NIST extends the public comment period on the initial public draft (ipd) of NIST Special Publication (SP) 800-172r3 (Revision 3), Enhanced Security Requirements for Protecting Controlled Unclassified Information (CUI) until January 17, 2025. 

NIST strongly encourages you to use the comment template and submit comments to [email protected]. Comments received in response to this request will be posted on the Protecting CUI project site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

For more information, see the NIST Protecting CUI Project.

Read More

Colleges and universities have long been a valuable resource for small businesses in their communities. Examples of support and outreach include running start-up incubators and accelerators, hosting small business development centers, providing a source of interns and entry-level workforce members, hosting legal and medical clinics, and much more. Recently, higher education, with support from industry and government, has been addressing two critical questions in cybersecurity through an emerging network of cybersecurity clinics: 

• How can we bolster the cybersecurity posture of small, under-resourced organizations in our community?
• How can we build a stronger cybersecurity workforce by providing students with valuable, hands-on learning experiences?

Through the clinics, multidisciplinary teams of students work with faculty providing no-cost  cybersecurity services to the region’s small, under-resourced organizations—providing valuable workforce development experiences to students and important cybersecurity support to those organizations who need it the most. 

This webinar will provide an overview of cybersecurity clinics, while also highlighting experiences of students and small businesses who have participated in the program. The panel discussion will run for 45 minutes, with 15 minutes reserved at the end of the hour for questions. 

Opening Remarks: 

• Rodney Petersen, Director, NICE, NIST

Panelists: 

• Mehdi Abid, Cyber Program Coordinator, Department of Computer Science, University of Nevada, Las Vegas
• Aisha Ali-Gombe, Ph.D., Associate Professor and Director, LSU Cybersecurity Clinic, Louisiana State University
• Gary Anderson, Partner, Cardinal Capital, LLC
• Keith Daniel Tan, Scholarship for Service(SFS) Student, University of Nevada, Las Vegas

Moderator: 

• Daniel Eliot, Lead for Small Business Engagement, NIST

Register Here

The NJCCIC received incident reports indicating that the well-known sextortion email scam is again circulating. Some reports noted that the threatening message was included in a PDF attachment named after the target rather than in the body of the email. The targeted individual’s phone number and home address are included in the bolded first line of the attachment. This information can be easily found in public records or through compromised personal data due to data breaches. The fraudulent scheme claims that malware was installed on the target’s device and secretly recorded webcam footage of the recipient engaging in intimate activities. The targeted individual is then threatened with the release of compromising or sexually explicit photos or videos to contacts and their social media platforms if a Bitcoin payment of approximately $2,000 is not made in “one day.” The cybercriminal also claims to have embedded a specific pixel to identify when the email was read, starting the 24-hour countdown.

Recommendations

The NJCCIC recommends users educate themselves and others on this and similar scams to prevent future victimization. There is no indication that these threats are credible; therefore, users are advised to refrain from sending funds and disregard these emails. Avoid clicking links, opening attachments, responding to, or acting on unsolicited text messages or emails. Search for and report the Bitcoin addresses included in the scam email to the Bitcoin Abuse Database. Report the scam to the Federal Trade Commission (FTC), the FBI’s IC3, and the NJCCIC.

Browser extensions frequently grant extensive permissions to sensitive user information, including identity information, cookies, browsing history and data, passwords, web page content, text input, and audio/video capture. Unfortunately, many organizations may not know what extensions are installed on their systems, the permissions granted, or the vulnerabilities or attack vectors associated with the extensions, such as credential theft, account takeover, session hijacking, and data theft.

Threat actors can compromise developer accounts and publish malicious versions of these extensions to the store, which can result in harmful browser extensions being distributed to users when they are installed or updated. Once browser extensions are compromised, they are considered malicious and should be removed immediately, as threat actors can maintain access through live malicious extensions and exfiltrate data.

Last month, threat actors compromised a Cyberhaven account via a phishing campaign to push a new update with malicious code to the Chrome web store. Since then, additional compromised extensions have been discovered, exposing millions of users to data exposure and credential theft.

Furthermore, the NJCCIC received reports of several compromised browser extensions in Google Chrome and Microsoft Edge on multiple systems for various organizations. The compromised browser extensions include Visual Effects for Google Meet, AI Shop Buddy, ChatGPT Quick Access, Earny, Proxy SwitchyOmega, and Reader Mode.

