Articles about vulnerability

Details have emerged about a now-patched flaw in Microsoft Entra ID which could have been exploited to gain access to any tenant of any company in the world.

Tracked as CVE-2025-55241, the Azure Entra Elevation of Privilege Vulnerability has a CVSS 3.1 severity rating of 10.0. The security researcher who discovered the flaw said that he had “found the most impactful Entra ID vulnerability that I will probably ever find. This vulnerability could have allowed me to compromise every Entra ID tenant in the world”.

Continue reading →

WhatsApp has addressed a serious security flaw in certain versions of its app. The vulnerability was a zero-click exploit, which the company says was being used to target specific users.

No details have been provided about those who were being targeted, so it is not clear whether they are celebrities, people linked to businesses, or something else. What is interesting, however, is the fact that it was Apple users who had been single out.

Continue reading →

Microsoft has issued a warning about a high-severity vulnerability in hybrid Microsoft Exchange Server deployments.

Tracked as CVE-2025-53786, the vulnerability could allow for privilege escalation by cyber threat actors with administrative access to an on-premise Microsoft Exchange server. Although there is not currently any indication of active exploitation, the issue is considered extremely serious and requires immediate attention.

Continue reading →

A disconnect between cybersecurity confidence and data reality is leaving organizations exposed, according to a new report released today by Axonius.

The study, based on a survey of 500 US director-level and above cybersecurity and IT leaders, reveals that while 90 percent of cybersecurity leaders say their organization is prepared to take immediate action on a vulnerability, only 25 percent trust all the data in their own security tools.

Continue reading →

New analysis from CyCognito of over two million internet-exposed assets, across on-prem, cloud, APIs, and web apps, identifies exploitable assets across several key industries, using techniques that simulate real-world attacker behavior.

Techniques used include black-box pentesting using 90,000+ exploit modules, credential stuffing simulations, data exposure detection, etc. The study also used Dynamic Application Security Testing (DAST) to identify runtime web application vulnerabilities, as well as active vulnerability scanning of internet-facing services to detect CVEs, misconfigurations, and exposed assets.

Continue reading →

A vulnerability in the Windows NTLM authentication protocol, which is known to have been actively exploited for at least a month, has been added to the US CISA’s Known Exploited Vulnerabilities Catalog.

While Microsoft deprecated NTLM last year, it remains widely used. Security researchers discovered the hash disclosure spoofing bug, and Microsoft quietly patched it in March. But the creation of a patch is one thing -- having users install it is something else. By adding the vulnerability, tracked as CVE-2025-24054, to its catalog, CISA is raising aware that action needs to be taken.

Continue reading →

Nearly every organization today builds a lot of software, and the majority of that software is developed by cobbling together open source components. When using open source and trying a software composition analysis (SCA) scanner for the first time, it is not uncommon for those organizations to be surprised at what they learn about their open source usage. Many times it quickly comes to light that they have a large load of new and unplanned work to address in the form of security issues in dependencies. They need to fix these issues not just for the organization itself but also to stay compliant with certifications such as PCI or SOC2.

That’s when these organizations begin to experience the five stages of vulnerability management.

Continue reading →

Vulnerability management is one of the most painful challenges of cybersecurity. The lack of transparency in our industry isn’t helping matters. Vendors often work behind the curtain to fix the identified security flaws without effective communication or -- if they do communicate -- with significant delays in reporting.

However, there are signs of positive steps toward this much-needed transparency. In July, for example, the Microsoft Security Response Center announced that it will start issuing Common Vulnerabilities and Exposures (CVEs) for critical cloud service vulnerabilities. There have also been moves from legislators to ensure greater rigor in reporting, such as the EU's Cyber Resilience Act, which mandates that manufacturers of all connected and IoT devices report serious cyber incidents and unpatched vulnerabilities. This is essential for building trust among vendors, businesses, and stakeholders alike. Greater resilience starts with a common understanding.

Continue reading →

A serious security vulnerability exists in Cisco Integrated Management Controller (IMC) which can be used by an attacker to elevate privileges to root.

The company has issued a warning about the vulnerability and acknowledged the availability of proof-of-concept exploit code for it. The high severity warning is accompanied by the release of patches, as well as a note that there is no workaround other than a software update.

Continue reading →

As we approach the end of the year, a new report from Detectify shows that none of the top three vulnerabilities found across all industries in 2023 were covered by a CVE.

What's more, 75 percent of the total vulnerabilities regularly scanned by Detectify, primarily crowdsourced from its community of ethical hackers, don't have a CVE assigned. This suggests that over-reliance on frameworks like the CVE program can weaken an organization's security posture and give it an unrealistic sense of security.

Continue reading →

New research shows 52 percent of the top 100 AI open source projects on GitHub reference known vulnerable open source software packages.

The report from Endor Labs explores emerging trends that software organizations need to consider as part of their security strategy, and risks associated with the use of existing open source software (OSS) in application development.

Continue reading →

A new report uncovers a worrying 25 percent increase in the total number of new vulnerabilities published in 2022.

The latest Vulnerability and Threat Trends Report from the Skybox Security Research Lab shows 25,096 new vulnerabilities published last year, representing the largest year-on-year rise seen since 2017.

Continue reading →

New research reveals that CISOs are finding it increasingly difficult to keep their software secure as hybrid and multicloud environments become more complex, and teams continue to rely on manual processes that make it easier for vulnerabilities to slip into production.

The study from Dynatrace shows 68 percent of CISOs say vulnerability management is more difficult because the complexity of their software supply chain and cloud ecosystem has increased.

Continue reading →

Proper patch management is an important component of cybersecurity hygiene. If organizations don’t apply fixes to software bugs in a timely manner, they risk exposing themselves to a variety of threats. But scrambling to fix bugs identified by the Common Vulnerabilities and Exposures (CVE) program is not a complete solution. Organizations need to be doing much more.

The CVE and CVSS programs are essential components of information security management systems (ISMS) at most organizations, but they clearly have issues. The CVE program offers a reference for publicly known vulnerabilities and exposures. CVSS provides a way to capture the main characteristics of a vulnerability and produce a numerical score that reflects its severity. Among the many challenges with these programs, CVSS is not a true indication of the risk a CVE represents to an organization. That’s because it attempts to take the environment into consideration but only has limited success doing so.

Continue reading →

Following a security disclosure by Intel way back in June of last year about vulnerabilities affecting its processors, Microsoft has issued a series of out-of-band fixes for the flaws.

In all, Intel revealed details of four data-exposing chip flaws (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127 and CVE-2022-21166) described collectively as Processor MMIO (memory-mapped I/O) Stale Data Vulnerabilities. Now Microsoft has released a total of six emergency updates for various versions of Windows 10, Windows 11 and Windows Server.

Continue reading →