Tenable Blog

CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild

Tenable Blog
1 day 1 hour ago

Fortinet has observed threat actors exploiting CVE-2025-32756, a critical zero-day arbitrary code execution vulnerability which affects multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera.

Background

On May 13th, Fortinet published a security advisory (FG-IR-25-254) for CVE-2025-32756, a critical arbitrary code execution vulnerability affecting multiple Fortinet products.

CVEDescriptionCVSSv3CVE-2025-32756An arbitrary code execution vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera9.6Analysis

CVE-2025-32756 is an arbitrary code execution vulnerability affecting multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. A remote unauthenticated attacker can send crafted HTTP requests in order to create a stack-based overflow condition which would allow for the execution of arbitrary code. This vulnerability was discovered by the Fortinet Product Security Team who observed threat activity involving a device running FortiVoice.

According to Fortinet, the threat actors operations included scanning the network, erasing system crashlogs and enabling ‘fcgi debugging’ which is used to log authentication attempts, including SSH logins. The ‘fcgi debugging’ option is not enabled by default and the Fortinet advisory recommends reviewing the setting as one possible indicator of compromise (IoC).

Historical Exploitation of Fortinet Devices

Fortinet vulnerabilities have historically been common targets for cyber attackers, and CVE-2025-32756 is the eighteenth Fortinet vulnerability to be added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

CVEDescriptionPatchedTenable BlogCVE-2024-55591Fortinet Authentication Bypass in FortiOS and FortiProxyJanuary 2025CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the WildCVE-2024-21762Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpndFebruary 2024CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN VulnerabilityCVE-2023-27997FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityJune 2023CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)CVE-2022-42475FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityDecember 2022CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNsAA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475CVE-2022-40684FortiOS and FortiProxy Authentication Bypass VulnerabilityOctober 2022CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxyProof of concept

At the time of writing this, no proof-of-concept (PoC) has been published for CVE-2025-32756. When a PoC is released, we expect attackers will incorporate this vulnerability in their attacks as Fortinet devices have been exploited by threat actors, including nation-state actors in the past.

Vendor response

Fortinet has provided a list of IoCs based on their observations of CVE-2025-32756. We recommend reviewing the list of IoCs and steps recommended by Fortinet to determine if your device may have been impacted.

Solution

The following table details the affected and fixed versions of Fortinet devices affected by CVE-2025-32756:

ProductAffected VersionFixed VersionFortiCamera 2.12.1.0 through 2.1.32.1.4 or aboveFortiCamera 2.02.0 all versionsMigrate to a fixed releaseFortiCamera 1.11.1 all versionsMigrate to a fixed releaseFortiMail 7.67.6.0 through 7.6.27.6.3 or aboveFortiMail 7.47.4.0 through 7.4.47.4.5 or aboveFortiMail 7.27.2.0 through 7.2.77.2.8 or aboveFortiMail 7.07.0.0 through 7.0.87.0.9 or aboveFortiNDR 7.67.6.07.6.1 or aboveFortiNDR 7.47.4.0 through 7.4.77.4.8 or aboveFortiNDR 7.27.2.0 through 7.2.47.2.5 or aboveFortiNDR 7.17.1 all versionsMigrate to a fixed releaseFortiNDR 7.07.0.0 through 7.0.67.0.7 or aboveFortiNDR 1.51.5 all versionsMigrate to a fixed releaseFortiNDR 1.41.4 all versionsMigrate to a fixed releaseFortiNDR 1.31.3 all versionsMigrate to a fixed releaseFortiNDR 1.21.2 all versionsMigrate to a fixed releaseFortiNDR 1.11.1 all versionsMigrate to a fixed releaseFortiRecorder 7.27.2.0 through 7.2.37.2.4 or aboveFortiRecorder 7.07.0.0 through 7.0.57.0.6 or aboveFortiRecorder 6.46.4.0 through 6.4.56.4.6 or aboveFortiVoice 7.27.2.07.2.1 or aboveFortiVoice 7.07.0.0 through 7.0.67.0.7 or aboveFortiVoice 6.46.4.0 through 6.4.106.4.11 or above

For users that are not able to immediately upgrade, Fortinet has provided a mitigation step; disabling the HTTP/HTTPS administrative interface. We recommend reviewing the Fortinet advisory for the latest information on workarounds and patched versions.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-32756 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Russell Brown

CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution

Tenable Blog
1 day 18 hours ago

Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

Background

On May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).

CVEDescriptionCVSSv3CVE-2025-4427Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability5.3CVE-2025-4428Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability7.2Analysis

CVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.

CVE-2025-4428 is a RCE in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.

An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software. Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.

Customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.

Ivanti has credited the CERT-EU with reporting these vulnerabilities.

Proof of concept

At the time this blog post was published, there was no public proof-of-concept available for CVE-2025-4427 or CVE-2025-4428.

Solution

The following table details the affected and fixed versions of Ivanti EPMM for both CVE-2025-4427 and CVE-2025-4428:

Affected VersionFixed Version11.12.0.4 and prior11.12.0.512.3.0.1 and prior12.3.0.212.4.0.1 and prior12.4.0.212.5.0.0 and prior12.5.0.1Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-4427, and CVE-2025-4428 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti EPMM by using the following filters:

 Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Ben Smith

Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)

Tenable Blog
1 day 21 hours ago
  1. 5Critical
  2. 66Important
  3. 0Moderate
  4. 0Low

Microsoft addresses 71 CVEs including seven zero-days, five of which were exploited in the wild.

Microsoft patched 71 CVEs in its May 2025 Patch Tuesday release, with five rated critical and 66 rated as important.

This month’s update includes patches for:

  • .NET, Visual Studio, and Build Tools for Visual Studio
  • Active Directory Certificate Services (AD CS)
  • Azure
  • Azure Automation
  • Azure DevOps
  • Azure File Sync
  • Azure Storage Resource Provider
  • Microsoft Brokering File System
  • Microsoft Dataverse
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Edge (Chromium-based)
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft Office PowerPoint
  • Microsoft Office SharePoint
  • Microsoft PC Manager
  • Microsoft Power Apps
  • Microsoft Scripting Engine
  • Remote Desktop Gateway Service
  • Role: Windows Hyper-V
  • Universal Print Management Service
  • UrlMon
  • Visual Studio
  • Visual Studio Code
  • Web Threat Defense (WTD.sys)
  • Windows Ancillary Function Driver for WinSock
  • Windows Common Log File System Driver
  • Windows Deployment Services
  • Windows Drivers
  • Windows DWM
  • Windows File Server
  • Windows Fundamentals
  • Windows Hardware Lab Kit
  • Windows Installer
  • Windows Kernel
  • Windows LDAP - Lightweight Directory Access Protocol
  • Windows Media
  • Windows NTFS
  • Windows Remote Desktop
  • Windows Routing and Remote Access Service (RRAS)
  • Windows Secure Kernel Mode
  • Windows SMB
  • Windows Trusted Runtime Interface Driver
  • Windows Virtual Machine Bus
  • Windows Win32K - GRFX

Remote code execution (RCE) vulnerabilities accounted for 39.4% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.4%.

ImportantCVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and are rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Prior to this month's release, Microsoft has patched two other EoP vulnerabilities in the Windows CLFS driver in 2025, including CVE-2025-29824, exploited as a zero-day vulnerability in the April 2025 Patch Tuesday release. In 2024, there were eight CLFS vulnerabilities patched, including one zero-day vulnerability in the CLFS driver that was exploited (CVE-2024-49138) and patched in the December 2024 Patch Tuesday release. Windows CLFS continues to be a popular attack vector for attackers and has been exploited by ransomware gangs.

ImportantCVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability

CVE-2025-30400 is an EoP vulnerability in the Windows Desktop Windows Manager (DWM) Core library. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft notes that it was exploited as a zero-day. Successful exploitation would allow an attacker to elevate their privileges by exploiting a use after free flaw.

This is the seventh EoP vulnerability in DWM Core Library patched this year. Eight DWM vulnerabilities were patched in 2024, including one zero-day vulnerability that was actively exploited (CVE-2024-30051) and patched in the May 2024 Patch Tuesday release.

ImportantCVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability

CVE-2025-30397 is a memory corruption vulnerability in Microsoft Scripting Engine that can be exploited to achieve arbitrary code execution on a target machine. It was assigned a CVSSv3 score of 7.5 and is rated as Important. The attack complexity is rated as high, and Microsoft notes the target must first be running Microsoft Edge in Internet Explorer mode. Successful exploitation requires the user to click on a crafted URL. This vulnerability was reportedly exploited in the wild as a zero-day.

ImportantCVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability

CVE-2025-26685 is a spoofing vulnerability in Microsoft Defender for Identity. It was assigned a CVSSv3 score of 6.5 and is rated as Important. This vulnerability allows an unauthenticated attacker with Local Area Network (LAN) access to perform a spoofing attack. According to Microsoft, this vulnerability was disclosed prior to patches being made available.

ImportantCVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-32709 is a EoP vulnerability in the Windows Ancillary Function Driver for WinSock. It was assigned a CVSSv3 score of 7.8 and rated as Important. An authenticated attacker can leverage this vulnerability to elevate their privileges to administrator by exploiting a user after free condition. Microsoft notes that this vulnerability was exploited in the wild as a zero-day, the second to be exploited in 2025, preceded by CVE-2025-21418 which was addressed in February’s Patch Tuesday release.

ImportantCVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability

CVE-2025-32702 is a RCE vulnerability in Visual Studio. It was assigned a CVSSv3 score of 7.8 and rated as Important. Microsoft notes that the attack vector for this vulnerability is local, and that an unauthenticated attacker could exploit this flaw in order to execute code. This is the third RCE vulnerability in Visual Studio that was patched in 2025.

Tenable Solutions

A list of all the plugins released for Microsoft’s May 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Tenable Security Response Team

Detecting Remote Monitoring and Management Tools Used by Attackers

Tenable Blog
3 days 1 hour ago

Following up on last year’s LOLDriver plugin, Tenable Research is releasing detection plugins for the top Remote Monitoring and Management (RMM) tools that attackers have been more frequently leveraging in victim environments.

Background

In August 2024, Tenable Research released a detection plugin for Nessus, Tenable Security Center and Tenable Vulnerability Management to help customers identify risky third-party Windows drivers utilized by attackers for privilege escalation on victim hosts. As part of our continued research into living off the land (LOTL) tooling utilized by attackers, we’re releasing new detection plugins for popular Remote Monitoring and Management (RMM) applications.

Increased risk from RMM tools

IT operations and information security staff often need to remotely connect to machines dozens, perhaps even hundreds, of times per day to troubleshoot a problem or make a system function well. An administrator or support technician must reach a terminal on a server in a datacenter a continent away, or a user’s workstation in their home. As the role of the remote worker has dramatically expanded across organizations over the last 20 years, it has led to the introduction of RMM products in enterprise environments.

The architecture of these products is fairly straightforward: a listener on the user’s machine, often referred to as an agent, host, or server, and an application to connect to, and control, the machine, often referred to as a viewer or client. In many cases this connection is facilitated by a proxy system, which maintains an inventory of the available machines in the environment, allowing an administrator to select one from a list, use stored credentials and track the health of the listeners. This proxy system might be on-premises, in the cloud, or hosted by the RMM vendor as a SaaS application.

Source: Tenable, May 2025

While these tools may sound handy, attackers also know that these tools are present. They can use them for direct graphical control of a victim’s machines, often at a privilege level that is elevated by design. So, how do attackers get their hands on such a valuable resource?

Attack scenarios for RMM tools

There are several ways an attacker can obtain access to an organization’s RMM tools:

  • Credential reuse. The attacker steals credentials belonging to a privileged user, either through social engineering, theft from the user’s workstation or control of an identity service. These credentials are used to authenticate to the RMM central service or to simply connect directly to a listener.
  • Exploitation of a vulnerability in the RMM product. Many RMM applications have highly publicized vulnerabilities that allow elevation of privilege or remote code execution.
  • Elevation of privilege. An attacker may gain control of a workstation or server used by an administrator and launch the RMM client application from there using the legitimate access of that administrator.

And, of course, attackers with sufficient privileges can simply deploy a RMM tool of their choice on a compromised asset, allowing them to achieve persistence and remote command and control. The nature of modern RMM tool design allows attackers, in some cases, to do monitor and control an asset without formally installing a software package, which might trigger an alert to the organization’s security team.

Defensive strategies for unauthorized RMM tool use

A mature security program will update the organization’s protective, monitoring and response approach to address the risk presented by RMM tools. Some of these strategies include:

  • Selecting an authorized RMM product or suite for the organization. This will allow security teams that inventory software on their assets to quickly spot the use of unauthorized RMM tools, which might have been introduced by an attacker.
  • Auditing the use of the authorized RMM product. Have administrators that use the tools regularly review reports of sessions performed to ensure no unauthorized activity has occurred. Investigate these unauthorized sessions as soon as possible after detection.
  • Reviewing network traffic between assets (especially remote assets) and the internet. Identify connections to known RMM tool websites, e.g., downloading of the tools or access to a proxy or management site.
  • Scanning the environment to look for listening services. This strategy can be used to identify services belonging to RMM tools.
How can Tenable customers mitigate the risk of RMM tools?

Tenable has several existing plugins that can detect several different varieties of RMM tools. These include:

Tenable is also releasing a number of Nessus plugins to detect many commonly used commercial and open source RMM or Remote Access Tool products:

ProductPluginsTeamViewer52715, 206009 105111,121245RemotePC232745, 232746, 232747Pritunl232836, 232837, 232838, 232839Google Chrome Remote Desktop232692, 232693, 232694Duet Display232296, 232295Connectwise ScreenConnect192391, 190883, 190894Apache Guacamole232291JumpDesktop232297, 232298TSplus Remote Access232591AnyViewer232316, 232315Parsec Remote Access232649, 232651, 232650,VNC Connect232582, 232580, 232581Termius232292, 232293, 232294LogMeIn232654, 122754GoodAccess233552, 233553, 233554ISL Light232853, 232854, 232855OpenVPN154346, 191048, 125356, 56022, 107073, 232856, 232857NoMachine Remote Access233323, 233324, 233325RustDesk Remote Desktop233292, 233291, 233288, 233289, 233290Remote Utilities233555, 233556, 233557WinGate234718AirDroid233774, 233775, 233776AnyDesk189953, 189955, 189973

There are also Nessus Web App Scanning plugins for many of these applications, which can help detect the applications’ web UI when detecting the service locally isn’t an option.

A new scan template, Remote Monitoring and Management, has been created in Tenable Nessus to check for this set of RMM products. Customers can use the scan template to ensure that the instances they find are authorized for use in the organization. It is strongly recommended to scan with credentials, so that more exhaustive searches for these products can be performed.

Future development

IT operations and support teams will continue to rely on RMM tools for productivity benefits even as attackers increasingly exploit them. Tenable anticipates that new RMM solutions will emerge and major systems management suites will further integrate remote-control capabilities directly into their platforms.

Meanwhile, vulnerability and threat intelligence researchers will keep their focus on the tools, identifying weaknesses and opportunities for exploitation as well as attacker-usage of such tools. As additional vulnerabilities are discovered and new threat intelligence reports reveal usage of new and existing tools, Tenable plans to publish detection and vulnerability plugins to find them. Given this growing space, organizations must remain vigilant, ensuring continuous monitoring, timely patching and strong security practices around RMM tools.

Tenable Research

Six Ways Exposure Management Helps You Get Your Arms Around Your Security Tools

Tenable Blog
3 days 3 hours ago

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, the second of two parts, we look closely at six ways exposure management can help you tame security tool sprawl. You can read part one here and the entire Exposure Management Academy series here.

If you’re managing cyber risk, you know there’s one fundamental question you have to answer: Where are we most exposed? On the surface, that might seem like a simple ask. Are you at risk or not? Like many things, in practice it’s a bit tougher to answer — even though you installed all those security tools to keep your organization safe. But those tools might be a big part of the problem. Most enterprises now struggle with taming all the tools and corralling the data they produce. So getting a clear, consistent and comprehensive answer can be a real challenge. 

Enter exposure management, which gives you the processes and technologies you need to continuously assess the accessibility, exploitability and criticality of digital assets across all systems, applications, devices, resources and identities. As a result, it helps you tame security tool sprawl and works to bind all of that fragmented data together to provide a unified view. Rather than scrambling madly to find the right data when you get a question from your executive team or board, you’ll be able to answer them easily. 

Last week, we shared how exposure management solutions can ease the three challenges that come with security tool sprawl. This week, we dig a bit deeper and explore six ways exposure management can help you work more effectively with all those tools. 

