CISO Brief

All news with #vulnerability management tag

160 articles · page 6 of 8

Gartner Elevates Exposure Assessment Platforms (EAPs)

🔍 Gartner's introduction of Exposure Assessment Platforms (EAPs) reframes vulnerability management toward Continuous Threat Exposure Management, prioritizing attacker reachability over raw CVE counts. The article outlines how EAPs consolidate discovery across cloud, on-prem, and identity layers, contextualize exposures by exploitability and business impact, and integrate with workflows to track remediation lifecycles. It contrasts legacy vendors with native EAP providers and highlights XM Cyber as an example of attack-graph-based modeling driving the new evaluation criteria.

Regular Cyber Risk Assessments Improve Data Security

🔍 Regular cyber risk assessments are essential for identifying vulnerabilities, prioritizing remediation, and documenting security progress for leadership. CISOs receive actionable insights about exposed data, authentication gaps, and compliance obligations (for example, GDPR and PCI DSS). Analyses show one in ten cloud datasets is broadly accessible and more than 99% of compromised accounts lacked MFA. Typical assessments take two to four hours and deliver prioritized, immediately actionable recommendations.

EU launches independent GCVE vulnerability database

🛡️ The EU-backed GCVE has launched a free, public vulnerability database at db.gcve.eu to reduce reliance on U.S.-centric CVE identifiers and strengthen European digital sovereignty. Using a decentralized GNA model and aggregating more than 25 public sources, the platform normalizes and indexes vulnerability data to allow autonomous assignment and publication of identifiers without central approval. An open API supports integration with compliance and risk tools so security teams, vendors, and researchers can track and assess reports across ecosystems.

EU Launches GCVE Vulnerability Database to Boost Sovereignty

🔐 The new GCVE database at db.gcve.eu is a free, publicly accessible repository designed to simplify vulnerability reporting and management across Europe. It aggregates normalized data from more than 25 public sources and uses the GCVE Numbering Authority (GNA) model to enable decentralized assignment of identifiers. An open API allows seamless integration into compliance and risk-management tools for security teams, vendors, researchers, CSIRTs, and open-source developers.

Modernizing Vulnerability Sharing for AI Threats and Policy

🔐 The post argues that traditional vulnerability-sharing frameworks built around software flaws are inadequate for adversarial AI threats such as poisoning and inference attacks that target models and data rather than code. It recommends bridging existing cyber infrastructure — including the CVE Program, CVSS, CNAs, the NVD and CISA’s KEV Catalog — with new standards for AI artifacts like poisoned datasets and backdoored models. Palo Alto Networks supports the White House AI Action Plan and the proposed AI-ISAC to accelerate adoption, coordinate disclosure, and help operationalize AI-specific vulnerability management.

Vibe coding tools produce critical security vulnerabilities

🛡️ Tenzai's December 2025 assessment found that five popular vibe coding tools — Claude Code, OpenAI Codex, Cursor, Replit, and Devin — frequently generate insecure code when given common programming prompts. Across 15 generated applications the researchers identified 69 vulnerabilities, many low‑to‑medium but several rated high and six rated critical. The most serious flaws involved API authorization and business‑logic failures; by contrast, the tools avoided classic issues such as SQLi and XSS. Tenzai concluded human oversight, targeted testing, and embedding security into AI development workflows remain essential.

Amazon Inspector Adds Java Gradle and Expanded Coverage

🔍 Amazon Inspector now supports Java Gradle dependency inventory and vulnerability scanning for Lambda functions and ECR images, using gradle.lockfile content to build Java dependency inventories. The release also adds detection for MySQL, MariaDB, PHP, Jenkins-core, 7zip (Windows), Elasticsearch, and Curl/LibCurl. These enhancements improve detection of packages installed outside package managers, broadening coverage across languages and runtimes and helping teams reduce blind spots. The new capabilities are available today in all AWS Regions where Amazon Inspector is offered.

Trusted Open Source Report: Longtail Risk & Remediation

🔒 Chainguard’s quarterly pulse, The State of Trusted Open Source, analyzes anonymized usage and CVE data across a large customer base and catalog of container images to reveal where real production risk concentrates. The report finds Python leading the modern AI stack, while roughly half of production runs on a diverse longtail of images beyond the top 20. Importantly, 98% of remediated CVE instances occurred in that longtail, and compliance drivers like FIPS adoption materially influence image choices. Chainguard also highlights fast remediation performance, averaging under 20 hours for Critical CVEs.

MITRE Reveals 2025 CWE Top 25 Most Dangerous Software

🛡️ MITRE has published its annual CWE Top 25, ranking the most dangerous software weaknesses identified from 39,080 CVEs. Cross-site scripting (XSS) remains top, with SQL injection and cross-site request forgery following; several memory- and injection-related flaws shifted positions. New entries include classic, stack and heap buffer overflows, improper access control, authorization bypass via user-controlled keys, and resource allocation issues. Experts warn that weak credential protection and authorization failures are driving growing real-world risk in SaaS and API-driven environments.

MITRE Releases 2025 Top 25 Most Dangerous CWE Weaknesses

🔐 MITRE released the 2025 CWE Top 25 list after scoring 39,080 CVE records reported between June 1, 2024 and June 1, 2025, highlighting the most severe and prevalent software weaknesses. Cross-Site Scripting (CWE-79) remains at the top, while several flaws — including buffer overflows and missing authorization/authentication — climbed the rankings or appeared as new entries. MITRE and CISA urge organizations to adopt Secure by Design practices and integrate the list into application security testing and vulnerability management.

