Randall Munroe’s XKCD ‘Chemical Formulas’
via the comic humor & dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Chemical Formulas’ appeared first on Security Boulevard.
A zero-day vulnerability in SonicWall’s Secure Mobile Access (SMA) 1000 was reportedly exploited in the wild according to researchers.
Update January 23: The Analysis and Identifying affected systems sections have been updated to include confirmation of exploitation from SonicWall and how to identify assets using Tenable Attack Surface Management.
Background
On January 22, SonicWall published a security advisory (SNWLID-2025-0002) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution.

CVE             Description                                                          CVSSv3
CVE-2025-23006  SonicWall SMA 1000 Deserialization of Untrusted Data Vulnerability   9.8

Analysis
CVE-2025-23006 is a deserialization of untrusted data vulnerability in the appliance management console (AMC) and central management console (CMC) of the SonicWall SMA 1000. An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable device. Successful exploitation would grant the attacker arbitrary command execution on the device. The advisory specifies that “specific conditions” could allow for OS command execution, though it’s unclear from the information provided by SonicWall what those conditions might be.
Possible active exploitation in the wild
According to SonicWall’s Product Security Incident Response Team (PSIRT), there are reports of “possible active exploitation” of this flaw “by threat actors.” While specific details are not known at this time, the vulnerability was reported to SonicWall by researchers at Microsoft Threat Intelligence Center (MSTIC).
In a knowledge base article, SonicWall explicitly said that CVE-2025-23006 "has been confirmed as being actively exploited in the wild" and that the vulnerability should "be treated with the utmost severity."
Historical exploitation of SonicWall SMA vulnerabilities
SonicWall products have been a frequent target for attackers over the years. Specifically, the SMA product line has been targeted in the past by ransomware groups, and it has been featured in the Top Routinely Exploited Vulnerabilities list co-authored by multiple United States and international agencies. The following is a list of known SMA vulnerabilities that have been exploited in the wild:

CVE             Description                                                   Tenable Blog Links   Year
CVE-2019-7481   SonicWall SMA100 SQL Injection Vulnerability                  1                    2019
CVE-2019-7483   SonicWall SMA100 Directory Traversal Vulnerability            -                    2019
CVE-2021-20016  SonicWall SSLVPN SMA100 SQL Injection Vulnerability           1, 2, 3, 4, 5        2021
CVE-2021-20038  SonicWall SMA100 Stack-based Buffer Overflow Vulnerability    1, 2, 3              2021

