Tenable Blog

How To Reduce DNS Infrastructure Risk To Secure Your Cloud Attack Surface

Tenable Blog
22 hours ago

Mismanaging your DNS infrastructure could put you at risk of destructive cyberattacks – especially as your cloud attack surface expands. Read on to learn about DNS vulnerabilities, the impact of DNS takeover attacks, and best practices for DNS security, including how new Tenable plugins can help you.

Many organizations overlook the security of their domain name system (DNS) infrastructure, a grave mistake, particularly if their cloud adoption is growing. Mismanaging your DNS records can allow attackers to take over any of your subdomains that are inactive and forgotten. Once hackers control one of your subdomains, they can craft a variety of devastating cyberattacks.

In this blog, we’ll unpack how the DNS protocol works; outline common DNS vulnerabilities and their impacts; and drill down into detection, prevention and mitigation best practices. We’ll also explain how newly-released Tenable Vulnerability Management, Tenable Web App Scanning and Tenable Attack Surface Management plugins can help you secure your DNS infrastructure.

Why cloud growth intensifies the importance of DNS security

Organizations increasingly want to integrate new cloud services and SaaS applications into their IT infrastructure to provide them to their users and customers. As part of this process, organizations often create a custom subdomain for their users or customers to access these third-party cloud applications. 

In order to do this, organizations need to create a new DNS record. It’s critical for organizations to keep track of these DNS records so that attackers don’t hijack the custom subdomains. Unfortunately, DNS infrastructure management is often overlooked, creating a blindspot for the organization’s security team. 

DNS resolution basics

The DNS protocol, historically a critical component of the internet infrastructure, translates numerical IP addresses into human-readable names.

DNS protocol provides various record types, including these four:

  • "A" records, which are the basic translation between a subdomain and an IPv4 address.
  • Canonical Name (CNAME) records, which allow organizations to have more than one domain alias pointing to a single domain name linked to one IP address. For instance, five domain aliases can point to example.com. If the IP address tied to example.com ever changes, its DNS record is the only one that needs to be updated. The CNAME aliases that point to example.com can remain as they are. CNAME records never point directly to an IP address – only to other domain names. The target domain name can be either in the aliases' same domain name or in a different one.
  • Mail Exchange (MX) records, which direct email traffic by specifying which mail servers are responsible for accepting incoming email messages for a domain.
  • Name Server (NS) records, which identify which DNS servers are authoritative on a given DNS zone. An authoritative DNS server contains the DNS zone with all the records.

To map a third-party service to an organization’s custom domain, the third-party vendor will request to configure one of these four record types. Once the process is completed, the organization’s traffic will be properly routed via the custom domain. 

The following diagram shows a basic example of how a DNS resolution mechanism works for a CNAME record that isn’t already in any cache of the DNS resolution chain:

Chart showing how a DNS resolution mechanism works for a CNAME record that isn't already in any cache of the DNS resolution chain

The overall flow is similar for other record types such as MX or NS records.

Understanding DNS takeover vulnerabilities

The risk of a DNS takeover emerges when a DNS record is left dangling – meaning that the DNS record points to a subdomain that is inactive or was deleted. This would allow anyone to claim this DNS record from the third-party cloud service. 

A common scenario at the origin of such vulnerabilities is:

  1. An organization’s business unit sets up a third-party cloud service for its internal users.
  2. This business unit then asks the IT department to create a DNS CNAME record for this service to make it look more legit with an “organization” owned domain.
  3. Later, the business unit decides to stop using this third-party cloud service but does not ask the IT department to remove the DNS CNAME record from the DNS zone.
  4. Any user, including an attacker, can claim the custom subdomain from the cloud service provider, and configure it to host malicious content under the victim organization’s domain.

As an example, let’s take an organization that wants to host a basic static website on an AWS S3 storage bucket for an event, such as a two-day conference, and map a subdomain it owns such as mysuperstaticwebsite.acme.corp. By following the official AWS documentation, the service is provisioned and available to all intended users.

After the event ends, the organization takes the website hosted on S3 offline but forgets to remove the custom subdomain’s DNS record. 

The website now displays a generic error showing that the S3 bucket does not exist:

However, an attacker who looks at the DNS record for mysuperstaticwebsite.acme.corp would see the following configuration: 

dig +short CNAME mysuperstaticwebsite.acme.corp mysuperstaticwebsite.s3-website.eu-west-3.amazonaws.com.

Using this information, the attacker could then log on to the AWS console, create an S3 bucket named mysuperstaticwebsite in the eu-west-3 region and attract people who think they’re visiting the legitimate https://mysuperstaticwebsite.acme.corp website.

This risky scenario isn’t limited to CNAME records. MX, NS or A records are also vulnerable. For example, for around 5 years, a Mastercard DNS error went unnoticed just because of a typography issue in one of the NS records set on its az.mastercard.com. The record, using akam.me, was indeed targeting a non-existing domain which was available for registration. 

DNS takeovers can also happen when a domain name expires and is not renewed in the allocated time by the organization that owned it. The domain name then can be purchased by anyone, including hackers, leaving the previous owner open to multiple attack scenarios.

One takeover, multiple impacts

Organizations are often unaware of the potential impacts a DNS takeover attack can have, beyond damage to its brand reputation and to its customer confidence. 

Depending on the type of the compromised DNS record and the organization’s usage of this record, many exploitation vectors could have an impact on an organization's security, including:

  • Phishing: Attackers can build realistic phishing websites hosted on a legitimate URL domain name to target the organization’s internal or external users.
  • Email interception: MX records are a critical part of email infrastructure. When one or several MX records are left dangling and target-DNS records become unavailable, an attacker could take over the DNS records and receive e-mails intended for previous users of this service. This can have a huge impact. It can allow attackers, for example, to perform password-reset operations and log into active services from the organization. 
  • Cookie tossing: Taking control of a subdomain could allow an attacker to set cookies for the parent domains and make them apply to other subdomains. Depending on how the cookies are handled on the other applications, this could help an attacker conduct further attacks.
  •  Bypassing client-side security:
    • Content-Security Policy (CSP) allows website admins to control which resources a browser can load. If a compromised subdomain is in a CSP allow list, an attacker could exploit this vulnerability to bypass the CSP security controls and launch client-side attacks such as cross-site scripting (XSS).
    • A Cross-Origin Resource Sharing (CORS) policy defines the vulnerable subdomain in the allowed origins. An origin is a combination of the URI scheme, the host name and the port number, and adding it to the CORS policy defines the sources allowed to perform cross-site requests on a given web application. An attacker could host malicious JavaScript and exploit the CORS configuration to access sensitive information or perform operations on behalf of legitimate users.
  • Cloud resources compromise: When the compromised target is, for example, a cloud resource such as a storage bucket or a database, it could have a broader impact on the rest of the infrastructure. For example, if a web application still refers to JavaScript static files on a storage bucket that has been taken over, an attacker could upload malicious JavaScript content and conduct stored XSS attacks on other internal or external web applications. 

The risks are even higher when the vulnerable record is an NS record. This type of record allows administrators to delegate the entire DNS zone management to a third-party server. If it is compromised, attackers can then create multiple other records in the delegated zone.

How to detect, prevent and mitigate

Mitigating DNS takeover vulnerabilities is not complex, and will mainly require following best practices for the lifecycle management of DNS records. 

For starters, you must have a well-established and documented process for provisioning external services so that you avoid these mistakes:

  • The DNS record is created but you haven’t yet deployed the third-party cloud service.
  • The DNS record is created and you’ve subscribed to the third-party cloud service, but you haven’t finalized the custom DNS configuration.
  • The third-party cloud service is terminated but the DNS record is not removed from your organization’s DNS zone.

Instead, you must ensure that the DNS record is created only after the third-party cloud service has been created and configured. Once the third-party cloud service is no longer needed, the DNS record must be removed before the external service configuration is eliminated. 

If you are developing a SaaS application as a service provider, you should request customers to verify their domain name's ownership before assigning it a custom DNS record and routing it to your infrastructure. Common security protection requires organizations to add TXT DNS records in the subdomain DNS zone to confirm that they own the subdomain. It is also possible to generate a random and unique CNAME record to be used by each customer, preventing an attacker from re-using a previous CNAME record and hijacking the subdomain.

When attackers analyze an organization’s attack surface, they will enumerate the DNS records related to this organization and check if any dangling records exist. To achieve this, they will look for three different issues:

  • Dangling services that provide an HTTP response. They will have a valid and resolvable DNS record, but will also provide a default HTTP response which can be used to fingerprint the vulnerable services.
  • Dangling services with DNS resolution failure which, most of the time, have CNAME records targeting DNS records that are not resolvable, and makes the DNS resolver return an NXDOMAIN error.
  • Dangling services targeting an IP address not allocated. Attackers can claim, for example, elastic IP addresses on public cloud infrastructures.

Tenable Vulnerability Management’s Attack Surface Management and Web App Scanning features let you comprehensively assess and remediate DNS security issues. By leveraging plugins 114146 (Subdomain Takeover) and 114572 (Danging DNS Record) in addition to Attack Surface Management capabilities, Web Application Scanning users can quickly check if their subdomain is targeting HTTP based dangling records and try fixing these issues before an attacker exploits them. 

Conclusion

Managing an organization’s attack surface requires solid DNS infrastructure management. While DNS records may seem like relics of early cloud adoption, the increasing complexity of modern architectures and rapid evolution of cloud services makes DNS infrastructure management more relevant than ever.

When attackers exploit DNS vulnerabilities, they can build an attack chain that can compromise user sessions, exfiltrate sensitive data or impersonate legacy services. That’s why organizations must embrace a proactive approach and adopt a solid DNS provisioning and management process.

Rémy Marot

Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat

Tenable Blog
5 days 22 hours ago

Check out best practices for preventing buffer overflow attacks. Plus, Europol offers best practices for banks to adopt quantum-resistant cryptography. Meanwhile, an informal Tenable poll looks at cloud security challenges. And get the latest on ransomware trends and on cybercrime legislation and prevention!

Dive into six things that are top of mind for the week ending Feb. 14.

1 - CISA, FBI offer buffer overflow prevention tips

The U.S. government is urging software makers to adopt secure application-development practices that help prevent buffer overflow attacks.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) called buffer overflow vulnerabilities “unforgivable defects” that put national and economic security at risk.

“CISA and FBI urge manufacturers to use proven prevention methods and mitigations to eliminate this class of defect while urging software customers to demand secure products from manufacturers that include these preventions,” the agencies wrote in a joint fact sheet. 

Buffer overflows happen when data written to a computer’s memory buffer exceeds the buffer’s capacity. This can lead to issues such as system crashes, data corruption and remote code execution.
 

 

These are some of the recommendations the agencies offered for preventing buffer overflows in the fact sheet titled “Malicious Cyber Actors Use Buffer Overflow Vulnerabilities to Compromise Software.

  • Use memory-safe languages when developing software.
  • Implement compile time and runtime protections using compiler flags.
  • Rigorously test your software products using static analysis, fuzzing and manual reviews throughout the development cycle.
  • Analyze the root cause of past buffer overflow vulnerabilities to detect trends and patterns.

CISA and the FBI also highlighted these buffer overflow vulnerabilities:

CVE-2025-21333
CVE-2025-0282
CVE-2024-49138
CVE-2024-38812
CVE-2023-6549
CVE-2022-0185

For more information about buffer overflow attacks and vulnerabilities:


VIDEOS

What is a Buffer Overflow Attack? (TechTarget) 

Buffer Overflow Attacks Explained (Tech Sky)

 

2 - Europol to banks: Prepare for quantum computing threat

Financial institutions in Europe must get ready to face the cyberthreat that quantum computers will pose to data security and data privacy when these powerful systems become widely available.

That’s the message from Europol’s new document “Quantum Safe Financial Forum - A call to action” which urges the European financial sector to prioritize adopting post-quantum cryptography.

Here’s the problem: Quantum computers will be able to decrypt data protected with existing public-key cryptographic algorithms, which is why post-quantum algorithms are being developed, with several already available for use. 

Estimates about when these quantum computers will be ready range anywhere from five years to 15 years from now. However, the process for organizations to transition towards quantum-resistant cryptography will be lengthy and complicated.
 


In addition to adopting post-quantum cryptography, banks and other financial institutions should take this opportunity to boost their cryptography management practices, according to Europol.

However, the financial sector won’t be able to go through this journey unassisted. “Achieving this complex goal requires immediate action and a coordinated effort involving industry peers, vendors, policymakers, and society,” the document reads.

Europol recommendations for adopting post-quantum cryptography include:

  • To prioritize the shift to quantum-resistant cryptography, banks should update how they manage cryptography; train IT teams on cryptography; and allocate the required resources.
  • To update cryptographic management, banks should, for example, integrate this practice into general IT asset management; inventory cryptographic assets; and implement policy compliance checks.
  • Banks, governments, vendors and law enforcement agencies must collaborate, coordinate their efforts and share knowledge towards the common goal of securing data against quantum attacks.
  • Regulators should refrain from creating new rules and instead focus on collaborating with the private sector on a set of common, consistent guidelines for quantum-safe cryptography.

For more information about the threat from quantum computing:

3 - A temperature check on cloud security challenges

During this week’s webinar “How does an industry leader like Tenable protect its own cloud environments?,” we asked attendees about their main cloud security challenges. Check out how they responded.

(Source: 138 webinar attendees polled by Tenable, February 2025)

Interested in learning how Tenable’s security team uses Tenable Cloud Security to safeguard our cloud environments? Watch the on-demand webinar, in which Phillip Hayes, Tenable’s Director of Information Security, and Michael Garman, Tenable’s Senior Manager of Technology Engineering, discuss a variety of cloud security best practices.

For more information about Tenable’s cybersecurity best practices, check out these Tenable blogs:

4 - Google: Curbing cybercrime requires international collaboration

Governments must understand that financially motivated cyberattacks impact not only their specific victims but also endanger national security, and as such merit heightened attention from the public sector.

That’s a key takeaway from “Cybercrime: A Multifaceted National Security Threat,” a report released this week by Google’s Threat Intelligence Group.

Although cybercrime accounts for a majority of malicious cyber activity, it gets short shrift from national security cyber defenders, who instead place most of their focus on state-backed groups, the report states.

“While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions,” the authors wrote.
 


“Financially motivated cyber intrusions, even those without any ties to state goals, harm national security. A single incident can be impactful enough on its own to have a severe consequence on the victim and disrupt citizens' access to critical goods and services,” the report reads.

So how can governments more effectively tackle national-security cyberthreats from profit-seeking cybercriminals? Here are some of Google’s recommendations for government policymakers globally:

  • Raise cybercrime to a national security priority, including collecting and analyzing data on cybercrime groups; and boosting law enforcement’s capacity to fight cybercrime.
  • Promote adoption of strong cyber defenses across all industries by, for example, incentivizing organizations to adopt security best practices.
  • Deploy legal, technical and financial measures to dismantle the infrastructure supporting cybercrime operations.
  • Strengthen international collaboration by sharing cyberthreat information, conducting joint investigations and taking coordinated actions against cybercrime networks.
  • Enhance efforts to educate individuals and organizations about online safety, cyber best practices and cyber incident reporting.

