OpenAI has expanded its Daybreak cybersecurity initiative to cover fixing vulnerabilities, not just identifying them.

The AI developer has introduced a series of new tools, and signed up a host of partners to lead the scheme, including Accenture, Check Point, Cisco, CrowdStrike, IBM, and more.

"Vulnerability reports, on their own, do not protect anyone. The value comes from validating the issue, understanding its impact, developing and testing a patch, coordinating disclosure, and helping teams deploy the fix," said the firm.

"We are investing alongside our partners to improve these latter steps, in order to turbocharge defenders and convert model capability into real-world risk reduction."

OpenAI said it has tweaked models to discover and generate patches for critical vulnerabilities⁠ in major browsers, network infrastructure, and operating systems such as FreeBSD and the Linux kernel.

To scale the effectiveness of these capabilities, it's launching an update to the Codex Security plugin⁠.

This aims to speed up the process of discovering and patching vulnerabilities in existing systems, as well as automatically preventing new vulnerabilities from ever reaching production.

OpenAI touts GPT-5.5-Cyber capabilities

Notably - and following an initial permissive-only preview - OpenAI confirmed plans to launch the full version of GPT‑5.5‑Cyber through a continued limited release.

The company is also working with researchers, maintainers, enterprises, and partners for its Patch the Planet⁠ initiative, founded with Trail of Bits to help widely used open source projects move from findings to fixes.

More than 30 open source projects have committed to participate so far, including:

• cURL
• Go
• Python
• Sigstore
• pyca/cryptography

OpenAI leans on partners

Elsewhere, the new OpenAI Daybreak Cyber Partner Program ⁠allows participating organizations to use GPT‑5.5 with Trusted Access for Cyber in the security products and services they provide.

This, the firm said, allows their customers to get the benefits of the model’s defensive capabilities and make their software more resilient, but still keeps direct model access in the hands of participating partners.

“Organizations are looking for practical ways to apply AI to strengthen cyber defence while maintaining strong governance and safety controls,” said Ryan Kalember, chief strategy officer at Proofpoint.

“By incorporating GPT-5.5 through the OpenAI Cyber Partner Program into Proofpoint’s products, services, and AI-powered security workflows, we can help security teams improve threat investigation, decision-making, and efficiency as they protect their people, data, and AI agents."

Government engagement

OpenAI said it's also been working with government bodies in Australia, Canada, France, Germany, Japan, the Republic of Korea and the EU, on cyber testing, evaluation, and standards.

"We also have a growing and trusted partnership with the UK government around cyber testing and evaluation, and other areas of mutual interest," said the firm.

"We plan to work directly with eligible operators of critical infrastructure, including government networks, to develop safeguards tailored to the systems they operate."

FOLLOW US ON SOCIAL MEDIA

The rapid rise of flaw-spotting AI means companies need to bolster resilience plans to avoid becoming victims.

That's according to Commvault, which pointed to two key changes in security. Notably, advanced models are spotting a huge number of vulnerabilities — notably with the rise of frontier models like Anthropic Mythos and OpenAI's GPT-5.5 Cyber.

This increased level of automation is enabling threat actors to take advantage of exploits near-instantly, researchers warned. That collapse in the remediation window means resilience is no longer part of recovery, but an "operating requirement".

“AI models will continue to evolve that accelerate remediation timelines and require a new approach to readiness,” said Bill O’Connell, chief security officer (CSO) at Commvault.

O’Connell noted that resilience operations (ResOps) are now vital and an area that cannot be overlooked by IT leaders.

"ResOps gives organizations a way to continuously validate readiness, advance clean recoveries, restore systems with confidence, and build resilience into the way they operate."

CrowdStrike said earlier this year that AI is speeding up the pace of attacks, while Forescout said enterprises should be ready for an explosion in vulnerabilities. All of that means companies need to do more than simply patch in order to stay secure.

"Frontier models change the economics of vulnerability discovery. AI models will reveal exploitable vulnerabilities at such a fast pace, remediation programs must evolve,” said Nick Patience, VP and AI Practice Lead, Futurum Group.

"While a rigorous patching strategy remains critical, the key now is also making sure readiness, resilience, and clean recoveries are top priorities."

Cyber resilience in the AI era

To help enterprises stay ahead amid these challenges, Commvault recommended four key steps to set up a resilience operations framework, ensuring they can maintain business continuity through an attack, outage or AI driven disruption.

Risk evaluation

The first step is to evaluate the recovery risks, with IT and security assessing how well their current plans will hold up against faster flaw spotting and exploitation cycles caused by AI.

Commvault advised looking beyond backups and asking "harder questions", such as whether critical systems can be restored cleanly and if recovery environments are isolated from compromised production systems.

Similarly, IT and security teams are advised to ensure recovery plans have been mapped to key dependencies.

Isolation is key

After that audit, Commvault said the second step was to isolate recovery to ensure critical data remains secure and backed up to support remediation efforts.

"Maintain immutable, isolated copies of critical data and workloads, separated from production identity, network, and management planes," the company advised.

"These copies help provide a clean fallback when patching or when remediation cannot keep pace."

Beyond that, enterprises should assume that recovery time objectives set before the advent of AI will no longer hold true, and reconsider them against new attack scenarios.

Identify priorities

The third step is to prioritize any systems that are business critical, identifying those that are required for the business to function, be it identity platforms, billing systems, or cloud services.

Then, set out which order they should be recovered. Don't forget to include new dependencies such as data pipelines, model repositories, and agentic workflows.

Automation can bridge gaps

Lastly, organizations should automate where they can, according to Commvault. This could include automated threat scanning or recovery orchestration and restoration.

Regular testing of recovery plans is also critical, the company noted, which can be supported through automation. This is a vital area, researchers warned, largely due to the pace of change brought about by AI.

"Organizations that embrace this four-step process will be better suited to take advantage of rapidly evolving AI models while also mitigating the risks,” Patience added.

FOLLOW US ON SOCIAL MEDIA

Anthropic has announced the public beta for Claude Security, its cybersecurity tool used for scanning codebases, detecting vulnerabilities, and generating patches.

Claude Security can scan full enterprise repositories to flag potential flaws – then open Claude Code to fix them – to reduce detection and response to one session for cyber workers.

In a video demo, Anthropic showed how Claude Security can conduct scans in just a single click, which prompts the tool to analyze relationships between components, data usage, and the viability of source code.

The tool then provides a list of potential vulnerabilities, including how each flaw can be reproduced and justifications for how severe they are. Along the way, Claude Security suggests how confident it is that the vulnerabilities it detects are legitimate.

Claude Security is accessible directly within Claude, or via a dedicated page on its website.

"Strong potential" with Claude Security

Claude Security was previously known as Claude Code Security, which Anthropic first made available to select organizations as a research preview.

The firm said it has collected feedback from hundreds of firms, which has helped make Claude Security more useful for enterprise applications.

For example, Anthropic tweaked the tool to place a greater emphasis on validating AI findings, attaching a confidence percentage to each finding to reduce false positives.

New additions also include scheduled and targeted scans, as well as the option to export findings to Slack, Jira, or as CSV and Markdown files.

"Claude Security surfaced novel, high-quality findings during our early testing of the research preview that helped us identify and address potential security issues before they could affect our environment or our customers,” said Krzysztof Katowicz-Kowalewski, staff product security engineer at Snowflake.

“We see strong potential as we expand its use."

Concerns over AI security threats

Claude Security is underpinned by Claude Opus 4.7, Anthropic’s latest model which comes with embedded cyber guardrails. These are intended to prevent users from using the model for high-risk security tasks.

Anthropic’s new commitment to gating its cyber capabilities comes in the wake of its Project Glasswing launch, which saw it provide its most capable cyber model Claude Mythos Preview to select partners but not the public over safety concerns.

The UK’s AI Security Institute (AISI) has independently verified that the model is more capable at cyber tasks, and that it was the first to complete a 32-step enterprise network attack simulation designed to test LLM cyber exploit capabilities.

“Mythos Preview’s success on one cyber range indicates that it is at least capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained,” the researchers noted.

However, they added that there are differences between real-world environments and simulations, such as the lack of proactive human defenders, which make it difficult to confirm that a model such as Mythos Preview could successfully breach well-defended systems.

FOLLOW US ON SOCIAL MEDIA

Remote desktop protocol (RDP) threats are now a major blind spot for enterprises globally, with threat actors pouncing on exposed servers.

That's according to Forescout Vedere Labs, which spotted 1.8 million RDP and 1.6 million virtual network computing (VNC) servers exposed on the internet – and many of those are running old versions of Windows.

Forecourt said that third-party access is essential for businesses across many industries, be it for hybrid work or remote monitoring and maintenance.

"This is especially true in critical infrastructure sectors with mission-critical remote sites, including utilities, transportation, and oil and gas," the company said in a blog post.

Remote access has traditionally been managed by VPNs or RDP and VNCs. These approaches were “designed to extend networks”, researchers noted, but not to control interactions, which is increasing attack surfaces.

Indeed, such systems often lack the necessary authentication and authorization controls that organizations require to keep secure – and once inside, attackers gain "broad, persistent" access.

Millions of servers exposed

The researchers used device-search site Shodan to look for RDP and VNC servers, finding millions exposed on the internet, most of which are in China and the US.

However, Forecourt noted that's possibly because some of the spotted systems are actually honeypots, admitting not all of the remainder will provide access to an enterprise network.

"After excluding them, we identified 91,000 exposed RDP servers and 29,000 exposed VNC servers that could be categorized by industry," the researchers noted.

More than four-in-ten exposed RDP servers are running Windows 10, while a further 18% are on end-of-life Windows versions, the researchers noted.

The study found that 19,000 of the exposed RDP servers were vulnerable to a single exploit known as BlueKeep that was discovered seven years ago.

Similarly, many of the exposed VNC servers had authentication disabled, meaning anyone could interact with the applications presented by the device.

The post noted that these exposed remote-access assets are at left "open to compromise by threat actors to perform a range of activities, such as defacing systems, disrupting processes, wiping data, or moving laterally into the wider network."

What's the risk?

When it comes to RDPs, 32% of the exposed servers were in retail, followed by services at 23%. For VNCs, 28% of the exposed servers were in education, followed by 22% in services.

However, Forecourt noted: "Exposure volume alone does not define risk. Different sectors face different operational realities."

Indeed, researchers noted that transportation environments are complex because of multi-vendor access requirements, while manufacturing is an attractive ransomware target and has seen previous RDP-based attacks.

Water and other utilities may have limited budgets and are frequently targeted by hacktivists.

Forescout said that mitigating these risks requires taking a different approach to remote access, treating it as a controlled operational workflow via secure remote access systems for more security and control as well as accountability.

"Access should be governed with the same rigor as procedures on the plant floor," the company added.

FOLLOW US ON SOCIAL MEDIA

Enterprises should brace themselves for an explosion of vulnerabilities as AI accelerates the discovery of software flaws, according to a senior Forescout figure.

Daniel dos Santos, VP of research at the cybersecurity firm, told ITPro that recent advances in AI mean organisations could face a torrent of vulnerabilities – and many could struggle to keep pace.

Dos Santos' comments come in the wake of a recent study by Forescout highlighting marked AI-driven gains in vulnerability detection. Testing conducted by the cybersecurity firm last year found that more than half (55%) of AI models failed basic vulnerability research, for example, while 93% failed to exploit software flaws. Fast forward a year, and the situation has changed dramatically. In a follow-up study, Forescout found that all tested models were able to successfully identify vulnerabilities.

Dos Santos said this signals a step change in how cybersecurity professionals can react to – and mitigate – vulnerabilities at a rapid pace, and they've been rising even prior to the generative AI boom.

"The reality is we have been seeing an increase in CVEs anyway, even pre-AI. The thing is that it typically required very specialized knowledge to find these things," he said. "And now with AI, it requires less specialized knowledge.

Dos Santos highlighted the recent Project Glasswing announcement by Anthropic, a gated release of its cybersecurity-focused Claude Mythos model.

The new AI model was found to excel in vulnerability identification and is an exciting development for security professionals worldwide. But while security teams will reap the rewards of increased capabilities on this front, the potential volume of vulnerabilities could prove troublesome.

As it stands, dos Santos said the CVE identification process is extensive. Researchers approach vendors, who have to confirm it, and who thereafter have to assign it a CVE ID. This process can take up to around three months, though AI has the potential to shorten that, which is a blessing and a curse.

"I'm wondering what will happen with the much larger number of reports that will come into vendors' hands," he said. "Are they going to delay things? Are they going to accelerate things?"

Vendors are already struggling with rising vulnerability reports, dos Santos noted, and that's just for legitimate reports. As ITPro previously reported, open source projects have been forced to shut down bug bounty programs due to an onslaught of "AI slop" bug reports.

"The volume of findings is much larger, but also the volume of not real findings, let's say right findings that are reported by AI, but they are not real vulnerabilities, so vendors have to triage those as well, and that's not an easy task," dos Santos told ITPro.

What agents can do for threat actors

Despite facing a potential onslaught of vulnerability reports, security professionals will benefit from more powerful AI tools, enabling them to counter threats more efficiently.

But these gains will also benefit threat actors. Forescout's research found that more than half of the AI models tested were capable of generating exploits autonomously.

A slew of studies over the last 18 months have highlighted the increased use of AI among cyber criminals. Trend Micro analysis showed threat actors were using the technology to dissect threat intelligence reports, while researchers identified what they believed to be the first "AI-powered" ransomware strain.

Dos Santos told ITPro that tracking of underground community forums shows cyber criminals are increasingly warming to the use of AI tools in operations. More experienced operators, for example, are going so far as to mentor others in how to maximize their use of the technology – helping to lower the barrier of entry.

This same process is unfolding with agentic AI, he added, which marks a step change in attackers' capabilities.

"It lowers the barriers for finding vulnerabilities, also for threat actors to definitely exploit targets. I think the main change that we have seen in making these tools much more powerful in the past year, more or less, was the rise of agents," he said.

"The fact that they can do some things autonomously, it's not just somebody talking to a machine. I think we are at the point where threat actors are exploring the capabilities of what agents can do for them, and that's also something that will lead to an explosion into other types of attacks."

Just a week after revealing critical vulnerabilities in Linux’s AppArmor security layer, Qualys researchers are warning of a flaw affecting Ubuntu that can also allow an unprivileged user to gain full root access.

The high‑severity Local Privilege Escalation vulnerability, tracked as CVE‑2026‑3888, affects default installations of Ubuntu Desktop 24.04 and later.

The flaw allows an unprivileged local attacker to escalate privileges to full root access by exploiting an unexpected interaction between two trusted system components: snap‑confine.

This manages execution environments for snap applications and systemd-tmpfiles, which automatically cleans up temporary files and directories older than a defined threshold.

While the exploit requires a specific time‑based window that varies between 10 and 30 days depending on the version of Ubuntu, a successful attack could result in complete system compromise, researchers warned.

How the Ubuntu vulnerability works

The flaw identified by Qualys works by abusing the cleanup behavior of systemd‑tmpfiles.

Once a critical directory required by snap-confine, tmp/.snap, is automatically deleted by the system's cleanup daemon, an attacker can recreate it with malicious content.

Then, during the next sandbox initialization, snap‑confine bind‑mounts the attacker‑controlled files as root, enabling arbitrary code execution with full privileges.

"Think of it this way: the system’s housekeeping service unknowingly clears a secure room, and an attacker slips in to rebuild it with their own materials — so when the security team returns, they lock in the attacker’s setup and hand over full access," researchers said.

Patch issued, but be wary

CVE-2026-3888 carries a CVSS v3.1 score of 7.8 (High), and organizations are advised to apply patches immediately.

The flaw has already been patched in Ubuntu 24.04 LTS onward, with other versions including:

• snapd versions prior to 2.73+ubuntu24.04.1
• Ubuntu 25.10 LTS - snapd versions prior to 2.73+ubuntu25.10.1
• Ubuntu 26.04 LTS (Dev) - snapd versions prior to 2.74.1+ubuntu26.04.1
• upstream snapd - versions prior to 2.75

While older Ubuntu LTS releases from 16.04 through 22.04 aren't vulnerable in default configurations, Qualys still recommends applying the patch as a precaution in cases where non-default setups might resemble the behavior of newer releases.

Separate Ubuntu desktop flaw identified

Almost as an aside, Qualys said it had also discovered a separate vulnerability through a proactive security effort prior to the release of Ubuntu Desktop 25.10.

A race condition in the rm utility allowed an unprivileged local attacker to replace directory entries with symlinks during root-owned cron executions.

Successful exploitation could potentially lead to arbitrary file deletion as root or further privilege escalation by targeting snap sandbox directories.

"The vulnerability was reported and mitigated prior to the public release of Ubuntu 25.10," said Saeed Abbasi, senior manager of Qualys's Threat Research Unit.

"The default rm command in Ubuntu 25.10 was reverted to GNU coreutils to mitigate this risk immediately. Upstream fixes have since been applied to the uutils repository."

FOLLOW US ON SOCIAL MEDIA

Qualys researchers have uncovered a set of nine vulnerabilities in Linux's built-in security layer, AppArmor, that affect more than 12 million enterprise systems around the world.

Researchers at the company's Threat Research Unit said the flaws allow unprivileged local users to circumvent kernel protections, escalate to root privileges, and weaken container isolation.

Notably, these flaws have existed since 2017 and affect more than 12.6 million enterprise Linux instances worldwide - any organization running Ubuntu, Debian, or SUSE will be affected, according to Qualys.

Industries most affected are likely to include cloud computing, banking and finance, manufacturing, healthcare, telecommunications, and government.