Proof of concept
At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-23006. If and when a public PoC exploit becomes available for CVE-2025-23006, we anticipate a variety of attackers will attempt to leverage this flaw as part of their attacks.
Solution
SonicWall has released version 12.4.3-02854 to address this vulnerability, which impacts version 12.4.3-02804 and earlier. According to SonicWall, SMA 100 series and SonicWall Firewall devices are not impacted.
The advisory also provides a workaround to reduce potential impact. This involves restricting access to the AMC and CMC to trusted sources. The advisory also notes to review the best practices guide on securing SonicWall appliances.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-23006 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
Tenable Attack Surface Management customers are able to identify these assets using a filtered search for SMA devices:
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post CVE-2025-23006: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Reportedly Exploited appeared first on Security Boulevard.
Articles related to cyber risk quantification, cyber risk management, and cyber resilience.
The post An Overview of Cyber Risk Modeling | Kovrr appeared first on Security Boulevard.
Learn to bypass EDR detection using NtContinue for hardware breakpoints without triggering ETW Threat Intelligence. This technical blog explores kernel debugging, debug registers, and EDR evasion with code examples.
The post ETW Threat Intelligence and Hardware Breakpoints appeared first on Praetorian.
Author/Presenter: Kevin Mitchell
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events at the Las Vegas Convention Center, and via the organization’s YouTube channel.
The post DEF CON 32 – Bluetooth Blues: Unmasking CVE 2023-52709 – The TI BLE5-Stack Attack appeared first on Security Boulevard.
Secrets buried in container registries pose a silent risk. Learn about their hidden vulnerabilities and what steps you can take to safeguard your infrastructure.
The post Protecting the Backbone of Modern Development: Scanning Secrets in Container Registries appeared first on Security Boulevard.
The modern enterprise is fluid, dynamic and distributed. The old network perimeter is gone. And threat actors bypass corporate defenses with ease—often simply using stolen or cracked credentials. This is the world that Zero Trust was designed for. A cybersecurity approach with a history dating back over a decade, it’s now finding favor among global organizations thanks to US government mandates. At its heart, it’s about protecting critical systems, and the data flowing through them, from compromise.
The post The Future of Data Security is Zero Trust: Here’s Why appeared first on Security Boulevard.
In the past year, 68% of data breaches involved the human element, according to Verizon.
From disgruntled employees committing sabotage to innocent mistakes, humans are one of your organization's greatest information security risks. In fact, a shocking number of high-profile data breaches in recent years have occurred because of employee behaviors.
While it's crucial for information security pros to understand human vulnerabilities, the root cause of data breaches isn't always as simple as human action. In many cases, a combination of technical, policy, and human failures can contribute to an incident with data loss.
The post 9 Internal Data Breach Examples to Learn From appeared first on Security Boulevard.
The new SonarQube Server LTA release is as value-packed as ever. Look forward to high-impact AI capabilities, more secure code at every angle, supercharged developer productivity, and even better enterprise and operational capabilities. As always, there's something for everyone with the LTA!
The post SonarQube Server 2025.1 LTA Release Announcement appeared first on Security Boulevard.
Last month, Henry Farrell and I convened the Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024) at Johns Hopkins University’s Bloomberg Center in Washington DC. This is a small, invitational workshop on the future of democracy. As with the previous two workshops, the goal was to bring together a diverse set of political scientists, law professors, philosophers, AI researchers and other industry practitioners, political activists, and creative types (including science fiction writers) to discuss how democracy might be reimagined in the current century...
The post Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024) appeared first on Security Boulevard.
An increase in compliance activities such as the creation of software bills of materials (SBOMs), performing software composition analysis (SCA) scans on code repositories, and securing the attack surface created by artificial intelligence (AI) applications are among the key software security trends highlighted in the latest edition of the Building Security in Maturity Model (BSIMM) report.
The post BSIMM15 highlights compliance and AI security: Why modern tooling is key appeared first on Security Boulevard.
Fall was a busy conference season for Tidal Cyber. My colleagues and I participated in events including Black Hat, FutureCon, Health-ISAC, FS-ISAC, ATT&CKCon, and numerous regional Cybersecurity Summits. As we spoke with attendees, one of the big takeaways was that organizations are trying to understand their risk associated with using AI. Rick Gordon and I had the opportunity to dig into this in more detail at the ACSC 2024 Annual Member Conference. The theme was “Developing AI Governance and Security Practice”, and several discussions focused on how organizations can assess the risk versus the reward of bringing AI into their organization as a business tool.
The post Operationalizing MITRE ATLAS to Defend Against Attacks on AI appeared first on Security Boulevard.
New York, NY, 23rd January 2025, CyberNewsWire
The post Memcyco Announces Next-Gen, AI Solution to Combat Fraud and Impersonation Attacks in Real Time appeared first on Security Boulevard.
President Trump has made sweeping changes in his first days in office, but as of yet, he's kept intact much of the government's cybersecurity structure and policies, including the two executives orders President Biden issued at the beginning and end of his term.
The post Trump Has Had a Light Touch on Cybersecurity – So Far appeared first on Security Boulevard.
The recent cyber breach at the U.S. Treasury Department, linked to state-sponsored Chinese hackers, has set off alarm bells in the public sector. As the investigation continues, this incident reveals a pressing issue that all government agencies must confront: securing their APIs (Application Programming Interfaces).
APIs are essential connections within our digital infrastructure, facilitating communication and data sharing between systems. However, with their increasing usage comes a greater risk of them being exploited as attack points. This breach, believed to originate from a weakness in a third-party software vendor, specifically BeyondTrust, underscores the interconnectedness of today's IT networks and highlights the necessity for a robust, layered security strategy.
The Mechanics of a Breach: API Vulnerabilities Under Attack
While comprehensive details are still emerging, attackers capitalized on a vulnerability within BeyondTrust's software to infiltrate the Treasury's systems. This tactic of supply chain attacks is becoming more prevalent, as malicious actors often target the weakest links to achieve their goals. In this case, the attackers exploited BeyondTrust's privileged remote access product, which Treasury employees used. Once inside, attackers might have used compromised API keys or taken advantage of other API flaws to access sensitive information.

