Tenable Blog

Crucial for applying Active Directory Group Policy Objects, client-side extensions (CSEs) are powerful but also present a significant, often overlooked, attack vector for persistent backdoors. Rather than cover well-documented common abuses of built-in CSEs, this article demonstrates how to create custom malicious ones. These are harder for defenders to identify than legitimate built-in CSEs used in malicious contexts, which have known globally unique identifiers.

Group Policy Objects (GPOs), a core feature of Active Directory (AD), allow administrators to centrally manage and configure operating systems, applications and user settings across all computers in a domain by configuring a set of rules and configurations.
 

(Source: Microsoft)

It is well-known that attackers with sufficient AD access can abuse GPOs for malicious actions like code execution, malware deployment, immediate scheduled tasks, privilege escalation, and stealthy persistence establishment; these techniques are generally well-documented.

Each GPO comprises two main parts:

• The groupPolicyContainer object (GPC) in AD’s LDAP, holding metadata such as display names and CSE lists
• The Group Policy Template (GPT) in AD’s SYSVOL share, containing the actual policy files and scripts

Have you ever wondered how the settings defined in a GPO actually get applied on a client computer? The magic behind this process lies in the CSEs.

CSEs are critical components that enable GPOs to apply specific settings such as software installation, registry edits, folder redirection, scheduled tasks, or Internet / power options and more to client machines.

While Group Policy defines and distributes configuration policies across the network, it’s the CSE on the client side that interprets and enforces these policies. Each CSE is essentially a dynamic link library (DLL) file on the client Windows machine responsible for processing a particular type of Group Policy setting. When a computer processes GPOs, its Group Policy engine reads the policies and invokes the relevant CSEs to effectively apply the settings.

The successful application of settings from a specific Group Policy area relies on the correct handling of CSEs. Even if a GPO is properly linked and the user/machine is included in the security filter, the settings it contains may fail to apply under two key conditions related to CSEs:

• The CSE is not installed and registered on the client machine.
• The CSE's GUID is not listed in the GPO's attributes.

Therefore, both the local CSE availability and its correct reference within the GPO’s attributes are mandatory.

Every CSE is uniquely identified by a Globally Unique Identifier (GUID). This GUID acts as the registration key and the link between the policy settings defined in the GPO and the processing logic (the DLL) on the client.

While official Microsoft documentation mentions some CSEs, the list is incomplete. A more complete list can be found online. Also, the following PowerShell command can be executed on your machine to list them:

CSEs are registered in the registry under the following path: 
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
 

On the left, under the GPExtensions key, you will find multiple subkeys, each named with the GUID of a specific CSE. The settings of each of them are defined on the right.

Here are some important settings to be aware of: 

• (Default): This is the name of the CSE.
• DllName: This the DLL corresponding to the CSE to be loaded by the GPO engine. The system searches for the DLL in the C:\Windows\System32 directory when a relative path is used. Alternatively, the full path to the DLL can be directly specified.
• NoGPOListChanges: If this value is 1, it indicates that it is not necessary to call the callback function (ProcessGroupPolicy) when there has been no change in the GPO.
• ProcessGroupPolicy: This is the name of the function exported by the library to be called by the GPO engine to apply the CSE settings.

For detailed information on other functionalities, please consult the official Microsoft documentation on Creating a Policy Callback Function.

When you configure settings within a specific GPO using the Group Policy Management Editor, the tool records which types of settings you've configured and the necessary CSEs. It does this by storing the GUIDs of these CSEs within attributes of the GPC object in AD.

Specifically, you need to look at these two attributes on the GPC object:

• gPCMachineExtensionNames: This attribute lists the GUIDs of the CSEs required to process settings configured in the Computer Configuration section of the GPO.
• gPCUserExtensionNames: This does the same for user configuration.

The expected format is the concatenation of the GUIDs: 
[<CSE GUID1><TOOL GUID1>][<CSE GUID2><TOOL GUID2>] etc.
 

For example, if we analyze the gPCMachineExtensionNames attribute of the “Default Domain Policy” shown above, we can see that the first part of each GUID-pair in the screenshot above can be identified as a CSE:

• 35378EAC-683F-11D2-A89A-00C04FBBCFA2: Registry/Administrative Template
• 827D319E-6EAC-11D2-A4EA-00C04F79F83A: Security
• B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A: EFS

Note: CSE GUIDs within Group Policy attributes, such as gPCMachineExtensionNames, must be sorted in case-insensitive ascending order. If this order is not maintained, CSEs risk being ignored during Group Policy processing.

The first GUID relates to the CSE function, and the second GUID in the pair is not important for today. For deeper GPO auditing insights, see Aurélien Bordes' 2019 SSTIC paper.

Articles discussing the malicious use of CSEs in AD often highlight two themes: the potential for red teams to abuse specific well-known CSEs, and the corresponding need for blue teams to track their execution. For instance:

• Scheduled Tasks {AADCED64-746C-4633-A97C-D61349046527}:
  • “GPOddity: exploiting Active Directory GPOs through NTLM relaying, and more!”, Synacktiv (Quentin Roland)
  • “Abusing GPO Permissions”, harmj0y (Will Schroeder)
• Files {7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}:
  • “Weaponizing Group Policy Objects Access”, TrustedSec (Jason Lang)
• Various CSEs:
  • “A Red Teamer’s Guide to GPOs and OUs”, wald0 (Andy Robbins)

Surprisingly, public methods or articles explaining how to abuse custom CSEs for this persistence method seem absent, especially given that Microsoft explains the CSE creation process itself. This obscurity is valuable to an attacker, offering inherent discretion through an unknown CSE GUID, plus the benefit of SYSTEM code execution capability.

Let's proceed by creating a custom CSE to explore different ways attackers might leverage it for malicious purposes.

We will use Visual Studio to create a custom CSE DLL with the friendly name “Group Policy Shell Configuration” and filename advshcore.dll (using base advshcore to appear inconspicuous in the System32 Windows folder). Create a new DLL project, name it “RogueCSE,” and click “Create” to begin.

In your project, create advshcore.def and add this content:

In dllmain.cpp, now add the necessary includes, defines, and variables functions:

Implement the DllMain function as follows:

Next, two helper functions are created. The first, a simple logger, proves privileged SYSTEM code execution by writing to a file. Though this example is benign, attackers could substitute malicious code, such as for a reverse shell, C2 agent, or NTDS.dit exfiltration to a public share.

Next, a function logs the execution context:

We will now follow Microsoft's guidance for custom CSEs, implementing only the exported ProcessGroupPolicy function with minimal content for our test.

And that’s it, we have all the minimum requirements for our own CSE.

An extension can be registered here either manually or automatically:

• Manually: You can do this by creating all the required items, as we explained previously in the section “What do CSEs look like on a client machine?”
• Automatically: As described by Microsoft in the CSE documentation (and also in the Component Object Model -COM- documentation), the “DllRegisterServer” function can be implemented to allow self-registration using regsvr32.

The automatic method requires “DllRegisterServer” and “DllUnregisterServer” to manage the following registry keys:

• The key associated with our GUID under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.
• (Default): “Group Policy Shell Configuration”.
• DllName: “advshcore.dll”.
• NoGPOListChanges: “0” to call the ProcessGroupPolicy function every time, even if there is no change in the GPO.
• ProcessGroupPolicy: We kept the suggested name here.

The Solution Explorer should now show the project like this:

Before building, change the Visual Studio solution configuration to Release (x64) from its Debug (x64) default using the toolbar's dropdown menu. Then:

1. Open the RogueCSE project properties (Right-click > Properties).
2. Verify that Configuration is Release and Platform is x64.
3. Under Configuration Properties > General:
   1. Set Target Name to “advshcore”.
4. Under Configuration Properties > C/C++ > Code Generation:
   1. Change Runtime Library to Multi-threaded (/MT).
5. Under Configuration Properties > Linker > Input:
   1. Enter “advshcore.def” for Module Definition File.
6. Click “Apply” and then “OK” to save these project settings.
7. Finally, build the solution by selecting Build > Build Solution from the main menu bar. Your custom DLL (“advshcore.dll”) is now ready to be registered as a new CSE.

Recall that this technique represents a novel persistence method, effectively creating a backdoor in the domain on targeted workstations and servers. For this example scenario, assume an attacker gains sufficient privileges (e.g., Domain Admins) to access and operate on a domain controller.

On the compromised domain controller, the attacker would then perform these steps:

1. Copy the previously created DLL file (“advshcore.dll”) to the C:\Windows\System32 folder.
2. Register the DLL by executing the following command:

A confirmation will be displayed indicating that the DLL registration succeeded.
 

You can verify in the registry that the custom CSE has been registered correctly.
 

As explained at the beginning of this article, a GPO only loads CSEs whose GUIDs are listed in its gPCMachineExtensionNames or gPCUserExtensionNames attributes. Therefore, to enable our custom CSE, we must now add its GUID to the gPCMachineExtensionNames attribute of the target GPO.

We can use the following PowerShell code to perform this update:

Next, either wait for the Group Policy refresh cycle, which typically takes about five minutes on domain controllers, or trigger an immediate update by running gpupdate /force on the test domain controller.

After the policy refresh, verify that the C:\RogueCSE.log file has been created with content like:
 

Note that the custom code within the CSE DLL runs in the Group Policy Client service context (GPSVC) and with highly privileged SYSTEM permissions.

Observing the log file over time confirms that the custom CSE code executes during each Group Policy refresh cycle. On the domain controller, this refresh occurs at the short interval mentioned earlier of around 5 minutes. This persistence method also works on member machines, although their default refresh interval is significantly longer – approximately 90 minutes, plus a random offset.

In summary, a custom CSE, advshcore.dll, was successfully deployed to a DC, demonstrating basic logging. This served as a proof-of-concept but also highlighted significant abuse potential. Adversaries could exploit Group Policy infrastructure for stealthy communication channels or persistent backdoors. Leveraging native OS features instead of external malicious tools makes this technique difficult to detect through forensic analysis or threat identification. This underscores the vital need for vigilant monitoring and strict security controls for GPOs and CSEs in AD environments.

With the fundamental steps covered, let's consider broader application. An attacker with domain privileges (e.g., Domain Admin) could propagate this CSE-based persistence across the network.

To distribute the payload, the attacker might place the DLL in an inconspicuous SYSVOL location like \\SYSVOL\<domain_name>\scripts\SecurityProviders, making it domain-accessible. We will now explore various approaches, analyzing their strengths and weaknesses.

To ensure reliable deployment, especially for intermittently connected endpoints, attackers might use Files Group Policy Preference to copy the custom CSE DLL locally, allowing its registry path to point to this local file. A GPO, often using a startup script, can then register this local CSE. Its gPCMachineExtensionNames attribute must also be updated with the GUIDs of any required built-in CSEs and the custom one.

Although robust, this deployment method increases detectability due to significant GPO changes and the typical use of known CSEs for payload delivery, a pattern often monitored. Detecting such activity can involve Windows Event Log analysis, including:

• Security Event ID 5145: Monitor this event to detect write access to the SYSVOL share. This can identify when the malicious DLL is written, or when files related to Group Policy settings for Files Preferences, Scheduled Tasks, or Startup Scripts are created or modified within SYSVOL.
  
   

   

• Security Event ID 4688 “A new process has been created”: Monitor this event, specifically its "Process Command Line" field, to detect specific types of process execution. This can identify when a startup script is run or a process is launched by an immediate scheduled task.

• Task Scheduler Operational Event ID 201: Monitor this event to identify the specifics of completed scheduled tasks. This can reveal the task name (e.g., "Test2") and the action it performed (e.g., running ‘cmd.exe’).
   

• gPCMachineExtensionNames attribute: Finally, monitor this critical attribute for unauthorized changes. These can be found via LDAP queries or Security Event ID 5136,which logs directory object modifications.
   

Note: The discussed large-scale deployment methods using common Group Policy features (Files GPP, Scripts, Scheduled Tasks) often trigger blue team alerts.

Alternatively, a custom CSE DLL can be hosted on a network share, instead of being copied locally, and loaded via its registered network path. For our straightforward example, SYSVOL will serve as this share, and the DLL's registered path will point there.
 

PowerShell cmdlets like New-ItemProperty offer an alternative to regsvr32.exe for CSE DLL registration, potentially bypassing common monitoring of regsvr32 (documented by the MITRE ATT&CK T1218.010). This remote-scriptable method lacks GPO-based persistence – the backdoor won't be reapplied by GPO if altered – but offers stealth: a GPO attribute having only a custom GUID might bypass certain defenses.

GUID hijacking is another stealthy approach: attackers redirect an unused legitimate CSE's registered DLL path to a malicious one. Adding this compromised but valid-looking GUID to a GPO can bypass defenses that only check GUIDs, not DLL paths.

These examples show custom malicious CSEs' covert potential.

Abusing custom CSEs can create stealthy backdoors into AD environments. Attackers can deploy custom DLLs and register them as CSEs, and then manipulate GPOs to load these malicious extensions. This technique leverages trusted Windows components, making it difficult to detect using standard security measures.

Traditional detections often focus on famously abused CSEs, such as those for Scheduled Tasks or Startup Scripts. However, registering and deploying a custom CSE can be achieved without these easily identifiable actions, bypassing common alerts. Techniques like hosting the DLL on a network share and directly modifying the registry can further reduce detectability, though these methods might trade off reliability. Alternatively, hijacking an unused built-in CSE GUID and altering its DLL path can be a particularly evasive strategy.

While the initial registration of a custom CSE can be detected, once the backdoor is configured within a GPO, identifying it becomes challenging. The CSE code runs with SYSTEM privileges during each Group Policy refresh cycle, offering persistent and potentially long-term control to an attacker. This highlights the importance of rigorously monitoring CSE registrations and GPO modifications, as well as examining event logs for unexpected activity related to Group Policy Client Service (GPSVC) and changes in the gPCMachineExtensionNames attribute. Regularly checking for custom CSEs as Tenable Identity Exposure does through the GPO Execution Sanity Indicator of Exposure is essential for securing Active Directory environments.
 

Frequently asked questions about “BadSuccessor,” a zero-day privilege escalation vulnerability in Active Directory domains with at least one Windows Server 2025 domain controller.

Tenable’s Research Special Operations (RSO) and the Identity Content team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a newly disclosed zero-day in Active Directory called BadSuccessor.

What is BadSuccessor?

BadSuccessor is the name of a zero-day privilege escalation vulnerability in Active Directory that was discovered and disclosed by Yuval Gordon, a security researcher at Akamai.

