< ciso brief />

All news with #cvss tag

13 articles

Five Practical Steps to Strengthen Attack Resilience

🔒 ASM provides continuous visibility that answers a core question for IT security teams: what can attackers reach right now? The article presents five practical steps: comprehensive discovery across external, internal, digital, physical, and human surfaces; focusing on the attack vectors that most often break resilience; and shifting from periodic scans to continuous exposure management cycles. It stresses risk-based prioritization using CVSS, exploit probability, and asset criticality, and advocates integrating ASM with detection, response, and recovery while leveraging automation to reduce blind spots.

Beyond CVSS: Smarter Vulnerability Prioritization Strategies

🔍 For years organizations have relied on CVSS scores as the default measure of vulnerability severity, but severity does not equal operational risk. High CVSS numbers can misdirect remediation efforts while lower-scored but actively exploited flaws pose greater danger. KEV lists are useful yet inherently reactive; effective prioritization demands multi-source threat intelligence and real-time exploitation telemetry to focus fixes where they reduce true risk.
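The two prioritization briefs above (the ASM item's risk-based step and this one) both argue that CVSS alone misranks work. The following is an added example, not code from either article: a small risk-ranking function that combines the CVSS base score, exploitation evidence (a KEV-style "known exploited" flag plus an EPSS-style probability), and asset criticality. The weights, the asset criticality table, the sample findings and their exploitation probabilities are all constructed for illustration and are not real EPSS or KEV data.

```javascript
// Added example: risk ranking beyond the CVSS number. Not from the articles;
// weights, findings and probabilities below are constructed for illustration.

// Constructed sample findings. exploitProb mimics an EPSS-style probability,
// knownExploited mimics KEV membership; neither value is real data.
const FINDINGS = [
  { id: 'VULN-A', cvss: 9.8, exploitProb: 0.02, knownExploited: false, asset: 'internal-test-vm' },
  { id: 'VULN-B', cvss: 6.5, exploitProb: 0.91, knownExploited: true,  asset: 'edge-vpn-gateway' },
  { id: 'VULN-C', cvss: 7.5, exploitProb: 0.40, knownExploited: false, asset: 'edge-vpn-gateway' },
  { id: 'VULN-D', cvss: 9.1, exploitProb: 0.05, knownExploited: false, asset: 'hr-db' },
];

// Constructed asset criticality, 0.0 (disposable) to 1.0 (crown jewel).
const ASSET_CRITICALITY = {
  'internal-test-vm': 0.2,
  'edge-vpn-gateway': 1.0,
  'hr-db': 0.9,
};

// Risk score in [0, 100]. Severity is capped at 40 points so that a CVSS 9.8 with
// no exploitation evidence cannot outrank an actively exploited medium-severity
// flaw on an exposed, critical asset. The split 40/35/25 is an assumption.
function riskScore(f, criticality = ASSET_CRITICALITY) {
  const severity = (f.cvss / 10) * 40;                        // 0..40 from CVSS
  const likelihood = f.knownExploited ? 1.0 : f.exploitProb;  // KEV evidence dominates
  const exposure = criticality[f.asset] ?? 0.5;               // unknown asset: assume medium
  return Math.round(severity + likelihood * 35 + exposure * 25);
}

// Finding ids ordered by descending risk; ties broken by CVSS, then id.
function prioritize(findings = FINDINGS, criticality = ASSET_CRITICALITY) {
  return findings
    .map(f => ({ ...f, risk: riskScore(f, criticality) }))
    .sort((a, b) => b.risk - a.risk || b.cvss - a.cvss || a.id.localeCompare(b.id))
    .map(f => f.id);
}

// The same findings ranked by CVSS alone, for comparison.
function byCvssOnly(findings = FINDINGS) {
  return [...findings]
    .sort((a, b) => b.cvss - a.cvss || a.id.localeCompare(b.id))
    .map(f => f.id);
}

console.log('CVSS only :', byCvssOnly().join(' > '));
console.log('Risk-based:', prioritize().join(' > '));
```

With the constructed data, CVSS-only ordering puts VULN-A (9.8, on a throwaway test VM, no exploitation evidence) first, while the risk-based ordering puts VULN-B (6.5, known exploited, on the internet-facing VPN gateway) first and VULN-A last. The scoring weights are deliberately simple; the point is that exploitation telemetry and asset context, not the base score, should decide what gets fixed this week.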

AWS Security Agent: Multi-Agent Penetration Testing

🔒 AWS describes a multi-agent penetration testing capability in AWS Security Agent that pairs LLM-driven reasoning with specialized scanners and browser-based sign-in to automate complex assessments. The design combines baseline scanning, managed static tests, and a guided explorer that dynamically generates contextual attack tasks. A swarm of risk-focused worker agents executes tests and submits structured findings, which are then validated via deterministic checks and LLM-assisted exploit attempts and scored with CVSS to produce actionable remediation reports.

Critical vm2 Node.js Vulnerability Enables Sandbox Escape

⚠️ A critical sandbox escape in vm2 (CVE-2026-22709) can allow execution of arbitrary code on the host by bypassing the sandbox's Promise handler sanitization. Endor Labs researchers Peyton Kennedy and Cris Staicu reported that async functions return host-realm (global) Promise objects whose `then` and `catch` handlers were not properly sanitized, leaving a path from sandboxed code back to host objects. The flaw carries a CVSS score of 9.8 and was addressed in vm2 3.10.2; the article cites 3.10.3 with additional fixes. Users are urged to update and to consider stronger isolation alternatives such as isolated-vm or container-level separation; vm2 builds on Node's built-in vm module, which Node's own documentation states is not a security mechanism, so any object that crosses the realm boundary unwrapped is a potential escape.

Critical ibaPDA File-System Permission Vulnerability

⚠️ A critical vulnerability (CVE-2025-14988) in iba Systems ibaPDA 8.12.0 permits unauthorized file-system actions that can affect confidentiality, integrity, and availability; CISA assigns a CVSS v3.1 base score of 9.8. Siemens reported the issue and the vendor has released ibaPDA 8.12.1 as a remediation. If immediate updating is not possible, vendor-recommended mitigations include enabling User Management and setting a strong admin password, configuring Server Access Manager to restrict access (for example to 127.0.0.1 or specific system IPs), disabling automatic Windows Firewall port openings and removing or deactivating incoming ibaPDA firewall rules, and creating manual rules that permit only required ports. After applying updates or mitigations, verify that all ibaPDA services and data acquisition continue to function correctly.

Johnson Controls Metasys: Critical Remote SQL RCE Alert

⚠️ CISA and Johnson Controls disclose CVE-2025-26385, a critical remote SQL execution vulnerability in Metasys components with a CVSS v3.1 base score of 10.0. An attacker could execute SQL remotely, potentially altering or destroying data in affected products including ADS, ADX, LCS8500, NAE8500, SCT, and CCT. Johnson Controls provides a patch (GIV-165989) via the License Portal and recommends applying the Metasys Release 14 Hardening Guide, segmenting installations, and closing TCP port 1433 (the default Microsoft SQL Server listener port) to untrusted networks as immediate mitigations. CISA notes there is no known public exploitation of this vulnerability at this time; that status can change quickly once a patch is public, so the port restriction should not wait for the patch window.

Prioritizing Vulnerabilities Beyond the CVSS Number

🔗 CVSS remains a useful baseline for rating technical severity, but the article argues it often misses operational context and relational risk. It introduces the unified linkage model (ULM), which evaluates vulnerabilities by how they can propagate through adjacency, inheritance and trust relationships. By mapping connections—shared libraries, CI/CD pipelines, identity systems—organizations can prioritize based on reach and downstream influence rather than score alone.
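The "reach" idea is easiest to see on a graph. The following is an added illustration, not code from the article and not an implementation of the ULM as the article defines it: a constructed environment where each directed edge means "compromise of A can propagate to B" (B depends on A, inherits from it, or trusts it), and vulnerable components are ranked by how many other components are downstream of them rather than by CVSS. Component names, edges and CVSS values are all made up.

```javascript
// Added illustration of reach-based ranking (not the article's ULM, not its code).
// Directed edge [from, to] means "compromise of `from` can propagate to `to`".
// Constructed sample environment: a shared library, a CI runner, an identity
// provider, and an isolated kiosk that nothing important depends on.
const EDGES = [
  ['libxml-shared', 'billing-api'],
  ['libxml-shared', 'reporting-svc'],
  ['ci-runner', 'billing-api'],
  ['ci-runner', 'reporting-svc'],
  ['ci-runner', 'release-signer'],
  ['release-signer', 'prod-deploy'],
  ['idp', 'ci-runner'],
  ['idp', 'admin-console'],
  ['billing-api', 'billing-db'],
  ['isolated-kiosk', 'kiosk-log'],
];

// Adjacency map: node -> list of nodes it can propagate to.
function buildGraph(edges) {
  const g = new Map();
  for (const [from, to] of edges) {
    if (!g.has(from)) g.set(from, []);
    if (!g.has(to)) g.set(to, []);
    g.get(from).push(to);
  }
  return g;
}

// Breadth-first traversal: every node reachable from `start` (transitively),
// excluding `start` itself. Handles cycles via the `seen` set.
function downstream(graph, start) {
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length) {
    const node = queue.shift();
    for (const next of graph.get(node) ?? []) {
      if (!seen.has(next)) {
        seen.add(next);
        queue.push(next);
      }
    }
  }
  seen.delete(start);
  return [...seen].sort();
}

// Rank vulnerable components by downstream reach; CVSS only breaks ties.
function rankByReach(vulns, edges = EDGES) {
  const graph = buildGraph(edges);
  return vulns
    .map(v => ({ ...v, reach: downstream(graph, v.component).length }))
    .sort((a, b) => b.reach - a.reach || b.cvss - a.cvss)
    .map(v => `${v.component} (reach ${v.reach}, CVSS ${v.cvss})`);
}

// Constructed findings: the highest CVSS sits on the least connected component.
const VULNS = [
  { component: 'isolated-kiosk', cvss: 9.8 },
  { component: 'libxml-shared', cvss: 7.5 },
  { component: 'idp', cvss: 6.5 },
];

console.log(rankByReach(VULNS).join('\n'));
```

In the constructed graph the identity provider's medium-severity flaw reaches seven components (through the CI runner into the release signer and production deploy), the shared library's reaches three, and the kiosk's critical flaw reaches one. A real linkage model would weight edge types and combine reach with the exploitation and criticality signals discussed in the earlier briefs; this only shows the graph traversal that "downstream influence" implies.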

EU launches independent GCVE vulnerability database

🛡️ The EU-backed GCVE has launched a free, public vulnerability database at db.gcve.eu to reduce reliance on U.S.-centric CVE identifiers and strengthen European digital sovereignty. Using a decentralized GNA model and aggregating more than 25 public sources, the platform normalizes and indexes vulnerability data to allow autonomous assignment and publication of identifiers without central approval. An open API supports integration with compliance and risk tools so security teams, vendors, and researchers can track and assess reports across ecosystems.

Modernizing Vulnerability Sharing for AI Threats and Policy

🔐 The post argues that traditional vulnerability-sharing frameworks built around software flaws are inadequate for adversarial AI threats such as poisoning and inference attacks that target models and data rather than code. It recommends bridging existing cyber infrastructure — including the CVE Program, CVSS, CNAs, the NVD and CISA’s KEV Catalog — with new standards for AI artifacts like poisoned datasets and backdoored models. Palo Alto Networks supports the White House AI Action Plan and the proposed AI-ISAC to accelerate adoption, coordinate disclosure, and help operationalize AI-specific vulnerability management.

Johnson Controls OpenBlue Mobile Forced Browsing Fix

🔒 Johnson Controls reported a Direct Request (Forced Browsing) vulnerability (CVE-2025-26381) in the OpenBlue Mobile Web Application for OpenBlue Workplace. Versions 2025.1.2 and earlier may allow remote attackers to gain unauthorized access to sensitive information; CISA cites a CVSS v3.1 score of 9.3 and a CVSS v4 score of 6.5. Johnson Controls recommends upgrading to patch level 2025.1.3 when available; until then, administrators should disable the mobile app in IIS or use the primary Workplace web interface as a mitigation.

Advantech iView SQL Injection Vulnerability (CVE-2025-13373)

⚠️ Advantech iView versions 5.7.05.7057 and earlier are affected by an SQL injection vulnerability in SNMP v1 trap handling (UDP port 162) that can be exploited remotely with low attack complexity. CISA assigns CVE-2025-13373 a CVSS v4 base score of 8.7 (CVSS v3.1: 7.5). Successful exploitation could disclose, modify, or delete data. Advantech recommends updating to iView v5.8.1; CISA advises network isolation, firewalls, and secure remote access. Because the attack path is an unauthenticated trap, any host that can send UDP packets to the iView trap listener is in scope, so restricting which sources may reach port 162 is the most direct interim control.

Schneider Electric EcoStruxure OPC UA Server DoS Advisory

🔒 CISA and Schneider Electric describe a vulnerability (CVE-2024-10085) in EcoStruxure that allows remote actors to exhaust server resources and cause denial of service by sending a large number of OPC UA requests to the server. Affected products include EcoStruxure OPC UA Server Expert versions prior to SV2.01 SP3 and EcoStruxure Modicon Communication Server (all versions). The issue has a CVSS v4 base score of 8.2 and is noted as remotely exploitable with low attack complexity. Schneider has released SV2.01 SP3 to address the OPC UA Server Expert and plans remediation for Modicon; interim mitigations and hardening guidance are provided.

Active Exploitation of Fortra GoAnywhere CVE-2025-10035

🔴 watchTowr Labs reports credible evidence that the critical unsafe deserialization flaw CVE-2025-10035 in Fortra GoAnywhere MFT was exploited in the wild as early as Sept 10, 2025, a week before public disclosure. The License Servlet vulnerability can permit unauthenticated command injection, earning a CVSS 10.0 rating. Fortra has released fixes (GoAnywhere 7.8.4 and Sustain 7.6.3); affected organizations should apply updates immediately and investigate for signs of compromise.