Multiple Vulnerabilities in Microsoft Products Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user or exploited process. Depending on the privileges associated with the user or process, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Microsoft Edge (Chromium-based)
  • Microsoft PC Manager
  • Microsoft Purview Data Governance
  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2025
  • Windows Server 2025 (Server Core installation)

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows: 

Tactic: Execution (TA0002):
Technique: User Execution: Malicious Link (T1204.001):

  • An out of bounds write in V8 for Microsoft Edge (Chromium-based) allows a remote attacker to execute code via a crafted HTML page. (CVE-2025-9132)

Technique: Exploitation for Client Execution (T1203):

  • A concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Storage allows an unauthorized attacker to execute code over a network. (CVE-2025-55231)

Details of lower-severity vulnerabilities are as follows:

  • An improper access control in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. (CVE-2025-53763)
  • An improper authorization in Microsoft PC Manager allows an unauthorized attacker to elevate privileges over a network. (CVE-2025-53795)
  • An improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network. (CVE-2025-55229)
  • An untrusted pointer dereference in Windows MBT Transport driver allows an authorized attacker to elevate privileges locally. (CVE-2025-55230)

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user or exploited process. Depending on the privileges associated with the user or process, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-9132
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53763
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53795
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55229
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55230
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55231

CVE:
https://www.cve.org/CVERecord?id=CVE-2025-9132
https://www.cve.org/CVERecord?id=CVE-2025-53763
https://www.cve.org/CVERecord?id=CVE-2025-53795
https://www.cve.org/CVERecord?id=CVE-2025-55229
https://www.cve.org/CVERecord?id=CVE-2025-55230
https://www.cve.org/CVERecord?id=CVE-2025-55231

A Vulnerability in Apple Products Could Allow for Arbitrary Code Execution – PATCH NOW

A vulnerability has been discovered in Apple products which could allow for arbitrary code execution. Successful exploitation could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

SYSTEMS AFFECTED:

  • Versions prior to iOS 18.6.2 and iPadOS 18.6.2
  • Versions prior to iPadOS 17.7.10
  • Versions prior to macOS Sonoma 14.7.8
  • Versions prior to macOS Sequoia 15.6.1
  • Versions prior to macOS Ventura 13.7.8

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in Apple products which could allow for arbitrary code execution. Details of the vulnerability are as follows:

Tactic: Execution (TA0002):

Technique: Exploitation for Client Execution (T1203):

  • An out-of-bounds write issue was addressed with improved bounds checking. Processing a malicious image file may result in memory corruption. (CVE-2025-43300)

Successful exploitation could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply the stable channel update provided by Apple to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Apple: 
https://support.apple.com/en-us/100100
https://support.apple.com/en-us/124925
https://support.apple.com/en-us/124926
https://support.apple.com/en-us/124927
https://support.apple.com/en-us/124928
https://support.apple.com/en-us/124929

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-43300

We Want Your Feedback! NIST SP 1800-43, Genomic Data Threat Modeling

The public comment period for Volumes A (Executive Summary) and C (Privacy) of NIST Special Publication (SP) 1800-43, Genomic Data Threat Modeling: An Implementation for Genomic Data Sequencing and Analysis is open through September 4, 2025.

The processing of genomic data poses significant cybersecurity and privacy challenges due to the sensitive and highly personal nature of genomic information. Unauthorized access, data breaches, or malicious tampering can disrupt business operations, compromise patient confidentiality, and undermine trust. To address these risks, this NIST publication series outlines a threat modeling approach that analyzes cybersecurity and privacy risks to system components and data transfers in representative genomic data workflows.

Note: Cybersecurity Threat Modeling for Genomic Data, previously released for public comment as NIST Cybersecurity White Paper (CSWP) 35, will be published as Volume B of this Special Publication later this year.

Provide Your Feedback

We invite you to review this publication and submit your comments by September 4, 2025. Instructions for submitting comments can be found on the NCCoE project page.

Stay Informed and Collaborate

Join the NCCoE Genomic Data Community of Interest (COI) to stay up-to-date on the project and collaborate with us.


Draft CSF 2.0 Quick-Start Guide on Emerging Cybersecurity Risks

NIST has released the initial public draft (IPD) of Special Publication (SP) 1331, Quick-Start Guide for Using CSF 2.0 to Improve the Management of Emerging Cybersecurity Risks, for public comment. The document highlights the topic of emerging cybersecurity risks and explains how organizations can improve their ability to address such risks through existing practices within the cyber risk discipline in conjunction with the NIST Cybersecurity Framework (CSF) 2.0. The guide also emphasizes the importance of integrating these practices with organizational enterprise risk management (ERM) to proactively address emerging risks before they occur. 

The comment period is open through September 21, 2025, at 11:59 PM. Please send your feedback about this draft publication to csf@nist.gov.

This publication is the most recent in a portfolio of CSF 2.0 Quick-Start Guides released since February 26, 2024. These resources provide different audiences with tailored pathways into the CSF 2.0 and make the Framework easier to put into action. View all CSF 2.0 quick-start guides here


The 2025 NY Metro Joint Cyber Security Conference 


The 2025 NY Metro Joint Cyber Security Conference is in the planning stage, celebrating our 12th year featuring keynotes, panels and sessions aimed at educating everyone on the various aspects of information security and technology. Workshops featuring in-depth extended classroom-style educational courses to expand your knowledge and foster security discussions will take place virtually post-conference.

The conference will be held October 30th, 2025, at the Borough of Manhattan Community College Tribeca Performing Arts Center – Theatre 2 – 199 Chambers St, New York, NY 10007.

The call for speakers is now open (closes August 31st, 2025).

We respectfully invite qualified members from the cybersecurity community to submit for speaking at the 2025 New York Metro Joint Cyber-Security Conference and Workshop.

We collectively started this collaboration with the mission to educate our respective populations about the cybersecurity contributions of each of our organizations – as each brings a unique but important perspective to the same set of problems.

Submission Requirements:
Our audience looks for real-world solutions to real-world problems. Sessions should have actionable take-aways or case studies of organizations that created a strategy or solved a problem. It must be objective and vendor agnostic. (No proposal related to product offerings will be considered.)

All selected speakers will receive:

  • A complimentary speaker registration to the event
  • Exposure in the conference program materials and on the conference website


NIST Guidelines Can Help Organizations Detect Face Photo Morphs, Deter Identity Fraud

Face morphing software, which can blend photos of different people’s faces into a single synthesized image, can make it easier for bad actors to bypass identity verification systems in buildings, at borders, in airports and in other settings.

Morphed photos can deceive face recognition systems into falsely identifying the image as belonging to both original individuals, allowing the first individual to assume the second person’s identity and vice versa.  

To address this issue, the National Institute of Standards and Technology (NIST) has released guidelines that can help organizations deploy and use modern detection methods designed to catch morph attacks before they succeed.


NIST Releases NIST SP 800-171, R3 Small Business Primer

NIST SP 800-171, R3,  Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems, is a set of recommended security requirements for protecting the confidentiality of CUI.

NIST has released a supplementary small business primer to SP 800-171, R3 to help smaller, under-resourced organizations better protect CUI. 

Key Highlights Include:

  • A foundational overview of SP 800-171, R3.
  • Considerations to be mindful of as organizations begin implementing the requirements in SP 800-171, R3.
  • An emphasis on the important relationship between SP 800-171 and SP 800-171A.
  • A list of frequently asked questions and their answers.
  • Key differences between SP 800-171 Revision 2 and Revision 3.
  • Tips to help those tasked with implementing SP 800-171 get started.
  • Additional resources that small businesses can put into action.
  • Concepts and language that can be used when seeking support from internal or external cybersecurity teams.

Who is it for?  

The document is separated into two sections to accommodate various audiences.

  • Pages 1-6 are designed to provide a brief overview of SP 800-171. This is designed for anyone, not just small business owners, who may need a general overview of 800-171.
  • Pages 7-27 are for those who are tasked with managing the implementation of SP 800-171, R3. It is not all-encompassing, but it does provide tips and resources to help with getting started with each of the 17 control families. This section serves as a bridge to the larger SP 800-171 publication.

This is the first part of an effort to begin breaking down components of 800-171, R3 for the small business community. Future resources will expand upon the primer’s content.


Microsoft.Source | New AI tools, code samples, and developer events.

Microsoft.Source Newsletter | Issue 74

In this issue, explore GitHub Copilot customizations, get started with Model Context Protocol (MCP), and find tools and events to support your AI development.

How Microsoft Engineers Build AI: in-depth conversations with Microsoft engineers as they build and scale AI agents. Explore real-world challenges, reusable implementation patterns, and practical strategies to apply to your own projects.

Featured

  • Tune in to Model Mondays: Join these weekly deep dives into model selection. Each session explores a specific model, tool, or technique such as MCP, AI agents, and RAG, offering practical insights on choosing the right model for your use-case.

What’s New

  • 10 Microsoft MCP servers that streamline daily dev tasks: Explore Microsoft’s top MCP servers and how each can improve developer productivity.
  • GitHub Copilot customizations repository: Share and adapt prompt templates, custom instructions, and chat configurations built by the developer community.
  • Build AI apps with Azure Database for PostgreSQL: In this four-part series, learn how to orchestrate agents, enhance search accuracy, and integrate Azure AI services using the AI capabilities of Azure Database for PostgreSQL.

Events

  • Azure Dev Summit / October 13-16 / Lisbon: Join the premier European event for developers, tech leaders, and AI experts working with Azure, .NET, and Microsoft AI. Use code MSADSCT200 for €200 off.
  • Microsoft AI Tour / Multiple cities and dates: The Microsoft AI Tour is free and coming to a city near you. Join for hands-on sessions, expert guidance, and the latest tools.
  • Let’s learn about the Model Context Protocol (MCP) series: Get started building your first MCP server with this beginner-friendly workshop, available in 8 languages and 4 code bases.
  • GitHub Universe / October 28-29 / San Francisco: Explore how AI agents, automation, and tools can bring your ideas to life through workshops, panels, and interactive product demos.
  • Europe FabCon / September 15-18 / Vienna, Austria: Be part of FabCon in Europe. Gain hands-on experience with AI-powered data and analytics tools. Plus, connect with Fabric peers and leaders.

Learning

  • Build your retrieval-augmented generation skills: Learn how to improve the accuracy, reliability, and flexibility of your AI models using retrieval-augmented generation (RAG) in this six-part video series.
  • AI Show: There’s no reason not to fine-tune: See how to fine-tune foundation models in Azure AI Foundry to optimize performance, reduce costs, or support agentic behavior.
  • Enhance your .NET MAUI apps with multimodal AI capabilities: Follow the Telepathic sample app to learn how to extract information from images and automatically generate projects and tasks.

Multiple Vulnerabilities in Commvault Backup & Recovery Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which when chained together, could allow for remote code execution. Commvault Backup & Recovery is a comprehensive data protection solution that offers a range of services for safeguarding data across various environments, including on-premises, cloud, and hybrid setups. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, escalate privileges, run arbitrary commands, and potentially drop a JSP webshell.

THREAT INTELLIGENCE:
Researchers from watchTowr Labs have posted a detailed write-up about the vulnerabilities on their website.

SYSTEMS AFFECTED:

  • Commvault versions 11.32.0 – 11.32.101 for Linux and Windows.
  • Commvault versions 11.36.0 – 11.36.59 for Linux and Windows.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which could allow for remote code execution.  Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk. (CVE-2025-57788)
  • During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured. (CVE-2025-57789)
  • A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution. (CVE-2025-57790)
  • A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low privilege role. (CVE-2025-57791)

The vulnerabilities can be exploited as part of two separate remote code execution (RCE) chains. One chain works only if the built-in admin password hasn’t been changed since installation, and relies on exploiting CVE-2025-57788 (for bypassing authentication), CVE-2025-57789 (to escalate privileges), and CVE-2025-57790 to achieve RCE. The second chain, which works against any unpatched Commvault instance, uses CVE-2025-57791 to bypass authentication and CVE-2025-57790 for RCE (by injecting a webshell).
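For patch prioritization, the affected ranges and the two chains above can be checked against an asset inventory. The following is an added example, not code from Commvault or from this advisory; the inventory records, host names, field names, and status labels are constructed assumptions.

```python
import re

# Inclusive affected ranges, as listed under SYSTEMS AFFECTED.
AFFECTED_RANGES = [((11, 32, 0), (11, 32, 101)), ((11, 36, 0), (11, 36, 59))]

# The two RCE chains described in the TECHNICAL SUMMARY.
CHAIN_ANY_UNPATCHED = ("CVE-2025-57791", "CVE-2025-57790")
CHAIN_DEFAULT_ADMIN = ("CVE-2025-57788", "CVE-2025-57789", "CVE-2025-57790")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version_text):
    """True/False for a parsable version; None when it cannot be parsed."""
    v = parse_version(version_text)
    if v is None:
        return None
    # Compare as integer tuples: as strings, "11.32.101" sorts before "11.32.59".
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(asset):
    """Return (status, applicable_chains) for one inventory record."""
    affected = is_affected(asset.get("version"))
    if affected is None:
        return ("verify-version-manually", [])
    if not affected:
        return ("outside-listed-ranges", [])
    chains = [CHAIN_ANY_UNPATCHED]
    # The default-credential chain needs the built-in admin password to be
    # unchanged since installation; treat "unknown" as unchanged.
    if asset.get("admin_password_changed") is not True:
        chains.append(CHAIN_DEFAULT_ADMIN)
    return ("patch-now", chains)


# Constructed inventory; host names and field names are assumptions.
INVENTORY = [
    {"host": "backup-01.example", "version": "11.32.101", "admin_password_changed": True},
    {"host": "backup-02.example", "version": "11.36.12", "admin_password_changed": None},
    {"host": "backup-03.example", "version": "11.36.60", "admin_password_changed": True},
    {"host": "backup-04.example", "version": "11.36", "admin_password_changed": True},
]

if __name__ == "__main__":
    for asset in INVENTORY:
        status, chains = triage(asset)
        print(asset["host"], asset["version"], status, [" + ".join(c) for c in chains])
```

A result of "outside-listed-ranges" means only that the version is not in the ranges this advisory lists; confirm the fixed release against the Commvault advisories under REFERENCES.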

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Commvault to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Commvault:
https://documentation.commvault.com/securityadvisories/CV_2025_08_1.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html

Help Net Security:
https://www.helpnetsecurity.com/2025/08/20/commvault-backup-suite-vulnerabilities-fixed/
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57791

NIST Releases Control Overlays for Securing AI Systems Concept Paper

NIST has released a concept paper and proposed action plan for developing a series of NIST SP 800-53 Control Overlays for Securing AI Systems, as well as launching a Slack channel for this community of interest.

The concept paper outlines proposed AI use cases for the control overlays to manage cybersecurity risks in the use and development of AI systems, and next steps. The use cases address generative AI, predictive AI, single and multi-agent AI systems, and controls for AI developers. NIST is interested in feedback on the concept paper and proposed action plan, and invites all interested parties to join the NIST Overlays for Securing AI (#NIST-Overlays-Securing-AI) Slack channel.

Through the Slack channel, stakeholders can contribute to the development of these overlays, get updates, engage in facilitated discussions with the NIST principal investigators and other subgroup members, and provide real-time feedback and comments. 

Learn more about the Control Overlays for AI Project, Slack space, and how to join the Slack channel at https://csrc.nist.gov/projects/cosais.