According to Gordon, the flaw exists in delegated Managed Service Accounts (dMSAs), a service account type in Active Directory (AD) that was introduced in Windows Server 2025 to enable the migration of non-managed service accounts.

What are the vulnerabilities associated with BadSuccessor?

As of June 2, Microsoft had not assigned a CVE identifier for BadSuccessor. Microsoft is the CVE Numbering Authority (CNA) for its products. Since there are currently no patches available for BadSuccessor, no CVE has been assigned. If Microsoft does assign a CVE alongside patches for it, we will update this blog accordingly.

How is BadSuccessor exploited?

To exploit BadSuccessor, an attacker needs to be able to access a user account with specific permissions in AD, and at least one domain controller in the domain needs to be running Windows Server 2025.

Based on Akamai’s research, even if an AD domain is not using dMSAs, nor operates at the 2025 functional level, all that is required is that a targeted user has either the permission to:

• Create a new dMSA (msDS-DelegatedManagedServiceAccount object class) in any container or organizational unit (OU)
• Abuse an existing dMSA by modifying its msDS-ManagedAccountPrecededByLink attribute

When was BadSuccessor first disclosed?

On May 21, Akamai published a blog post about BadSuccessor, which included a detailed overview of the flaw, as well as detection and mitigation guidance.

How severe is BadSuccessor?

BadSuccessor has the potential to be very severe, as exploitation could allow an attacker to achieve full domain, and then forest, compromise in an Active Directory environment. However, one mitigating factor is that it only affects domains with at least one Windows Server 2025 domain controller.

How prevalent are AD domains with at least one Windows Server 2025 domain controller?

Based on a subset of Tenable’s telemetry data, we found just 0.7% of AD domains have at least one Windows Server 2025 domain controller. This appears to be lower than other statistics we’ve seen reported.

Was BadSuccessor exploited as a zero-day?

As of June 2, there have been no indications that BadSuccessor has been exploited in the wild.

Why is it called BadSuccessor?

According to Gordon, the name “BadSuccessor” is tied to the fact that the user account (or dMSA) becomes the nefarious “successor” by inheriting the elevated privileges of another identity in the AD environment.

6/ We named this attack BadSuccessor, because that's exactly what the dMSA becomes - the unintended heir to a high-privilege identity.
A successor, with all the right keys.

— Yuval Gordon (@YuG0rd) May 21, 2025

Is there a proof-of-concept (PoC) available for BadSuccessor?

Yes, there are several proofs-of-concept (PoCs) for BadSuccessor available on GitHub, including a.NET implementation called SharpSuccessor. It is also available in NetExec, the successor to the infamous CrackMapExec hack tool. It was also added to BloodyAD, the Active Directory privilege escalation framework.

Are patches or mitigations available for BadSuccessor?

As of June 2, there were no patches available for BadSuccessor. However, in the Akamai blog post from May 21, Microsoft indicated they would “fix this issue in the future.” If and when a patch becomes available, we will update this section.

Akamai’s blog post includes details on detecting BadSuccessor as well as mitigation suggestions.

Has Tenable released any product coverage for these vulnerabilities?

While Microsoft has not yet released patches for BadSuccessor, Tenable Identity Exposure customers can utilize our recently released (v3.95) Indicator of Exposure (IoE) for BadSuccessor.

Once Microsoft assigns a CVE and releases patches, we will update this section with additional Tenable coverage.

• BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable’s chief security officer Robert Huber looks at how exposure management can help you move beyond silos. You can read the entire Exposure Management Academy series here.

The way we use technology — in IT, cloud security, operational technology (OT), internet of things (IoT), AI and countless applications — has led to a corresponding array of specialized security tools. Think about all the tools you use: vulnerability assessment, identity security, endpoint detection and response (EDR), data loss prevention (DLP), cloud native application protection platforms (CNAPP), mail protection, cloud access security broker (CASB), mobile device management (MDM) and privilege access management (PAM). 

That’s a lot of tools — and a lot of silos. But it doesn’t end there. Each of those tools has a subset of capabilities that can result in even more silos across your security program. Of course, all of this reflects the issues we face and the way our organizations are structured. But, sadly, attackers don’t care about our org charts or toolsets. And thank goodness they haven’t figured out how to use pivot tables yet!

They just look for weaknesses, exploit them and move laterally across domains to achieve their goals. In fact, those silos we’ve built can inadvertently help them by hindering communication and context between teams, making it difficult to see our true exposures — or the risks that pose a real threat.

As a security leader myself, I know this pain firsthand. 

Before adopting a more unified approach, I constantly felt like I was buried in fragmented data from countless tools and teams. 

Much of my day was lost to context-switching, trying to manually piece together a coherent picture from disconnected silos. This makes communicating clear priorities incredibly difficult. 

You often can't compare apples-to-apples, leading to subjective decisions about which risk truly matters most. It’s an exhausting, inefficient cycle that makes it hard to confidently answer a key question: "What should we focus on right now?" It also makes it tough to report accurately on our risk posture.

This struggle highlights why distinguishing significant exposures from the background noise of all possible weaknesses is so critical for effective risk management. If you want to reduce your risk, you need to identify the problems that truly matter most to your organization. Key questions to ask yourself as you evaluate your organization’s exposures include:

• Is it preventable? Most breaches start with something that could have been fixed, such as a misconfiguration, a known vulnerability or unnecessary privileges.
• Is it exploitable? An attacker needs a way to actually use the weakness. This could be via a known exploit code, weak passwords or multi-factor authentication (MFA) identity compromise.
• Is it impactful? A weakness that results in lost revenue, data theft or operational downtime could significantly harm the organization's mission. Linking technical risk to potential business impact is key.

Too often, we approach security in fragments, unlike attackers who look for any viable path. This leaves us struggling to be strategic. Some of the common roadblocks include:

• Lack of a unified view: Different tools focus on specific domains or risk types, so no single platform provides a complete view of the attack surface.
• Inconsistent risk scoring: Each tool uses its own metrics, which makes it hard to compare relative risk across the environment or understand the cumulative risk associated with critical assets.
• Missing technical context: If you don’t connect the dots between assets, identities and their associated risks, it's impossible to understand the likely attack paths available to adversaries.
• Missing business context: Security data often lacks information about which assets support critical business functions, hindering the ability to prioritize based on potential business impact.

Historically, a significant portion of our security investments focused on detecting and responding to attacks already in progress. This makes sense because it’s where breaches cause obvious damage.

But regulations and best practices are changing. Rules from the U.S. Securities and Exchange Commission (SEC) (requiring reporting of material impact within four days for public companies) and the Cybersecurity and Infrastructure Security Agency (CISA) (requiring reporting of “substantial cyber incidents” within three days for critical infrastructure) mandate much faster transparency and accountability. The timeframe for understanding and disclosing significant incidents is shrinking dramatically.

This pressure, combined with the high cost of breaches, increases the strategic importance of finding and fixing significant exposures before they lead to reportable incidents and material impact. Investing proactively in understanding and reducing exposure is often far less costly and disruptive than managing the fallout of a major breach. Reduce risk and increase security ROI.

Understanding how breaches happen and the limitations of siloed security points to the need for a more integrated, exposure-focused strategy. This isn't about abandoning detection and response capabilities. On the contrary, it’s about augmenting those capabilities by strengthening preventative security to better understand and prioritize risks before they cause harm.

Solving this requires a structured approach. As my colleague Nathan Dyer wrote in Five Steps to Move to Exposure Management, the core principles involve:

• Gaining comprehensive visibility across the entire attack surface, including assets and identities
• Identifying all forms of preventable risk, such as vulnerabilities, misconfigurations and privilege issues with consistent, contextualized scoring
• Critically aligning technical risk with business context to understand potential impact and prioritizing remediation on the exposures and attack paths, including key choke points, that pose the greatest threat to critical functions
• Continuously measuring and communicating exposure to optimize security investments and report effectively to stakeholders, including the board

Exposure management platforms support this lifecycle, providing capabilities to aggregate disparate data, calculate risk scores (like asset exposure scores, vulnerability priority rating, asset criticality rating) that incorporate exploitability and criticality, map assets to business functions, visualize attack paths, identify choke points for efficient remediation, and provide dashboards for tracking and reporting exposure trends against internal goals or industry benchmarks.

Ultimately, by breaking down data silos and adopting an exposure management mindset, security leaders can gain a more holistic view of their attack surface and true business risk. This enables better resource allocation, more defensible prioritization, clearer communication about security posture and, ultimately, a more effective preventative security program aligned with organizational objectives.

Here’s my advice to security leaders fighting silos and looking to move to exposure management.

• Think like an attacker: Adversaries exploit seams between siloed views. Security strategy must strive for a unified understanding of the attack surface.
• Focus on material exposure: Prioritize risks that are preventable, exploitable and demonstrably impactful to critical business functions, not just technically severe in isolation.
• Drive strategic outcomes: Implementing an exposure management approach enables more effective resource allocation, clearer communication of risk posture to stakeholders (including the board) and ultimately, a more defensible and efficient security program.

We’re all ears. Share your question and maybe we’ll feature it in a future post.

Check out ETSI’s new global standard for securing AI systems and models. Plus, learn how CISOs and their teams add significant value to orgs’ major initiatives. In addition, discover what webinar attendees told Tenable about their cloud security challenges. And get the latest on properly decommissioning tech products; a cyber threat targeting law firms; and more!

Dive into six things that are top of mind for the week ending May 30.

What is the proper way to secure your artificial intelligence models and systems? Are you confused by all the different AI security recommendations and guidance? The European Telecommunications Standards Institute (ETSI) is trying to bring clarity to this issue.

ETSI, in collaboration with the U.K. National Cyber Security Center (NCSC) and the U.K. Department for Science, Innovation & Technology (DSIT), has published a global standard for AI security designed to cover the full lifecycle of an AI system.

Aimed at developers, vendors, operators, integrators, buyers and other AI stakeholders, ETSI’s “Securing Artificial Intelligence (SAI); Baseline Cyber Security Requirements for AI Models and Systems” technical specification outlines a set of foundational security principles for an AI system’s entire lifecycle.

Here's an overview of the five stages of an AI system and the 13 security principles that must be adopted:

• Secure design stage
  • Raise awareness about AI security threats and risks.
  • Design the AI system not only for security but also for functionality and performance.
  • Evaluate the threats and manage the risks to the AI system.
  • Make it possible for humans to oversee AI systems.
• Secure development stage
  • Identify, track and protect the assets.
  • Secure the infrastructure.
  • Secure the supply chain.
  • Document data, models and prompts.
  • Conduct appropriate testing and evaluation.
• Secure deployment stage
  • Communication and processes associated with end-user and affected entities.
• Secure maintenance stage
  • Maintain regular security updates, patches and mitigations.
  • Monitor system behavior.
• Secure end-of-life stage
  • Ensure proper data and model disposal.
     

Each one of the 13 security principles is further broken down into multiple provisions that detail more granular requirements. 

For example, in the secure maintenance stage, ETSI calls for developers to test and evaluate major AI system updates as they would a new version of an AI model. Also in this stage, system operators need to analyze system and user logs to detect security issues such as anomalies and breaches.

The 73-page companion technical report, “Securing Artificial Intelligence (SAI): Guide to Cyber Security for AI Models and Systems,” offers significantly more technical detail about each provision. 

Together the technical specification and the technical report “provide stakeholders in the AI supply chain with a robust set of baseline security requirements that help protect AI systems from evolving cyber threats,” reads an NCSC blog.

For more information about AI security, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Tenable Cloud AI Risk Report 2025” (report)
• “Who's Afraid of AI Risk in Cloud Environments?” (blog)
• “Tenable Cloud AI Risk Report 2025: Helping You Build More Secure AI Models in the Cloud” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

Cybersecurity teams’ involvement in large-scale organizational initiatives yields significant monetary benefits – especially if CISOs are incorporated early into these efforts.

That’s a key finding from Ernst & Young’s “2025 EY Global Cybersecurity Leadership Insights Study,” which surveyed 550 C-suite and cybersecurity leaders globally from organizations with more than $1 billion in annual revenue.

Specifically, the study found that cybersecurity teams contribute a median of $36 million to every enterprise-wide initiative they’re involved in. That’s equivalent to between 11% and 20% of the value of each project.

“CISOs who are involved early in cross-function decision-making generate more value than those who were consulted late or not at all,” the report reads. 

“CEOs, CFOs and boards should take steps to more meaningfully integrate cybersecurity into transformations and other strategic initiatives,” it adds.
 

The finding points to how CISOs and their cybersecurity teams are expanding their scope from managing security, risk and compliance to becoming “key enablers of business growth.”

Unfortunately, over the past two years, cybersecurity budgets have shrunk as a percentage of annual revenue, and only 13% of surveyed CISOs said they get looped in early into critical business decisions.

Using a framework, the report concluded that cybersecurity adds considerable value to these six key types of initiatives:

• Adopting and building technology
• Strengthening brand trust and reputation
• Improving customer experience
• Transforming and innovating across the business
• Expanding to new markets
• Developing new products and services

For more information about how CISOs and their cyber teams add value to business ventures:

• “Better metrics can show how cybersecurity drives business success” (CSO)
• “Build CISO Strategic Impact and Visibility” (IANS Research)
• “Nearly half of CISOs now report to CEOs, showing their rising influence” (Help Net Security)
• “CISOs embrace rise in prominence — with broader business authority” (CSO)
• “How leading CISOs build business-critical cyber cultures” (CIO)

During our recent webinar “Confident in the Cloud: How to Overcome Complexity and Get AWS Security Right,” we asked attendees about their cloud security practices and challenges. Check out what they said.

(137 webinar attendees polled by Tenable, May 2025)

(60 webinar attendees polled by Tenable, May 2025)

Interested in learning about proven best practices for how to control and secure your AWS environment? Watch this webinar on-demand!

It’s important to properly dispose of software and hardware products after removing them from your IT environment.

To help organizations with this process, the U.K. National Cyber Security Centre (NCSC) has published guidance on how to securely retire obsolete technical wares.

“Decommissioning can be highly expensive and complex, with potentially severe repercussions if not executed properly,” the NCSC document reads. “Outdated or unsupported assets can pose an unacceptable risk to the organisation.”
 

For example, an improperly decommissioned IT product could allow unauthorized people to access confidential data and could be used to breach services and devices.