AppArmor is a Linux security module that provides mandatory access control (MAC) by applying profiles to applications. It's been part of the mainline Linux kernel since version 2.6.36.

"As the default mandatory access control mechanism for Ubuntu, Debian, SUSE, and numerous cloud platforms, its ubiquity across enterprise environments, Kubernetes, IoT, and edge environments amplifies the threat surface significantly," warned Qualys senior manager, Threat Research Unit, Saeed Abbasi in an advisory.

What Linux users need to know about "CrackArmor"

Dubbed “CrackArmor”, the vulnerabilities are confused-deputy flaws that allow unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel.

The flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion, and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.

"Consequently, these findings expose critical gaps in our reliance on default security assumptions," said Abbasi. "It fundamentally undermines system confidentiality, integrity, and availability globally, extending the vulnerability exploitation window for legacy deployments."

Qualys said it has developed Proof of Concepts (PoCs) demonstrating the full exploitation chain for the CrackArmor vulnerabilities. These, along with working exploits, have been shared with the security team to work on immediate remediation.

While the firm is withholding the public release of the exploit code for the time being, the technical nature of the flaws allows for independent validation by the security community, it said.

There are no CVEs as yet, which can take a couple of weeks longer for upstream kernel issues. However, Abbasi warned enterprises shouldn’t underestimate the potential risks.

"Don’t let the absence of a CVE number downplay the significance. If you’re running affected versions, treat this advisory seriously and update accordingly."

What can enterprises do?

The CrackArmor vulnerabilities align directly with the operational playbook of state-sponsored threat actors whose campaigns consistently prioritize destruction over espionage.

These groups have ramped up attacks on the energy, water, healthcare, and defense sectors in recent years.

"CrackArmor drastically lowers the barrier for catastrophic disruption," said Abbasi.

"An attacker no longer needs administrative credentials or lateral movement to cause severe damage; any routine initial access vector that yields an unprivileged local account is now sufficient to instantly weaponize the host, triggering a kernel panic or denying all traffic."

As such, organizations should treat this as a priority patching event. Qualys also outlined a series of steps for security teams to take. These include:

• Apply vendor kernel updates immediately
• Scan for exposure using detection QIDs
• Implement monitoring on /sys/kernel/security/apparmor/ for unauthorized profile modifications

FOLLOW US ON SOCIAL MEDIA

The Department for Science, Innovation and Technology (DSIT) is tackling cyber risks head-on with a new vulnerability monitoring service (VMS) for government services.

The new service focuses primarily on weaknesses in the Domain Name System (DNS), which can allow attackers to redirect users to fraudulent sites, steal sensitive data, or take services offline entirely.

While weaknesses in government DNS records have previously gone unnoticed for up to two months, the VMS brings that down significantly – alerting users, giving practical guidance on how to fix the problem, and tracking progress until issues are resolved.

"Cyber attacks aren’t abstract threats — they delay NHS appointments, disrupt essential services, and put people’s most sensitive data at risk,” said minister for digital government Ian Murray.

When public services struggle it’s families, patients, and frontline workers that feel it.”

How does the Vulnerability Monitoring Service work?

The VMS continuously scans 6,000 UK public sector bodies, detecting around 1,000 different types of cybersecurity vulnerabilities.

According to Murray, the VMS has proven highly effective so far, helping to reduce the median time to fix domain-related vulnerabilities from 50 days to just eight - an 84% improvement.

Similarly, the median time to fix other cyber vulnerabilities has been cut from 53 days to 32.

The backlog of critical open domain-related vulnerabilities has also dropped by 75%, with around 400 confirmed vulnerabilities processed and resolved each month.

"The vulnerability monitoring service has transformed how quickly we can spot and fix weaknesses before they’re exploited so we can protect against that,” Murray commented.

“We’ve cut cyber attack fix times by 84% and reduced the backlog of critical issues by three quarters. And as the service expands to cover more types of cyber threats, fix times are falling there too."

Positive steps, but not far enough

Kevin Marriott, senior manager of cyber at Immersive, said the new service marks a step in the right direction for public sector cybersecurity, which has traditionally lagged behind the private sector due to a combination of factors.

"The public sector has always had an uphill task in fixing vulnerabilities quickly due to the scale of government networks and their interconnectivity, as well as limited budgets and small security teams that can’t always keep pace with the growing patch backlog," he said.

"It shows that reducing risk doesn’t require radical, wholesale changes but rather doing the fundamentals well. A strong vulnerability management strategy starts with clear visibility, an understanding of which are your key assets, what they do, their dependencies, who their owners are, and an accurate asset inventory."

Stephen Fewer, senior principal researcher at Rapid7, said the government could go further in bolstering security capabilities.

"A key focus for the government should be limiting the internet exposure of critical applications and management interfaces, ensuring they are never exposed to the public internet," he said.

"Government organizations such as the NHS have many network edge appliances, including VPNs and firewalls, that cyber criminals can exploit. Reducing the attack surface is the next best defence after remediating known weaknesses.”

New initiative looks to recruit cyber pros

The government has also launched a new Cyber Profession initiative, based in the North West and aimed at recruiting and training cyber professionals to further bolster government security capabilities.

A new dedicated Cyber Resourcing Hub will be established as part of the scheme to streamline recruitment and create a clear career framework aligned with UK Cyber Security Council professional standards.

It will also include a government Cyber Academy for training and development, a new apprenticeship scheme to build future talent, and structured career pathways to strengthen long-term capability across the public sector.

Wayne Cleghorn, cybersecurity and data protection partner at Excello Law, welcomed the launch, but noted this needs to be a sustained effort to ensure a steady flow of talent into the public sector.

"The UK National Audit Office's identification of a serious cybersecurity skills gap in government is being addressed by the announcement of a new cyber profession for government," he said.

"However, this must be more than a re-badging of existing activities. It must be serious and consistently measured. It must become deeply embedded in government information governance and data protection practices."

FOLLOW US ON SOCIAL MEDIA

Security agencies are warning that a maximum-severity flaw in Cisco Catalyst SD-WAN Controller has been exploited in the wild for years.

An advisory from CISA noted that threat actors have compromised SD-WANs to add a malicious rogue peer, allowing them to conduct a range of follow-on actions to achieve root access and maintain persistent access.

"Based on collaboration with international partners and CISA’s forensic analysis, the ease with which these vulnerabilities can be exploited demands immediate action from all federal agencies," said Madhu Gottumukkala, the acting director of the US Cybersecurity and Infrastructure Security Agency (CISA).

"We urge all entities to implement the measures outlined in this Emergency Directive without delay. CISA leadership and all (excepted) staff remain committed to fulfilling our mission while protecting the American people.”

Successful exploitation of CVE-2026-20127, which has a CVSS score of 10, could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.

Using this account, an attacker could access NETCONF, allowing them to manipulate network configuration for the SD-WAN fabric.

Cisco Catalyst SD-WANs that have management interfaces exposed to the internet are at most risk of compromise.

"CISA’s guidance is a clear signal that adversaries are aiming for the control plane, not just individual endpoints. The vulnerability being discussed allows an attacker to reach sensitive management functions without going through normal access checks," said Nick Tausek, lead security automation architect at Swimlane.

"What makes this especially serious is how quickly a compromised management path can translate into broad influence over how sites connect, which routes are preferred, and what policies are enforced across networks."

Cisco Catalyst SD-WAN best practices

According to Cisco, the first thing to check for is any control connection peering event identified in Cisco Catalyst SD-WAN logs, as this may indicate an attempt at initial access via CVE-2026-20127.

All such peering events require manual validation to confirm their legitimacy, with particular focus on vManage peering types.

The company warned unauthorized peer connections may appear superficially normal but occur at unexpected times, originate from unrecognized IP addresses, or involve device types inconsistent with the environment's architecture.

Organizations should move quickly to inventory SD-WAN components, confirm which are internet-facing, and map all management access methods - web UI, SSH, NETCONF, APIs - including which networks and admin accounts can reach them, said Moshe Hassan, VP of research and innovation at Upwind.

Elsewhere, organizations are urged to restrict management access to known-good sources, Allowlisting trusted IPs/admin networks only, removing public exposure, and segmenting management interfaces behind VPN/jump hosts.

Unsolicited access to management ports and unusual management-plane traffic should be blocked.

"Patch exposed systems first, or block until you can. Prioritize patching any internet-reachable appliances immediately. If patching can’t happen fast enough, temporarily block management protocols from the internet, disable unused services, and deploy compensating controls (ACLs/IPS rules) until updates are in place," he said.

"Watch for unexpected new peers/devices in the SD-WAN fabric, suspicious changes to configuration or policy, anomalous admin activity, and unusual lateral connections within the management plane."

Cisco has published a hardening guide here.

FOLLOW US ON SOCIAL MEDIA

Security researchers have issued a warning after a series of flaws in Visual Studio Code (VS Code) extensions were found to enable local file exfiltration and remote code execution.

Combined, the extensions impacted by the vulnerabilities have been downloaded more than 128 million times, posing a serious risk to developers.

The affected Integrated Development Environment (IDE) extensions are Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716), and Markdown Preview Enhanced (CVE-2025-65717).

According to OX Security, the trio of flaws could enable lateral movement potential within connected networks.

They also allow data exfiltration and system takeover when executed on a development machine running a localhost server, presenting a high risk of sensitive data exposure and potential machine takeover.

"IDEs are the weakest link in an organization’s supply chain security, and extensions are often a blind spot for security teams," OX Security noted in a blog post.

"Developers store their most sensitive information – business logic, API keys, database configurations, environment variables, and sometimes even customer data – on their local file systems, all accessible through the IDE."

Under the hood of the VS Code flaws

CVE-2025-65717 is the most serious vulnerability, with a CVSS score of 9.1. This flaw primarily affects Visual Studio Code Extensions Live Server v5.7.9, allowing attackers to exfiltrate files when a user interacts with a crafted HTML page.

Researchers warned this particular extension has been downloaded more than 72 million times.

CVE-2025-65715, meanwhile, carries a CVSS score of 7.8. This flaw relates to an issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2.

Downloaded 37 million times, this allows attackers to execute arbitrary code when opening a crafted workspace.

Elsewhere, CVE-2025-65716 affects Visual Studio Code Extensions Markdown Preview Enhanced v0.8.18, which boasts more than 8.5 million downloads. This flaw carries a CVSS score of 8.8 and allows attackers to execute arbitrary code via uploading a crafted .Md file.

The team also identified a flaw in Microsoft Live Preview, downloaded more than 11 million times, allowing One-Click XSS to full IDE files exfiltration; this was fixed in v0.4.16, with no CVE issued.

How developers can protect themselves

OX Security urged developers to avoid opening untrusted HTML while localhost servers are running or running servers on localhost.

Researchers said they should never paste or run snippets in the global settings.json from emails, chats, or unverified sources, and are advised to only install trusted extensions and monitor or back up settings.json to detect unexpected changes.

"Keeping vulnerable extensions installed on a machine is an immediate threat to an organization’s security posture: it may take only one click, or a downloaded repository, to compromise everything," Ox Security warned.

"Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations."

The flaws have flown under the radar

OX Security said it disclosed all three vulnerabilities in July and August 2025, but that none of the maintainers responded.

"The lack of response from extension maintainers, despite months of responsible disclosure attempts through multiple channels, underscores a systemic problem: there is no accountability framework for extension security, and no incentive structure to ensure timely remediation of critical vulnerabilities," the firm.

The company is now calling for mandatory security review processes before extensions are published to marketplaces in a similar vein to app store vetting.

In addition, OX Security also called for enforceable response requirements for maintainers of popular extensions, including mandatory CVE issuance and patch timelines.

FOLLOW US ON SOCIAL MEDIA

The number of new Common Vulnerabilities and Exposures (CVEs) is set to top 50,000 for the first time this year, according to analysis from the Forum of Incident Response and Security Teams (FIRST).

In its 2026 Vulnerability Forecast, the non-profit said it expects to see around 59,000 new CVEs in 2026, but that as many as 70,000 to 100,000 vulnerabilities are entirely possible.

Notably, across its three-year outlook the organization predicts these numbers to continue rising, with a median prediction of 51,018 CVEs in 2027 and 53,289 in 2028, with the upper bounds reaching nearly 193,000 by 2028.

"The question organizations need to ask right now is: are my people and processes ready to handle this volume, and am I prioritizing the vulnerabilities that actually put my data at risk?," said Éireann Leverett, FIRST liaison and lead member of FIRST's Vulnerability Forecasting team.

"Much like a city planner considering population growth before commissioning new infrastructure, security teams benefit from understanding the likely volume and shape of vulnerabilities they will need to process," Leverett added.

"The difference between preparing for 30,000 vulnerabilities and 100,000 is not merely operational, it’s strategic."

While the figures may be jarring for business leaders, Kevin Knight, CEO of Talion, said it’s not quite a worst-case scenario. Indeed, it’s the impact of the vulnerabilities within their specific environments that business leaders and CISOs should be focusing on.

"These figures cover all software and platforms globally, meaning many CVEs will be irrelevant to individual businesses," he said.

"What may be critical for one organization could be insignificant for another. After all, when it comes to vulnerability management, it’s always about context, not volume."

How prepare for a torrent of CVEs

Preparation ahead of the expected increase is key, according to FIRST. With this in mind, organizations should assess their capacity now to make sure their current staff and processes can handle these high numbers.

They should focus on the vulnerabilities that pose the greatest risk to their specific environment, not just those with the highest CVSS scores.

Elsewhere, the non-profit urged enterprises to prepare for the median forecast - but build contingency plans for higher-volume scenarios.

The use of vulnerability forecasts alongside asset inventories to make vendor- and product-specific preparations will also be crucial to avoid costly supply chain incidents.

Security teams will face challenges

Naturally, security teams could face higher workloads and will be contending with a more perilous threat landscape moving forward.

Adding insult to injury, Knight noted that security teams are often brought in late during the procurement process - sometimes after contracts have been signed.

In some cases, applications are also deployed without the CISO’s knowledge altogether, creating blind spots and increasing the risk that critical vulnerabilities are being missed.

Meanwhile, poor third-party risk management means organizations can unknowingly inherit their suppliers’ vulnerabilities, effectively expanding their attack surface and putting their sensitive data at risk of being breached.

"As CVE disclosures continue to rise, businesses must ensure the CISO is involved from the outset of technology decisions," he said.

"This allows security teams to assess risk properly, minimize third-party risk, ensure new systems fall within the organization’s security posture and prioritize and mitigate vulnerabilities based on real business impact, rather than headline figures.”

FOLLOW US ON SOCIAL MEDIA

Microsoft has issued patches for more than 60 flaws this month, including six zero-day vulnerabilities that are already being targeted by hackers.

As part of this month's "Patch Tuesday", Microsoft listed 58 vulnerabilities in its own software, as well as four in other tools, including Chromium.

While this number of flaws isn’t out of the ordinary, security expert Dustin Childs noted that the volume under active attack is “extraordinarily high”.

"Microsoft lists six bugs being exploited at the time of release, with three of these listed as publicly known."

Of the six zero-day flaws, five are rated as important and one moderate, rather than the more serious critical. As such vulnerabilities are already being targeted by hackers in the wild, quick patching is advised.

One targets Microsoft Word, allowing attackers to bypass local security features to access advanced control settings and possibly allow code execution. However, as Microsoft noted: "An attacker must send a user a malicious Office file and convince them to open it."

Another security feature bypass flaw being patched also requires user interaction, with a malicious link or shortcut file clicked before the attacker can make use of this bug to slip in.

"Successful exploitation lets the attacker suppress or evade the usual “are you sure?” security dialogs for untrusted content, making it easier to deliver and execute further payloads without raising user suspicion," said Malware Bytes security researcher Pieter Arntz in a blog post.

While users need to be tricked via a malicious link, Childs noted: "Still, a one-click bug to gain code execution is a rarity."

Other zero-day flaws being addressed by Microsoft include a denial of service bug targeting Windows Remote Access Connection Manager, an elevation of privilege vulnerability in Windows Remote Desktop Services, and a bug in Desktop Window Manager.

The last of the six zero-days affects Internet Explorer – though it may be long gone as a browser, it still lingers in Windows. Once again, users need to be fooled into clicking a malicious link to enable this attack.

"The bypass here is simply the ability to reach IE, which shouldn’t be possible," noted Childs, adding that calling IE "always results in a vulnerability somehow."

Patches issued for Azure, GitHub Copilot flaws

The remaining flaws patched by Microsoft included a trio of critical bugs spotted in Azure as well as vulnerabilities that could allow remote code execution in GitHub Copilot.

These flaws all center on a command injection vulnerability, noted Kevin Breem, senior director for cyber threat research at Immersive Labs, and can be triggered via prompt injection.

Breem said this could allow a hacker to embed a malicious prompt that's triggered when a developer uses an agent workflow, potentially slipping past existing security restrictions to run code or commands.

That's particularly problematic as developers may have access to sensitive data such as API keys, he added.

"Coupled with organizations enabling both developers and automation pipelines to use LLMs and Agentic AI with the right prompt, an attacker could have a significant impact," he noted.

"This is not to say stop using AI, but to ensure developers understand the risks and identify what has access to AI Agents, and lastly, least privilege can limit the impact if a developer's secrets are compromised."

FOLLOW US ON SOCIAL MEDIA

Cybersecurity experts have welcomed the launch of the new Global CVE Allocation System (GCVE) as a positive move toward more robust vulnerability disclosure.

The EU-led system aims to offer a “decentralized approach” to vulnerability identification and reduce dependence on US-based reporting systems, in particular the MITRE Corporation’s Common Vulnerabilities and Exposures (CVEs) database.