2025 CWE Top 25: CISA and MITRE Identify Weaknesses

🔍 The Cybersecurity and Infrastructure Security Agency (CISA), with MITRE/HSSEDI, released the 2025 CWE Top 25, highlighting the most exploited software weaknesses that enable data theft, system compromise, and service disruption. The list is designed to help developers, security teams, and procurement managers prioritize fixes and adopt Secure by Design practices. CISA urges organizations to integrate the Top 25 into vulnerability management and procurement decisions to reduce risk and downstream costs.

Tens of Millions Download Vulnerable Log4j (Log4Shell)

🛡️ Sonatype reports that 13% of Log4j downloads in 2025 — roughly 40 million of 300 million Maven Central downloads analyzed — remain vulnerable to the CVSS 10.0 Log4Shell flaw first disclosed four years ago. The vendor describes this as corrosive risk, where fixes exist but unsafe versions continue to spread because consumers don’t upgrade or transitive dependencies reintroduce bad releases. Sonatype highlights noisy SCA alerts, set-and-forget dependencies and poor selection criteria as root causes. It urges using SCA and artifact repositories to map exposure, automating upgrade PRs, enforcing repository guardrails and adopting new metrics to reduce unnecessary risk.

SecAlerts: Faster, Smarter Vulnerability Tracking Platform

🔔 SecAlerts provides a streamlined, cloud-native vulnerability notification service that maps new advisories directly to the software you run, avoiding intrusive scans or local installs. Using near-real-time sources rather than relying solely on the NVD, it reduces alert noise through configurable Stacks, Channels, and Alerts, so teams only receive actionable notifications. The platform includes a searchable Feed, visualised severity metrics, per-client properties for MSSPs, an API for integrations, and audit-ready reporting to accelerate remediation.

Vulnerability-Informed Hunting: Nexus of Risk and Intel

🔎 Vulnerability-informed hunting transforms static vulnerability scans into dynamic intelligence by enriching CVE data with asset context, exploit activity and threat feeds. The article shows how mapping vulnerabilities to adversary behaviors (for example, Log4Shell, ProxyShell and Zerologon) lets teams run focused hunts that detect exploitation or reveal telemetry gaps. It advocates a continuous loop where hunts inform detection engineering, improving logging, SIEM content and overall resilience.

Amazon RDS for MySQL: New minor versions 8.0.44 & 8.4.7

🔔 Amazon RDS for MySQL now supports MySQL minor versions 8.0.44 and 8.4.7, matching the latest community releases. Amazon recommends upgrading to these minors to remediate known security vulnerabilities and to benefit from bug fixes, performance improvements, and new functionality. You can enable automatic minor version upgrades during scheduled maintenance or use Amazon RDS Managed Blue/Green deployments for safer, faster updates. Consult the Amazon RDS user guide for upgrade procedures and regional availability.

Amazon Aurora MySQL v3.11 Adds MySQL 8.0.43 Support

🆕 Amazon is releasing Aurora MySQL-Compatible Edition 3 updated to v3.11 with support for MySQL 8.0.43. The update delivers multiple security enhancements and bug fixes, addresses additional group replication errors, and introduces the mysql client commands option to enable or disable most client commands. You can upgrade manually by modifying a DB cluster or enable the Auto minor version upgrade option; the release is available in all AWS regions where Aurora MySQL is offered.

Android Memory Bugs Drop as Google Expands Rust Use

🛡️ Google reports that adopting Rust across Android has reduced memory-safety vulnerabilities to under 20% for the first time and claims a 1000x lower vulnerability density versus legacy C and C++ code. The company says Rust changes have a 4x lower rollback rate, require about 20% fewer revisions, and cut code review time by roughly 25%, improving overall delivery speed. Google plans to extend Rust to kernel, firmware and critical first-party apps while maintaining layered defenses.

Widespread Outdated and Unmanaged Devices Threaten Networks

🔒 Palo Alto Networks found that 26% of Linux systems and 8% of Windows systems are running outdated versions across telemetry from 27 million devices spanning 1,800 companies. The analysis also shows 39% of devices lack active endpoint protection and roughly one-third of devices operate outside IT control. Poor segmentation and unmanaged edge devices increase the risk of undetected compromise.

Machine-Speed Security: Patching Faster Than Attacks

⚡ Attackers are weaponizing many newly disclosed CVEs within hours, forcing defenders to close the gap by moving beyond manual triage to automated remediation. Drawing on 2025 industry reports and CISA and Mandiant observations, the article notes roughly 50–61% of new vulnerabilities see exploit code within 48 hours. It urges adoption of policy-driven automation, controlled rollback, and streamlined change processes to shorten exposure windows while preserving operational stability.

From Vulnerability Management to Exposure Platform

🛡️ CrowdStrike argues legacy vulnerability management cannot keep pace with AI-accelerated adversaries. Their Falcon Exposure Management platform leverages a single lightweight sensor to deliver continuous, native visibility across endpoints, cloud, and network assets. It pairs adversary-aware risk prioritization with agentic automation and Charlotte Agentic SOAR to reduce manual triage and remediate high-risk exposures quickly. The emphasis is on speeding effective action, cutting tool sprawl, and focusing teams on the small subset of issues that drive most breach risk.