< ciso
brief />
Tag Banner

All news with #vulnerability management tag

213 articles · page 7 of 11

AI and Automation Accelerate Exploitation in 2025

🔍 Rapid7's 2026 Global Threat Landscape Report finds AI and automation compressed the window between vulnerability disclosure and exploitation in 2025, turning what once unfolded over weeks into days or even minutes. The median time to inclusion on CISA's Known Exploited Vulnerabilities catalog fell from 8.5 days to five, and the mean dropped from 61 to 28.5 days. Confirmed exploitation of CVSS 7–10 flaws rose 105% YoY to 146 incidents, with deserialization, authentication bypass and memory corruption among the most targeted issues. Rapid7 urges CISOs to adopt pre-emptive security that reduces attack surface, prioritizes material risk and improves contextual detection and response.
read more →

AWS Security Agent Adds Customizable Penetration Reports

🔒 AWS Security Agent now lets users generate and download customizable penetration testing reports in PDF format. Reports include an executive summary, test scope and methodology, task details, and comprehensive findings with vulnerability data and risk assessments. Users can filter outputs by risk and confidence levels, finding and task status, and risk types to tailor reports for executives, engineers, or auditors. The capability is intended to accelerate on-demand pentesting from weeks to hours and simplify cross-team review and sharing.
read more →

Google and Industry Pledge $12.5M for Open Source Security

🔒Google and industry partners are committing $12.5 million through the Linux Foundation's Alpha-Omega Project and OpenSSF to strengthen open source security for the AI era. The funding targets maintainer support, moving beyond vulnerability discovery to accelerated deployment of fixes and equipping projects with advanced AI-driven tooling to triage and remediate AI-generated findings. Google highlights internal tools such as Big Sleep and CodeMender, and research like Sec-Gemini, as examples of AI that can autonomously find and fix deep vulnerabilities.
read more →

What Boards Must Demand in the Age of AI Exploitation

⚠️ Boards and executive teams can no longer treat large vulnerability backlogs as a tolerable nuisance: agentic AI has collapsed attackers’ cost and speed of exploitation. Security leaders must present operational truth — not just compliance metrics — about current High and Critical findings, remediation timelines, and exposure costs. Boards should demand measurable remediation programs and a plan to reduce vulnerability accrual at the source. Regulation such as CRA and DORA raise legal and financial stakes, and 'patch faster' is not a complete answer when emergency fixes risk production outages.
read more →

Cloud Threat Horizons: Emerging Cloud Exploitation Risk

⚠️ The Cloud Threat Horizons report from Google Cloud's Office of the CISO warns that AI-assisted exploitation has compressed the window from vulnerability disclosure to active attacks from weeks to days. In H2 2025, third-party software flaws became the leading initial access vector, surpassing weak credentials. The report urges automated defenses, identity-based controls, and tamper-resistant logging to improve forensic readiness.
read more →

Cloud Attackers Favor Exploits Over Credential Theft

🔐 Google Cloud's H1 2026 Threat Horizons Report finds that in the second half of 2025 threat actors shifted from credential-based access to exploiting unpatched third-party software. Third-party software entry rose to 44.5% of primary vectors (up from 2.9%), while credential abuse declined to 27.2%. Google highlights React2Shell (CVE-2025-55182) as a heavily exploited RCE and recommends automated defenses, stronger identity controls and WAF protections to mitigate rapid post-disclosure attacks.
read more →

Reducing Internet Exposure to Avoid Zero-Day Scrambles

🛡️ The window to respond to critical vulnerabilities is collapsing: disclosure-to-exploit can be as short as 24–48 hours today and is projected to shrink to minutes by 2028. Many organizations unknowingly expose unnecessary internet-facing services, turning unpatched systems into immediate attack opportunities. Intruder’s Head of Security recommends deliberate attack surface reduction through robust asset discovery, treating exposure as its own risk category, and continuous monitoring to prevent frantic, last-minute remediation.
read more →

Replacing Annual Pen Tests with Continuous Automation

🔁 I replaced annual manual penetration tests with continuous automated platforms to gain immediate, repeatable validation and rapid retesting. Platforms like Pentera and Horizon3.ai’s NodeZero simulated black‑box, grey‑box, and custom scenarios on a fortnightly cadence, increasing testing from a single yearly engagement to at least 38 automated simulations annually. This change improved ROI, shifted prioritization from CVSS severity to real attack paths, exposed misconfigurations and ineffective controls, and accelerated team learning and SOC validation.
read more →

OpenAI's Codex Security Flags 11,000+ High-Risk Bugs

🔍 OpenAI's Codex Security AppSec agent flagged over 11,000 high-severity and critical flaws during a 30-day research test, including about 800 critical issues across more than 1.2 million scanned commits. Built to act like a security researcher rather than a static scanner, it maps attack paths, verifies exploitability in sandboxes, and proposes fixes as easy-to-accept patches. Early access partners such as Netgear reported improved review workflows, and OpenAI has already coordinated fixes and CVEs for multiple open-source projects.
read more →

OpenAI Launches Codex Security to Scan Codebases at Scale

🔒OpenAI on Friday began rolling out Codex Security, an AI-powered security agent that finds, validates, and proposes fixes for vulnerabilities. The feature is available in a research preview to ChatGPT Pro, Enterprise, Business, and Edu customers via the Codex web and will be free for the next month. During its beta, the agent scanned more than 1.2 million commits, identifying 792 critical and 10,561 high-severity findings across multiple open-source projects. OpenAI says the offering combines frontier-model reasoning with automated validation to reduce false positives and deliver actionable fixes.
read more →