The NCSC guidance, titled “Decommissioning assets,” addresses topics including:

• How to plan the decommissioning process
• How to carry out the decommissioning of obsolete assets
• What to do after the decommissioning process is completed

For more information about properly disposing of obsolete hardware and software:

• “How to Decommission IT Hardware” (Techbuyer)
• “Why end-of-life IT is ruining innovation and how to fix it” (OliverWyman)
• “Cybersecurity guidance: Obsolete products (Canadian Centre for Cyber Security)
• “The Top 5 Risks of Using Obsolete and Unsupported Software” (IT Convergence)
• “Managing the risks of legacy IT” (Australian Cyber Security Centre)

Hacker group Silent Ransom is targeting law firms via phishing calls and emails aimed at tricking employees into granting it remote access to their computers. Once they gain remote access, the attackers steal confidential data and use it to extort the victims.

So said the U.S. Federal Bureau of Investigation (FBI) in an alert titled “Silent Ransom Group Targeting Law Firms.”

Silent Ransom, also known as Luna Moth, Chatty Spider and UNC3753, employs two different schemes:

• It emails its targets offering fake, inexpensive subscriptions, and when victims request that the subscription be cancelled, the attackers email them a link that downloads remote access software on their computers.
• A Silent Ransom attacker calls a law firm employee and, pretending to be a member of the IT department, asks the victim to join a remote access session.

Detecting a Silent Ransom attack is difficult. Its hackers don’t leave behind traditional attack indicators because they use legitimate remote-access and systems-management tools. Thus, to spot a Silent Ransom breach, the FBI recommends looking for:

• New, unauthorized downloads of systems-management and remote-access tools
• A WinSCP or Rclone connection made to an external IP address
• Anonymous emails or calls claiming data was stolen
• Emails regarding how to cancel a subscription service
• Unsolicited calls from individuals claiming to work in the law firm’s IT department

To mitigate the threat, FBI recommendations include:

• Train staff on recognizing and resisting phishing attempts.
• Establish and relay policies for when and how your law firm’s IT department will reach out to employees and prove their identities.
• Regularly back up company data.
• Adopt multi-factor authentication for all employees.

For more information about remote access attacks:

• “12 remote access security risks and how to prevent them” (TechTarget)
• “Guide to Securing Remote Access Software” (CISA)
• “Remote-access tools the intrusion point to blame for most ransomware attacks“ (Cybersecurity Dive)
• “Avoiding Ratting – Remote Access Trojans” (Get Safe Online)
• “RDP and Other Remote Login Attacks” (Ransomware.org)

The Center for Internet Security has updated its CIS Benchmarks for Kubernetes, Azure Kubernetes Service and Microsoft Intune, and has released a new CIS Benchmark for Red Hat Enterprise Linux Security Technical Implementation Guide (STIG).

These are the CIS Benchmarks updated in April:

• CIS Azure Kubernetes Service (AKS) Benchmark v1.7.0
• CIS Kubernetes Benchmark v1.11.1
• CIS Microsoft Intune for Windows 10 Benchmark v4.0.0
• CIS Microsoft Intune for Windows 11 Benchmark v4.0.0

Meanwhile, the brand new Benchmark is CIS Red Hat Enterprise Linux 9 STIG Benchmark v1.0.0.
 

Organizations can use the CIS Benchmarks’ secure-configuration guidelines to harden products against attacks. Currently, there are more than 100 Benchmarks for 25-plus vendor product families in categories including: 

• cloud platforms
• databases
• desktop and server software
• mobile devices
• operating systems

To get more details, read the CIS blog “CIS Benchmarks May 2025 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

• “How to use CIS benchmarks to improve public cloud security” (TechTarget)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “CIS Benchmarks Communities: Where configurations meet consensus” (HelpNet Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

CIS Benchmarks

The acquisition of Apex Security adds a powerful new layer of visibility, context and control to the Tenable One Exposure Management Platform to govern usage, enforce policy and control exposure across both the AI that organizations use and the AI they build.

Over the past 25 years, we’ve seen the attack surface shift dramatically — from traditional on-prem environments to cloud, to OT/IOT, and more. But the changes we’re seeing right now with AI feel different. Faster. More disruptive. And, frankly, more unpredictable.

That’s why I’m excited to share that Tenable has signed a definitive agreement to acquire Apex Security, a company we’ve been following for some time. They've built a powerful product that solves real problems in the emerging world of AI risk. Their focus is helping organizations secure both the AI they use and the AI they build — a problem that's becoming more critical every day.

It’s clear we’re in the early stages of a major shift. Developers are integrating large language models into products and internal tools. Employees are using generative tools in everyday workflows. AI is everywhere — but the tools to manage that risk at scale? Not so much.

Last year, we introduced AI Aware to help organizations get visibility into shadow AI. It’s been incredible to see how quickly customers adopted it — more than 6,400 customers in over 100 countries are using it today. But we also heard loud and clear: visibility isn’t enough. Security leaders want to govern usage, enforce policy, and prevent exposures before attackers take advantage. That’s exactly what Apex was built to do.

Their technology adds a powerful layer of visibility, context, and control to what we’re building with Tenable One - our exposure management platform for your entire enterprise. Once the deal closes, we will move quickly to integrate these capabilities into the platform.

This isn’t just about adding another feature — it’s about helping customers take action during a critical window of time. Most organizations haven’t yet experienced a large-scale AI-driven attack. That’s the point. We have a unique opportunity to get ahead of the threat — to define how AI is secured before attackers define it for us.

I’m proud of the team at Tenable for continuing to lead in Exposure Management, and I’m looking forward to welcoming our future teammates from Apex once the deal closes. This is how we stay in front of the attack surface — by seeing where it’s going, and building for it now.

More to come soon.

Meet the elite squad that’s hunting the next major cyberattack. With more than 150 years of combined research experience and expert analysis, the Tenable Research Special Operations team arms organizations with the critical and actionable intelligence necessary to proactively defend the modern attack surface. 

The digital battlefield is constantly shifting. It's no longer enough to just react. We need to anticipate. Massive data breaches leave consumers exposed to identity thieves, ransomware attacks cripple hospitals, and Nation State actors disrupt critical infrastructure. It's not just about vulnerable software anymore. In our hyper-connected world, from the smart devices in your home to the complex systems running our cities, everything is a potential target. 

The explosion of cloud services and AI is accelerating this risk, creating countless new windows for cybercriminals and hostile nations to exploit. From software and hardware vulnerabilities, to misconfigurations, compromised identities, overexposed and highly privileged environments, and publicly accessible databases, the threat landscape is everywhere, all at once. As of October 2024, over 240,000 Common Vulnerabilities and Exposures (CVEs) have been tracked through the MITRE CVE program, including many that have significantly impacted consumers, businesses and governments. The volume has historically been too much for security teams to keep up with. 

Beyond the sheer increase in the volume of traditional vulnerabilities, defenders are faced with an ever-expanding attack surface as enterprises have adopted remote work and new technologies like Generative AI that all contribute to increases in both the number and complexity of exposures that elevate the likelihood of business impacts.

But what if there was a team dedicated to seeing these threats coming, understanding the tactics being used by adversaries, and sending early warning signals for what might come next?

Introducing the Tenable Research Special Operations (RSO) Team – the next milestone in the evolution of the Research teams and capabilities that Tenable brings to bear, and designed to operate at the forefront of the fight.

Since 2018, Tenable’s Security Response Team (SRT) has monitored the cybersecurity landscape, aggregating and assessing insights from hundreds of sources daily to provide unique insights via Cyber Exposure Alerts and related advisory content. In that same year, we formalized our reverse engineering efforts, founding the Zero-Day Research team; that team’s research efforts have resulted in the discovery and disclosure of more than 500 zero-day vulnerabilities since its formation. In 2023, we launched the Decision Science Operations team to provide improved support for decision making through quantitative analysis techniques and the application of appropriate technologies augmenting human intelligence and analysis. 

Today, the RSO team serves as Tenable’s Forward Logistics Element in the threat landscape, providing customers with the analyses and contextualized exposure intelligence required to manage risks to critical business assets. With over 150 years of collective expertise, this hand-picked group of world-class security researchers is united with one mission: to cut through the noise and deliver critical intelligence about the most dangerous cyber threats emerging right now. Uniting the missions of the Tenable Security Response, Zero-Day Research, and Decision Science Operations teams, RSO disseminates timely, accurate, and actionable information about the latest threats and exposures.

• Capability: What are the attackers able to do? What tools, resources, and strategies do they have?
• Opportunity: What weaknesses exist in our systems that attackers can exploit?

By analyzing both sides of this equation, the RSO team can predict potential attacks and pinpoint exactly where the biggest points of exposure reside. This isn't just theoretical; it's about providing real-time, actionable insights that can literally save businesses – and potentially, lives – from devastating cyberattacks.

The RSO team's research goes beyond generic warnings. Not every risk is created equal. We understand that what’s critical for a power grid isn’t the same as what’s critical for a retail chain. Threat context is key to determining risk levels. Our insights are tailored, helping organizations across different industries and regions prioritize the threats that matter most to their specific operations.

• Known and emergent exploits: Covering the vulnerabilities we already track and finding brand new ones before criminals can weaponize them.
• Nation-state and cybercriminal tactics: Uncovering the latest moves from sophisticated hacking groups and foreign governments.
• AI and emerging tech risks: Assessing the hidden dangers in the newest technologies, like advanced AI models (DeepSeek) and cutting-edge coding protocols (Model Context Protocol, Vibe Coding).
• "Old dog, new tricks" exploits: Discovering how hackers are re-purposing old vulnerabilities for devastating new attacks.
• The science of decision-making: Providing data-driven insights to help organizations make smarter security choices.

New and existing analysis and insights from Tenable RSO can be found on the Tenable Blog, the Tenable Research page and the Tenable Connect Community.

• CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
• CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution
• Frequently Asked Questions about Vibe Coding
• MCP Prompt Injection: Not Just For Evil
• Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications
• DeepSeek Deep Dive Part 1: Creating Malware, Including Keyloggers and Ransomware
• Frequently Asked Questions About DeepSeek Large Language Model (LLM)
• Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
• Microsoft Patch Tuesday 2024 Year in Review
• Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. This week, we look back on some highlights from the first couple of months of posts, including the broad view exposure management provides, business impact and getting to a single pane of glass. You can read the entire Exposure Management Academy series here.

Since we started the Exposure Management Academy in March, we’ve covered a range of topics with contributions from many of Tenable’s industry experts. In this post, we look at a few of the highlights, focusing on the work of three Tenable thought leaders: information security engineer Arnie Cabral, CSO Robert Huber and CIO Patricia Grant.

If you’re wondering about exposure management, you should pay attention to Arnie Cabral. He’s on the front lines as we move to exposure management internally. Cabral wrote that Tenable’s shift began with a simple realization.

“We knew that, although it is critical to modern cybersecurity, vulnerability management alone doesn’t provide a complete picture of cyber risk,” he wrote. He added that traditional vulnerability management involves scanning assets for known vulnerabilities and remediating them based on severity scores. 

“However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility and real-time threat intelligence,” he wrote. 

To get going, he reframed existing policies to align with the new approach. This wasn’t just a matter of editing the text, he noted. 

“Instead, we redefined our objectives and transformed our policies to ensure alignment with emerging risk-based exposure management frameworks,” he wrote.

Read all of Arnie’s post: What it Takes to Start the Exposure Management Journey.

With a quarter century in cybersecurity, Robert Huber has the perspective it takes to separate the wheat from the chaff when it comes to risk prioritization.

Robert believes that, in the shift to exposure management, you need to start with the right data. “One of the big struggles for security professionals is context switching,” he wrote. “When you meet with your business leaders to update them, you often have to scramble to pull together inputs from a dozen different tools and teams.” 

He added that data is siloed, often incomplete and nearly impossible to compare. 

He noted that security professionals need to be able to give CEOs and other leaders a clear, coherent picture of the most acute exposures. But they often struggle to obtain an accurate picture.

So, when Tenable started moving to exposure management, Huber ensured that the first step was to assimilate the data. 

“And I mean all of it,” he wrote. “We combed through tools, platforms and teams for every scrap of data.”

He added that, until you bring all that data together, you can’t prioritize. 

Read all of Robert’s post: Turn to Exposure Management to Prioritize Risks Based on Business Impact.

Tenable CIO Patricia Grant has 30 years of experience leading technology transformation initiatives for both employees and customers.

She thinks that securing an enterprise is a responsibility that IT and security share. 

“While the CSO defines the strategy and risk posture, IT plays a critical role in execution — from patching systems and deploying controls to maintaining uptime and interpreting security signals,” she wrote.

As a result, she believes a tight alignment between IT and security is essential. 

“Ultimately, you can’t do exposure management the right way without a strong relationship between the CIO and the CSO,” she wrote. “We’re both accountable and responsible for protecting our employees, customers, partners and the company. And we both bring something essential to the table.”

She added that exposure management helps keep IT and security teams on track — and they gain a unified view across all assets. 

“I’m not a fan of ‘swivel-chair security,’” she wrote. “I don’t want my team jumping between tools trying to figure out what to fix first. Exposure management moves us toward a single pane of glass.” 

According to Patricia, it’s easier to understand what needs to be patched now and what can wait. 

“That kind of visibility is essential when your infrastructure spans everything from data centers and headquarters to home offices and digital nomads working from just about anywhere,” she wrote.

Read all of Patricia’s post: Exposure Management Works When the CIO and CSO Are in Sync

We’re all ears. Share your question and maybe we’ll feature it in a future post.

Check out expert recommendations for protecting your AI system data. Plus, boost your IT department’s cybersecurity skills with a new interactive framework. In addition, learn about a malware campaign targeting critical infrastructure orgs. And get the latest on Russian cyber espionage and on a NIST effort to enhance vulnerability prioritization.

Dive into five things that are top of mind for the week ending May 23.

With organizations gleefully deploying artificial intelligence (AI) tools to enhance their operations, cybersecurity teams face the critical task of securing AI data.

If your organization is looking for guidance on how to protect the data used in AI systems, check out new best practices released this week by cyber agencies from Australia, New Zealand, the U.K. and the U.S.

“This guidance is intended primarily for organizations using AI systems in their operations, with a focus on protecting sensitive, proprietary or mission-critical data,” reads the document titled “AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems.”

“The principles outlined in this information sheet provide a robust foundation for securing AI data and ensuring the reliability and accuracy of AI-driven outcomes,” it adds.
 

By drafting this guidance, the authoring agencies seek to accomplish three goals:

• Create awareness about data security risks involved in developing, testing and deploying AI systems.
• Offer best practices for securing data throughout the AI lifecycle.
• Promote the adoption of strong data-security techniques and of risk-mitigation strategies.

Here’s a small sampling of recommended best practices in the 22-page document:

• Use trusted, reliable data source for training your AI models and adopt provenance-tracking to trace the training-data origins.
• Employ checksums and cryptographic hashes to maintain the AI data’s integrity during storage and transmission.
• Adopt digital signatures to prevent unauthorized third-parties from tampering with the AI data.

