All news with #vulnerability management tag

Third-Party Patching: Securing the Common Business Footprint

🔒 Third-party utilities — PDF readers, archives, email clients, browsers, and remote-access tools — form a predictable business footprint attackers favor because of their ubiquity and users' routine behavior. These background applications often drift unpatched across endpoints, creating high-probability targets that scale across organizations. Continuous visibility and consistent third-party patching are presented as practical levers to reduce real-world exploit risk. Organizations should inventory required tools, remove unused defaults, and prioritize remediation to shrink the exposure window.
UK Vulnerability Monitoring Service Cuts Fix Times

🔒 The UK government says its new Vulnerability Monitoring Service (VMS) has cut the backlog of critical vulnerabilities by 75% and reduced average fix times for serious public-sector website DNS issues from nearly two months to eight days. Operated by the Department for Science, Innovation and Technology (DSIT), the service continuously scans around 6,000 public sector bodies and provides targeted, practical remediation guidance and progress tracking. The update was published on 26 February.
87% of Orgs Have Exploitable Vulnerabilities in Prod

🔍 A new Datadog State of DevSecOps report finds 87% of organizations run at least one exploitable software vulnerability in production, affecting roughly 40% of services. Vulnerabilities are most prevalent in Java (59%), .NET (47%) and Rust (40%). After accounting for runtime and contextual factors, only 18% of critical dependency CVEs remain critical, with .NET seeing a 98% downgrade rate. The report urges contextual prioritization to reduce alert noise and operator burnout.
App Exploits Surge as AI Accelerates Vulnerability Use

⚠️ IBM X-Force warns of a 44% increase in attacks exploiting public-facing applications in 2025, driven by missing authentication controls and AI-enabled vulnerability scanning. Vulnerability exploitation accounted for 40% of incidents, while ransomware and extortion groups grew 49% year over year. The report highlights that AI is speeding up reconnaissance and exploitation and that supply chain compromises have nearly quadrupled since 2020.
Record Highs in Industrial Control System Vulnerabilities

🔒 Forescout's new report finds that 2025 saw a record 508 ICS advisories covering 2,155 CVEs and a notable rise in vulnerability severity. The average CVSS for advisories rose to above 8.0 in 2024–2025, with the most affected assets including Purdue Level 1 field controllers, Level 3 operational systems and control-level devices. The vendor warns that reduced CISA advisory coverage and many untracked vulnerabilities increase OT/ICS risk and calls for greater vendor accountability and industry collaboration.
CISA Adds Four Vulnerabilities to Known Exploited Catalog

⚠ CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions are CVE-2008-0015 (Microsoft Windows Video ActiveX remote code execution), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar unrestricted upload of dangerous files), and CVE-2026-2441 (Google Chromium CSS use-after-free). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by the due date, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
NCSC Urges SMEs to Use Cyber Essentials as Threats Rise

🔐 The NCSC's CEO Richard Horne has warned that small and medium-sized enterprises (SMEs) wrongly assume they are not attractive to cybercriminals and are failing to take basic protective measures. He stressed that attackers seek opportunity and weaknesses rather than high-profile brands, and urged businesses to adopt Cyber Essentials. The scheme focuses on five core controls — secure configuration, user access control, malware protection, security update management and firewalls — to reduce the risk of common attacks. Horne warned that leaving these protections undone is comparable to operating without physical security or insurance and called on SMEs to act immediately as the NCSC reports rising incidents and risks to critical infrastructure.
Siemens SINEC OS Third-Party Vulnerabilities — Patch Now

🔒 Siemens has identified multiple third-party component vulnerabilities in SINEC OS versions prior to V3.3 that affect numerous RUGGEDCOM and SCALANCE industrial network devices worldwide. Siemens ProductCERT published firmware updates (V3.3+) and recommends timely upgrades; CISA republished the vendor advisory. Reported issues originate in libraries such as OpenSSL, libcurl, BusyBox, libpcap and others and include high- and critical-severity flaws (unauthenticated RCEs, buffer overflows, path traversal and improper certificate validation). Administrators should apply vendor patches, restrict network access, isolate control networks, and use secure remote access methods while performing impact analysis.
Rapid Drop in Time-to-Exploit from N-Day Vulnerabilities

🔒 Flashpoint reports that the median time between disclosure and exploitation fell 94% over five years, from 745 days in 2020 to 44 days in 2025. The vendor attributes the decline to rapid weaponization of researcher proof-of-concept code and the growing use of n-day exploits, which now represent over 80% of CVEs in its VulnDB KEV list. Attackers are combining turnkey exploits with mass-scanning tools to achieve large-scale compromise in hours. Limited asset inventories and a 'CVE blind spot' from vulnerabilities lacking CVE IDs further shrink defenders' remediation window.
FIRST Forecasts Record CVE Volume in 2026, Warns Teams

🔔 FIRST forecasts a median of approximately 59,427 new CVEs in 2026, with a 90% confidence interval from 30,012 to 117,673. Using a new statistical model built from historical records and publication trends in the NVD and MITRE, the non-profit warns 2026 could be the first year to exceed 50,000 published vulnerabilities. FIRST urges organisations to assess capacity, prioritise ruthlessly, and plan contingency scenarios to allocate resources strategically.
CVE Volumes Surge: CISOs Must Prioritize Signal Effectively

