Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

  • Adobe Connect is a software suite for online collaboration.
  • Adobe Commerce is an enterprise-grade eCommerce platform that provides tools for creating and managing online stores for both B2B and B2C businesses.
  • Magento Open Source is a free, downloadable eCommerce platform from Adobe that provides the core tools to create and manage an online store.
  • Adobe Creative Cloud is a subscription service that provides access to Adobe’s suite of creative software applications.
  • Adobe Bridge is a digital asset management and file browser for Creative Cloud applications.
  • Adobe Animate is a multimedia creation tool used for designing interactive animations.
  • Adobe Experience Manager (AEM) is a comprehensive content management and digital asset management system.
  • Adobe Substance 3D Viewer is a free, standalone desktop application (currently in beta) designed to help designers and artists visualize and work with 3D models, textures, and materials.
  • Adobe Substance 3D Modeler is a sculpting and 3D modeling application within Adobe’s Substance 3D suite that combines virtual reality (VR) and desktop experiences for natural, gestural creation of 3D models.
  • Adobe FrameMaker is an authoring and publishing application primarily used for creating and managing long, complex technical and structured documents.
  • Adobe Illustrator is used for creating vector-based graphics like logos, icons, and illustrations that can be scaled to any size without losing quality.
  • Adobe Dimension is a 3D design application for creating photorealistic product mockups, brand visualizations, and other 3D graphics.
  • Adobe Substance 3D Stager is a professional software for creating and rendering 3D scenes to produce photorealistic images.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild. 

SYSTEMS AFFECTED:

  • Adobe Connect 12.9 and earlier versions
  • Adobe Commerce 2.4.9-alpha2 and earlier versions
  • Adobe Commerce B2B 1.5.3-alpha2 and earlier versions
  • Magento Open Source 2.4.9-alpha2 and earlier versions
  • Adobe Creative Cloud Desktop Application 6.7.0.278 and earlier versions
  • Adobe Bridge 14.1.8 (LTS) and earlier versions
  • Adobe Bridge 15.1.1 and earlier versions
  • Adobe Animate 2023 23.0.13 and earlier versions
  • Adobe Animate 2024 24.0.10 and earlier versions
  • Adobe Experience Manager (AEM) Screens 6.5.22 Screens FP11.6
  • Adobe Substance 3D Viewer 0.25.2 and earlier versions
  • Adobe Substance 3D Modeler 1.22.3 and earlier versions
  • Adobe FrameMaker 2020 Release Update 9 and earlier versions
  • Adobe FrameMaker 2022 Release Update 7 and earlier versions
  • Adobe Illustrator 2025 29.7 and earlier versions
  • Adobe Illustrator 2024 28.7.9 and earlier versions
  • Adobe Dimension 4.1.4 and earlier versions
  • Adobe Substance 3D Stager 3.1.4 and earlier versions
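As an added example (not part of this advisory or of Adobe's tooling), the script below turns the "X and earlier versions" ceilings listed above into a triage of a software inventory. It handles the pre-release suffix form (2.4.9-alpha2 is affected, the final 2.4.9 is not) and the products listed with two supported branches (Bridge, Animate, Illustrator), where a ceiling is assumed to apply only to installs on the same major version. The product-name keys, the branch rule and the sample inventory are assumptions; entries without a plain numeric version (AEM Screens, the FrameMaker Release Updates) are left out and need a product-specific check.

```python
import re
from typing import Dict, List, Tuple

# Ceilings copied from the SYSTEMS AFFECTED list: each version and everything
# earlier on the same branch is affected. Products with two listed branches
# carry two ceilings. (Constructed mapping; product names are assumed keys.)
AFFECTED_CEILINGS: Dict[str, List[str]] = {
    "Adobe Connect": ["12.9"],
    "Adobe Commerce": ["2.4.9-alpha2"],
    "Adobe Commerce B2B": ["1.5.3-alpha2"],
    "Magento Open Source": ["2.4.9-alpha2"],
    "Adobe Creative Cloud Desktop Application": ["6.7.0.278"],
    "Adobe Bridge": ["14.1.8", "15.1.1"],
    "Adobe Animate": ["23.0.13", "24.0.10"],
    "Adobe Substance 3D Viewer": ["0.25.2"],
    "Adobe Substance 3D Modeler": ["1.22.3"],
    "Adobe Illustrator": ["28.7.9", "29.7"],
    "Adobe Dimension": ["4.1.4"],
    "Adobe Substance 3D Stager": ["3.1.4"],
}

# Accepts dotted numerics with an optional "-alpha2" / "-beta1" style suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([a-zA-Z]+)(\d*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, str, int]:
    """Split a version string into a sortable key.

    The key is (numeric parts, is_final_release, pre-release tag, pre-release
    number); a final release sorts after any pre-release of the same number.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unsupported version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    if match.group(2) is None:
        return numbers, 1, "", 0
    return numbers, 0, match.group(2).lower(), int(match.group(3) or 0)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is earlier than, equal to or later than b."""
    num_a, rel_a, tag_a, pre_a = parse_version(a)
    num_b, rel_b, tag_b, pre_b = parse_version(b)
    # Pad to equal length so "6.7" compares as "6.7.0.0" against "6.7.0.278".
    width = max(len(num_a), len(num_b))
    num_a += (0,) * (width - len(num_a))
    num_b += (0,) * (width - len(num_b))
    key_a = (num_a, rel_a, tag_a, pre_a)
    key_b = (num_b, rel_b, tag_b, pre_b)
    return (key_a > key_b) - (key_a < key_b)


def is_affected(product: str, installed: str) -> bool:
    """True if the installed version falls inside the advisory's affected range.

    Assumed branch rule: when a ceiling shares the installed major version,
    only that ceiling applies (Bridge 14.1.9 is fixed even though it is
    numerically below 15.1.1); otherwise the highest ceiling applies.
    """
    ceilings = AFFECTED_CEILINGS[product]
    major = parse_version(installed)[0][0]
    same_branch = [c for c in ceilings if parse_version(c)[0][0] == major]
    if same_branch:
        ceiling = same_branch[0]
    else:
        ceiling = max(ceilings, key=lambda c: parse_version(c)[0])
    return compare(installed, ceiling) <= 0


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, version) pairs from an inventory that need the patch."""
    return [
        (product, version)
        for product, version in inventory
        if product in AFFECTED_CEILINGS and is_affected(product, version)
    ]


# Constructed sample inventory, as an asset-management export might provide it.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Adobe Bridge", "14.1.9"),        # 14.x branch, one past the ceiling: fixed
    ("Adobe Bridge", "15.1.1"),        # exactly the 15.x ceiling: affected
    ("Adobe Commerce", "2.4.9"),       # final release after 2.4.9-alpha2: fixed
    ("Adobe Animate", "23.0.13"),      # exactly the 2023 ceiling: affected
    ("Adobe Illustrator", "29.7.1"),   # later than 29.7: fixed
    ("Adobe Dimension", "4.1.2"),      # earlier than 4.1.4: affected
    ("Adobe Photoshop", "26.0"),       # not covered by this advisory: skipped
]

if __name__ == "__main__":
    for product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {product} {version}")
```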

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203): 

Adobe Connect:

  • Cross-site Scripting (DOM-based XSS) (CVE-2025-49552, CVE-2025-49553)
  • URL Redirection to Untrusted Site (‘Open Redirect’) (CVE-2025-54196, CVE-2025-49552)

Adobe Commerce:

  • Improper Access Control (CVE-2025-54263)
  • Cross-site Scripting (Stored XSS) (CVE-2025-54264, CVE-2025-54266)
  • Incorrect Authorization (CVE-2025-54265, CVE-2025-54267)

Adobe Creative Cloud Desktop Application:

  • Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-2025-54271)

Adobe Bridge:

  • Heap-based Buffer Overflow (CVE-2025-54268, CVE-2025-54278)

Adobe Animate:

  • Use After Free (CVE-2025-54279)
  • Heap-based Buffer Overflow (CVE-2025-61804)
  • Out-of-bounds Read (CVE-2025-54269)
  • NULL Pointer Dereference (CVE-2025-54270)

Adobe Experience Manager Screens:

  • Cross-site Scripting (Reflected XSS) (CVE-2025-54272)
  • Cross-site Scripting (Stored XSS) (CVE-2025-54296, CVE-2025-54297)

Substance 3D Viewer:

  • Out-of-bounds Write (CVE-2025-54273, CVE-2025-54280, CVE-2025-54275)
  • Stack-based Buffer Overflow (CVE-2025-54274)

Substance 3D Modeler:

  • Out-of-bounds Read (CVE-2025-54276)

Adobe FrameMaker:

  • Use After Free (CVE-2025-54281)
  • Heap-based Buffer Overflow (CVE-2025-54282)

Adobe Illustrator:

  • Out-of-bounds Write (CVE-2025-54283, CVE-2025-54284)

Adobe Dimension:

  • Out-of-bounds Read (CVE-2025-61798, CVE-2025-61799)
  • Integer Overflow or Wraparound (CVE-2025-61800)
  • Use After Free (CVE-2025-61801)

Substance 3D Stager:

  • Use After Free (CVE-2025-61802)
  • Integer Overflow or Wraparound (CVE-2025-61803, CVE-2025-61807)
  • Out-of-bounds Read (CVE-2025-61805, CVE-2025-61806)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
    • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
    • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
  • Block execution of code on a system through application control, and/or script blocking. (M1038: Execution Prevention)
    • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/connect/apsb25-70.html
https://helpx.adobe.com/security/products/magento/apsb25-94.html
https://helpx.adobe.com/security/products/creative-cloud/apsb25-95.html
https://helpx.adobe.com/security/products/bridge/apsb25-96.html
https://helpx.adobe.com/security/products/animate/apsb25-97.html
https://helpx.adobe.com/security/products/aem-screens/apsb25-98.html
https://helpx.adobe.com/security/products/substance3d-viewer/apsb25-99.html
https://helpx.adobe.com/security/products/substance3d-modeler/apsb25-100.html
https://helpx.adobe.com/security/products/framemaker/apsb25-101.html
https://helpx.adobe.com/security/products/illustrator/apsb25-102.html
https://helpx.adobe.com/security/products/dimension/apsb25-103.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb25-104.html
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49552
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49553
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54269
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54274
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54275
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54276
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54279
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54280
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54281
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54282
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54283
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54284
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54296
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54297
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61798
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61807

Credential Theft Phishing Campaign Employs Tactics to Evade Detection

The NJCCIC identified a phishing campaign that uses tactics to make detection more difficult, leading to increased account compromises. 
Users receive an initial encrypted email with an encrypted link to “Read the message,” which leads to a legitimate Microsoft 365 login page with the URL beginning with “hxxps://outlook.office365[.]com/Encryption/retrieve.ashx…”
Once login credentials are submitted, the user is directed to a webpage titled “Secure Document Access” with a URL ending in “mysharepoint[.]html.” This webpage requests the user to verify their identity to continue, beginning with their full name. 
They are then redirected to a fraudulent Microsoft 365 login page to submit their credentials again. This time, if the credentials are submitted, they are stolen by the threat actor behind the scheme and used to compromise the user’s account and target their contacts to perpetuate the phishing campaign. The webpage URLs used in this campaign are personalized to include the recipient’s email address in order to convey legitimacy.

NJ MVC SMiShing Campaign Continues

SMS text phishing (SMiShing) scams impersonating the New Jersey Motor Vehicle Commission (MVC) or the obsolete New Jersey Division of Motor Vehicles (DMV) continue to be reported to the NJCCIC. The messages claim that the user has an outstanding traffic ticket and payment is due. If not paid by the deadline, the user will have their vehicle registration and driving privileges suspended, receive a toll booth charge increase, and their credit score will be affected. The URL displayed in the message includes “njmvc” and “pay” to appear legitimate; however, the URL contains a “.icu” top-level domain (TLD) instead of the official “.gov” TLD. The message itself does not permit the user to click the included link directly, but instead instructs them to reply to the message with “Y” and reopen the message to click the link or to copy the URL to their browser.
These links lead to fraudulent websites that contain NJ MVC logos and branding and attempt to extract personally identifiable information (PII), financial information, or account credentials. The NJ MVC only sends text messages to remind residents about scheduled MVC appointments. It does not send text messages regarding driver’s licenses or vehicle registration status.

Now Available for Public Comment! NIST CSF 2.0 Manufacturing Profile

The NIST Internal Report (IR) 8183 Revision 2, Cybersecurity Framework Version 2.0 Manufacturing Profile has been published and we’re excited for your feedback! The comment period is now open through November 17, 2025.

As cybersecurity threats to critical infrastructure continue to escalate in frequency and severity, it is crucial for manufacturing organizations to implement robust cybersecurity measures to safeguard sensitive data and prevent potential system disruptions and financial losses. This Profile is designed to help manufacturing organizations manage cybersecurity risks in alignment with industry best practices and sector goals.

The Profile gives manufacturers:

  • A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system.
  • An evaluation of their ability to operate the manufacturing environment at their acceptable risk level.
  • A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security.

The Profile is structured around the functional areas of the NIST CSF 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. These core areas form the basis for prioritizing cybersecurity outcomes tailored to the manufacturing sector, enabling manufacturers to align their cybersecurity efforts with business needs, risk tolerance, and available resources.

We want your feedback!

Visit the publication page to learn more about the publication and instructions for submitting comments. For any questions, please reach out to the team CSF_Manufacturing_Profile@nist.gov.


NIST Releases Draft Enhanced Security Requirements and Assessment Procedures for Protecting CUI 

SP 800-172r3 and SP 800-172Ar3 Now Available for Public Comment!

As part of ongoing efforts to strengthen the protections for securing controlled unclassified information (CUI) in nonfederal systems, NIST has released the following drafts for comment:

  • SP 800-172r3 (Revision 3) fpd (final public draft), Enhanced Security Requirements for Protecting Controlled Unclassified Information, provides new enhanced security requirements that support cyber resiliency objectives, focus on protecting CUI, and are consistent with the source controls in SP 800-53r5.
  • SP 800-172Ar3 ipd (initial public draft), Assessing Enhanced Security Requirements for Controlled Unclassified Information, provides a set of assessment procedures for the enhanced security requirements. These procedures are based on the source assessment procedures in SP 800-53Ar5.

Both drafts implement a one-time “revision number” change for consistency with SP 800-171r3 and SP 800-171Ar3.

Public Comment Period

A public comment period will be open from September 29 through November 14, 2025. Reviewers should submit comments on all or parts of the drafts to 800-171comments@list.nist.gov. All comments submitted during the public comment period will be posted to the NIST Protecting CUI Project page with contact information redacted.

Learn More about Protecting CUI Project: https://csrc.nist.gov/projects/protecting-CUI

SP 800-172r3
SP 800-172Ar3

Multiple Vulnerabilities in VMware Aria Operations and VMware Tools Could Allow for Privilege Escalation – PATCH NOW

Multiple vulnerabilities have been discovered in VMware Aria Operations and VMware Tools, the most severe of which could allow for privilege escalation to root. VMware Aria is a multi-cloud management platform that provides automation, operations, and cost management for applications and infrastructure across private, public, and hybrid cloud environments. Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation to root. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

NVISO indicates the vulnerability CVE-2025-41244 has been exploited in the wild as a zero-day since mid-October 2024 by the China-linked threat actor UNC5174.

SYSTEMS AFFECTED:

  • VMware Cloud Foundation Operations versions prior to 9.0.1.0
  • VMware Tools versions prior to 13.0.5.0, 13.0.5, and 12.5.4
  • VMware Aria Operations versions prior to 8.18.5

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium 

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in VMware Aria Operations and VMware Tools, the most severe of which could allow for privilege escalation to root. Details of the vulnerability are as follows:

Tactic: Privilege Escalation (TA0004):

Technique: Exploitation for Privilege Escalation (T1068):

  • A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM. (CVE-2025-41244)
  • A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations. (CVE-2025-41245)
  • A malicious actor with non-administrative privileges on a guest VM, who is already authenticated through vCenter or ESX may exploit this issue to access other guest VMs. Successful exploitation requires knowledge of credentials of the targeted VMs and vCenter or ESX. (CVE-2025-41246)

Successful exploitation of the most severe of these vulnerabilities could allow for privilege escalation to root. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Broadcom or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Broadcom:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149

NVISO:

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41245
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-41246

OT Security Series: Keeping Your Industrial Systems Safe from USB Threats

Two-Pager Now Available! Reducing Cyber Risk of Portable Storage Media in OT Environments

The NIST National Cybersecurity Center of Excellence (NCCoE) has finalized a guide, NIST Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in Operational Technology (OT) Environments, to help organizations protect their industrial control systems from cybersecurity threats when using removable media devices.

Portable storage media devices, like USB flash drives, are commonly used to transfer data between computers. However, using them in OT environments and industrial control systems, such as those used in power plants or manufacturing facilities, can pose a cybersecurity risk. If a USB device is infected with malware, it can spread to the industrial control system and cause problems, such as disrupting operations or compromising safety.

This NCCoE resource suggests implementing physical and technical controls to limit access to these devices and ensure they are used securely.

The Value of a Quick Read

We’re excited to offer this concise, two-page guide. It’s designed to be a quick and easy read, providing you with the essential information you need to protect your OT systems based off existing standards and best practices.

Want to see other OT two-pagers? If you have ideas for future guides or topics you’d like to see covered, you can email the team to let us know at manufacturing_nccoe@nist.gov.


NEW BLOG | Updating Foundational Activities for IoT Product Manufacturers

Over the past few months, NIST has been revising and updating Foundational Activities for IoT Product Manufacturers (NIST IR 8259 Revision 1 Initial Public Draft), which describes recommended pre-market and post-market activities for manufacturers to develop products that meet their customers’ cybersecurity needs and expectations. Thank you so much for the thoughtful comments and feedback throughout this process; 400+ participants across industry, consumer organizations, academia, federal agencies, and researchers shared feedback in both the December 2024 and March 2025 workshops—as well as through written comments on the initial public draft. Others came to the virtual Discussion Forum Event in June to discuss updates, share initial ideas for a worked example of NIST IR 8259, and explore topics from an essay on planned updates to NIST SP 800-213/213A.

NIST shared two workshop summary reports (December 2024 Workshop and March 2025 Workshop) and distilled the comprehensive changes that expand the focus on IoT products, highlighting product cybersecurity capabilities as central to IoT cybersecurity.

What Happens Next?

Serving as a culmination of this collaborative effort, we are announcing the release of our latest resource, NIST IR 8259 Revision 1 Second Public Draft, today…

Read More

Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Cisco is a leading technology company best known for its networking hardware and software, such as routers and switches, that form the backbone of the internet and enterprise networks. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

THREAT INTELLIGENCE:
The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of CVE-2025-20333 and CVE-2025-20362. A detection guide can be found in the references section further down this advisory.

SYSTEMS AFFECTED:

  • Cisco Secure Firewall ASA Software
  • Cisco Secure FTD Software
  • Cisco Secure FMC Software
  • Cisco IOS and IOS XE Software
  • Cisco IOS XR Software

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication. (CVE-2025-20362)
  • A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device. (CVE-2025-20333)
  • A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device. (CVE-2025-20363)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution as root, which may lead to the complete compromise of the affected device.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Cisco or other vendors which use this software to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Cisco:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW#vp
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-code-exec-WmfP3h3O
https://sec.cloudapps.cisco.com/security/center/resources/detection_guide_for_continued_attacks

CISA: 
https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20362
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20333
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20363

Oh, Behave! The Cybersecurity Attitudes and Behaviors Report is here!


OH, BEHAVE! The 2025 Cybersecurity Attitudes and Behaviors Report is now available. Each year, the National Cybersecurity Alliance and CybSafe release research to better understand the public’s security behavior and to act as a call to action for better secure habits online.

Download Oh, Behave!
With support from international partners across seven countries, this year’s report polls more than 6,500 individuals in the United States, United Kingdom, Germany, Australia, India, Brazil, and Mexico, exploring key cybersecurity behaviors and attitudes, and the growing impact of artificial intelligence.  

TAKE A SNEAK PEEK AT THE FINDINGS
While AI usage has surged, 58% of users report receiving no training on security or privacy risks associated with these technologies.

With cybercrime rising, 44% of respondents reported experiencing cybercrime that led to data or monetary loss.

Everyday cybersecurity practices remain inconsistent.
Just 62% of respondents report regularly creating unique passwords.

More than half of participants (55%) report having no access to cybersecurity training, a figure that has barely shifted from last year. 66% of participants are confident in their ability to identify a malicious email or link, but confidence differs sharply by age and geography. While multi-factor authentication is widely recognized, less than half of respondents (41%) use it regularly.

Learn more about the report