Patch, Track, Repeat: 2025 CVE Retrospective Summary

📌 Cisco Talos' 2025 retrospective finds 48,196 CVEs (≈132 per day) and highlights persistent root causes—XSS, SQL injection, and insecure deserialization—responsible for roughly 10,000 vulnerabilities. Known Exploited Vulnerabilities rose ~30% to 241, with many affecting network devices and an expanded vendor set of 99, underscoring patching and supply-chain visibility challenges. The author stresses prioritized patch management, accurate asset inventories, and compensating controls (microsegmentation, network isolation, enhanced monitoring) for unpatchable systems, and also notes a near-doubling of AI-related CVEs.
read more →

UK VMS Cuts Remediation Time for Public Websites by Half

🔒 The UK’s new vulnerability monitoring service (VMS) continuously scans more than 6,000 public bodies, detecting around 1,000 vulnerability types and processing roughly 400 confirmed findings a month. The service reduced median remediation for general vulnerabilities from 53 to 32 days and cut DNS fix times from 50 to eight days. VMS provides specific, actionable guidance and tracks issues until closure, while the government pairs the platform with a £210m Cyber Action Plan and a new Cyber Profession to address skills gaps.
read more →

Beyond CVSS: Smarter Vulnerability Prioritization Strategies

🔍 For years organizations have relied on CVSS scores as the default measure of vulnerability severity, but severity does not equal operational risk. High CVSS numbers can misdirect remediation efforts while lower-scored but actively exploited flaws pose greater danger. KEV lists are useful yet inherently reactive; effective prioritization demands multi-source threat intelligence and real-time exploitation telemetry to focus fixes where they reduce true risk.
read more →

Third-Party Patching: Securing the Common Business Footprint

🔒 Third-party utilities — PDF readers, archives, email clients, browsers, and remote-access tools — form a predictable business footprint attackers favor because of their ubiquity and users' routine behavior. These background applications often drift unpatched across endpoints, creating high-probability targets that scale across organizations. Continuous visibility and consistent third-party patching are presented as practical levers to reduce real-world exploit risk. Organizations should inventory required tools, remove unused defaults, and prioritize remediation to shrink the exposure window.
read more →

UK Vulnerability Monitoring Service Cuts Fix Times

🔒 The UK government says its new Vulnerability Monitoring Service (VMS) has cut the backlog of critical vulnerabilities by 75% and reduced average fix times for serious public-sector website DNS issues from nearly two months to eight days. Operated by the Department for Science, Innovation and Technology (DSIT), the service continuously scans around 6,000 public sector bodies and provides targeted, practical remediation guidance and progress tracking. The update was published on 26 February.
read more →

87% of Orgs Have Exploitable Vulnerabilities in Prod

🔍 A new DataDog State of DevSecOps report finds 87% of organizations run at least one exploitable software vulnerability in production, affecting roughly 40% of services. Vulnerabilities are most prevalent in Java (59%), .NET (47%) and Rust (40%). After accounting for runtime and contextual factors, only 18% of critical dependency CVEs remain critical, with .NET seeing a 98% downgrade rate. The report urges contextual prioritization to reduce alert noise and operator burnout.
read more →

App Exploits Surge as AI Accelerates Vulnerability Use

⚠️ IBM X-Force warns of a 44% increase in attacks exploiting public-facing applications in 2025, driven by missing authentication controls and AI-enabled vulnerability scanning. Vulnerability exploitation accounted for 40% of incidents, while ransomware and extortion groups grew 49% year over year. The report highlights AI is speeding reconnaissance and exploitation and that supply chain compromises have nearly quadrupled since 2020.
read more →

Record Highs in Industrial Control System Vulnerabilities

🔒 Forescout's new report finds that 2025 saw a record 508 ICS advisories covering 2,155 CVEs and a notable rise in vulnerability severity. The average CVSS for advisories rose to above 8.0 in 2024–2025, with the most affected assets including Purdue Level 1 field controllers, Level 3 operational systems and control-level devices. The vendor warns that reduced CISA advisory coverage and many untracked vulnerabilities increase OT/ICS risk and calls for greater vendor accountability and industry collaboration.
read more →

CISA Adds Four Vulnerabilities to Known Exploited Catalog

⚠ CISA has added four vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation. The additions are CVE-2008-0015 (Microsoft Windows Video ActiveX remote code execution), CVE-2020-7796 (Synacor Zimbra SSRF), CVE-2024-7694 (TeamT5 ThreatSonar unrestricted upload of dangerous files), and CVE-2026-2441 (Google Chromium CSS use-after-free). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate KEV entries by the due date, and CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

NCSC Urges SMEs to Use Cyber Essentials as Threats Rise

🔐 The NCSC's CEO Richard Horne has warned that small and medium-sized enterprises (SMEs) wrongly assume they are not attractive to cybercriminals and are failing to take basic protective measures. He stressed that attackers seek opportunity and weaknesses rather than high-profile brands, and urged businesses to adopt Cyber Essentials. The scheme focuses on five core controls — secure configuration, user access control, malware protection, security update management and firewalls — to reduce the risk of common attacks. Horne warned that leaving these protections undone is comparable to operating without physical security or insurance and called on SMEs to act immediately as the NCSC reports rising incidents and risks to critical infrastructure.
read more →