For more information about AI data security, check out these Tenable resources:

• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Tenable Cloud AI Risk Report 2025” (report)
• “Who's Afraid of AI Risk in Cloud Environments?” (blog)
• “Tenable Cloud AI Risk Report 2025: Helping You Build More Secure AI Models in the Cloud” (on-demand webinar)
• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)

Security skills must extend beyond an organization’s cyber team and across your IT department – but how?

It’s a question that the Linux Foundation and the Open Source Security Foundation have tried to answer with a new reference framework that maps required cyber skills across 14 IT department roles.

The new “Cybersecurity Skills Framework,” available via an interactive web interface, is meant to be a “starting point” for organizations to then adjust the framework’s guidance based on their specific needs and requirements.

“The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles,” the Linux Foundation and OpenSSF said in a statement.
 

“By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists,” the organizations added.

The required cyber skills are organized into three categories for each IT role: basic, intermediate and advanced. For example, for a web developer the framework lists nine basic cybersecurity skills, seven intermediate ones and five advanced ones. 

Cybersecurity skills for a web developer include:

• Basic: Adopt input validation and injection prevention techniques to prevent vulnerabilities like cross-site scripting and SQL injection.
• Intermediate: Implementing scanning and testing throughout the development lifecycle.
• Advanced: Deepen advanced cryptographic techniques such as digital signatures and hashing algorithms.

For more information about cybersecurity skills enterprises need today:

• “5 Essential Cybersecurity Skills Every IT Professional Should Master” (Ascend Education)
• “5 Cybersecurity Skills Every IT Professional Should Master” (WebAsha Technologies)
• “The Most In-Demand Cybersecurity Skills” (Dice)
• “10 must-have cybersecurity skills for career success in 2025” (TechTarget)
• “Why Cybersecurity Skills Are Essential for Entry-Level Tech Roles in 2025” (EC-Council)

Cyber attackers are deploying the LummaC2 malware in an attempt to breach the networks of U.S. critical infrastructure organizations and steal sensitive data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued the warning this week in a joint advisory that outlines attackers’ TTPs and indicators of compromise, along with recommended mitigations.

“LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors,” the advisory reads.
 

Cyber attackers use spearphishing methods to trick victims into downloading legit-looking apps that contain the LummaC2 malware, which has been available in cybercriminal forums since 2022. The malware’s obfuscation methods allow it to bypass standard cyber controls.

“Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection,” the advisory reads.

Mitigation recommendations include:

• Monitor and detect anomalous behavior, such as API calls that try to retrieve system information.
• Implement application controls, such as allowlisting remote access programs.
• Adopt phishing-resistant multi-factor authentication.
• Collect logs to regularly review registry changes and access logs that may signal a LummaC2 malware infection.
• Regularly update and patch software to remediate critical vulnerabilities.

For more information about OT systems cybersecurity, check out these Tenable resources: 

• “What is operational technology (OT)?” (guide)
• “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)

Cyber attackers backed by Russia’s GRU military intelligence unit have unleashed an aggressive cyber espionage campaign targeting U.S. and European technology companies and logistics providers involved in delivering aid to Ukraine.

That’s according to the joint advisory “Russian GRU Targeting Western Logistics Entities and Technology Companies” published this week by cybersecurity and law enforcement agencies from 11 countries, including Australia, Canada, France, Germany, the U.K. and the U.S.

“This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide-scale targeting of IP cameras in Ukraine and bordering NATO nations,” the 33-page document reads.
 

The group carrying out the cyber espionage campaign, known by various names, including APT28 and Fancy Bear, uses multiple tactics, techniques and procedures (TTPs) to gain initial access to victims’ networks, including: 

• brute-force password attacks
• credential spearphishing
• malware delivery
• vulnerability exploitation
• attacks against VPNs

The advisory’s mitigation recommendations include:

• Segment networks, restrict network access and adopt a zero-trust architecture
• Automatically log network access and audit the logs to identify suspicious access requests
• Implement allowlisting for applications and scripts
• Adopt tools that check the safety of links in emails
• Use multi-factor authentication with passkeys or PKI smartcards
• Limit the number of administrative accounts 
• Change all default credentials

For more information about APT28 / Fancy Bear:

• “APT28” (MITRE ATT&CK)
• “Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network” (Dark Reading)
• "Fancy Bear (APT28)" (Bugcrowd)
• "Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks" (Publishers Weekly)
• "APT28" (Malpedia)

Knowing which vulnerabilities have been exploited in the wild is priceless information for a security team as it prioritizes which ones to patch first.

Now, the U.S. National Institute of Standards and Technology has come up with a set of calculations designed to determine a vulnerability’s exploitation chances.

“Only a small fraction of the tens of thousands of software and hardware vulnerabilities that are published every year will be exploited. Predicting which ones is important for the efficiency and cost effectiveness of enterprise vulnerability remediation efforts,” reads NIST’s white paper “Likely Exploited Vulnerabilities: A Proposed Metric for Vulnerability Exploitation Probability,” published this week.
 

NIST calls the metric LEV, which stands for “likely exploited vulnerabilities.” LEV, NIST says, may help augment both the Known Exploited Vulnerabilities Catalog (KEV) database and the 

Exploit Prediction Scoring System (EPSS) by adding entries to the former and enhancing the latter’s accuracy.

The LEV equation, which has been implemented using Python and uses data from the National Vulnerability Database (NVD), KEV and EPSS, is “mathematically sound” but its error margin is unknown, so it needs to be rigorously tested, according to NIST.

For more information about NIST’s LEV:

• “NIST's 'LEV' Equation to Determine Likelihood a Bug Was Exploited” (Dark Reading)
• “NIST Proposes Security Metric to Determine Likely Exploited Vulnerabilities” (Cybersecurity News)
• “Vulnerability Exploitation Probability Metric Proposed by NIST, CISA Researchers” (SecurityWeek)

While credential abuse is a primary initial access vector, identity compromise plays a key role in most stages of a cyber attack. Here’s what you need to know — and how Tenable can help.

Identity compromise plays a pivotal role in how attackers move laterally through an organization. Credential abuse is the top initial access vector, implicated in 22% of breaches, according to the 2025 Verizon Data Breach Investigations Report, followed closely by vulnerability exploitation (20%). But identity compromise doesn’t stop after initial access. It plays a key role in five stages of a cyber attack.

Understanding the following stages of an attack helps illuminate where identity becomes a threat vector:

1. Initial access
2. Reconnaissance
3. Lateral movement and privilege escalation
4. Persistence and detection evasion
5. Deployment

Below, we explore actions security teams can take to protect identities in each of these stages. While the guidance we share here is based on protecting on-premises Microsoft Active Directory environments, it’s worth considering how credential compromise can affect Microsoft Entra ID and hybrid identity infrastructure. We also discuss how Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, can be used at each stage to provide security teams with valuable insights to help them proactively reduce their exposure to cyber attacks.

Attackers need a foothold and credential abuse enables them to get one. To prevent credentials from being abused by attackers, organizations need to proactively make sure their users have a strong password accompanied with two-factor (2FA) or multi-factor authentication (MFA). This is done by enforcing policies for password complexity, length, reuse and change frequency to which an organization’s users have to adhere. Even so, having full visibility into identities can be challenging for the security teams tasked with enforcing these policies.

Tenable Identity Exposure provides the following indicators that security teams can use to gain visibility into areas where weaknesses may exist.

• Password Policy Weakness
• Cleartext Passwords in Use
• Detection of Password Weaknesses

Once attackers have access to an environment they need to understand what it looks like and how they can exploit configurations and/or vulnerabilities to move onto the next step of lateral movement and privilege escalation. There are a number of legitimate security tools available that attackers can use to gain visibility into the environment. When these are used against an environment maliciously, they give away key secrets that can then be leveraged for movement across the environment.

Tenable Identity Exposure provides indicators of attack to give security teams visibility into behavior that looks like these security tools are being run in your environment, which could be malicious if not expected. These indicators include:

• Massive Computer Enumeration
• Administrative Account Scanning

Once they’ve completed their reconnaissance, attackers will try to use their findings to move between your environment objects to gain access to the privileged assets required to further their attack. How do they do this? Exploitation of relationships. To do so, they may try to access a system that is caching privileged user credentials, or they may try to reset the password on another identity in the environment. To protect against such activity you need to enforce policies restricting who is allowed to log onto certain system types, prevent password caching where possible and remove unnecessary relationships between objects. Tenable Identity Exposure provides indicators that can help security teams manage restrictions and spot inconsistencies, including:

• Administrative Logon Restrictions
• Domain Controller Access Inconsistencies

Tenable is also able to provide graphical representations of relationships between identity objects in the attack paths.

Another key goal of lateral movement is for attackers to get themselves in a position where they can gain persistent access to the environment and avoid being detected. Given the complexity and requirements of identity solutions like Active Directory there are a number of backdooring techniques that can be utilized. One of the lesser-known of these is the exploitation of the AdminSDHolder container. Once an identity is added to this container, which is hidden by default in Active Directory, it will then periodically be granted access to highly privileged groups such as domain administrators. This access is granted through the SDProp process that, by default, is scheduled to run every 60 minutes. So even when the access is removed directly from the privileged groups, it is re-granted one hour later through the SDProp process when AdminSDHolder access is granted. Tenable Identity Exposure has the following indicator providing continuous visibility into AdminSDHolder membership:

• Ensure SDProp Consistency

There are a number of security tools on the market that can run point-in-time assessments to show weaknesses that need to be addressed; this data is often provided in a single report with no filterable history. Given the dynamic nature of identities, point-in-time assessments leave gaps in visibility for security teams. Attackers can take advantage of these gaps by making the changes in the environment to facilitate their activities and then undoing them before the next point-in-time assessment is performed, leaving security teams none the wiser. To be most effective, identity configuration monitoring should be continuous and have a filterable and referenceable record of all changes.

Tenable Identity Exposure continually monitors Active Directory and the indicator below provides a trail flow for this very purpose:

• Trail Flow

Finally, we have the deployment of the payload, such as malicious code, malware or ransomware. Chances are an attacker will need to run some sort of script or installer — such as PowerShell scripts — to achieve this. Putting a restriction in place through security policies to prevent these running can dramatically reduce risk.

Tenable Identity Exposure provides the following indicator, specifically related to ransomware, to help security teams gain visibility into those places in the environment where the ability to run PowerShell scripts and access AppLocker could be restricted:.

• Insufficient Hardening Against Ransomware

In summary, we can see how identity is at the heart of each of these five stages of a cyber attack. While the above examples are focused around on-prem Active Directory, hybrid environments are also a target for attackers, such as the 2024 attack by Storm-0501. Tenable Identity Exposure, available in the Tenable One Exposure Management Platform, provides visibility into both Active Directory and Entra ID. Tenable Cloud Security also provides a comprehensive view into identity entitlement within public cloud providers and identity providers (IdPs), such as Ping Identity and Okta.

Identity security is fundamental to a proactive exposure management program. To achieve effective exposure management, organizations need a comprehensive view of their entire attack surface. This means pulling together all available data from across their security tools, including those for identity, applications, cloud, operational technology (OT), endpoint, asset inventories, configuration management data bases (CMDBs), threat intelligence feeds and more. By combining insights from these diverse data sources, security teams can see the bigger picture, connecting the dots between assets, vulnerabilities, misconfigurations and existing compensating controls across multiple environments. The Tenable One Exposure Management Platform gives you a single, prioritized view of risk. By breaking down data silos and integrating insights from multiple security tools, organizations can reduce the likelihood of a breach and minimize risk exposure across the attack surface. Instead of viewing risks in isolation, security teams can connect the dots — understanding how attackers see their environment and taking smarter, more proactive action to reduce exposure.

• 2024 Gartner® Prioritize IAM Hygiene for Robust Identity-First Security Report
• From Managing Vulnerabilities to Managing Exposure: The Critical Shift You Can’t Ignore
• A Unified Approach to Exposure Management: Introducing Tenable One Connectors and Customized Risk Dashboards

In this fourth installment of Tenable’s “Stronger Cloud Security in Five” blog series, we turn our attention to securing cloud data, a complex endeavor as data grows exponentially and threats become more sophisticated. Check out five DSPM best practices to sharpen your cloud data security and compliance.

As the volume of data stored and processed in your cloud environments grows, so does the complexity of protecting it from cyber thieves and of complying with strict regulations.

While on-premises data centers offer a more controlled environment, data generated in the cloud can be less structured and is often stored in a more diverse array of repositories, increasing the risk that it will be improperly secured.

As GigaOm Analyst Paul Stringfellow tells us, cloud repositories are often deployed outside of normal controls due to their ease of use and their perceived low cost.

“Often, they are used for specific tasks and then discarded and forgotten by original project owners,” he writes. “This leads to shadow data repositories that exist outside of established data storage and security controls.”

The solution? Data security posture management (DSPM) systems, which offer unified visibility of all your cloud data — even if your organization uses multiple cloud service providers (CSPs) — along with other data protection capabilities.

“A key element of data resilience is understanding where sensitive data stores are located and what is inside them. You can't secure something you don't know about, and DSPM helps identify and categorize data stores,” Enterprise Strategy Group Analyst Todd Thiemann indicates.

At Tenable, we believe a key element for securing your cloud data is to have your DSPM tool integrated as part of a comprehensive cloud native application protection platform (CNAPP). 

Combining DSPM functionality with other CNAPP components gives you holistic cloud security that also includes protection for workloads, identities and more, as Tenable Senior Product Marketing Managers Diane Benjuya and Lior Zatlavi explain. 

“In light of the massive increase in data-related breaches – and their cost – integrating DSPM in CNAPP is essential to reduce risk. It also simplifies security efforts, improves compliance and ensures that data security is an integral part of your overall security strategy,” they write.

Below we unpack five DSPM best practices that are key for securing your data across your multi-cloud environment.

You need to have full, continuously updated visibility into all your data — including AI models, cloud workloads and storage buckets. It’s particularly important to detect unknown “shadow data” that is generated and stored without the knowledge of the IT and security teams. In fact, IBM’s “Cost of a Data Breach Report 2024” found that “shadow data” stored in unmanaged data sources were involved in 35% of all data breaches. 

All data assets must be assigned risk-severity levels based on their sensitivity, as well as be organized into categories, such as confidential company data and customer personal information.

When this data visibility is combined with other CNAPP functions, such as cloud security posture management (CSPM), organizations can pinpoint security gaps, toxic combinations and potential breach impacts, as well as prioritize necessary prevention and mitigation measures.

