Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals. NOTE: If you already receive cybersecurity advisories direct from the MS-ISAC, please let us know by responding to this email.
A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of the vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6554 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 
Systems Affected
  • Chrome prior to 138.0.7204.96/.97 for Windows
  • Chrome prior to 138.0.7204.92/.93 for Mac
  • Chrome prior to 138.0.7204.92 for Linux
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
  • Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Restrict execution of code to a virtual environment on or in transit to an endpoint system.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
Reference
Google:
https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html 

Draft SP 800-53 Controls on Secure and Reliable Patches Available for Comment

NIST has issued draft updates to Special Publication (SP) 800-53 to provide additional guidance on how to securely and reliably deploy patches and updates in response to the Executive Order 14306, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694 and Executive Order 14144. A two-week expedited public comment period on the draft updates is open through August 5, 2025. 

NIST proposes an update to an existing control enhancement, two new control enhancements, six updates to existing control/control enhancement discussions, and updates to related controls for the new control enhancements. The updates address software resiliency, developer testing, secure logging, least privilege for functions and tools, deployment management of updates, software integrity and validation, delineation of roles and responsibilities between organizations and developers, and root cause analysis and improvement.

The NIST SP 800-53 Public Comment Site provides an online tool for quickly reviewing the proposed updates, providing real-time comments, and viewing the unattributed comments of other users. Suggestions for new controls and edits to existing controls can also be submitted at any time. This tool allows NIST to maintain its open and transparent comment process while promoting a more agile and efficient delivery approach. Only changed or new controls are being issued as drafts for public comment, enabling more efficient comment participation and adjudication. NIST plans to issue the finalized updates to NIST SP 800-53 as a dataset through the Cybersecurity and Privacy Reference Tool.

Following the completion of the comment period, NIST will review and adjudicate comments. NIST SP 800-53 Release 5.2.0 will be issued on or before September 2, 2025, as an online dataset on the Cybersecurity and Privacy Reference Tool.

Questions on the NIST SP 800-53 Public Comment Site and draft SP 800-53 controls can be directed to 800-53comments@list.nist.gov.


Multiple Vulnerabilities in Microsoft SharePoint Server Could Allow for Remote Code Execution – PATCH NOW

Multiple Vulnerabilities have been discovered in Microsoft SharePoint Server, which could allow for remote code execution. Microsoft SharePoint Server is a web-based collaborative platform that integrates with Microsoft Office. Successful exploitation of these vulnerabilities allows for unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

THREAT INTELLIGENCE:
CISA is aware of active exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

SYSTEMS AFFECTED:

  • Microsoft SharePoint Server Subscription Edition prior to security update KB5002768.
  • Microsoft SharePoint Server 2019 Core prior to security update KB5002754.
  • Microsoft SharePoint Server 2019 Language Pack prior to security update KB5002753.
  • Microsoft SharePoint Enterprise Server 2016 prior to security update KB5002760.
  • Microsoft SharePoint Enterprise Server 2016 Language Pack prior to security update KB5002759.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Microsoft SharePoint Server, which could allow for remote code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. (CVE-2025-53770)
  • Improper limitation of a pathname to a restricted directory (path traversal) in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. (CVE-2025-53771)
    • These vulnerabilities are evolutions of previously patched flaws (CVE-2025-49704 and CVE-2025-49706), for which initial vendor-provided remediation was incomplete, enabling attackers to achieve unauthenticated RCE attacks through advanced deserialization techniques and ViewState abuse. Patches addressing these vulnerabilities were released by Microsoft on July 20. 

Successful exploitation of these vulnerabilities allows for unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. 
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. 
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. 
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. 
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Microsoft:

https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770

CISA:

https://www.cisa.gov/news-events/alerts/2025/07/20/microsoft-releases-guidance-exploitation-sharepoint-vulnerability-cve-2025-53770

Trend Micro:

https://www.trendmicro.com/en_us/research/25/g/cve-2025-53770-and-cve-2025-53771-sharepoint-attacks.html

Unit42:

https://unit42.paloaltonetworks.com/microsoft-sharepoint-cve-2025-49704-cve-2025-49706-cve-2025-53770

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53770

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53771

Joint Advisory Issued on Protecting Against Interlock Ransomware

CISA, in partnership with the Federal Bureau of Investigation (FBI), the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center issued a joint Cybersecurity Advisory to help protect businesses and critical infrastructure organizations in North America and Europe against Interlock ransomware.  

This advisory highlights known Interlock ransomware indicators of compromise and tactics, techniques, and procedures identified through recent FBI investigations.  

Actions organizations can take today to mitigate Interlock ransomware threat activity include:  

  • Preventing initial access by implementing domain name system filtering and web access firewalls and training users to spot social engineering attempts.  
  • Mitigating known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.  
  • Segmenting networks to restrict lateral movement from initial infected devices and other devices in the same organization.  
  • Implementing identity, credential, and access management policies across the organization and then requiring multifactor authentication for all services to the extent possible.  

The #StopRansomware Interlock joint Cybersecurity Advisory is part of an ongoing effort to publish guidance for network defenders that detail various ransomware variants and ransomware threat actors. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. 

Sneaky Log Phishing-as-a-Service

“Sneaky Log” is a sophisticated cybercrime group that emerged in late 2024, operating a Phishing-as-a-Service (PhaaS) kit called “Sneaky 2FA” which is designed to bypass two-factor authentication (2FA), also known as multi-factor authentication (MFA). This kit generates highly realistic phishing webpages, often pre-populated with the victim’s email address. It harvests Microsoft 365 session cookies to circumvent MFA, allowing attackers to authenticate directly to services. “Sneaky 2FA” also employs advanced evasion techniques like blurring login backgrounds and distinguishing between human users and bots to avoid detection and analysis. Offered on a monthly subscription basis for around $200 via Telegram, “Sneaky 2FA” highlights the ongoing struggle between cyber defenders and evolving threat tactics.
The NJCCIC detected a new variant of Sneaky Log in which the message contains a URL that leads to a password-protected PDF file hosted on Adobe[.]com or Google Drive. In one campaign, threat actors use compromised accounts to send a “Kindly review the document” themed message that also contains the password for viewing the document on an Adobe[.]com webpage.
Once the intended victim clicks the link and enters their password, they are presented with a “Review Document” link impersonating a PDF file. If the intended victim clicks this link, they are redirected to a website hosting the “Sneaky 2FA” kit.
The kit uses a Cloudflare Turnstile, IP filtering, and anti-debugging to evade bot sandboxing and analysis.
If the kit detects bot sandboxing or analyst activity, it redirects to a benign site (e.g., Wikipedia) or shows other harmless content.
If the kit determines the activity is a potential victim, it proceeds to the next stage and displays a fake Microsoft sign-in screen.
If the victim enters their credentials, the kit performs credential and session cookie harvesting (Adversary-in-the-Middle, AiTM) by:

  • Intercepting the victim’s credentials.
  • Forwarding the credentials to the legitimate Microsoft 365 login page.
  • Intercepting the response from the legitimate service, including MFA prompts.
  • If MFA is required, presenting the MFA prompt to the victim and intercepting the MFA code.
  • Using the MFA code to complete the authentication process and then harvesting the session cookies issued by the legitimate service after successful authentication. This step allows the attacker to replay the session to gain access to the victim’s account without needing to enter the victim’s password or MFA again.
After successfully collecting the session cookies, the kit will often redirect the victim to a legitimate page (e.g., their actual Microsoft 365 dashboard or a generic website) to avoid suspicion.
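The replay step in the flow above is what defenders can look for in sign-in telemetry: the session cookie is issued to the phishing infrastructure that completed MFA and then used from the attacker's own client. As an added illustration that is not part of the NJCCIC or MS-ISAC advisory, the Python below flags a session token used from a different network and browser than the one that completed MFA. The event fields, addresses, ASNs and user agents are constructed; real Microsoft 365 / Entra ID sign-in logs use different field names and would need mapping first.

```python
"""Detect session-token reuse consistent with AiTM session-cookie replay.

Added illustration, not part of the advisory. Assumes a simplified sign-in
event record (fields below); real tenant logs need mapping onto it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignInEvent:
    ts: datetime
    user: str
    session_id: str      # correlation id shared by the MFA sign-in and later token use
    ip: str
    asn: str             # autonomous system of the client IP
    user_agent: str
    mfa_satisfied: bool  # True on the event that completed MFA, i.e. token issuance


@dataclass
class Finding:
    user: str
    session_id: str
    issued_from: str     # IP that completed MFA and received the session cookie
    reused_from: str     # IP that later presented the same session
    minutes_after: float
    reasons: list[str]
    confidence: str      # "high" when both network and browser changed


def detect_session_replay(events, window=timedelta(hours=24)):
    """Compare each session's MFA-completing sign-in with later uses of the
    same session inside `window`. In the AiTM flow the attacker completes MFA
    from the phishing host and replays the cookie from a different client, so
    the token shows up from another network and browser soon after issuance."""
    by_session = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_session.setdefault(ev.session_id, []).append(ev)

    findings = []
    for session_id, evs in by_session.items():
        # Baseline is the first event where MFA was satisfied (token issued).
        issuance = next((e for e in evs if e.mfa_satisfied), None)
        if issuance is None:
            continue  # no MFA-backed issuance seen; nothing to compare against
        for later in evs:
            if later.ts <= issuance.ts or later.ts - issuance.ts > window:
                continue
            reasons = []
            if later.asn != issuance.asn:
                reasons.append("asn_changed")
            if later.user_agent != issuance.user_agent:
                reasons.append("user_agent_changed")
            if not reasons:
                continue
            # A lone ASN change is common for roaming users; a changed browser
            # fingerprint on top of it is the higher-confidence replay signal.
            confidence = "high" if len(reasons) == 2 else "medium"
            findings.append(Finding(
                user=later.user,
                session_id=session_id,
                issued_from=issuance.ip,
                reused_from=later.ip,
                minutes_after=(later.ts - issuance.ts).total_seconds() / 60,
                reasons=reasons,
                confidence=confidence,
            ))
    return findings


# Constructed sample events (RFC 5737 documentation addresses, made-up ASNs).
_T0 = datetime(2025, 7, 22, 9, 0)
_WIN_CHROME = "Mozilla/5.0 (Windows NT 10.0) Chrome/138"
_LINUX_CHROME = "Mozilla/5.0 (X11; Linux x86_64) Chrome/125"
_MAC_SAFARI = "Mozilla/5.0 (Macintosh) Safari/605"
SAMPLE_EVENTS = [
    # alice completes MFA from the corporate network; seven minutes later the
    # same session is presented from another network and a different browser.
    SignInEvent(_T0, "alice@example.com", "s1", "203.0.113.10", "AS64500", _WIN_CHROME, True),
    SignInEvent(_T0 + timedelta(minutes=7), "alice@example.com", "s1", "198.51.100.7", "AS64501", _LINUX_CHROME, False),
    # The same session seen again two days later: outside the window, ignored.
    SignInEvent(_T0 + timedelta(days=2), "alice@example.com", "s1", "198.51.100.7", "AS64501", _LINUX_CHROME, False),
    # bob: ordinary continued use from the same network and browser.
    SignInEvent(_T0, "bob@example.com", "s2", "203.0.113.22", "AS64500", _MAC_SAFARI, True),
    SignInEvent(_T0 + timedelta(minutes=30), "bob@example.com", "s2", "203.0.113.22", "AS64500", _MAC_SAFARI, False),
    # carol: session with no MFA-completing event, so there is no baseline.
    SignInEvent(_T0, "carol@example.com", "s3", "203.0.113.30", "AS64500", _WIN_CHROME, False),
]

if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f"{f.confidence}: {f.user} session {f.session_id} issued to {f.issued_from}, "
              f"reused from {f.reused_from} after {f.minutes_after:.0f} min ({', '.join(f.reasons)})")
```

Only alice's session is reported; bob's same-network reuse and carol's session without an MFA baseline are not.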

Critical Patches Issued for Microsoft Products, July 8, 2025 – PATCH: NOW

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Windows Kernel
  • Remote Desktop Client
  • Windows Visual Basic Scripting
  • Microsoft Intune
  • Virtual Hard Disk (VHDX)
  • Microsoft Input Method Editor (IME)
  • Windows SSDP Service
  • Windows Kerberos
  • Windows Imaging Component
  • Windows SPNEGO Extended Negotiation
  • Windows Storage VSP Driver
  • Windows GDI
  • Windows Event Tracing
  • Universal Print Management Service
  • Windows Cred SSProvider Protocol
  • Azure Monitor Agent
  • Microsoft PC Manager
  • Microsoft Office
  • Windows MBT Transport driver
  • Windows Routing and Remote Access Service (RRAS)
  • Role: Windows Hyper-V
  • Windows Connected Devices Platform Service
  • Windows BitLocker
  • Windows Update Service
  • Windows SMB
  • Windows Virtualization-Based Security (VBS) Enclave
  • Microsoft MPEG-2 Video Extension
  • Windows Secure Kernel Mode
  • Microsoft Office Excel
  • Windows Remote Desktop Licensing Service
  • HID class driver
  • Windows Universal Plug and Play (UPnP) Device Host
  • Windows AppX Deployment Service
  • Windows Cryptographic Services
  • Windows TDX.sys
  • Windows Ancillary Function Driver for WinSock
  • Windows User-Mode Driver Framework Host
  • Workspace Broker
  • Windows Win32K – ICOMP
  • Kernel Streaming WOW Thunk Service Driver
  • Microsoft Brokering File System
  • Windows NTFS
  • Windows Shell
  • Windows Performance Recorder
  • Windows Media
  • Storage Port Driver
  • Microsoft Windows Search Component
  • Windows TCP/IP
  • Capability Access Management Service (camsvc)
  • Microsoft Office Word
  • Microsoft Office SharePoint
  • Microsoft Office PowerPoint
  • Microsoft Edge (Chromium-based)
  • Visual Studio Code – Python extension
  • Windows Netlogon
  • SQL Server
  • Windows Fast FAT Driver
  • Windows Print Spooler Components
  • Windows StateRepository API
  • Windows Notification
  • Windows Win32K – GRFX
  • Microsoft Windows QoS scheduler
  • Microsoft Teams
  • Microsoft Graphics Component
  • Windows KDC Proxy Service (KPSSVC)
  • Visual Studio
  • Windows SmartScreen
  • Office Developer Platform
  • Windows Storage

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jul 
https://msrc.microsoft.com/update-guide

A Vulnerability in FortiWeb Could Allow for Remote Code Execution – PATCH: NOW

A vulnerability has been discovered in FortiWeb, which could allow for SQL injection. FortiWeb is a web application firewall (WAF) developed by Fortinet. It’s designed to protect web applications and APIs from a wide range of attacks, including those targeting known vulnerabilities and zero-day exploits. Successful exploitation of this vulnerability could allow for SQL injection attacks that could lead to arbitrary code execution in the context of the system.

THREAT INTELLIGENCE:
There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • FortiWeb 7.6 versions 7.6.0 through 7.6.3
  • FortiWeb 7.4 versions 7.4.0 through 7.4.7
  • FortiWeb 7.2 versions 7.2.0 through 7.2.10
  • FortiWeb 7.0 versions 7.0.0 through 7.0.10

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in FortiWeb, which could allow for SQL injection. The details of this vulnerability are:

Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests. (CVE-2025-25257)

Successful exploitation of this vulnerability could allow for SQL injection attacks that could lead to arbitrary code execution in the context of the system.

RECOMMENDATIONS:
We recommend the following actions be taken: 

  • Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Fortinet:
https://www.fortiguard.com/psirt/FG-IR-25-151
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25257

Multiple Vulnerabilities in Mozilla Thunderbird Could Allow for Arbitrary Code Execution – PATCH: NOW

Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Thunderbird is an email client. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Thunderbird versions prior to 140

RISK:
Government:

  • Large and medium government entities: N/A
  • Small government: MEDIUM

Businesses:

  • Large and medium business entities: N/A
  • Small business entities: MEDIUM

Home Users: LOW

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-by Compromise (T1189)

  • A use-after-free in FontFaceSet resulted in a potentially exploitable crash. (CVE-2025-6424)
  • Memory safety bugs fixed in Firefox 140 and Thunderbird 140. (CVE-2025-6436)

Additional lower severity vulnerabilities include:

  • The WebCompat WebExtension shipped exposed a persistent UUID. (CVE-2025-6425)
  • No warning when opening executable terminal files on macOS. (CVE-2025-6426)
  • connect-src Content Security Policy restriction could be bypassed. (CVE-2025-6427)
  • Incorrect parsing of URLs could have allowed embedding of youtube.com. (CVE-2025-6429)
  • Content-Disposition header ignored when a file is included in an embed or object tag. (CVE-2025-6430)
  • DNS Requests leaked outside of a configured SOCKS proxy. (CVE-2025-6432)
  • WebAuthn would allow a user to sign a challenge on a webpage with an invalid TLS certificate. (CVE-2025-6433)
  • HTTPS-Only exception screen lacked anti-clickjacking delay. (CVE-2025-6434)
  • Save as in Devtools could download files without sanitizing the extension. (CVE-2025-6435)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
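The affected range stated above ("Thunderbird versions prior to 140") and Safeguard 7.7 (remediate detected vulnerabilities) together call for a quick inventory check: which hosts still run an affected build, which are already patched, and which need a human look. The following script is an added example and is not part of the MS-ISAC advisory or Mozilla's own tooling; the inventory lines, host names and version strings are constructed sample data, and the treatment of suffixed versions (ESR or pre-release builds) as "review" is an assumption, because the advisory only states the fixed version for the main release line.

```python
"""Inventory check for the Thunderbird advisory: flags installed versions
the advisory lists as affected (prior to 140).

Added example, not from the advisory.  The inventory below is constructed
sample data in a simple host,product,version CSV layout."""
import csv
import io
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# From the advisory: "Thunderbird versions prior to 140" are affected.
FIXED_MAJOR = 140

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = """\
host,product,version
ws-001,Thunderbird,139.0.2
ws-002,Thunderbird,140.0
ws-003,Thunderbird,128.12.0esr
ws-004,Thunderbird,102.15.1
ws-005,Thunderbird,not-installed
srv-010,Firefox,140.0
"""


class Finding(NamedTuple):
    host: str
    version: str
    status: str  # "affected", "fixed", "review" or "unknown"


# major[.minor[.patch]] followed by an optional alphabetic suffix (esr, b1, a1 ...)
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z]+\d*)?$")


def parse_version(raw: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix), or None if the string is not a version."""
    match = _VERSION_RE.match(raw.strip().lower())
    if not match:
        return None
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor or 0), int(patch or 0), (suffix or "")


def classify(raw: str) -> str:
    """Map one installed version string to the advisory's affected range."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unknown"  # inventory field is empty, garbage, or "not-installed"
    major, _minor, _patch, suffix = parsed
    if suffix:
        # Assumption: suffixed builds (ESR or pre-release) sit on a separate
        # release line and the advisory states no fixed version for them,
        # so they are deferred to the vendor advisory rather than auto-classified.
        return "review"
    return "affected" if major < FIXED_MAJOR else "fixed"


def check_inventory(csv_text: str, product: str = "Thunderbird") -> List[Finding]:
    """Classify every row for the given product; other products are skipped."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip().lower() != product.lower():
            continue
        findings.append(Finding(row["host"], row["version"], classify(row["version"])))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per status, e.g. {"affected": 2, "fixed": 1, ...}."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    results = check_inventory(INVENTORY)
    for f in results:
        print(f"{f.host:8} {f.version:14} {f.status}")
    print(summarize(results))
```

Hosts reported as "affected" are the ones Safeguard 7.7 says to remediate on the advisory's schedule; "review" rows should be compared against Mozilla's own advisory (mfsa2025-54, referenced below) before being closed, and "unknown" rows usually point to a gap in the asset inventory itself rather than in patching.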

REFERENCES:

Mozilla:
https://www.mozilla.org/en-US/security/advisories/
https://www.mozilla.org/en-US/security/advisories/mfsa2025-54/

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6424
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6430
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6436

Comment Period Extension for NIST SP 800-234, High-Performance Computing (HPC) Security Overlay

The initial public draft (IPD) of NIST Special Publication (SP) 800-234, High-Performance Computing (HPC) Security Overlay, is available for public comment. The new due date for submitting public comments is August 4, 2025.

High-performance computing (HPC) systems provide fundamental computing infrastructure for large-scale artificial intelligence (AI) and machine learning (ML) model training, big data analysis, and complex simulations at exceptional speeds. Securing HPC systems is essential for safeguarding AI models, protecting sensitive data, and realizing the full benefits of HPC capabilities.

This NIST Special Publication introduces an HPC security overlay that is designed to address the unique characteristics and requirements of HPC systems. Built upon the moderate baseline defined in SP 800-53B, the overlay tailors 60 security controls with supplemental guidance and/or discussions to enhance their applicability in HPC contexts. This overlay aims to provide practical, performance-conscious security guidance that can be readily adopted. For many organizations, it offers a robust foundation for securing HPC environments while also allowing for further customization to meet specific operational or mission needs.

The public comment period is open through August 4th, 2025. See the publication details for a copy of the draft and instructions for submitting comments. Additional information can be found at the NIST HPC Security Working Group website.

Note: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.


Guidelines for Media Sanitization | Draft SP 800-88r2 Available for Public Comment

The initial public draft (ipd) of NIST Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization, is now available for public comment.

Sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. This guide outlines the important elements of a sanitization program to assist organizations and system owners in making practical sanitization decisions based on the sensitivity of their information.

Important changes in this revision of SP 800-88 include:

  • Focus is shifted to establishing an agency or enterprise media sanitization program
  • Sanitization technique descriptions are replaced with recommendations to comply with the latest relevant standards
  • Security assurance is improved through sanitization validation, which determines the effectiveness of sanitization from a confidentiality and sensitivity perspective
  • The concept of logical sanitization is included to consider the presence of storage media in modern computing environments (e.g., the cloud)
  • References section is updated to include the latest versions of documents and remove obsolete ones

The public comment period is open through August 29, 2025. See the publication details for a copy of the draft and instructions for submitting comments.

NOTE: A call for patent claims is included in the front matter of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