1. Understanding everything your security tools tell you 

With workloads spanning on-premises, cloud and hybrid environments, today’s IT environments are complex. Users interact with systems using a mix of devices, identities and access points. Security tools, many of which you probably acquired over time to solve specific problems, are often fragmented and don’t communicate beyond their individual siloes. The result: A blurred picture that doesn’t show you how all those pieces fit together or, critically, where the real threats are.

An exposure management platform helps you solve this problem with a foundation built on unified data, with a carefully considered design approach that supports:

  • Cross-domain mapping: An exposure management platform must link assets across tools and environments. For example, a single human identity might possess elevated privileges in Amazon Web Services (AWS), Microsoft Azure, Okta and multiple software as a service (SaaS) platforms. So exposure management should track that person as one entity.
  • Normalization: Every security vendor has its own nomenclature and vocabulary. Tool A might describe risks in one way while Tool B might use different terminology. An exposure management platform can normalize terminology and build a common language and risk model so you can evaluate findings consistently.
  • Correlation and scoring: An exposure management platform should evaluate relationships and assign risk based on interconnected factors such as device vulnerabilities, user privileges, poor hygiene, misconfigurations and external accessibility — not just static severity scores.

Must have: With an exposure management platform, you can consolidate risk data and insights into a single platform. This helps you streamline management and enables your teams to take more efficient, informed actions.

2. Figuring out how to prevent attackers from moving laterally in your organization

With a mix of cloud services, SaaS platforms, contractors, suppliers and external development teams, 21st century digital enterprises are highly interconnected. Those connections drive your productivity and keep you flexible. The problem is, they also expand the attack surface to previously unimagined breadth and depth. Once an attacker gains a foothold, the interconnected nature of your business systems make it possible for them to find a path to move laterally in pursuit of your most business-critical and sensitive systems and data. 

Plus, not all of these assets and resources — even though they are yours — are under your direct control because they sit outside the traditional IT perimeter. 

Without access to data about those assets, you have a blind spot in your cybersecurity landscape. So you put security tools in place to help you monitor and safeguard these assets, each of which is constantly churning out alerts and data. With the largest companies often using as many as 140 tools, security teams struggle to keep up. And you have no way to contextually analyze all this output so you can grasp where your organization is most exposed. 

Must have: Attackers can connect exposures across your environment so they can move laterally and compromise critical assets. An exposure management platform helps you identify exposures across your environment in context, employing cyber asset attack surface management (CAASM) so you can see how they connect and strategically address the ones that represent the greatest risk. 

3. Uncovering weaknesses in your systems

Toxic combination of exposures lurking in your organization remain a top cause of breaches. In fact, according to Verizon’s 2025 Data Breach Investigations Report, attackers increasingly relied on exploiting vulnerabilities for initial entry and subsequent breaches, marking a 34% jump from the previous year. 

Even if you have strong security policies in place, it’s easy to overlook certain weaknesses in your environment, such as open ports or a lack of multi-factor authentication (MFA). When combined, these factors form toxic combinations that can make it easier for an attacker to move laterally. 

Weaknesses leading to a toxic combination include: 

  • Open ports
  • A lack of multifactor authentication
  • Unencrypted data and unauthorized or out-of-band changes 
  • Privileged access to a business-critical application
  • Unpatched vulnerabilities on their device
  • A device not covered by endpoint detection and response (EDR)

Must have: An exposure management platform can help you identify specific weaknesses that lead to toxic combinations. The contextual view exposure management provides allows you to map these weaknesses across security vendors and technologies.

4. Protecting your critical choke points

Choke points are a critical tactic in cybersecurity — they represent assets or exposures where multiple attack paths intersect. Devices that function as network choke points (e.g., firewalls, routers with ACLs, VPN concentrators, critical servers and API gateways) are often targeted by attackers as they look to move laterally in your environment. If an attacker can compromise a choke point, they can gain access to your entire network segments or critical data flows.

So mapping potential attack paths — including the sequences of vulnerabilities and misconfigurations an attacker could exploit to move through your network and reach critical assets — is a crucial step. An exposure management platform can help you manage choke points in three ways:

  • Mapping: It can analyze MITRE ATT&CK techniques and help you map all attack paths.
  • Analysis: It needs to identify which exposures are enabling the highest number of critical attack paths that could disrupt business operations or cause a breach.
  • Mitigation: It provides strategies to eliminate attack paths and improve your overall security posture.

Must have: Exposure management software helps you identify and focus on the exposures that will most effectively reduce business risk, so you and your teams don’t get overwhelmed trying to address every single issue. It can also help you identify vulnerabilities on your choke point assets so you can prioritize them for remediation. If you remediate or use compensating control on one issue, you can eliminate dozens (or even hundreds) of potential attack paths. That's the power of focusing on choke points.

5. Free yourself from spreadsheet sprawl 

You’ve got too many dashboards to check, too many tools to manage and too much data to comb through. And chances are you’re trying to track and analyze all this using spreadsheets. The result? It’s easy to miss critical exposures. You need a unified dashboard you can use to track, analyze, and communicate risk from all your security data sources.

But what does unified data really mean? Lumping everything together in one dashboard is a decent start. But exposure management goes further. It aggregates, normalizes and correlates relevant data from across your environment, including domains, tools, clouds and identities. Then it evaluates it all holistically.

An exposure management platform can bring together the key data you need, including:

Must have: With aggregated information, an exposure management platform can map relationships across systems, perform attack path analysis and prioritize exposures for action based on how issues intersect. 

6. Maximizing ROI from all your security tools

You’ve invested a lot in your current security tools. But when you add more point solutions for individual areas, you’ll often see diminishing returns because you lack the necessary technical and business context across different systems. 

You’ll definitely see data noise, staff churn, hidden vulnerabilities and, ultimately, poor ROI. 

So, to get the most out of your security investments, you need a unified strategy that integrates visibility with context across the entire attack surface. This will increase productivity and efficiency, enable you to demonstrate how you’ve reduced risks, lower your costs and significantly boost the ROI of all your security investments.

Must Have: An exposure management platform centralizes all the security data coming from your security tools, helping you streamline processes, cut costs and extract the most from your existing security investments. 

Takeaways

You have a lot riding on all those security tools — the future of your organization and the success of your career. But, often, it’s hard to understand how those tools are performing. So it's important to find a way to view the data from these tools in a unified, contextual manner that correlates exposures across your attack surface. 

Exposure management gives you the ability to start managing risk from one place, with data and insights available in a single platform. 

Your organization will be able to make clear-eyed decisions about how to handle your riskiest exposures and take action to eliminate them before they’re exploited.

Have a question about exposure management you’d like us to tackle?

We’re all ears. Share your question and maybe we’ll feature it in a future post.

 MktoForms2.loadForm("//info.tenable.com", "934-XQB-568", 14070);
Nathan Dyer

Cybersecurity Snapshot: U.K. NCSC’s Best Cyber Advice on AI Security, the Quantum Threat, API Risks, Mobile Malware and More

Tenable Blog
6 days 3 hours ago

In this special edition of the Cybersecurity Snapshot, we bring you some of the most valuable guidance offered by the U.K. National Cyber Security Centre (NCSC) in the past 18 months. Check out best practices, recommendations and insights on protecting your AI systems, APIs and mobile devices, as well as on how to prep for post-quantum cryptography, and more.

In case you missed it, here are six NCSC recommendations to help your organization fine-tune its cybersecurity strategy and operations.

1 - How to migrate to quantum-resistant cryptography

Is your organization planning to adopt cryptography that can resist attacks from future quantum computers? If so, you might want to check out the NCSC’s “Timelines for migration to post-quantum (PQC) cryptography,” a white paper aimed at helping organizations plan their migration to quantum-resistant cryptography.

“Migration to PQC can be viewed as any large technology transition. In the guidance, we describe the key steps in such a transition, and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme,” reads a companion blog.
 


At a high-level, the NCSC proposes these three key milestones:

  • By 2028
    • Define the organization’s migration goals.
    • Assess which services and infrastructure need to have their cryptography upgraded to PQC.
    • Draft an initial migration plan that includes, for example, the highest priority migration steps; the necessary investment; and what you’ll need from your suppliers.
  • By 2031
    • Execute the first, most important PQC migration steps.
    • Refine the PQC migration plan to ensure the roadmap will be fulfilled.
    • Ensure your infrastructure is ready to support PQC.
  • By 2035
    • Complete your PQC migration.

Organizations need to migrate to PQC because quantum computers will be able to decrypt data protected with today’s public-key cryptographic algorithms. These powerful quantum computers are expected to become generally available at some point between 2030 and 2040.

The U.S. National Institute of Standards and Technology (NIST) last year released three quantum-resistant algorithm standards that are ready to be adopted. A fourth one is slated for release next year, and a fifth one, announced in March of this year, should be available in 2027.

For more information about how to protect your organization against the quantum computing cyber threat:

2 - Why hardening your API security is key

After several high profile application programming interface (API) breaches, the NCSC published the guide “Securing HTTP-based APIs,” which urges organizations to update their methods for securing their APIs, including by using stronger authentication.

Strengthening API security should not simply be seen as a protective measure; it can also enable organisations to enhance agility, simplicity and productivity,” reads a companion NCSC blog titled “New guidance on securing HTTP-based APIs.”
 


Unfortunately, many organizations rely on outdated API-security practices, including:

  • Use of basic authentication
  • Lack of rate-limiting and user-throttling capabilities
  • Unprotected endpoints
  • Code-stored credentials
  • Use of URLs to transmit sensitive data
  • Lax input validation
  • Unencrypted API traffic via HTTPs
  • Weak logging and monitoring

NCSC offers detailed recommendations to boost the security of your HTTP-based APIs in areas including:

  • Development practices
  • Authentication and authorization
  • Protection of in-transit data
  • Input validation
  • Denial-of-service attack mitigation
  • Logging and monitoring
  • Exposure limitation

For example, NCSC recommends adopting strong authentication frameworks like OAuth 2.0 or token-based authentication. It also suggests doing a threat modeling analysis of your API design.

Another recommendation is to develop APIs’ applications in a secure development and delivery environment; and to use secure standards, such as JSON for data exchange and TLS cryptography for in-transit data.

For more information about API security:

3 - Beware of global spyware campaign targeting mobile devices

The NCSC joined other cyber agencies to issue a warning about a spyware campaign aimed at infecting mobile devices of individuals and groups tied to causes that the Chinese government opposes. 

However, all mobile users should take heed because the campaign is global and aggressive, meaning anyone could become a victim, according to the NCSC and cyber agencies from Australia, Canada, Germany, New Zealand and the U.S. 

“The indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims,” reads the NCSC advisory. 

Attackers are targeting supporters of various China-related movements with the BadBazaar and Moonshine spyware variants. Those targeted include journalists, non-governmental organizations, businesses and representatives of groups associated with:

  • Taiwanese independence
  • Tibetan rights
  • Uyghur Muslims
  • Hong Kong democracy advocacy
  • Falun Gong movement
     


Moonshine and BadBazaar are two types of trojan malware, meaning attackers hide them in legit-looking mobile applications that users voluntarily download. In this particular campaign, attackers are embedding Moonshine and BadBazaar in applications designed to appeal to the intended victims, such as a Uyghur keyboard app and a Tibet-related app.

Once a user inadvertently installs a malicious app, attackers use it to obtain the mobile device’s location data in real-time; access its microphone and camera; retrieve stored messages and photos; and more.

 Mitigation recommendations include:

  • Don’t root or jailbreak your mobile device, as this leaves it more vulnerable to cyber attacks.
  • Only download apps from trusted app stores like those from Google and Apple.
  • Periodically review your installed apps and their permissions, deleting apps you no longer use and restricting excessive permissions.
  • Be careful with links, files and apps shared on social media sites, online forums and messaging tools. Scan links with a URL reputation service before clicking on them, and upload suspicious files or apps to a malware analyzer.

To get more information, check out these NCSC resources:

For more information about protecting mobile devices against spyware attacks:

4 - How corporate boards can boost their cyber governance

With cybersecurity governance now one of their main responsibilities, boards of directors need strong cybersecurity knowledge — but many are lacking in this area. That’s why the NCSC published a package of cyber governance resources for board members.

“From my experience of working with senior leaders across private and public sectors, I know that strong cyber governance is key to resilience, growth, and long-term success. Board members play a vital role in making this happen,” NCSC CEO Richard Horne wrote in a blog.
 


The NCSC cyber governance resources for board members include:

  • The “Cyber Governance Code of Practice,” which outlines the board’s responsibilities in these five key governance areas:
     
    • Risk management
    • Strategy
    • People
    • Incident planning, response and recovery
    • Assurance and oversight
       
  • The “Cyber Governance Training” document, which provides five interactive training modules, each focusing on one of the “Code of Practice” principles
     
  • The “Cyber Security Toolkit for Boards,” which explains how to implement the five key cyber governance areas

For example, the risk management the toolkit unpacks how to identify the organization’s critical assets and how to collaborate with its supply chain partners. In the strategy area, it goes into how to embed cybersecurity into the organization and what cybersecurity regulations are relevant to boards.

For more information about cyber governance guidance for boards of directors:

5 - Why AI will boost the quantity and intensity of cyber attacks

The volume and impact of cyber attacks, including ransomware, will grow as malicious actors of all stripes incorporate AI into their toolboxes. 

Still, how the bad guys use AI and what benefits they get from it will depend on their level of skill and knowledge, the NCSC said in its January 2024 report “The near-term impact of AI on the cyber threat.”

Here’s a table with a nice breakdown of how the NCSC projects that AI will supercharge the cyber attack capabilities of cyber criminals with different levels of sophistication by the end of 2025.
 

(Source: NCSC’s “The near-term impact of AI on the cyber threat” report, January 2024)

In a companion statement, the NCSC highlighted how AI will likely heighten the already critical threat from ransomware by making it easier in particular for unskilled hackers to launch more effective cyberattacks.

“This enhanced access, combined with the improved targeting of victims afforded by AI, will contribute to the global ransomware threat in the next two years,” the NCSC statement reads.

For more information about how to address AI-powered cyberattacks:

6 - How to secure network edge devices

The NCSC recently joined fellow cyber agencies to provide insights and best practices for preventing and mitigating cyber attacks against network edge hardware and software devices, which have become a major target in recent months.

“In the face of a relentless wave of intrusions involving network devices globally our new guidance sets what we collectively see as the standard required to meet the contemporary threat,” NCSC Technical Director Ollie Whitehouse said in a statement.

“In doing so we are giving manufacturers and their customers the tools to ensure products not only defend against cyber attacks but also provide investigative capabilities require post intrusion,” Whitehouse added.

Devices at risk include routers, VPN gateways, IoT devices, web servers and internet-facing operational technology (OT) systems.
 


These are the new guides:

For more information about network edge vulnerabilities, check out these Tenable blogs:

Juan Perez

From Managing Vulnerabilities to Managing Exposure: The Critical Shift You Can’t Ignore

Tenable Blog
1 week ago

Vulnerability management remains core to reducing cyber risk — but as the attack surface grows, teams need a risk-driven strategy that looks beyond vulnerabilities to see the bigger picture. Discover how exposure management unifies data and prioritizes real exposures — keeping teams proactive and ahead of cyber threats.

The limits of siloed security

Over the years, the attack surface has grown significantly with the rise of cloud computing, software as a service (SaaS), internet of things (IoT), operational technology (OT), AI and other emerging technologies. The COVID-19 pandemic accelerated this shift, with many companies adopting hybrid, remote-office models, even as many, in recent years, have instituted return-to-office policies.

As digital infrastructure expanded, security teams added more tools to combat emerging cyber threats, leading to tool sprawl. Now, many organizations juggle dozens of different security tools, resulting in inefficiencies, especially when managing risk data and coordinating remediation efforts.

On the data side, cybersecurity teams are stuck with siloed, disorganized and often duplicate risk data. Without context, prioritization becomes a guessing game, making it hard to identify the most critical risks to address. At the same time, security leaders struggle to answer basic questions like, “How exposed are we to an attack?”

The operational challenge is equally concerning. Domain-specific practices remain manual and coordination between IT, DevOps, SecOps and CloudOps is hindered by fragmented tools and misaligned priorities. This fragmented approach leaves critical issues unaddressed for weeks or even months, significantly increasing exposure.

This is the reality of security operations today — fragmented data, inefficient workflows and a lack of comprehensive context leave security teams not only struggling to mitigate risks but also to fully understand their true level of exposure.

Source: Tenable, May 2025 The evolution to exposure management

For years, vulnerability management has been key to cybersecurity, providing crucial visibility into weaknesses across IT environments. It’s the first and most essential step in securing digital assets — helping security teams identify and catalog vulnerabilities across systems, applications and networks. However, as enterprise ecosystems expand and interconnect, vulnerabilities represent just one piece of a much broader risk landscape.