It’s critical to leverage advanced analytics and flag suspicious activity that could lead to data breaches. With these actionable insights and recommendations, your team is empowered to stay a step ahead of attackers by proactively investigating and addressing these risk scenarios.

For example, integrating DSPM with your CNAPP’s cloud infrastructure entitlements management (CIEM) alerts you to anomalous behavior from human or machine identities that might endanger the security of sensitive cloud data. With these insights, you can take the appropriate corrective action and block a potential attack path by, say, reducing or entirely revoking a suspicious identity’s data access.

The number of data privacy and data security laws, regulations, industry mandates, internal policies and voluntary frameworks increases with each passing year, making compliance a daunting challenge.

To stay on top of all these data-protection rules and requirements, you need to continuously assess your data-security compliance posture by automating the processes of: 

• discovering and classifying cloud data; 
• enforcing your data-protection policies;
• addressing violations like unauthorized access with step-by-step remediation guidance;
• and generating detailed, audit-ready compliance reports.

Here again, a CNAPP-integrated DSPM not only automates these processes but also offers invaluable insights with rich-context on the threats to your cloud data that put you at risk of non-compliance, including vulnerabilities, misconfigurations and overprivileged identities. 

If a data breach happens, time is of the essence. You need to respond quickly and decisively. With the context-rich analytics provided by your DSPM, your security team is better able to: 

• Assess the scope of the breach
• Pinpoint its cause
• Flag the compromised data
• Prioritize remediation
• Contain the breach

To get this expansive visibility and understanding of a data breach, it’s key for your DSPM to perform a comprehensive analysis – leveraging its CNAPP integration – that takes into account the full context of the incident, since your data protection posture can’t be assessed in a vacuum. As we learned from Verizon’s “2025 Data Breach Investigations Report” (DBIR), data thieves use a variety of attack methods — particularly their preferred ones: compromising credentials and exploiting vulnerabilities.

As your multi-cloud deployment inevitably grows, data security and compliance must be at the heart of your environment’s expansion. In this growth scenario, a CNAPP-integrated DSPM empowers your security team to build data-protection organically into these efforts in a number of key ways, including by:

• Having complete, continuously updated visibility of cloud data and its risks
• Providing context-rich insights into the data security posture of the mapped data stores, including configurations and identity permissions
• Categorizing data assets’ sensitivity
• Identifying which human and machine identities have access to cloud data
• Helping prioritize issues and prescribing actionable, concrete remediation steps 

Find out how you can take action to boost your cloud security in just five minutes.

• "Stronger Cloud Security in Five: The Importance of Cloud Configuration Security"
• "Stronger Cloud Security in Five: How To Protect Your Cloud Workloads"
• "Stronger Cloud Security in Five: Securing Your Cloud Identities"

State and local governments must grapple with resource constraints even as they face increased demand for cybersecurity vigilance to protect critical infrastructure and essential services. Here’s how exposure management can help.

State and local governments play a crucial role in the daily lives of communities, including managing the critical infrastructure we rely on every day, such as water systems, transportation networks, power grids, and emergency services. These institutions are on the front lines of delivering and safeguarding these essential services. A successful cyber attack on even a small municipality can disrupt daily operations, compromise sensitive data and threaten public safety.

As digital threats grow more advanced and persistent, protecting state and local systems is no longer just a technical issue, it is a fundamental part of securing the nation’s most vital functions. To address this growing challenge, state and local governments need comprehensive statewide cybersecurity strategies aligned with recognized cybersecurity best practices and standards, sustainable funding and coordinated support to defend against ever evolving threats.

As frontline operators of critical infrastructure, state and local governments face an increasingly complex and evolving cyber threat landscape. For example, in 2023, Volt Typhoon, a state-sponsored threat actor backed by the People’s Republic of China (PRC), launched a prolonged cyber attack against the Littleton Electric Light and Water Departments (LELWD) in Massachusetts. This marked the first known strike on a U.S. power utility by the group. The group targeted the utility’s operational technology (OT) infrastructure in an attempt to exfiltrate sensitive data. While LELWD was able to detect and contain the breach, the incident underscored the increasing sophistication of nation-state cyber threats and the serious risks they pose to essential services. This attack was not an isolated incident but part of a broader pattern of cyber espionage and disruption orchestrated by Volt Typhoon, which continues to target U.S. critical infrastructure.

Additionally, in July 2024, the City of Columbus, Ohio, experienced a significant ransomware attack attributed to the Rhysida group, a foreign threat actor. This breach compromised the personal and financial data of 500,000 residents, including Social Security numbers, bank account details, and other sensitive information. The incident disrupted city services and prompted the city to offer two years of free credit monitoring to affected individuals.

In February 2023, the City of Oakland, California, suffered a ransomware attack by the Play group, which disrupted essential city services and exposed sensitive personnel records, including those of police officers and firefighters. The breach prompted a state of emergency and raised serious concerns about the city's cybersecurity preparedness.

“This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments. Since U.S. critical infrastructure is owned and operated by both public sector and private sector organizations, the threat is a concern for government agencies as well as corporate enterprises.”

 — Mark Weatherford, former Deputy Undersecretary for Cybersecurity, U.S. Department of Homeland Security

These incidents are part of a broader and accelerating pattern of cyberattacks targeting municipal governments, highlighting the urgent need for enhanced cybersecurity measures at the local level. 

“This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments,” wrote Mark Weatherford, former Deputy Undersecretary for Cybersecurity, U.S. Department of Homeland Security, in a guest blog post for Tenable in November 2024. “Since U.S. critical infrastructure is owned and operated by both public sector and private sector organizations, the threat is a concern for government agencies as well as corporate enterprises.”

In March, the Office of the Director of National Intelligence (ODNI) released its Annual Threat Assessment of the U.S. Intelligence Community, referencing Volt Typhoon and other nation-state cyber threats against critical infrastructure, reinforcing the need for heightened vigilance at the state and local levels.

On March 19, 2025, President Trump released Executive Order (EO) 14239: Achieving Efficiency Through State and Local Preparedness. The goal of the EO is to improve national disaster preparedness and resilience by empowering state and local governments to take a leading role in securing critical infrastructure, including from cyber attacks, while also streamlining and modernizing federal policies to support them more effectively.

The order also emphasizes a shift from a broad "all-hazards" approach to a risk-informed strategy, encouraging smarter investments in infrastructure and calls for the creation of a National Resilience Strategy and a National Risk Register.

While we await guidance and implementation details for Executive Order 14239 on how state and local governments should take a more active role in cyber attack preparedness, there are proactive steps that can be taken now. These include conducting regular risk assessments, adopting basic cyber hygiene practices and implementing a proactive exposure management strategy. By taking action now, even amid uncertainty, state and local entities can begin building the foundation for a more resilient and secure infrastructure.

Despite being on the front lines of managing critical infrastructure, many state and local governments face significant challenges, including limited resources and legacy infrastructure, making it difficult to detect and respond to cyber threats.

As state and local governments take on more responsibility for national disaster preparedness and resilience, including protection against cyber attacks, support from programs like the State and Local Cybersecurity Grant Program (SLCGP) are more vital than ever. SLCGP provides funding to help state, local, tribal and territorial governments develop and implement effective cybersecurity strategies. By funding key initiatives such as mutli-factor authentication, vulnerability management and threat prioritization, SLCGP plays a vital role in strengthening the cybersecurity posture of these governments.

In my testimony before the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee in April, I emphasized the need to continue the SLCGP program and the importance of adopting an exposure management strategy to tackle these threats. During the April 1 hearing, “Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program,” I provided analysis on threats facing state and local governments, the impact of SLCGP, improvements that could be made to the program, and how a risk-informed approach is needed to protect state infrastructure, including critical infrastructure, from cyber attacks.

Exposure management is aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 and supports a more strategic risk-informed approach to cybersecurity, continuously assessing the accessibility, exploitability and criticality of all digital assets, including the operational technology used in critical infrastructure. By implementing an exposure management strategy, state and local governments will be better equipped to secure their environments in the face of constant cyber threats and campaigns from nation-state attackers. This proactive approach helps state and local governments improve operational efficiency, reduce costs, protect against emerging threats and ensure that critical systems and services remain secure and uninterrupted.

An exposure management strategy relies on a technology platform that enables the discovery and aggregation of asset data across your entire external and internal attack surface. Seemingly elusive assets in cloud, IT, operational technology (OT), internet of things (IoT), identities and applications will show up in a holistic view of the attack surface. An exposure management platform will detect the three preventable forms of risk attackers use to gain initial access and move laterally: vulnerabilities, misconfigurations and excessive privileges. The platform will aggregate findings by asset then normalize them to calculate an overall risk score that enables security teams to quickly identify the assets that pose the greatest potential risk to your organization. An exposure management platform shares the detailed asset, identity and risk relationship information it discovers and maintains in its asset inventory. You’ll be able to see high-risk assets and, more importantly, you’ll be able to see all related attack paths that lead to that asset.

State and local governments are under pressure to improve efficiency, reduce costs and do more with less, while securing essential systems against cyber attacks. Tenable One enables you to take a proactive, risk-informed approach, prioritizing the most critical cyber risks to avoid costly incidents and keep services running. Here are three ways the Tenable One Exposure Management Platform can help.

1. Protect critical infrastructure. Tenable One provides complete visibility into both your IT and OT environments so your agency can protect essential systems like water, energy, and transportation. From real-time threat detection to prioritized remediation, Tenable helps your security team quickly identify and respond to risks before they disrupt public services or compromise safety.
2. Increase efficiency and effectiveness. Tenable One helps your team work smarter by unifying visibility across your entire environment, including cloud, on-prem, identity and OT/IoT systems, eliminating silos and reducing manual effort. With automated asset discovery, risk-based prioritization and machine learning-driven insights, your team can cut through the noise, focus on what matters most and proactively reduce the attack surface.
3. Reduce costs. With Tenable One, you can consolidate security tools into a single platform, cutting down on unnecessary spending and complexity. By proactively identifying and closing high-risk exposures, you can mitigate the financial and operational consequences of data breaches, system outages and compliance violations.

For more information on how Tenable One can help state and local governments:

• Review Securing critical infrastructure: Enhancing cyber resilience with a risk-based approach for state and local governments

Watch our on-demand webinar How State and Local Governments Can Boost Cyber Resilience with Exposure Management

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this Exposure Management Academy FAQ, we help CISOs understand exposure management, look at how advanced you might be and outline how to structure a program. You can read the entire Exposure Management Academy series here.

Since we started the Exposure Management Academy in March, we’ve received lots of questions. To provide answers, we launched an exposure management FAQ series in April and we’re following that with a few more questions and answers. 

Do you have a question about exposure management? If so, fill out the form at the bottom of this page and we’ll address your question in a future post.

This is a fundamental question we hear from many CISOs. In short, exposure management offers CISOs a unified view of the most significant cyber exposures across their organization’s entire attack surface. 

Toxic combinations of preventable weaknesses — including vulnerabilities, misconfigurations and excessive permissions — can lead to substantial business exposure if they’re exploited. To effectively practice exposure management, you need to be able to identify these toxic risk combinations that create attack paths leading to your most valuable assets or administrative privileges. 

Implementing an exposure management program can help you streamline prioritization and remediation efforts, making it easier for your security teams to be proactive about reducing your exploitable attack surface. 

Exposure management helps unify the data produced by disparate proactive security functions, including vulnerability management, web application scanning, cloud security, identity security, OT security and attack surface management.

Ultimately, exposure management improves both security and business results. By delivering comprehensive visibility, a unified view of security data and enriched context regarding asset and identity interdependencies and potential impact, exposure management initiatives enhance productivity and efficiency while decreasing overall costs and exposure.

Want to learn more? Browse the posts in the Exposure Management Academy archive. Every week, we release a new post that focuses on how you can make the most of exposure management.

Exposure management includes a lot of things your security team is already doing, like vulnerability management, web application security and attack surface management. Based on the work we’ve done to help organizations implement exposure management, Tenable developed an exposure management maturity model that identifies five stages of exposure management maturity:

This initial stage is characterized by tools and processes, with significant visibility gaps and reactive response..

At this stage, you have basic tools, processes and frameworks, with siloed visibility and response..

With mature tools and processes, you’re beginning to unify data and add business context.

You have unified visibility, with rich business context and some technical context.

Your organization has aligned views of exposure, with consistent metrics, reporting, prioritization and workflows.

Which stage fits your current situation? If you’re in the early stages, you’re like most organizations. You can use our maturity assessment to see where you stand. If you’ve moved beyond the early stages, we’d love to hear from you — fill out the form below and tell us your story. 

These are the four fundamental components of exposure management:

• Strategy: Define the problems exposure management can help you solve and the objectives you want to achieve by implementing an exposure management program or platform. Consider the risks you’re trying to mitigate and the cyber threats that are most relevant to your organization. Then evaluate your team's current exposure management maturity (see above) and identify any gaps in capabilities you’ll need to fill.
• Visibility: You’ll need to enhance your ability to identify all preventable risks (i.e., vulnerabilities, misconfigurations and excessive permissions) and discover all assets, identities and applications across your entire attack surface, including cloud, OT, and IoT environments. A key here is using a central inventory to consolidate and standardize all asset and risk data.
• Insight: A consistent scoring methodology across all risk types and attack surfaces is a critical replacement for the disparate scoring you get with individual tools. You’ll enhance your exposure data with technical and business context so you can prioritize remediation based on the potential business impact of exploitation.
• Action: Defining necessary roles and allocating cross-functional resources is a central element of the exposure management journey. Here, you’ll integrate, streamline and activate processes and workflows that will help you identify, prioritize and remediate exposures. Plus, you’ll be able to optimize workflows and track program effectiveness through cross-domain analytics and reporting.

We’re all ears. Share your question and maybe we’ll feature it in a future post.

MktoForms2.loadForm("//info.tenable.com", "934-XQB-568", 14070);

Check out a study that outlines the risks and benefits of open-source AI tools. Meanwhile, the NCSC unpacks use cases for new, alternative encryption technologies. Plus, ISACA urges orgs to begin their post-quantum cryptography migration. And get the latest on assessing software products’ security; cyber attacks against critical infrastructure; and more!

Dive into six things that are top of mind for the week ending May 16.

As organizations increasingly adopt open-source artificial intelligence (AI) technologies, they also worry about facing higher risks than those posed by proprietary AI products.

That’s according to the report “Open source technology in the age of AI” from McKinsey Co., the Patrick J. McGovern Foundation and Mozilla, based on a global survey of 700-plus technology leaders and senior developers.