Recommendations

Use Group Policy Objects (GPOs) to help prevent users from installing browser extensions. Rotate passwords and tokens, clear session data (such as cookies, cache, saved passwords, and autofill forms), and review logs for suspicious activity. Check if extensions are listed and flagged as malware in the browser settings. Remove malicious browser extensions immediately. Keep browsers and anti-virus/anti-malware software up to date.

ultiple vulnerabilities have been discovered in SonicWall SonicOS that could allow for authentication bypass. SonicOS is SonicWall’s operating system designed for their firewalls and other security devices.  Successful exploitation of the most severe of these vulnerabilities could allow for authentication bypass on the affected system. Depending on the privileges associated with the system, an attacker could then; view, change, or delete data.

THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild

SYSTEMS AFFECTED:

• Gen6 Hardware Firewalls versions prior to 6.5.5.1-6n
• Gen7 Firewalls versions prior to 7.1.3-7015
• Gen7 NSv versions prior to 7.0.1-5165
• TZ80 versions prior to 8.0.0-8037

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in SoincWall products, the most severe of which could allow for authentication bypass. Details of the vulnerabilities are as follows:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

• An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. (CVE-2024-53704)
• Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. (CVE-2024-40762)

Details of lower severity vulnerabilities:

• A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. (CVE-2024-53705)
• A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution. (CVE-2024-53706)

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate updates provided by SoincWall to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
   
• Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
  • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
  • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 13.10:  Performing Application Layer Filtering:  Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.

REFERENCES:

SonicWall:?
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-40762
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53706

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Photoshop 2025 26.1 and earlier versions
• Photoshop 2024 25.12 and earlier versions
• Adobe Substance 3D Stager 3.0.4 and earlier versions
• Adobe Illustrator on iPad 3.0.7 and earlier versions
• Adobe Animate 2023 23.0.9 and earlier versions
• Adobe Animate 2024 24.0.6 and earlier versions
• Adobe Substance 3D Designer 14.0 and earlier versions

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows
 

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203): 

Adobe Photoshop:

• Uncontrolled Search Path Element (CVE-2025-21127)
• Integer Underflow (Wrap or Wraparound) (CVE-2025-21122)

Adobe Substance 3D Stager:

• Out-of-bounds Read (CVE-2024-47449)

Adobe After Effects:

• Stack-based Buffer Overflow (CVE-2025-21128)
• Heap-based Buffer Overflow (CVE-2025-21129)
• Out-of-bounds Write (CVE-2025-21130, CVE-2025-21131, CVE-2025-21132)
   

Adobe Illustrator on iPad:

• Integer Underflow (Wrap or Wraparound) (CVE-2025-21133, CVE-2025-21134)
   

Adobe Animate:

• Integer Underflow (Wrap or Wraparound) (CVE-2025-21135)
   

Adobe Substance 3D Designer:

• Out-of-bounds Write (CVE-2025-21136, CVE-2025-21138)
• Heap-based Buffer Overflow (CVE-2025-21137, CVE-2025-21139)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2 : Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.6 : Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7 : Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 16.13 Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Safeguard 18.1 : Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2 : Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3 : Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
  • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
• Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
  • Safeguard 2.5 : Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
  • Safeguard 2.6 : Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
  • Safeguard 2.7 : Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
  • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/photoshop/apsb25-02.html
https://helpx.adobe.com/security/products/substance3d_stager/apsb25-03.html
https://helpx.adobe.com/security/products/illustrator-mobile-ios/apsb25-04.html
https://helpx.adobe.com/security/products/animate/apsb25-05.html
https://helpx.adobe.com/security/products/substance3d_designer/apsb25-06.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21139 

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• .NET
• .NET and Visual Studio
• .NET, .NET Framework, Visual Studio
• Visual Studio
• Microsoft Office Access
• Power Automate
• Windows MapUrlToZone
• Active Directory Federation Services
• Windows Recovery Environment Agent
• Windows Connected Devices Platform Service
• Windows Virtual Trusted Platform Module
• Windows Boot Loader
• Windows BitLocker
• Windows Boot Manager
• Windows Mark of the Web (MOTW)
• Windows Kerberos
• Windows Message Queuing
• Windows Telephony Service
• Line Printer Daemon Service (LPD)
• Windows Remote Desktop Services
• Windows Digital Media
• IP Helper
• Windows PrintWorkflowUserSvc
• Windows WLAN Auto Config Service
• Windows Cloud Files Mini Filter Driver
• Windows COM
• Windows Event Tracing
• Windows Installer
• Windows Direct Show
• Microsoft Windows Search Component
• Active Directory Domain Services
• Microsoft Digest Authentication
• Windows SPNEGO Extended Negotiation
• BranchCache
• Windows OLE
• Windows UPnP Device Host
• Windows Geolocation Service
• Windows DWM Core Library
• Reliable Multicast Transport Driver (RMCAST)
• Windows Themes
• Windows NTLM
• Windows Smart Card
• Windows Security Account Manager
• Windows SmartScreen
• Microsoft Brokering File System
• Windows Kernel Memory
• Internet Explorer
• Windows Hyper-V NT Kernel Integration VSP
• Windows Cryptographic Services
• Windows Win32K – GRFX
• Windows Hello
• Windows Web Threat Defense User Service
• Microsoft Office SharePoint
• Microsoft Office Visio
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office Outlook
• Microsoft AutoUpdate (MAU)
• Microsoft Office Outlook for Mac
• Microsoft Office Word
• Windows Virtualization-Based Security (VBS) Enclave
• Windows Client-Side Caching (CSC) Service
• Azure Marketplace SaaS Resources
• Microsoft Graphics Component
• Microsoft Purview
• Microsoft Office OneNote
• Microsoft Azure Gateway Manager