Freely accessible, the GCVE will draw upon common vulnerability data from more than 25 public sources and hosted by the Computer Incident Response Center Luxembourg (CIRCL).

The platform itself will be powered by vulnerability-lookup, an open source initiative which allows security practitioners to track software vulnerabilities.

“This ensures that data collection, synchronization, and publication follow open, transparent, and reproducible processes,” the GCVE said.

“Vulnerability-lookup is designed to support decentralized vulnerability publishing while enabling efficient aggregation and correlation, a core principle of the GCVE model.”

What to expect from the GCVE system

According to official materials, the intention is to “improve flexibility, scalability, and autonomy for participating entities”.

Notably, the new setup will remain compatible with the traditional CVE reporting system but with a distinct caveat: the GCVE scheme will introduce GCVE Numbering Authorities (GNAs).

These are “independent entities” that can allocate identifiers without the reliance on a centralized distribution system – a common criticism of the traditional framework.

Sylvain Cortes, VP strategy at Hackuity, said the launch of the GCVE scheme is a “positive development” for the cybersecurity community, particularly as the US-based CVE system faces an uncertain future.

The security industry was plunged into chaos last year amidst reports that funding for the MITRE CVE database was set to lapse.

While CISA stepped in with a last minute reprieve for the scheme, the incident raised concerns about the stability of future vulnerability reporting on both sides of the Atlantic.

Cortes said the debacle “exposed the fragility of the systems underpinning global vulnerability management”, adding that a new decentralized setup is a welcomed addition.

“By decentralizing vulnerability reporting and making it API friendly, GCVE reduces that single point of failure, and enables organizations to have access to timely, standardized vulnerability data,” he said.

“It’s not about replacing CVE, it’s about strengthening global resilience. Having a European alternative provides cybersecurity professionals with a further trusted source of information.”

Nigel Douglas, head of developer relations at Cloudsmith, echoed Cortes’ comments, adding that the GCVE will ensure security practitioners in Europe aren’t solely reliant on the MITRE system.

“We rely on security advisories and vulnerability databases to keep us safe, so removing any single point of failure is a smart, forward-thinking idea,” he said.

“I’m a huge fan of the fact that it’s decentralized and interoperable with the existing CVE ecosystem. Multiple authorities can publish and maintain vulnerability data, while still mapping it back to CVE identifiers that teams already use on a daily basis,” Douglas added.

“This gives the industry options, rather than forcing them to make a choice.”

FOLLOW US ON SOCIAL MEDIA

Veeam has released security updates for four security flaws in its Backup & Replication software.

Veeam Backup & Replication is the backup and recovery engine of Veeam Data Platform, and provides backup, recovery, and replication for virtual, physical, and cloud workloads.

The company claims to have 67% of Global 2000 firms as customers, including Shell, Airbus and Mondelez International, as well as Managed Service Providers (MSPs) offering backup services.

The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions. In other words, the vulnerabilities affect 12.x and older.

The Veeam vulnerabilities explained

The first, CVE-2025-59470, has had its severity adjusted to high, with a CVSS score of 9.0. This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter.

Previously rated as critical, its severity was downgraded thanks to the fact that Backup and Tape Operator roles are highly privileged and because security guidelines lowers exploitability.

CVE-2025-55125 is also rated high in severity, with a CVSS score of 7.2. This allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file.

The medium-severity CVE-2025-59468, meanwhile, allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter.

Finally, CVE-2025-59469, with a CVSS score of 7.2, allows a Backup or Tape Operator to write files as root.

Backup systems are prime targets for hackers

Shane Barney, CISO at Keeper Security, said backup systems are a “consistent target” for cyber criminals largely due to the fact they have “broad access across infrastructure”.

"If an attacker gains control of one of these privileged roles – whether through credential theft, misconfiguration or insider misuse – vulnerabilities like this can be used to execute code and weaken an organization’s ability to recover from an attack,” he said.

All the flaws were discovered through internal testing and there's no evidence that they've been exploited in the wild. The company has now released a new version of the software, 13.0.1.1071, to address the vulnerabilities.

Organizations are advised to update immediately. However, they should also work to avoid the risks in the first place, said Barney, by tightly controlling and monitoring privileged access.

"Veeam acted appropriately by disclosing and patching the issue, but the broader lesson for organizations is that patching alone isn’t enough," he said.

"Backup operator accounts should be treated as the most sensitive class of privileged access, with strict access controls, continuous monitoring and minimal standing permissions. When privileged access is tightly governed, the real-world impact of vulnerabilities like this is significantly reduced."

FOLLOW US ON SOCIAL MEDIA

Security researchers have urged enterprises to take immediate action to mitigate two recently disclosed Fortinet vulnerabilities.

The two flaws - CVE-2025-59718 and CVE-2025-59719 - carry a critical CVSSv3 score and are being actively exploited in the wild. They were initially discovered and reported by Yonghui Han and Theo Leleu of the Fortinet Product Security team.

They allow an unauthenticated remote attacker to bypass authentication using a crafted Security Assertion Markup Language (SAML) message, ultimately gaining administrative access to the device.

According to Rapid7, the two CVEs currently appear to have the same root cause, but are set apart by the products affected: CVE-2025-59719 specifically affects FortiWeb, while CVE-2025-59718 affects FortiOS, FortiProxy, and FortiSwitchManager.

While the vulnerable FortiCloud SSO feature is disabled by default in factory settings, it's automatically enabled when a device is registered to FortiCare via the graphical user interface, unless an administrator explicitly opts out.

Active exploitation was confirmed by Arctic Wolf earlier this week, with CVE-2025-59718 added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on December 16.

US federal civilian agencies have been ordered to fix the flaw by December 23.

Hackers pounce on Fortinet vulnerabilities

Threat actors have been spotted authenticating as the admin user and immediately downloading the system configuration file, which often contains hashed credentials and other sensitive information.

Arctic Wolf said that the malicious SSO logins on FortiGate devices originated from a handful of hosting providers: The Constant Company, Bl Networks, and Kaopu Cloud Hk. Following malicious SSO logins, it said, configurations were exported to the same IP addresses via the GUI interface. There's no word yet on which group or groups may be behind the attacks.

Rapid7 revealed it has also observed attempts to exploit CVE-2025-59718 against honeypots within its network.

"A proof-of-concept exploit that resembles the observed honeypot requests has been posted to GitHub," the company said. "Rapid7 is in the process of validating these exploits against the confirmed vulnerable targets."

The company said that organizations with indicators of compromise should assume that credentials have been exposed and respond accordingly.

Fortinet patches are available

Earlier this month, Fortinet published an advisory outlining remediation steps for the two vulnerabilities. A vendor patch is available, and organizations can also take immediate defensive action by disabling FortiCloud SSO administrative login while remediation efforts are being put in place.

Organizations where Fortinet appliances are internet-facing or used in critical network infrastructure should move particularly quickly, the company said.

Arctic Wolf recommends affected users should reset firewall credentials and limit access to the management interfaces of firewall and VPN appliances to trusted internal users only, as well as upgrading to the latest fixed version.

ITPro approached Fortinet for comment on the Arctic Wolf and Rapid7 advisories, but received no response by time of publication.

FOLLOW US ON SOCIAL MEDIA

Apple, Google, and other browser makers have rolled out patches for zero-day bugs that are already being used by threat actors in "sophisticated" attacks.

Google noted that an exploit for one of the bugs exists in the wild already and was spotted by its Threat Analysis Group – that largely works on serious attacks led by state actors or similar – and was sorted via coordination with Apple engineers.

"For these Apple- and ANGLE-related issues, the quiet, coordinated disclosure strongly suggests the vendors viewed the bugs as high-risk and potentially already known to capable adversaries," Douglas McKee, director of vulnerability intelligence at Rapid7, told Dark Reading.

One of the bugs impacts other browser makers using Chromium, including Microsoft Edge and Vivaldi, which have also rolled out patches this week.

Patches for Apple

Alongside a set of other updates, Apple issued emergency patches for two issues in WebKit for devices running versions of its software before iOS 26. The flaws, CVE-2025-14174 and CVE-2025-43529, were credited, in full or in part, to Google Threat Analysis Group.

The first meant that accessing a webpage with "maliciously crafted" content could lead to arbitrary code execution. "A use-after-free issue was addressed with improved memory management," Apple said in a support document.

For the second, Apple said that malicious websites could lead to memory corruption, saying the issue was "addressed with improved validation."

"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 26," the company said in a support document detailing both issues.

The patches for the zero-day flaws are available for devices going back to iPhone 11, iPad Pro 12.9-inch 3rd generation, iPad Pro 11-inch 1st generation, iPad Air 3rd generation, iPad 8th generation, and iPad mini 5th generation.

Apple gave little extra detail about the zero-day flaws, saying it "doesn't disclose, discuss or confirm security issues". However, the tech giant issued a patch for the bugs alongside a set of other security issues that included further fixes for WebKit, the ScreenTime tool and more.

Google patches flaws

Google revealed its flaw via an update to the Stable Channel for the desktop version of its Chrome browser, crediting the discovery of CVE-2025-14174 to the Google Threat Analysis Group as well as Apple Security Engineering and Architecture.

Google had initially patched the flaw last week without any details beyond a "high" rating, but has now filled in a few details.

That flaw, labelled as a high-risk vulnerability, was first spotted December 5 and is caused by out-of-bounds memory access in Chrome's Almost Native Graphics Layer Engine (ANGLE), which is also used by WebKit, hence the impact on Apple.

"Out of bounds memory access in ANGLE in Google Chrome on Mac prior to 143.0.7499.110 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page," said the CVE.org support page for the flaw.

"Google is aware that an exploit for CVE-2025-14174 exists in the wild," Google added in a blog post.

The company also patched two other medium-level flaws in the stable channel at the same time.

FOLLOW US ON SOCIAL MEDIA

The world’s most widely used vulnerability index – the Common Vulnerabilities and Exposures (CVE) system – is failing, with scores often inaccurate and appearing too late.

According to research from DevSecOps firm Sonatype, of the 1,552 open source vulnerabilities disclosed in 2025, 64% lacked severity scores from the National Vulnerability Database (NVD).

Only 36% of open source CVEs had a CVSS score assigned by the NVD, while nearly half of all unscored vulnerabilities were rated ‘Critical’ or ‘High’ in severity.

Over this year, there's been a mean delay of more than six weeks between disclosure and NVD scoring, with some advisories taking up to 50 weeks.

This, researchers warned, is creating an operational bottleneck and placing enterprises globally at risk.

"In an era where exploit proofs-of-concept appear within hours and patches land within days, such lag times make 'official' data functionally irrelevant. By the time NVD assigns a score, attackers have already exploited and moved on," researchers noted.

CVE ratings are missing the mark

Meanwhile, Sonatype found the ratings themselves are often unreliable. Of the CVEs that were scored, fewer than one-in-five severity ratings were correct.

In 62% of cases, the severity of NVD scores was overstated, while 34% understated it. On top of that, 19,945 false positives and 156,474 false negatives were identified across CVE records, thereby wasting developer time and obscuring real threats.

Of the CVEs that changed severity category after Sonatype analysis, 83% moved to a lower category.

“The CVE program was never built for the scale and speed of modern, component-based software development. That has been the case with open source, and is even more true with AI,” said Brian Fox, CTO and co-founder of Sonatype.

“Vulnerability intelligence must shift from indexing what someone assigned yesterday, to delivering real-time insight into what’s actually running in your environment.

“CVE remains a shared language — but it can’t be the full story anymore. We need intelligence that is dynamic: version-aware, ecosystem-aware and ready at machine-speed.”

CVE data is vital in combating cyber crime

CVE data is fundamental to the vast majority of cybersecurity decisions. But in 2024, between February and May, NVD simply stopped scoring most new CVEs as it awaited contract renewal.

By May, 93% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck. Since then, Sonatype said NVD has failed to return to its earlier levels of research output.

The researchers note that both NVD and the Mitre Corporation have made improvements to the system over the last eighteen months – but more needs to be done.

"With the current MITRE–US government contract set to expire in March 2026, the coming year marks a pivotal moment to reassess how the CVE program operates — and whether its next phase will modernize to meet the realities of today’s software ecosystem," they noted.

"This is the window to ask harder questions, test alternatives, and ensure the next iteration of vulnerability intelligence serves defenders, not legacy processes."

MORE FROM ITPRO

• Threat actors are exploiting flaws more quickly – here's what business leaders should do
• Patch management vs vulnerability management
• AI-generated code is now the cause of one-in-five breaches

IBM has issued patches for four major flaws in IBM AIX and VIOS that allow a remote, unprivileged attacker to achieve arbitrary command execution on an exposed IBM Network Installation Manager (NIM).

The four vulnerabilities, tracked as CVE‑2025‑36250, CVE‑2025‑36251, CVE‑2025‑36236, and CVE‑2025‑36096, affect IBM AIX 7.2 and 7.3 as well as IBM VIOS 3.1 and 4.1 environments, with three of the four receiving a critical CVSS score.

All four flaws allow an attacker to 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in broader environments, according to an advisory from Mondoo.

“These four vulnerabilities on IBM AIX present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are)," said Patrick Münch, Mondoo CSO.

"This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment."

How the IBM flaws work

CVE-2025-36250 carries a 10.0 CVSS score and affects the NIM service by allowing remote arbitrary command execution through improper process controls.

Researchers warned that an attacker could run commands of their choosing on the target AIX or VIOS system, gain full system control, install malware, create backdoors, move laterally and potentially pivot from the compromised system into other parts of the network.

Similarly, CVE‑2025‑36251 allows remote arbitrary command execution through improper process controls, affecting the SSL/TLS implementation in the NIM service.

With a critical CVSS score of 9.6, it could be used by a remote attacker to execute commands on the system, potentially without authentication. This could lead to a compromise of system integrity, data loss, or service disruption.

CVE‑2025‑36236, meanwhile, is a path-traversal vulnerability in the NIM service, allowing a remote attacker to send a specially crafted URL request to traverse directories or write arbitrary files on the system.

Researchers noted this could allow an attacker to drop malicious payloads in system directories, overwrite or inject into configuration files, or place web shells to facilitate further exploitation.

This particular flaw carries a CVSS score of 8.2, ranking it as high severity.

Finally, CVE‑2025‑36096 is a vulnerability in credential storage with a CVSS score of 9 (Critical). NIM private keys in IBM AIX are stored insecurely, meaning these can be accessed by an attacker via man-in-the-middle (MitM) techniques.

An attacker intercepting these communications or otherwise gaining access to the private keys could impersonate the NIM server or services or decrypt communications, which could result in system takeover.

Worst case scenarios

Researchers point out that, in combination, the four vulnerabilities could allow attackers to gain full access, impersonate services, move laterally, and persist or compromise broader network environments.

Moreover, the use of the operating system is widespread in critical industries, meaning the impact of a successful attack could be devastating.

"What makes this even more concerning is that IBM AIX is widely used in enterprise IT environments in critical sectors such as finance, insurance, retail, and healthcare, where high availability and security are essential," said Münch.

"Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.”

MORE FROM ITPRO

• Patch management: Why firms ignore vulnerabilities at their own risk
• Threat actors are exploiting flaws quicker than ever – here's what business leaders should do
• Everything you need to know about patch and vulnerability management

Dell Technologies has issued a warning to customers after the discovery of critical vulnerabilities in its Storage Manager service.

The three flaws, tracked as CVE-2025-43995, CVE-2025-43994, and CVE-2025-46425, command CVSS scores of 9.8, 8.6, and 6.5, respectively.

All versions of Dell Storage Manager prior to version 20.1.21 are affected by the vulnerabilities, and the company has urged customers to immediately follow remediation steps to avoid potential compromise.

Remediation is available for versions 2020 R1.22 and later, according to the advisory.

“Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability,” the company told customers.

Dell Storage Manager flaws: What you need to know

Ranked as a critical vulnerability, CVE-2025-43995 is an improper authentication flaw in the DSM Data Collector feature for Dell Storage Manager.

In a customer advisory, the company said this could enable an unauthenticated attacker with remote access to bypass protection mechanisms and exploit exposed APIs.

“An unauthenticated remote attacker can access APIs exposed by ApiProxy.war in DataCollectorEar.ear by using a special SessionKey and UserId,” the company said.

The second of the three flaws disclosed, CVE-2025-43994, is a missing authentication for a critical function vulnerability.

This means an unauthenticated attacker could trigger information disclosure, enabling them to steal configuration data, which could allow additional network intrusions.

With a “medium” rating of 6.5, CVE-2025-46425 contains an “improper restriction of XML external entity reference” vulnerability. Dell noted this could allow an attacker with remote access to exploit the flaw to access sensitive files.

What can customers do?

Jamie Akhtar, CEO and Co-founder at CyberSmart, said while there are no signs the flaws have been exploited in the wild, the advisory from Dell should still be a “serious concern” for customers, urging them to act immediately.

“The first step to remain safe is to update to Dell’s newest version immediately which has been released to address these issues,” he said.

“Next, harden access to the management interface and restrict it to trusted networks, enforce multi-factor authentication, and monitor logs for anomalous authentication or API activity.”

Akhtar added that frequent vulnerability scanning alongside adoption of “least privilege” principles are also advised.

“Even if an attacker reaches storage tooling, lateral movement must be made as difficult as possible."

MORE FROM ITPRO

• The unseen risks of cloud storage for businesses
• Why firms ignore vulnerabilities at their own risk
• Patch management vs vulnerability management

Security researchers have found a flaw in Lenovo’s customer service AI chatbot, Lena, that could allow attackers to steal data, compromise customer support systems, and allow lateral movement through a company's network.