For more information about cybercrime trends:

5 - Bipartisan U.S. bill seeks tougher punishments for cybercrimes

A bill introduced by two U.S. senators this week would update an existing computer crime law in order to dial up penalties for cybercrime conspiracies.

Currently, the U.S. government charges suspects accused of conspiracies to commit cybercrimes under a general statute, instead of under the Computer Fraud and Abuse Act (CFAA).

 

 

While the maximum penalty under the general conspiracy statute is five years in prison, the new conspiracy charge that would be added to the CFAA via the “Cyber Conspiracy Modernization Act” could result in jail time ranging between 10 years to life imprisonment.

“The ‘Cyber Conspiracy Modernization Act’ would amend the CFAA to create a specific penalty for the crime of conspiracy under the CFAA,” reads a statement from Sen. Mike Rounds (R-S.D.) who introduced the bill along with Sen. Kirsten Gillibrand (D-N.Y.)

6 - Report: Global ransomware attacks up in 2024

Ransomware attacks grew 15% worldwide last year, compared with 2023, as ransomware gangs showed a growing interest not just in encrypting data but in stealing it to further monetize it.

That’s according to NCC Group’s “Cyber Threat Intelligence Annual Report 2024,” which also found that the industrials sector was the hardest hit, suffering 27% of ransomware attacks, a sign of ransomware groups' focus on critical infrastructure organizations.
 


A trend that developed last year was the increasing interest among ransomware gangs on swiping data, not just locking it up in exchange for payment. Why? Stealing data is “faster, easier and more profitable,” according to NCC Group.

“Stolen information can be leveraged for extortion, fraud, identity theft, or even future breaches, making it a highly valuable commodity in the hands of cybercriminals,” reads the report.

The 5,263 ransomware attacks observed by NCC Group in 2024 were the most since it started monitoring them in 2021. Despite getting hit by law enforcement operations, LockBit ranked first among ransomware groups with 10% of all attacks, followed by RansomHub.

For more information about ransomware:

Juan Perez

Frequently Asked Questions About DeepSeek Large Language Model (LLM)

Tenable Blog
6 days 21 hours ago

The open-source LLM known as DeepSeek has attracted much attention in recent weeks with the release of DeepSeek V3 and DeepSeek R1, and in this blog, The Tenable Security Response Team answers some of the frequently asked questions (FAQ) about it.

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding DeepSeek.

FAQ

What is DeepSeek?

DeepSeek typically refers to the large language model (LLM) produced by a Chinese company named DeepSeek, founded in 2023 by Liang Wenfeng.

What is a large language model?

A large language model, or LLM, is a machine-learning model that has been pre-trained on a large corpus of data, which enables it to respond to user inputs using natural, human-like responses.

Why is there so much interest in the DeepSeek LLM?

In January 2025, DeepSeek published two new LLMs: DeepSeek V3 and DeepSeek R1. The interest surrounding these models is two-fold: first, they are open-source, meaning anyone can download and run these LLMs on their local machines and, second, they were reportedly trained using less-powerful hardware, which was believed to be a breakthrough in this space as it revealed that such models could be developed at a lower cost.

What are the differences between DeepSeek V3 and DeepSeek R1?

DeepSeek V3 is an LLM that employs a technique called mixture-of-experts (MoE) which requires less compute power because it only loads the required “experts” to respond to a prompt. It also implements a new technique called multi-head latent attention (MLA), which significantly reduces the memory usage and performance during training and inference (the process of generating a response from user input).

In addition to MoE and MLA, DeepSeek R1 implements a multitoken prediction (MTP) architecture first introduced by Meta. Instead of just predicting the next word each time the model is executed, DeepSeek R1 predicts the next two tokens in parallel.

DeepSeek R1 is an advanced LLM that utilizes reasoning, which includes chain-of-thought (CoT), revealing to the end user how it responds to each prompt. According to DeepSeek, performance of its R1 model “rivals” OpenAI’s o1 model.

Example of DeepSeek’s chain-of-thought (CoT) reasoning model

What are the minimum requirements to run a DeepSeek model locally?

It depends. DeepSeek R1 has 671 billion parameters and requires multiple expensive high-end GPUs to run. There are distilled versions of the model starting at 1.5 billion parameters, going all the way up to 70 billion parameters. These distilled models are able to run on consumer-grade hardware. Here is the size on disk for each model:

DeepSeek R1 modelsSize on disk1.5b1.1 GB7b4.4 GB8b4.9 GB14b9.0 GB32b22 GB70b43 GB671b404 GB

Therefore, the lower the parameters, the less resources are required and the higher the parameters, the more resources are required.

The number of parameters also influences how the model will respond to prompts by the user. Most modern computers, including laptops that have 8 to 16 gigabytes of RAM, are capable of running distilled LLMs with 7 billion or 8 billion parameters.

What makes DeepSeek different from other LLMs?

Benchmark testing conducted by DeepSeek showed that its DeepSeek R1 model is on par with many of the existing models from OpenAI, Claude and Meta at the time of its release. Additionally, many of the companies in this space have not open-sourced their frontier LLMs, which gives DeepSeek a unique advantage.

Finally, its CoT approach is verbose, revealing more of the nuances involved in how LLMs respond to prompts compared to other reasoning models. The latest models from OpenAI (o3) and Google (Gemini 2.0 Flash Thinking) reveal additional reasoning to the end user, though in a less verbose fashion.

What is a frontier model?

A frontier model refers to the most advanced LLMs available that include complex reasoning and problem-solving capabilities. Currently, OpenAI’s o1 and o3 models along with DeepSeek R1 are the only frontier models available.

DeepSeek was created by a Chinese company. Is it safe to use?

It depends. Deploying the open-source version of DeepSeek on a system is likely safer to use versus DeepSeek’s website or mobile applications, since it doesn’t require a connection to the internet to function. However, there are genuine privacy and security concerns about using DeepSeek, specifically through its website and its mobile applications available on iOS and Android.

What are the concerns surrounding using DeepSeek’s website and mobile applications?

DeepSeek's data collection disclosure is outlined in its privacy policy, which specifies the types of data collected when using its website or mobile applications. It's important to note that data is stored on secure servers in the People's Republic of China, although the retention terms are unclear. Since DeepSeek operates in China, its terms of service are subject to Chinese law, meaning that consumer privacy protections, such as the EU’s GDPR and similar global regulations, do not apply. If you choose to download DeepSeek models and run them locally, you face a lower risk regarding data privacy.

Has DeepSeek been banned anywhere or is it being reviewed for a potential ban?

As of February 13, several countries have banned or are investigating DeepSeek for a potential ban, including Italy, Taiwan, South Korea and Australia, as well as several states in the U.S. have banned DeepSeek from government devices including Texas, New York, Virginia along with several entities of the U.S. federal government including the U.S. Department of Defense, U.S. Navy and the U.S. Congress. This list is likely to continue to grow in the coming weeks and months.

Is Tenable looking into safety and security concerns surrounding LLMs like DeepSeek?

Yes, Tenable Research is actively researching LLMs, including DeepSeek, and will be sharing more of our findings in future publications on the Tenable blog.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang, Nick Miles

Microsoft’s February 2025 Patch Tuesday Addresses 55 CVEs (CVE-2025-21418, CVE-2025-21391)

Tenable Blog
1 week 1 day ago
  1. 3Critical
  2. 52Important
  3. 0Moderate
  4. 0Low

Microsoft addresses 55 CVEs with three rated critical and four zero-day vulnerabilities, including two that were exploited in the wild.

Microsoft patched 55 CVEs in its February 2025 Patch Tuesday release, with three rated critical and 52 rated as important. Our counts omitted one vulnerability reported by HackerOne.

This month’s update includes patches for:

  • Active Directory Domain Services
  • Azure Active Directory
  • Azure Firmware
  • Azure Network Watcher
  • Microsoft AutoUpdate (MAU)
  • Microsoft Digest Authentication
  • Microsoft High Performance Compute Pack (HPC) Linux Node Agent
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft PC Manager
  • Microsoft Streaming Service
  • Microsoft Surface
  • Microsoft Windows
  • Outlook for Android
  • Visual Studio
  • Visual Studio Code
  • Windows Ancillary Function Driver for WinSock
  • Windows CoreMessaging
  • Windows DHCP Client
  • Windows DHCP Server
  • Windows DWM Core Library
  • Windows Disk Cleanup Tool
  • Windows Installer
  • Windows Internet Connection Sharing (ICS)
  • Windows Kerberos
  • Windows Kernel
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Message Queuing
  • Windows NTLM
  • Windows Remote Desktop Services
  • Windows Resilient File System (ReFS) Deduplication Service
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Setup Files Cleanup
  • Windows Storage
  • Windows Telephony Server
  • Windows Telephony Service
  • Windows Update Stack
  • Windows Win32 Kernel Subsystem

Remote code execution (RCE) vulnerabilities accounted for 38.2% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 34.5%.

ImportantCVE-2025-21418 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-21418 is an EoP vulnerability in the Ancillary Function Driver for WinSock for Microsoft Windows. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM level privileges.

Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

Since 2022, there have been nine Ancillary Function Driver for WinSock EoP vulnerabilities patched across Patch Tuesday releases, including three in 2022, three in 2023, and three in 2024, including one that was exploited in the wild as a zero-day (CVE-2024-38193) by the North Korean APT known as the Lazarus Group to implant the FudModule rootkit.

ImportantCVE-2025-21391 | Windows Storage Elevation of Privilege Vulnerability

CVE-2025-21391 is an EoP vulnerability in Windows Storage. It was assigned a CVSSv3 score of 7.1 and is rated important. A local, authenticated attacker could exploit this vulnerability to delete files from a system. According to Microsoft, this vulnerability does not disclose confidential information to an attacker, rather, it only provides them with the capability to delete data, which may include data that could result in service disruption.

Microsoft notes this vulnerability was exploited in the wild as a zero-day. At the time this blog post was published, there was no other information about this exploitation.

Since 2022, there have been seven Windows Storage EoP vulnerabilities patched across Patch Tuesday releases, including two in 2022, one in 2023 and four in 2024. However, this is the first Windows Storage EoP vulnerability exploited in the wild.

ImportantCVE-2025-21194 | Microsoft Surface Security Feature Bypass Vulnerability

CVE-2025-21194 is a security feature bypass vulnerability affecting Microsoft Surface. This vulnerability was assigned a CVSSv3 score of 7.1 and was publicly disclosed prior to a patch being available from Microsoft. According to the advisory, exploitation requires multiple steps, including an attacker successfully gaining access to the same network as the device. Additionally, exploitation requires the attacker to convince the user to reboot their device. With multiple requirements for exploitation, this flaw was assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

ImportantCVE-2025-21377 | NTLM Hash Disclosure Spoofing Vulnerability

CVE-2025-21377 is a New Technology LAN Manager (NTLM) Hash disclosure spoofing vulnerability that was publicly disclosed prior to a patch being made available. Despite the medium severity CVSSv3 score of 6.5, Microsoft assesses this vulnerability as “Exploitation More Likely.” Successful exploitation requires an attacker to convince a user to interact with a malicious file, such as inspecting the file or “performing an action other than opening or executing the file.” Exploitation would allow an attacker to obtain a user's NTLMv2 hash, which could then be used to authenticate as that user.

Microsoft’s advisory also notes that users that only install “Security Only” updates will also need to install Internet Explorer (IE) Cumulative updates in order to be fully protected against this vulnerability.

CriticalCVE-2025-21376 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

CVE-2025-21376 is a critical RCE vulnerability affecting Windows Lightweight Directory Access Protocol (LDAP). This vulnerability was assigned a CVSSv3 score of 8.1, rated as critical and assessed as “Exploitation More Likely" according to Microsoft. Successful exploitation requires winning a race condition via a specially crafted request necessary to exploit a buffer overflow. If successful, the attacker could achieve RCE on an affected host.

This is the first LDAP RCE in 2025, with three having been patched in the December 2024 Patch Tuesday release, each of which were also rated as critical.

ImportantCVE-2025-21400 | Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2025-21400 is a RCE vulnerability affecting Microsoft SharePoint Server. This vulnerability was assigned a CVSSv3 score of 8.0 and rated as important. Successful exploitation would grant an attacker the ability to execute arbitrary code. Exploitation requires an attacker to coerce the victim machine to first connect to a malicious server. This vulnerability was credited to cjm00n of Cyber Kunlun Lab and Zhiniang Peng.

ImportantCVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 | Windows Core Messaging Elevation of Privileges Vulnerability

CVE-2025-21184, CVE-2025-21358 and CVE-2025-21414 are EoP vulnerabilities affecting Windows Core Messaging. Two of the three vulnerabilities were assigned CVSSv3 scores of 7.0, while CVE-2025-21358 was assigned a CVSSv3 score of 7.8. Exploitation of these flaws could allow an attacker to elevate their privileges to SYSTEM.

According to Microsoft, exploitation for CVE-2025-21184 and CVE-2025-21414 requires an attacker to gather information about the target as well as take additional measures to prepare a target for exploitation. Despite the differing requirements necessary for exploitation, Microsoft assesses all three of these vulnerabilities as “Exploitation More Likely.”

Tenable Solutions

A list of all the plugins released for Microsoft’s February 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Cybersecurity Snapshot: Cyber Agencies Offer Best Practices for Network Edge Security, While OWASP Ranks Top Risks of Non-Human Identities

Tenable Blog
1 week 5 days ago

Check out recommendations from CISA and others on how to protect network edge devices and applications. Plus, OWASP has published the 10 risks associated with non-human identities. In addition, find out why ransomware payments plunged in 2024. And a new U.K. non-profit will categorize cyber incidents’ severity. And much more!

Dive into six things that are top of mind for the week ending Feb. 7.

1 - New cyber guides unpack how to secure network edge wares

Looking for insights and best practices for preventing and mitigating cyberattacks against network edge hardware and software devices, such as routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems? You might want to check out new guidance published by several cybersecurity agencies this week.

“Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems,” reads a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise,” the statement adds.
 


These are the new guides, jointly published by cyber agencies from various countries:

“As organizations scale their enterprises, even though securing all devices is important, prioritizing edge device security is vital to defend the many endpoints, critical services, and sensitive data they protect,” Eric Chudow, a U.S. National Security Agency cybersecurity vulnerability analyst, said in a statement.

For more information about network edge vulnerabilities, check out these Tenable blogs:

2 - OWASP ranks top cyber risks of non-human identities

Recognizing the significant growth in non-human identities (NHIs), such as access keys and service accounts, OWASP has published a list of the 10 most critical risks associated with them.

The goal of the “OWASP Non-Human Identities Top 10” project is to make software developers and security pros aware of NHI risks and of the best practices to prevent and mitigate related threats.

“Non-human identities are prevalent in usage for facilitating creation of applications by developers, and the project is aimed at helping security professionals thoroughly understand their non-human attack surface, so they can better protect and manage it,” reads the project’s home page.