Today, risk spans every corner of the attack surface — from misconfigurations in cloud environments to excessive permissions and exposed identities. These risks often create greater exposure than vulnerabilities alone, underscoring the need for a more holistic, contextual approach to managing cyber risk.

When it comes to exposure management vs. vulnerability management, the difference is clear: vulnerability management tells you where security gaps exist — exposure management helps you understand the risk and prioritize action. By shifting from a reactive, vulnerability-centric approach to a broader, risk-driven strategy, organizations can focus on the exposures that truly matter, making their security programs more efficient than ever.

To effectively reduce exposure, security teams need more than just a list of vulnerabilities; they need context to understand which exposures truly matter in their unique environment, how they connect and their potential impact on the business. This is where exposure management comes in.

Exposure management vs. vulnerability management

Exposure management builds on vulnerability management, but takes it a step further by breaking down silos and adding context for a complete view of risk across the attack surface.

When it comes to exposure management vs. vulnerability management, the difference is clear: vulnerability management tells you where security gaps exist — exposure management helps you understand the risk and prioritize action. By shifting from a reactive, vulnerability-centric approach to a broader, risk-driven strategy, organizations can focus on the exposures that truly matter, making their security programs more efficient than ever.

Unified visibility is the foundation for exposure management

To achieve effective exposure management, organizations need a comprehensive view of their entire attack surface. This means pulling together all available data from across their security tools, including those for applications, cloud, identity, OT, endpoint, asset inventories, CMDBs, threat intelligence feeds and more.

By combining insights from these diverse data sources, security teams can see the bigger picture, connecting the dots between assets, vulnerabilities, misconfigurations and existing compensating controls across multiple environments.

Consolidating security data from siloed tools facilitates a unified, holistic view of risk. This approach enables organizations to:

✔ Manage risk from one place: Break down silos and gain unified visibility across the entire attack surface.

✔Prioritize real exposure: Uncover attack paths and toxic risk combinations across all security data for effective cross-domain prioritization.

✔ Remediate with context: Identify choke points and pinpoint the most effective remediation strategies to address critical risks across the entire security landscape.

✔ Create holistic reports: Achieve a single source of truth for holistic reporting on risks and exposure findings across all environments.

By breaking down data silos and integrating insights from multiple security tools, organizations can reduce the likelihood of a breach and minimize risk exposure across the attack surface. Instead of viewing risks in isolation, security teams can connect the dots — understanding how attackers see their environment and taking smarter, more proactive action to reduce exposure.

Source: Tenable, May 2025 Bringing exposure management to life

Now that we’ve covered the fundamentals of exposure management, let’s explore how to put this approach into practice and build an effective program that drives real security outcomes.

  • Leave no blind spots — Continuously scan your entire attack surface to uncover all potential risks and ensure full visibility.
  • Break down data silos — Unify security data from all sources into a single, consolidated view to understand your organization’s true risk exposure.
  • Incorporate relevant context — Enrich raw scan data with business context and threat intelligence to understand which exposures matter most.
  • Focus on what matters — Prioritize risks based on real business impact, so teams can address the most dangerous weaknesses first.
  • Streamline collaboration — Ensure IT and development teams can take swift action by integrating exposure insights directly into their workflows.
  • Continuously measure and improve — Track progress, refine processes and optimize security efforts to stay ahead of evolving threats.

By following these best practices, organizations can move beyond reactive security and take a proactive approach — one that not only identifies risk but actively reduces exposure, strengthening their overall cyber resilience.

Learn more
Hadar Landau

Stronger Cloud Security in Five: Securing Your Cloud Identities

Tenable Blog
1 week 1 day ago

After covering cloud security posture management (CSPM) and cloud workload protection (CWP) in the first two installments of Tenable’s “Stronger Cloud Security in Five” blog series, today we focus on securing your cloud identities. Protecting them is a tall order, but it’s critical because identities are your cloud security perimeter. Read on to learn more about how to secure them.

Cloud environments are dizzyingly dynamic and can have tens of thousands of human and service identities, each with its own access rights and identity risks – making your cloud identity security landscape highly complex.

In fact, identity and access management (IAM) ranked as the second most critical threat to cloud environments in the Cloud Security Alliance’s “Top Threats to Cloud Computing 2024” report.

“As cyber threats become more sophisticated, securing sensitive information against unauthorized access becomes increasingly daunting, making the robust implementation and continual refinement of IAM strategies indispensable to fortifying cybersecurity defenses,” the CSA tells us.

As Tenable Senior Manager of Security Engineering Christopher Edson explains in a blog: “Almost everything in the cloud is one excess privilege or misconfiguration away from exposure.”

If your organization — like most — uses multiple cloud security providers (CSPs), your identity challenges will multiply, as each CSP has its own set of configurations, identity tools and access management structure.

Yet, all CSPs agree on this: In infrastructure-as-a-service and platform-as-a-service environments, it’s the customer’s responsibility to secure identities. One such example is AWS’s shared responsibility model.

So how do you manage the access permissions of myriad identities across your ever-changing multi-cloud environment? How do you ensure that your identities’ access levels comply with the least-privilege principle and support your zero-trust architecture?

To tackle this challenge, it’s key to have a unified cloud native application protection platform (CNAPP) with a strong cloud infrastructure entitlements management (CIEM) solution. With centralized control over all identities, you’ll always know who has access to which cloud resources and what your top permissions risks are.

A unified CNAPP with CIEM can help your organization implement these five best practices for managing and securing your cloud identities.

1 - Obtain end-to-end multi-cloud visibility

You need continuous and detailed visibility into all your cloud identities – both native and federated – as well as into their resource access permissions and security policies. It’s also critical to have a consistent, unified view of identities across all your cloud environments.

Leveraging a CIEM tool that has an interactive dashboard and rich visualization capabilities, you’ll see core identity information at-a-glance, such as:

  • the relationships and connections between identities
  • their compute, data and network resources
  • their security risks, such as excessive access rights and potential vulnerabilities, misconfigurations, anomalies and policy violations

Finally, this process of inventorying and monitoring identities must be continuous, because access to resources and systems in multi-cloud environments shifts constantly. Thus, cloud entitlements must be adjusted frequently and at-scale to align your environment with the principle of least-privilege, such as by eliminating unused identities, fine-tuning access policies and “rightsizing” permissions.

2 - Analyze risks

In addition to full visibility into your identity landscape, you must be able to analyze this identity data and discover policy violations and identity risks, such as inactive users and access credentials that have never been updated.

The analysis needs to be continuous and deep, correlating multiple elements of a human or service identity and surfacing risky scenarios that can allow attackers to escalate privileges, move laterally and swipe sensitive data.

For example, you must be able to detect dangerous combinations, such as:

  • Virtual machines with admin privileges that have critical vulnerabilities
  • Users with access to sensitive data whose accounts aren’t secured with MFA
  • A developer with access to secrets like API keys who starts behaving suspiciously

You should also be able to proactively query and drill down on your unified, multi-cloud identity data to proactively investigate threats, such as unusual data access and login setting changes.

With granular details and enriched context about identity risks from multiple sources, including your CSPs’ activity logs, you’ll be able to assess your identity exposure and prioritize remediation.

3 - Conduct continuous access-compliance monitoring

Keeping your multi-cloud environment in compliance with government regulations, industry mandates and internal policies is increasingly challenging – and identity management is central to your cloud compliance efforts.

That’s why it’s key to have unified access-control governance and compliance, with automated and consistent monitoring, auditing and enforcement of identity security policies — across your multi-cloud environment.

This way, you’ll be able to quickly and consistently detect and address compliance gaps and ensure you’re adhering to policies governing areas such as credential rotation and MFA use.

Plus, you should easily track compliance metrics from a central dashboard, as well as generate reports that document how its cloud identity management processes yield compliance with specific regulations and industry standards.

4 - Automate remediation

The remediation process must be automated so that it can scale and match the dynamic nature of cloud entitlements. For example, tools like guided wizards can walk you through the adjustment of a role’s access rights. Meanwhile, integrations between your CNAPP’s CIEM and your security information and event management (SIEM) and ticketing systems streamline remediation collaboration and reduce remediation time. In addition, you can increase IaC security by deploying snippets that enforce identity policies early in the development cycle.

5 - Deploy just-in-time (JIT) access

Another powerful capability is just-in-time (JIT) access management, which temporarily assigns privileges to identities, such as for the duration of a specific project. When the time-limited period ends, the access is automatically revoked or lowered. JIT is an antidote to the pervasive threat of static, long-lived excessive permissions. JIT also automates the process for users to request temporary entitlement elevations.

Learn how you can take action to boost your cloud security in just five minutes.

Nagraj Seshadri

Frequently Asked Questions about Vibe Coding

Tenable Blog
1 week 2 days ago

Vibe coding has attracted much attention in recent weeks with the release of many AI-driven tools. This blog answers some of the Frequently Asked Questions (FAQ) around vibe coding.

Background

Vibe coding is gaining popularity as large language models (LLMs) continue to mature and AI-driven development tools are becoming increasingly available. This blog answers Frequently Asked Questions (FAQ) regarding vibe coding.

FAQ

What is “Vibe Coding”?

The term ‘vibe coding’ was coined in a tweet from Andrej Karpathy. It describes a method of developing code with AI where the AI takes instruction, writes code and fixes errors, all with minimal review. This often includes blindly accepting whatever code the AI has written and whatever changes are suggested. Frequently it will also include usage of a speech-to-text application so the coder can talk directly to the AI.

There's a new kind of coding I call "vibe coding", where you fully give in to the vibes, embrace exponentials, and forget that the code even exists. It's possible because the LLMs (e.g. Cursor Composer w Sonnet) are getting too good. Also I just talk to Composer with SuperWhisper…

— Andrej Karpathy (@karpathy) February 2, 2025

There’s currently some debate around the definition of ‘vibe coding.’ As initially coined, it means using AI tools for code development and blindly accepting what the AI creates without vetting it. There is some semantic diffusion, though, and it’s becoming synonymous with AI assisted code development where you can use AI tools to assist your normal development process.

What are the benefits to vibe coding?

Vibe coding is incredibly powerful for churning out proofs of concept (PoCs), minimum viable products (MVPs) and other prototype projects. In a more organized approach, it’s great at helping make focused changes to existing codebases.

What are the risks of vibe coding?

Currently, vibe coding tends to be fairly myopic. The following are a few of the risks we’ve observed with vibe coding:

  • Refactoring. Refactoring code involves changing how code works in several spots throughout a codebase. Often, an AI coding tool will suggest a refactor, but miss several places in the codebase that needed to be changed.
  • Large codebase exceeds context windows. Usually the entire codebase will be larger than the LLM’s context window (the amount of text it can store in its ‘memory’), so the application must correctly identify the relevant code to read and understand.
  • Introduction of security flaws. Security flaws may exist in generated code.
  • Slopsquatting. Slopsquatting is a term used to describe attackers creating malicious packages matching the names of packages that are commonly hallucinated by LLMs when vibe coding.
  • Poorly written or difficult to maintain code. The application may write good code for a specific area of the project, but it may not fit well with the overall style or structure of the project.

How can I mitigate these risks?

Here are a few steps you can take to mitigate the risks of vibe coding:

  • Conduct a code review of anything vibe coded. Code review is paramount. Ensure that you have engineers that understand the vibe code that was written and can perform a comprehensive review. Never blindly accept the results of your vibe coding for production.
  • Lean on your Secure Software Development Life Cycle (SSDLC) and development, security, and operations tools. Don’t abandon your SSDLC or DevSecOps solutions. Continue to use tools like Snyk, Veracode and SonarQube when vibe coding.
  • Test, test, test. Continue to test vibe-coded software and scripts in lower environments and perform end-to-end integration and unit testing.

How do I get started?

Just feel the vibes and let the AI do the work. While we say that in jest, successful (and less risky) methods involve using multiple AI tools to draft a specification, refine it and then pass it on to the coding agent. Harper Reed’s blog explains this process as part of a very good workflow. Here's our summary of his guidance::

  1. Use an LLM to draft a detailed plan first. Give the LLM a prompt indicating you’d like it to ask you detailed questions about the project design and architecture until you have a useful specification.
  2. Ask for prompts. Ask the LLM to generate a series of prompts from that specification that you can pass to an AI coding tool.
  3. Walk through the prompts with an AI agent. Ask your AI coding agent to walk through the prompts. Accept the changes as-is if you like (or if you’re feeling lucky).
  4. Routinely test after each prompt. Test after every prompt and ask the AI coding tool to fix any errors or tweak any issues as they arise.
  5. Use version tracking solutions like git to take snapshots. Use git to take a snapshot after each testing cycle. The agent can alter your code drastically so it’s very useful to have a way to roll back changes.
  6. Now you have a new application!

What types of applications are available to help with vibe coding?

Several types of applications are available for vibe coding. There are Integrated Development Environments (IDEs) and IDE extensions, tools that integrate with a continued integration/continuous delivery (CI/CD) pipeline, and then there are the LLMs and LLM desktop applications themselves. Some examples of each:

IDEs & IDE extensions:

  • Cursor
  • Cline
  • GitHub Copilot
  • Bolt.new
  • Lovable
  • Codeium WindSurf
  • Replit

CI/CD Integrations

  • CodeRabbit AI
  • graphite dev

LLM Desktop Apps

  • Claude Desktop
  • Aider

So I can get rid of all of my junior engineers?

No! That’s a terrible idea. The tools listed above are great at augmenting and enhancing the development process, but they make mistakes and need trained eyes to ensure quality engineering. They are great at helping to write code, but right now, not great at engineering products. Plus, if there are no more junior engineers, there won’t be anyone to promote to senior engineers in a few years.

How do vibe coding apps work?

These apps work just like any other AI applications. They include a set of ‘system prompts’ instructing an LLM on how to act. The prompt then includes the text of the files open in an IDE and their content in a structured method that an LLM can understand. More information, such as closed files, directory structure, etc, might be included. This creates a large prompt that is sent to the selected LLM. For instance, one popular extension’s system prompt includes:

You are an AI programming assistant. When asked for your name, you must respond with "GitHub Copilot". Follow the user's requirements carefully & to the letter. Follow Microsoft content policies. Avoid content that violates copyrights. If you are asked to generate content that is harmful, hateful, racist, sexist, lewd, violent, or completely irrelevant to software engineering, only respond with "Sorry, I can't assist with that." Keep your answers short and impersonal. You can answer general programming questions and perform the following tasks: * Ask a question about the files in your current workspace * Explain how the code in your active editor works * Make changes to existing code * Review the selected code in your active editor * Generate unit tests for the selected code * Propose a fix for the problems in the selected code * Scaffold code for a new file or project in a workspace * Create a new Jupyter Notebook * Ask questions about VS Code * Generate query parameters for workspace search * Ask how to do something in the terminal * Explain what just happened in the terminal

The applications then have several “tools” available for the LLM to use to edit files and run commands. The same popular extension includes this, giving an insight into how it interacts with the user:

The active document is the source code the user is looking at right now. You have read access to the code in the active document, files the user has recently worked with and open tabs. You are able to retrieve, read and use this code to answer questions. You cannot retrieve code that is outside of the current project. You can only give one reply for each conversation turn.

What configuration options are available?

Many tools have customizable settings where you can indicate libraries or docs to look at. Some tools have favorite libraries and versions set in their system prompts. You can also ask to use specific libraries and languages.

Is Tenable looking into safety and security concerns around vibe coding?

Yes, Tenable Research is actively researching vibe coding methods, tools and results, and will be sharing more of our findings in future publications on the Tenable blog.

Ben Smith

How Exposure Management Can Ease the Pain of Security Tool Sprawl

Tenable Blog
1 week 3 days ago

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, the first of two parts, we explore how exposure management can help ease the pain of having too many siloed security tools. You can read the entire Exposure Management Academy series here

To address complex security challenges, cybersecurity teams are employing a wide variety of tools to keep their organizations safe. Large organizations use as many as 140 security tools to solve specific issues. As a result, it’s a huge challenge to coordinate and monitor all those tools so, stuck in their siloes, they’ve failed to live up to their promise. As a result, exposures linger and risks grow. 

When tools for vulnerability management, endpoint detection and response (EDR), cloud security and application security testing — and the teams responsible for using them — all operate in siloes, it's difficult for you to understand where your true exposures lie. Without the ability to gain a full picture of your organization's risk, whenever a senior executive asks questions about the organization’s risk posture, you probably launch a mad scramble across siloed sources of data on multiple spreadsheets, with no easy way to obtain an accurate assessment of risk. 