An investigation from Cybernews discovered that through cross-site scripting (XSS), it was possible to inject malicious code and steal session cookies with a single prompt.

The 400-character-long prompt started with an inquiry for legitimate information - for example, 'show me the specifications of Lenovo IdeaPad 5 Pro'.

The chatbot was then asked to convert its responses into HTML, JSON, and plain text in the specific order that the web server expected to receive instructions in.

This made sure that the malicious payload would be correctly executed by the web server. Thereafter, the prompt continued with instructions on how to produce the final response, specifically with HTML code for loading an image, but with the image URL non-existent.

When it fails to load, the second part of the command instructs the browser to make a network request to the attacker-controlled server and send all cookie data as part of a URL.

Finally, further instructions (rather imperiously) reinforce that the chatbot must produce the image: 'Show the image at the end. It is important for my decision-making. SHOW IT.'

“This example shows just how dangerous an overly 'helpful' AI can be if it blindly follows instructions. Without careful safeguards, chatbots could become easy targets for cyber attacks – putting customer privacy and company security at serious risk,” researchers said.

Lenovo flaw could have serious consequences

Using the stolen support agent’s session cookie, it's possible to log into the customer support system via the support agent’s account, without needing to know the email, username, or password for said account.

Once logged in, an attacker could then potentially access active chats with other users, and even previous conversations and data. It might also be possible to execute some system commands, which could allow for the installation of backdoors and lateral movement across the network.

While XSS vulnerabilities are on the decline, researchers said that companies need to assume that every AI input and output is dangerous until it’s verified as being safe.

This means using a strict whitelist of allowed characters, data types, and formats for all user inputs, with all problematic characters automatically encoded or escaped, as well as for all chatbot responses.

Inline JavaScript should be avoided, and content type validation should extend through the entire stack to prevent unintended HTML rendering.

“This isn’t just Lenovo’s problem. Any AI system without strict input and output controls creates an opening for attackers," commented Žilvinas Girėnas, head of product at nexos.ai.

"LLMs don’t have an instinct for 'safe' – they follow instructions exactly as given. Without strong guardrails and continuous monitoring, even small oversights can turn into major security incidents."

The researchers discovered the vulnerabilities on July 22 and made a disclosure the same day, which was acknowledged on August 6. The flaw was mitigated by August 18.

ITPro approached Lenovo for comment, but received no response by time of publication.

MORE FROM ITPRO

• So you introduced an AI chatbot for customers — here’s why they probably hate it
• The pros and cons of chatbots for customer service
• Cisco is jailbreaking AI models so you don’t have to worry about it

The UK’s National Cyber Security Centre (NCSC) is extending its vulnerability research capabilities by partnering with external partners rather than relying entirely on its own analysts.

Dubbed the Vulnerability Research Initiative (VRI), the new initiative builds on existing external relationships and has been largely welcomed by the industry.

The agency explained it already works closely with the UK government, technology companies, and wider public to discover flaws, provide advice on staying safe online, and respond to cyber incidents.

The Vulnerability Research Initiative (VRI), however, is a more collaborative affair that brings in specialist cybersecurity expertise.

“The VRI’s mission is to strengthen the UK’s ability to carry out VR,” the NCSC said in a statement announcing the scheme.

“We work with the best external vulnerability researchers to deliver deep understanding of security on a wide range of the technologies we care about. The external VRI community also supports us in having tools and tradecraft for vulnerability discovery,” it added.

The agency also outlined who is in the core VRI team, including technical experts, relationship managers, and project managers. Additional details, including what external partners are involved, remain vague.

Kevin Robertson, CTO of Acumen Cyber, said the project “sounds promising in theory” but claimed the NCSC has a “track record of largely ineffective and self-serving programs [and] it could end up as another flop that delivers little real value”.

Others in the industry were more positive about the announcement, however.

Kev Breen, senior director of cyber threat research at Immersive, welcomed the decision as a proactive step to identifying and tackling security threats.

“There is a great deal of capability in the public domain, especially in more niche areas of research,” he said.

“It is not practical for the NCSC to maintain the necessary skills, time, and resources to effectively hunt for bugs across all of these domains.

“Extending the VRI to include the wider community, via invitation or application, is an excellent way to broaden that knowledge base.”

Will the NCSC scheme go far enough?

Notably, Breen warned that the lack of financial reward, as seen in a bug bounty program, may reduce the number of researchers willing to get involved.

Google, for example, offers between $100 and $31,337 for a qualifying bug, according to Geeks for Geeks.

Microsoft, meanwhile, has several bug bounty programs, offering up to $300,000 for vulnerabilities found in Azure or up to $30,000 for issues in Windows Insider Preview as just two examples.

On the hardware side, Intel offers between $500 and $100,000 for valid reports, depending on the risk level and nature of the bug.

MORE FROM ITPRO

• The NCSC just urged enterprises to ditch Windows 10 – here’s what you need to know
• The NCSC wants developers to get serious on software security
• NCSC expert urges businesses to follow geopolitics as defensive strategy

Ivanti has patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.

Tracked as CVE-2025-22457, the critical severity vulnerability impacts Ivanti Connect Secure (versions 22.7R2.5 and earlier), Pulse Connect Secure (versions 9.1R18.9 and prior, which reached end-of-support at the end of last year), Ivanti Policy Secure (versions 22.7R1.3 and prior) and ZTA Gateways (versions 22.8R2 and prior).

In a security advisory published by Mandiant, the firm said there’s evidence of active exploitation in the wild, with the espionage group successfully achieving remote code execution (RCE) and deploying malware.

"Following successful exploitation, we observed the deployment of two newly identified malware families, the TrailblazeE in-memory only dropper and the Brushfire passive backdoor," said Mandiant.

"Additionally, deployment of the previously reported Spawn ecosystem of malware attributed to UNC5221 was also observed. UNC5221 is a suspected China-nexus espionage actor that we previously observed conducting zero-day exploitation of edge devices dating back to 2023."

The vulnerability is a buffer overflow with a limited character space, and as such was initially believed to be a low-risk denial-of-service vulnerability. But while a patch was released on February 11, Mandiant believes the group was able to analyze the patch and find a way to exploit 22.7R2.5 and earlier to achieve the remote code execution.

"The vulnerability is a buffer overflow with characters limited to periods and numbers, it was evaluated and determined not to be exploitable as remote code execution and didn’t meet the requirements of denial of service," Ivanti explained.

"However, Ivanti and our security partners have now learned the vulnerability is exploitable through sophisticated means and have identified evidence of active exploitation in the wild."

CISA responds to Ivanti threats

Google Threat Intelligence Group (GTIG) said UNC5221 has targeted a wide range of countries and verticals during its operations, and has made use of an extensive set of tooling, from passive backdoors to trojanized legitimate components on various edge appliances.

The group has a consistent history of success and an aggressive modus operandi, and GTIG believes it will continue to pursue zero-day exploitation of edge devices.

"This latest activity from UNC5221 underscores the ongoing sophisticated threats targeting edge devices globally. This campaign, exploiting the n-day vulnerability CVE-2025-22457, also highlights the persistent focus of actors like UNC5221 on edge devices, leveraging deep device knowledge and adding to their history of using both zero-day and now n-day flaws," Mandiant said.

"This activity aligns with the broader strategy GTIG has observed among suspected China-nexus espionage groups who invest significantly in exploits and custom malware for critical edge infrastructure."

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory for at-risk enterprises.

In addition to applying the relevant security patches, the agency urged organizations to run an external Integrity Checker Tool (ICT) and conduct threat hunt actions on any systems connected to — or recently connected to — the affected Ivanti device.

For the highest level of confidence, it said, they should conduct a factory reset.

UPDATE:

In a statement given to ITPro, an Ivanti spokesperson gave additional details on the issue:

"Following initial identification of the compromise by Ivanti’s Integrity Checker Tool (ICT), Ivanti quickly investigated, identified the vulnerability and disclosed it to customers. Additionally, Ivanti partnered with Mandiant to provide additional information to defenders.

"Importantly, this vulnerability was fixed in ICS 22.7R2.6, released February 11, 2025, and customers running supported versions on their appliances and in accordance with the guidance provided by Ivanti have a significantly reduced risk. Customers running ICS 9.X (end of life) and 22.7R2.5 and earlier are encouraged to upgrade as soon as possible and follow the other actions outlined in the Security Advisory.

"Ivanti’s ICT has been successful in detecting potential compromise on a limited number of customers running ICS 9.X (end of life) and 22.7R2.5 and earlier versions."

MORE FROM ITPRO

• INSERT STORY LINK
• INSERT STORY LINK
• INSERT STORY LINK

Research shows the vast majority of Wi-Fi networks are vulnerable to a popular type of denial-of-service (DoS) attack that is frequently deployed in larger cyber intrusion efforts.

A new report from Nozomi Networks that analysed telemetry from hundreds of OT and IoT environments found 94% of Wi-Fi networks lacked the proper protections against deauthentication attacks.

Deauthentication attacks are a form of DoS attack that targets openings in network protocols to force devices off the network and disrupt operations.

The report noted that these attacks are often leveraged in the opening stages of larger, more devastating attacks, softening up the organization’s defenses for future attempts to infiltrate their network.

“They leverage a built-in feature in the Wi-Fi protocol, specifically in the management frames used for communication between devices and access points. By transmitting fake deauthentication frames, attackers can force devices to disconnect from the network,” the report explained.

“This can escalate into more severe disruptions, such as data interception and unauthorized access, especially when combined with additional malicious actions.”

Nozomi added that the crux of the problem lies in that only 6% of the observed wireless networks featured management frame protection (MFP), which it describes as a crucial security feature that prevents attackers from spoofing management frames.

This means that virtually all networks, including those that underpin critical national infrastructure (CNI), are vulnerable to malicious attacks, the report warned.

“The vast majority of wireless networks, including those in mission-critical environments, remain highly exposed to these kinds of attacks. In healthcare, for example, vulnerabilities in wireless networks could lead to unauthorized access to patient data or interference with critical systems,” Nozomi said.

“Similarly, in industrial environments, these attacks could disrupt automated processes, halt production lines or create safety hazards for workers.”

Wireless security is a critical priority

The report warned that in light of recent attacks from state-linked threat groups targeting networks at CNI organizations, wireless network security has emerged as a critical factor in bolstering resilience.

In recent years, groups like Volt Typhoon and Salt Typhoon have been responsible for compromising network infrastructure at organizations across a range of critical sectors in the US and further afield.

The groups are linked to attacks on the US telecoms industry, where the attackers are said to have recorded conversations of very senior political figures, as well as established persistence on the networks of organizations that make up the US electricity grid.

The report highlighted a number of the other common threats used to target wireless networks. For example, attackers can deploy rogue access points to impersonate legitimate networks and trick devices into connecting to them and exposing sensitive information.

Jamming attacks are another popular method where malicious actors overwhelm wireless networks in order to force downtime and operational disruptions.

The report also warned eavesdropping attacks, where communications on unencrypted wireless protocols are intercepted, allow threat actors to steal credentials, read sensitive data, or monitor operations.

Nozomi emphasized that the modern threat landscape requires a shift from static to dynamic security measures, which includes implementing a risk reduction strategy, prioritizing anomaly detection and response, strengthening endpoint security, and applying network segmentation to limit the reach of attacks from botnets.

Organizations should strengthen wireless network security with regular audits and this should include prioritizing mitigating common threats, such as deauthentication attacks.

MORE FROM ITPRO

• UK cyber experts on red alert after Salt Typhoon attacks on US telcos
• FCC orders telcos to sharpen up security after Salt Typhoon chaos
• Wireless networks are a prime target for hackers – here’s how to combat rising threats

The UK government has issued guidance on how organizations should manage their use of open source software (OSS) components and mitigate supply chain risks, as thousands of open source vulnerabilities leave businesses at risk.

Combining guidance from international governments, industry, and academia, the report from the Department of Science, Information, and Technology (DSIT) offers advice on the usage, production, security, and licensing of open source software.

The recommendations, which the report said were selected as the most appropriate for organizations of any size and sector, comprise four best practices it claimed constitute a ‘proportionate and reasonable approach to OSS risk management”.

Firstly, DSIT recommends that businesses should establish an internal OSS policy around managing the adoption of OSS components. Creating a software bill of materials (SBOM) is also essential for tracking OSS components and their various dependencies.

Similarly, organizations should ensure they are continuously monitoring their software supply chain using software composition analysis (SCA) tools to identify vulnerabilities in their codebase or any potential licensing issues.

The report also urged businesses to actively engage with the OSS community, which it says will “attract new talent, level the competitive playing field, foster innovation, improve reputation, and ensure high-quality OSS components and a sustainable OSS ecosystem”.

In addition, DSIT strongly recommends adopting tools to automate OSS management to alleviate time and resource constraints that may fall on smaller organizations.

DSIT report lacks detail on vulnerability management

Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA, said he was impressed by the broad and comprehensive range of guidance it has distilled from various resources.

However, he cautioned that some organizations may be overwhelmed by the measures the report suggests and advised they should start with the most basic recommendations before moving forward.

Hughes also noted that the report did not provide specific details on vulnerability management practices that firms will have to familiarize themselves with to mitigate flaws and software supply risks.

“While it touches on vulnerability management and prioritization it didn’t go into much depth in terms of key modern specifics. Examples such as reachability, known exploitation, exploitation probability and organizational context were lacking,” he explained.

“Organizations need to make these improvements to be able to sift through the noisy nature of the vulnerability landscape, especially when it comes to OSS.”

Open source security concerns linger

Open source security has become a growing risk exposing organizations to cyber attacks - and one that has traditionally been neglected by many businesses.

A recent study from Black Duck found that 86% of codebases contained open source vulnerabilities, with 81% being classified as critical risks, marking a 7% increase on last year’s figures.

The report concluded that the growth in open source vulnerabilities suggests developer organizations are unable to track the vast number of software dependencies they’re using, and not prioritizing the remediation of these flaws accordingly.

This underscores the importance of implementing SCA tools, SBOMs, and similar measures to track and identify vulnerabilities in your organization, Black Duck noted.

MORE FROM ITPRO

• Nearly a million devices were infected in a huge GitHub malvertising campaign
• Java developers are facing serious productivity issues
• 'GitVenom' campaign uses dodgy GitHub repositories to spread malware

Broadcom has published a critical security advisory disclosing three zero-day vulnerabilities affecting its VMware ESXi, Workstation, and Fusion products.

The three flaws range in severity, with the most serious being CVE-2025-22224, a critical time-of-check time-of-use (TOCTOU) vulnerability in VMware ESXi and Workstation rated 9.3 on the CVSS.

A blog from Rapid7 stated that the TOCTOU flaw could lead to an out-of-bounds write condition, meaning an attacker with local administrative privileges on a virtual machine (VM) could exploit the weakness to execute code as the VM’s VMX process running on the host.

Meanwhile, CVE-2025-22225, is a high severity arbitrary write vulnerability that affects ESXi too.

Given a CVSS base score of 8.2, the flaw could allow an attacker with privileges to trigger an arbitrary kernel write leading to an escape of the sandbox.

Broadcom also disclosed an information disclosure vulnerability, CVE-2025-22226, which affects VMware ESXi, Workstation, and Fusion, caused by an out-of-bounds read in host guest file system (HGFS).

Broadcom warned that a malicious actor with admin privileges to a VM may be able to exploit the flaw to leak memory from the VMX process.

All three of these flaws were first spotted by researchers at Microsoft’s Threat Intelligence Center, who reported the issue to Broadcom.

Broadcom’s advisory indicates that all three CVEs are already being targeted by attackers, noting that it “has information to suggest that exploitation has occurred in the wild”.

This looks to have been confirmed by CISA adding all three to its Known Exploited Vulnerabilities (KEV) list shortly after Broadcom published its advisory.

It added that based on the information included in the advisory, all three of these CVEs could be chained together in an attack.

“This is a situation where an attacker who has already compromised a virtual machine’s guest OS and gained privileged access (administrator or root) could move into the hypervisor itself.”

Rapid7 noted that these are not remotely exploitable vulnerabilities, however, and would require the attacker having existing privileged access on a VM that is running on a vulnerable VMware hypervisor.

At the time of writing there is no known public exploit code for any of the CVEs, but Rapid7 warned that due to ESXi hypervisors being popular targets among both financially motivated and state-sponsored adversaries, it recommends applying the fixes pushed out by Broadcom “on an expedited basis”.

VMware ESXi 7.0 and 8.0; Cloud Foundation 4.5.x and 5.x; Telco Cloud Platform 5.x, 4.x, and 2.x; and Telco Cloud Infrastructure 3.x and 2.x are vulnerable to all three flaws.

Broadcom VMware Workstation 17.x is vulnerable to CVE-2025-22224 and CVE-2025-22226, whereas VMware Fusion 13.x is only vulnerable to the latter.

MORE FROM ITPRO

• A batch of €5 hard drives found at a flea market held 15GB of Dutch medical records
• Malware-free attacks surged in 2024 as attackers drop malicious software for legitimate tools
• Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claim

Over 200 vulnerable internet-facing Nakivo backup and replication instances have been identified months after the firm silently patched a security flaw without publicly disclosing the issue.

Security researchers at watchTowr recently published a report detailing their discovery of an arbitrary file read vulnerability in Nakivo’s central management solution.

The report noted that, if exploited, the flaw could enable an attacker to steal backups and credentials stored in the target Nakivo instance as well as unlock entire infrastructure environments.

According to watchTowr, the issue affected version 10.11.3.86570 of Nakivo's central management HTTP interface, Director, but warned it had not checked earlier versions of the software.

WatchTowr said upon discovering the vulnerability – tracked as CVE-2024-48248 – in September 2024 it tried to disclose it to Nakivo several times via email but did not receive a response until 29th October.