Salt Security: Stopping Future Treasury Department Breaches
This event highlights the urgent need for strong API security solutions that instantly recognize and thwart attacks. At Salt Security, our API Protection Platform is specifically built to tackle these issues directly. Here's how Salt could have helped to prevent or lessen the impact of this breach:

Comprehensive API Visibility: Salt offers complete visibility into all API traffic, including shadow APIs and those controlled by third-party vendors like BeyondTrust. This enables organizations to pinpoint and rectify potential vulnerabilities before they can be exploited. This capability is vital in complex settings like the Treasury Department, where many interconnected systems depend on APIs for communication.
Stolen API Key Detection: Our platform specializes in detecting compromised API keys. Here's how:
Real-time Threat Identification: Salt Security detects suspicious and malicious activities in real-time, such as:
Advanced Threat Detection: In addition to fundamental security protocols, Salt employs AI-driven behavioral analytics to identify complex attacks that may evade traditional security measures. This encompasses spotting anomalies in API usage patterns, recognizing malicious behavior, and proactively blocking attacks before they inflict harm.
Key Lessons: Fortifying API Security Across the Public Sector
The breach at the Treasury Department is a critical lesson for the public sector as a whole. Here are essential takeaways for government agencies:
The increasing reliance on APIs across all industries underscores the urgent need for robust API security. Whether you're in government, finance, healthcare, e-commerce, or any other sector that leverages APIs to connect applications and data, Salt Security can help you safeguard your critical assets.
Our API Protection Platform provides the comprehensive visibility, posture governance, advanced threat detection, and real-time response capabilities needed to stay ahead of the curve in today's ever-evolving threat landscape.
If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture governance, and run-time threat protection, please contact us, schedule a demo, or check out our website.
The post Treasury Department Breach: A Crucial Reminder for API Security in the Public Sector appeared first on Security Boulevard.
Santa Clara, Calif. January 23, 2025 – NSFOCUS, a global provider of intelligent hybrid security solutions, today announced that it has received two security service licenses from the National Cyber Security Agency (NACSA) of Malaysia, being one of the first licensed companies that can provide two crucial services in Malaysia: Managed SOC (Security Operations Center) […]
The post NSFOCUS Licensed for SOC and Pentest Service in Malaysia in Accordance with Cyber Security Act 2024 appeared first on NSFOCUS, Inc., a global network and cyber security leader that protects enterprises and carriers from advanced cyber attacks.
Why is IAM Vital in Preventing Data Breaches? Identity and Access Management (IAM) stands at the forefront of effective cybersecurity strategies. Implementing advanced IAM holds the key to data breach prevention, providing a formidable line of defense against unauthorized access and sophisticated cyber threats. One essential aspect of IAM is the management of Non-Human Identities […]
The post Prevent Data Breaches with Advanced IAM appeared first on Entro.
Is Automation Compromising Your Data Security? In modern business environments, how secure is your automation process? Alarmingly, many companies are unknowingly exposing critical data due to inadequate Non-Human Identity (NHI) and Secrets Management practices. This emerging field is crucial to maintaining data integrity and has become a high-priority concern for many CISOs, IT professionals, and […]
The post Is Your Automation Exposing Critical Data? appeared first on Entro.
Why is Secure API Management Essential for Team Empowerment? Is API management a critical aspect of your organization’s cybersecurity strategy? It should be. APIs, or Application Programming Interfaces, are the engines that power today’s digital ecosystem. They enable systems to communicate, allowing for streamlined operations and improved productivity. However, incorrectly managed APIs expose businesses to […]
The post Empowering Teams with Secure API Management appeared first on Entro.
Use the data and analysis in this report to prioritize your 2025 AppSec efforts.
The post Announcing the 2025 State of Application Risk Report appeared first on Security Boulevard.