Here’s the OWASP list of the top 10 NHI risks:

“This comprehensive list highlights the most critical challenges in integrating NHIs into the development lifecycle, ranked based on exploitability, prevalence, detectability, and impact,” reads the project’s home page.

For more information about securely managing digital identities:

3 - Report: Ransomware payments dropped in 2024

If your organization suffers a ransomware attack, would it be less willing to pay the attackers than, say, it would have been a few years ago? If so, then you’d be part of a growing trend.

Last year, ransomware gangs collectively pocketed less money than in 2023, as victims refused to shell out ransom payments in more than half of 2024 incidents. 

That’s according to blockchain analytics firm Chainalysis, which this week said that although ransomware incidents grew in 2024, ransom payments shrunk significantly compared with 2023.

Another factor that disrupted ransomware activity was a variety of global law enforcement efforts that hobbled major ransomware players.

Specifically, ransomware groups collected about $814 million from victims last year, down 35% from $1.25 billion in 2023.

Interestingly, ransomware payments in the first half of 2024 were up about 2.4%, compared with the same period in 2023. However, payments then declined about 40% in 2024’s second half.

(Source: Chainalysis, February 2025)

Two large ransomware gangs whose activity plummeted in the second half of 2024 were LockBit, which was hit by law enforcement actions, and ALPHV/BlackCat.

Although lone actors and smaller new groups emerged, they weren’t able to fully fill the ransom-payment void left by disrupted larger groups, which also included Blacksuit and Silent/Luna Moth.

Ransomware in 2024 reflected shifts driven by law enforcement action, improved victim resilience, and emerging attack trends,” reads Chainalysis’ report.

For more information about recent ransomware trends and incidents:

4 - New non-profit will analyze and rate U.K. cyber incidents

The Cyber Monitoring Centre (CMC) went live this week with the charter of using a standard and uniform criteria for rating the severity of cybersecurity incidents that impact U.K. businesses.

An independent non-profit organization, the CMC hopes its work will help organizations more clearly grasp the consequences of cyber incidents so that they can improve their mitigaton and response.

“The CMC has the potential to help businesses and individuals better understand the implications of cyber events, mitigate their impact on people’s lives, and improve cyber resilience and response plans,” reads a CMC statement.

The CMC has developed a framework for assessing and analyzing cyber incidents that affect multiple companies and could potentially cause more than £100 million in losses. The CMC’s technical committee will gather cyber incident data and use the framework to analyze it.

“Measuring the severity of incidents has proved very challenging,” Ciaran Martin, the CMC’s technical committee chairman and a former head of the U.K. National Cyber Security Centre, said in the statement.

“I have no doubt the CMC will improve the way we tackle, learn from, and recover from cyber incidents,” he added. 

Once it has completed its analysis of an incident, the CMC will rate it between 1 (least severe) and 5, and create a free report available to any interested organization.

To get more details about the CMC, check out the announcement “Cyber Monitoring Centre officially starts categorising cyber events” and the organization’s “Event Categorisation Methodology.”

5 - CISA alerts healthcare orgs about backdoor in Contec tool

Here’s one security warning for hospitals, clinics and other healthcare facilities.

The product Contec CMS8000, used to monitor patients’ vital signs, has a backdoor that can allow data leakage, remote code execution and device modification, CISA has warned.

The Contec CMS8000’s embedded backdoor function with a hard-coded IP address is present in three versions of the product’s firmware, according to CISA’s factsheet.
 


Two CVEs have been assigned to the issue: CVE-2025-0626 and CVE-2025-0683

The Contec CMS8000 is also sold under different names, including Epsimed MN-120. The manufacturer, Contec Medical Systems, is based in Qinhuangdao, China.

To get more details about healthcare security, check out:

6 - E-marketplaces for cybercrime wares shut down

The U.S. Department of Justice and and Dutch National Police took down almost 40 domains and their servers that a Pakistan-based group had used for years to sell phishing toolkits, hacking wares and other cybercrime tools.

The group, known as Saim Raza and as HeartSender, had operated the now shuttered websites since at least 2020. Its customers were organized cybercrime groups that inflicted losses of more than $3 million on U.S. victims, mostly via business email compromise schemes.
 


“The seizure of these domains is intended to disrupt the ongoing activity of these groups and stop the proliferation of these tools within the cybercriminal community,” reads a DOJ statement.

In addition to selling cybercrime tools, Saim Raza also provided training via instructional videos posted on YouTube on how to use these products and on how to carry out cyber fraud operations.

For more information about cybercrime trends:

Juan Perez

Tenable Supercharges Exposure Management with Acquisition of Vulcan Cyber

Tenable Blog
1 week 5 days ago

Vulcan brings more than 100 additional third-party integrations and enhanced remediation workflows to the Tenable One Exposure Management Platform, enabling organizations to prioritize their security risk based on contextualized and enriched intelligence.

At our core, Tenable is dedicated to exposing and closing the security gaps that put businesses at risk. Today, we announce a significant advancement in that mission with the acquisition of Vulcan Cyber, whose capabilities will soon enhance the Tenable One Exposure Management Platform.

The role of exposure management

As the cyber attack surface expands exponentially, so does the number of security tools meant to manage it. Unfortunately, these scattered tools often overwhelm security teams with fragmented insights — resulting in endless alerts, isolated data and conflicting recommendations on how to address threats — making it nearly impossible to understand what matters most.

Exposure management addresses these challenges by shifting preventive security from securing technology silos to applying contextual risk intelligence to protect the business. Since the launch of the Tenable One Exposure Management Platform in 2022, we’ve helped customers:

  • Gain visibility and control across the entire attack surface
  • Prioritize exposure risk based on contextualized and enriched intelligence
  • Foster collaboration among security teams and remediation owners using automated workflows and remediation guidance
  • Remediate more critical findings and reduce mean time to remediate (MTTR)
Expanding Tenable One with Vulcan Cyber

By integrating Vulcan Cyber’s capabilities into Tenable One, we will expand our ecosystem of third-party data integrations across vulnerability assessment, endpoint, cloud and application security, which will provide our customers with even more visibility and control over their entire attack surface. Vulcan also introduces advanced tagging, intelligent ticketing and automated campaigns that will automatically route security issues to the appropriate teams, ensuring seamless collaboration between security teams and remediation owners.

This acquisition represents a powerful step forward in our vision to build the most advanced exposure management platform on the market — one that doesn’t just highlight weaknesses but actively helps businesses close their most critical security gaps. With Vulcan Cyber’s third-party integrations and automated remediation workflows, combined with Tenable One’s analysis of vulnerabilities and misconfigurations across IT, cloud, identity, internet of things (IoT) and operational technology (OT) systems, our customers have the ability to prioritize the most critical actions, automate remediation workflows to improve proactive security and manage everything within a single, user-friendly interface.

Stay tuned for more updates as we integrate Vulcan Cyber into the Tenable ecosystem.

Amir Hirsh

CISA Releases FOCAL Plan to Help Federal Agencies Reduce Cyber Risk

Tenable Blog
2 weeks 1 day ago

CISA’s FOCAL Plan, which aims to standardize the cybersecurity operations of federal civilian agencies, marks an important step in the federal government's efforts to strengthen cyber defenses and reduce agency risk. Learn how Tenable One for Government, which recently achieved FedRAMP Authorization, aligns to the FOCAL Plan key priorities. 

Each Federal Civilian Executive Branch (FCEB) agency has a unique role in supporting the mission of the U.S. federal government, from national security to healthcare to education. However, agencies’ approaches to managing cyber risk vary widely, with each agency operating independent networks with interconnected systems and varying degrees of cyber risk tolerance. This complexity makes managing exposures across the FCEB a complex challenge and drives the need for a coordinated cybersecurity strategy.

To address this issue, the Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled the “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan.” It’s designed to enhance cybersecurity across the FCEB by standardizing essential components of operational cybersecurity throughout the federal enterprise and enabling a collective defense approach. It provides actionable steps federal agencies can take, with their varied architectures and risk management strategies, to mitigate cyber risks and improve resilience through a unified approach to operational defense. And while it is not an exhaustive list of all the things agencies must do to secure their missions, it does provide a baseline for agencies to focus resources on those actions that substantially advance operational cybersecurity improvements and alignment goals. 

CISA’s FOCAL Plan priority areas

(Source: “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan,” CISA, September 2024.)

  1. Asset Management

To safeguard federal networks, agencies must have comprehensive visibility into their entire infrastructure, and continuously assess how those assets are interconnected. As the old saying goes: “You can’t protect what you can’t see.” This priority area aims to ensure agencies know what assets they have so they can be properly defended. 

It’s important to remember that assets span far beyond traditional IT assets. As recent mandates and CISA Binding Operational Directives (BOD) have stressed, agencies must have visibility into OT, IoT, cloud and identity assets. Look no further than the Office of Management and Budget (OMB)’s Memorandum M-24-04 which directed federal civilian departments and agencies to inventory their IoT and OT assets by the end of fiscal year 2024.

  1. Vulnerability Management

Getting an accurate inventory of your assets is a key first step, but it’s equally fundamental to understand the vulnerabilities on each of those assets so that you can proactively secure the attack surface. As the FOCAL Plan points out: “What constitutes an agency’s enterprise has evolved over the years, particularly as the attack surface has expanded and grown more complicated.” This has made vulnerability management more challenging. The FOCAL Plan focuses on proactive vulnerability management, so that agencies can understand their exposures by identifying, assessing and mitigating vulnerabilities across asset types, before an attacker can exploit them. 

  1. Defensible Architecture

Because attacks are inevitable and resilience is critical, this priority area focuses on building robust, defensible infrastructures with principles like segmentation, identity management and zero-trust security. With a focus on limiting an attacker's ability to access sensitive data when a compromise occurs, this priority aims to help agencies minimize impact and operational disruptions through the implementation of proper tools and controls. 

  1. Cyber Supply Chain Risk Management (C-SCRM)

FCEB agencies often rely on third-party vendors, which can introduce supply chain risk. This priority addresses the risk posed by external vendors and technologies by ensuring agencies can quickly identify, assess and mitigate vulnerable software and hardware from their suppliers and partners. 

Case in point: the critical Log4j vulnerability, known as Log4Shell, a critical remote code execution vulnerability in Apache’s Log4j software library. This vulnerability posed a massive risk due to the widespread use of the Apache Log4j open-source logging library in many enterprise applications and cloud services, and the ease with which the vulnerability could be exploited. In the days that followed, every agency and industry security practitioner had to detect all instances of Log4j in their environment. In many cases, versions of the offering were buried deep within third-party software packages or government off-the-shelf solutions. Agencies with a complete understanding of the software deployed across their environment were able to quickly respond to the threat, and meet or exceed the deadline established by the CISA Emergency Directive (ED) 22-02. Unfortunately, Log4Shell quickly became a crisis for security teams that did not have a complete understanding of their inventory.

  1. Incident Detection and Response 

This priority area is geared towards strengthening the ability of security operations centers (SOCs) to detect, respond to, and mitigate cyberattacks rapidly and effectively. As mentioned earlier, attacks are inevitable, so it’s critical to quickly detect and respond to an attack. Combining rapid detection and response with best practices such as segmentation and identity management will further disrupt an attacker's ability to access sensitive data.

Meeting CISA FOCAL Plan priorities with Tenable One

We’re excited to share that Tenable One is now FedRAMP authorized at the moderate impact level. Tenable One for Government is an exposure management platform designed to help agencies radically unify security visibility, insight and action across the attack surface to rapidly expose and close the gaps that put agencies at risk. 

Tenable One for Government helps agencies meet CISA FOCAL Plan priorities with:

  • Centralized visibility of all assets across the attack surface, from IT infrastructure to cloud environments to critical infrastructure, containers, identity systems, web applications and everywhere in between.
  • Vulnerability enumeration and prioritization so you can pinpoint priority weaknesses and focus on the actual exposures that matter to quickly reduce cyber risk.
  • A defensible architecture based on zero trust principles so you can quickly detect and respond to attacks in real time, map attack paths and surface all the possible steps that attackers could take to move laterally, escalate privileges and gain control of your infrastructure.
  • A deep understanding of overall cyber risk with risk metrics and exposure scores to easily identify problem areas across your agency infrastructure. You can then set precise, trackable KPIs and SLAs to hold teams accountable for managing risk.
Learn more:
Garrett Cook

Cybersecurity Snapshot: CSA Offers Tips for Deploying AI Securely, While Deloitte Says Cyber Teams’ GenAI Use Yields Top ROI

Tenable Blog
2 weeks 5 days ago

Check out the Cloud Security Alliance’s recommendations for rolling out AI apps securely. Meanwhile, a Deloitte survey found GenAI initiatives by cyber teams deliver the highest ROI to their orgs. Plus, the NSA urges orgs to combat GenAI deepfakes with content provenance tech. And get the latest on CISO trends; patch management; and data breach prevention.

Dive into six things that are top of mind for the week ending Jan. 31.

1 - CSA: Best practices for secure AI implementation

Looking for guidance on how to deploy AI systems securely? You might want to check out the Cloud Security Alliance’s new white paper “AI Organizational Responsibilities: AI Tools and Applications.

Published this week, the paper covers three key areas: the security of large language models and generative AI applications; supply chain management; and additional implementation elements, such as employee use of generative AI tools. 
 

 
Each of those three areas is analyzed according to six areas of responsibility for teams deploying AI systems:

  • Evaluation criteria: To assess AI risks, organizations need quantifiable metrics. That way, they’ll be able to measure elements such as model performance, data quality, algorithmic bias and vendor reliability.
  • RACI model: It’s key to be clear about who is responsible, accountable, consulted and informed (RACI) regarding AI decisions, selection of tools and vendor management.
  • High-level implementation strategies: Teams should outline the process for integrating AI tools and applications into existing workows, and particularly how they’ll address challenges such as data integration and model deployment.
  • Continuous monitoring and reporting: The paper recommends continuously monitoring elements such as AI tool performance and data drift, and regularly generating reports on AI system health and vendor compliance.
  • Access control: It’s critical to implement strong access-control mechanisms to protect algorithms, data and AI infrastructure.
  • Adherence to AI standards and best practices: Complying with AI standards, regulations and guidelines will help teams, for example, secure AI applications, conduct responsible AI development and mitigate supply chain risks.

As AI technologies evolve and their adoption expands across industries, the need for strong governance, security protocols, and ethical considerations becomes increasingly critical,” Michael Roza, the paper’s lead author, said in a statement.

Some of the white paper’s key takeaways include:

  • AI security requires addressing both traditional and AI-specific cybersecurity concerns.
  • Effective third-party and supply chain management is critical. 
  • Organizations need clear policies and guidelines for employees’ AI use.
  • AI governance requires clear role definitions and specialized skills.

For more information about AI security, check out these Tenable blogs:

2 - Report: Cybersecurity use of GenAI produces highest ROI

As enterprises deploy generative AI across their business, cybersecurity initiatives are generating the highest return on investment (ROI).

Moreover, cybersecurity initiatives are more deeply integrated into work processes than initiatives from other departments, such as sales, research and development, and finance.

Those findings come from Deloitte’s “The State of Generative AI in the Enterprise: Generating a new future” report, based on a survey of about 2,770 directors and CxOs from organizations piloting or implementing generative AI.