What if there were a way to ease this pain? What if all siloes streamed data into a centralized repository where you could analyze it all contextually and create unified workflows to streamline remediation? Better yet, what if you could use this contextualized data to get a complete view of the riskiest areas of your attack surface and quickly show your executives where the organization is most exposed? 

Sounds like a good idea, doesn’t it? But it’s more than just a concept now. The core of an effective exposure management program rests on the need to break down siloes and unify security data from multiple tools so you can quickly gain a cohesive and continuous view of your organization’s risk. 

Security professionals face three main challenges from tool sprawl. We outline them here and share how an exposure management program and platform can help.

Challenge 1: Overcoming operational inefficiencies

In an attempt to stay secure, organizations have bolted on numerous tools, with the average organization working with 60 to 80 and, as we noted earlier, some using as many as 140. Each tool operates independently, creating siloes that don’t communicate with each other. 

What does this look like in practice? Each of these tools requires security teams to follow a process that involves: 

  • Analyzing the data 
  • Prioritizing issues
  • Managing exposures based on risk
  • Taking action such as deploying compensating control, changing configuration and/or creating a remediation ticket
  • Creating reports to communicate updates or status

Multiply these steps by the number of tools in use and we’ll wager that “efficient” isn’t the first word that pops into your head. Making matters worse, blind spots crop up where you need visibility.

Talk to a CISO or anyone on a security team and you’ll hear a common refrain: 

  • “My data is spread across too many tools.” 
  • “I don’t have the context I need.” 
  • “It’s difficult to prioritize risks or even answer basic security questions.”

These complaints underscore how the life of security teams is complicated by all those tools they added in an attempt to improve security. Instead of achieving the peace of mind these tools promised, security teams are dealing with more headaches — the operational inefficiencies of constantly jumping from one silo to the next and using multiple tools with redundant workflows. 

Problem is, the bad guys don’t care about your security siloes. They search for your weakest links and move laterally across platforms and identities, looking to exploit issues without regard for those artificial barriers. 

One solution is to look for an exposure management platform that can ingest the various types of security data and knit together this patchwork of information and tools. An exposure management platform helps you correlate all your information and puts it in context so it’s easier to understand where your true exposures lie. 

Must have: A breadth of integrations

When you’re evaluating exposure management software, ask whether the platform can ingest data from your array of security tools, including vulnerability management, dynamic application security testing, cloud security posture management, and endpoint detection and response.

Challenge 2: Dealing with so many spreadsheets 

If you went into security to protect assets and fight the bad guys, we’d bet you didn’t count on being an Excel and PowerPoint jockey as well. But that’s the lot in life for most security professionals. 

You spend countless hours manually consolidating reports and coordinating your efforts across siloed security tools, which gets in the way of remediating your most critical exposures.

All of the data those tools produce is important for an effective exposure management program. Using spreadsheets to collect and analyze their findings is so “late 1900s.” So you need a platform that integrates and streams it directly into risk scoring engines, dashboards and workflows. An exposure management platform can help you do just that.

With the right integration, exposure management platforms will:

  • Give you a cohesive view into your entire attack surface: By ingesting datasets from a variety of security tools, including vulnerability data, cloud configuration baselines, identity graphs and behavioral indicators, an exposure management platform lets you continuously monitor and fix the places where your organization is most exposed. 
  • Relieve the “spreadsheet scramble”: By normalizing and correlating data into a unified view, an exposure management platform enables you to analyze the output from your many siloed tools in a centralized view, giving you insights you can’t get from spreadsheets. You’ll be able to analyze all your siloed security data across domains like endpoints, cloud, identity and applications all in one place.
  • Give you a more accurate picture of risk: This centralized view of your vast array of security tools means you’ll always be ready to answer questions like: “Where are we exposed?” and “Are we at risk?”
  • Enable you to prioritize your remediation efforts: An exposure management platform can analyze the data from across your siloed tools and provide automated prioritization recommendations. You’ll be able to zero in on the true exposures across your ecosystem.

Must have: Unify visibility 

Look for an exposure management tool that deduplicates and normalizes data, provides business and technical data in context, and enables consistent risk scoring that can help address your true exposures. 

Challenge 3: Maximizing the value of existing tools

Those security tools all have a reason for being. You had a problem, found a solution, installed the tool and were off to the races. But if you can’t monitor or track all those tools, how do you know if you’re getting any value at all?

And how do you spot overlapping capabilities and redundant processes? The short answer: You don’t. As Peter Drucker famously said, “You can’t manage what you don’t measure.” 

When security tools operate in isolation, disconnected from one another, they fail to deliver their true value. So how will you ever know their ROI? 

An exposure management platform centralizes all the security data coming from these tools. It deduplicates and normalizes all your security data, which helps streamline processes, cut costs and extract the most from your existing security investments. Plus, you’ll understand the technical and business context of those combined data sets and you’ll be able to create a consistent risk scoring approach that can identify and address your true exposures. 

Must have: Prioritize actual exposures

Find an exposure management platform that provides the context you need across all your security tools so you can prioritize actual exposures. With these connections in place, the team will be more effective and you’ll get your arms around the return on investment of all those tools.

Takeaways

Organizations that continue to operate with siloed visibility will struggle to keep up with building threats. The ability to unify data across multiple siloed security tools is no longer a nice-to-have; it is a requirement for understanding and addressing risk in an interconnected world.

The ability to analyze previously isolated data coming from multiple tools in a unified way enables security teams to make well-informed decisions, reduce attack paths and proactively defend against emerging threats. 

In next week’s Exposure Management Academy post, we’ll dig a bit deeper and look at ways exposure management can move you from disparate sources to a unified view of your exposures.

Have a question about exposure management you’d like us to tackle?

We’re all ears. Share your question and maybe we’ll feature it in a future post.

 MktoForms2.loadForm("//info.tenable.com", "934-XQB-568", 14070);
Nathan Dyer

Cybersecurity Snapshot: CISA’s Best Cyber Advice on Securing Cloud, OT, Apps and More

Tenable Blog
1 week 6 days ago

In this special edition of the Cybersecurity Snapshot, we’re highlighting some of the most valuable guidance offered by the U.S. Cybersecurity and Infrastructure Security Agency in the past 12 months. Check out best practices, recommendations and insights on protecting your cloud environments, OT systems, software development processes and more.

In case you missed it, here’s CISA’s advice on six cybersecurity areas.

1 - How to choose cyber secure OT products

If your organization is shopping around for operational technology (OT) products, CISA published a guide in January 2025 aimed at helping OT operators choose OT products designed with strong cybersecurity features.

Titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” the publication highlights 12 cybersecurity elements that OT products should have, including:

  • Support for controlling and tracking modifications to configuration settings
  • Logging of all actions using open-standard logging formats
  • Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
  • Strong authentication methods, such as role-based access control and phishing-resistant multi-factor authentication, to prevent unauthorized access
  • Protection of the integrity and confidentiality of data at rest and in transit

 

 

According to CISA, many OT products aren’t designed and developed securely, so they ship with issues such as weak authentication, known vulnerabilities and insecure default settings. 

In fact, the agency says it’s common for hackers to specifically target OT products they know are insecure, instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products that are built securely.

“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.

Back in September 2024, CISA sounded the alarm on critical infrastructure organizations’ susceptibility to common, well-known attack methods in its “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report.

The report’s findings are based on risk and vulnerability assessments (RVAs) of the security of 143 critical infrastructure organizations that CISA and the U.S. Coast Guard conducted in 2023.

Specifically, CISA and USCG assessors had the most success gaining initial access, attaining network permanence, evading defenses and moving laterally by using valid accounts, phishing schemes and default credentials — all simple attack methods.

For example, the use of valid accounts, which are legitimate accounts whose login credentials have been compromised, was the most successful attack technique for achieving:

  • Initial access (41.3%)
  • Persistence (42.2%)
  • Privilege escalation (44.7%)

Valid-account use also ranked as the second most successful attack technique for evading defenses.
 

(Source: “CISA Analysis: Fiscal Year 2023 Risk and Vulnerability Assessments” report, September 2024)

The report offers troves of recommendations to critical infrastructure organizations, including:

  • Adopt a secure password policy that requires phishing-resistant multi-factor authentication for remote access; strong passwords; unique credentials, and more.
  • Maintain a comprehensive asset inventory, and keep software updated and patched.
  • Segment networks and block outbound connections from internet-facing servers to prevent lateral movement and privilege escalation.

For more information about protecting critical infrastructure environments and about operational technology (OT) security, check out these Tenable resources:

2 - What SBOMs are and how to implement them

Looking to learn more about software bills of materials (SBOMs), which in theory help boost your software supply chain security by listing all ingredients in a software product, such as an application?

In October 2024, CISA updated the document “Framing Software Component Transparency,” which offers foundational guidance about SBOMs, such as what they are and how to implement them. 

SBOMs’ purpose is to provide granular visibility into all software components in your environment. Thus, an SBOM should help you locate all instances of a component with a newly disclosed flaw, such as a critical vulnerability — as happened with the Log4j utility.

However, the software industry is still working through complex SBOM-related challenges in areas including standards, data comprehensiveness and interoperability.

Framing Software Component Transparency” zeroes in on the challenge of “universally identifying and defining certain aspects of software components.”

Specifically, the CISA guidance states the need to:

  • Establish a minimum set of baseline attributes for identifying components “with sufficient relative uniqueness.”
  • Identify optional attributes beyond the baseline ones.
  • Correlate SBOMs with third-party sources for analysis purposes.
     


A few months later, CISA tackled a related topic: secure software development.

The best practices are organized into two categories — software development process goals and product design goals — and include:

  • Software development process goals:
    • Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
    • Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
    • Enforce multi-factor authentication across all software development environments.
    • Securely store and transmit credentials.
  • Product design goals
    • Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
    • Provide timely security patches to customers.
    • Don’t use default password in your products.
    • Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.

The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” CISA said in a statement.

For more information about SBOMs:

For more information about secure software development:

3 - Key takeaways from red team exercises

In July 2024, CISA published a must-read report explaining how its red team probed a large federal agency’s network, quickly found a way in and stayed undetected for months.

The 29-page report details the so-called SilentShield assessment from CISA’s red team, explains what the agency’s security team should have done differently and offers concrete recommendations and best practices you might find worth reviewing.

Mimicking the modus operandi of a typical nation-state attacker, CISA’s red team exploited a known vulnerability on an unpatched web server, gaining access to the agency’s Solaris environment. Separately, the red team also breached the network’s Windows environment via a phishing attack. 


Once inside, the red team exploited other weaknesses, such as unsecured admin credentials, to extend the scope of the breach, which went undetected for five months. At that point, CISA alerted the agency about the SilentShield operation.

CISA has authorization to conduct SilentShield assessments, whose purpose is to work with the impacted agency and help its security team strengthen its cyberdefenses.

Here’s a brief sampling of the assessed agency’s security weaknesses:

  • Lack of sufficient prevention and detection controls, including an inadequate firewall between its perimeter and internal networks; and insufficient network segmentation
  • Failure to effectively collect, retain and analyze logs, which hampered defensive analysts’ ability to gather necessary information
  • Bureaucratic processes and siloed teams
  • Reliance on flagging “known” indicators of compromise (IOCs) instead of using behavior-based detection
  • Lack of familiarity with the identity and access management system (IAM), which wasn’t tested against credential-manipulation techniques nor were its anomalous-behavior alerts monitored

Recommendations include:

  • Deploy internal and external firewalls
  • Implement strong network segmentation
  • Enroll all accounts in the IAM system, and make sure it’s not vulnerable to credential manipulation
  • Centralize logging and use tool-agnostic detection

To get more details, read the report, titled “CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth.”

For more information about the threat from nation-state cyber attackers:

4 - How to implement secure practices for cloud services

In a move to boost the U.S. government’s cloud security, CISA released in December 2024 a set of required cybersecurity actions for federal civilian agencies — mostly focused on applying secure configuration baselines to their cloud apps.

The mandate to secure cloud environments comes via the Binding Operational Directive (BOD) 25-01 — titled “Implementing Secure Practices for Cloud Services.” 

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access,” CISA said in a statement.

The guidance, while applicable only to U.S. federal civilian agencies, can be helpful to all organizations in the public and private sectors. Its foundation is CISA’s Secure Cloud Business Applications (SCuBA) project, which offers recommendations for hardening the configuration of cloud services.
 

 

“The scope of the BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365,” Tenable Staff Research Engineer Mark Beblow explained in a recent blog about this directive.

“CISA may release additional SCuBA Secure Configuration Baselines for other cloud products which would fall under the scope of this directive,” he added.

Earlier in 2024, CISA joined the National Security Agency to publish five information sheets detailing cloud security best practices and mitigations in areas including cloud IAM; keys management; network segmentation and encryption; and data protection.

Here are the links to the documents:

To get more details and analysis on these cloud security best practices and mitigations, read the blog “CISA and NSA Cloud Security Best Practices: Deep Dive” from Tenable Senior Research Engineer Zan Liffick.

To learn more about cloud security, check out these Tenable resources:

5 - How to design software more securely

CISA has been pushing its “Secure by Design” program, which encourages software manufacturers to build cybersecurity into the design of their products, which the agency firmly believes would dramatically lower cyber risk.

Examples of this effort are CISA’s calls to stamp out well-known software flaws that nonetheless remain prevalent in applications and other software products, such as traversal vulnerabilities, OS command injection vulnerabilities and cross-site scripting vulnerabilities.
 


Also part of the program is the Secure by Design pledge, an initiative CISA launched in May 2024 to encourage software manufacturers to voluntarily commit to secure software development practices, such as using multi-factor authentication and being more transparent in vulnerability reporting.

Tenable was one of the 68 original signatories of the pledge. “This initiative is a commitment to enhance the security posture of our products and, by extension, the broader digital ecosystem,” Tenable CSO and Head of Research Bob Huber wrote in a blog.

As part of the Secure by Design initiative, CISA also reached out to technology buyers, encouraging them to seek software products designed and built securely. To help technology buyers make this assessment, CISA, joined by cyber agencies from the Five Eyes countries — Australia, Canada, New Zealand, U.S. and U.K. — published the guide “Secure-by-Design: Choosing Secure and Verifiable Technologies.

The 40-page document seeks “to assist procuring organizations to make informed, risk-based decisions” about digital products and services, and is aimed at executives, cybersecurity teams, product developers, risk advisers, procurement specialists and others.

“It is important that customers increasingly demand manufacturers embrace and provide products and services that are secure-by-design and secure-by-default,” reads the guide.
 

 

The authoring agencies define the secure-by-design principles that software manufacturers should follow when building digital products and services. Here’s a sampling:

  • Adopt a proactive, security-focused approach
  • Align cybersecurity goals across all levels of the organization 
  • Mitigate threats through software design, development, architecture and security measures
  • Design, build and deliver software with fewer vulnerabilities

The guide is divided into two main sections: External procurement considerations, which is by far the longest; and internal procurement considerations. Topics covered include:

  • Supply chain risk management
  • Open source software usage
  • Data sharing
  • Development process
  • Maintenance and support
  • Contracts, licensing and service level agreements

For more information about the secure-by-design concept:

6 - The importance of adopting a common security posture for your organization

Is your company considering implementing a consistent and uniform set of foundational cybersecurity practices for all teams and departments throughout the organization? If so, you might want to check out how CISA plans to lead such an effort across 100-plus federal agencies.

CISA will be in charge of the project, which it detailed in the document “Federal Civilian Executive Branch (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan,” announced in September 2024.

The goal: To standardize the cybersecurity operations of civilian agencies in the executive branch, known by the acronym FCEB, to ensure they can all properly manage cyber risk in today’s complex and fast-evolving threat landscape.


Currently, these agencies architect their IT and cybersecurity operations independently, and consequently their ability to manage cyber risk varies. “There is no cohesive or consistent baseline security posture across all FCEB agencies” and as a result “the FCEB remains vulnerable,” CISA says in the FOCAL plan’s document.

The FOCAL plan focuses on five core areas:

  • Asset management
  • Vulnerability management
  • Defensible architecture
  • Cyber supply-chain risk management
  • Incident detection and response

“The FOCAL Plan was developed for FCEB agencies, but public and private sector organizations should find it useful as a roadmap to establish their own plan to bolster coordination of their enterprise security capabilities,” CISA said in a statement.

To get more details, check out the Tenable blog “CISA Releases FOCAL Plan to Help Federal Agencies Reduce Cyber Risk” from Tenable Director of Security Engineering Garrett Cook.

Juan Perez

MCP Prompt Injection: Not Just For Evil

Tenable Blog
2 weeks 1 day ago

MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.

Background

Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.

Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.

Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.