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low
 

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
 

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
  • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Multiple Vulnerabilities have been discovered in Ivanti Avalanche, the most severe of which could allow for authentication bypass. Ivanti Avalanche is a mobile device management system. Network security features allow one to manage wireless settings (including encryption and authentication) and apply those settings on a schedule throughout the network. Successful exploitation could allow for a remote unauthenticated attacker to bypass authentication. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

• Ivanti Avalanche versions prior to 6.4.7
   

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium 

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low
 

TECHNICAL SUMMARY:
Multiple Vulnerabilities have been discovered in Ivanti Avalanche, the most severe of which could allow for authentication bypass. Details of these vulnerabilities are as follows: 

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

• Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to bypass authentication. (CVE-2024-13181 and CVE-2024-13179)
• Path Traversal in Ivanti Avalanche before version 6.4.7 allows a remote unauthenticated attacker to leak sensitive information. (CVE-2024-13180)

Successful exploitation could allow for a remote unauthenticated attacker to bypass authentication. Depending on the privileges associated with the logged-on user, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
 

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate updates provided by Ivanti to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. 
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:Ivanti: 
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Avalanche-6-4-7-Multiple-CVEs

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13180
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-13179

In recent years, numerous Internet routing incidents — such as Border Gateway Protocol (BGP) prefix hijacking, and route leaks — have resulted in denial of service (DoS), unwanted data traffic detours, and performance degradation. Large-scale distributed denial-of-service (DDoS) attacks on servers using spoofed Internet Protocol (IP) addresses and reflection amplification in the data plane have resulted in significant disruptions of services and damages.

NIST has released the initial public draft (IPD) of Revision 1 of NIST Special Publication (SP) 800-189, Border Gateway Protocol Security and Resilience. This document provides technical guidance and recommendations to improve the security and resilience of Internet routing based on BGP. Technologies recommended in this document for securing Internet routing include Resource Public Key Infrastructure (RPKI), Route Origin Authorization (ROA), ROA-based route origin validation (ROA-ROV), and prefix filtering. Additionally, the technologies recommended for mitigating DDoS attacks focus on the prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies are also recommended as part of the overall security mechanisms, such as remotely triggered black hole (RTBH) filtering and flow specification (Flowspec).

While this document is intended to guide information security officers and managers of federal enterprise networks, it also applies to the network services of hosting providers (e.g., cloud-based applications and service hosting) and Internet service providers (ISPs) that support federal IT systems. This guidance may also be useful for enterprise and transit network operators and equipment vendors in general.

The public comment period ends February 25, 2025. See the publication details for a copy of the document.

Read More

The Advanced Encryption Standard (AES) specifies a subset of the Rijndael block cipher family with 128-bit blocks that was submitted to the NIST AES development effort. While this block size remains sufficient for many applications, the increasing demand for processing large volumes of data highlights the potential advantages of a larger block size. This need was pointed out in the public comments received for (Special Publication) SP 800-38A, acknowledged in NIST Internal Report 8459, and further reinforced during two NIST public workshops on block cipher modes of operation.

In August 2024, NIST indicated its interest in vetting another Rijndael variant for approval: Rijndael with 256-bit blocks (i.e., Rijndael-256) with a single key size of 256-bits. NIST plans to develop a draft standard for Rijndael-256 over the next year and requests public comments on this plan by June 25, 2025, especially for the following categories:

• Security analysis, including any new cryptanalytic results related to the 256-bit block size
• Performance and efficiency, particularly in environments with hardware support for AES

Comments may be submitted to [email protected] with “Comments on Rijndael-256” in the subject line. Comments received in response to this request will be posted on this site after the due date. Submitters’ names and affiliations (when provided) will be included, while contact information will be removed.

Read More