< ciso
brief />
Tag Banner

All news with #vulnerability management tag

213 articles · page 8 of 11

Siemens SINEC OS Third-Party Vulnerabilities — Patch Now

🔒 Siemens has identified multiple third-party component vulnerabilities in SINEC OS versions prior to V3.3 that affect numerous RUGGEDCOM and SCALANCE industrial network devices worldwide. Siemens ProductCERT published firmware updates (V3.3+) and recommends timely upgrades; CISA republished the vendor advisory. Reported issues originate in libraries such as OpenSSL, libcurl, BusyBox, libpcap and others and include high- and critical-severity flaws (unauthenticated RCEs, buffer overflows, path traversal and improper certificate validation). Administrators should apply vendor patches, restrict network access, isolate control networks, and use secure remote access methods while performing impact analysis.
read more →

Rapid Drop in Time-to-Exploit from N-Day Vulnerabilities

🔒 Flashpoint reports that the median time between disclosure and exploitation fell 94% over five years, from 745 days in 2020 to 44 days in 2025. The vendor attributes the decline to rapid weaponization of researcher proof-of-concept code and the growing use of n-day exploits, which now represent over 80% of CVEs in its VulnDB KEV list. Attackers are combining turnkey exploits with mass-scanning tools to achieve large-scale compromise in hours. Limited asset inventories and a 'CVE blind spot' from vulnerabilities lacking CVE IDs further shrink defenders' remediation window.
read more →

FIRST Forecasts Record CVE Volume in 2026, Warns Teams

🔔 FIRST forecasts a median of approximately 59,427 new CVEs in 2026, with a 90% confidence interval from 30,012 to 117,673. Using a new statistical model built from historical records and publication trends in the NVD and MITRE, the non-profit warns 2026 could be the first year to exceed 50,000 published vulnerabilities. FIRST urges organisations to assess capacity, prioritise ruthlessly, and plan contingency scenarios to allocate resources strategically.
read more →

CVE Volumes Surge: CISOs Must Prioritize Signal Effectively

🔍 A new forecast from FIRST projects a median of roughly 59,000 CVEs in 2026 and warns that under extreme scenarios the count could approach 118,000, up from about 48,000 in 2025. Experts stress this growth reflects improved discovery and disclosure — more CNAs, bug bounties, and scrutiny of long-neglected code — rather than a sudden rise in attacker capability. Historically, only a small fraction of published CVEs are weaponized: recent data shows fewer than 3,000 had public proof-of-concept exploits and only about 700 showed evidence of exploitation in the wild. The primary challenge for CISOs is separating signal from noise through prioritization, automation, and capacity planning rather than trying to patch every disclosed flaw.
read more →

ZAST.AI Raises $6M Pre-A to End False Positives at Scale

🔒 ZAST.AI announced a $6 million Pre-A round led by Hillhouse Capital, bringing total funding close to $10 million. The startup uses an AI-driven Automated PoC Generation + Automated Validation pipeline to produce runnable Proof-of-Concepts and verify exploitable flaws, aiming for near-zero false positives. In 2025 the company reported hundreds of zero-day findings that led to 119 CVE assignments and patches across major open-source projects. The new capital will support R&D, product expansion, and international growth.
read more →

CISA Orders Federal Agencies to Remove EOS Edge Devices

🔒 The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-02 requiring federal civil executive branch agencies to decommission end-of-support (EOS) edge devices within specified timelines. Agencies must identify and remediate vulnerabilities within three months and remove EOS devices from external-facing network edges within 18 months, replacing them with vendor-supported hardware. The directive also mandates continuous discovery and inventory processes to prevent future exposure.
read more →

Anthropic's Claude Opus 4.6 Finds 500 High-Severity Bugs

🔍 Anthropic says its newly released large language model, Claude Opus 4.6, was used internally to identify zero-day vulnerabilities in open-source software. The model ran inside a virtual machine with access to current project repositories and standard analysis utilities but received no specific instructions on how to conduct hunts. Despite that, Anthropic reports the system flagged 500 high-severity vulnerabilities, and company staff are manually validating findings before reporting them to maintain accuracy.
read more →

Anthropic Claude Opus 4.6 Finds 500+ High-Severity Bugs

🔍 Anthropic's Claude Opus 4.6 has identified more than 500 previously unknown high-severity vulnerabilities across major open-source libraries, including Ghostscript, OpenSC, and CGIF. Launched this week, the model shows improved code-review and debugging capabilities and was evaluated by Anthropic's Frontier Red Team in a virtualized environment using standard developer tools. Anthropic says each flagged defect was validated and patched by maintainers, positioning the model as a defender-oriented tool to help prioritize serious memory-corruption risks while it iterates on additional safeguards to limit misuse.
read more →

Eclipse Foundation Mandates Pre-Publish Checks for Open VSX

🔒 The Eclipse Foundation will require pre-publish security checks for extensions submitted to the Open VSX Registry, moving from reactive takedowns to proactive vetting. The staged rollout uses February 2026 to monitor uploads without blocking to tune detections and reduce false positives, with enforcement beginning in March 2026. The checks aim to flag name or namespace impersonation, accidentally published credentials, and known malicious patterns, quarantining suspicious uploads for manual review.
read more →

EU GCVE Initiative Addresses CVE Dependence, Risks

🔎 The EU-hosted GCVE.eu aggregates advisories from more than 25 public sources and is operated by CIRCL with co-funding from the EU's FETTA project, aiming to reduce reliance on the US-run CVE/NVD. Experts applaud redundancy but warn that without enforced mapping, automated cross-referencing, and strong governance, parallel identifiers risk creating fragmented silos. GCVE.eu says it supports cross-referencing, distributed allocation, and open-source tooling to aid coordinated disclosure and integration.
read more →

