There is a particular flavour of Monday where you open your feeds and every single one is shouting about the same thing. This week it was SMB again. The SMBv3 compression hole, the one that earned a CVSS score that makes managers forward emails with three exclamation marks, has been doing the rounds, and the proof-of-concept work has matured enough that people are nervous rather than merely interested.
I am not going to pretend I found anything novel in the technical writeups. Smarter people than me pulled the protocol apart and explained, calmly, that a malformed compressed packet against an unpatched SMBv3 endpoint is not a good day for you. The detail that actually mattered to me was duller. It was the question of how many machines on my watch were still exposed, and the answer was "more than I would like, fewer than I feared".
Here is the bit nobody writes the headline about. The disclosure is the easy part. The patch existed. The hard part is the long tail: the file server somebody stood up in 2017 and forgot, the lab box that is "temporary", the appliance that ships SMB enabled because a vendor decided you might want it one day. None of those are in your asset inventory because, let us be honest, your asset inventory is a spreadsheet that stopped being true some time around the second reorg.
So I spent the morning doing the unglamorous thing. I blocked 445 at the boundary where I could, confirmed the workaround that disables SMBv3 compression on the handful of boxes I could not patch immediately, and then went looking for the ones I did not know about. That last step is always the one that finds the surprise. Today's surprise was a Windows box quietly serving a share to exactly nobody, which is the most Windows thing imaginable.
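The morning's three checks (is the compression workaround actually set, which hosts still answer on 445, which local shares are serving nobody) as a PowerShell audit. This is an added example, not code from the original post; it assumes the `DisableCompression` DWORD under `LanmanWorkstation\Parameters` is the vendor's published workaround value (verify against the advisory you applied), and `$HostsToProbe` is a constructed list standing in for your own inventory.

```powershell
# Added audit script (not part of the original post). Assumptions: the workaround
# is the DisableCompression DWORD under LanmanWorkstation\Parameters, and the host
# names below are constructed placeholders for your own candidate list.

$WorkaroundKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Test-SmbCompressionWorkaround {
    # $true only when the DWORD exists and is set to 1; a missing value is "not applied".
    $value = Get-ItemProperty -Path $WorkaroundKey -Name DisableCompression -ErrorAction SilentlyContinue
    return ($null -ne $value -and $value.DisableCompression -eq 1)
}

function Find-ReachableSmbHosts {
    param([string[]] $Hosts)
    # Hosts that still accept TCP 445 from this vantage point: the long-tail candidates.
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 445 -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) { [pscustomobject]@{ Host = $h; Port445 = 'open' } }
    }
}

function Get-IdleShares {
    # Non-administrative shares on this box with the number of files currently open
    # under each; zero opens is the "serving a share to exactly nobody" signal.
    $opens = @(Get-SmbOpenFile -ErrorAction SilentlyContinue)
    Get-SmbShare -Special $false | ForEach-Object {
        $share = $_
        $n = 0
        if ($share.Path) {
            $n = @($opens | Where-Object { $_.Path -like ($share.Path + '*') }).Count
        }
        [pscustomobject]@{ Share = $share.Name; Path = $share.Path; OpenFiles = $n }
    }
}

# Usage: local workaround state first, then the probe list, then idle shares.
"Compression workaround applied: $(Test-SmbCompressionWorkaround)"
$HostsToProbe = @('fileserver-2017.example.internal', 'lab-temp.example.internal')  # constructed
Find-ReachableSmbHosts -Hosts $HostsToProbe | Format-Table -AutoSize
Get-IdleShares | Format-Table -AutoSize
```

Run it from an account with local admin rights on the box being audited; the share and open-file cmdlets need them, and a host missing from the probe list is exactly the kind of machine the post is about, so feed it the broadest list you can assemble.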
What I keep coming back to is that the severity of a disclosure and the effort it demands of you are only loosely related. A terrifying CVE on a host you patched last Tuesday is a non-event. A medium one on a machine you forgot you owned can ruin a fortnight. The score tells you how bad it could be. Your inventory tells you how bad it actually is, and most of us are flying that second instrument blind.
I am not writing this to be wise after the fact. I will forget a box next time too. But if the takeaway from a noisy week is "go and find the machines you forgot about", that is a more useful outcome than another reshared CVSS number. The patch ships in an afternoon. Knowing what you run is the work of years, and it is never finished.