“Relative to other types of advanced GenAI initiatives, those focused on cybersecurity are far more likely to be exceeding their ROI expectations,” reads the report from Deloitte, which polled respondents in 14 countries.

Specifically, the survey found that 44% of respondents' cybersecurity initiatives are delivering an ROI that is “somewhat or significantly above expectations.” 
 

(Source: Deloitte’s “The State of Generative AI in the Enterprise: Generating a new future” report, January 2025)

While these findings reflect positively on how cybersecurity departments are deploying generative AI, the technology still faces adoption challenges in enterprises in general, the report notes, including:

  • Regulatory uncertainty
  • Risk management
  • Data deficiencies
  • Workforce issues

Specifically, regulatory concerns have become the top barrier for generative AI adoption, while almost 70% of respondents estimate that it’ll take their organizations more than a year to fully implement a generative AI governance strategy.

The report’s recommendations for successful adoption of generative AI in enterprises include:

  • CxOs must ensure IT and business leaders work in tandem.
  • Ensure generative AI initiatives deliver measurable ROI by, for example, focusing on high-impact use cases; establishing centralized governance; and continuously iterating.
  • Plan for the eventual adoption of agentic AI systems, which can act with a high degree of autonomy, requiring little or no human intervention.

To get more details, check out the report’s announcement, the full report and this video of a panel discussion about the report:

For more information about using generative AI for cybersecurity:

3 - How content provenance tech helps flag AI deepfakes

Organizations must get acquainted with a key technology designed to track the origin of media files and that way verify if they have been maliciously created or modified to spread falsehoods and misinformation.

That’s the message from the Australian, Canadian, U.K. and U.S. governments, which this week jointly published the document “Content Credentials: Strengthening Multimedia Integrity in the Generative AI Era.

“Advanced tools that allow the easy creation, alteration, and dissemination of digital content are now more accessible and sophisticated than ever before,” the 25-page document reads.  
 


“This escalation threatens organizations’ security, with AI-generated media being used for impersonations, fraudulent communications, and brand damage. Therefore, restoring transparency has never been more urgent,” the document adds.

The technology in question is called Content Credentials, and, according to the document, it’s in the process of becoming global ISO standard 22144. It tracks the provenance of media files by logging their creation and subsequent changes, and storing that information as encrypted, tamper-evident metadata.

Co-authored by the U.S. National Security Agency, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security and the U.K. National Cyber Security Centre, the document seeks to:

  • Explain how Content Credentials can provide media-provenance transparency
  • Create awareness about how Content Credentials is being developed
  • Recommend best practices for how to preserve provenance data
  • Stress why broadly adopting Content Credentials is critical

The Content Credentials technical specification is developed and maintained by the Coalition for Content Provenance and Authenticity (C2PA) and implemented by the Content Authority Initiative (CPI)

For more information about Content Credentials:

VIDEO

Join the movement for content authenticity (Content Authenticity Initiative)

4 - Study: CISOs’ access to the board and CxOs is critical

Organizations where the CISO works closely with the board of directors and with fellow CxOs have stronger security programs than organizations where this collaboration is weaker.

In addition, CISOs with strong ties to their boards and CxOs tend to be happier at work and to earn more.

Those are two findings from the “State of the CISO 2025 Report” from IANS Research and Artico Search, based on a survey of 830 security executives.

“This report demonstrates that board engagement and C-suite access is critical in shaping the future of a security program and a CISO’s career,” Steve Martano, IANS Faculty and Executive Cyber Recruiter at Artico Search, said in a statement.

Yet, only 28% of survey respondents fell into the category of “Stragegic CISO,” defined as one with outstanding C-suite access and boardroom influence. 

The majority – 50% – were deemed as “Functional CISOs,” who despite having “significant influence” nonetheless lack consistent visibility with the board or CxOs.

The rest – 22% – were classified as “Tactical CISOs” because they focus mostly on technology and have minimal interaction with the C-suite and the board. 
 

(Source: “State of the CISO 2025 Report” from IANS Research and Artico Search,” January 2025)

Obviously, the recommendation is for all CISOs to rise to the category of “Strategic CISO,” as close communication and collaboration with the board and fellow CxOs -- including CFOs -- is essential to align the security program with the business strategy.

For CISOs to have optimal communication with board members and CxOs, the report recommends that they:

  • Volunteer for projects and committees to explain to fellow business leaders the security angle of these cross-functional initiatives.
  • Delegate tactical and operational tasks on team members so CISOs have more time for strategic work.
  • Instead of limiting themselves to technical topics, CISOs should address strategic governance issues and that way act as a partner to the other CxOs.

To get more details, check out:

5 - Tenable: What are your patch management challenges?

During our recent webinar “From Reactive to Proactive: Expert Guide to Effective Remediation Automation,” we polled attendees about their struggles with patch management. Check out what they said. 
 

(124 webinar attendees polled by Tenable, January 2025)

Check out the on-demand webinar to learn about actionable strategies and proven approaches for streamlining remediation, improving patching efficiency and reducing risk.

To learn more about patch management and vulnerability management, check out these Tenable resources:

VIDEO

Key Elements of Effective Exposure Response

6 - Data breach report: Many incidents preventable with standard cyber

Almost 200 data breaches that occurred in the U.S. last year -- including several of the largest ones -- could have been prevented via the use of well-known cybersecurity practices.

That’s one of the findings from the Identity Theft Resource Center’s “2024 Data Breach Report,” which was published this week and is the latest reminder of the importance of adopting foundational cybersecurity tools and procedures.

“A significant number of data compromises could have been avoided with basic cybersecurity,” ITRC President James E. Lee wrote in the report’s introduction.

Specifically, four of 2024’s “mega-breaches,” which collectively resulted in the issuance of 1.24 billion victim notices, were deemed preventable through cybersecurity processes and techniques, including:

  • multi-factor authentication (MFA) or passkeys
  • secure software software development
  • vulnerability patching
  • security awareness training


Here are other key findings from the report:

  • The 3,158 U.S. data compromises recorded in 2024 fell 1% compared with 2023. Most of the incidents – 90% – were categorized as data breaches.
  • Cyberattacks caused the majority – 80% – of data breaches. The rest were caused by system and human errors; physical attacks; and supply chain attacks.
  • Victim notices skyrocketed 312% to 1.72 billion, driven by 2024's six “mega-breaches,” each of which generated at least 100 million notices.
  • The hardest hit industry was financial services, followed by healthcare and professional services.

To get more information, check out the ITRC’s report announcement and the full report.

For more information about data security:

Juan Perez

What Makes This “Data Privacy Day” Different?

Tenable Blog
3 weeks 2 days ago

As we celebrate Data Privacy Day, Bernard Montel, Tenable’s EMEA Technical Director and Security Strategist, wants to remind us that we live in a digital world and that we need to protect it. With data breaches a daily occurrence, and AI changing the playing field, he urges everyone to “do better.”

Launched in April 2006 by the Council of Europe, Data Protection Day – or Data Privacy Day, as it’s known outside of Europe – is celebrated globally every year on January 28. Back in 2006, around 100 million records were compromised across various breaches in the U.S., according to data collated by Privacy Rights Clearing House. But in 2024, in just one data breach suffered by National Public Data (NPD), approximately 2.9 billion records were allegedly stolen.

Collectively, we have to do better. 

The lifeblood of the organization

Data is the essence of every company. It’s information about your customers, your employees, your intellectual property, your financial performance and more. Data also fuels innovation in the cloud. However, the volume and complexity in hybrid and multi-cloud environments make it increasingly complex to secure your business’s data. 

Externally, data breaches can lead to mistrust and brand damage, as well as to lawsuits, fines and lost business. Internally, they can – and should – trigger increased scrutiny from the board, which will justifiably question the strength of the organization’s security posture. 

When AI comes marching in

With data at the heart of everything, AI has completely changed the playing field this Data Privacy Day, adding a further layer of risk when it comes to protecting our information. 

Organizations face the complex task of controlling AI deployment usage while also identifying vulnerabilities within AI tools and AI development packages. The adoption of AI increases the volume and variety of cloud data. In tandem, as AI applications become more sophisticated, they require more training data to learn from and function effectively. Thus, protecting cloud data is paramount to maintaining the integrity and security of your business’s AI usage.

Externally, threat actors are also looking to supercharge their activity with AI. It has been well documented how attackers are leveraging AI to write more sophisticated and effective malware for ransomware attacks, as well as to enhance phishing scams and more. 

You can’t have privacy without security

To take advantage of the unique opportunities offered by the cloud and AI, you must address the full spectrum of security responsibilities that accompany collecting, storing, and using data. These responsibilities include automatically and continuously scanning data assets, discovering and monitoring sensitive data, and alerting on any potential risk.

Protecting data in public cloud environments starts with three steps:

  • Know your cloud resources. You must discover the compute, identity and data resources in your cloud and get contextualized visibility into how critical resources are accessed.
  • Expose critical cloud risks. It’s critical to gain the context you need to focus on the priority risks caused by the toxic combination of misconfigurations, excessive entitlements, vulnerabilities and sensitive data.
  • Close cloud exposures. It’s essential to reduce cloud risk by closing priority exposures with top speed and surgical precision – even if you only have five minutes to spare.

Let’s look at how the integration of data security posture management (DSPM) into a cloud native application protection plaform (CNAPP) can give you a comprehensive view of your cloud data and the risks associated with it. 

DSPM is a set of ongoing processes and technologies that provides visibility into where sensitive data is stored, who has access to it, and how it's being used across your systems, providing analysis of the overall security posture around data itself, rather than just the infrastructure hosting it. 

Meanwhile, CNAPP solutions replace a patchwork of siloed products that often cause more problems than they solve, such as multiple false positives and excessive alerts. Those individual products usually provide only partial coverage and often create overhead and friction with the products they’re supposed to work with. Most importantly, CNAPPs allow businesses to monitor the health of cloud native applications as a whole rather than individually monitoring cloud infrastructure and application security.

When DSPM is integrated into a CNAPP, it empowers the security team to obtain actionable data context that helps the team better prioritize risks and reduce the organization's exposure to customer data breaches and the compromise of AI resources and intellectual property. 

How Tenable can help

With Tenable Cloud Security, you can reduce risk by rapidly exposing and closing priority security gaps caused by misconfigurations, risky entitlements and vulnerabilities – in one powerful CNAPP. With integrated DSPM capabilities, Tenable Cloud Security continuously monitors your multi-cloud environment to discover and classify data types, assign sensitivity levels and prioritize data findings in the context of the entire cloud attack surface. 

At Tenable, we help you identify your weaknesses, detect your gaps and close your exposures quickly. This Data Privacy Day, do better by taking action to protect the data that your organization relies upon to function and that you’re trusted to protect, wherever it resides.

Learn more
Bernard Montel

How To Clean Up Your Cloud Environment Using Tenable Cloud Security

Tenable Blog
3 weeks 2 days ago

You must periodically review your cloud environments to remove old and unused resources because they can create security risks. But what is the right way to perform this task? Read on to learn about five best practices we employ internally to clean up our cloud accounts which we hope can help enhance your cloud security strategy.

Overview

At the start of the new year, it’s important to assess all of your cloud environments and see where you can remove old and unused resources. While your production accounts might have a few unused resources and services, accounts used for product testing and development typically contain a larger number of resources of varying ages and states. 

While there are tools for automatically deleting those resources, these solutions often arbitrarily remove resources that are still needed. In order to prevent that from happening, it’s better to use a solution that provides more comprehensive details on what’s active, what’s not in use, and what you might need to exclude. That way, your organization would be able to make more informed decisions. 

After launching our Cloud Security program, we used Tenable Cloud Security to review our cloud accounts for old and unused resources. Based on our experience, we identified five key best practices for cloud environment cleanup and created a process to carry out this task. In this blog, we’re sharing what we’ve learned, hoping that it will help your organization refine its cloud security strategy further.

The rationale behind account cleanup

Reviewing and cleaning up old and unused resources from cloud accounts is important for several reasons.

First, many resources can generate hourly charges, but terminating one resource may not stop all its costs. That’s because associated resources often have additional costs that may linger within your account. 

It’s also essential to monitor all public-facing instances and virtual machines that use Secure Shell (SSH) keys or that have local login credentials set up. These resources can be accessible to users long after they have left your organization, leading to increased security risks.

Moreover, reviewing data within public-facing Amazon S3 buckets, Amazon RDS instances, GCP storage buckets, and Azure storage accounts can help prevent the exposure of sensitive data such as personally identifiable information (PII), financial records, and other sensitive information. 

In addition, when cleaning up cloud accounts, reviewing access control is also important. Reviewing the status of all user identities and how they access your account can help improve account security. You may have active and inactive user accounts with access and permissions to resources that need to be removed. 

Below we explain how you can find these resources and why it’s important to review them for potential deletion. We also highlight additional security controls you should consider implementing in your cloud environment. You can apply these best practices selectively or comprehensively, regardless of your cloud platform or the account types that need to be reviewed.

Consideration 1: Age of resources

To determine the age of your resources, first select the account in-scope, then choose the service you want to review under the “Inventory” section of the console. You can review the existing resource counts to see if you need to focus your cleanup efforts on a specific service. 
 


Tenable Cloud Security provides several options to easily view when a resource was created. Using the “Created” column, you can filter results from oldest to newest, so you can see the older resources at the top of the list.
 


In the console, if you want to view the resources created more than 180 days ago, select the “Created” filter, then use the “Before the last” option to choose that filtering criteria. 
 


Results using this filter should give you an idea of the age of your resources and what might need to be deleted. We also recommend that you export results to a .csv file to get the complete list of resources within your account, so you can view all resources at-a-glance, including those that do not contain a “Created” date.

Consideration 2: Active vs inactive

Cloud accounts will contain a combination of both active and inactive resources. Checking a resource’s size may indicate whether it’s in use or not. Tenable Cloud Security lists the size of data resources such as buckets, databases, clusters, and snapshots, so you’re able to filter the resources list using that element. Results can show you resources with little to no data being stored. Depending on the “Last Modified” date or “Created” date listed, some of these resources may be a good candidate for deletion. 
 


To quickly find inactive identities within the Tenable Cloud Security console, select the “Inactive” label. You'll get a list of inactive identities that are overprivileged permissions, require key rotation, or have unused access keys and passwords that must be addressed.
 


When reviewing other services to see if they are active, it’s important to remember that not all cloud services will provide details on when the resource was last active. The Amazon EC2 service, for example, supports the “Launch Time” filter, which indicates when an instance was last rebooted. However, other services like Amazon S3 only provide a “Created” date. The S3 service does not provide direct information on when a bucket is being actively used or when it was last modified. 

Consideration 3: Access to accounts

When reviewing access to accounts, it’s important to determine how your team members are accessing them, what resources are being used, and when they were last active. If you have set up in Tenable Cloud Security an “Identity Providers” integration such as Okta, Microsoft Entra ID, or Google Workspace for example, you can view the status of your “Users”, when they last signed-in, and how long ago they were active.
 