Specifically, while respondents cite benefits like lower costs and ease of use, they consider open source AI tools to be riskier in areas like cybersecurity, compliance and intellectual property.

If your organization is looking at or already adopting open source AI products, here are risk mitigation recommendations from the report:

• Implement strong guardrails, such as automated content filtering, input / output validation and human oversight.
• Use standardized benchmarks to conduct regular risk assessments.
• Run AI models in trusted execution environments.
• Protect model repositories with strong access controls.
• Segment the networks of training and inference servers.
• Confirm models come from trusted repositories by using cryptographic hash verification.

For more information about AI security, check out these Tenable resources:

• “Securing the AI Attack Surface: Separating the Unknown from the Well Understood” (blog)
• “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
• “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
• “Tenable Cloud AI Risk Report 2025” (research report)
• “Never Trust User Inputs -- And AI Isn't an Exception: A Security-First Approach” (blog)

Organizations mulling the use of emerging cryptographic techniques may find a new white paper from the U.K. National Cyber Security Centre (NCSC) helpful.

Titled “Advanced Cryptography: Deciding when to use Advanced Cryptography to protect your data,” the document seeks to educate organizations about new, advanced cryptography options so that they can make informed decisions about how and whether to use them.

“These emerging techniques, collectively called Advanced Cryptography, can be used in scenarios where traditional cryptography may be insufficient,” the white paper reads. 

Specifically, the NCSC defines advanced cryptography as “a range of techniques that use cryptographic methods to provide data-processing functionality” that goes beyond what’s possible with traditional cryptographic methods.

“Our white paper considers the new forms of cryptography that are emerging in academia (and are being developed by industry) to tackle problems that can’t be solved simply by encrypting, decrypting, signing, and verifying information,” an NCSC blog reads.
 

However, because advanced cryptography techniques are newer, their security isn’t as well understood, and they may be slower and more expensive, according to the NCSC.

“When deciding whether to use Advanced Cryptography, start with a clear articulation of the problem, and use that to guide the development of an appropriate solution,” the document says.

For example, advanced cryptography techniques might be an appropriate option for securing data processing if the scenario involves all or most of these elements:

• Multiple parties must collaborate to accomplish the desired result.
• No trusted third party can perform the operation.
• The organization can accept a spike in computation costs, communications bandwidth or other performance overhead.
• Some participating parties may be unreliable or dishonest.

Advanced cryptography techniques discussed in the white paper include:

• Homomorphic encryption
• Multiparty computation
• Zero-knowledge proofs
• Attribute-based encryption

For more information about new, emerging forms of cryptography:

• “Understanding the Differences Between Fully Homomorphic Encryption and Confidential Computing” (Cloud Security Alliance)
• “What is Secure Multiparty Computation?” (Geeks for Geeks)
• “A Survey on the Applications of Zero-Knowledge Proofs” (University of Southern California)
• “Introduction to Zero-Knowledge Proofs” (Chainalysis)
• “Multi-authority Registered Attribute-Based Encryption” (University of Texas at Austin)

Most organizations remain woefully unprepared for tackling the future threat that quantum computers will pose to the data they store and handle – and the clock is ticking.

That’s the key finding from ISACA’s “2025 Quantum Computing Pulse Poll,” which surveyed almost 2,700 cybersecurity, audit, risk and data-privacy professionals globally.

Specifically, 95% of respondent organizations haven’t drafted a roadmap for transitioning to post-quantum cryptography. Only 5% consider the quantum threat a high business priority today.

Here’s the issue: Quantum computers, expected to become available sometime between 2030 and 2040, will be able to decrypt data protected with today’s public-key cryptographic algorithms.
 

Thus, the consensus is that organizations need to start migrating now to post-quantum cryptography – also known as quantum-resistant cryptography – because the process is complex and requires careful planning and deployment.

To help organizations get started, ISACA is offering a roadmap template for adopting quantum-resistant cryptography, with specific actions to take now, including:

• Educate and raise awareness among stakeholders about quantum computing’s opportunities and threats; explain the risks of compromised data; and underscore the importance of adopting quantum-resistant encryption.
• Draft a post-quantum encryption strategy for both new and existing data, including updating compliance policies; and integrating quantum threats into existing risk assessments and security frameworks.
• Regularly assess and audit quantum security risks; test cryptographic resilience and update encryption practices accordingly; and monitor industry innovations and regulatory guidance.

In short, ISACA recommends that organizations plan to encrypt all new data using post-quantum cryptography; re-encrypt all existing data; and make this transition a priority today.

In March, NIST picked its fifth algorithm for post-quantum encryption, which it expects will be widely available for use in 2027. NIST released three quantum-resistant algorithm standards last year and expects to release a fourth one in 2026.

Other resources for helping organizations plan their migration to quantum-resistant cryptography include NIST’s draft white paper “Considerations for Achieving Crypto Agility,” and the U.K. National Cyber Security Centre’s “Timelines for migration to post-quantum (PQC) cryptography.” 

To get more details about the ISACA survey, check out these resources:

• The survey’s announcement “Despite Rising Concerns, 95% of Organizations Lack a Quantum Computing Roadmap, ISACA Finds”
• A complementary infographic
• The roadmap for shifting to post-quantum cryptography
• The blog “Post-Quantum Cryptography: A Call to Action”

For more information about how to protect your organization against the quantum computing cyberthreat:

• “How to prepare for a secure post-quantum future” (TechTarget)
• “Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)
• “Companies Prepare to Fight Quantum Hackers” (The Wall Street Journal)
• “US unveils new tools to withstand encryption-breaking quantum. Here's what experts are saying” (World Economic Forum)
• “Quantum is coming — and bringing new cybersecurity threats with it” (KPMG)
• “Quantum and the Threat to Encryption” (SecurityWeek)

In an attempt to prompt software makers to build safer products, the U.K.’s National Cyber Security Centre (NCSC) has published a voluntary “Software Code of Practice” that outlines a baseline of cybersecurity, resilience and privacy features and controls that software should offer.

“It signals – to both software vendors and their customers – what can reasonably be expected from software suppliers and defines the minimum set of actions that should be in place to ensure products and services are resilient to a cyber attack from a commodity threat,” reads an NCSC blog.
 

The Software Code of Practice outlines 14 principles grouped into four core areas:

• Secure design and development
  • Follow the practices and guidelines of a secure development framework.
  • Understand the software product’s components, and assess the risk of third-party components.
  • Establish a process for testing the software product and its updates.
  • Apply secure-by-design principles across the product’s software development lifecycle.
• Security of the build environment
  • Prevent unauthorized access to the build environment.
  • Control and log changes.
• Secure deployment and maintenance
  • Secure the software distribution process.
  • Adopt and disclose a vulnerability disclosure policy.
  • Establish processes for detecting and managing software component vulnerabilities, and for prioritizing their remediation.
  • Report vulnerabilities to all relevant stakeholders.
  • Offer security updates, patches and notifications promptly to customers.
• Customer communications
  • Inform customers about the level of support and maintenance for the software product.
  • Give customers at least one year in advance that a software product will no longer be supported.
  • Notify customers about significant incidents that may impact their organizations.

For more information about how to assess the security of commercial software products:

• “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” (CISA)
• “Choosing secure and verifiable technologies” (Australian Cyber Security Centre)
• “Secure software procurement in 2025: A call for accountability” (ComputerWeekly)
• “Vet Technologies Before Adding Them to Your Network” (CISA)
• “Vet software security as part of enterprise procurement, NIST says” (Cybersecurity Dive)

Inexperienced hackers are successfully targeting operational technology (OT) systems of critical infrastructure organizations using simple attack methods that exploit weak cyber hygiene.

That’s the warning from CISA, which is urging critical infrastructure organizations to implement basic, foundational cybersecurity measures that’ll help them fend off these unsophisticated attackers.

“Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats,” reads a CISA statement.

Specifically, these “low-hanging fruit” breaches can open the door for website defacements, configuration changes, operational disruptions and physical damage.
 

In a new fact sheet titled “Primary Mitigations to Reduce Cyber Threats to Operational Technology,” CISA offers mitigation recommendations, including:

• Unplug OT devices from the public internet because their authentication and authorization methods fall short against modern attacks.
• Replace default passwords with complex, unique ones, especially in devices exposed to the internet that can control OT systems and processes.
• Harden remote access to OT assets by, for example, switching them to a private IP network connection using virtual private networks with multifactor authentication.
• Segment IT and OT networks.
• Ensure you can operate OT systems manually in the event of a cyber attack.

For more information about OT security, check out these Tenable resources:

• “Mind the Gap: A Roadmap to IT/OT Alignment” (white paper)
• “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “Fortifying Your OT Environment: Vulnerability and Risk Mitigation Strategies” (on-demand webinar)

For the seventh straight quarter, SocGholish, which powers fake-software update attacks, has ranked as the most prevalent malware variant, a sign that this type of attack remains a top moneymaker for hackers. 

That’s according to the Center for Internet Security’s “Top 10 Malware Q1 2025” list of the malware variants responsible for the most infections.

Specifically, SocGholish accounted for 48% of all malware infections during 2025’s first quarter.

In a fake software-update attack, the victim is tricked into installing what appears as a legitimate update for, say, their preferred browser. In reality, the downloaded software is laced with malware.
 

(Source: Center for Internet Security, May 2025)

Here’s the full list of the most prevalent malware variants in the first quarter of 2025, in descending order:

• SocGholish, a downloader distributed through malicious websites that tricks users into downloading it by offering fake software updates 
• ZPHP, a JavaScript downloader that’s distributed via fake browser updates
• CoinMiner, a cryptocurrency miner that spreads using Windows Management Instrumentation (WMI)
• Agent Tesla, a remote access trojan (RAT) that captures credentials, keystrokes and screenshots
• TeleGrab, an infostealer that swipes data such as chat histories and contacts from Telegram’s desktop and web versions
• Arechclient2, also known as SectopRAT, is a .NET remote access trojan (RAT) whose capabilities include multiple stealth functions
• LandUpdate808, a JavaScript downloader distributed through malicious or compromised websites via fake browser updates
• VenomRAT, an open-source malware with multiple versions whose features include keylogging, data exfiltration and screen capturing
• DarkGate, a downloader and keylogger that steals financial data and personally identifiable information (PII), and delivers other malware
• Ratenjay, a RAT that executes commands remotely and features keylogging capabilities

To get more information, check out the CIS blog “Top 10 Malware Q1 2025,” where you’ll find more details, context and indicators of compromise for each malware strain.

For details on fake update attacks:

• “The Fake Browser Update Scam Gets a Makeover” (Krebs on Security)
• “Watch Out: Attackers Are Hiding Malware in 'Browser Updates'” (Dark Reading)
• “Hackers Use Fake Browser Updates for AMOS Malware Attacks Targeting Mac Users” (MSSP Alert)
• “Malware crooks find an in with fake browser updates, in case real ones weren't bad enough” (The Register)
• “Hackers have been spreading malware via fake Chrome updates” (TechRadar)

VIDEOS

Fake Chrome Update Malware (The PC Security Channel)

Beware Google Chrome fake update browser pop ups that bring malware (Windows, Computers and Technology)

Unified visibility and context are the keys to an effective exposure management program. Learn how the new Tenable One connectors and unified dashboards give you a comprehensive view of your attack surface, help you streamline decision-making and empower your teams to uncover hidden risks, prioritize critical exposures and respond to threats with confidence.

In 2022, we unveiled a vision of how proactive cybersecurity processes needed to evolve. Legacy approaches relied on siloed tools and disconnected teams to deliver patchwork security across IT, cloud, application and OT environments. The problem, back then as it still is today, was that attackers don’t work in silos, and many exploited this limitation by finding entry points and escalating privileges in the cracks between various tools. Our goal was to enable organizations to secure all attack surfaces, leveraging context to more effectively prioritize critical risks and collaborate more efficiently with remediation stakeholders to address issues faster. We called this new discipline Exposure Management and launched one of the industry's first Exposure Management platforms, Tenable One.

Since then, we’ve been hard at work to make this vision a reality for our customers, releasing numerous enhancements to help you unify visibility, insight and action to reduce cyber risk. And we’re excited to announce a new milestone in our exposure management journey: the ability to connect your cybersecurity tool data — alongside your Tenable data — into Tenable One for a truly unified view of assets and exposures and a holistic view of risk. The need to integrate data from your security stack is no longer just a nice-to-have option — it’s an essential component of exposure management so you can understand your organization’s exposure in full context.

Tenable is turning the page to a new chapter in exposure management — one in which fragmented visibility doesn’t hold teams back. The new Tenable One connectors make it easy to bring in data from across your security ecosystem — including vulnerability management, cloud security, endpoint security, OT/IoT security, application security, CMDBs, and more — alongside your native Tenable findings.

This isn’t just about collecting more data. It’s about unlocking a truly unified, contextual view of your entire attack surface.

With Tenable One connectors, you can:

• Manage risk from one place — Eliminate tool sprawl and operational silos with a single, unified platform.
• Detect toxic risk combinations — Spot where unpatched vulnerabilities, misconfigurations and excessive permissions come together to create critical exposure points.
• Prioritize critical exposures — Use cross-domain prioritization to zero in on the highest-impact risks, instead of trying to tackle every issue
• Maximize ROI — Streamline processes, cut costs and maximize the value of existing security investments by ensuring tools work together for better outcomes.

These third-party insights enhance every part of the Tenable One platform:

• A single, unified Inventory of asset and risk data across the attack surface

  Source: Tenable, May 2025

• Richer context in Exposure Signals to support smarter, cross-domain prioritization

  Source: Tenable, May 2025

• Consolidated Exposure Cards that bring all your risk data together for a comprehensive view of your risk posture.

  Source: Tenable, May 2025

And we didn’t stop there. Another critical piece of the exposure management puzzle is how teams analyze and report on risk. Until now, doing so meant bouncing between tools, exporting reports and stitching together dashboards from fragmented data sources.

No more.

With unified dashboards in Tenable One, security teams can finally get a holistic view of their attack surface — all in one place.

Tenable One Dashboards allow teams to:

• Leverage pre-built dashboards — Access best-practice dashboards for quick, actionable insights into common security use cases.
• Create custom dashboards — Use a library of over 40 customizable widgets to build dashboards tailored to any use case or audience.
• Design custom widgets — Develop bespoke widgets that highlight specific data points and metrics that are most relevant to your security needs.
• Dive deeper with powerful filters — Apply customizable filters, slice data, and choose from various chart types to drill into the details and analyze trends with precision.
• Share and collaborate — Make dashboards private or share them across teams and easily export them in multiple formats for better collaboration.