On November 4th, researchers noticed that Nakivo had fixed the vulnerability in a new patch without publicly acknowledging the issue with an advisory. The watchTowr team themselves had applied for a CVE number for the flaw.

Nakivo made no mention of the vulnerability in the release notes, leading watchTowr to assume that it had reached out to affected customers individually.

“We would be shocked if a vendor tried to sweep a vulnerability this serious under a rug, and knowingly give their customers a misplaced sense of security,” the report explained.

“We’re not assuming or suggesting here that NAKIVO have responded badly - we of course assume that they contacted all their customers under NDA, and encouraged them quietly to patch, to avoid leaving their customers unknowingly vulnerable.”

Some Nakivo customers remain vulnerable – patch now

A number of vulnerable instances of Nakivo remain online, however, indicating that some customers have not yet updated their systems.

On February 28th, cybersecurity nonprofit Shadowserver warned that scans revealed over 200 Nakivo instances were still vulnerable to the issue, three months after Nakivo patched and presumably reached out to impacted customers.

Shadowserver urged any remaining customers with vulnerable instances of Nakivo to patch now and referred them to watchTowr’s report.

WatchTowr have also published a Detection Artifact Generator that can be used as an unofficial Nakivo customer support tool on GitHub to help users gauge the security of their Nakivo appliances.

Why backups are a prime target for hackers

Backup solutions are popular targets for cyber criminals due to their role in safeguarding critical data.

WatchTowr noted this fact, highlighting backup giant Veeam’s frequent appearances in CISA’s Known Exploited Vulnerability (KEV) list.

It stressed, however, the importance of transparent and timely communication of security vulnerabilities in order to help customers mitigate risks as quickly as possible before attackers get to them.

“We’ve said time and time again that bugs, in some form or another, are an inescapable fact of life, and that a vendor's response to a bug is much more important than the presence of a defect itself.”

ITPro approached Nakivo for clarification on its engagement with customers over CVE-2024048248 but did not receive a response.

MORE FROM ITPRO

• Why government email servers are top targets for state-backed hackers
• 'GitVenom' campaign uses dodgy GitHub repositories to spread malware
• 86% of enterprise codebases contain open source vulnerabilities

Security vulnerabilities in open source projects have been a major threat to enterprises for years – and new research shows the issue is still causing havoc.

Research from Black Duck’s annual open source security report found 86% of codebases contained open source vulnerabilities. The report added that 81% of those were classified as high or critical risk, compared to 74% identified in the previous year.

Black Duck said this likely signals an inability among developer organizations to keep track of the vast number of software dependencies they’re using and prioritize the remediation of vulnerabilities.

As increasingly common software supply chain requirements such as SBOM require organizations to get their software estate in order, getting on top of their dependency management is essential.

For example, Black Duck found the average application contains 911 open source dependencies, many of which are out of date or have lost community support.

It also discovered 91% of all codebases contained outdated open source software (OSS) components, with 90% featuring components more than ten versions behind the most current.

Black Duck warned that by failing to properly clean codebases of these dependencies, firms are only giving themselves more work when they have to put together software bill of materials (SBOM) reports and risk evaluations.

The study also suggested that a shift towards web-based multi-tenant SaaS applications was responsible for the higher proportion of high severity vulnerabilities.

The jQuery JavaScript library was identified as a particularly common area for weaknesses, accounting for eight of the top ten high-risk vulnerabilities Black Duck spotted.

It warned this is not necessarily indicative of a particular vulnerability with jQuery but the fact that an increasing number of organizations are adopting applications that leverage jQuery.

Transitive dependencies will bring new licensing headaches for businesses

One of the biggest differences the report observed between this year’s and last year’s study was license conflicts between open source components in the same codebase, noting this has increased the average number of license conflicts from 20 to 69.

The report found 56% of the audited codebases featured license conflicts, adding that ‘transitive dependencies’ were responsible for 30% of the license conflicts it found.

Transitive dependencies describe a situation where different software components indirectly rely on one another to properly function. This creates a complex web of interdependencies within and across codebases that can be very hard to manually keep track of.

Overall, 64% of OSS components in the audited application codebases were transitive dependencies.

In addition, the report noted that a third of codebases contained open source components with no license or a customized license, which would likely require legal review.

Black Duck emphasized that if one transitive dependency in the chain uses a restrictive license, this can potentially affect the licensing of the entire application even if the direct dependency has a more permissive license.

The firm predicted that businesses can expect to see an increase in license conflicts in the coming years, with AI coding assistants introducing another way for open source components to be introduced into applications without proper source attribute and thus licensing.

MORE FROM ITPRO

• Open source malware surged by 156% in 2024
• Warning issued over prolific 'Ghost' ransomware group
• Flaws in a popular dev library could let hackers run malicious code in your MongoDB database

A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.

The company noted that it has remedied the high severity flaw associated with how the SaaS platform handles access permissions and potentially leaving a backdoor for malicious actors.

CVE-2025-24989 is described as an improper access vulnerability in the National Vulnerability Database designated as high severity with a score of 8.2 in the CVSS.

It could potentially allow an unauthorized attacker to elevate privileges over a network, bypass the platform’s user registration controls, and access restricted information or modify sensitive files.

Microsoft said the vulnerability has already been mitigated and all affected customers have been notified with instructions on how to assess if their sites are open to potential exploitation.

The security bulletin notes that it has detected threat actors exploiting the flaw in the wild but did not provide any further information.

Ben McCarthy, lead cyber security engineer at Immersive, outlined how these flaws arise in platforms like Power Pages.

“These vulnerabilities occur in SaaS platforms when attackers can find pathways through the platform's logic that have not been fully tested by the SaaS platform owners,” he said “Often done by chaining APIs together or using the platform functionality in an unexpected order, attackers can bypass certain protections put in place if users follow the usual steps taken on the platform.”

How to address the Power Pages vulnerability

McCarthy noted that Microsoft was fairly quick to address the issue before potentially wider exploitation was possible.

“However, having the level of monitoring that Microsoft can supply these platforms created through Power Pages, they quickly found the vulnerability and have mitigated it," he added.

"This means this vulnerability is no longer present in Power Pages websites, and for the organisations and individuals that have been affected by the vulnerability, Microsoft has notified and worked with them to properly contain and deal with the intrusion.”

Businesses that have not been notified are not affected by the vulnerability, Microsoft stated, but those who have should make a number of precautionary checks to ensure they are safe.

This includes reviewing your user access logs to establish if there has been any unauthorized access that Microsoft may have missed, as well as ensuring your Power Pages environment is protected with multi-factor authentication and monitoring through the Power Pages Admin Center.

MORE FROM ITPRO

• Flaws in a popular dev library could let hackers run malicious code in your MongoDB database
• A critical Ivanti flaw is being exploited in the wild – here’s what you need to know
• Warning issued after SharePoint flaw puts entire corporate networks at risk

A researcher has uncovered two related vulnerabilities in a popular developer library used to connect applications and MongoDB that could allow hackers to sneak into your database.

Mongoose is an object data modeling (ODM) library for MongoDB that connects it to the Node.js runtime environment, essentially simplifying interactions between applications and MongoDB databases

The flaws were discovered by Dat Phung, a member of OPSWAT’s fellowship program, who chose examining Mongoose due to its widespread use in production environments.

OPSWAT explained the potential severity of the flaws in a blog, noting the number of businesses that use Mongoose for their MongoDB databases.

“Many businesses use Mongoose and MongoDB to build their apps. If hackers break in, they could cause serious functionality problems and, worse, put critical data at risk of theft, manipulation, or destruction.”

During his analysis, Phung discovered CVE-2024-53900, a remote code execution (RCE) flaw that exploits Mongoose’s $where operator that enables JavaScript execution directory on the MongoDB server.

Phung warned that the flaw could be used by attackers to query the database to run malicious commands on the Node.js application server, which thereafter could allow them to steal data or even take control of part of the application itself.

He submitted a security report disclosing the flaw to Snyk on 7 November and Mongoose released a new version of 8.8.3 which addressed the issue later that month.

But when Phung took a closer look at the patch he found a potential bypass that would still enable RCE on the application server.

With the new flaw, CVE-2025-23061, Phung demonstrated that by nesting the $where operator inside an $or clause, he was able to bypass the new single-level checks introduced by Mongoose to mitigate CVE-2024-53900 and achieve RCE.

The proof-of-concept exploit developed by Phung showed that CVE-2025-23061, which was assigned a 9.0 severity rating under the MITRE framework, could be triggered in Mongoose versions prior to 8.9.5 (later than 8.8.3) and disclosed the new vulnerability via Tidelift.

OPSWAT warned that these vulnerabilities could be exploited by attackers to embed malicious code inside the organization's MongoDB database, as well as steal or corrupt data stored in MongoDB.

It advised businesses to update their instances of Mongoose immediately to the latest version immediately.

MORE FROM ITPRO

• Open source vulnerabilities dominated 2023, and this year looks no different
• Open source malware surged by 156% in 2024
• The Zservers takedown is another big win for law enforcement

Most organizations are failing to remediate critical vulnerabilities quickly enough, with nearly seven-in-ten saying it takes them more than 24 hours.

According to new research from Swimlane, fragmented data from multiple scanners, siloed risk scoring, and poor cross-team collaboration means organizations are increasingly exposed to breaches, compliance failures, and financial penalties.

Michael Lyborg, CISO at Swimlane, said this confluence of issues and the “growing complexity” of vulnerability management has prompted a widespread rethink of how enterprises approach dangerous flaws.

"It’s no longer just about patching vulnerabilities — it’s about prioritizing the ones that matter most to your operations. With businesses losing an estimated $47,580 per employee each year due to manual tasks, organizations can no longer afford to operate in the reactive mode of the past."

The main reason for failures in prioritization is a lack of context or accurate information, cited by 37%, with 35% saying that's the primary reason for delays in fixing vulnerabilities too.

More than half of organizations still lack a comprehensive system for vulnerability prioritization. And while nearly half (45%) use a hybrid approach combining manual and automated processes for vulnerability detection, seven-in-ten rely on tools like cloud security posture management, and a similar number use web application scanners.

These manual processes are using up significant resources, the study noted, with 57% of security teams dedicating between a quarter and half of their time to vulnerability management operations.

More than half spend over five hours a week consolidating and normalizing vulnerability data, while a similar number said the limited usefulness of scanner results means they need to use additional tools and processes.

Nearly two-thirds said they weren't confident that their vulnerability management programs can meet regulatory audit requirements, and 73% expressed concern over potential fines.

Similarly, six-in-ten reported that siloed vulnerability management practices are creating inefficiencies and exposing their systems to potential security risks.

"Smarter prioritization and automation are no longer optional — they are essential to reducing vulnerabilities, preventing breaches and ensuring continuous compliance," said Cody Cornell, co-founder and chief strategy officer at Swimlane.

"By blending intelligent automation with human expertise, vulnerability management teams gain the clarity they need to act decisively. Centralizing data and responding in real-time isn’t a luxury — it’s a business imperative that minimizes risk and frees up time to focus on the next challenge."

Last year, researchers at Black Duck found that the utilities sector was the worst performer in dealing with security flaws, with an average of 876 days to close critical vulnerabilities in medium-sized sites. The education sector was also slow.

Perhaps because of the sector's heavy regulation, healthcare organizations were quicker to act, with an average of 87 days to close critical security vulnerabilities for small sites, 30 days for medium sites, and 20 days for large sites.

Ivanti has published details of two buffer overflow CVEs affecting its Connect Secure, Policy Secure, and ZTA Gateways devices, claiming cyber criminals are already taking advantage of them.

The first flaw, CVE-2025-0282, is described as a stack-based buffer overflow vulnerability that allows remote, unauthenticated attackers to execute code on the victim’s device.

The flaw is yet to receive an NVD assessment by Ivanti ascribed it a 9.0 severity rating on the CVSS.

The second vulnerability, CVE-2025-0283, is also a stack-based buffer overflow which could allow local authenticated attackers to escalate their privileges on the target device.

Deemed less severe than the RCE flaw, CVE-2025-0283 was given a 7.0 (high) rating on the CVSS.

Ivanti’s advisory noted it is aware of a limited number of customers’ Ivanti Connect Secure devices being exploited using CVE-2025-0282, whereas they have no evidence attackers have used it to exploit any Policy Secure devices or ZTA gateways at this time.

A blog post from Mandiant, who worked alongside Ivanti and Microsoft’s Threat Intelligence Center (MSTIC) analyzing the flaw, said threat actors were observed exploiting CVE-2025-0282 in the wild from mid-December 2024.

The post said that when investigating the threats, it observed the deployment of various parts of SPAWN malware family which has been attributed to UNC5337, described as a “China-nexus cluster of espionage activity”.

Mandiant added it suspects the group is part of the larger UNC221 cluster, known for exploiting vulnerabilities in Ivanti VPNs in late 2023 and throughout 2024.

Forget your vulnerability SLAs, act now or risk compromise – expert warns

Firms are advised to run the Ivanti external integrity checker tool (ICT) which provides a real-time snapshot of the current state of your appliance, and Ivanti says it can identify if the device is being exploited using CVE-2025-0282.

Ivanti has released patches for both flaws, but as noted in a Rapid7 blog on the vulnerabilities the CVEs are unpatched in Ivanti Policy Secure and ZTA gateways, and are expected to come by 21 January 2025.

Benjamin Harris, CEO at attack surface management specialist watchTowr, said enterprises should be on high alert, noting the resemblance between this incident and campaigns exploiting Ivanti products observed in early 2024.

“Our concern is significant as this has all the hallmarks of APT usage of a zero-day against a mission-critical appliance. It also resembles the behavior and drama circulating Ivanti products that we as an industry saw in January 2024, and we can only hope that Ivanti has learned from that experience with regard to actioning an effective response.”

Harris pointed to the lack of a fix for Policy Secure or ZTA gateways, urging businesses to take any vulnerable devices offline for the moment to stay protected.

“Ivanti Connect Secure users have a patch available, but once again - patches for other affected appliances like Ivanti’s Policy Secure and Neurons for ZTA gateways are left waiting 3 weeks for a patch. Users of these products should not hesitate - these appliances should be pulled offline until patches are available,” he advised.

“watchTowr client or not - we urge everyone to please take this seriously. Throw your vulnerability SLAs into the proverbial wind in situations like this, they are no longer relevant and the difference between a rapid response, and a response in hours, could be the difference between your organization calling your cyber insurer or not.”

ITPro received the following statement from Ivanti.

"Ivanti identified the compromise based on indications from the Integrity Checker Tool (“ICT”), and worked rapidly to identify the vulnerabilities and release a fix to customers within weeks for Ivanti Connect Secure, which is the only product where limited exploitation was observed."

"Patches for Ivanti Policy Secure and Ivanti Neurons ZTA Gateways, which have a significantly reduced risk of exploitation due to deployment practices, are scheduled for release on January 21, 2025. Ivanti confirmed that no exploitation of these products has been observed to date and has provided guidance to customers which reduces exploitation risk to near-zero."

Researchers have exposed an issue with the memory implementation on AMD’s data center chips that could threaten the integrity of data, but the chipmaker has hit back at the claims.

In a paper due to be presented at IEEE in 2025, researchers from University of Lübeck, KU Leven, and University of Birmingham highlighted a potential weakness in AMD’s secure encrypted virtualization (SEV) technology.

Dubbed ‘badRAM’, the paper outlines how attackers could manipulate the SEV system to allow unauthorized access to encrypted memory on the processor.

In a post dedicated to explaining the badRAM attack, researchers explained how the SEV technology was intended to protect processor memory in virtual machine (VM) environments through encryption.

“AMD's Secure Encrypted Virtualization (SEV) is a cutting-edge technology that protects privacy and trust in cloud computing by encrypting a virtual machine's (VM's) memory and isolating it from advanced attackers, even those compromising critical infrastructure like the virtual machine manager or firmware.”

But the paper warned that if correctly exploited the threat actors could access data used by the microprocessor, and potentially read and even overwrite the encrypted content.

The researchers further detailed the underlying premise of the exploit, whereby attackers could use “rogue memory modules” to deliberately provide false information to the processor during startup.

Using a test rig that cost them just $10, kitted out with a Raspberry Pi Pico, and a DIMM socket to hold the RAM, the team was able to successfully exploit the flaw by fiddling with the serial presence detect (SPD) metadata to circumvent the SEV encryption.

“We found that tampering with the embedded SPD chip on commercial DRAM modules allows attackers to bypass SEV protections — including AMD’s latest SEV-SNP version,” the badRAM.eu website explains.

“For less than $10 in off-the-shelf equipment, we can trick the processor into allowing access to encrypted memory. We build on this BadRAM attack primitive to completely compromise the AMD SEV ecosystem, faking remote attestation reports and inserting backdoors into any SEV-protected VM.”

BadRAM flaw only medium severity due to high barrier to entry for attackers

In a security bulletin issued by AMD the chip giant outlined the issue, tracked as SB-3015 as follows.

“A team of researchers has reported to AMD that it may be possible to modify serial presence detect (SPD) metadata to make an attached memory module appear larger than it is, potentially allowing an attacker to overwrite physical memory.”

The CVE description described the issue as stemming from improper input validation for DIM SPD metadata that would allow an attacker with certain levels of access to potentially overwrite guest memory.

The issue was only classified as a medium severity threat warranting a 5.3 rating on the CVSS owing to the high level of access required by a potential attacker.

AMD said the issue is better described as a memory implementation issue, rather than an AMD product vulnerability, adding that the barriers to executing the attack are very high, explaining it being given a medium severity rating.