Another important aspect to consider is how team members are accessing the account. For AWS accounts, the list of questions below can help you determine where you need to focus your efforts.

  1. If you are using AWS Identity and Access Management (IAM) users to log into your account, do they employ access keys, passwords, or both? 
  2. If AWS IAM roles are used to log into the account, and IAM users are also required, should permissions be restricted using access keys only?
  3. Are there any inactive IAM user accounts that need to be disabled?
  4. Are there any team members with access to an active IAM user account that may have recently left your company? 

From this list, you can determine if you need to take additional steps such as deactivating an identity, removing access, or updating how users are accessing your account. Lastly, you may need to consider implementing additional security controls like organizational policies or IAM permissions to prevent the creation of those resources. 

Consideration 4: Public resources

While it’s important to check on all identities, it’s also critical to review what type of public-facing resources you have in your account. Many non-production accounts often include resources such as public instances or public buckets. These resources may allow public access to known ports, provide public access to web applications, and grant remote access to these instances. It’s also important to check for running public instances and virtual machines that use SSH keys. Public instances with SSH keys could contain local user accounts and credentials that were set up, but need to be disabled.
 


If you plan to retain any public-facing resources, we also recommend reviewing public buckets or storage accounts for any sensitive data that might be stored. Using Tenable Cloud Security’s Data Protection feature, you can find scanned buckets and managed databases containing sensitive data. Within the “Data” section, you can select the “Public” labels filter to view resources with sensitive data being stored on publicly accessible resources. 
 


Scanned results will include the specific files or location within the resource under the Details column that should be reviewed.
 


We recommend that you review all public resources and data within your account, as a data breach could have a significant financial impact on your organization. These results can also be used to determine if data obfuscation and anonymization practices need to be improved. 

Consideration 5: Resource types and costs

In your cloud account, it’s critical that you review what resource types are running, what region it’s operating in, and the data being accessed.

Tenable Cloud Security allows you to easily filter your resources by “Region”, “Instance Type” and “Instance Class.” Running instances and virtual machines generate hourly costs, and can vary depending on the size of the resource and operating region. You can use those filters to find instance variants, instance family size, or specific types to help you find high-cost resources that could be scaled down or removed. 
 


Even if your instance is stopped or terminated, you can still incur additional costs for associated snapshots, backups, storage, and IP addresses. To avoid additional cloud costs, we recommend deleting all associated resources that are not in use.

Regarding cleanup efforts, it's crucial to evaluate whether additional security controls need to be implemented. You can optionally set up IAM policy restrictions to specific regions or permit only certain instance types within your account. Additionally, organizational policies can also be applied for more comprehensive coverage.

Other things to keep in mind

Before starting any cleanup efforts, it’s important to factor in any resources that need to be excluded from future deletion. Resources managed through infrastructure as code (IaC) are a good example of resources that can remain out of scope. To detect your IaC-managed resources, we recommend setting up Tenable Cloud Security’s IaC Security feature that will scan your IaC pipeline and highlight where your resources are managed in code. Once scanned, you should see the “IaC” label applied to that resource within the console.
 


Even if you don’t have IaC-managed resources in your account, using Labels provides a great option to easily identify resources managed by a specific team that need to remain out of scope. If you have resources with consistent tag key and value pairs applied, we recommend creating automatic labels for those resources. This feature will automatically label resources regardless of whether they need to be excluded. 

You can also apply manual labels to resources that may not have consistent tagging applied. For services that do not support tags, you can use this option to identify which team manages resources like Azure Roles or Okta Groups.

Determine what will be deleted

Once you have determined what you have, you can review what resources are in scope for deletion. Within the Tenable Cloud Security console, we recommend that you filter on the account and resources in scope and export those resources to a .csv file. This step will provide a compliance list of resources regardless of whether they have a “Created” date or not. 

If you have many resources that are in scope for deletion, you can optionally perform cleanup efforts in phases. Within the console, if you find that you have many EC2 instances and Lambda functions, for example, you can export that list to review those resources within each service.

In cases where all of your resources have a “Created” date listed, we recommend using the “Created” filter to highlight those resources created before a specified date. Some of the examples below provide different filter options you can use to identify those resources you want to target for deletion.
 

Filter NameFilter ValueResultsCreatedBefore the last 6 months Lists all resources created more than 6 months agoCreatedBefore January 1st Lists all resources created before January 1stSize0 BIncludes supported resources with zero bytes or no data storedLabelsPublicIncludes publicly accessible resourcesLabels IaC Includes resources identified as managed within IaC Labels InactiveList all IAM / Identities reporting as inactiveInstance Type16xlargeLists all Amazon EC2 instances types ending with *.16xlarge


When determining whether a resource is active, be aware of a few things. Not all services support filters such as “Last Modified,” “Updated,” “Last Sign-In,” or “Last Activity” that highlight when a resource was last updated or when a user was last active.

Services like Amazon S3 do not support any information on whether the bucket is actively in use. There may be additional options available in AWS to determine that status through logs and enabling associated services. We highly recommend that you communicate this information to team members so they can check and confirm that nothing important is deleted. 

Lastly, if you determine that any retained resources need to be consolidated or reduced in size, you can implement security controls to retain data for a specific amount of time and then delete it. You can also resize or scale down the resource type to help reduce costs. 

Communicate cleanup efforts

Before you implement cleanup efforts, it’s important to communicate these changes to all team members. We recommend sharing the details listed below with those users who have access to your account. You can also use this list if you plan to perform future cleanup efforts within your account, either randomly or on a schedule.

  1. Include the account(s) in scope.
  2. Communicate why resources are being deleted.
  3. Include the date when resources will be deleted.
  4. Include the services and filter criteria in scope. Examples can include:
    • All virtual machine instances created more than 90 days ago
    • All SQL databases larger than 500GB
    • All resources with no “Created” date listed
    • All resources whose size is zero Bytes
    • All EC2 instances running *16xlarge instance types
  5. If applicable, include what’s out of scope. Examples can include:
    • Resources managed through your CI/CD pipeline with the “IaC” label attached
  6. If applicable, include important information that users should review or can request. Examples can include:
    • Ask users to review S3 buckets to confirm activity
    • Provide options for users to scale down resources
    • Explain how users can request exclusions

If team members already have access to review those resources within Tenable Cloud Security, we recommend including that information in your initial e-mail as a reminder. We’ve found that if you provide direct access to Tenable Cloud Security, teams can be more autonomous in managing resources within their account. You can also create an inventory report that can be e-mailed to team members who might not have access.

We also recommend notifying team members by e-mail at least 2-4 weeks in advance before any cleanup efforts are started. Also, send out a final reminder at least one week in advance to remind users that once resources are deleted, they cannot be restored. 
 

Conclusion

To maintain an efficient and secure cloud environment, it's important to run cleanup efforts quarterly or twice yearly, depending on the number of resources in your account. Start by determining what you plan to delete and when, and consider addressing specific cloud services in phases. Additionally, implement extra security controls and scale down resources to only what’s necessary. Be sure to include which resources or services are out-of-scope for your cleanup efforts.  

Stephanie Dunn

Cybersecurity Snapshot: WEF Offers AI Security Best Practices, as DORA Regulation Places Strict Cyber Rules on Banks

Tenable Blog
3 weeks 5 days ago

Check out tips for adopting AI securely from the World Economic Forum. Plus, the EU’s DORA cyber rules for banks go into effect. Meanwhile, a report warns about overprivileged cloud accounts. And get the latest on ransomware trends; CIS Benchmarks; and data privacy.

Dive into six things that are top of mind for the week ending Jan. 24.

1 - WEF: Best practices to adopt AI securely

As businesses scramble to adopt artificial intelligence to boost their competitiveness, they’re also grappling with how to deploy AI systems securely and in line with policies and regulations.

If your organization is among the many that are looking for guidance on secure AI adoption, now you have have one more resource.

The latest guidance for adopting AI securely comes from the World Economic Forum, whose new “Artificial Intelligence and Cybersecurity: Balancing Risks and Rewards” report seeks to explain how organizations can benefit from AI while reducing their cybersecurity risks.

“By prioritizing cybersecurity and mitigating risks, organizations can safeguard their investments in AI and support responsible innovation,” the 28-page report reads.

Among the report’s recommended best practices are:

  • Apply a risk-based approach to AI adoption, and create a cross-disciplinary risk-management team with members from departments including legal, human resources, cybersecurity, compliance and IT.
  • Maintain an updated inventory of AI applications.
  • Invest in essential cybersecurity controls for protecting AI systems both before and after they’re deployed, and for responding to and recovering from cyber incidents.
  • Pay attention to information governance, such as what data will be exposed to AI systems and how it will be protected.
     


The report also suggests questions for cybersecurity leaders to ask in order to frame their AI adoption strategy, including:

  • Have we established our AI risk tolerance and do all stakeholders understand it?
  • Do we have a process to govern and track AI deployments?
  • Do we weigh risks against rewards when considering new AI projects?
  • Are we clear on who must be involved in assessing and mitigating AI adoption cyber risks?

“By assessing and mitigating cyber risks, leaders can align AI adoption with organizational goals and resilience needs,” reads the companion WEF article “Securing innovation: A leader’s guide to managing cyber risks from AI adoption.

For more information about AI security, check out these Tenable blogs:

2 - DORA cyber regulation for banks and their tech providers goes into effect

Financial services companies doing business in the European Union, as well as their technology and communications vendors, now must comply with the Digital Operational Resilience Act (DORA). 

DORA establishes strict cybersecurity requirements for financial firms including banks, insurance companies and investment firms, as well as for third-parties that provide information and communications technology (ICT) products and services to financial sector organizations.

After entering into force in January 2023, the DORA regulation became applicable last week. It covers ICT security areas including:

  • Risk management, including the risk posed by third parties
  • Resilience testing of digital operations
  • Reporting of significant cybersecurity incidents
  • Sharing of information about cyberthreats and vulnerabilities


DORA will strengthen the ability of financial firms to withstand cyber‑related disruptions and threats and ensure a swift recovery if incidents do occur,” reads a statement from the European Commission. 

“The framework also includes an oversight mechanism of critical third‑party providers of ICT services to financial entities, such as cloud service providers,” the statement adds.

To find out how Tenable can help with DORA compliance, read the “Tenable Cyber Exposure Study: DORA” document.

For more information about the EU’s DORA cybersecurity regulation for the financial sector:

VIDEOS

Understanding the Digital Operational Resilience Act (Deloitte)

DORA compliance for ICT Providers - What Do You Need to Do? (IT Governance)

3 - Google: Hackers shift sights to overprivileged cloud accounts

Cloud accounts that have more privileges than they should are increasingly attracting the attention of hackers.

That’s because taking over these overprivileged service accounts makes it easier for cyber crooks to move laterally within a breached cloud environment, according to Google Cloud’s “H1 2025 Threat Horizons Report.”

Cloud Risk Alerts Detected in H2 2024

(Source: Google Cloud’s “H1 2025 Threat Horizons Report,” January 2025)

Meanwhile, weak or no credentials (45.7%) and misconfigurations (34.3%) ranked as the top two initial access vectors to cloud environments during the second half of last year.

Once in, attackers most often attempt to move laterally (62.2%). They also go looking for insecure private keys (13.7%) and attempt to manipulate access tokens (11.3%).

For more information about cloud security, check out these Tenable resources:

4 - Report: Ransomware attacks uncharacteristically jumped in December

Apparently, ransomware groups didn’t take a break during the holidays, as they normally do.

NCC Group, which has been tracking ransomware activity since 2021, said it tallied the most attacks ever during December, which is usually a quieter month for ransomware attacks.

Funksec, a new cyber extortion gang, ranked first with 18% of all attacks – followed by CL0P, Akira and RansomHub, according to NCC Group’s December 2024 Monthly Threat Pulse report.

Funksec uses double extortion—encrypting and exfiltrating victims’ files—and operates a Tor-based data leak site. There, it posts breach announcements and offers a free DDoS tool.

NCC Group calls the December data a “wake-up call.”
 


As newer, more aggressive ransomware gangs emerge, cybersecurity teams may encounter a more challenging threat landscape in 2025, with attacks occurring more frequently and broadly. A proactive cybersecurity approach is key.

“Companies need to double down on their cybersecurity measures and ensure that their teams are trained and prepared to evolve with the changing nature of ransomware threats,” Ian Usher, NCC Group Associate Director of Threat Intelligence Operations, said in a statement.

This is especially true for the industrials sector, which includes critical infrastructure organizations and was the most targeted, receiving 24% of all December attacks.

For more information about ransomware trends:

5 - Survey: Practicing “privacy by design” makes a difference

Want to boost your organization’s privacy practices? A new ISACA report recommends practicing “privacy by design,” which is the process of integrating privacy considerations into the organization’s entire engineering process.

ISACA’s “State of Privacy 2025” report found that organizations that always use a “privacy by design” approach when building new applications and services do better than organizations that use it less frequently or not at all.
 


According to the report, based on a global survey of about 1,600 cybersecurity and privacy professionals, organizations that always use “privacy by design” tend to have more support and resources, and are more likely to have:

  • A board of directors that adequately prioritizes privacy
  • An appropriately funded enterprise privacy budget
  • An appropriately staffed technical privacy team
  • A privacy strategy aligned with organizational objectives
  • Confidence in their ability to ensure data privacy and comply with privacy regulations

Other recommendations for having strong enterprise privacy programs include:

  • Have one person who is primarily responsible for privacy
  • Work closely with the legal and compliance teams to ensure privacy compliance
  • Address privacy with documented policies, processes and standards
  • Use AI to help manage and classify collected data, and to identify personal information
  • Offer privacy awareness training to employees
6 - CIS updates Benchmarks for Apple, Microsoft products

Apple macOS and Microsoft Windows Server were two CIS Benchmarks updated in December by the Center for Internet Security.

Specifically, these CIS Benchmarks were updated:

 


The CIS Benchmarks’ secure-configuration guidelines are intended to help you harden products against attacks. Currently, CIS offers more than 100 Benchmarks for 25-plus vendor product families. There are CIS Benchmarks for cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks January 2025 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

Juan Perez

CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited

Tenable Blog
3 weeks 6 days ago

A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild according to researchers.

Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management.

View Change Log

Background

On January 22, SonicWall published a security advisory (SNWLID-2025-0002) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution.

CVEDescriptionCVSSv3CVE-2025-23006SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability9.8Analysis

CVE-2025-23006 is a deserialization of untrusted data vulnerability in the appliance management console (AMC) and central management console (CMC) of the SonicWall SMA 1000. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable device. Successful exploitation would grant the attacker arbitrary command execution on the device. The advisory specifies that “specific conditions” could allow for OS command execution, though it’s unclear from the information provided by SonicWall what those conditions might be.

Possible active exploitation in the wild

According to SonicWall’s Product Security Incident Response Team (PSIRT), there are reports of “possible active exploitation” of this flaw “by threat actors.” While specific details are not known at this time, the vulnerability was reported to SonicWall by researchers at Microsoft Threat Intelligence Center (MSTIC).

In a knowledge base article, SonicWall explicitly said that CVE-2025-23006 "has been confirmed as being actively exploited in the wild" and that the vulnerability should "be treated with the utmost severity."