Whether you’re reporting to your CISO or digging deep into root causes, Tenable One Dashboards bring clarity and focus to your risk management efforts.

Experience Tenable One connectors and dashboards in action. Explore our guided demo to see how these new capabilities come to life in Tenable One: 

Not a customer yet? Book a demo now to discover how Tenable One can enhance your exposure management program.

• Read the connectors one-pager to understand the value each connector category can bring to your exposure management program.
• Visit our new connectors web page to explore all available connectors in Tenable One.

Fortinet has observed threat actors exploiting CVE-2025-32756, a critical zero-day arbitrary code execution vulnerability which affects multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera.

On May 13th, Fortinet published a security advisory (FG-IR-25-254) for CVE-2025-32756, a critical arbitrary code execution vulnerability affecting multiple Fortinet products.

CVE-2025-32756 is an arbitrary code execution vulnerability affecting multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. A remote unauthenticated attacker can send crafted HTTP requests in order to create a stack-based overflow condition which would allow for the execution of arbitrary code. This vulnerability was discovered by the Fortinet Product Security Team who observed threat activity involving a device running FortiVoice.

According to Fortinet, the threat actors operations included scanning the network, erasing system crashlogs and enabling ‘fcgi debugging’ which is used to log authentication attempts, including SSH logins. The ‘fcgi debugging’ option is not enabled by default and the Fortinet advisory recommends reviewing the setting as one possible indicator of compromise (IoC).

Historical Exploitation of Fortinet Devices

Fortinet vulnerabilities have historically been common targets for cyber attackers, and CVE-2025-32756 is the eighteenth Fortinet vulnerability to be added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

At the time of writing this, no proof-of-concept (PoC) has been published for CVE-2025-32756. When a PoC is released, we expect attackers will incorporate this vulnerability in their attacks as Fortinet devices have been exploited by threat actors, including nation-state actors in the past.

Fortinet has provided a list of IoCs based on their observations of CVE-2025-32756. We recommend reviewing the list of IoCs and steps recommended by Fortinet to determine if your device may have been impacted.

The following table details the affected and fixed versions of Fortinet devices affected by CVE-2025-32756:

For users that are not able to immediately upgrade, Fortinet has provided a mitigation step; disabling the HTTP/HTTPS administrative interface. We recommend reviewing the Fortinet advisory for the latest information on workarounds and patched versions.

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-32756 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

• Fortinet FG-IR-25-254 Advisory

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

On May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).

CVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.

CVE-2025-4428 is a RCE in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.

An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software. Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.

Customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.

Ivanti has credited the CERT-EU with reporting these vulnerabilities.

At the time this blog post was published, there was no public proof-of-concept available for CVE-2025-4427 or CVE-2025-4428.

The following table details the affected and fixed versions of Ivanti EPMM for both CVE-2025-4427 and CVE-2025-4428:

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-4427, and CVE-2025-4428 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti EPMM by using the following filters:

• Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

1. 5Critical
2. 66Important
3. 0Moderate
4. 0Low

Microsoft addresses 71 CVEs including seven zero-days, five of which were exploited in the wild.

Microsoft patched 71 CVEs in its May 2025 Patch Tuesday release, with five rated critical and 66 rated as important.

This month’s update includes patches for:

• .NET, Visual Studio, and Build Tools for Visual Studio
• Active Directory Certificate Services (AD CS)
• Azure
• Azure Automation
• Azure DevOps
• Azure File Sync
• Azure Storage Resource Provider
• Microsoft Brokering File System
• Microsoft Dataverse
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Edge (Chromium-based)
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office Outlook
• Microsoft Office PowerPoint
• Microsoft Office SharePoint
• Microsoft PC Manager
• Microsoft Power Apps
• Microsoft Scripting Engine
• Remote Desktop Gateway Service
• Role: Windows Hyper-V
• Universal Print Management Service
• UrlMon
• Visual Studio
• Visual Studio Code
• Web Threat Defense (WTD.sys)
• Windows Ancillary Function Driver for WinSock
• Windows Common Log File System Driver
• Windows Deployment Services
• Windows Drivers
• Windows DWM
• Windows File Server
• Windows Fundamentals
• Windows Hardware Lab Kit
• Windows Installer
• Windows Kernel
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Media
• Windows NTFS
• Windows Remote Desktop
• Windows Routing and Remote Access Service (RRAS)
• Windows Secure Kernel Mode
• Windows SMB
• Windows Trusted Runtime Interface Driver
• Windows Virtual Machine Bus
• Windows Win32K - GRFX

Remote code execution (RCE) vulnerabilities accounted for 39.4% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.4%.

CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Prior to this month's release, Microsoft has patched two other EoP vulnerabilities in the Windows CLFS driver in 2025, including CVE-2025-29824, exploited as a zero-day vulnerability in the April 2025 Patch Tuesday release. In 2024, there were eight CLFS vulnerabilities patched, including one zero-day vulnerability in the CLFS driver that was exploited (CVE-2024-49138) and patched in the December 2024 Patch Tuesday release. Windows CLFS continues to be a popular attack vector for attackers and has been exploited by ransomware gangs.

CVE-2025-30400 is an EoP vulnerability in the Windows Desktop Windows Manager (DWM) Core library. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft notes that it was exploited as a zero-day. Successful exploitation would allow an attacker to elevate their privileges by exploiting a use after free flaw.

This is the seventh EoP vulnerability in DWM Core Library patched this year. Eight DWM vulnerabilities were patched in 2024, including one zero-day vulnerability that was actively exploited (CVE-2024-30051) and patched in the May 2024 Patch Tuesday release.

CVE-2025-30397 is a memory corruption vulnerability in Microsoft Scripting Engine that can be exploited to achieve arbitrary code execution on a target machine. It was assigned a CVSSv3 score of 7.5 and is rated as Important. The attack complexity is rated as high, and Microsoft notes the target must first be running Microsoft Edge in Internet Explorer mode. Successful exploitation requires the user to click on a crafted URL. This vulnerability was reportedly exploited in the wild as a zero-day.

CVE-2025-26685 is a spoofing vulnerability in Microsoft Defender for Identity. It was assigned a CVSSv3 score of 6.5 and is rated as Important. This vulnerability allows an unauthenticated attacker with Local Area Network (LAN) access to perform a spoofing attack. According to Microsoft, this vulnerability was disclosed prior to patches being made available.

CVE-2025-32709 is a EoP vulnerability in the Windows Ancillary Function Driver for WinSock. It was assigned a CVSSv3 score of 7.8 and rated as Important. An authenticated attacker can leverage this vulnerability to elevate their privileges to administrator by exploiting a user after free condition. Microsoft notes that this vulnerability was exploited in the wild as a zero-day, the second to be exploited in 2025, preceded by CVE-2025-21418 which was addressed in February’s Patch Tuesday release.

CVE-2025-32702 is a RCE vulnerability in Visual Studio. It was assigned a CVSSv3 score of 7.8 and rated as Important. Microsoft notes that the attack vector for this vulnerability is local, and that an unauthenticated attacker could exploit this flaw in order to execute code. This is the third RCE vulnerability in Visual Studio that was patched in 2025.

A list of all the plugins released for Microsoft’s May 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's May 2025 Security Updates
• Tenable plugins for Microsoft May 2025 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Following up on last year’s LOLDriver plugin, Tenable Research is releasing detection plugins for the top Remote Monitoring and Management (RMM) tools that attackers have been more frequently leveraging in victim environments.

In August 2024, Tenable Research released a detection plugin for Nessus, Tenable Security Center and Tenable Vulnerability Management to help customers identify risky third-party Windows drivers utilized by attackers for privilege escalation on victim hosts. As part of our continued research into living off the land (LOTL) tooling utilized by attackers, we’re releasing new detection plugins for popular Remote Monitoring and Management (RMM) applications.

IT operations and information security staff often need to remotely connect to machines dozens, perhaps even hundreds, of times per day to troubleshoot a problem or make a system function well. An administrator or support technician must reach a terminal on a server in a datacenter a continent away, or a user’s workstation in their home. As the role of the remote worker has dramatically expanded across organizations over the last 20 years, it has led to the introduction of RMM products in enterprise environments.

The architecture of these products is fairly straightforward: a listener on the user’s machine, often referred to as an agent, host, or server, and an application to connect to, and control, the machine, often referred to as a viewer or client. In many cases this connection is facilitated by a proxy system, which maintains an inventory of the available machines in the environment, allowing an administrator to select one from a list, use stored credentials and track the health of the listeners. This proxy system might be on-premises, in the cloud, or hosted by the RMM vendor as a SaaS application.

While these tools may sound handy, attackers also know that these tools are present. They can use them for direct graphical control of a victim’s machines, often at a privilege level that is elevated by design. So, how do attackers get their hands on such a valuable resource?

There are several ways an attacker can obtain access to an organization’s RMM tools:

• Credential reuse. The attacker steals credentials belonging to a privileged user, either through social engineering, theft from the user’s workstation or control of an identity service. These credentials are used to authenticate to the RMM central service or to simply connect directly to a listener.
• Exploitation of a vulnerability in the RMM product. Many RMM applications have highly publicized vulnerabilities that allow elevation of privilege or remote code execution.
• Elevation of privilege. An attacker may gain control of a workstation or server used by an administrator and launch the RMM client application from there using the legitimate access of that administrator.

And, of course, attackers with sufficient privileges can simply deploy a RMM tool of their choice on a compromised asset, allowing them to achieve persistence and remote command and control. The nature of modern RMM tool design allows attackers, in some cases, to do monitor and control an asset without formally installing a software package, which might trigger an alert to the organization’s security team.

A mature security program will update the organization’s protective, monitoring and response approach to address the risk presented by RMM tools. Some of these strategies include:

• Selecting an authorized RMM product or suite for the organization. This will allow security teams that inventory software on their assets to quickly spot the use of unauthorized RMM tools, which might have been introduced by an attacker.
• Auditing the use of the authorized RMM product. Have administrators that use the tools regularly review reports of sessions performed to ensure no unauthorized activity has occurred. Investigate these unauthorized sessions as soon as possible after detection.
• Reviewing network traffic between assets (especially remote assets) and the internet. Identify connections to known RMM tool websites, e.g., downloading of the tools or access to a proxy or management site.
• Scanning the environment to look for listening services. This strategy can be used to identify services belonging to RMM tools.

Tenable has several existing plugins that can detect several different varieties of RMM tools. These include:

• Intelligent Platform Management Interface (IPMI) tools like iDRAC, iLO, ILOM and CIMC, as well as broader detection for any service running the IPMI protocol
• Systems management suites like Microsoft Configuration Manager, BigFix, Altiris, Tanium, LanDesk / Ivanti EM, Workspace ONE UEM / AirWatch, ManageEngine Endpoint Central and JAMF.
• Collaboration tools (yes, attackers use these, too) like Zoom, Teams and WebEx.

Tenable is also releasing a number of Nessus plugins to detect many commonly used commercial and open source RMM or Remote Access Tool products:

There are also Nessus Web App Scanning plugins for many of these applications, which can help detect the applications’ web UI when detecting the service locally isn’t an option.

A new scan template, Remote Monitoring and Management, has been created in Tenable Nessus to check for this set of RMM products. Customers can use the scan template to ensure that the instances they find are authorized for use in the organization. It is strongly recommended to scan with credentials, so that more exhaustive searches for these products can be performed.

IT operations and support teams will continue to rely on RMM tools for productivity benefits even as attackers increasingly exploit them. Tenable anticipates that new RMM solutions will emerge and major systems management suites will further integrate remote-control capabilities directly into their platforms.

Meanwhile, vulnerability and threat intelligence researchers will keep their focus on the tools, identifying weaknesses and opportunities for exploitation as well as attacker-usage of such tools. As additional vulnerabilities are discovered and new threat intelligence reports reveal usage of new and existing tools, Tenable plans to publish detection and vulnerability plugins to find them. Given this growing space, organizations must remain vigilant, ensuring continuous monitoring, timely patching and strong security practices around RMM tools.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, the second of two parts, we look closely at six ways exposure management can help you tame security tool sprawl. You can read part one here and the entire Exposure Management Academy series here.

If you’re managing cyber risk, you know there’s one fundamental question you have to answer: Where are we most exposed? On the surface, that might seem like a simple ask. Are you at risk or not? Like many things, in practice it’s a bit tougher to answer — even though you installed all those security tools to keep your organization safe. But those tools might be a big part of the problem. Most enterprises now struggle with taming all the tools and corralling the data they produce. So getting a clear, consistent and comprehensive answer can be a real challenge. 

Enter exposure management, which gives you the processes and technologies you need to continuously assess the accessibility, exploitability and criticality of digital assets across all systems, applications, devices, resources and identities. As a result, it helps you tame security tool sprawl and works to bind all of that fragmented data together to provide a unified view. Rather than scrambling madly to find the right data when you get a question from your executive team or board, you’ll be able to answer them easily. 

Last week, we shared how exposure management solutions can ease the three challenges that come with security tool sprawl. This week, we dig a bit deeper and explore six ways exposure management can help you work more effectively with all those tools. 

With workloads spanning on-premises, cloud and hybrid environments, today’s IT environments are complex. Users interact with systems using a mix of devices, identities and access points. Security tools, many of which you probably acquired over time to solve specific problems, are often fragmented and don’t communicate beyond their individual siloes. The result: A blurred picture that doesn’t show you how all those pieces fit together or, critically, where the real threats are.

An exposure management platform helps you solve this problem with a foundation built on unified data, with a carefully considered design approach that supports:

• Cross-domain mapping: An exposure management platform must link assets across tools and environments. For example, a single human identity might possess elevated privileges in Amazon Web Services (AWS), Microsoft Azure, Okta and multiple software as a service (SaaS) platforms. So exposure management should track that person as one entity.
• Normalization: Every security vendor has its own nomenclature and vocabulary. Tool A might describe risks in one way while Tool B might use different terminology. An exposure management platform can normalize terminology and build a common language and risk model so you can evaluate findings consistently.
• Correlation and scoring: An exposure management platform should evaluate relationships and assign risk based on interconnected factors such as device vulnerabilities, user privileges, poor hygiene, misconfigurations and external accessibility — not just static severity scores.

Must have: With an exposure management platform, you can consolidate risk data and insights into a single platform. This helps you streamline management and enables your teams to take more efficient, informed actions.

With a mix of cloud services, SaaS platforms, contractors, suppliers and external development teams, 21st century digital enterprises are highly interconnected. Those connections drive your productivity and keep you flexible. The problem is, they also expand the attack surface to previously unimagined breadth and depth. Once an attacker gains a foothold, the interconnected nature of your business systems make it possible for them to find a path to move laterally in pursuit of your most business-critical and sensitive systems and data. 

