Now Available for Public Comment! NIST CSF 2.0 Manufacturing Profile

The NIST Internal Report (IR) 8183 Revision 2, Cybersecurity Framework Version 2.0 Manufacturing Profile has been published and we’re excited for your feedback! The comment period is now open through November 17, 2025.

As cybersecurity threats to critical infrastructure continue to escalate in frequency and severity, it is crucial for manufacturing organizations to implement robust cybersecurity measures to safeguard sensitive data and prevent potential system disruptions and financial losses. This Profile is designed to help manufacturing organizations manage cybersecurity risks in alignment with industry best practices and sector goals.

The Profile gives manufacturers:

  • A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system.
  • An evaluation of their ability to operate the manufacturing environment at their acceptable risk level.
  • A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security.

The Profile is structured around the functional areas of the NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. These core areas form the basis for prioritizing cybersecurity outcomes tailored to the manufacturing sector, enabling manufacturers to align their cybersecurity efforts with business needs, risk tolerance, and available resources.

We want your feedback!

Visit the publication page to learn more about the publication and for instructions on submitting comments. For any questions, please reach out to the team at CSF_Manufacturing_Profile@nist.gov.


NIST Releases Draft Enhanced Security Requirements and Assessment Procedures for Protecting CUI 

SP 800-172r3 and SP 800-172Ar3 Now Available for Public Comment!

As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:

  • SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
  • SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.

Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.

Public Comment Period

A public comment period will be open from September 29 through November 14, 2025. Reviewers should submit comments on all or parts of the drafts to 800-171comments@list.nist.gov. All comments submitted during the public comment period will be posted to the NIST Protecting CUI Project page with contact information redacted.

Learn More about Protecting CUI Project: https://csrc.nist.gov/projects/protecting-CUI


Multiple Vulnerabilities in VMware Aria Operations and VMware Tools Could Allow for Privilege Escalation – PATCH NOW

Multiple vulnerabilities have been discovered in VMware Aria Operations and VMware Tools, the most severe of which could allow for privilege escalation to root. VMware Aria is a multi-cloud management platform that provides automation, operations, and cost management for applications and infrastructure across private, public, and hybrid cloud environments. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation to root. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

NVISO indicates the vulnerability CVE-2025-41244 has been exploited in the wild as a zero-day since mid-October 2024 by the China-linked threat actor UNC5174.

SYSTEMS AFFECTED:

  • VMware Cloud Foundation Operations versions prior to 9.0.1.0
  • VMware Tools versions prior to 13.0.5.0, 13.0.5, and 12.5.4
  • VMware Aria Operations versions prior to 8.18.5

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in VMware Aria Operations and VMware Tools, the most severe of which could allow for privilege escalation to root. Details of the vulnerabilities are as follows:

Tactic: Privilege Escalation (TA0004):

Technique: Exploitation for Privilege Escalation (T1068):

  • A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. (CVE-2025-41244)
  • A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations. (CVE-2025-41245)
  • A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX may exploit this issue to access other guest VMs. Successful exploitation requires knowledge of credentials of the targeted VMs and vCenter or ESX. (CVE-2025-41246)

Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation to root. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Broadcom or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:
 

Broadcom:

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149

NVISO:

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41244

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41245

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41246

OT Security Series: Keeping Your Industrial Systems Safe from USB Threats

Two-Pager Now Available! Reducing Cyber Risk of Portable Storage Media in OT Environments

The NIST National Cybersecurity Center of Excellence (NCCoE) has finalized a guide, NIST Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in Operational Technology (OT) Environments, to help organizations protect their industrial control systems from cybersecurity threats when using removable media devices.

Portable storage media devices, like USB flash drives, are commonly used to transfer data between computers. However, using them in OT environments and industrial control systems, such as those used in power plants or manufacturing facilities, can pose a cybersecurity risk. If a USB device is infected with malware, it can spread to the industrial control system and cause problems, such as disrupting operations or compromising safety.

This NCCoE resource suggests implementing physical and technical controls to limit access to these devices and ensure they are used securely.

The Value of a Quick Read

We’re excited to offer this concise, two-page guide. It’s designed to be a quick and easy read, providing you with the essential information you need to protect your OT systems based on existing standards and best practices.

Want to see other OT two-pagers? If you have ideas for future guides or topics you’d like to see covered, you can email the team to let us know at manufacturing_nccoe@nist.gov.


NEW BLOG | Updating Foundational Activities for IoT Product Manufacturers

Over the past few months, NIST has been revising and updating Foundational Activities for IoT Product Manufacturers (NIST IR 8259 Revision 1 Initial Public Draft), which describes recommended pre-market and post-market activities for manufacturers to develop products that meet their customers’ cybersecurity needs and expectations. Thank you so much for the thoughtful comments and feedback throughout this process; 400+ participants across industry, consumer organizations, academia, federal agencies, and researchers shared feedback in both the December 2024 and March 2025 workshops—as well as through written comments on the initial public draft. Others came to the virtual Discussion Forum Event in June to discuss updates, share initial ideas for a worked example of NIST IR 8259, and explore topics from an essay on planned updates to NIST SP 800-213/213A.

NIST shared two workshop summary reports (December 2024 Workshop and March 2025 Workshop) and distilled the comprehensive changes that expand the focus on IoT products, highlighting product cybersecurity capabilities as central to IoT cybersecurity.

What Happens Next?

Serving as a culmination of this collaborative effort, we are announcing the release of our latest resource, NIST IR 8259 Revision 1 Second Public Draft, today…

Read More

Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Cisco is a leading technology company best known for its networking hardware and software, such as routers and switches, that form the backbone of the internet and enterprise networks. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

THREAT INTELLIGENCE:
The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of CVE-2025-20333 and CVE-2025-20362. A detection guide can be found in the references section further down this advisory.

SYSTEMS AFFECTED:

  • Cisco Secure Firewall ASA Software
  • Cisco Secure FTD Software
  • Cisco Secure FMC Software
  • Cisco IOS and IOS XE Software
  • Cisco IOS XR Software

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise require authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication. (CVE-2025-20362)
  • A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. (CVE-2025-20333)
  • A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. (CVE-2025-20363)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Cisco or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Cisco:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW#vp
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
https://sec.cloudapps.cisco.com/security/center/resources/detection_guide_for_continued_attacks

CISA: 
https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20363

Oh, Behave! The Cybersecurity Attitudes and Behaviors Report is here!


OH, BEHAVE! The 2025 Cybersecurity Attitudes and Behaviors Report is now available. Each year, the National Cybersecurity Alliance and CybSafe release research to better understand the public’s security behavior and to act as a call to action for better secure habits online.

With support from international partners across seven countries, this year’s report polls more than 6,500 individuals in the United States, United Kingdom, Germany, Australia, India, Brazil, and Mexico, exploring key cybersecurity behaviors and attitudes, and the growing impact of artificial intelligence.  

TAKE A SNEAK PEEK AT THE FINDINGS
While AI usage has surged, 58% of users report receiving no training on security or privacy risks associated with these technologies.

With cybercrime rising, 44% of respondents reported experiencing cybercrime that led to data or monetary loss.

Everyday cybersecurity practices remain inconsistent.
Just 62% of respondents report regularly creating unique passwords.

More than half of participants (55%) report having no access to cybersecurity training, a figure that has barely shifted from last year. 66% of participants are confident in their ability to identify a malicious email or link, but confidence differs sharply by age and geography. While it is widely recognized, less than half (41%) use multi-factor authentication regularly.


Guidelines for Media Sanitization: NIST Publishes SP 800-88r2

NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.

Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.

Important revisions in this version compared to SP 800-88r1 (2014) are as follows:

  • The document’s focus has shifted from providing guidelines for hands-on sanitization decisions to maintaining the confidentiality of sensitive information by establishing an agency or enterprise media sanitization program as part of media disposal or reuse.
  • Program-focused guidelines now improve the alignment of media sanitization with cybersecurity standards (e.g., SP 800-53, ISO/IEC 27040), update certain sanitization methods to be in tune with the state of practice, and address trust establishment in the vendor’s implementation of sanitization techniques for clear and purge sanitization methods.
  • Apart from cryptographic erase (CE), which is commonly used across all encrypted media, all sanitization techniques and tool details have been replaced with recommendations to comply with IEEE 2883, NSA specifications, or an organizationally approved standard.
  • A focused set of guidelines has been added to the CE technique to expand the types of cryptographic keys that may be used for CE, consolidate content from different parts of the text into a dedicated section, provide guidelines for key sanitization using the state-of-practice ISO/IEC 19790 zeroization, and clarify when the use of externally managed keys is potentially acceptable.

Materials Now Available: NCCoE DevSecOps Virtual Event

The National Cybersecurity Center of Excellence (NCCoE) hosted a virtual event on August 27, 2025, to discuss and gather feedback on the NCCoE Development, Security and Operations (DevSecOps) project.  

Recap: This virtual event focused on the preliminary draft of NIST Special Publication (SP) 1800-44, Secure Software Development, Security, and Operations Practices. Key discussion topics included an overview of the NCCoE project as well as an overview of the Secure Software Development Framework (SSDF). This event also featured two panel discussions focused on cybersecurity challenges and recommendations for software producers and consumers, and the use of AI and Zero Trust in DevSecOps. 

The feedback gathered during this event will help to shape the final version of NIST SP 1800-44.  

Post Event Materials Now Available! 

To access the event recording and slides from this event, please visit the NCCoE event page. To stay up to date on this project and contribute to future events, please consider joining the NCCoE DevSecOps Community of Interest (COI). 


Vulnerability in Nx (build system) Package Could Allow for Sensitive Data Exfiltration

A vulnerability has been discovered in Nx (build system) Package, which could allow for sensitive data exfiltration. Nx is a smart, fast, and extensible build system designed for managing monorepos efficiently by providing features like dependency graph analysis, computation caching, distributed task execution, and codebase upgrades. Successful exploitation of this vulnerability could allow threat actors to perform network reconnaissance and leak sensitive data.
THREAT INTELLIGENCE:

According to StepSecurity, threat actors have successfully injected malicious code into the Nx build system package and several related plugins to collect host information, cryptocurrency wallets, and development credentials.

SYSTEMS AFFECTED:

  • nx/devkit 21.5.0, 20.9.0
  • nx/enterprise 3.2.0
  • nx/eslint 21.5.0
  • nx/js 21.5.0, 20.9.0
  • nx/key 3.2.0
  • nx/node 21.5.0, 20.9.0
  • nx/workspace 21.5.0, 20.9.0

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Review the immediate remediation steps published at Stepsecurity.io.
  • Apply appropriate updates provided by Nx or other vendors which use this software to vulnerable systems immediately after appropriate testing.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.

REFERENCES:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10894
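A lockfile check for the affected versions listed in this advisory, added here as an example and not part of the advisory or the Nx project. It assumes an npm package-lock.json (lockfile v1, v2 or v3); because the advisory prints the package names without the npm scope prefix, the check compares names with any leading "@" stripped.

```python
import json
from typing import Dict, Iterator, List, Set, Tuple

# Affected package versions exactly as listed in the advisory above.
# Assumption: the advisory omits the npm "@" scope prefix, so names from
# the lockfile are compared with any leading "@" removed.
AFFECTED: Dict[str, Set[str]] = {
    "nx/devkit": {"21.5.0", "20.9.0"},
    "nx/enterprise": {"3.2.0"},
    "nx/eslint": {"21.5.0"},
    "nx/js": {"21.5.0", "20.9.0"},
    "nx/key": {"3.2.0"},
    "nx/node": {"21.5.0", "20.9.0"},
    "nx/workspace": {"21.5.0", "20.9.0"},
}


def _normalize(name: str) -> str:
    """Drop a leading npm scope marker so '@nx/js' matches 'nx/js'."""
    return name[1:] if name.startswith("@") else name


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) pairs from a parsed package-lock.json.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
    lockfileVersion 1 keeps a nested "dependencies" tree. Both are walked
    so nested (deduplicated-away) copies are not missed.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project entry, not a dependency
            # Take the segment after the last "node_modules/", e.g.
            # "node_modules/a/node_modules/@nx/node" -> "@nx/node".
            name = path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version")
            if version:
                yield name, version
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            version = meta.get("version")
            if version:
                yield name, version
            nested = meta.get("dependencies")
            if isinstance(nested, dict):
                yield from walk(nested)

    yield from walk(lock.get("dependencies", {}))


def find_affected(lock: dict) -> List[Tuple[str, str]]:
    """Return sorted, de-duplicated (name, version) pairs that match the advisory."""
    hits = set()
    for name, version in iter_lock_packages(lock):
        if version in AFFECTED.get(_normalize(name), set()):
            hits.add((name, version))
    return sorted(hits)


# Constructed sample lockfile (lockfileVersion 3) for demonstration only:
# one direct hit, one nested hit, one Nx package on a non-listed version.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@nx/devkit": {"version": "21.5.0"},
    "node_modules/@nx/js": {"version": "21.4.1"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/@nx/node": {"version": "20.9.0"}
  }
}
""")

if __name__ == "__main__":
    import sys
    # Pass a real package-lock.json path as argv[1]; otherwise use the sample.
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in find_affected(lock):
        print(f"AFFECTED: {name}@{version}")
```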