Historical exploitation of SonicWall SMA vulnerabilities

SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, as well as being featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and International Agencies. The following are a list of known SMA vulnerabilities that have been exploited in the wild:

CVEDescriptionTenable Blog LinksYearCVE-2019-7481SonicWall SMA100 SQL Injection Vulnerability12019CVE-2019-7483SonicWall SMA100 Directory Traversal Vulnerability-2019CVE-2021-20016SonicWall SSLVPN SMA100 SQL Injection Vulnerability1, 2, 3, 4, 52021CVE-2021-20038SonicWall SMA100 Stack-based Buffer Overflow Vulnerability1, 2, 32021Proof of concept

At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-23006. If and when a public PoC exploit becomes available for CVE-2025-23006, we anticipate a variety of attackers will attempt to leverage this flaw as part of their attacks.

Solution

SonicWall has released version 12.4.3-02854 to address this vulnerability, which impacts version 12.4.3-02804 and earlier. According to SonicWall, SMA 100 series and SonicWall Firewall devices are not impacted.

The advisory also provides a workaround to reduce potential impact. This involves restricting access to the AMC and CMC to trusted sources. The advisory also notes to review the best practices guide on securing SonicWall appliances.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-23006 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SMA devices:

 

Get more informationChange Log

Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza, Satnam Narang

Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor

Tenable Blog
3 weeks 6 days ago

Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.

Background

Throughout 2024, attacks from sophisticated advanced persistent threat (APT) actors associated with the People’s Republic of China (PRC) were a major focus for U.S. government organizations, including the Cybersecurity and Infrastructure Security Agency (CISA). In a previous blog post, we examined Volt Typhoon, a PRC state-sponsored actor known to target critical infrastructure. However in September, the Wall Street Journal reported on another PRC actor, Salt Typhoon, citing anonymous sources who said that the group had breached multiple U.S. telecommunications providers. While several outlets reported on speculation of the report, in early October, CISA and the Federal Bureau of Investigation (FBI) offered official confirmation of the attacks when they released a joint statement that “the U.S. Government is investigating the unauthorized access to commercial telecommunications infrastructure by actors affiliated with the People’s Republic of China.” By December, a White House press call confirmed that at least eight U.S. telecommunications providers had been breached, with that figure increasing to at least nine telecommunications companies by December 27. As new details emerge on Salt Typhoon and its targets, this Tenable Research blog examines the tactics, techniques and procedures (TTPs) employed, including the exploitation of known vulnerabilities associated with this threat actor.

Analysis

Salt Typhoon is a sophisticated threat group whose targets include the telecommunications, government and technology sectors. The group is tracked under several monikers, including FamousSparrow, GhostEmperor, Earth Estries and UNC2286. This APT has most recently been in the news for breaching multiple U.S. telecommunications providers; however it’s believed that its targets in this sector span the globe. In the U.S, government officials claimed that Salt Typhoon’s targets include government officials primarily involved in “political activity,” sparking CISA and joint partners to release guidance on visibility and security hardening of communications infrastructure as well prompting the White House to issue the Executive Order titled “Strengthening and Promoting Innovation in the Nation’s Cybersecurity.” Based on various reports on Salt Typhoon, its primary objective appears to be espionage.

In mid-December, CISA released the document “Mobile Communications Best Practice Guidance,” with an emphasis on using end-to-end encryption for secure communications. While it’s unclear what information may have been accessed by Salt Typhoon, CISA and other government agencies, including the Federal Communications Commission (FCC) have been actively helping and providing security guidance to the impacted organizations, as communications infrastructure is a matter of national security.

Known CVEs commonly exploited by Salt Typhoon

Salt Typhoon typically gains initial access to its victim networks by targeting external-facing assets using known vulnerabilities. While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Salt Typhoon.

CVEDescriptionCVSSv3 ScoreVPRCVE-2021-26855Microsoft Exchange Server Server-Side Request Forgery Vulnerability (ProxyLogon)9.89.8CVE-2022-3236Sophos Firewall Code Injection Vulnerability9.87.4CVE-2023-48788FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability9.89.4CVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability9.19.8CVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability8.26.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on January 23 and reflects VPR at that time.

Several of these vulnerabilities have been routinely exploited by APT and ransomware groups alike, including CVE-2021-26855, also known as ProxyLogon, and related Microsoft Exchange vulnerabilities including CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Ivanti Connect Secure/Policy Secure and Fortinet FortiClientEMS have each been the subject of Tenable Research blog posts and CVE-2022-3236, the SQL injection flaw in Sophos Firewall, was featured in our “2022 Threat Landscape Report.”

Of these five CVEs, four of them were exploited in the wild as zero-day vulnerabilities. While it’s unknown if Salt Typhoon exploited any of these flaws as zero-days, the level of sophistication from the group does suggest it has the technical ability to develop and exploit zero-day flaws in its attacks.

Despite these CVEs having had patches available, an analysis of anonymized Tenable scan data reveals that of nearly 30,000 instances impacted by ProxyLogon, a staggering 91% remain unpatched. In a stark contrast, an analysis of over 20,000 devices impacted by both Ivanti vulnerabilities (CVE-2023-46805 and CVE-2024-21887), our data found that these devices were fully remediated in over 92% of cases.

As part of CISA’s guidance for enhanced visibility and hardening, the agency mentioned Cisco network equipment. While CISA didn’t mention specific Cisco device models or vulnerabilities, its guidance does note that PRC-affiliated actors have targeted Cisco-specific devices and as such, care should be taken to ensure organizations in the communications sector and beyond are properly securing and hardening their Cisco network devices. CISA’s recommendations include disabling Cisco’s Smart Install service, which is often abused by attackers and should be properly configured or disabled to prevent abuse.

Post-Compromise Activity

Salt Typhoon is known for maintaining a stealthy presence on victim networks and remaining undetected for a significant time period. It maintains persistence by utilizing custom malware including GhostSpider, SnappyBee and the Masol remote access trojan (RAT).

It’s been reported that the group has been active for several years and may have breached and maintained access at telecommunications providers for months before being detected. In a recent blog by outgoing CISA Director Jen Easterly, she revealed that “CISA threat hunters previously detected the same actors in U.S. government networks.”

The “eyes” of the various “Typhoons”

Each suspected state-sponsored PRC actor includes the family name of “Typhoon.” In recent months, CISA and security vendors have issued several warnings regarding the various “Typhoon” groups, including Volt Typhoon, Flax Typhoon, and Salt Typhoon. Volt Typhoon’s focus is persistence and stealth, targeting critical infrastructure while Flax Typhoon’s focus is on attack infrastructure, building botnets from compromised Internet of Things (IoT) devices.

While each group’s targets and activities are unique, the “eye” of each of these typhoons is they target unpatched and often well-known vulnerabilities for initial access, targeting public-facing servers. Despite the persistence of these threat actors, it's vital that organizations routinely patch public-facing devices and quickly mitigate known and exploited vulnerabilities. This is underscored in commentary from the Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel:

In light of the vulnerabilities exposed by Salt Typhoon, we need to take action to secure our networks. Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed. The time to take this action is now. We do not have the luxury of waiting.

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths as well as to identify systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend using the Tenable One Exposure Management Platform. Tenable One extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable Plugin Coverage

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-26855, CVE-2022-3236, CVE-2023-48788, CVE-2024-21887 and CVE-2023-46805. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to these CVEs, we also recommend scanning with plugin ID 105161 to identify if Cisco Smart Install is enabled on any Cisco devices in your network.

Tenable Attack Path Analysis techniques

The following are a list of attack paths associated with Salt Typhoon and the associated Tenable Attack Path Analysis techniques:

MITRE ATT&CK IDDescriptionTenable Attack Path techniquesT1003.003OS Credential Dumping: NTDST1003.003_WindowsT1021Remote ServicesT1021.002_WindowsT1047Windows Management InstrumentationT1047_WindowsT1053.005Create or Modify System Process: Windows ServiceT1053.005_WindowsT1059.001Command and Scripting Interpreter: PowerShellT1059.001_WindowsT1059.003Command and Scripting Interpreter: Windows Command ShellT1059.003_WindowsT1068Exploitation for Privilege EscalationT1068_WindowsT1078Valid Accounts

T1078.001_ICS

T1078.003_Windows

T1078.004_Azure

T1078.002Valid Accounts: Domain AccountsT1078.002_WindowsT1082System Information DiscoveryT1082T1087Account Discovery

T1087.004_Azure

T1087.004_AWS

T1134Access Token ManipulationT1134.005_WindowsT1190Exploit Public-Facing Application

T1190_Aws

T1190_WAS

T1203Exploitation for Client ExecutionT1203_WindowsT1482Domain Trust DiscoveryT1482_WindowsT1547Boot or Logon Autostart Execution

T1547.002_Windows

T1547.005_Windows

T1574Hijack execution flow

T1574.007_Windows

T1574.009_Windows

T1574.010_Windows

T1574.011_Windows

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

The following are a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:

MITRE ATT&CK IDDescriptionIndicatorsT1003.003OS Credential Dumping: NTDSI-NtdsExtractionT1021Remote Services

C-LAPS-UNSECURE-CONFIG

C-AAD-PRIV-SYNC

C-USERS-REVER-PWDS

T1036MasqueradingC-CONFLICTED-OBJECTST1055.001Process Injection: Dynamic-link Library InjectionI-DnsAdminsT1068Exploitation for Privilege EscalationI-SamNameImpersonationT1078Valid Accounts

MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT

C-PASSWORD-DONT-EXPIRE

C-USER-PASSWORD

C-PRIV-ACCOUNTS-SPN

C-NATIVE-ADM-GROUP-MEMBERS

C-AAD-SSO-PASSWORD

C-MSA-COMPLIANCE

C-PASSWORD-POLICY

C-REVER-PWD-GPO

C-CLEARTEXT-PASSWORD

C-DC-ACCESS-CONSISTENCY

C-PROP-SET-SANITY

C-SLEEPING-ACCOUNTS

C-KERBEROS-CONFIG-ACCOUNT

HIGH-NUMBER-OF-ADMINISTRATORS

MISSING-MFA-FOR-PRIVILEGED-ACCOUNT

C-AUTH-SILO

C-KRBTGT-PASSWORD

C-AAD-PRIV-SYNC

C-SERVICE-ACCOUNT

C-PASSWORD-NOT-REQUIRED

C-ADMIN-RESTRICT-AUTH

C-ADMINCOUNT-ACCOUNT-PROPS

C-DANGEROUS-SENSITIVE-PRIVILEGES

C-PKI-DANG-ACCESS

C-EXCHANGE-MEMBERS

C-PASSWORD-HASHES-ANALYSIS

C-ADM-ACC-USAGE

C-DANG-PRIMGROUPID

C-DSHEURISTICS

T1134Access Token ManipulationC-ACCOUNTS-DANG-SID-HISTORYT1190Exploit Public-Facing ApplicationAPPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATIONT1203Exploitation for Client ExecutionC-OBSOLETE-SYSTEMS

Tenable Web App Scanning

MITRE ATT&CK IDDescriptionIndicatorsT1190Exploit Public-Facing ApplicationT1190_WASGet more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza

Oracle January 2025 Critical Patch Update Addresses 186 CVEs

Tenable Blog
4 weeks ago

Oracle addresses 186 CVEs in its first quarterly update of 2025 with 318 patches, including 30 critical updates.

Background

On January 21, Oracle released its Critical Patch Update (CPU) for January 2025, the first quarterly update of the year. This CPU contains fixes for 186 CVEs in 318 security updates across 27 Oracle product families. Out of the 318 security updates published this quarter, 9.4% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 56.6%, followed by high severity patches at 32.4%.

This quarter’s update includes 30 critical patches across 18 CVEs.

SeverityIssues PatchedCVEsCritical3018High10355Medium180109Low54Total318186Analysis

This quarter, the Oracle REST Data Services product family contained the highest number of patches at 85, accounting for 26.7% of the total patches, followed by Oracle Health Sciences Applications at 39 patches, which accounted for 12.3% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

Oracle Product FamilyNumber of PatchesRemote Exploit without AuthOracle REST Data Services8559Oracle Health Sciences Applications394Oracle Communications Applications3124Oracle Graph Server and Client2815Oracle Construction and Engineering2621Oracle Analytics2314Oracle Communications2218Oracle Hospitality Applications166Oracle Java SE63Oracle MySQL64Oracle Database Server52Oracle Secure Backup41Oracle TimesTen In-Memory Database41Oracle Commerce33Oracle Big Data Spatial and Graph20Oracle E-Business Suite21Oracle Financial Services Applications20Oracle Fusion Middleware21Oracle Hyperion22Oracle Insurance Applications21Oracle PeopleSoft20Oracle Application Express10Oracle Blockchain Platform11Oracle Essbase11Oracle GoldenGate11Oracle Enterprise Manager11Oracle JD Edwards10Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2025 advisory for full details.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza

Cybersecurity Snapshot: CISA Lists Security Features OT Products Should Have and Publishes AI Collaboration Playbook

Tenable Blog
1 month ago

Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.

Dive into six things that are top of mind for the week ending Jan. 17.

1 - How to choose cybersecure OT products

Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.

The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:

  • Support for controlling and tracking modifications to configuration settings
  • Logging of all actions using open-standard logging formats
  • Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
  • Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
  • Protection of the integrity and confidentiality of data at rest and in transit


According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. 

In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

For more information about OT systems cybersecurity, check out these Tenable resources: 

2 - JCDC publishes playbook to collect AI security info 

A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.

The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.

“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.

AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.


By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:

  • Sharing information to improve detection and prevention of AI threats
  • Exposing attackers’ tactics and infrastructure
  • Identifying and notifying victims
  • Generating threat advisories and intelligence reports
  • Offering tailored recommendations, vulnerability management strategies and cyber defense best practices

The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.

In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”

For more information about industry efforts for collaborating on AI security:

3 - New White House cybersecurity EO includes AI requirements

The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.

The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.

“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.



Among the executive order’s requirements for AI are:

  • Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include:
    • vulnerability detection
    • automatic patch management
    • identification and categorization of anomalous and malicious activity across IT or OT systems
  • The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
  • The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
  • The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ process and “and interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.

These AI-related actions all must be completed at various dates during 2025.

The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.

4 - CISA publishes secure software development best practices

Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.

As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.


The best practices are organized into two categories — Software development process goals; and Product design goals — and include:

  • Software development process goals:
    • Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
    • Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
    • Enforce multi-factor authentication across all software development environments.
    • Securely store and transmit credentials.
  • Product design goals
    • Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
    • Provide timely security patches to customers.
    • Don’t use default password in your products.
    • Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.

To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.

For more information about secure software development:

5 - U.S. gov’t launches security label for IoT products

To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.

Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.


“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.

IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. 

IoT products that earn the label will also have a QR code that’ll link consumers to information such as:

  • How to change default passwords
  • How to configure the device securely
  • How to access software updates and patches if they’re not delivered automatically
  • The end date of the product’s support period

Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.

To get more details, visit the U.S. Cyber Trust Mark home page.