Plus, not all of these assets and resources — even though they are yours — are under your direct control because they sit outside the traditional IT perimeter. 

Without access to data about those assets, you have a blind spot in your cybersecurity landscape. So you put security tools in place to help you monitor and safeguard these assets, each of which is constantly churning out alerts and data. With the largest companies often using as many as 140 tools, security teams struggle to keep up. And you have no way to contextually analyze all this output so you can grasp where your organization is most exposed. 

Must have: Attackers can connect exposures across your environment so they can move laterally and compromise critical assets. An exposure management platform helps you identify exposures across your environment in context, employing cyber asset attack surface management (CAASM) so you can see how they connect and strategically address the ones that represent the greatest risk. 

Toxic combination of exposures lurking in your organization remain a top cause of breaches. In fact, according to Verizon’s 2025 Data Breach Investigations Report, attackers increasingly relied on exploiting vulnerabilities for initial entry and subsequent breaches, marking a 34% jump from the previous year. 

Even if you have strong security policies in place, it’s easy to overlook certain weaknesses in your environment, such as open ports or a lack of multi-factor authentication (MFA). When combined, these factors form toxic combinations that can make it easier for an attacker to move laterally. 

Weaknesses leading to a toxic combination include: 

• Open ports
• A lack of multifactor authentication
• Unencrypted data and unauthorized or out-of-band changes 
• Privileged access to a business-critical application
• Unpatched vulnerabilities on their device
• A device not covered by endpoint detection and response (EDR)

Must have: An exposure management platform can help you identify specific weaknesses that lead to toxic combinations. The contextual view exposure management provides allows you to map these weaknesses across security vendors and technologies.

Choke points are a critical tactic in cybersecurity — they represent assets or exposures where multiple attack paths intersect. Devices that function as network choke points (e.g., firewalls, routers with ACLs, VPN concentrators, critical servers and API gateways) are often targeted by attackers as they look to move laterally in your environment. If an attacker can compromise a choke point, they can gain access to your entire network segments or critical data flows.

So mapping potential attack paths — including the sequences of vulnerabilities and misconfigurations an attacker could exploit to move through your network and reach critical assets — is a crucial step. An exposure management platform can help you manage choke points in three ways:

• Mapping: It can analyze MITRE ATT&CK techniques and help you map all attack paths.
• Analysis: It needs to identify which exposures are enabling the highest number of critical attack paths that could disrupt business operations or cause a breach.
• Mitigation: It provides strategies to eliminate attack paths and improve your overall security posture.

Must have: Exposure management software helps you identify and focus on the exposures that will most effectively reduce business risk, so you and your teams don’t get overwhelmed trying to address every single issue. It can also help you identify vulnerabilities on your choke point assets so you can prioritize them for remediation. If you remediate or use compensating control on one issue, you can eliminate dozens (or even hundreds) of potential attack paths. That's the power of focusing on choke points.

You’ve got too many dashboards to check, too many tools to manage and too much data to comb through. And chances are you’re trying to track and analyze all this using spreadsheets. The result? It’s easy to miss critical exposures. You need a unified dashboard you can use to track, analyze, and communicate risk from all your security data sources.

But what does unified data really mean? Lumping everything together in one dashboard is a decent start. But exposure management goes further. It aggregates, normalizes and correlates relevant data from across your environment, including domains, tools, clouds and identities. Then it evaluates it all holistically.

An exposure management platform can bring together the key data you need, including:

• Asset data from cloud security platforms, endpoint agents and configuration management databases
• Configuration data from cloud security posture management systems and infrastructure-as-code scans
• Vulnerability data from multiple vulnerability management providers, external intelligence feeds and exploit frameworks
• Identity data from identity and access management (IAM) systems, Active Directory, single sign-on (SSO) providers and SaaS apps
• Application security data from dynamic application security testing (DAST), static application security testing (SAST) and software composition analysis (SCA)

Must have: With aggregated information, an exposure management platform can map relationships across systems, perform attack path analysis and prioritize exposures for action based on how issues intersect. 

You’ve invested a lot in your current security tools. But when you add more point solutions for individual areas, you’ll often see diminishing returns because you lack the necessary technical and business context across different systems. 

You’ll definitely see data noise, staff churn, hidden vulnerabilities and, ultimately, poor ROI. 

So, to get the most out of your security investments, you need a unified strategy that integrates visibility with context across the entire attack surface. This will increase productivity and efficiency, enable you to demonstrate how you’ve reduced risks, lower your costs and significantly boost the ROI of all your security investments.

Must Have: An exposure management platform centralizes all the security data coming from your security tools, helping you streamline processes, cut costs and extract the most from your existing security investments. 

You have a lot riding on all those security tools — the future of your organization and the success of your career. But, often, it’s hard to understand how those tools are performing. So it's important to find a way to view the data from these tools in a unified, contextual manner that correlates exposures across your attack surface. 

Exposure management gives you the ability to start managing risk from one place, with data and insights available in a single platform. 

Your organization will be able to make clear-eyed decisions about how to handle your riskiest exposures and take action to eliminate them before they’re exploited.

We’re all ears. Share your question and maybe we’ll feature it in a future post.

In this special edition of the Cybersecurity Snapshot, we bring you some of the most valuable guidance offered by the U.K. National Cyber Security Centre (NCSC) in the past 18 months. Check out best practices, recommendations and insights on protecting your AI systems, APIs and mobile devices, as well as on how to prep for post-quantum cryptography, and more.

In case you missed it, here are six NCSC recommendations to help your organization fine-tune its cybersecurity strategy and operations.

Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out the NCSC’s “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.

“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.
 

At a high-level, the NCSC proposes these three key milestones:

• By 2028
  • Define the organization’s migration goals.
  • Assess which services and infrastructure need to have their cryptography upgraded to PQC.
  • Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.
• By 2031
  • Execute the first, most important PQC migration steps.
  • Refine the PQC migration plan to ensure the roadmap will be fulfilled.
  • Ensure your infrastructure is ready to support PQC.
• By 2035
  • Complete your PQC migration.

Organizations need to migrate to PQC because quantum computers will be able to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.

The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced in March of this year, should be available in 2027.

For more information about how to protect your organization against the quantum computing cyber threat:

• “How to prepare for a secure post-quantum future” (TechTarget)
• “Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)
• “Companies Prepare to Fight Quantum Hackers” (The Wall Street Journal)
• “US unveils new tools to withstand encryption-breaking quantum. Here's what experts are saying” (World Economic Forum)
• “Quantum is coming — and bringing new cybersecurity threats with it” (KPMG)
• “Quantum and the Threat to Encryption” (SecurityWeek)

After several high profile application programming interface (API) breaches, the NCSC published the guide “Securing HTTP-based APIs,” which urges organizations to update their methods for securing their APIs, including by using stronger authentication.

“Strengthening API security should not simply be seen as a protective measure; it can also enable organisations to enhance agility, simplicity and productivity,” reads a companion NCSC blog titled “New guidance on securing HTTP-based APIs.”
 

Unfortunately, many organizations rely on outdated API-security practices, including:

• Use of basic authentication
• Lack of rate-limiting and user-throttling capabilities
• Unprotected endpoints
• Code-stored credentials
• Use of URLs to transmit sensitive data
• Lax input validation
• Unencrypted API traffic via HTTPs
• Weak logging and monitoring

NCSC offers detailed recommendations to boost the security of your HTTP-based APIs in areas including:

• Development practices
• Authentication and authorization
• Protection of in-transit data
• Input validation
• Denial-of-service attack mitigation
• Logging and monitoring
• Exposure limitation

For example, NCSC recommends adopting strong authentication frameworks like OAuth 2.0 or token-based authentication. It also suggests doing a threat modeling analysis of your API design.

Another recommendation is to develop APIs’ applications in a secure development and delivery environment; and to use secure standards, such as JSON for data exchange and TLS cryptography for in-transit data.

For more information about API security:

• “OWASP API Security Project” (OWASP)
• “13 API security best practices to protect your business” (TechTarget)
• “4 Main API Security Risks Organizations Need to Address” (Dark Reading)
• “API security maturity model to assess API security posture” (TechTarget)
• “99% of Organizations Report API-Related Security Issues” (Infosecurity Magazine)

The NCSC joined other cyber agencies to issue a warning about a spyware campaign aimed at infecting mobile devices of individuals and groups tied to causes that the Chinese government opposes. 

However, all mobile users should take heed because the campaign is global and aggressive, meaning anyone could become a victim, according to the NCSC and cyber agencies from Australia, Canada, Germany, New Zealand and the U.S. 

“The indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims,” reads the NCSC advisory. 

Attackers are targeting supporters of various China-related movements with the BadBazaar and Moonshine spyware variants. Those targeted include journalists, non-governmental organizations, businesses and representatives of groups associated with:

• Taiwanese independence
• Tibetan rights
• Uyghur Muslims
• Hong Kong democracy advocacy
• Falun Gong movement
   

Moonshine and BadBazaar are two types of trojan malware, meaning attackers hide them in legit-looking mobile applications that users voluntarily download. In this particular campaign, attackers are embedding Moonshine and BadBazaar in applications designed to appeal to the intended victims, such as a Uyghur keyboard app and a Tibet-related app.

Once a user inadvertently installs a malicious app, attackers use it to obtain the mobile device’s location data in real-time; access its microphone and camera; retrieve stored messages and photos; and more.

 Mitigation recommendations include:

• Don’t root or jailbreak your mobile device, as this leaves it more vulnerable to cyber attacks.
• Only download apps from trusted app stores like those from Google and Apple.
• Periodically review your installed apps and their permissions, deleting apps you no longer use and restricting excessive permissions.
• Be careful with links, files and apps shared on social media sites, online forums and messaging tools. Scan links with a URL reputation service before clicking on them, and upload suspicious files or apps to a malware analyzer.

To get more information, check out these NCSC resources:

• The announcement “NCSC and partners share guidance for communities at high risk of digital surveillance”
• The advisory “BadBazaar and Moonshine: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors”
• The technical advisory “BadBazaar and Moonshine: Technical analysis and mitigations”

For more information about protecting mobile devices against spyware attacks:

• “How to find and remove spyware from your phone” (ZDNet)
• “Did you know a VPN can protect you from spyware? Here's how” (Yahoo Tech)
• “Your Android phone could have stalkerware — here’s how to remove it” (TechCrunch)
• “Apple: Mercenary spyware attacks target iPhone users in 92 countries” (BleepingComputer)
• “Why rebooting your phone daily is your best defense against zero-click attacks” (ZDNet)

With cybersecurity governance now one of their main responsibilities, boards of directors need strong cybersecurity knowledge — but many are lacking in this area. That’s why the NCSC published a package of cyber governance resources for board members.

“From my experience of working with senior leaders across private and public sectors, I know that strong cyber governance is key to resilience, growth, and long-term success. Board members play a vital role in making this happen,” NCSC CEO Richard Horne wrote in a blog.
 

The NCSC cyber governance resources for board members include:

• The “Cyber Governance Code of Practice,” which outlines the board’s responsibilities in these five key governance areas:
   
  • Risk management
  • Strategy
  • People
  • Incident planning, response and recovery
  • Assurance and oversight
     
• The “Cyber Governance Training” document, which provides five interactive training modules, each focusing on one of the “Code of Practice” principles
   
• The “Cyber Security Toolkit for Boards,” which explains how to implement the five key cyber governance areas

For example, the risk management the toolkit unpacks how to identify the organization’s critical assets and how to collaborate with its supply chain partners. In the strategy area, it goes into how to embed cybersecurity into the organization and what cybersecurity regulations are relevant to boards.

For more information about cyber governance guidance for boards of directors:

• “Principles for Board Governance of Cyber Risk” (Harvard Law School)
• “NACD Director's Handbook on Cyber-Risk Oversight” (National Association of Corporate Directors)
• “A cybersecurity guide for board directors” (Corporate Governance Institute)
• “How boards can effectively oversee AI to drive value and responsible use” (PwC)
• “Guidelines on the Corporate Governance of Cybersecurity” (Board Foundation)

The volume and impact of cyber attacks, including ransomware, will grow as malicious actors of all stripes incorporate AI into their toolboxes. 

Still, how the bad guys use AI and what benefits they get from it will depend on their level of skill and knowledge, the NCSC said in its January 2024 report “The near-term impact of AI on the cyber threat.”

Here’s a table with a nice breakdown of how the NCSC projects that AI will supercharge the cyber attack capabilities of cyber criminals with different levels of sophistication by the end of 2025.
 

(Source: NCSC’s “The near-term impact of AI on the cyber threat” report, January 2024)

In a companion statement, the NCSC highlighted how AI will likely heighten the already critical threat from ransomware by making it easier in particular for unskilled hackers to launch more effective cyberattacks.

“This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years,” the NCSC statement reads.

For more information about how to address AI-powered cyberattacks:

• “Skilling up the security team for the AI-dominated era” (CSO Online)
• “How Zero Trust Can Protect Systems Against Generative AI Agents” (Dark Reading)
• “How to combat AI-produced phishing attacks” (SC Magazine)

The NCSC recently joined fellow cyber agencies to provide insights and best practices for preventing and mitigating cyber attacks against network edge hardware and software devices, which have become a major target in recent months.

“In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat,” NCSC Technical Director Ollie Whitehouse said in a statement.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyber attacks but also provide investigative capabilities require post intrusion,” Whitehouse added.

Devices at risk include routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems.
 

These are the new guides:

• Security Considerations for Edge Devices, led by the Canadian Centre for Cyber Security (CCCS), includes:
  • A description of common threats to edge devices, such as misconfigurations and mismanagement; vulnerability exploitation; and denial of service attacks
  • Examples of edge device compromises
  • Recommendations for mitigating threats to edge devices
• Digital Forensics Monitoring Specifications for Products of Network Devices and Applications, led by the U.K.’s National Cyber Security Centre (NCSC), explains why and how edge devices should support event logging and forensic data acquisition.
• Mitigation Strategies for Edge Devices: Executive Guidance and Mitigation Strategies for Edge Devices: Practitioner Guidance, two guides led by the Australian Cyber Security Centre (ACSC), focus on threat mitigation and are aimed, respectively, at executives responsible for enterprise network security; and at operational, cybersecurity and procurement staff for edge devices.

For more information about network edge vulnerabilities, check out these Tenable blogs:

• “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers”
• “Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends”
• “Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors”
• “CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild”
• “CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability”
• “CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild”