVE-2025-14998: The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover and allows attackers to change user passwords (including administrators) to gain access to accounts.
CVE-2025-13773: The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to remote code execution and makes it possible for unauthenticated attackers to execute code on the server.
Compared to other technologies, like boundary devices or remote monitoring tools, the risk of ransomware resulting from WordPress plugins is relatively low, because the site is usually hosted by a third party rather than on the business’s own network. But these vulnerabilities should still be addressed to prevent public defacement or the site being used to spread malware. If a business collects personally identifiable information or does eCommerce via a WordPress site, the risk is elevated.
Businesses can reduce their risk by enabling auto-updates for specific plugins.
Boundary devices
Boundary devices appear frequently in ZDAs, accounting for 19% of all notifications. These devices (VPNs, firewalls, routers, etc.) are designed to enable secure remote access and act as boundaries between internal business networks and the internet. Businesses invest in these tools to bolster their security, but they can also introduce additional risks.
When using SSL VPNs, users gain access through login panels that are often exposed to the internet without an additional layer of protection, such as multi-factor authentication. We alert on critical vulnerabilities within SSL VPNs that allow attackers to bypass authentication or steal session cookies. Due to the direct path to internal systems, businesses running legacy SSL VPNs are 3 to 4 times more likely to experience a claim.

Within the realm of boundary devices, certain vendors are notable repeat offenders. In the past quarter, Fortinet alone has accounted for 13.5% of our ZDA notifications. In Coalition’s Risky Tech Ranking, Fortinet now sits at #9 (among 9,533 scored vendors).
We sent three ZDAs related to Fortinet SSO authentication bugs in less than two months: CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858.
Mail servers
Mail servers were involved in 8% of ZDAs, primarily due to several vulnerabilities found within SmarterTools SmarterMail, such as:
CVE-2025-52691: Allows unauthorized remote attackers to reset administrator passwords, gain access to the interface, and execute OS-level commands.
CVE-2026-23760: Permits unauthenticated attackers to supply a target administrator username and a new password to reset an account, resulting in full administrative compromise of the SmarterMail instance (without verifying existing password or providing a reset token).
2. ZDAs had an average lead time of 6.7 days before CISA KEV
Now more than ever, businesses need to know which risks to prioritize, and ideally, before they even appear in the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.
Coalition’s ZDAs had an average lead time of 6.7 days before CISA KEV, operating as an early-warning system.
While KEV is a vital industry benchmark, it’s inherently reactive. By the time a CVE is listed in KEV, exploitation is often well underway. To protect policyholders, we need to move faster than standard industry clocks.

The rest of the ZDAs between November 2025 and February 2026 have yet to be added to CISA KEV.
We alerted on CVE-2025-52691 18 days before the vulnerability was added to the CISA KEV catalog. For nearly three weeks, Coalition policyholders had the intelligence required to patch while other businesses likely remained unaware of the active risk.
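The lead-time figures above come from comparing the date an alert went out with the date the same CVE appeared in CISA’s KEV catalog. The following is an added example (not Coalition’s tooling) of that calculation against the public KEV JSON feed layout, whose entries carry a cveID and a dateAdded field. The catalog snippet and the alert dates are constructed for illustration; only the 18-day gap for CVE-2025-52691 mirrors the figure quoted above, and the other dates are not the real alert or KEV dates for those CVEs.

```python
"""Measure how far ahead of CISA KEV an internal alert landed.

Added example, not Coalition's code. Parses the KEV feed layout
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json:
a top-level "vulnerabilities" list whose entries carry "cveID" and "dateAdded")
and compares each entry with the date an alert was sent. CVEs the catalog
has not listed yet are reported separately rather than counted as zero.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. The dates are illustrative
# (CVE-2025-52691 is set up to show the 18-day lead quoted in the text).
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-52691", "vendorProject": "SmarterTools", "product": "SmarterMail",
     "dateAdded": "2026-01-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-59718", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2026-01-10", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed: the day each alert went out, keyed by CVE.
ALERTS_SENT = {
    "CVE-2025-52691": date(2026, 1, 12),
    "CVE-2025-59718": date(2026, 1, 6),
    "CVE-2026-24858": date(2026, 2, 3),   # deliberately absent from the sample catalog
}


def kev_added_dates(kev_text):
    """Map cveID -> dateAdded (as a date) for every entry in the catalog."""
    catalog = json.loads(kev_text)
    return {v["cveID"]: date.fromisoformat(v["dateAdded"])
            for v in catalog["vulnerabilities"]}


def lead_times(alerts, kev_dates):
    """Return {cve: days the alert preceded KEV}, or None if KEV has not listed it.

    Positive means the alert came first; negative means KEV listed the CVE
    before the alert went out.
    """
    return {cve: (kev_dates[cve] - sent).days if cve in kev_dates else None
            for cve, sent in alerts.items()}


def average_lead(leads):
    """Average lead over CVEs KEV has listed; None when none have been listed."""
    listed = [d for d in leads.values() if d is not None]
    return sum(listed) / len(listed) if listed else None


if __name__ == "__main__":
    leads = lead_times(ALERTS_SENT, kev_added_dates(KEV_JSON))
    for cve, days in leads.items():
        print(cve, "not yet in KEV" if days is None else f"alert led KEV by {days} days")
    print("average lead over listed CVEs:", average_lead(leads))
```

Fetching the live feed and feeding it to `kev_added_dates` is the only change needed to run this against real data; the "not yet in KEV" case matters because averaging only over listed CVEs, as above, quietly drops the alerts that were earliest of all.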
Alerting in action
At Coalition, the Security Research team, which is responsible for evaluating new vulnerabilities, runs a curation system that automatically notifies the team when a new high- or critical-severity vulnerability is published. We don’t rely on a single source, which lets us draw on publications by the top vulnerability researchers in the world, quickly evaluate the information, and determine the appropriate response.
CVE-2025-52691 is a critical vulnerability in SmarterTools SmarterMail (an alternative option to Microsoft Exchange). The Security Research team quickly identified the risk and notified policyholders:

3. 97% of policyholders didn’t receive a single ZDA
With more than 100 new vulnerabilities published every day in 2025, it would be impossible to alert policyholders of every potential risk without causing significant alert fatigue.
If we’re sending a ZDA, exploitation is imminent or already occurring and the exposed technology is almost certainly vital to a policyholder’s operations, such as a critical business system or network administration device.
Once we’re certain of the risk, we scan our policyholder base to identify who is exposed. Policyholders will only hear from us if the vulnerability is exploitable in their specific environment, which typically requires that they are using the impacted version of a software system and it is configured in a certain way.
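Deciding who is actually exposed comes down to two checks per asset: is the installed build inside the affected version range, and is the vulnerable component reachable in the way the exploit needs. The following is an added example, not Coalition’s scanner, of that triage over a constructed inventory. The product name, version ranges, and hosts are placeholders; the point is the numeric version comparison (a string comparison would rank 7.10 below 7.4.8) and the configuration predicate that separates "alert now" from "patch when convenient".

```python
"""Triage an asset inventory against one advisory.

Added example, not Coalition's code. Every product, version, and host below
is constructed. An asset is "exposed" only if it runs an affected build AND
the advisory's exploitation precondition holds (here: the login portal is
reachable from the internet). Affected builds that fail the precondition
are still reported, at lower priority.
"""


def parse_version(v):
    """'7.4.8' -> (7, 4, 8, 0); zero-padded so '7.2' and '7.2.0' compare equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


# Constructed advisory: affected from 7.0.0 up to, but not including, the fix.
ADVISORY = {
    "product": "ExampleVPN",          # placeholder product name
    "affected_from": "7.0.0",
    "fixed_in": "7.4.8",
    # Exploit needs the SSL VPN login portal to be internet-reachable.
    "precondition": lambda host: host["portal_exposed"],
}

# Constructed inventory.
INVENTORY = [
    {"host": "vpn-a", "product": "ExampleVPN", "version": "7.4.7", "portal_exposed": True},
    {"host": "vpn-b", "product": "ExampleVPN", "version": "7.4.8", "portal_exposed": True},   # patched
    {"host": "vpn-c", "product": "ExampleVPN", "version": "7.10", "portal_exposed": True},    # newer; string compare would misflag
    {"host": "vpn-d", "product": "ExampleVPN", "version": "7.2", "portal_exposed": False},    # affected build, not reachable
    {"host": "mail-a", "product": "OtherProduct", "version": "1.0", "portal_exposed": True},  # different product
]


def is_affected_version(version, advisory):
    """True when affected_from <= version < fixed_in, compared numerically."""
    v = parse_version(version)
    return parse_version(advisory["affected_from"]) <= v < parse_version(advisory["fixed_in"])


def triage(inventory, advisory):
    """Split hosts into those to alert on now and those to patch on a normal cycle."""
    alert_now, patch_later = [], []
    for host in inventory:
        if host["product"] != advisory["product"]:
            continue
        if not is_affected_version(host["version"], advisory):
            continue
        if advisory["precondition"](host):
            alert_now.append(host["host"])
        else:
            patch_later.append(host["host"])
    return {"alert_now": alert_now, "patch_later": patch_later}


if __name__ == "__main__":
    result = triage(INVENTORY, ADVISORY)
    print("notify immediately:", result["alert_now"])
    print("affected but not reachable:", result["patch_later"])
```

Real advisories often list several affected ranges per product line (for example one range per major branch), which is a loop over ranges in `is_affected_version`; the precondition is the part that most often requires data a version string cannot give you, such as whether a portal is actually reachable.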
Notifications per policyholder
Through a process that uses a mixture of claims data, AI, honeypots, and human judgement, Coalition can identify patterns or characteristics seen in past vulnerabilities to determine the likelihood of future vulnerability exploitation in the wild.
Businesses often lack the context necessary to prioritize the risks that matter most. By deliberately sending ZDAs for threats with the greatest potential for exploitation and breach, the rare policyholder notification can cut through the alert noise to make patching as strategic as possible.

The majority of policyholders (97%) did not receive a single alert from us at all. Of those that did, 88% received just 1 ZDA.
Employees per notified policyholder
Of all policyholders notified, 52% had fewer than 25 employees.
Small and midsize businesses (SMBs) typically need to be the most selective when choosing when and what to patch. They are more likely to have limited time and resources dedicated to cybersecurity, reducing their ability to regularly monitor and resolve new vulnerabilities.

To make mitigation accessible for SMBs with small or outsourced IT teams, every ZDA includes steps for remediation provided by the vendor. If there is no patch available at the time, Coalition will recommend best practices, such as putting the system behind a firewall or disabling affected services until the patch can be applied.
Policyholders notified by industry

We observed a reasonably even distribution of ZDAs across sectors. This is to be expected, as no industry is immune to the risk of vulnerable software.
The technologies and vendors most commonly targeted by threat actors are widely used across all sectors. WordPress plugins, boundary devices, like firewalls or VPNs, mail servers, and remote tools are industry-agnostic and commonly used by most businesses that touch the internet.
Stay ahead of critical risks
Issuing timely and prioritized ZDAs is a core component of Active Insurance.
Most businesses don’t have the time, resources, or security know-how to monitor various threat intelligence sources or KEV catalogs and accurately prioritize risks without hitting patching paralysis. Coalition is able to help provide actionable guidance and hands-on help to remediate vulnerabilities.
And that’s just one way to take control of cyber risk. Within Coalition Control®, businesses can also unlock actionable steps to improve their overall cyber health, third-party risk management, and more.