For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO)

6 - U.S. gov’t seeks tougher cybersecurity rules for health providers

Doctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S.

That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).


The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:

  • Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.
  • Make risk analysis more specific by submitting written assessments that include:
    • A review of the technology asset inventory and network map
    • Reasonably anticipated threats to ePHI’s confidentiality, availability and integrity
    • Potential vulnerabilities to the organization’s electronic information systems
    • A risk-level assessment of identified threats and vulnerabilities
  • Strengthen contingency planning and security incident response with steps including:
    • Draft written plans to restore certain electronic information systems and data within 72 hours.
    • Prioritize restoration by analyzing criticality of systems and tech assets.
    • Outline in writing how employees and the organization will respond to known or suspected security incidents.
  • Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.
  • With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.
  • Conduct vulnerability scanning at least every six months, and penetration testing at least once a year.

For more details about HHS’ new proposed HIPAA cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.

Juan Perez

New Cybersecurity Executive Order: What It Means for Federal Agencies

Tenable Blog
1 month ago

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity includes guidance on third-party risk management and the need to adopt proven security practices to gain visibility of security threats across network and cloud infrastructure. Here we highlight six key provisions and offer guidance on how federal agencies can prepare.

On Jan. 16, the Biden Administration released the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. In an era of escalating threats, it is important for the U.S. government to take steps toward a more secure digital infrastructure. The EO is being released in the wake of cyberattacks, such as Salt Typhoon, from China-based threat groups supported by the People’s Republic of China, which, as recently as last week, breached the U.S. Department of the Treasury.

The EO is intended to build off President Joseph R. Biden’s previous EO 14028 and focuses on the nation’s ability to address key threats and defend against continued cyber campaigns targeting the United States and Americans, as well as ensuring the security of the services and capabilities most vital to the digital domain.

As the Biden Administration comes to a close and President Donald J. Trump is sworn in on Jan. 20, it’s important to remember that cybersecurity is not a partisan issue, but a national security concern. Similar to our collaboration during the first Trump Administration, Tenable stands ready to engage with the incoming team to assess and defend critical networks in government and throughout enterprise to protect Americans and ensure the resilience of our critical infrastructure.

While the EO is aimed at government agencies, many of the principles behind it are equally relevant to private sector organizations looking to improve their security posture. It includes guidance on third-party management practices, adopting proven security practices to gain visibility of security threats across networks and cloud infrastructure, and securing communications networks. It also provides recommendations on combating cybercrime and fraud, promoting security with artificial intelligence (AI) and aligning policy to practice.

Below we highlight six key provisions of the EO and offer recommendations on how to prepare to meet the requirements.

6 key provisions of the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity1. Operationalizing transparency and security in third-party software supply chains

The EO mandates federal agencies adopt more rigorous third-party risk management practices to ensure the safety and security of the software providers operating within the federal government. It calls for:

  • Software providers to submit secure software development attestations and high-level artifacts to validate the attestations to the Cybersecurity and Infrastructure Security Agency (CISA).
  • The establishment of National Institute of Standards and Technology (NIST) guidelines and security practices for safe and secure software procurement, which will be incorporated into the Secure Software Development Framework (SSDF) and ultimately the White House Office of Management and Budget Memorandum M-22-18. It will include practices, procedures, controls and implementation examples.
  • Federal agencies to comply with the guidance in NIST Special Publication 800-161 Revision 1 to integrate cybersecurity supply chain risk management programs into broader risk management activities.
  • CISA and the General Services Administration to issue recommendations to agencies on the management of open source software.

How to prepare: Start with an inventory of all third-party providers working with your agency. How much visibility do you have into the level of risk these providers present? Is their software integral to your agency’s ability to function? Can it access sensitive data, such as personally identifiable information (PII)? Does it offer an opportunity for an attacker to gain entry or move laterally within your infrastructure?

2. Improving the cybersecurity of federal systems

This section of the EO focuses on adopting proven security practices in order to gain visibility of security threats across networks and strengthen cloud security. Key call-outs in this section include:

  • Identity and access management (IAM): Identity and access management practices are critical and should be implemented into an agency's broader security strategy.
  • Cloud security: In order to secure federal data in the cloud, The EO requires cloud services providers in the FedRAMP marketplace to produce baselines with specifications and recommendations for agency configurations of cloud-based systems.
  • Space security: The security of space systems must be enhanced to adapt to evolving threats. The EO mandates that agencies take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions like continuous assessments, testing, exercise and modeling and simulation.

How to prepare: Audit your identity and access management systems. Are you considering user privileges in your overall risk profile? Consider how much access and visibility your security team has into your cloud infrastructure. Does your agency have continuous processes to manage identity and privileges across cloud environments? At what stage is security brought into your cloud deployments? It should be incorporated into the entire process, from ideation to system development and deployment. Are you performing continuous monitoring of IAM, cloud and space systems (if applicable)? Many third-party contracts pre-date supply chain risk-management reviews. Do your contracts account for security requirements and support?

3. Securing federal communications

The EO emphasizes the importance of securing our communication networks from cyberattacks and sets forth guidelines and procedures to ensure the security of federal communications. Key points include:

  • Strong identity authentication and encryption must be implemented.
  • Encrypting DNS traffic is critical.
  • Email messages, as well as modern communications such as voice and video conferencing and instant messaging, must be encrypted in transport and where practical use end-to-end encryption.
  • Quantum computers pose significant risk to national security. Agencies should require post-quantum cryptography in applicable product categories as defined by CISA.
  • The federal government should protect and audit access to cryptographic keys with extended lifecycles. Guidelines will be developed by NIST and FedRAMP requirements will be updated to incorporate those guidelines.

How to prepare: Evaluate your identity authentication and encryption capabilities for all forms of communication, from DNS to email systems. Are you following NIST SP 800-63 Digital Identity Guidelines? Are there gaps in your systems that need to be addressed? Are there product categories within your systems that would require post-quantum cryptography? Non-quantum compliant cyphers will increasingly pose risk as quantum technologies radically redefine encryption.

4. Solutions to combat cybercrime and fraud

With the growing demand for digital services, it is essential for agencies to adopt digital identity verification solutions that ensure secure access, enhance accessibility and prevent fraud. This section of the EO encourages the safe and secure use of digital identity documents to access public benefits programs that require identity verification. It states that NIST will issue implementation guidance and the Treasury will develop a pilot program to notify individuals when their identity information is used to request a payment from a public benefits program.

How to prepare: Evaluate your digital identity verification strategy. How are you preventing digital identity fraud? What key performance indicators (KPIs) do you use to track the effectiveness of your program? Have you considered a more rigorous verification strategy that verifies identities at the front end? Are you using a holistic identity verification approach that validates multiple aspects of someone’s identity?

5. Promoting security with and in artificial intelligence (AI)

AI is emerging as a game changer in the ongoing battle for federal cybersecurity. As such, the EO calls on the federal government to accelerate the development and deployment of AI, specifically as it relates to improving the cybersecurity of critical infrastructure. The EO further establishes a pilot program on the use of AI to enhance cyber defenses of critical infrastructure and accelerates research at the intersection of AI and cybersecurity.

How to prepare: Evaluate how AI can be implemented in your security strategy in order to reduce risk. Do you have guidelines for using AI in your agency? Have you experimented with AI security tools? Are there ways you can leverage AI to reduce the pressure on your security teams?

6. Aligning policy to practice

This section of the EO focuses on modernizing federal IT infrastructure and networks to better defend against cyberattacks and reduce cyber risk. It focuses on developing guidance to help agencies share and exchange cybersecurity information, obtain enterprise-wide visibility, and prepare to be held accountable for enterprise-wide cybersecurity programs. It further focuses on promoting the adoption of evolving cybersecurity practices, such as the migration to zero trust and ensuring agencies can identify, assess and respond to risk presented by IT vendor concentration.

How to prepare: Assess how much visibility you currently have into your IT infrastructure. Are you able to continuously assess vulnerabilities and misconfigurations in your on-premises and cloud environments with the added context of identity and access privileges so you always have an up-to-date view of your risk? Do you have a way to quickly generate reports that you can share with other agencies?

Conclusion

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity addresses some of the most pressing concerns in cybersecurity, including the safety of the software supply chain, the need for improved visibility across systems such as identity and access management and cloud infrastructure, the need to protect communications with end-to-end encryption, and the promise of AI to aid in cybersecurity efforts. The provisions it provides offer a blueprint for improving cybersecurity for government agencies while providing sound guidance for private-sector organizations to consider in their efforts to reduce cyber risk.

Robert Huber

5 Things Government Agencies Need to Know About Zero Trust

Tenable Blog
1 month ago

Zero trust as a concept is simple to grasp. Implementing a zero trust architecture, on the other hand, is complex because it involves addressing a unique mix of process, procedure, technology and user education. Here are some considerations to keep in mind as you begin your journey.

Draft guidance on implementing a zero trust architecture, released by the National Institute of Standards and Technology (NIST) on Dec. 4, 2024, gives government agencies and private sector organizations a solid blueprint to follow. There are a number of additional considerations to keep in mind as you begin your journey.

First and foremost, zero trust is an alternative way of thinking about information security that treats trust as a vulnerability. It removes trust entirely from digital systems and is built upon the idea that security must become ubiquitous throughout the infrastructure. The concepts of zero trust are simple:

  • All resources are accessed in a secure manner, regardless of location.
  • Access control is on a "need-to-know" basis and is strictly enforced.
  • All traffic is inspected and logged.
  • The network is designed from the inside out.
  • The network is designed to verify everything and trust nothing.

A zero trust architecture can be implemented using commercial off-the-shelf technology. It's built upon current cybersecurity best practices and dovetails with a robust exposure management program. In fact, exposure management and zero trust go hand-in-hand.

5 things to keep in mind about zero trust

Here are five considerations as you begin your zero trust journey:

  1. Zero trust is a strategy, not a SKU. In most organizations, it can be implemented using existing off-the-shelf cybersecurity products. There is no single zero trust product your organization can purchase and plug in to transform your risk posture overnight.
  2. Zero trust requires a foundation of strong exposure management. As the National Institute of Standards and Technology (NIST) guidelines make clear, you can't build a zero trust strategy without first having accurate visibility into all of the organization's assets — including IT, cloud, operational technology (OT) and internet of things (IoT). An exposure management program can provide you with that level of visibility as well as the ability to act on findings in real time.
  3. User profiles matter more than ever. A zero trust strategy requires you to continuously monitor all users all the time. Identity and access management capabilities such as Entra ID and Active Directory, which are used to manage user profiles and privileges, must be continuously monitored and kept up to date.
  4. No one is trusted — no exceptions. This may not please senior leaders, who can sometimes behave as if the rules don't apply to them. Brushing up on your diplomatic skills is advised. Ultimately, though, a zero trust architecture can be implemented without creating significant friction for end users.
  5. Zero trust requires thoughtful communication. There are people throughout the organization who have built their careers on the legacy cybersecurity principles of moat-and-castle and trust-but-verify. They may be threatened or feel that their jobs are in jeopardy if they aren't engaged in the zero trust buildout from day one.

Zero trust as a concept is simple to grasp. What makes zero trust complex to implement are the same factors that make any cybersecurity strategy complex: the unique mix of processes, procedures and technology found in your IT infrastructure, as well as the need for significant user education. It's best to start small and roll out from there, rather than trying to boil the ocean.

For cybersecurity leaders in government agencies, preparing for a zero trust architecture is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:

  • What is your agency’s core mission or value proposition?
  • What are the workflows required to fulfill that mission?
  • Who owns those workflows?
  • How does data flow in the organization?
  • Which are your high-value assets, the so-called "keys to the kingdom"?
  • How does the organization determine who is granted access to these high-value assets?
  • How often does the organization audit user permissions once they are set?
  • What building blocks do you already have in place to support a zero trust strategy?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things (IoT) and operational technology (OT) assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of exposure management.

How zero trust and exposure management go hand-in-hand

Exposure management transcends the limitations of siloed security programs. Built on the foundations of risk-based vulnerability management, exposure management takes a broader view across your modern attack surface, applying both technical and business context to more precisely identify and more accurately communicate cyber risk, enabling better business outcomes.

An exposure management program combines technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and patch management to help an organization understand the full breadth and depth of its exposures and take the actions needed to reduce them through remediation and incident response workflows. Exposure management gives security teams a full, dynamic and accurate picture of the attack surface at any point in time, aiding in the implementation of zero trust policies and architecture.

Learn more
Robert Huber

CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild

Tenable Blog
1 month ago

Fortinet patched a zero day authentication bypass vulnerability in FortiOS and FortiProxy that has been actively exploited in the wild as a zero-day since November 2024.

Background

On January 14, Fortinet released a security advisory (FG-IR-24-535) addressing a critical severity vulnerability impacting FortiOS and FortiProxy.

CVEDescriptionCVSSv3CVE-2024-55591FortiOS and FortiProxy Authentication Bypass Vulnerability9.6Analysis

CVE-2024-55591 is an authentication bypass vulnerability in FortiOS and FortiProxy. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a Node.js websocket module. Successful exploitation may grant an attacker super-admin privileges on a vulnerable device. According to the Fortinet advisory, this vulnerability has been exploited in the wild.

Zero Day Campaign May Have Been Active Since November

Researchers at Arctic Wolf published a blog post on January 10 detailing a campaign first observed in mid-November 2024 of suspicious activity related to the exploitation of a zero-day vulnerability, which is presumed to be CVE-2024-55591. Arctic Wolf Labs details four distinct phases of the campaign that were observed against Fortinet FortiGate firewall devices; scanning, reconnaissance, SSL VPN configuration and lateral movement. For more information on the observations of this campaign, we recommend reviewing its blog post.

At the time this blog was published, the Fortinet advisory did not credit Arctic Wolf with the discovery of CVE-2024-55591. However, the indicators of compromise (IoCs) listed in the Fortinet advisory overlap with the report from Arctic Wolf.

Historical exploitation of Fortinet FortiOS and FortiProxy

Fortinet FortiOS and FortiProxy have been targeted by threat actors previously, including targeting by advanced persistent threat (APT) actors. We’ve written about several noteworthy Fortinet flaws since 2019, including flaws impacting SSL VPNs from Fortinet and other vendors:

CVEDescriptionPatchedTenable BlogCVE-2024-21762Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpndFebruary 2024CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN VulnerabilityCVE-2023-27997FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityJune 2023CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)CVE-2022-42475FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityDecember 2022

CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs

AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

CVE-2022-40684FortiOS and FortiProxy Authentication Bypass VulnerabilityOctober 2022CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxyCVE-2020-12812FortiOS Improper Authentication VulnerabilityJuly 2020CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT ActorsCVE-2019-5591FortiOS Default Configuration VulnerabilityJuly 2019CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT ActorsCVE-2018-13379FortiOS Path Traversal/Arbitrary File Read VulnerabilityAugust 2019CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the WildProof of concept

At the time this blog post was published, there were no public proof-of-concept exploits for CVE-2024-55591.

Solution

Fortinet published its security advisory (FG-IR-24-535) on January 14 to address this vulnerability. The advisory also contains IoCs and workaround steps that can be utilized if immediate patching is not feasible. Fortinet has released the following patches for FortiOS and FortiProxy.

