The University of Nottingham Was Breached via a Server. Your Endpoint Applications Are the Same Risk.

Endpoint Application Vulnerability Management

On 9 June 2026, the University of Nottingham suffered a significant cyber-attack. Approximately 450,000 individuals (students, alumni and applicants) had their personal data exposed. Names, student IDs, financial information, dates of birth, national insurance numbers, and in some cases sexual orientation were all potentially accessed.

Reports indicate the attack may have involved a known vulnerability in Oracle WebLogic, a Java application server used as part of the university’s Campus Solutions student record system. The investigation is ongoing and the full picture has not yet been confirmed publicly.

What is clear is this: Oracle WebLogic is server-side middleware. It runs on servers, not on client devices. It is not the kind of application that an endpoint application management tool would discover across a fleet of laptops and desktops.

We are saying this explicitly because the temptation, when a breach involves an ‘application vulnerability‘, is to imply that any application management tool would have caught it. That claim would be misleading. And in a space where technical credibility matters, we would rather be honest.

But here is what this incident does illustrate, and why it is directly relevant to every IT Director and CISO managing a client-side application estate.

One Server. Thousands of Endpoints. The Same Structural Problem.

The University of Nottingham was breached through one server running an unpatched, vulnerable version of Oracle WebLogic. One application. One system. One point of entry.

Most organisations (universities, financial institutions, government bodies and enterprise businesses) have an equivalent risk distributed not across one server, but across thousands of endpoint devices.

Every managed laptop and desktop in your estate is running dozens of applications. Some are business-critical. Some were installed years ago by users who have since left. Some are running versions that were last patched in 2023. Some have known CVEs that have been published, catalogued and in some cases actively exploited in the wild, but nobody on your IT team knows those versions are running in your environment.

This is not a hypothetical. It is the default state of most enterprise endpoint application estates.

The University of Nottingham’s attackers found one vulnerable application on one server. In a typical unmanaged endpoint estate, the same search would return dozens of applications across hundreds of devices: browser extensions, PDF tools, productivity software, remote access clients and collaboration platforms, each carrying its own vulnerability exposure, none of it visible in real time without automated monitoring.

The server was theirs. The endpoints are yours.

Why Endpoint Application Estates Carry Persistent Vulnerability Exposure

The reason endpoint application vulnerability is so difficult to manage manually is structural, not organisational. It is not a failure of diligence; it is a function of scale and velocity.

A typical enterprise endpoint estate includes hundreds of distinct applications deployed across thousands of devices, many installed without formal IT approval; continuous version drift, where users defer updates, auto-updates fail silently and IT teams push patches inconsistently across device groups; high device turnover, particularly in Higher Education where student devices cycle annually and staff devices accumulate software over years; shadow IT applications installed independently of central IT and invisible to any asset management tool that relies on formal deployment records; and legacy software that remains installed long after business need has passed, never formally retired and accumulating CVEs with no remediation plan.

Against this backdrop, the CVE database publishes hundreds of new vulnerabilities every month. Manual processes, including periodic audits, spreadsheet inventories and ad hoc patch cycles, cannot maintain currency. By the time a manual review identifies a vulnerable application across a 2,000-device estate, the estate has already changed and the review is already out of date.

This is the environment in which attackers operate. They have access to the same CVE data your team does. The difference is that they are using it to find targets, and most endpoint estates give them plenty to work with.

What ALICE Surfaces Across the Endpoint Estate

ALICE (Application Lifecycle Intelligence and Compliance Engine) is designed for exactly this problem: providing continuous, automated visibility across the client-side application estate so that IT teams find vulnerabilities before attackers do.

Connected to an organisation’s Microsoft environment, ALICE continuously discovers and maps every application installed across managed endpoints: what is running, on which devices, at which version, and what known vulnerabilities are associated with that version. This is not a point-in-time audit. It is a live, always-current picture of the full endpoint application estate.