Experiments with MCP

For my research, I used the 5ire client because it makes it incredibly simple to switch out and restart MCP servers and switch between LLMs. In 5ire, I can easily configure our MCP servers (for this test case, I’ve already configured the reference MCP weather server):

Tenable Research using the 5ire client, April 2025

Anatomy of an MCP server

Let’s talk about how an MCP server is written and configured. First, we define a simple MCP server in Python with FastMCP. The FastMCP library makes it fairly simple to get up and running with MCP.

I can use this framework to develop several different servers and tools for my experiments. Now that I’ve got the framework, I’ll create a tool.

Now that I know how to create a simple tool in Python, let’s see what else I can do.

Logging tool use

Multiple MCP servers can be configured in an MCP host and each server can have multiple tools. As I was exploring this new technology, I wondered if there was a way to log all tool calls across configured MCP servers. This is doable at the MCP host level or via each MCP server, but I asked myself: why not find another way? I wanted to log all MCP tool calls that the host makes, so I decided to see if I could create a tool that would insert itself before any other tool calls and log information about those tool calls.

Let’s break down the above MCP tool:

  1. I start out with a decorator from FastMCP (1) to indicate this is an MCP tool.
  2. Then I define the function (2) with all of the parameters I want. The function name and parameters are exposed to the LLM and the LLM is intelligent enough to infer how to populate them.
  3. Next is the description (3). This is the meat of the tool, instructing the LLM to insert this tool before any other tool call. You can read through the parameters and what I’m trying to accomplish. It may seem a little repetitive, but this is the current iteration that seems to work well across different models.
  4. Then, I write it to a file (4). I could use Python’s ‘logger’ here, but I had issues getting that working with the MCP clients we used. In most of our testing, it wasn’t easy to get anything written to stdout, so we chose logging to a file instead.
  5. Finally, we return a nice message thanking the AI and passing the name of the actual tool to run (5).

In testing, some models had no problem inserting the tool before any other tool call. Some did it sporadically, while others did not unless we asked about it.

Source: Tenable Research, April 2025

As the image above shows, the LLM runs the logging tool just before it runs the weather tool I requested. The logging tool then logs information about the tool it was asked to run, including the MCP server name, MCP tool name and description, and the user prompt that caused the LLM to try to run that tool. In this case, it actually logs twice, but I wasn’t able to investigate why.

Tool filtering / firewall

Using the same method, I can block unapproved tools from running.

Here I’m using the same technique to run prior to other tools calls. In this case I’m simply looking for the tool name to match a string `get_alerts`. If it matches, I tell the LLM not to run the tool. Sometimes it respects this!

Source: Tenable Research, April 2025

MCP introspection

This method of using the tool description block to ask the LLM to run this tool before other tools could clearly be abused. Can I use a similar technique to find out about other tools in use that ask for a similar hierarchy? I give it a try:

Note that I’m logging to the same log file so that it’s easier to see what’s happening. In a real world scenario, these tools would likely log to separate files.

Source: Tenable Research, April 2025

Here we can see that log_other_inline_tools runs after the logging tool in this case. The tool then logs the other “inline” tool that the LLM is aware of. It then lists the other available tools.

Can this technique be used to extract the LLM system prompt?

Maybe. Here’s what I tried:

You can see in the return value that I tried to trick the model further by giving it a score at the end, so maybe it’ll think I’m really doing some sort of analysis.

Source: Tenable Research, April 2025

Source: Tenable Research, April 2025

Source: Tenable Research, April 2025

Source: Tenable Research, April 2025

Source: Tenable Research, April 2025

It seems like the LLM models vary between something realistic and complete hallucination. Remember that the models try to figure out how to fill out the tool’s parameters. So, if they don’t have a good idea of what goes where, they may just make it up. Based on my testing, it looks like Claude Sonnet 3.7 displays a piece of the prompt it has around running tools. Google Gemini 2.5 Pro Experimental seems to do the same. OpenAI’s GPT-4o puts variations in the log each time, so it seems like it’s just made up. It should also be noted that directly asking for the system prompt is successful for some models while unsuccessful for others. Regardless, some prompt text is still sent to the logging tool. While I can’t say for certain if I’m seeing actual developer instructions or hallucinated text, these tests may be useful to facilitate other research.

Conclusion

Tools should require explicit approval before running in most MCP Host applications. In fact, this is required by the MCP specification. Still, there are many ways in which tools can be used to do things that may not be strictly understood by the specification. Here I’ve demonstrated a few interesting techniques that could be used to develop security tooling, perform research or to help identify other malicious tools. These methods rely on LLM prompting via the description and return values of the MCP tools themselves. Since LLMs are non-deterministic, so, too, are the results. Lots of things could affect the results here: the model in use, temperature and safety settings, specific language, etc. Additionally, the descriptions used to instruct the LLM to do different things with the tools may need to be different depending on the model used. I’ve had varying results with different models, though I haven’t tested every case on every model.

Some of these techniques could be used to advance both positive and negative goals. We believe that some can be used to further LLM and MCP research.

The code from this blog can be found on github.

References

While working on this blog, I saw some great work by Trail of Bits dubbing one of the techniques used here “jumping the line.” I offer one possible detection method in the MCP Introspection section of this post. In that section, I show the use of an MCP tool to identify other MCP tools requesting to run first.

Ben Smith

The Future of Cloud Access Management: How Tenable Cloud Security Redefines Just-in-Time Access

Tenable Blog
2 weeks 1 day ago

Traditional approaches to cloud access rely on static, permanent permissions that are often overprivileged. Learn how just-in-time access completely changes the game.

The access challenge in modern cloud environments

As cloud adoption accelerates, organizations are grappling with a fundamental security challenge: How do you grant people the access they need — such as on-call developers needing to debug problems, site reliability engineers (SREs) needing to repair issues with infrastructure, or DevOps engineers needing to provision or architect resources — without opening the door to overprivileged accounts and breach risks?

Traditional approaches rely heavily on static, permanent permissions. Human users often receive more access than necessary simply because it’s hard to predict specifically which permissions they’ll need. These permissions rarely get revoked, leaving organizations exposed.

This is where Tenable Cloud Security changes the game. As a powerful cloud-native application protection platform (CNAPP) solution, Tenable Cloud Security doesn't just identify access-related risk — it actively helps you solve it.

In this blog, we explore how you can address the excessive permissions challenge using the just-in-time (JIT) access capability in Tenable Cloud Security.

Just-in-time access: The elegant solution to human identity risk

JIT access enables organizations to dramatically reduce their exposure from compromised identities by providing a substitute for permanent access. Instead of being granted standing access, which may be exploited if and when an identity is compromised, users are provided with the eligibility to request temporary access based on a defined business need.

Here’s how it works:

  1. All (or at the very least sensitive) standing access is removed.
  2. Users are assigned eligibility profiles for specific resources or roles.
  3. Users request access and are optionally required to provide a reason when access is needed.
  4. If required, the request can be approved by an assigned approver or simply be automatically granted, which still has a huge security benefit compared to a standing permission.
    • For highly sensitive cases where more than one person needs to confirm access, several approval levels can be enforced if necessary.
  5. Access is granted for a limited time (measured in hours), then automatically revoked.

JIT access dramatically reduces the attack surface tied to human identities, ensuring that elevated privileges are used only when necessary and only for as long as needed.

Fig. 1: Creating an eligibility to request just-in-time access to a cloud environment instead of standing permissions User experience: Where security meets usability

Tenable understands that even the best security solution won't succeed without adoption and cooperation from its target audience. That’s why JIT access in Tenable Cloud Security is designed with a seamless user experience in mind.

Access requests and approvals can be managed directly within messaging platforms, such as Slack or Microsoft Teams, which meet your teams where they are. Users and approvers stay in their native workflows while benefiting from a secure, auditable process.

Fig. 2: Filling out the access request form directly from Slack

Fig. 3, below, shows how the request, approval and access link are all grouped together on the same thread for a simplified, clean and simple experience.

Fig. 3: The request generated, approval granted and connection link to the cloud environment all in one thread in Slack

And speaking of audits, Tenable Cloud Security doesn’t just log access. It provides a clean, intuitive activity log interface for every session. Unlike the often fragmented logs from cloud providers, these are tailored for easy auditing, compliance review or incident response. So, if you want to apply more scrutiny and review what happened during sessions, or if you are compelled to do so in the event of an incident, it’s extremely easy to open up the session log and review it.

Fig. 4: The intuitive activity log for events generated in the cloud environment during the JIT access session; easy to review and filter to perform scrutiny / investigate incidents Expanding the reach: JIT access in Tenable Cloud Security now extends to SaaS applications

Based on customer feedback, Tenable extended JIT functionality to cover identity provider (IdP) group memberships. This is a big deal.

In many organizations, access to software as a service (SaaS) applications (such as secrets managers, observability tools, ticketing platforms, etc.) is governed through group memberships in identity providers like Okta or Microsoft Entra ID. With Tenable Cloud Security, you can now provide temporary group membership through the same JIT access model — effectively controlling and auditing access to SaaS apps with the same granularity and automation as cloud resources.

This means Tenable Cloud Security customers now have unified control over cloud infrastructure and SaaS access through a single solution.

Simplified procurement: JIT access is now included with Tenable Cloud Security

Perhaps the most exciting news: JIT access no longer requires a separate purchase. As of today, it’s included with Tenable Cloud Security.

Billing is simple. Just as Tenable Cloud Security charges based on the number of cloud resources, JIT access treats each eligible user as a billable resource. If you're a Tenable Cloud Security customer, you already have access to the full power of JIT — no separate contract, no additional platform. For example, if you have a team of five developers eligible to request elevated permissions, these would count as an additional five billable resources, no matter how many eligibilities they have.

Why JIT access makes Tenable Cloud Security the CNAPP of choice

Tenable Cloud Security doesn’t just identify problems. It solves them:

  • It prioritizes identity risks with real-world context.
  • It provides granular, real-time controls for both service and human identities.
  • It offers native integration with your daily collaboration tools.
  • It simplifies auditability and incident response.
  • It extends protection beyond the cloud to the SaaS layer.
  • It streamlines adoption with an intuitive UX and frictionless billing model.
Conclusion: Access management, reimagined

The best security tools blend into your workflow and quietly eliminate risk before it becomes a problem.

Tenable Cloud Security's JIT access capability is more than a feature — it's a philosophy shift. It reduces identity-based risk without sacrificing agility. It simplifies compliance without adding overhead. And it empowers teams to move fast, stay secure and maintain clarity over who has access to what, when and why.

If you're already a Tenable Cloud Security customer, there’s never been a better time to start using JIT access. And if you're evaluating CNAPPs, ask yourself: do they help you fix the problem, or just show you where it is?

With Tenable Cloud Security, the answer is clear.

Visit https://www.tenable.com/announcements/provide-access-just-in-time to learn more about how JIT access capabilities in Tenable Cloud Security can help you reduce your exposures.

Lior Zatlavi

Exposure Management Works When the CIO and CSO Are in Sync

Tenable Blog
2 weeks 3 days ago

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable CIO Patricia Grant looks at how the CIO/CSO relationship is key to a successful exposure management program. You can read the entire Exposure Management Academy series here

When I first joined Tenable, one of the first things I did was sit down with our CSO, Robert Huber, to align on how we were going to work together. 

In 2024, I was even featured in a WSJ article titled CIOs and CISOs Are ‘Better Together because that’s what it comes down to. We can’t operate in silos. If you’re serious about securing your organization, your IT and security teams have to be tightly linked philosophically and operationally. Exposure management is a great example of where that partnership plays out every day.

Risk is shared — and so is the responsibility 

Let me start with a simple truth: securing the enterprise is a shared responsibility between IT and security. While the CSO defines the strategy and risk posture, IT plays a critical role in execution — from patching systems and deploying controls to maintaining uptime and interpreting security signals.

That’s why tight alignment between our teams isn’t optional — it’s essential. We have regular interlocks to ensure we’re making decisions with the same context and urgency. Annual planning isn’t enough anymore. The threat landscape shifts by the quarter — sometimes by the month — so our collaboration has to be constant, responsive and agile.

Ultimately, you can’t do exposure management the right way without a strong relationship between the CIO and the CSO. We’re both accountable and responsible for protecting our employees, customers, partners and the company. And we both bring something essential to the table. 

A single pane of glass beats swivel-chair security

Exposure management is a great tool to keep us on track. 

It gives us a unified view across all our assets, including cloud, on-prem and hybrid. I’m not a fan of “swivel-chair security.” I don’t want my team jumping between tools trying to figure out what to fix first. Exposure management moves us toward a single pane of glass. 

We can see what matters, what’s critical, what needs to be patched now and what can wait. 

That kind of visibility is essential when your infrastructure spans everything from data centers and headquarters to home offices and digital nomads working from just about anywhere.

Endpoints are the new front line

Unlike data centers or cloud infrastructure, endpoints move with your workforce — and that makes them harder to secure. At Tenable, we’ve taken a firm stance: when a zero-day emerges, patch your device within 24 hours or it’ll be automatically locked.

But security doesn’t stop at the office door. No matter where employees are, they’re part of the defense. That’s why we focus on education — not to slow people down, but to empower them to keep the business safe.

Exposure management uncovers what you don’t know

We’ve also learned that managing systems is only part of the battle. You’ve got to worry about identities, access and misconfigurations. 

And it’s not just about what you know. Exposure management helps you uncover what you don’t know. Things like systems you forgot were running or ports you didn’t realize were open are now visible.

The “Oh, no, I didn’t know that port was live” moment happens more often than you’d think. Exposure management finds and closes that down. 

Prioritizing the right problems is a strategic advantage

Risk prioritization is always a looming challenge. The goal isn’t to fix everything. It’s to fix what matters most. Chasing thousands of vulnerabilities without context wastes time and energy. Exposure management helps us shift the conversation from volume to impact.

That’s what exposure management solves. Instead of bragging that “we closed 3,000 vulnerabilities,” we can say, “we addressed the 50 that posed real risk.” 

That’s a fundamental mindset shift for IT teams. And, yes, it comes down to change management.

Change management isn’t optional anymore

Change management is underrated, especially in cybersecurity. I’ve always said going live on day one with technology is easy. It’s day two and beyond that’s hard. And in this hybrid, distracted world, traditional methods just don’t cut it. 

People aren’t reading emails. And they’re half-listening in meetings. So we need new approaches. We go for quick hits, with clear messaging, along with different formats to cater to different learning styles. Cybersecurity is everyone’s job, and reaching everyone means rethinking how we communicate.

Speaking the board’s language means translating risk

We need to elevate the conversation. I regularly participate in board-level discussions about cybersecurity, and the key is translating cyber risk into business language. It’s not just about technical debt or patch status anymore. It’s about quantifying risk the same way the CFO quantifies financial exposure. 

Boards don’t want tech jargon. They want to know: Are we covered? Where are we vulnerable? What’s the worst-case scenario? An exposure management solution helps translate technical complexity into strategic insight.

Helping our customers protect what they can’t see

At Tenable, we take that same philosophy to our customers. Exposure management isn’t just about visibility. It’s about enabling action. I see our job as helping customers answer those questions. Threat exposure management gives our customers clarity into what they need to know. 

That means knowing the threats that matter, the systems that are exposed and the actions that will make a difference. You can’t protect what you are not aware of as a risk. And in a world where the attack surface is constantly expanding and evolving — whether it’s AI, autonomous vehicles or just more remote workers — you need to see everything. You need a single pane of glass.

Takeaways

Ultimately, you can’t do exposure management the right way without a strong relationship between the CIO and the CSO. We’re both accountable and responsible for protecting our employees, customers, partners and the company. And we both bring something essential to the table. 

So, my advice to fellow CIOs: Stay close to your CSO. Build trust. Share responsibility. 

And make sure your teams are operating from the same playbook. Because in cybersecurity, the stakes are too high to go it alone.

Have a question about exposure management you’d like us to tackle?

We’re all ears. Share your question and maybe we’ll feature it in a future post.

 MktoForms2.loadForm("//info.tenable.com", "934-XQB-568", 14070);
Patricia Grant

Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help

Tenable Blog
2 weeks 5 days ago

Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here’s how Tenable’s Vulnerability Watch classification system can help.

Background

Over the past six years working in Tenable’s research organization, I’ve watched known vulnerabilities and zero-day flaws plague organizations in the immediate aftermath of disclosure or even years afterwards. Following each blog post or threat report we’ve published, I kept coming back to the same question: Why are so many organizations struggling to remediate vulnerabilities in a timely manner?