In a statement given to ITPro, AMD outlined the types of access that an attacker would need to exploit the issue, providing some mitigation strategies clients can take.

“AMD believes exploiting the disclosed vulnerability requires an attacker either having physical access to the system, operating system kernel access on a system with unlocked memory modules, or installing a customized, malicious BIOS,” AMD advised.

“AMD recommends utilizing memory modules that lock Serial Presence Detect (SPD), as well as following physical system security best practices. AMD has also released firmware updates to customers to mitigate the vulnerability.”

While more exotic forms of attack may make headlines, it turns out good old email is still the most popular vector of attack for malicious actors, according to research from HP Wolf Security, accounting for 79% of threats.

The figure is a single percentage point down from 2022’s figures but highlights issues facing email administrators. Web browser downloads also dropped by 1% to 12%, while other vectors, such as removable media, grew to 9%.

Researchers noted that while attack chains tended to be formulaic, there had been a move to threat actors connecting different components to create something more unique – and harder to detect.

According to researchers “32% of the QakBot infection chains analyzed by HP in Q2 were unique”.

QakBot spam activity surged in Q2 2023, with the malware distributors switching between many different file types to infect PCs. 

Patrick Schläpfer, Senior Malware Analyst at HP Wolf Security, told ITPro that the team had seen continuous and rapid change across various attack vectors. He gave the example of the QakBot campaigns, which showed threat actors changing their initial vector as well as techniques within the infection chain.

He also noted the impact of Microsoft’s disabling of macros by default, which has forced a diversification of attack vectors. “During 2022, we observed attackers attempting various newer techniques such as HTML smuggling, PDF lures, and also OneNote documents – which is particularly interesting as OneNote attacks do not rely on macros,” he said

Schläpfer noted that most attacks were wide-ranging rather than targeted as attackers attempted to gain a foothold in a system. He shared statistics with ITPro collected over the course of Q2 2023 that show over half (51.5%) of malicious email attachments were archives and almost a quarter (24.4%) were documents. PDFs accounted for 4.2% and executables 1.5%.

Attackers are also becoming more creative, according to the research. One recent campaign used multiple programming languages in an effort to avoid detection. The payload was encrypted using Go before switching to C++ in order to interact with the victim’s operating system before running .NET malware.

According to Schläpfer, attackers are becoming more knowledgeable about their target systems, making it easier to exploit gaps or vulnerabilities. He said: “By knowing which doors to push, they can navigate internal systems with ease, using relatively simple techniques in very effective ways – without sounding the alarm”.

With email remaining the top attack vector, the advice for administrators remains the same. Dr Ian Pratt, global head of security for personal systems at HP, commented that while attack chains might vary, the initiation methods tended to remain the same: “It inevitably comes down to the user clicking on something”. 

“Instead of trying to second guess the infection chain, organizations should isolate and contain risky activities such as opening email attachments, clicking on links, and browser downloads.”

Microsoft has issued a rare rebuttal to recent criticism of its alleged "negligent" security practices and approaches to patching security vulnerabilities.

Last week, Tenable chief executive Amit Yoran published a scathing critique of the company, suggesting that the firm’s “lack of transparency” and “irresponsible security practices” have exposed customers to undue risk. 

Yoran said Microsoft has a history of deliberately keeping customers in the dark with regard to security vulnerabilities and that the company should be held accountable for its conduct. 

His comments followed similar criticism of the tech giant from a US senator in the wake of a Chinese cyber espionage incident that saw emails belonging to government officials accessed by threat actors. 

A key talking point within Yoran’s claims centered around the disclosure of a critical security vulnerability in Microsoft’s Power Platform on Azure. Tenable contends that it informed the tech giant of the issue in March this year, however, Yoran revealed it took several months before the firm issued just a “partial fix”. 

This, he argued, represented a severe risk to customers using Microsoft services and amounted to a negligent approach from the firm. 

Microsoft strongly disagreed with the claims. In a statement on Friday, the tech giant said that its approach to remediating this vulnerability was based on long-established practices. 

“As part of preparing security fixes, we follow an extensive process involving thorough investigation, update development, and compatibility testing,” Microsoft said. 

“Ultimately, developing a security update is a delicate balance between speed and safety of applying the fix and quality of the fix.”

Microsoft said that “moving too quickly” in response to certain vulnerabilities could result in “more disruption than the risk customers bear” from a security vulnerability. 

With this in mind, Microsoft’s lengthy approach to remediating this vulnerability does not amount to negligence, but rather a conservative, measured approach to appropriately patch a flaw and avoid any undue disruption for customers due to a botched fix.  

“The purpose of an embargo period is to provide time for a quality fix,” the firm said. “Not all fixes are equal. Some can be completed and safely applied very quickly, others can take longer.”

The flaw uncovered by Tenable in March was officially patched on 2 August, Microsoft went on to confirm.  

Similarly, an investigation into the vulnerability revealed that only a “very small subset” of customers were affected, and thus was deemed low risk. 

Cyber criminals are favoring the exploitation of older vulnerabilities more so than recently disclosed flaws.

That’s according to the latest security advisory from the UK’s National Cyber Security Centre and its equivalent partners in the Five Eyes alliance.

On Thursday, it made public a list of the top 12 most commonly exploited vulnerabilities in 2022, many of which appeared in the previous year’s list.

The findings offer insight into the strategies behind cyber criminal activity, highlighting the apathy organizations are evidently taking towards patching security flaws affecting their software and equipment.

“This advisory reinforces one of the foundational aspects of cyber security, said Lisa Fong, deputy director-general at New Zealand’s National Cyber Security Centre. 

“Malicious actors continue to succeed using the same techniques over and over. I can’t emphasize enough the importance of doing the basics well by understanding your assets, and rapidly applying patches when they become available. Acting on CVE reporting is the difference between getting onto your to-do list and getting onto someone else’s to-do list.”

Attackers generally experienced the greatest exploit success in the first two years following a vulnerability’s public disclosure. 

The value of these vulnerabilities gradually decreases as organizations patch or upgrade software.

The advice from the security agencies is to apply patches in a timely manner, thus forcing attackers to seek other - potentially more costly - avenues of attack. These include developing zero-day exploits or conducting software supply chain attacks.

Failing to swiftly apply patches means attackers can scan for the number of exposed systems to any given vulnerability, giving them information on its value for attacks. 

If security issues go unpatched by many organizations, it can motivate attackers to develop exploitation tools that enable faster attacks. These tools can be sold to other cyber criminals and they can be used for years if the vulnerability remains unpatched.

The most routinely exploited vulnerabilities of 2022 are:

• CVE-2018-13379: Affect Fortinet SSL VPNs and was exploited as far back as 2020. Its continued presence on the list is an indicator that many organizations have thus far failed to apply available patches
• CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523 - also known as ProxyShell: Affect Microsoft Exchange email servers
• CVE-2021-40539: A remote code execution flaw in Zoho ManageEngine ADSelfService Plus that first saw exploitation in late 2021 and into 2022
• CVE-2021-26084: A vulnerability in Atlassian’s Confluence Server and Data Center collaboration tools. Mass exploitation of this vulnerability was attempted in late 2021, according to the NCSC advisory
• CVE-2021-44228, also known as Log4Shell: Affect Apache’s Log4j library. It was first disclosed at the end of 2021, but the NCSC noted high interest in the vulnerability from attackers throughout the first half of 2022
• CVE-2022-22954 and CVE-2022-22960: Vulnerabilities in VMware’s products that allowed for remote code execution, privilege escalation, and authentication bypass. Exploits were noted at the beginning of 2022 and continued throughout the year

Also exploited in 2022 were CVE-2022-30190 - a vulnerability impacting the Microsoft Support Diagnostic Tool, CVE-2022-26134 - a critical remote code execution vulnerability in Atlassian Confluence and Data Center, and CVE-2022-1388 - a vulnerability permitting attackers to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.

“Today, adversaries commonly exploit categories of vulnerabilities that can and must be addressed by technology providers as part of their commitment to secure by design,” said Eric Goldstein, executive assistant director for cyber security at CISA. 

“Until that day, malicious actors will continue to find it far too easy to exploit organizations around the world. With our partners, we urge all organizations to review our joint advisory, for every enterprise to prioritize mitigation of these vulnerabilities, and for every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”

Tenable CEO Amit Yoran has accused Microsoft of "negligent practices” for its response to security vulnerabilities in a scathing critique of the tech giant. 

Yoran criticized Microsoft’s alleged “lack of transparency” regarding data breaches and security vulnerabilities, suggesting that the company has deliberately kept customers in the dark. 

This criticism focuses specifically on the tech giant’s response to a recent Chinese-backed cyber espionage campaign which targeted senior US government officials. 

The incident enabled threat actors to access officials’ emails, and at the time Microsoft said the attack was part of a targeted campaign against the US. 

Last week, US senator Ron Wyden penned a letter calling Microsoft “negiligent” in its response to the attacks and called on the Justice Department to investigate whether the company’s approach broke the law.

Yoran echoed Wyden’s comments in his broadside against the firm, claiming that the company’s track record on security is “even worse than we thought”. 

“Microsoft’s lack of transparency applies to breaches, irresponsible security practices, and to vulnerabilities, all of which expose their customers to risks they are deliberately kept in the dark about,” he said. 

“What you hear from Microsoft is ‘just trust us’, but what you get back is very little transparency and a culture of toxic obfuscation. 

“How can a CISO, board of directors, or executive team believe that Microsoft will do the right thing given the fact patterns and current behaviors? Microsoft’s track record puts us all at risk. And it’s even worse than we thought,” Yoran added. 

In March this year, Tenable researchers uncovered a vulnerability in Microsoft’s Azure platform that would enable attackers to access applications and sensitive data, such as authentication secrets. 

Yoran pointed to this incident as an example of Microsoft’s alleged negligent practices, noting that it took more than 90 days to implement a “partial fix” after researchers notified the firm. 

“To give you an idea of how bad this is, our team very quickly discovered authentication secrets to a bank,” Yoran said. “They were so concerned about the seriousness and the ethics of the issue that we immediately notified Microsoft.”

“Did Microsoft quickly fix the issue that could effectively lead to the breach of multiple customers' networks and services? Of course not. They took more than 90 days to implement a partial fix – and only for new applications loaded in the service.”

Is Microsoft truly ‘negligent’?

Yoran’s public criticism of Microsoft raises questions over the company’s approach to security in recent years. According to data from Google Project Zero, Microsoft products have accounted for around 42.5% of all zero days discovered since 2014. 

While these statistics might raise eyebrows, the scale of Microsoft’s global footprint does indeed put things into perspective. Microsoft software is used by more than 1.4 billion people globally, including millions of organizations such as US government departments. 

Within that context, Microsoft being responsible for a significant volume of zero days doesn’t point to outright negligence, but more of a byproduct of its size and scope of integration within organizations. 

Jake Moore, global cyber security advisor at ESET, told ITPro that although the firm may seem to be turning a blind eye to known vulnerabilities, critics must remember that updates from vendors large and small are all known to cause issues, not just Microsoft’s. 

“Keeping systems completely secure is a challenging role, if not impossible, but it is best approached using as many layers of defense as possible,” he said. 

“Zero days naturally need vital attention but when attackers strike it can be relentless and often on large swathes making patches that much more difficult to produce, control, and distribute.”

However, Moore added that the length of time between vulnerability disclosure and remediation in the Tenable research should be a cause for concern for organisations.

“Over 100 days is naturally concerning for clients but this is yet another important reminder that no one single security measure will protect entities on their own and multiple defenses are required to remain best protected.”

Apple has released a patch for a number of vulnerabilities including an actively-exploited zero-day vulnerability linked to an ongoing spyware campaign.

The zero-day flaw, tracked as CVE-2023-38606, made it possible for an app to alter the state of a device’s kernel which could allow an attacker to leverage root-level control over a compromised device.

It was reported by researchers at Kaspersky Lab as part of an ongoing effort to uncover a sophisticated attack chain used as a vector in a spyware operation dubbed ‘Operation Triangulation’.

Researchers first reported the spyware in June, after uncovering evidence to suggest that an advanced persistent threat (APT) campaign had been working against Kaspersky staff since 2019.

At the time, it was noted that the spyware arrives through a malicious iMessage. This subsequently activates a payload using a zero-click method, so goes entirely unnoticed by victims.

Apple’s update also introduced fixes to a WebKit remote code execution flaw (CVE-2023-38594), a libxpc vulnerability that could allow an app to obtain root privileges (CVE-2023-38565), and an Apple Neural Engine flaw linked to arbitrary code execution (CVE-2023-38136).

In all, updates were released for:

• Safari 16.6 (macOS Big Sur and macOS Monterey)
• iOS 16.6, iPadOS 16.6 (iPhone 8 and later, all iPad Pro models, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later)
• iOS 15.7.8 and iPadOS 15.7.8 (all models of iPhone 6s and iPhone 7, 1st generation iPhone SE, iPad Air 2, 4th generation iPad mini, and 7th generation iPod touch
• macOS Ventura 13.5
• macOS Monterey 12.6.8
• macOS Big Sur 11.7.9
• tvOS 16.6 (All models of Apple TV 4K and Apple TV HD)
• watchOS 9.6 (Apple Watch Series 4 and later)

In the weeks since Operation Triangulation was made public, researchers have performed more detailed analyses on the vector and exfiltration implant used by the spyware’s operators. 

The threat actors exploit the zero day (CVE-2023-38606) to gain root privileges on a victim’s iOS device, and then deploy the implant, which Kaspersky dubbed ‘TriangleDB’.

This works to alter or delete files, exfiltrate key files such as certificates or keys, and send precise geolocation data back to the operators. 

Removing the spyware via a factory reset of the phone removes all evidence of the attack, and as it operates in a device’s memory it has proved difficult to track. 

By default, TriangleDB deletes itself after 30 days, though attackers can extend or shorten this period through commands send from their command-and-control (C2) infrastructure.

Researchers also found that TriangleDB’s configuration class contains a method titled ‘populateWithFieldsMacOSOnly’, leading them to warn that future such spyware attacks could occur against macOS devices.

“An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1,” Apple wrote.

The firm stated that the issue has been resolved using an improved state management method, but did not go into further detail on what this entails.

Citrix has issued a warning to users of NetScaler Gateway and ADC products over a series of new vulnerabilities. 

In a security bulletin, the firm disclosed three new vulnerabilities, including one believed to have been actively exploited in the wild. 

This included CVE-2023-3466, a reflected cross-site scripting (XSS) vulnerability, and CVE-2023-3467, which would enable escalation of privilege to root administrator, the firm revealed in its update. 

The most severe of the three - identified as CVE-2023-3519 - would allow for unauthenticated remote code execution on affected Gateway appliances.

Analysis of the flaw from Rapid7 found that this vulnerability is “known to be exploited in the wild” and urged users to patch immediately. 

“This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” researchers said. 

“Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.”

Security firm Tenable also analyzed the most severe flaw, which was given a severity score of 9.8 on the CVSSv3 scale, adding that although exploits have been observed, there is currently no known proof of concept code circulating in the wild.

Affected products

 In its advisory, Citrix confirmed several versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities. These include: 

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-65.36
• NetScaler ADC 12.1-NDcPP before 12.65.36

The advisory added that NetScaler ADC and NetScaler Gateway version 12.1 is now end-of-life (EOL) and thus vulnerable to the recently-disclosed flaws. 

Customers currently using an EOL version have been advised to upgrade devices to the latest software versions with the patches applied.

These include: 

• NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
• NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Customers and channel partners have been notified about the ongoing security risks, and will continue to receive updates via Citrix’s security bulletins. 

Security experts have issued a warning over a potentially ‘incomplete’ fix for a security vulnerability in Adobe ColdFusion. 

Researchers at Rapid7 have raised concerns that security patches issued for a series of vulnerabilities could still be placing users at risk. 

Adobe released fixes for a series of vulnerabilities earlier this month affecting ColdFusion, including an access control bypass vulnerability - tracked as CVE-2023-29298 and discovered by Rapid7. 

Researchers said that, based on observations, threat actors were found to be actively exploiting CVE-2023-29298 in customer environments.

“Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments,” the firm said in a blog post. 

“The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability.”

Behaviors observed by researchers were found to be “consistent” with a separate zero-day exploit published - and later removed - by Project Discovery on July 12.

According to Rapid7, it appears that Project Discovery initially believed it discovered an exploit, tracked as CVE-2023-29300 - a deserialization vulnerability - that would enable arbitrary code execution.

However, this was then found to have been a zero-day exploit chain that Adobe subsequently fixed. 

“The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” the firm said. 

Warning issued over incomplete fix

Although Adobe issued a raft of fixes for these vulnerabilities last week, Rapid7’s analysis revealed that the patch provided is “incomplete”. 

This means that a modified exploit could still be leveraged to work against the latest version of ColdFusion. 

Similarly, researchers warned that, at present, there is no mitigation for customers vulnerable to CVE-2023-29298. 

“Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on 11 July is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion - released July 14). 

“We have notified Adobe that their patch is incomplete.”

Researchers noted, however, that for the incomplete fix to be harnessed effectively, threat actors would still be reliant on a secondary vulnerability for “full execution on target systems”. 

The firm urged customers to still update to the latest version of ColdFusion to mitigate the secondary vulnerability and prevent exploitation. 

Companies of all sizes are starting to see the benefits of bug bounty programs. Big tech firms including Facebook, Google, Microsoft, and Apple have such a program in place, while ChatGPT owner OpenAI recently unveiled such a scheme. 

At a time when breaches are hitting businesses of all sizes, adversaries are constantly probing for security weaknesses through which to attack. Bug bounties help to address this issue at the source, with researchers finding vulnerabilities before they can be used in real-life attack scenarios.

