Security Flaw? No – A Structural Information Problem
Katrin Peter 4 min read

The recent warnings from CISA and Amazon about active attacks on Cisco FMC, Microsoft SharePoint, and Zimbra initially appear to be a routine process in IT security: vulnerabilities are identified, assessed, published – and then patched.

This perspective is convenient. And it is wrong.

Because it overlooks the crucial part: the period during which attacks are already underway without anyone knowing.

When Attacks Begin Before the Warning

This problem is particularly evident in the case of Cisco.

The vulnerability in the Secure Firewall Management Center (CVE-2026-20131, CVSS 10) allows attackers to execute arbitrary code with root privileges without authentication. This does not affect just any system, but a central instance for controlling and monitoring security infrastructure.

According to Amazon’s findings, this vulnerability had been actively exploited since January 26, 2026. However, it was only made public and patched in early March.

In between lies a period of several weeks during which systems could be compromised without operators even knowing that a risk existed.

This period is not a minor detail. It is the most critical moment in the entire lifecycle of a security vulnerability.

SharePoint and Zimbra: Different Technology, Same Structure

Other cases confirm this pattern.

A critical vulnerability based on insecure deserialization (CVE-2026-20963, CVSS 9.8) was observed in Microsoft SharePoint; it allows authenticated attackers to execute malicious code. Although Microsoft closed the vulnerability in January, its assessment was only later raised to “critical”, which again created a distorted risk picture over time.

Zimbra, in turn, is vulnerable through a cross-site scripting flaw (CVE-2025-66376, CVSS 7.2) that can be exploited via HTML emails. The flaw is technically less complex but highly effective in practice, as email remains a central attack vector.

The commonality of these cases lies not in the technology but in their structure: Vulnerabilities exist before they become visible – and are actively exploited during this phase.

The Invisible Phase of IT Security

In the classic portrayal of IT security, the problem begins with the publication of a vulnerability.

In reality, it begins much earlier.

Between the first exploit and public disclosure, an invisible time window emerges in which:

  • Attacks occur
  • Systems are compromised
  • and defensive measures are practically impossible

This time window is not an exception; it is inherent to the system.

The reason is that information about vulnerabilities initially resides with only a few actors: the manufacturers, security researchers – and often the attackers.

Monoculture Amplifies the Risk

This problem only fully unfolds in conjunction with the structure of modern IT landscapes.

Cisco, Microsoft, and Zimbra exemplify a highly concentrated infrastructure where few providers supply central systems for thousands of organizations.

This concentration has a direct consequence: A single vulnerability can immediately affect a large number of systems.

Attacks thus scale not only technically but also structurally. A successful exploit can be reproduced, automated, and widely deployed.

What begins as an isolated vulnerability thus becomes a systemic risk.

Black-Box Systems and the Limits of Control

Additionally, there is a factor often excluded from many security debates: the lack of transparency in proprietary software.

Neither operators nor governmental bodies have full insight into the workings of these systems. Security audits are limited, and independent analyses are often only indirectly possible.

This shifts a central part of security assessment to the providers themselves.

They define:

  • when a vulnerability is communicated
  • how critically it is rated
  • what information is available

This arrangement creates a structural dependency that cannot be resolved through operational measures.

Why Classic Security Measures Fall Short

The common recommendations – patch faster, monitor better, optimize processes – all target a point in time that is already too late.

They address the phase after publication.

The crucial phase lies before that: in the moment when attacks are already occurring but no information is yet available.

In this situation, even highly professional IT organizations are reactive – not because they work poorly, but because they lack the basis for proactive action.

Digital Sovereignty as a Security Prerequisite

The central insight from these cases is uncomfortable but clear:

IT security is not just a technical discipline. It is a question of control over information and systems.

As long as critical infrastructure is based on platforms,

  • whose internal logic is unverifiable
  • whose vulnerabilities become visible with delay
  • and whose information flows are externally controlled

security remains structurally disadvantaged.

Digital sovereignty is thus not an abstract political demand but a concrete prerequisite for effective IT security.

Because without the ability to recognize, assess, and prioritize risks independently, every security strategy remains reactive.

And reaction always begins too late.