As someone who followed the evolution of COVID-19 variants throughout the beginning of the pandemic, I saw that the World Health Organization (WHO) began to label new variants under a classification system as the virus began to mutate. This classification system was designed to help prioritization efforts for monitoring and research. It included accessible labels like variants of interest and variants of concern to help communicate urgency and focus global attention.

I began to wonder: What if we borrowed from the same type of classification system used by the WHO and applied it to vulnerability intelligence? Numeric-based systems like the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) provide mechanisms for prioritization based on scoring. However, they don’t always provide enough context to help decision makers. So, what if we used simple, clear and status-based terminology to communicate risks surrounding vulnerabilities in order to guide action?

This led us to develop Vulnerability Watch, a classification system for vulnerabilities inspired by the WHO’s classification of COVID-19 variants. Vulnerability Watch is a small, but important part of Tenable’s Vulnerability Intelligence offering that was launched in 2024. Now, in addition to being available in product, Vulnerability Watch classifications can be found on the Tenable CVE page, as well as within individual CVE pages for select vulnerabilities that have been classified under the Vulnerability Watch.

In this blog, we discuss some of the challenges organizations face when it comes to vulnerability prioritization and remediation and how a classification system like Vulnerability Watch can help.

If everything is important, nothing is important

CVSS is the most widely used metric when assigning a severity score for Common Vulnerabilities and Exposures (CVEs). CVSS scores are assigned by a vendor and or an authority like the National Institute of Standards and Technology (NIST). Each CVE score is based on various metrics from exploitability to impact, with a corresponding severity level tied to these scores. Severity levels include low, medium, high and critical.

When looking at repositories, such as the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, we can make observations about severity and vulnerability risk. In 2024, CISA added a total of 186 CVEs to the KEV.

Source: Tenable Research

Four in ten (40%) of these 186 CVEs were rated as critical. The remaining 60% was made up of high severity vulnerabilities (46.2%) and medium vulnerabilities(13.4%). This underscores that severity alone is not enough when it comes to making decisions around vulnerability prioritization.

Remediation rates underscore a need for more clarity

While the KEV serves as a valuable resource for security practitioners, we still see many organizations not patching these critical flaws in a timely manner. Despite the severity and inclusion on the KEV, our research has found an overall trend of poor remediation rates.

This trend was highlighted as part of a collaboration with Verizon on the 2025 Data Breach Investigations Report (DBIR). Tenable Research analyzed over 160 million data points and evaluated the remediation rates for a list of 17 CVEs in edge devices highlighted in the DBIR. Of the 17 CVEs, over half (52.9%) were non-critical flaws (less than 9.0 CVSS scores).

We also analyzed average remediation rates for these CVEs across various industry sectors. Through this analysis, we found many industries faced challenges with remediating many of these flaws. For instance, CVE-2024-21762 and CVE-2024-23113, a pair of critical Fortinet flaws, had very long remediation rates, averaging between 172 days and 260 days. Even CVE-2024-3400, a critical vulnerability in Palo Alto Networks PAN-OS assigned the maximum CVSS score of 10.0, also saw most industries average over 100 days to remediate the flaw.

There are a variety of reasons why organizations may struggle with remediation — including organizational siloes, operational downtime required to patch systems, and difficulty determining how to prioritize vulnerabilities based on the risk they represent. While existing scoring systems provide invaluable guidance, we believe additional context is needed in order to improve remediation times.

A semantic layer for vulnerability intelligence

Our Vulnerability Watch classifications are not a replacement for CVSS, EPSS or any other scoring metric. Those still serve a distinct purpose in vulnerability prioritization. We also recognize that cybersecurity teams are often inundated by a deluge of alerts and it can be difficult at times to separate the signal from the noise. These vulnerability watch classifications offer a semantic layer to help translate risk into terminology that is easier to understand for various stakeholders in remediation efforts.

Tenable’s Vulnerability Watch classifications

Vulnerability Watch includes the following classifications: vulnerability being monitored, vulnerability of interest and vulnerability of concern. The following are short descriptions of each classification.

Vulnerability Being Monitored

A vulnerability being monitored (VBM) is a vulnerability that has the potential to impact customers of a particular software or hardware and is being actively tracked and researched by Tenable Research. VBMs may quickly evolve into Vulnerabilities of Interest (VOIs) or Vulnerabilities of Concern (VOCs) if a proof-of-concept (PoC) or exploitation is discovered, or if additional intelligence indicates that special attention should be given to this vulnerability. VBMs are actively monitored and elevated to VOI/VOC status should Tenable’s Vulnerability Intelligence justify an escalation of vulnerability status.

A few recent examples of VBMs include CVE-2024-48887, an unverified password change vulnerability in FortiSwitch, and CVE-2025-23120, a remote code execution flaw in Veeam Backup and Replication.

Vulnerability of Interest

A vulnerability of interest (VOI) is a vulnerability that meets the criteria of a VBM, but for which additional intelligence indicates that risk of impacts to customers is elevated or demonstrated through the publication of a PoC or details that could be used to craft a PoC along with initial reports of exploitation.

A few recent examples of VOIs include CVE-2025-22457, which was exploited by a China-Nexus threat actor known as UNC5221, and CVE-2025-32433, a remote code execution flaw in Erlang/OTP SSH.

Vulnerability of Concern

A Vulnerability of Concern (VOC) is a vulnerability that meets the criteria of a VOI, but for which active, widespread exploitation is imminent or ongoing. For VOCs, the ease of exploitation combined with severity of the issue may lead us to believe that widespread exploitation is imminent, if it has not already begun. Maintainers of software or devices vulnerable to VOCs can expect to see exploitation attempts and probing for vulnerable assets.

A few recent examples of VOCs include a pair of ConnectWise Screen Connect vulnerabilities (CVE-2024-1709, CVE-2024-1708) and Citrix Bleed (CVE-2023-4966).

The classifications are also flexible: a CVE can be reclassified from VBM to VOI, from VOI to VOC, or even from VOC back to VOI as risk context evolves.

Conclusion

We know there’s no single panacea for the challenges of vulnerability prioritization and remediation. These challenges require a multi-pronged approach. Backed by Tenable Research experts, our Vulnerability Watch classifications can help demystify some of the complexities introduced by CVSS and EPSS and provide stakeholders a simpler, more intuitive way to assess and prioritize risks posed by emerging threats that can contribute to faster responses and remediation.

Our Vulnerability Watch classifications can now be found on our CVE page.

Get more information

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Satnam Narang

CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild

Tenable Blog
2 weeks 6 days ago

SAP has released out-of-band patch to address CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver that has been exploited by threat actors. Organizations are strongly encouraged to apply patches as soon as possible.

Background

On April 22, ReliaQuest published details of their investigation of exploit activity in SAP NetWeaver servers. Initially it was unclear if their discovery was a new vulnerability or the abuse of CVE-2017-9844, a vulnerability that could lead to a denial-of-service (DoS) condition or arbitrary code execution. ReliaQuest reported their findings to SAP and on April 24, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability with the highest severity CVSS score of 10.0.

CVEDescriptionCVSSv3VPRCVE-2025-31324SAP NetWeaver Unauthenticated File Upload Vulnerability10.08.1

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 25 and reflects VPR at that time.

Analysis

CVE-2025-31324 is an unauthenticated file upload vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files which can be used by an attacker to achieve code execution. The flaw is the result of missing authorization checks to the “/developmentserver/metadatauploader” endpoint. According to ReliaQuest, this vulnerability has been exploited in the wild as a zero-day by threat actors who have abused the flaw to upload malicious web shells to affected hosts. These webshells were used to deploy malware and establish communications with command and control (C2) servers.

Proof of concept

At the time this blog was published, no proof-of-concept (PoC) code had been published for CVE-2025-31324. If a public PoC exploit becomes available, we anticipate a variety of attackers will attempt to leverage this flaw in their attacks as SAP products are widely used by a variety of organizations, including government agencies.

Solution

SAP has released patches for affected versions of SAP NetWeaver. At this time, the SAP security note #3594142 is not publicly accessible, so we are unable to provide a list of affected and patched versions. It is important to note that these patches were released after SAP’s April 2025 Security Patch Day published on April 8. So even if those patches were applied, you will still need to apply the out-of-band patches released for CVE-2025-31324.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-31324 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running SAP NetWeaver by using the following filters:

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza

Cybersecurity Snapshot: Verizon DBIR Finds Attackers Feast on Vulnerability Exploits for Initial Access, While MITRE ATT&CK Adds Mobile, Cloud, ESXi Threat Intel

Tenable Blog
2 weeks 6 days ago

Check out highlights from this year’s Verizon DBIR, including a surge in zero-day exploits targeting edge devices and VPNs. Plus, find out what’s new in the latest version of MITRE ATT&CK. Also, see what Tenable webinar attendees said about AI security. And get the latest on ransomware preparedness for OT systems and on the FBI’s 2024 cyber crime report.

Dive into five things that are top of mind for the week ending April 25.

1 - Verizon DBIR: To break in, hackers favor credentials and vulnerabilities

As your organization fine-tunes its cyber defenses, here’s an unsurprising yet highly relevant fact: The two most common avenues for cyberattackers to hack into victims’ networks are compromised credentials and exploited vulnerabilities.

That’s according to Verizon’s “2025 Data Breach Investigations Report” (DBIR), which was published this week. The report is based on an analysis of 22,000 real-world security incidents — including about 12,200 confirmed breaches — that occurred globally between Nov. 1, 2023 and Oct. 31, 2024.

"The DBIR's findings underscore the importance of a multi-layered defense strategy," Chris Novak, VP of Global Cybersecurity Solutions at Verizon Business, said in a statement. 

"Businesses need to invest in robust security measures, including strong password policies, timely patching of vulnerabilities, and comprehensive security awareness training for employees," he added.

Cyber attackers used credential abuse as their initial access vector in 22% of breaches. Meanwhile, vulnerability exploitation came in second at 20%, a spike of 34% compared with the prior period. Phishing (16%) ranked third.

 



What drove the sharp rise in vulnerability exploits? The raft of zero-day bugs that attackers have exploited in network edge devices and virtual private networks. These accounted for 22% of vulnerability exploits — a proportion that rocketed from just 3% during the prior period. Organizations fully remediated only 54% of these edge vulnerabilities. The median time-to-remediate was 32 days.

Tenable Research was a key contributor to this section of the 2025 DBIR by providing enriched data on the most exploited vulnerabilities

“We analyzed over 160 million data points and zeroed-in on the 17 edge device CVEs featured in the DBIR to understand their average remediation times,” Tenable Senior Staff Research Engineer Scott Caveza wrote in a blog that details Tenable Research’s contribution.

Other key findings in the 2025 DBIR include:

  • Ransomware attacks rose 37% and were present in 44% of all breaches. However, median ransom payments fell to $115,000 from $150,000, as 64% of victims refused to pay.
  • Third-party involvement in breaches surged to 30%, up from 15%, which highlights the growing cyber risks organizations face from their supply chain partners, such as vendors and contractors.
  • 15% of employees routinely access generative AI systems via their work devices — at least once every two weeks. But most (72%) do so using personal accounts, suggesting they’re circumventing corporate policies that prohibit using generative AI tools for work.
  • The percentage of malicious emails crafted using AI has risen from about 5% to about 10% in the past two years.

To get more details, check out: Tenable’s blog “Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends” and these Verizon resources:

2 - MITRE ATT&CK update beefs up cloud, mobile security sections

Information about protecting VMWare’s ESXi hypervisor. Expanded guidance on mobile and cloud security. More intel on nation-state actors and cyber crime operations.

That’s just some of what’s new in the latest version of the MITRE ATT&CK framework, the popular knowledge base of cyberattack tactics, techniques and procedures designed to help security teams develop threat models and methodologies.

Announced this week, version 17 of MITRE ATT&CK “aims to help defenders stay aligned with where adversaries are headed by looking at where they’ve recently been,” MITRE ATT&CK officials wrote in a blog.

“This release aims to inform defensive efforts by focusing on the platforms adversaries are exploiting, the techniques they’re adapting, and the environments they’re targeting,” they added.

Here’s some of what’s new:

  • In response to a spike in attacks against virtualization systems, a new platform has been added devoted to securing VMWare’s ESXi hypervisor, which hackers have targeted recently. Specifically, the new MITRE ATT&CK version adapts 34 existing techniques to ESXi and adds four new techniques for it.

  • There’s broader guidance on protecting mobile devices and securing cloud environments. 

    For example, on the cloud security front, there’s new information about how OAuth app integrations are abused in software-as-a-service (SaaS) platforms to bypass multi-factor authentication (MFA) and swipe data.

    For mobile security, the new version documents recent techniques and tools that attackers are using, among other things, to make their attacks stealthier. There’s also new guidance to help developers build safer software for mobile devices.

  • Regarding nation-state attackers, the new version adds information on various groups, including Salt Typhoon, RedEcho, Velvet Ant and Sea Turtle.

To get more information, check out:

3 - Tenable polls webinar attendees on AI security

During our recent webinar “2025 Cloud AI Risk Report: Helping You Build More Secure AI Models in the Cloud,” we polled attendees on AI security, including which risks they’re most concerned about. Find out what they said.

(63 webinar attendees polled by Tenable, April 2025)

(74 webinar attendees polled by Tenable, April 2025)

Want details on the findings of our “Tenable Cloud AI Risk Report 2025” and on mitigation and security best practices for protecting your AI workloads and applications? Watch the webinar on-demand.

4 - SANS publishes ransomware response framework for ICS/OT environs

How can critical infrastructure organizations prepare an effective response plan for ransomware attacks against their industrial control systems and operational technology (OT) systems?

SANS Institute tackled that question and the result is a white paper published this week titled “A Simple Framework for OT Ransomware Preparation.” 

With the document, SANS aims to outline an actionable, hands-on approach for critical infrastructure organizations seeking to build or fine-tune ransomware response playbooks.

“The key message? Preparation matters. And in the OT world, a lack of preparation can have real-world consequences,” reads a SANS blog titled “Building a Better OT Ransomware Response Plan: A Simple Framework for ICS Environments.

At a high level, SANS recommendations for critical infrastructure organizations with OT / ICS environments include:

  • Before drafting the playbook, you need to collect foundational data about your environment, such as its architecture, asset inventory, key staff and security controls.
     
  • It’s also key to proactively foster collaboration between the IT, OT and cybersecurity teams.
     
  • The ransomware-preparedness playbook should cover five key areas:
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery

“By focusing on the unique challenges of OT networks, such as their architectural immaturity and the criticality of safe operations, the framework provides actionable guidance to enhance incident response capabilities,” the white paper reads.

For more information about protecting OT systems from ransomware and other cyber attacks, check out these Tenable resources:

Tenable.ot Security Spotlight - Episode 1: The Ransomware Ecosystem

Tenable.ot Security Spotlight - Episode 2: The Business Risk From a Ransomware Attack on OT Systems

Tenable.ot Security Spotlight - Episode 3: Ransomware in OT Systems

5 - FBI: U.S. cyber crime losses hit “staggering” levels in 2024

Cyber crime shows no sign of abating in the U.S.

Americans lost $16.6 billion due to internet crime last year, up 33% compared with 2023 and a new record, the U.S. Federal Bureau of Investigation said in its “Internet Crime Report 2024.” The data comes from the FBI’s IC3 division, which fields internet crime complaints.

Cyber fraud schemes account for most of the monetary losses — $13.7 billion — according to the report, released this week. Investment scams ranked first, accounting for about $6.5 billion, followed by business email compromise (BEC) at around $3 billion and tech support scams at almost $2 billion.

Overall, cyber crime victims filed almost 860,000 complaints. Of those, about 256,000 included a loss of money, for an average loss per complaint of about $19,300. Although the overwhelming majority of complaints came from the U.S., the report includes complaints from 200-plus countries.

(Source: FBI’s “Internet Crime Report 2024,” May 2025)

The rest of the losses came from cyber threats: $1.57 billion. Critical infrastructure organizations filed more than 4,800 cyber threat complaints, most of them for ransomware attacks — up 9% — and data breaches. Akira, LockBit, RansomHub, Fog and Play were the top ransomware variants impacting the critical infrastructure sector.

(Source: FBI’s “Internet Crime Report 2024,” May 2025)

For more information about cyber threats to critical infrastructure:

Juan Perez

Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse

Tenable Blog
3 weeks ago

Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchronization options can be exploited.