Bug bounty prizes can be huge, with firms such as Google paying out as much as $600,000 to those who find serious holes in its products. While it might seem like a big outlay, advocates point out that the expense is still smaller than regulatory fines and reputational damage caused by a data breach.

What different types of bug bounty program are there?

Bug bounty programs are typically either public or private. “A public bug bounty is usually listed on sites such as HackerOne and Bugcrowd, or in some cases on the company’s own website,” Joshua Hickling, managing consultant at Pentest People, explains.

A private bug bounty is only joinable via invitation, usually based on the researcher’s reputation. For example, those able to find pertinent, exploitable bugs consistently will be invited to private programs, Hickling says.

An organization sets the rules of engagement for its bug bounty program, including assets in and out of scope, types of vulnerabilities, permitted testing methodologies, and reward structure. “Hackers can test for vulnerabilities that elude security teams and cannot be discovered by automated scanning tools,” says Kayla Underkoffler, lead security technologist at HackerOne. 

Among the advantages, programs can be effective very quickly. According to Underkoffler, over 75% of new bug bounty programs on the HackerOne platform receive their first valid vulnerability report within 24 hours.

They can benefit firms of any size, but larger organizations that operate complex networks or handle large amounts of sensitive data are more likely to get value out of a program, says Cezary Cerekwicki, head of product security at browser maker Opera. “The larger an organization and a network, the greater the danger that vulnerabilities might go undetected.”

Large firms are a bigger target for adversaries, so a bug bounty offer might even persuade “unethical hackers” to probe for weaknesses with permission, says Leon Teale, a senior penetration tester at IT Governance. “In exchange, they could receive gifts, cash, notoriety, or honorable mentions,” he suggests.

Michael Adams, CISO at Zoom says the company’s bug bounty program hosted on the HackerOne platform helps the firm “proactively mitigate risk and create a safer environment for our customers”. 

It can be challenging for companies to identify edge-case vulnerabilities or anomalies that only occur in certain circumstances, says Adams. “That’s where the ethical hacker community can perform a vital function in the continuous testing and probing of technologies. In many cases, they can help organizations save time and money by identifying certain security issues before they become a bigger problem.”

Are bug bounty programs worth the cost?

The cost of running a bug bounty program can vary, but experts say the outlay is worth it. There are two components to the cost: the first is the platform fee, if you use one, with firms such as Bugcrowd or HackerOne offering the service a SaaS subscription model.

“This is what we charge for connecting organizations that want to run a program with ethical hackers, triaging the results and verifying they are legitimate vulnerabilities – as well as handling payments to the hacker community,” says Dave Gerry, CEO of bug bounty platform Bugcrowd. 

The second cost is the bounties themselves – which according to Gerry, is set by the market. “If a company’s bounty rates are too low, it will struggle to attract ethical hackers to work on the program.”

You do not have to pay, with some companies purely offering an honorable mention or some “swag” in return, says Teale. “Offering a ‘kudos’ can still be helpful to those who would like to gain recognition through this exposure – although paid bounties will always attract more testers,” he says.

The value of the bounty is usually paid based upon the seriousness of the issue, with low severity flaws seeing bounties of anywhere from $0 to $50 and critical issues in some cases exceeding $100,000, says Hickling. “If a vulnerability is identified which could result in the leak of personally identifiable information, paying a $100,000 bounty far outweighs the potential GDPR fines a business could be hit with.”

How to implement a program in your business

The benefits of having a bug country program are clear, but there can be challenges when implementing one. 

Scoping is important, says Gerry. “To make them manageable, projects are usually targeted at a specific online asset that has already been tested internally. This prevents organizations from exposing themselves to unexpectedly high levels of cost and stops them from being over-run with reports of vulnerabilities.”

It’s also important that firms are ready and able to take remedial action when flaws are discovered, he adds. At the same time, it’s key to match the skills of ethical hackers with the type of assets to be tested, he says. 

But it can be difficult to identify the true impact of vulnerabilities. While an outside researcher might believe they’ve identified a major flaw, companies often have many defenses and mitigations already in place that are not shared externally, says Adams. 

With this in mind, Zoom is rolling out a “Vulnerability Impact Scoring System” to measure the impact of flaws, and pay researchers for the best bugs. 

Before introducing a bug bounty program, it’s important to consider the business objectives, says Adams. “These will help determine the scope of the program, whether it runs as private or public, and the rewards system. It may attract a range of participants from beginner bug bounty hunters to full-time professionals.”

US not-for-profit cyber security research organization MITRE has published its list of the top 25 most dangerous software weaknesses for 2023, with the top three remaining unchanged from last year.

The 2023 Common Weakness Enumeration (CWE) list is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years.

The vulnerabilities can be exploited by an attacker to take control of, steal data from or otherwise disrupt the working of applications and systems.

The top three weaknesses are unchanged from last year and are once again topped by out-of-bounds write flaws, represented as CWE-787.

An out-of-bounds write occurs when a product writes data past the end or before the beginning of the intended buffer. 

The result can be a crash, corruption, or code execution. 70 such vulnerabilities were added to the Known Exploited Vulnerabilities (KEV) list, according to the team.

At second was improper neutralization of input during web page generation, also known as cross-site scripting (XSS), of which there are three types.

The first is reflected XSS, where the server reads data directly from the HTTP request and reflects it back in the HTTP response. Malicious content might then be executed by the victim’s browser.

The second is stored XSS where malicious data is stored in a database - for example a message forum - and then included in dynamic content.

The third is DOM-based XSS, where the client performs the injection of XSS into the page.

Rounding out the top three is SQL Injection, where elements of an improperly formatted SQL query can be treated as commands. 

SQL Injection attacks can take a variety of forms and include user inputs that are passed to the database for processing without appropriate safeguards and poisoned queries based on cookies.

Moving up to positions four and five respectively were use after free flaws, represented as CWE-416, and improper neutralization of special elements used in an os command, represented as CWE-78 and also known as 'OS command injection'.

‘Use after free’ refers to the practice of referencing memory after it has been freed, causing a program to crash or unexpected code to be executed. 

OS command injection, as the name suggests, allows an OS command to be constructed and executed in a way that should not normally be permitted. 

The potential consequences include elevation of privileges which, when chained with other vulnerability exploits, can lead to attackers gaining the ability to execute commands on an organization’s machine with the necessary privileges to inflict the most damage.

As well as the ‘use after free’ vulnerability, missing authorization (CWE-862), improper privilege management (CWE-269), and incorrect authorization (CWE-863) all moved up the list of vulnerabilities, the latter entering the top 25.

Deserialization of untrusted data (CWE-502), use of hardcoded credentials (CWE-798), and incorrect default permissions CWE-276 all moved down. 

The team reported that improper restriction of XML external entity reference (CWE-611) dropped out of the top 25 this year.

The complete list was:

• CWE-787 - out-of-bounds write
• CWE-79 - improper neutralization of input during web page generation ('cross-site scripting')
• CWE-89 - improper neutralization of special elements used in an sql command ('sql injection')
• CWE-416 - use after free
• CWE-78 - improper neutralization of special elements used in an os command ('os command injection')
• CWE-20 - improper input validation
• CWE-125 - out-of-bounds read
• CWE-22 - improper limitation of a pathname to a restricted directory ('path traversal')
• CWE-352 - cross-site request forgery (csrf)
• CWE-434 - unrestricted upload of file with dangerous type
• CWE-862 - missing authorization
• CWE 476 - null pointer dereference
• CWE-287 - improper authentication
• CWE-190 - integer overflow or wraparound
• CWE-502 - deserialization of untrusted data
• CWE-77 - improper neutralization of special elements used in a command ('command injection')
• CWE-119 - improper restriction of operations within the bounds of a memory buffer
• CWE-798 - use of hard-coded credentials
• CWE-918 - server-side request forgery (ssrf)
• CWE-306 - missing authentication for critical function
• CWE-362 - concurrent execution using shared resource with improper synchronization ('race condition')
• CWE-269 - improper privilege management
• CWE-94 - improper control of generation of code ('code injection')
• CWE-863 - incorrect authorization
• CWE-276 - incorrect default permissions

Using this data

According to the team: “Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management”.

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk.”

The list is a useful reference for enterprises seeking to harden their CI/CD environments. Despite the existence of scanning tools to check for vulnerabilities, the list is a reminder that errors still slip into even the most used products.

ASUS has announced a raft of firmware updates to fix critical vulnerabilities found in a number of router devices. 

The firm revealed that nine security vulnerabilities were discovered in networking appliances - two of which were rated as ‘critical’ with six designated as ‘high’ risk. 

Tracked as CVE-2018-1160 and CVE-2022-26376, the two critical vulnerabilities were given a 9.8 severity rating out of a possible 10, the company said. 

Analysis shows that the former of these pertains to an out of bounds write bug found in Netatalk prior to version 3.1.12. This near-five-year-old vulnerability could enable an unauthorised party to achieve arbitrary code execution. 

Meanwhile, CVE-2022-26376 is a memory corruption vulnerability found in Asuswrt and Asuswrt-Merlin New Gen firmware. This flaw could allow an attacker to trigger this vulnerability by leveraging a “specially-crafted HTTP” request, which would cause memory corruption. 

Nearly 20 router models have been affected by disclosed vulnerabilities, ASUS revealed. 

These include:

• GT6
• GT-AXE16000
• GT-AX11000 PRO
• GT-AXE11000
• GT-AX6000
• GT-AX11000
• GS-AX5400
• GS-AX3000
• XT9
• XT8
• XT8 V2
• RT-AX86U PRO
• RT-AX86U
• RT-AX86S
• RT-AX82U
• RT-AX58U
• RT-AX3000
• TUF-AX6000
• TUF-AX5400.

In its security advisory on 19 June, ASUS urged customers to patch affected routers as soon as possible to avoid risk of exposure.  

The firm warned that customers choosing not to install new firmware updates should disable services accessible from via WAN to “avoid potential unwanted intrusions”. 

“These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger,” ASUS said. 

The company also recommended frequent auditing of equipment to ensure firmware is up to date and to mitigate risk.

“We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected,” the firm said.

Security researchers have theorized that rising exploits of the critical vulnerability in Log4J could soon worsen as cyber criminals continue to find new ways around the ongoing implementation of Microsoft’s anti-phishing measures.

Introduced in 2022 after the IT community demanded it for years, Microsoft blocked the enablement of VBA macros in Office documents by default.

It meant that one of the leading methods of distributing malware via Office documents and phishing emails was effectively nullified - a major boon to defenders.

Since then, researchers at ESET have noticed a rise in exploits targeting the Log4J vulnerability across the world. 

While the reason for the increase in attempts isn’t currently clear to researchers, the possibility that cyber criminals are looking for new ways to carry out attacks now phishing with malicious documents has become more difficult.

ESET’s researchers said that, while it’s just a theory, this rise may continue as cyber criminals look for effective ways to achieve their goals now one of their most favored tactics has been thwarted. 

“If you look at the numbers globally, we have seen 166 million attacks [in 2022]... and in 2023, the numbers were going up by 13%,” said Ondrej Kubovič, security awareness specialist at ESET, about the latest data on Log4J exploit attempts.

“So, knowing that there are new systems being introduced with Log4J, and our statistics are showing this, then we can say that Log4J is still interesting for the attackers, and with VBA [macros] being closed down and OneNote being closed down, this might get worse.”

The latest Log4J numbers

Despite Log4Shell not being as devastating as the community initially thought it would be, it remains highly exploited - the second-most used exploit method, according to ESET’s telemetry, behind password guessing.

The popularity of exploiting the vulnerability is also expected to increase not just because of Microsoft’s anti-phishing measures, but also because of the number of vulnerable downloads that are still made.

ESET said in its T3 2022 Threat Report that as many as a quarter of all new Log4J library downloads are of the vulnerable version, even though patched and secure versions have been available since December 2021.

IBM’s figures paint an even darker picture, suggesting that nearly half (40%) are still vulnerable to the flaw that received a maximum 10/10 rating on the CVSSv3 severity scale.

In just the last seven days, 32% of Log4J downloads were of the vulnerable version, Sonatype’s data showed.

As of September 2022, the number of blocked Log4J exploit attempts in the UK sat at 13.4 million, ESET said, roughly 12% of the global 166 million attempts. 

This represented a 15% year-on-year increase, one that was generally in line with the figures for countries across the world.

Poland’s figures were amongst the highest out of any country in the world with a 30% increase in attacks. 

ESET could not offer a definitive explanation for these markedly high attack attempts and neither could the Polish national computer emergency response team (CERT) after consulting with the security researchers.

Ukraine’s CERT issued an alert at around this time warning of Russia’s changing tactics, favoring vulnerability exploits as opposed to attack techniques used earlier in the conflict, though a strong link between the nation’s activity and Log4J exploits in Poland has not been established.

Blocking VBA macros: How effective has it been?

In the year since Microsoft rolled out the changes to Office documents, blocking VBA macros by default, data has shown a dramatic reduction in attacks.

Proofpoint’s figures from the back end of 2022 showed a 66% drop in macro-enabled attack attempts, a trend that continued through the first half of 2023 with macros “barely” making an appearance in campaign data.

“The cyber criminal ecosystem has experienced a monumental shift in activity and threat behavior over the last year in a way not previously observed by threat researchers, the security company said. 

“Financially motivated threat actors that gain initial access via email are no longer using static, predictable attack chains, but rather dynamic, rapidly changing techniques.”

The findings in Proofpoint’s data were also corroborated by researchers at ESET in private media briefings.

Attackers pivoting to OneNote

After Microsoft put an end to macro-enabled Office documents, attackers soon realized that the company’s note-taking app OneNote could be exploited in a similar way to how Word and Excel were before 2022.

An increase in attacks was reported by various security firms earlier this year involving OneNote files, which still allowed the embedding of various files in documents, including executables.

A typical scenario would see an email sent to a victim and attached to it was a mostly empty OneNote document. 

Attackers would create a large text box reading ‘Click to open document’, or a similar message, but behind that text box would be a number of links to batch files that would be clicked and executed if the victim clicked on the text box, which only served to conceal the malicious buttons.

In some examples, a series of batch files would run, downloading other similar files and executing PowerShell code, ultimately leading to the installation of malware and essentially bypassing the blocking of VBA macros. 

An example highlighted by Fortinet in March 2023 saw such an attack lead to the dropping of the AsyncRAT which was able to assume total control of a victim’s machine.

In the same month, Microsoft implemented enhanced security measures for OneNote, including more frequent and explicit warnings when opening potentially malicious files.

Weeks later, it also announced it would block 120 file extensions often used in malicious campaigns by default as an additional stand against phishing using its productivity software.

Now, fresh concerns have been raised around the introduction of the new top-level domains (TLDs).  

Cyber security experts have previously criticized the new additions, including the ones such as .zip, as these could be harnessed in campaigns, potentially making malicious links appear more legitimate than they really are.

ESET’s researchers told ITPro that while the current data doesn’t show a significant increase in attacks leveraging the new TLDs, they “understand the concern”.

Maintaining a cyber-secure IT estate continues to be a challenge for all organizations but knowing how to mitigate the most pressing threats will get many businesses most of the way there.

Cyber crime remains a lucrative business and shows no signs of slowing down. Ransomware operations are changing tactics to maximize returns and malware continues to pervade global networks.

While it’s impossible to group every single threat that’s targeting organizations every month, this series of monthly roundups aims to highlight the most important patches, workarounds, and indicators of compromise (IOCs) to be aware of.

Here you’ll find a complete list of the most dangerous malware and ransomware threats of June 2023.

Zyxel NAS devices widely exploited

Zyxel is the latest company to battle issues in its line of network-attacked storage (NAS) devices. 

Following the widespread and repeated attacks on QNAP’s NAS drives last year, a critical vulnerability, tracked as CVE-2023-28771, is now being exploited in Zyxel’s hardware and is believed to affect tens of thousands of customers.

The flaw allows for remote code execution by sending a specially crafted packet to the device.

A technical analysis by security firm Rapid7 revealed evidence of exploits used to conduct attacks as part of a Mirai botnet.

According to the company’s telemetry, it was estimated that around 42,000 Zyxel NAS devices were exposed to the public internet on the wide area network (WAN), which is not a default setting.

Because the flaw resides in the NAS drives’ VPN service, which is enabled by default on the WAN, Rapid7 said it believes the total number of affected devices to be “much higher” than 42,000.

Patches for the buffer overflow vulnerability, and others announced at the same time, are now available and should be applied as soon as possible.

Read more from CloudPro’s coverage of the full story here.

Barracuda Networks email security gateway devices “must be replaced immediately”

Continuing on the theme of attacks targeting major hardware, Barracuda Networks revealed this week that despite releasing patches for a critical vulnerability, users must still replace the devices as soon as possible.

A zero-day vulnerability in its email security gateway (ESG) devices’ VPN service allowed for remote code execution. 

The earliest evidence of exploits is from October 2022 and have since been used to install backdoor malware with persistence.

Attacks have also been observed supporting downstream attacks from a Mirai-like botnet campaign.

Barracuda did not offer any further information about the reason for needing to fully replace the devices in a brief update to its security advisory.

Read more from ITPro’s coverage of the full story here.

Horobot runs wild for two years before getting discovered

A “sophisticated” botnet has only just been uncovered by security researchers after going unnoticed for more than two years.

Horobot has been targeting specific industry verticals - accounting, investment, and construction in particular - and has been installing different strains of malware since November 2020.

Banking trojans and spam tools were among the malware dropped in attacks. The latter was used to steal sensitive information and compromise email accounts to launch phishing attacks.