Festo Didactic MES PC XAMPP Components: 140 Vulnerabilities

🔒 Festo Didactic SE MES PCs shipped with Windows 10 include a pre-installed copy of XAMPP that bundles Apache, PHP, MariaDB/MySQL, phpMyAdmin and other open-source components. The included XAMPP contains roughly 140 known vulnerabilities—ranging from denial-of-service and information disclosure to remote code execution and authentication weaknesses, with several CVEs scoring in the 9.x CVSS range. Festo has released a Factory Control Panel replacement; customers should contact services.didactic@festo.com to obtain the updated software and mitigation guidance and to schedule replacement.
read more →

Exposure Management: A Foundational Security Imperative

🔒 Exposure management has emerged because organizations often identify risk but cannot translate insight into timely, safe action. From the moment an exposure is discovered and is reachable, exploitable, and known, the remediation clock starts — environments change, dependencies multiply, and attackers adapt faster. Manual workflows, unclear ownership, and fear of disruption extend exposure windows, making exposure management essential to reduce attack surface and operational risk.
read more →

Prioritizing Vulnerabilities Beyond the CVSS Number

🔗 CVSS remains a useful baseline for rating technical severity, but the article argues it often misses operational context and relational risk. It introduces the unified linkage model (ULM), which evaluates vulnerabilities by how they can propagate through adjacency, inheritance and trust relationships. By mapping connections—shared libraries, CI/CD pipelines, identity systems—organizations can prioritize based on reach and downstream influence rather than score alone.
read more →

Gartner Elevates Exposure Assessment Platforms (EAPs)

🔍 Gartner's introduction of Exposure Assessment Platforms (EAPs) reframes vulnerability management toward Continuous Threat Exposure Management, prioritizing attacker reachability over raw CVE counts. The article outlines how EAPs consolidate discovery across cloud, on-prem, and identity layers, contextualize exposures by exploitability and business impact, and integrate with workflows to track remediation lifecycles. It contrasts legacy vendors with native EAP providers and highlights XM Cyber as an example of attack-graph-based modeling driving the new evaluation criteria.
read more →

Regular Cyber Risk Assessments Improve Data Security

🔍 Regular cyber risk assessments are essential for identifying vulnerabilities, prioritizing remediation, and documenting security progress for leadership. CISOs receive actionable insights about exposed data, authentication gaps, and compliance obligations (for example, GDPR and PCI DSS). Analyses show one in ten cloud datasets is broadly accessible and more than 99% of compromised accounts lacked MFA. Typical assessments take two to four hours and deliver prioritized, immediately actionable recommendations.
read more →

EU launches independent GCVE vulnerability database

🛡️ The EU-backed GCVE has launched a free, public vulnerability database at db.gcve.eu to reduce reliance on U.S.-centric CVE identifiers and strengthen European digital sovereignty. Using a decentralized GNA model and aggregating more than 25 public sources, the platform normalizes and indexes vulnerability data to allow autonomous assignment and publication of identifiers without central approval. An open API supports integration with compliance and risk tools so security teams, vendors, and researchers can track and assess reports across ecosystems.
read more →

EU Launches GCVE Vulnerability Database to Boost Sovereignty

🔐The new GCVE database at db.gcve.eu is a free, publicly accessible repository designed to simplify vulnerability reporting and management across Europe. It aggregates normalized data from more than 25 public sources and uses the GCVE Numbering Authority (GNA) model to enable decentralized assignment of identifiers. An open API allows seamless integration into compliance and risk-management tools for security teams, vendors, researchers, CSIRTs, and open-source developers.
read more →

Modernizing Vulnerability Sharing for AI Threats and Policy

🔐 The post argues that traditional vulnerability-sharing frameworks built around software flaws are inadequate for adversarial AI threats such as poisoning and inference attacks that target models and data rather than code. It recommends bridging existing cyber infrastructure — including the CVE Program, CVSS, CNAs, the NVD and CISA’s KEV Catalog — with new standards for AI artifacts like poisoned datasets and backdoored models. Palo Alto Networks supports the White House AI Action Plan and the proposed AI-ISAC to accelerate adoption, coordinate disclosure, and help operationalize AI-specific vulnerability management.
read more →

Vibe coding tools produce critical security vulnerabilities

🛡️ Tenzai's December 2025 assessment found that five popular vibe coding tools — Claude Code, OpenAI Codex, Cursor, Replit, and Devin — frequently generate insecure code when given common programming prompts. Across 15 generated applications the researchers identified 69 vulnerabilities, many low‑to‑medium but several rated high and six rated critical. The most serious flaws involved API authorization and business‑logic failures; by contrast, the tools avoided classic issues such as SQLi and XSS. Tenzai concluded human oversight, targeted testing, and embedding security into AI development workflows remain essential.
read more →

Amazon Inspector Adds Java Gradle and Expanded Coverage

🔍 Amazon Inspector now supports Java Gradle dependency inventory and vulnerability scanning for Lambda functions and ECR images, using gradle.lockfile content to build Java dependency inventories. The release also adds detection for MySQL, MariaDB, PHP, Jenkins-core, 7zip (Windows), Elasticsearch, and Curl/LibCurl. These enhancements improve detection of packages installed outside package managers, broadening coverage across languages and runtimes and helping teams reduce blind spots. The new capabilities are available today in all AWS Regions where Amazon Inspector is offered.
read more →