In practice, ALICE delivers four capabilities that manual processes cannot replicate at scale.

First,

continuous automated discovery across every managed endpoint. ALICE identifies every installed application across the device estate, including applications that were never formally deployed, never logged in the CMDB and would never appear in a scheduled audit. Version data is captured at device level, so the team knows not just that an application is present, but which version is running on which device.

Second,

real-time CVE mapping across the full application inventory. ALICE cross-references the discovered application inventory against vulnerability data continuously. When a CVE is published for any application version present in the estate, ALICE flags the exposure immediately, at device level, without requiring the IT team to manually monitor vulnerability feeds or cross-reference inventory data.

Third,

prioritised remediation intelligence. Not every vulnerability requires the same response. ALICE prioritises CVEs by severity, exploitability and the sensitivity of the affected devices. Critical exposures surface immediately for urgent action. Lower-severity items are queued systematically. The team is always working on the right risk, in the right order.

Fourth,

continuous monitoring rather than periodic auditing. A scheduled monthly audit tells you what was installed last month. ALICE tells you what is installed now. New CVEs are published daily. New applications are installed constantly. Continuous monitoring is the only approach that keeps pace with the actual risk exposure of a live endpoint estate.

The Higher Education Context

Higher Education has become a consistently targeted sector for cyber-attack groups, and the reasons are structural: large, complex IT environments; high user turnover; a culture of self-managed software; limited central IT visibility over departmental devices; and legacy systems that persist because replacement is complex and expensive.

For a university IT team managing 10,000 devices running an average of 40 applications each, that is 400,000 application instances to track, version-check and vulnerability-map. No manual process achieves that at the frequency the risk environment demands.

What Good Looks Like

The ICO’s response to the Nottingham breach was direct. Ian Hulme, Interim Executive Director of Supervision, stated: ‘Universities, as major data controllers handling significant volumes of sensitive personal data, must treat cyber-security and data protection as a core organisational priority. We expect senior leaders across the sector to take ownership of these risks, ensure appropriate safeguards are in place, and respond swiftly and effectively to incidents.’

That statement applies equally to the server estate and the endpoint estate. The board-level accountability the ICO is calling for requires visibility across both, and the endpoint application layer is, for most institutions, the less monitored of the two.

ALICE provides the foundation for endpoint application security governance: a complete application inventory across every managed endpoint, always current; real-time CVE mapping so vulnerabilities are surfaced when they are published, not when the next audit runs; prioritised remediation queues so critical exposures receive immediate attention; audit-ready evidence trails for compliance and regulatory reporting; and end-of-life and shadow IT visibility covering the applications most likely to carry unaddressed vulnerabilities.

The Question Worth Asking

The University of Nottingham was breached through a server vulnerability. That specific risk sits outside the endpoint application estate that ALICE manages.

But the underlying failure, an application running at a vulnerable version and unmonitored until an attacker found it, is not unique to servers. It is the default state of most endpoint application estates managed manually.

If your organisation manages 1,000 endpoints manually, with periodic audits and reactive patch cycles, the honest question is not whether vulnerable application versions exist in your estate. They do. The question is whether you will find them before someone else does.

ALICE is built to make sure the answer is yes.

See What's Running Across Your Endpoint Estate

Connect ALICE to your Microsoft environment and gain immediate, continuous visibility into every application installed across your managed devices, including version data, CVE exposure and end-of-life status.

Full access. No commitment. Bespoke pricing during your trial.

Latest Posts

Windows 11 Migration Applications Enterprise

Back to Blog Start your free 14-day trial Your Windows 11 migration won’t fail because of Windows. It will fail……

Application Governance Audit Enterprise

Back to Blog Start your free 14-day trial An application governance audit should not be an event. It should be……

Application Discovery Enterprise IT

Back to Blog Start your free 14-day trial You have Microsoft Intune. You have an application inventory. And you are……