Gmail, Yahoo, and Outlook users were all affected by Horobot-based attacks, researchers noted.

The campaign mainly targeted Spanish-speaking users in the Americas and experts believe the attackers managing Horobot may be based in Brazil.

Horobot’s indicators of compromise can be found on Cisco Talos’ advisory, and you can read more detailed coverage of the story over at CloudPro here.

Information-stealing malware targets 1Password, other password managers

A new version of ViperSoftX has been discovered and is now targeting the data held in web browsers by popular password managers’ extensions.

Focused mainly on 1Password and KeePass 2, the latest ViperSoftX was found by Trend Micro’s security researchers but has historically only had tooling for Google Chrome.

The malware now has the functionality to target browsers such as Microsoft Edge, Firefox, Brave, and Opera.

ViperSoftX was also originally used to be just a cryptocurrency-hijacking tool but now offers more robust options for cyber attackers. 

Trend Micro said the bulk of attacks are targeting organizations in Australia, Japan, the US, and India, but attacks are also prevalent across Asia and central European regions too.

ViperSoftX’s indicators of compromise can be found on Trend Micro’s advisory.

Backdoors and MFA tampering in Azure AD

Faulty APIs in the premium version of Microsoft Azure Active Directory (Azure AD) were found to enable the tampering of conditional access policies (CAPs).

Researchers identified three APIs that allow editing of CAPs, one of which allowed editing of all CAP settings, including metadata.

The exploitation of this API could have led to serious ramifications for organizations, researchers said.

Nestori Syynimaa, senior principal security researcher at Secureworks Counter Threat Unit (CTU), said Azure AD “isn’t locked properly” and that any users, including threat actors, could see policy configurations. 

Admin users could also make modifications that don’t get logged properly, such as the installation of backdoors and turning off access controls to bypass multi-factor authentication (MFA).

It’s important that organizations can rely on their audit logs so that any damaging changes can be remediated effectively.

Microsoft was made aware of the issues in May 2022 but said “that it is expected behavior”.

Last month, it said it will be retiring the flawed AADgraph API and that admins will be prevented from making changes to CAPs.

Read more from CloudPro’s coverage of the full story here.

Second major ransomware gang pivots to extortion-only model

The BianLian ransomware operation is said to have followed Cl0p’s lead and become the second major cyber criminal outfit of its kind to switch to pure extortion attacks.

An advisory issued by the US and Australia revealed that the latest analysis of the group’s activity indicated a step away from using the group’s ransomware payload in favor of simply extorting victims over stolen data.

It’s not clear why the techniques of ransomware criminals are changing in this way, but Cl0p, which started the year with the notorious supply chain attack on GoAnywhere MFT, has seen repeated success with the method.

Cl0p was also attributed to the supply chain attack on MOVEit Transfer, a widely used file transfer tool in the private sector.

The trend highlights the growing need for organizations to keep their data secure and regular backups in case of an attack. 

Cyber criminals continually evolve their tactics, especially in financially motivated attacks, and it’s important that organizations do what they can to avoid paying them and further incentivizing the business model.

Tofsee botnet remains among the top business threats

Researchers at Cisco Talos have, for the second week in a row, included the Tofsee botnet in its list of most prevalent threats to organizations.

The botnet dates back more than a decade and has undergone several rounds of evolution since its inception.

Talos said describes Tofsee as a “multi-purpose malware that features a number of modules used to carry out various activities such as sending spam messages, conducting click fraud, mining cryptocurrency, and more”.

There aren’t any exact figures available regarding the extent of the botnet’s reach, but it remains a significant threat to organizations given its modular design.

Primarily a cryptominer and web traffic proxy, it also has the functionality to be used for spam campaigns and DDoS attacks too.

For a full list of IOCs, head to Cisco Talos’ advisory here.

A critical vulnerability in Barracuda Networks’ email security gateway (ESG) devices now means all devices must now be replaced.

The order came directly from the security company this week which said devices should be replaced regardless of whether the zero-day vulnerability was patched.

Barracuda updated its security advisory and also communicated the instruction to customers via the user interface of their ESG devices.

“Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG,” the company said. “Impacted ESG appliances must be immediately replaced regardless of patch version level.”

Barracuda has not offered any further description as to why the devices must be fully replaced, but it may be due to the malware installed after exploiting the vulnerability allowing for persistent backdoor access for attackers.

The firm, which has more than 200,000 customers globally, has been engaging affected clients since news of the vulnerability emerged in late May. 

Barracuda ESG vulnerability - what happened?

Last month, Barracuda said it detected “anomalous traffic” originating from its email security gateway appliances. A subsequent investigation identified a critical vulnerability exploit, tracked as CVE-2023-28681, in the appliance. 

Initially, the company issued a patch to remediate the vulnerability for all ESG appliances globally. A script was deployed to contain the incident and prevent unauthorized access methods, Barracuda said. 

However, last week the company revealed that further analysis of the incident found the vulnerability had been actively exploited for several months before it was discovered and patched. 

Barracuda said the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022”.

The vulnerability enabled threat actors to obtain “unauthorized access to a subset of ESG appliances”, it added. The company said that malware was identified on a subset of appliances, offering would-be attackers persistent backdoor access. 

Two particular malware strains were uncovered by Barracuda during its post-mortem analysis of the incident. 

The first was SALTWATER, a “trojanized module for the Barracuda SMTP daemon that contains backdoor functionality”. 

The second malware strain, known as SEASPY, was also identified. SEASPY also offered attackers backdoor functionality with persistence, while disguising itself as a legitimate Barracuda Networks service. 

No other Barracuda products, including its SaaS email security services, were affected by the vulnerability, Barracuda said. 

ITPro approached Barracuda Networks for comment on the latest update. 

Researchers at Secureworks have issued a warning over a flaw in Microsoft’s Azure Active Directory (Azure AD) that allows threat actors to tamper with conditional access policies (CAPs).

Analysis from Secureworks’ Counter Threat Unit found that the vulnerability enabled an attacker to install backdoors, modify access rights to bypass multi-factor authentication (MFA), and block admin access. 

The flaw also allowed attackers to gather information on policy configurations to support and launch future attacks, researchers noted. 

Azure AD is Microsoft’s cloud-based identity and access management service. The premium version of Azure AD also supports CAPs that grant - or block - access based on certain criteria, such as device compliance or user location. 

“Azure AD stores the settings for the authentication methods and CAPs. CAPs can be modified via the Azure AD portal, PowerShell, and API calls,” researchers said.

In May 2022, researchers investigated which APIs allow editing of CAP settings and identified three: 

• The legacy Azure AD Graph (also known as AADGraph)
• Microsoft Graph
• An “undocumented” Azure IAM API

AADGraph was the only API that allowed modification of all CAP settings, including metadata. 

This capability could allow admins to tamper with all CAP settings, including the creation and modification timestamps. 

Modifications made using AADGraph are not properly logged, which researchers warned “endangers integrity and non-repudiation of Azure AD policies”.

“The API does not properly log changes, and the lack of an audit trail breaks integrity and non-repudiation of CAPs,” researchers said. “As a result, organizations cannot trust CAP information shown in the Azure AD portal or in directory audit logs.”

CTU researchers shared their findings with Microsoft in May 2022, and the tech giant confirmed the findings a month later. However, SecureWorks revealed that Microsoft stated “that it is expected behavior”.

In May this year, Microsoft notified CTU researchers of planned changes to improve audit logs and restrict CAP updates via AADGraph.

Microsoft said these changes will “improve audit logs to reflect the type of policy being updated when CA policies are updated through AADGraph”. 

The firm added that AADGraph is “set to be retired” and that admins will be prevented from making updates to CA policies.

Nestori Syynimaa, senior principal security researcher at SecureWorks CTU, said that a concerning aspect of this vulnerability is that Azure AD “isn’t locked properly”, enabling attackers to see policy configurations potentially exploit the flaw. 

“This means that any user can see policy configurations, and anyone with admin rights can make modifications that are not logged properly,” he said. 

“If you have a rogue admin, or an admin’s credentials have been compromised by a threat actor, then they can make damaging changes such as turning off access controls, blocking access, and editing rules.”

Syynimaa noted that a threat actor could hypothetically access “any number of systems and create backdoors”, making remediation difficult in the event that this vulnerability was exploited. 

Cisco has released patches for nine vulnerabilities impacting its small business network switches and said that exploit code has been spotted in the wild.

The vulnerabilities have been found in the user interface (UI) of Cisco Small Business Series switches and could be exploited by attackers to execute arbitrary code on a victim’s switch, or cause a denial of service (DoS) on a business’ network.

Four of the nine vulnerabilities were rated ‘critical’ on the CVSSv3 severity scale, each receiving a near-maximum score of 9.8.

The remaining flaws received scores between 7.5 and 8.6.

The critical flaws - tracked as CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189 - stem from improper validation of requests sent through the web-based UI for the switches, which could allow an attacker to run malicious code via custom requests.

Five high-risk flaws also stem from the same UI issue and allow for individual devices to become subject to a DoS.

It’s recommended that affected organizations install the fixes as quickly as possible given the potential security risk and that exploit code exists online. There are no known workarounds that can mitigate the vulnerabilities.

Cisco did not indicate whether successful attacks have already taken place.

A number of Cisco’s Smart Switches, Series Managed Switches, and Series Stackable Switches are affected by the flaws with a full list available on the company’s official advisory.

Its 220 and Business 220 Series Smart Switches were found to be unaffected.

Cisco said it will not be releasing updates for the Small Business 200 Series Smart Switches, Small Business 300 Series Managed Switches, or Small Business 500 Series Stackable Managed Switches as all of these products have gone end of life (EOL) and are no longer supported by updates.

EOL notices for the relevant products were published in 2018 and 2019, with businesses having had the years since to move away from the soon-to-be-obsolete switches.

Given the prevalence of Cisco’s hardware in organizations’ networks worldwide, critical vulnerabilities of this kind should be taken seriously and patched as soon as possible.

Cisco small business switches have faced security challenges in the past, with three major vulnerabilities having been found in 2019, a year that also saw the networking and enterprise cyber security firm wrangle with a flaw known as Thrangycat.

Coupled with another flaw, Thrangycat could be used to bypass Cisco’s TAm security controls and remotely seize control of a router or potentially compromise an entire network.

Researchers have linked leading ransomware groups Cl0p and LockBit to the ongoing exploitation of critical-rated vulnerabilities in print management software from PaperCut.

The vulnerabilities, CVE-2023-27350 and CVE-2023-27351, have a near maximum 9.8 severity score and have enabled remote code execution on vulnerable PaperCut servers since at least January 2023.

PaperCut was first alerted to the vulnerabilities by Trend Micro in January 2023 but alerts about active exploitation didn’t come until earlier this month.

In some instances, attackers used the flaws to spread Cl0p ransomware.

Microsoft Threat Intelligence tweeted that it has linked the attacks with Lace Tempest, a group it tracks also referred to as FIN11 or TA505.

The group has previously been linked with major cyber attacks such as the hacking of Accellion’s FTA in 2021, a campaign that affected major organizations such as Morgan Stanley.

Lace Tempest was observed using PowerShell commands to deliver TrueBot malware, which is used to check security protocols and deploy further malicious payloads.

It has also been tracked using the Raspberry Robin worm to load other malware including LockBit's ransomware payload. 

Microsoft also linked it to Cl0p’s GoAnywhere-related attacks, which may have affected more than 130 organizations and allowed for widespread enterprise extortion.

Like the PaperCut vulnerabilities, GoAnywhere’s flaw allowed Cl0p and other threat actors to  execute arbitrary code on breached systems.

Organizations such as the Pension Protection Fund and Rubrik were hit by data breaches as a result of the flaw.

Microsoft Threat Intelligence moved to a new taxonomy for threat actors on April 18 using the nomenclature of weather events.

Nation states prominent for sponsoring threat actors have all been assigned their own weather events such as ‘Blizzard’ for Russia or ‘Sleet’ for North Korea. Threat groups under these banners are assigned unique prefixes so they are individually identifiable.

What are the PaperCut server attacks?

Cyber security firm Trend Micro notified PaperCut about two flaws present in PaperCut MF and NG version 22.0.5, and the firm released patches to prevent them from being exploited on customer servers.

The first, tracked as CVE-2023-27350 received a CVSS3 rating of 9.8 (critical). It can be used by threat actors to execute code remotely, opening up victims to unchecked malware attacks or data theft.

CVE-2023-27351 can be used to steal user data from servers including payment information, logins, and email addresses.

However, as late as mid-April some enterprises had not updated their printer servers and were still vulnerable.

It was at this stage that the firm announced it had evidence to suggest the vulnerabilities were being exploited in the wild.

“We’ve had reports of customers being late to patch, and as a result their servers have been exposed for a number of weeks,” said Chris Dance, CEO and founder at PaperCut wrote in a blog post.

CVE-2023-27350 has been added to CISA’s list of known exploited vulnerabilities, which requires federal agencies to apply PaperCut’s update by May 12.

The first recorded instance of LockBit targeting Mac users has been revealed in what appears to be a shifting approach by the infamous ransomware gang. 

Researchers at MalwareHunterTeam uncovered a ZIP archive on VirusTotal that was found to contain encryptors for devices running macOS. 

MalwareHunterTeam revealed the discovery in a series of tweets at the weekend, highlighting encryptors named ‘locker_Apple_M1_64’ alongside lockers for Linux and ARM. 

 This particular encryptor was found to target new versions of Mac devices currently running Apple Silicon. 

The VirusTotal archive examined by researchers was also found to contain encryptors for CPUs used on older Mac devices. 

In a blog post dissecting the discovery, security researcher Patrick Wardle said that the novel malware marks the first instance of a ransomware group developing a payload for Apple products. 

Following a period of initial scrutiny and skepticism, vx-underground, which compiles malware source code and samples, tweeted that the LockBit macOS ransomware “is real” and that the gang had confirmed development of the strain. 

The discovery highlights a potential shift in approach by LockBit, which has typically targeted Windows and Linux-based devices. 

LockBit has been among the most prolific ransomware gangs to ever exist, and was most recently responsible for the attack on Royal Mail which caused significant service disruption. 

It has also been the most prolific groups in terms of number of successful attacks for years now, but was overtaken in March by Cl0p following the GoAnywhere MFT breaches.

Although researchers highlighted that the disclosure of this macOS encryptor should be a cause for concern, at present there is little to no risk of users being compromised. 

“While yes it can indeed run on Apple Silicon, that is basically the extent of its impact,” Wardle wrote in his blog post. “Thus macOS users have nothing to worry about…for now.”

Wardle suggested that the strain is “far from ready for prime time”, noting that the strain is “rather buggy” and contains notable flaws that will cause it to prematurely exit when run on macOS. 

“From its lack of a valid code-signing signature to its ignorance of TCC and other macOS file-system protections, as it stands it poses no threat to macOS users,” he wrote.

The macOS variant of LockBit’s ransomware payload was also dated 17 November 2022, meaning the discovery has taken some time to unearth. 

LockBit confirmed to BleepingComputer that the strain is under active development.

Due to many organisations preferring Windows-based computers for their workforce rather than Macs or even Linux-based machines, ransomware groups have usually developed their payloads that could affect the widest pool of targets. 

LockBit’s is not the first ransomware program to be written for macOS, but such strains are certainly less common than those that target Windows. 

Regardless, Apple has been “fairly proactive” when it comes to securing its computers against ransomware, Wardle said. 

Implementing measures such as system integrity protection (SIP) and read-only system volumes offer protections that mean even if a Mac was infected with a ransomware payload, it would be difficult for it to affect OS-level files as a result.

Apple has also introduced transparency, consent, and control (TCC) protections too, which means files in protected locations either require the user’s manual approval or a vulnerability exploit in order to affect, Wardle said.

The development of LockBit’s macOS ransomware strain may still be in its infancy and riddled with bugs, but the industry will be alarmed by the discovery given the group’s standing in the cyber criminal space, perhaps indicating a new trend in ransomware.

OpenAI has unveiled a new bug bounty program offering rewards for security researchers if they can uncover vulnerabilities in its products. 

In an announcement on Tuesday, the California-based AI firm said the bug bounty scheme is “essential to our commitment to develop safe and advanced AI” and deliver services that are secure, reliable, and trustworthy. 

As part of the initiative, OpenAI said it will offer a tiered reward system based on the severity of bugs uncovered by researchers. 

Rewards can range from as little as $200 for low-severity flaws with a maximum reward of $20,000 for “exceptional discoveries”. 

“The OpenAI Bug Bounty Program is a way for us to recognize and reward the valuable insights of security researchers who contribute to keeping our technology and company secure,” the firm said in a statement. 

“We invite you to report vulnerabilities, bugs, or security flaws you discover in our systems. By sharing your findings, you will play a crucial role in making our technology safer for everyone.”

Researchers participating in the new initiative will be able to disclose vulnerabilities or flaws through a partner organisation, Bugcrowd.

Bugcrowd will manage the submission and reward process, which OpenAI said is designed to “ensure a streamlined experience for all participants”. 

ChatGPT vulnerability concerns

The move from OpenAI follows a period of unrest over security-related issues at the generative AI firm, which has close ties with Microsoft. 

Last month, the company revealed that a bug in ChatGPT led to a leak of users' data.

This flaw meant that ChatGPT Plus users began seeing user email addresses, subscriber names, payment addresses, and limited credit card information. 

The issue prompted the company to temporarily take the chatbot offline to work on a fix. 

“The bug was discovered in the Redis client open-source library, redis-py,” OpenAI explained in a post at the time. 

“As soon as we identified the bug, we reached out to the Redis maintainers with a patch to resolve the issue.”