Synchronizing identity accounts between Microsoft Active Directory (AD) and Entra ID is important for user experience, as it seamlessly synchronizes user identities, credentials and groups between on-premises and cloud-based systems. At the same time, Tenable Research shows the following synchronization options can introduce cybersecurity risk that extend beyond hybrid tenants:

  • the already known Directory Synchronization Accounts Entra role
  • the new On Premises Directory Sync Account Entra role
  • the new Microsoft Entra AD Synchronization Service application

In 2024, Microsoft introduced two new security hardening measures for hybrid Entra ID synchronization. However, despite these improvements, both the Directory Synchronization Accounts and the new On Premises Directory Sync Account roles retain access to critical synchronization APIs. Moreover, the new 'Microsoft Entra AD Synchronization Service' application exposes the privileged ADSynchronization.ReadWrite.All permission, introducing another potential attack path that security teams must watch closely.

In this technical blog, we break down the changes Microsoft made to each of its synchronization options, explore where new risks were introduced and provide guidance on how Tenable Identity Exposure can help you monitor and secure your hybrid synchronization environment.

Directory Synchronization Accounts role: Where it all begins

In hybrid environments, Entra ID — the Identity Provider in Microsoft’s suite of Entra products — and Active Directory (AD) are synchronized through a specific service account in Entra ID (called “SYNC_…<server>_<random>” for Entra Connect and “ADToAADSyncServiceAccount” for Entra Cloud Sync). This service account is assigned the Entra role called Directory Synchronization Accounts and it is hidden in Azure Portal / Entra Admin Center.

In August 2024, as part of its security hardening effort, Microsoft announced it had removed unused permissions from the privileged Directory Synchronization Accounts role.

At Tenable Research we wondered: how can Entra ID <-> AD synchronization continue working following this reduction of privileges?

Answer: our tests showed that the Directory Synchronization Accounts role is still privileged because it can continue calling the synchronization API.

In December 2024, Microsoft announced a second security hardening with the introduction of a new app called Microsoft Entra AD Synchronization Service.

At Tenable Research, we were naturally curious about this new app. What does it look like? What are its characteristics? Does it have an API? Does it have, or expose, interesting permissions?

Answer: this application exposes the ADSynchronization.ReadWrite.All API permission, which is privileged since it allows calling the private synchronization API.

Directory Synchronization Accounts Entra role remains privileged

In June 2024, I explored the "Directory Synchronization Accounts" role in the article Stealthy Persistence with “Directory Synchronization Accounts” Role in Entra ID. I explained two ways role was privileged:

  • it had privileged Entra permissions; and
  • it had implicit permissions in the private undocumented “Azure AD Synchronization” API (the one at https://adminwebservice.microsoftonline.com/provisioningservice.svc).

The latter is also called “Sync provisioning service” by Dr. Nestori Syynimaa who implemented it in AADInternals.

The August security hardening update introduced a number of changes to the Directory Synchronization Accounts role, but did these changes successfully eliminate the role’s privileges?

Reduced permissions in the Directory Synchronization Accounts role

The Directory Synchronization Accounts role used to have 48 Entra role permissions. It underwent a drastic reduction as a result of the security hardening, with Microsoft removing all of them and replacing them with only one: microsoft.directory/onPremisesSynchronization/standard/read. Now that the role only has this read permission, it isn’t privileged anymore, which might lead you to assume it is not dangerous.

Previously, the role included microsoft.directory/applications/credentials/update and microsoft.directory/servicePrincipals/credentials/update, which could allow attackers to add credentials to privileged applications/service principals so they could authenticate as these service principals and benefit from their privileges. These made the role privileged.

Fabian Bader popularized in 2023 a similar technique of abusing this role by taking over privileged applications, via the microsoft.directory/applications/owners/update and microsoft.directory/servicePrincipals/owners/update permissions. He has since updated his article From on-prem to Global Admin without password reset after Microsoft eliminated these permissions.

But permissions for the Synchronization API were implicit in the Directory Synchronization Accounts role, i.e. not listed as Entra role permissions in the role itself. So what about them?

Implicit synchronization API permissions are still present

Since they are implicit, the only way I knew to test their privileges was to simply try it out and see what happened.

I created a user, assigned it only the Directory Synchronization Accounts role and used the corresponding commands of the AADInternals toolkit, like Set-AADIntAzureADObject and Set-AADIntUserPassword. These continued working as they had before Microsoft’s security hardening. Here’s a proof with a password reset:

PS C:\> Import-Module -Name AADInternals [...] PS C:\> $at = Get-AADIntAccessTokenForAADGraph Logging in to Microsoft Services Enter email, phone, or Skype: <redacted>@<redacted>.onmicrosoft.com Password: <redacted> PS C:\> $userid = (Read-AADIntAccesstoken $at).oid PS C:\> Connect-AzureAD -AadAccessToken $at -TenantId <redacted> -AccountId $userid [...] PS C:\> Get-AzureADUserMembership -ObjectId $userid | Where-Object { $_.ObjectType -eq "Role" } ObjectId DisplayName Description -------- ----------- ----------- <redacted> Directory Synchronization Accounts Only used by Azure AD Connect service. PS C:\> Set-AADIntUserPassword -AccessToken $at -SourceAnchor <redacted> -Password <redacted> CloudAnchor Result SourceAnchor ----------- ------ ------------ CloudAnchor 0 <redacted>

The Result is 0 means that the password reset worked.

I conclude then that these implicit permissions remain present in the Directory Synchronization Accounts role and thus the role is still privileged. It can be used to create and edit users, reset their password and manage synchronized groups. This isn’t that surprising; I had assumed it would be so, for how else could the AD <-> Entra ID synchronization process continue working after the massive permissions reduction?

I wondered a while ago if this wasn’t perhaps made possible via the microsoft.directory/passwordHashSync/allProperties/allTasks Entra permission in the role, but as we can see, it continues working without it so this hypothesis is rejected. It’s indeed an implicit and hidden permission.

Of course there are some limitations when abusing the private undocumented Azure AD Synchronization API. For example, this API is meant for managing hybrid users only. In Entra ID you can have cloud-only users as well and hybrid users. Previously, this API was allowed to touch both kinds of users. This wasn’t necessary and could create a larger-than-necessary blast radius if it was abused. Microsoft addressed this by restricting the power of this API to only hybrid users.

Which is, by the way, one of the reasons why we have an Indicator of Exposure in Tenable Identity Exposure in order to verify that privileged accounts in Entra ID are cloud-only. But even with these limitations, we can agree that the Directory Synchronization Accounts role is risky enough to cause concern.

What about the new On Premises Directory Sync Account Entra role?

Microsoft announced the permissions reduction as part of its initial security hardening in August 2024. I had noticed things moving one month earlier, when I detected a new, interesting role called On Premises Directory Sync Account. This new role is very similar to the Directory Synchronization Accounts role that I know very well. Both are hidden in Azure Portal / Entra Admin Center. The On Premises Directory Sync Account role is even undocumented. This is likely because they aren’t meant to be used by customers. Even so they both remain present and available for misuse by attackers.

It’s unclear to me what Microsoft’s reasons were for creating the new On Premises Directory Sync Account role. Perhaps it’s meant to be used with Entra Cloud Sync, and the old one for Entra Connect, as Nathan McNulty thought too. The descriptions for Entra Connect and Entra Cloud Sync don’t make this clear, and both synchronization software still use the old Directory Synchronization Accounts role. If anyone has a clue, please let me know!

Here are the details of both roles coming from the Microsoft Graph API:

 Old roleNew roleDisplay nameDirectory Synchronization AccountsOn Premises Directory Sync AccountIDd29b2b05-8046-44ba-8758-1e26182fcf32a92aed5d-d78a-4d16-b381-09adb37eb3b0DescriptionOnly used by Microsoft Entra Connect service.Only used by Microsoft Entra Connect Sync Account.Rich descriptionThis role is automatically assigned to the Microsoft Entra Connect service, and is not intended or supported for any other use.This role is automatically assigned to the Microsoft Entra Connect Sync Account, and is not intended or supported for any other use.Permissionsmicrosoft.directory/onPremisesSynchronization/standard/readmicrosoft.directory/onPremisesSynchronization/standard/readIs privilegedfalsefalse

Naturally I wondered if there was a difference when calling the Synchronization API, but it turns out both roles allow the same operations. Here’s the same proof as before, this time with a user having the On Premises Directory Sync Account role:

PS C:\> Import-Module -Name AADInternals [...] PS C:\> $at = Get-AADIntAccessTokenForAADGraph Logging in to Microsoft Services Enter email, phone, or Skype: <redacted>@<redacted>.onmicrosoft.com Password: <redacted> PS C:\> $userid = (Read-AADIntAccesstoken $at).oid PS C:\> Connect-AzureAD -AadAccessToken $at -TenantId <redacted> -AccountId $userid [...] PS C:\> Get-AzureADUserMembership -ObjectId $userid | Where-Object { $_.ObjectType -eq "Role" } ObjectId DisplayName Description -------- ----------- ----------- <redacted> On Premises Directory Sync Account Only used by Microsoft Entra Connect Sync Account. PS C:\> Set-AADIntUserPassword -AccessToken $at -SourceAnchor <redacted> -Password <redacted> CloudAnchor Result SourceAnchor ----------- ------ ------------ CloudAnchor 0 <redacted>

As we noted with the old Directory Synchronization Accounts role, the new On Premises Directory Sync Account role also can only touch hybrid users and cannot modify Entra applications/service principals since it doesn’t have the necessary permissions either. Moreover, the latest version of Entra Connect (2.4.129.0 at the time this blog was written), continues to create a user called On-Premises Directory Synchronization Service Account with the old Directory Synchronization Accounts role assigned.

Tenable considers both Entra synchronization roles as privileged

According to the new privileged roles and permissions feature of Entra ID, these roles are not considered privileged. The new feature marks some permissions as privileged which then flows down to all roles having at least one privileged permission. Because the Directory Synchronization Accounts role and the On Premises Directory Sync Account role lack privileged permissions they are not marked as privileged.

Tenable respectfully disagrees with this conclusion because of the potential for abuse of these roles.

Now, let’s talk about that new app: Microsoft Entra AD Synchronization Service

No, Entra "AD" is not a typo. And even though the name might lead one to conclude this is a brand new offering, it appears that the name is likely meant to indicate its function as a bridge between Entra [ID] and AD.

Microsoft describes Entra AD Synchronization Service as “a dedicated first-party application to enable the synchronization between Active Directory and Microsoft Entra ID.” It’s described as being for customer tenants using Microsoft Entra Connect Sync or Microsoft Entra Cloud Sync service. While Microsoft communicated about this new app in December and made it available in all tenants, for now it isn't used. At least not publicly. My goal in discussing it here is to raise awareness of the fact that, while this app is not yet generally used, it is available and already open for potential abuse.

As a first-party application, the application object (aka “app registration”) is hosted in Microsoft’s tenant, while the corresponding Service Principal (SP) object (aka “enterprise application”) is instantiated in the customer’s tenant (see how below). Below are key characteristics of this service principal (retrieved via the Graph API):

AttributeValuedisplayNameMicrosoft Entra AD Synchronization ServiceidNot relevant as it’s different in each tenantappId6bf85cfa-ac8a-4be5-b5de-425a0d0dc016appOwnerOrganizationIdf8cdef31-a31e-4b4a-93e4-5f571e91255a
(well-known “Microsoft Services” tenant where many first-party apps are registered)servicePrincipalNames["6bf85cfa-ac8a-4be5-b5de-425a0d0dc016"]

In my test tenant, this SP doesn’t have any app/delegated permissions granted. But its related app exposes two permissions:

  • app permission (appRoles): ADSynchronization.ReadWrite.All having the ID ab43b826-2c7a-4aff-9ecd-d0629d0ca6a9
  • delegated permission (publishedPermissionScopes): ADSynchronization.ReadWrite.All having the ID 0b41ed4d-5f52-442b-8952-ea7d90719860

The SP doesn’t have any password/key/federated credentials set. Entra ID blocked my attempts to add some (CannotUpdateLockedServicePrincipalProperty), which I believe is caused by app instance property lock.

So, how to get this SP in your tenant if you don’t have it already? I already had Entra Connect in my test tenant, so I just had to reinstall it, which triggered the creation of the SP. Surprisingly, according to the audit logs, it was created by the classic synchronization service user (“SYNC_…<server>_<random>” for Entra Connect):

Perhaps you have noticed in the above image the following intriguing Credential property: [{"CredentialType":2,"KeyStoreId":"291154f0-a9f5-45bb-87be-9c8ee5b6d62c","KeyGroupId":"291154f0-a9f5-45bb-87be-9c8ee5b6d62c"}]

I’ve observed the same for other SPs so we can ignore it.

The dangers of ADSynchronization.ReadWrite.All

Now, I know that the “Microsoft Entra AD Synchronization Service” app exposes a single permission: ADSynchronization.ReadWrite.All. This permission is available both as an app permission and a delegated permission. So I tried using it with a client Service Principal.

  1. Create an app registration

  2. In the “API permissions” menu, click “Add a permission” and search for the “Microsoft Entra AD Synchronization Service” API:

  3. Select the “application permissions” type. There’s only one, as I already know, so I check it and add:

  4. Grant admin consent:

  5. Assign credentials to the client app to allow authenticating as its SP

Now that I have a new client SP, with this permission granted on the Microsoft Entra AD Synchronization Service API, how to use it?

On the Microsoft Entra AD Synchronization Service SP, I have no clue (e.g. reply URL) where the corresponding API is. But I know that it’s related to synchronization and I assume it’s meant to replace the usual service account. So, I’ll try to access the Synchronization API. This is the API we discussed earlier in this blog — the private undocumented “Azure AD Synchronization” API at https://adminwebservice.microsoftonline.com/provisioningservice.svc, also called “Sync provisioning service” by Dr. Nestori Syynimaa who implemented it in AADInternals.

Here’s the PowerShell script I’m using to obtain a token (using the client credentials grant OAuth 2.0 flow, also refer to this doc on the .default scope), for the Microsoft Entra AD Synchronization Service API (using known ID 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016), with the credentials of my client app. Then it shows the content of the token and tries to use the Synchronization API to reset the password of a hybrid user:

Import-Module AADInternals -Force $TenantId = <redacted>' $ClientId = '<redacted>' # my "client app for Microsoft Entra AD Synchronization Service" $ClientSecret = '<redacted>' $at = $null $response = $null $response = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body @{grant_type = "client_credentials"; client_id = $ClientId; client_secret = $ClientSecret; scope="6bf85cfa-ac8a-4be5-b5de-425a0d0dc016/.default"} $at = $response.access_token Read-AADIntAccessToken -AccessToken $at Set-AADIntUserPassword -AccessToken $at -SourceAnchor <redacted> -Password <redacted>

Here’s the output I get. First, the obtained access token:

aud : 6bf85cfa-ac8a-4be5-b5de-425a0d0dc016 iss : https://login.microsoftonline.com/<$TenantId>/v2.0 [...] azp : <$ClientId> [...] idtyp : app oid : <object ID of my client SP> [...] roles : {ADSynchronization.ReadWrite.All} sub : <object ID of my client SP> tid : <$TenantId> [...]

Which confirms that I obtained a token as desired: meant for (aud) the Microsoft Entra AD Synchronization Service API, with the ADSynchronization.ReadWrite.All permission. Then, I have the confirmation that it works when I use it (since the Result is 0):

CloudAnchor : CloudAnchor Result : 0 SourceAnchor : <redacted>

Actually it doesn’t work immediately, because normally the token to call the Synchronization API has to be for the Azure AD Graph API (graph.windows.net), which is, by the way, currently being deprecated. And the code of AADInternals doesn’t expect anything else, so to make it work, I had to add -Force:$True to the following line of code in Set-UserPassword, like so:

$AccessToken = Get-AccessTokenFromCache -AccessToken $AccessToken -ClientID "1b730954-1685-4b74-9bfd-dac224a7b894" -Resource "https://graph.windows.net" -Force:$True

To conclude, any service principal granted the ADSynchronization.ReadWrite.All permission on the “Microsoft Entra AD Synchronization Service” app can do everything that the Synchronization API allows (such as resetting hybrid users’ passwords). Therefore, these potential service principals must be considered as malicious until the app is officially put in use. Then, when Microsoft releases it, there will be legitimate cases to exclude, of course.

Tenable Identity Exposure considers “ADSynchronization.ReadWrite.All” to be dangerous

Tenable Identity Exposure has two Indicators of Exposure related to the topic of dangerous API permissions:

They were focused on dangerous permissions on the Azure AD Graph and MS Graph APIs, but following this research, we’ve expanded them to include the ADSynchronization.ReadWrite.All permission on the Microsoft Entra AD Synchronization Service API (see screenshot below).