Affected ProductAffected VersionFixed VersionFortiOS 7.07.0.0 through 7.0.16Upgrade to 7.0.17 or aboveFortiProxy 7.07.0.0 through 7.0.19Upgrade to 7.0.20 or aboveFortiProxy 7.27.2.0 through 7.2.12Upgrade to 7.2.13 or above

Fortinet also released several additional security advisories on January 14 for vulnerabilities affecting FortiOS and FortiProxy:

Affected Product(s)Vulnerability DescriptionSecurity AdvisoryCVSSv3/SeverityFortiOS, FortiProxy, FortiMail, FortiSwitch, FortiVoiceEnterprise, FortiNDR, FortiWLC, FortiADC, FortiAuthenticator, FortiRecorder, FortiDDoS-F, FortiDDoS, FortiSOAR and FortiTesterAn externally controlled reference to a resource may allow an unauthenticated attacker to poison web caches between an affected device and an attacker using crafted HTTP requestsFG-IR-23-4944.1 / MediumFortiAnalyzer, FortiAnalyzer Cloud, FortiAuthenticator, FortiManager, FortiManager Cloud, FortiOS, FortiProxy, FortiSASEAn unauthenticated attacker with access to the Security Fabric protocol may be able to brute force an affected product to bypass authentication.FG-IR-24-2218.0 / HighFortiOSAn authenticated, remote attacker may be able to prevent access to the GUI using specially crafted requests and causing a denial of service (DoS) condition.FG-IR-24-2504.8 / MediumFortiOSAn authenticated attacker may be able to cause a DoS condition due to a NULL pointer dereference vulnerability in the SSLVPN web portal.FG-IR-23-4736.2 / MediumFortiManager, FortiOS, FortiProxy, FortiRecorder, FortiSASE, FortiVoice and FortiWebA path traversal vulnerability may be exploited by a remote attacker with access to the security fabric interface, allowing the attacker to access and modify arbitrary files.FG-IR-24-2597.1 / HighFortiOSAn unauthenticated attacker may be able to exploit an out-of-bounds write vulnerability to cause a DoS condition.FG-IR-24-3733.5 / LowFortiOSAn unauthenticated attacker may be able to exploit an out-of-bounds read vulnerability to cause a DoS condition.FG-IR-24-2667.5 / HighFortiOSAn authenticated attacker with low privileges may be able to cause a DoS condition due to two NULL pointer dereference vulnerabilities.FG-IR-23-2936.4 / MediumFortiOSAn unauthenticated attacker may be able to exploit a resource allocation vulnerability to cause a DoS condition using multiple large file uploads.FG-IR-24-2197.1 / HighFortiOSAn authenticated attacker may be able to exploit an integer overflow vulnerability to cause a DoS condition.FG-IR-24-2673.2 / LowFortiOSAn authenticated attacker may be able to exploit an improper access control vulnerability.FG-IR-23-4074.7 / MediumFortiOS, FortiProxy and FortiSASEAn unauthenticated attacker may be able to exploit a http response splitting vulnerability in FortiOS, FortiProxy and FortiSASEFG-IR-24-2826.4 / MediumFortiOSAn unauthenticated attacker may be able to exploit a man-in-the-middle vulnerability to intercept sensitive information.FG-IR-24-3263.5 / LowIdentifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-55591 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing Fortinet assets:

 Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza

Microsoft’s January 2025 Patch Tuesday Addresses 157 CVEs (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335)

Tenable Blog
1 month ago
  1. 10Critical
  2. 147Important
  3. 0Moderate
  4. 0Low

Microsoft addresses 157 CVEs in the first Patch Tuesday release of 2025 and the largest Patch Tuesday update ever with three CVEs exploited in the wild, and five CVEs publicly disclosed prior to patches being made available.

Microsoft patched 157 CVEs in its January 2025 Patch Tuesday release, with 10 rated critical and 147 rated as important. Our counts omitted two vulnerabilities, one reported by GitHub and another reported by CERT/CC. To date, the January 2025 Patch Tuesday release is the largest ever from Microsoft.

This month’s update includes patches for:

  • .NET
  • .NET and Visual Studio
  • .NET,.NET Framework, Visual Studio
  • Active Directory Domain Services
  • Active Directory Federation Services
  • Azure Marketplace SaaS Resources
  • BranchCache
  • IP Helper
  • Internet Explorer
  • Line Printer Daemon Service (LPD)
  • Microsoft AutoUpdate (MAU)
  • Microsoft Azure Gateway Manager
  • Microsoft Brokering File System
  • Microsoft Digest Authentication
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office OneNote
  • Microsoft Office Outlook
  • Microsoft Office Outlook for Mac
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office Word
  • Microsoft Purview
  • Microsoft Windows Search Component
  • Power Automate
  • Reliable Multicast Transport Driver (RMCAST)
  • Visual Studio
  • Windows BitLocker
  • Windows Boot Loader
  • Windows Boot Manager
  • Windows COM
  • Windows Client-Side Caching (CSC) Service
  • Windows Cloud Files Mini Filter Driver
  • Windows Connected Devices Platform Service
  • Windows Cryptographic Services
  • Windows DWM Core Library
  • Windows Digital Media
  • Windows Direct Show
  • Windows Event Tracing
  • Windows Geolocation Service
  • Windows Hello
  • Windows Hyper-V NT Kernel Integration VSP
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel Memory
  • Windows MapUrlToZone
  • Windows Mark of the Web (MOTW)
  • Windows Message Queuing
  • Windows NTLM
  • Windows OLE
  • Windows PrintWorkflowUserSvc
  • Windows Recovery Environment Agent
  • Windows Remote Desktop Services
  • Windows SPNEGO Extended Negotiation
  • Windows Security Account Manager
  • Windows Smart Card
  • Windows SmartScreen
  • Windows Telephony Service
  • Windows Themes
  • Windows UPnP Device Host
  • Windows Virtual Trusted Platform Module
  • Windows Virtualization-Based Security (VBS) Enclave
  • Windows WLAN Auto Config Service
  • Windows Web Threat Defense User Service
  • Windows Win32K - GRFX

Remote code execution (RCE) vulnerabilities accounted for 36.9% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.5%.

ImportantCVE-2025-21333, CVE-2025-21334, CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerabilities

CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 are EoP vulnerabilities in the Windows Hyper-V NT Kernel Integration Virtualization Service Provider (VSP). All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. An authenticated, local attacker could exploit this vulnerability to elevate privileges to SYSTEM. Two of the three vulnerabilities were unattributed, with CVE-2025-21333 being attributed to an Anonymous researcher.

According to Microsoft all three vulnerabilities were exploited in the wild as zero-days. No specific details about the in-the-wild exploitation were public at the time this blog post was released.

ImportantCVE-2025-21186, CVE-2025-21366, CVE-2025-21395 | Microsoft Access Remote Code Execution Vulnerability

CVE-2025-21186, CVE-2025-21366 and CVE-2025-21395 are RCE vulnerabilities in Microsoft Access, a database management system. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and rated important. A remote, unauthenticated attacker could exploit this vulnerability by convincing a target through social engineering to download and open a malicious file. Successful exploitation would grant an attacker arbitrary code execution privileges on the vulnerable system. This update “blocks potentially malicious extensions from being sent in an email.”

According to Microsoft, these three vulnerabilities were publicly disclosed prior to a patch being available (zero-days). They are attributed to Unpatched.ai, which uses artificial intelligence (AI) to “help find and analyze” vulnerabilities.

ImportantCVE-2025-21308 | Windows Themes Spoofing Vulnerability

CVE-2025-21308 is a spoofing vulnerability affecting Windows Themes. This vulnerability received a CVSSv3 score of 6.5 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to convince a user to load a malicious file, then convince the user to “manipulate the specially crafted file.” Microsoft has provided a list of mitigations including disabling New Technology LAN Manager (NTLM) or using group policy to block NTLM hashes. For more information on the mitigation guidance, please refer to the Microsoft advisory.

ImportantCVE-2025-21275 | Windows App Package Installer Elevation of Privilege Vulnerability

CVE-2025-21275 is an EoP vulnerability in the Microsoft Windows App Package Installer. It was assigned a CVSSv3 score of 7.8 and is rated important. A local, authenticated attacker could exploit this vulnerability to obtain SYSTEM privileges. These types of flaws are often associated with post-compromise activity, after an attacker has breached a system through other means.

According to Microsoft, this vulnerability was publicly disclosed prior to a patch being available. It is attributed to an Anonymous researcher.

CriticalCVE-2025-21297, CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2025-21297 and CVE-2025-21309 are critical RCE vulnerabilities affecting Windows Remote Desktop Services. Both of these vulnerabilities were assigned CVSSv3 scores of 8.1, however CVE-2025-21309 was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index, while CVE-2025-21297 was assessed as “Exploitation Less Likely.”

According to Microsoft, successful exploitation of these flaws requires an attacker to connect to a system with the Remote Desktop Gateway role and trigger a race-condition that creates a use-after-free scenario which can be leveraged to execute arbitrary code.

CriticalCVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability

CVE-2025-21298 is a RCE vulnerability in Microsoft Windows Object Linking and Embedding (OLE). It was assigned a CVSSv3 score of 9.8 and is rated critical. It has been assessed as “Exploitation More Likely.” An attacker could exploit this vulnerability by sending a specially crafted email to a target. Successful exploitation would lead to remote code execution on the target system if the target opens this email using a vulnerable version of Microsoft Outlook or if their software is able to preview the email through a preview pane.

Microsoft’s advisory for this vulnerability recommends configuring Microsoft Outlook to read email messages “in plain text format” instead of a rich format that will display other types of content, such as photos, animations or specialized fonts. To configure Outlook in this way, please refer to the following article, Read email messages in plain text.

Tenable Solutions

A list of all the plugins released for Microsoft’s January 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

CVE-2025-0282: Ivanti Connect Secure Zero-Day Vulnerability Exploited In The Wild

Tenable Blog
1 month 1 week ago

Ivanti disclosed two vulnerabilities in its Connect Secure, Policy Secure and Neurons for ZTA gateway devices, including one flaw that was exploited in the wild as a zero-day.

Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

View Change Log

Background

On January 8, Ivanti published a security advisory for two vulnerabilities affecting multiple products including Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for Zero Trust Access (ZTA) gateways:

CVEDescriptionCVSSv3CVE-2025-0282Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways Stack-based Buffer Overflow Vulnerability9.0CVE-2025-0283Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways Stack-based Buffer Overflow Vulnerability7.0Analysis

CVE-2025-0282 is a stack-based buffer overflow vulnerability in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. An unauthenticated, remote attacker that successfully exploits this flaw would obtain remote code execution on a vulnerable device.

CVE-2025-0283 is also a stack-based buffer overflow in Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways. Unlike CVE-2025-0282, a local, authenticated attacker that successfully exploits this flaw would be able to elevate privileges on a vulnerable device.

In-the-wild exploitation observed for CVE-2025-0282

In a blog post, Ivanti confirmed that they have observed in-the-wild exploitation of CVE-2025-0282 in “a limited number of customers” of Ivanti Connect Secure devices. They reiterate that they have not observed exploitation against Ivanti Policy Secure or Neurons for ZTA gateways.

On-going investigation reveals preliminary insight into malicious activity

On January 8, researchers at Google Mandiant published a blog post outlining their preliminary findings related to the in-the-wild exploitation of CVE-2025-0282. While the researchers have yet to link the attacks to any particular advanced persistent threat (APT) group or cluster, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware (e.g. SPAWNANT, SPAWNMOLE and PAWNSNAIL) as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM. For more information, please visit the Google Mandiant blog.

Historical exploitation of Ivanti Connect Secure

Ivanti Connect Secure, formerly known as Pulse Connect Secure, has been frequently targeted by attackers of all types, including advanced persistent threat (APT) groups as well as ransomware affiliates and opportunistic cybercriminals.

CVEDescriptionTenable PublicationsYearCVE-2019-11510Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability1, 2, 3, 4, 52019CVE-2019-11539Ivanti Pulse Connect Secure and Policy Secure Command Injection Vulnerability1, 2, 3, 42019CVE-2020-8218Ivanti Pulse Connect Secure Code Injection VulnerabilityTenable 2020 Threat Landscape Retrospective2020CVE-2020-8243Ivanti Pulse Connect Secure Code Injection Vulnerability1, 22020CVE-2020-8260Ivanti Pulse Connect Secure Unrestricted File Upload Vulnerability1, 22020CVE-2021-22893Ivanti Pulse Connect Secure Authentication Bypass Vulnerability1, 22021CVE-2021-22894Ivanti Pulse Connect Secure Buffer Overflow VulnerabilityCVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild2021CVE-2021-22899Ivanti Pulse Connect Secure Command Injection VulnerabilityCVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild2021CVE-2021-22900Ivanti Pulse Connect Secure Multiple Unrestricted Uploads VulnerabilityCVE-2021-22893: Zero-Day Vulnerability in Pulse Connect Secure Exploited in the Wild2021CVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability1, 22024CVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability1, 22024CVE-2024-21893Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) VulnerabilityCVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways2024

Because of the historical exploitation of these devices, customers are strongly advised to apply the available patch for these flaws as soon as possible.

Proof of concept

On January 16, researchers at watchTowr released a public proof-of-concept (PoC) exploit for CVE-2025-0282 on GitHub. The GitHub repository notes that the PoC is "broken in non-trivial ways" adding that it will "require effort to work." It also points to watchTowr's technical write-up, Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) on its blog.

Solution

Ivanti has released the following patches for Connect Secure, Policy Secure and Neurons for ZTA Gateways.

Affected ProductAffected Versions (CVE-2025-0282)Affected Versions (CVE-2025-0283)Fixed VersionIvanti Connect Secure22.7R2 through 22.7R2.422.7R2.4 and below
9.1R18.9 and below22.7R2.5Ivanti Policy Secure22.7R1 through 22.7R1.222.7R1.2 and belowUnavailable until January 21Ivanti Neurons for ZTA gateways22.7R2 through 22.7R2.322.7R2.3 and below22.7R2.5 (Unavailable until January 21)

Ivanti customers can utilize its Integrity Checker Tool (ICT) to identify exploitation of CVE-2025-0282.

For Connect Secure customers, Ivanti recommends performing a factory reset of devices prior to upgrading to version 22.7R2.5 “out of an abundance of caution” for those with clean ICT scan results and to “ensure any malware is removed” where ICT results “show signs of compromise.”

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-0282 and CVE-2025-0283 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Tenable Attack Surface Management customers are able to quickly identify these assets by leveraging the built in subscription labeled Ivanti Connect Secure (ICS) - v1.

 Get more informationChange Log

Update January 16: The Proof-of-concept section has been updated to highlight the availability of a public proof-of-concept exploit for CVE-2025-0282.

Update January 9: The Analysis section has been updated to include preliminary details from Mandiant's on-going investigation into these attacks.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang
Checked
1 hour ago
URL
https://www.tenable.com/
Tenable Blog feed

Managed ad