🔍 A new forecast from FIRST projects a median of roughly 59,000 CVEs in 2026 and warns that under extreme scenarios the count could approach 118,000, up from about 48,000 in 2025. Experts stress this growth reflects improved discovery and disclosure — more CNAs, bug bounties, and scrutiny of long-neglected code — rather than a sudden rise in attacker capability. Historically, only a small fraction of published CVEs are weaponized: recent data shows fewer than 3,000 had public proof-of-concept exploits and only about 700 showed evidence of exploitation in the wild. The primary challenge for CISOs is separating signal from noise through prioritization, automation, and capacity planning rather than trying to patch every disclosed flaw.
ZAST.AI Raises $6M Pre-A to End False Positives at Scale

🔒 ZAST.AI announced a $6 million Pre-A round led by Hillhouse Capital, bringing total funding close to $10 million. The startup uses an AI-driven Automated PoC Generation + Automated Validation pipeline to produce runnable Proof-of-Concepts and verify exploitable flaws, aiming for near-zero false positives. In 2025 the company reported hundreds of zero-day findings that led to 119 CVE assignments and patches across major open-source projects. The new capital will support R&D, product expansion, and international growth.
CISA Orders Federal Agencies to Remove EOS Edge Devices

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02 requiring Federal Civilian Executive Branch agencies to decommission end-of-support (EOS) edge devices within specified timelines. Agencies must identify and remediate vulnerabilities within three months and remove EOS devices from external-facing network edges within 18 months, replacing them with vendor-supported hardware. The directive also mandates continuous discovery and inventory processes to prevent future exposure.
Anthropic's Claude Opus 4.6 Finds 500 High-Severity Bugs

🔍 Anthropic says its newly released large language model, Claude Opus 4.6, was used internally to identify zero-day vulnerabilities in open-source software. The model ran inside a virtual machine with access to current project repositories and standard analysis utilities but received no specific instructions on how to conduct hunts. Despite that, Anthropic reports the system flagged 500 high-severity vulnerabilities, and company staff are manually validating findings before reporting them to maintain accuracy.
Anthropic Claude Opus 4.6 Finds 500+ High-Severity Bugs

🔍 Anthropic's Claude Opus 4.6 has identified more than 500 previously unknown high-severity vulnerabilities across major open-source libraries, including Ghostscript, OpenSC, and CGIF. Launched this week, the model shows improved code-review and debugging capabilities and was evaluated by Anthropic's Frontier Red Team in a virtualized environment using standard developer tools. Anthropic says each flagged defect was validated and patched by maintainers, positioning the model as a defender-oriented tool to help prioritize serious memory-corruption risks while it iterates on additional safeguards to limit misuse.
Eclipse Foundation Mandates Pre-Publish Checks for Open VSX

🔒 The Eclipse Foundation will require pre-publish security checks for extensions submitted to the Open VSX Registry, moving from reactive takedowns to proactive vetting. The rollout is staged: during February 2026 uploads are monitored but not blocked, so detections can be tuned and false positives reduced, and enforcement begins in March 2026. The checks aim to flag name or namespace impersonation, accidentally published credentials, and known malicious patterns, quarantining suspicious uploads for manual review.
EU GCVE Initiative Addresses CVE Dependence, Risks

🔎 The EU-hosted GCVE.eu aggregates advisories from more than 25 public sources and is operated by CIRCL with co-funding from the EU's FETTA project, aiming to reduce reliance on the US-run CVE/NVD. Experts applaud redundancy but warn that without enforced mapping, automated cross-referencing, and strong governance, parallel identifiers risk creating fragmented silos. GCVE.eu says it supports cross-referencing, distributed allocation, and open-source tooling to aid coordinated disclosure and integration.
Festo Didactic MES PC XAMPP Components: 140 Vulnerabilities

🔒 Festo Didactic SE MES PCs shipped with Windows 10 include a pre-installed copy of XAMPP that bundles Apache, PHP, MariaDB/MySQL, phpMyAdmin and other open-source components. The included XAMPP contains roughly 140 known vulnerabilities—ranging from denial-of-service and information disclosure to remote code execution and authentication weaknesses, with several CVEs scoring in the 9.x CVSS range. Festo has released a Factory Control Panel replacement; customers should contact services.didactic@festo.com to obtain the updated software and mitigation guidance and to schedule replacement.
Exposure Management: A Foundational Security Imperative

🔒 Exposure management has emerged because organizations often identify risk but cannot translate insight into timely, safe action. From the moment an exposure is discovered and is reachable, exploitable, and known, the remediation clock starts — environments change, dependencies multiply, and attackers adapt faster. Manual workflows, unclear ownership, and fear of disruption extend exposure windows, making exposure management essential to reduce attack surface and operational risk.
Prioritizing Vulnerabilities Beyond the CVSS Number

🔗 CVSS remains a useful baseline for rating technical severity, but the article argues it often misses operational context and relational risk. It introduces the unified linkage model (ULM), which evaluates vulnerabilities by how they can propagate through adjacency, inheritance and trust relationships. By mapping connections—shared libraries, CI/CD pipelines, identity systems—organizations can prioritize based on reach and downstream influence rather than score alone.