I want to highlight here that most online resources and tools are focused on checking permissions granted for the two most well-known APIs — Azure AD Graph and MS Graph API permissions, e.g. RoleManagement.ReadWrite.Directory. By only focusing on these two APIs, organizations risk overlooking the dangerous permission on the Microsoft Entra AD Synchronization Service API. You can use Tenable Identity Exposure to address these permissions, or you can check your scripts/tools to better secure your hybrid identity environment

Conclusion

Even after Microsoft’s 2024 hardening efforts, hybrid Entra ID synchronization remains a critical exposure point. The 'Directory Synchronization Accounts' and 'On Premises Directory Sync Account' roles still retain implicit access to sensitive synchronization APIs, and the new 'Microsoft Entra AD Synchronization Service' app introduces the powerful ADSynchronization.ReadWrite.All permission — creating additional risk if misused.

Security teams should proactively monitor for these roles and permissions in their environments, treat them as privileged and ensure they are continuously assessed for exposure risks. Tenable Identity Exposure accounts for these evolving exposures to help defenders stay ahead.

Tenable Research will continue to monitor this evolution to provide the most accurate indicators to our customers — ensuring you have the visibility needed to protect your hybrid identity environments.

Clément Notin

Stronger Cloud Security in Five: How To Protect Your Cloud Workloads

Tenable Blog
3 weeks 1 day ago

In the first installment of Tenable’s “Stronger Cloud Security in Five” blog series, we covered cloud security posture management (CSPM), which focuses on protecting your multi-cloud infrastructure by detecting misconfigurations. Today, we turn to securing cloud workloads, which are the applications and services — along with all the resources they need to function — that run within your multi-cloud infrastructure.

Because cloud environments are dynamic, distributed and multi-layered, securing cloud workloads is challenging, as their security posture can quickly shift. The variety of workloads — virtual machines, container images, databases, serverless functions, and more — adds to the complexity.

Also complicating matters: The deployment of cloud workloads on more than one cloud service provider (CSP), which requires that security teams protect workloads in multi-cloud environments.

In fact, an Enterprise Strategy Group (ESG) survey last year found that most organizations need to secure applications across multi-cloud environments. The report also found that almost all organizations suffered serious cybersecurity incidents.

As a result, 89% of organizations planned to invest more in cloud security platforms and DevSecOps, including in cloud workload protection platforms, ESG Cybersecurity Practice Director Melinda Marks explained.

Clearly, cloud workload integrity is essential. As the Cloud Security Alliance tells us in its “Security Guidance: For Critical Areas of Focus in Cloud Computing”: “For businesses using the cloud, securing these workloads is not just about protecting data. It is also about ensuring that their operations can continue without interruption.” 

At Tenable, we believe that to secure your multi-cloud workloads, you need a cloud-native application protection platform (CNAPP) with a strong cloud workload protection solution that can help you prevent, detect and address exposures, including vulnerabilities, misconfigurations and insecure APIs.

“Choosing a security provider that has conflicting priorities can introduce risk. The best cloud security program is built on independence, transparency and aligned priorities around your security needs.” -- Tenable Chief Product Officer Shai Morag

Here are five key best practices for protecting your cloud workloads.

1 - Continuous and contextualized vulnerability management

It’s critical to automate the continuous scanning of your cloud workloads to detect vulnerabilities across operating systems, containers, virtual machines, and more — whenever they crop up.

In addition, you need contextualized vulnerability analysis. Your CNAPP’s CWP tool must enrich the context of detected vulnerabilities with granular research information, including severity ratings and exploit details. This rich context will allow you to identify the riskiest vulnerabilities to your organization and prioritize remediation accordingly.

For example, you’ll be able to detect cloud workloads afflicted with toxic combinations, such as those that are publicly exposed and have critical vulnerabilities and excessive permissions. How prevalent is this “toxic trilogy”? The “Tenable Cloud Risk Report 2024” found that almost 40% of organizations have at least one toxic trilogy — and 27% have at least five. 

2 - Cloud scanning

To protect workloads in a cloud-native manner, you’ll need an effective method to scan. Agentless scanning is one effective way to do just that. By using the APIs provided by CSPs to gather security data, agentless scanning protects workload performance and delivers a holistic view of your security posture at scale. 

You get visibility into your cloud workload inventory, telemetry and risks, including vulnerabilities, data exposure, overprivileged identities, malware and misconfigurations across virtual machines, containers, serverless workloads and Kubernetes clusters. With this data in hand, you can establish sound priorities to guide your remediation efforts. 

3 - Build-to-runtime container security

A critical component of cloud workload security is the protection of containers throughout their lifecycles — from build to deployment. This continuous, end-to-end container security also needs to be automated and baked into your DevOps workflows and CI/CD pipeline.

Such an automated and comprehensive approach is critical given the large number of containers in a typical cloud environment, the speed with which they’re spun up and down, and their ephemeral duration.

“For businesses using the cloud, securing these workloads is not just about protecting data. It is also about ensuring that their operations can continue without interruption.” -- Cloud Security Alliance

It all starts during the container build process. Your cloud workload protection platform (CWPP) must give your developers visibility into container risks, such as outdated operating system images and vulnerabilities. It should also empower developers to remediate the detected security flaws by giving them risk insights so they can prioritize remediation effectively.

You also need automated security scanning of the containers you check into registries, such as DockerHub and Amazon ECR.

Finally, containers should undergo automated security tests in production runtime environments because attackers will readily exploit buggy and misconfigured containers.

4 - Automated compliance monitoring

Improperly securing your cloud workloads can have serious implications if your organization runs afoul of the numerous and complex cybersecurity laws and rules that apply to cloud computing.

Keeping your cloud workloads compliant with government regulations and industry standards requires a methodical, automated approach that can match your cloud environments’ quicksilver nature.

A CWP system that automatically identifies compliance violations and provides out-of-the-box policies and templates can dramatically simplify the thorny cloud compliance process.

5 - Centralized security visibility and management

Your CWP system should provide a unified, continuously updated and contextually rich view of your multi-cloud workload resources and their risks — and it should do this in an agnostic manner. 

As Tenable Chief Product Officer Shai Morag pointed out recently: “Choosing a security provider that has conflicting priorities can introduce risk. The best cloud security program is built on independence, transparency and aligned priorities around your security needs.”

In ESG’s survey, respondents expressed a preference for consolidated solutions and platforms “to help provide better context, drive efficient actions, rapidly mitigate issues and save valuable time” instead of having to manually analyze results from separate solutions, ESG’s Marks said.

At Tenable, we believe that a centralized CWP user interface with multi-cloud visibility, security management and reporting gives your teams a single source of truth for cloud workload risks, allowing them to collaborate and prioritize remediation. 

Learn how you can take action to boost your cloud security in just five minutes.

Nagraj Seshadri

Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends

Tenable Blog
3 weeks 1 day ago

The 2025 Verizon Data Breach Investigations Report (DBIR) reveals that vulnerability exploitation was present in 20% of breaches — a 34% increase year-over-year. To support the report, Tenable Research contributed enriched data on the most exploited vulnerabilities. In this blog, we analyze 17 edge-related CVEs and remediation trends across industry sectors.

Background

Since 2008, Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats. For the 2025 edition, Tenable Research contributed enriched data on the most exploited vulnerabilities of the past year. We analyzed over 160 million data points and zeroed-in on the 17 edge device CVEs featured in the DBIR to understand their average remediation times. In this blog, we take a closer look at these vulnerabilities, revealing industry-specific trends and highlighting where patching still lags — often by months.

In this year’s DBIR, vulnerabilities in Virtual Private Networks (VPNs) and edge devices were particular areas of concern, accounting for 22% of the CVE-related breaches in this year’s report, almost eight times the amount of 3% found in the 2024 report.

Analysis

The 2025 DBIR found that exploitation of vulnerabilities surged to be one of the top initial access vectors for 20% of data breaches. This represents a 34% increase over last year’s report and is driven in part by the zero-day exploitation of VPN and edge device vulnerabilities – asset classes that traditional endpoint detection and response (EDR) vendors struggle to assess effectively. The DBIR calls special attention to 17 CVEs affecting these edge devices, which remain valuable targets for attackers. Tenable Research analyzed these 17 CVEs and evaluated which industries had the best and worst remediation rates across the vulnerabilities. As a primer, the table below provides this list of CVEs and details for each, including their Common Vulnerability Scoring System (CVSS) and Tenable Vulnerability Priority Rating (VPR) scores. It’s worth noting that each of these CVEs was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list in 2024.

CVEDescriptionCVSSv3VPRTenable BlogCVE-2024-20359Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability6.06.7CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoorCVE-2023-6548Citrix NetScaler ADC and Gateway Authenticated Remote Code Execution (RCE) Vulnerability8.87.4CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler GatewayCVE-2023-6549Citrix NetScaler ADC and Gateway Denial of Service Vulnerability7.55.1CVE-2023-48788FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability9.89.4CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection VulnerabilityCVE-2024-21762Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd9.87.4CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN VulnerabilityCVE-2024-23113Fortinet FortiOS Format String Vulnerability9.87.4CVE-2024-47575FortiManager Missing Authentication in fgfmsd Vulnerability (FortiJump)9.89.6CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager CloudCVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability8.26.7CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure GatewaysCVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability9.19.8CVE-2024-21893Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability8.27.2CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure GatewaysCVE-2023-36844Juniper Networks Junos OS PHP External Variable Modification Vulnerability5.32.9Exploit Chain Targets Unpatched Juniper EX Switches and SRX FirewallsCVE-2023-36845Juniper Networks Junos OS PHP External Variable Modification Vulnerability9.88.4CVE-2023-36846Juniper Networks Junos OS Missing Authentication Vulnerability5.32.9CVE-2023-36847Juniper Networks Junos OS Missing Authentication Vulnerability5.32.9CVE-2023-36851Juniper Networks Junos OS Missing Authentication Vulnerability5.32.9CVE-2024-3400Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS10.010CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the WildCVE-2024-40766SonicWall SonicOS Management Access and SSLVPN Improper Access Control Vulnerability9.87.4 

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 23 and reflects VPR at that time.

Tenable Research Analyzes Edge CVE Remediation Trends

Featured prominently in the DBIR, these 17 edge device CVEs were further analyzed by Tenable Research and are organized by vendor with each chart below consisting of CVEs fixed in the same patch release. To understand remediation efforts from Tenable’s telemetry data, we analyzed the average time in days for remediation of these vulnerabilities. The charts shown below spotlight the three industries that had the shortest average time to remediate each vulnerability as well as the three sectors that took the longest amount of time to remediate.

Cisco

CVE-2024-20359 was highlighted in April 2024 by Cisco Talos as one of two known vulnerabilities being exploited by an advanced persistent threat (APT) actor labeled as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The flaw was used as part of an espionage campaign known as ArcaneDoor. From our analysis, we found that the education, energy and utilities, and shipping and transportation industries had the longest average remediation time for this vulnerability. CVE-2024-20359 was added to the CISA KEV list on April 24, 2024; the same date Cisco Talos released its research on ArcaneDoor. This KEV addition had a due date of seven days for federal civilian executive branch (FCEB) agencies, which are mandated by Binding Operational Directive (BOD) 22-01. Despite this short patch window, we see that the government sector had a surprisingly high average remediation rate of 116 days. While this is well outside the KEV due date, government was one of the three industries with the fastest average remediation rate.

Source: Tenable Research, April 2025

Citrix

CVE-2023-6548 and CVE-2023-6549 are a pair of zero-day vulnerabilities that were exploited against Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. These vulnerabilities were patched in early January 2024, only months after Citrix addressed CVE-2023-4966, a critical flaw in NetScaler appliances called “CitrixBleed” that was widely exploited by a variety of attackers. While Citrix appliances continue to remain a high value target for attackers, the remediation rates, even amongst the three industries with the shortest average remediation rates, are much higher than we anticipated. The lowest average patch rate observed was 160 days for the consulting industry.

Source: Tenable Research, April 2025

Fortinet

CVE-2024-21762 and CVE-2024-23113 are two critical severity vulnerabilities affecting Fortinet’s FortiOS network operating system. At the time the Fortinet advisory was released for these vulnerabilities, CVE-2024-21762 was listed as “potentially being exploited in the wild.” Just a day later, CISA added it to the KEV list. Similar to the Citrix vulnerabilities above, the average remediation time for these vulnerabilities ranged from 172 days on the low end to over 260 days on the high end. The consulting industry had the longest average remediation rate while the software, internet and technology sector had the shortest at 172 days.

Source: Tenable Research, April 2025

In stark contrast to the Fortinet CVEs above is CVE-2023-48788, a critical SQL injection vulnerability affecting FortiClient Enterprise Management Server (FortiClientEMS). The communications and telecommunications sector led the way with an average remediation rate of only 12 days with healthcare a distant second, with an average of 71 days to remediate the flaw.

Source: Tenable Research, April 2025

Similar to CVE-2023-48788, CVE-2024-47575, a missing authentication vulnerability in FortiManager dubbed “FortiJump,” appears to have been urgently addressed by organizations. Our analysis revealed it had the lowest average remediation rates of the 17 CVEs we examined. Remediation times averaged a week, even for the slowest to patch industries.

Source: Tenable Research, April 2025

Ivanti

Over the last five years, Ivanti’s Connect Secure and Policy Secure have been targeted by a variety of threat actors including ransomware groups and other nation-state aligned threat actors. Unsurprisingly, CVE-2023-46805 and CVE-2024-21887 have been reportedly abused by threat actors in chained attacks to achieve RCE. Additionally, these flaws were exploited as zero-days. From our analysis, even the quickest of industries to remediate these flaws took over 260 days to do so with the highest average just shy of 300 days.

Source: Tenable Research, April 2025

Only a few weeks after patches for CVE-2023-46805 and CVE-2024-21887 were released, Ivanti released a new advisory with additional CVEs, including CVE-2024-21893. While initially it was believed that CVE-2024-21893 was only exploited in limited attacks, Shadowserver reported a major increase in exploit activity hours prior to a public proof-of-concept (PoC) being released. Interestingly this vulnerability saw some differing remediation rates with the biotechnology and chemicals sector being the fastest to patch with an average of nine days for remediation.

Source: Tenable Research, April 2025

Juniper Networks

Next we examined five CVEs from Juniper Networks (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 and CVE-2023-36851) affecting Junos OS. These vulnerabilities were quickly exploited in a chained attack just days after being disclosed by Juniper Networks, which released its patches on August 17, 2024. While four of the five vulnerabilities had medium severity CVSSv3 scores, chaining these flaws allows for a remote, unauthenticated attacker to execute arbitrary code on unpatched devices. The average remediation rate for these vulnerabilities varied greatly, with food and beverage at over 420 days and shipping and transportation on the low end with an average remediation time of 80 days.

Source: Tenable Research, April 2025

Palo Alto Networks

CVE-2024-3400 is a critical command injection vulnerability affecting the Palo Alto Networks GlobalProtect Gateway feature of PAN-OS that was exploited in the wild as a zero-day. In our dataset, this CVE had a smaller footprint than others examined, yet it shared a similar trend with most industries requiring over 100 days to remediate. The banking, finance and insurance sector performed far better with an average of 45 days to close out this vulnerability.

Source: Tenable Research, April 2025

SonicWall

The final CVE we examined was CVE-2024-40766, a critical improper access control vulnerability in the SonicWall SonicOS management access and SSLVPN. This flaw saw exploitation from ransomware groups, including Fog and Akira, which utilized the vulnerability to gain initial access to their victims' networks. In the case of this SonicWall vulnerability, average remediation rates were low in comparison to the other CVEs we examined, with the slowest sector taking 52 days (consulting) and the fastest (engineering) taking an average of only six days.

Source: Tenable Research, April 2025

Conclusion

The 17 CVEs we examined in our analysis, while only representing a small portion of the CISA KEV, encompass devices that have an elevated risk, due to their placement at the forefront of a network. Despite these being some of the most valuable targets for attackers, our examination of remediation rates show us that there’s still room for improvement across all industry verticals. Known and exploitable vulnerabilities continue to be abused by threat actors, many of which take advantage of readily available exploits. Data has become increasingly valuable and attackers and APT groups alike have zeroed in on the exploits and vulnerabilities that provide and help them maintain access to victim networks. In order to reduce risk and harden your networks, we recommend addressing each of the CVEs discussed in this post as well as reading the Verizon 2025 DBIR to understand the trends and tactics used by threat actors. Security isn’t just for infosec professionals — it’s everyone’s responsibility. The data compiled by Verizon, in collaboration with Tenable, offer valuable insights into today’s modern threat landscape and what you can do to better protect the networks, devices and people you defend.

Identifying affected systems

A list of Tenable plugins for the vulnerabilities discussed in the blog can be found on the individual CVE pages for each of the CVEs listed below. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Scott Caveza
Checked
7 hours 36 minutes ago
URL
https://www.tenable.com/
Tenable Blog feed

Managed ad