Multiple Vulnerabilities in Commvault Backup & Recovery Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which when chained together, could allow for remote code execution. Commvault Backup & Recovery is a comprehensive data protection solution that offers a range of services for safeguarding data across various environments, including on-premises, cloud, and hybrid setups. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, escalate privileges, run arbitrary commands, and potentially drop a JSP webshell.

THREAT INTELLIGENCE:
Researchers from watchTowr Labs have posted a detailed write-up about the vulnerabilities on their website.

SYSTEMS AFFECTED:

  • Commvault versions 11.32.0 – 11.32.101 for Linux and Windows.
  • Commvault versions 11.36.0 – 11.36.59 for Linux and Windows.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which could allow for remote code execution.  Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk. (CVE-2025-57788)
  • During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured. (CVE-2025-57789)
  • A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution. (CVE-2025-57790)
  • A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low privilege role. (CVE-2025-57791)

The vulnerabilities can be exploited as part of two separate remote code execution (RCE) chains. One chain works only if the built-in admin password has not been changed since installation, and relies on CVE-2025-57788 (to bypass authentication), CVE-2025-57789 (to escalate privileges), and CVE-2025-57790 (to achieve RCE). The second chain, which works against any unpatched Commvault instance, uses CVE-2025-57791 to bypass authentication and CVE-2025-57790 for RCE (by injecting a webshell).

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Commvault to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Commvault:
https://documentation.commvault.com/securityadvisories/CV_2025_08_1.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html

Help Net Security:
https://www.helpnetsecurity.com/2025/08/20/commvault-backup-suite-vulnerabilities-fixed/
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57791

NIST Releases Control Overlays for Securing AI Systems Concept Paper

NIST has released a concept paper and proposed action plan for developing a series of NIST SP 800-53 Control Overlays for Securing AI Systems, as well as launching a Slack channel for this community of interest.

The concept paper outlines proposed AI use cases for the control overlays to manage cybersecurity risks in the use and development of AI systems, and next steps. The use cases address generative AI, predictive AI, single and multi-agent AI systems, and controls for AI developers. NIST is interested in feedback on the concept paper and proposed action plan, and invites all interested parties to join the NIST Overlays for Securing AI (#NIST-Overlays-Securing-AI) Slack channel.

Through the Slack channel, stakeholders can contribute to the development of these overlays, get updates, engage in facilitated discussions with the NIST principal investigators and other subgroup members, and provide real-time feedback and comments. 

Learn more about the Control Overlays for AI Project, Slack space, and how to join the Slack channel at https://csrc.nist.gov/projects/cosais.

Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those that operate with administrative user rights.
Threat Intelligence
Fortinet is aware that CVE-2025-25256 has been exploited in the wild.
Systems Affected
– FortiSIEM 5.4 all versions
– FortiSIEM 6.1 all versions
– FortiSIEM 6.2 all versions
– FortiSIEM 6.3 all versions
– FortiSIEM 6.4 all versions
– FortiSIEM 6.5 all versions
– FortiSIEM 6.6 all versions
– FortiSIEM 6.7.0 through 6.7.9
– FortiSIEM 7.0.0 through 7.0.3
– FortiSIEM 7.1.0 through 7.1.7
– FortiSIEM 7.2.0 through 7.2.5
– FortiSIEM 7.3.0 through 7.3.1
– FortiManager 6.2 all versions
– FortiManager 6.4 all versions
– FortiManager 7.0.0 through 7.0.13
– FortiManager 7.2.0 through 7.2.9
– FortiManager 7.4.0 through 7.4.5
– FortiManager 7.6.0 through 7.6.1
– FortiManager Cloud 6.4 all versions
– FortiManager Cloud 7.0.1 through 7.0.13
– FortiManager Cloud 7.2.1 through 7.2.9
– FortiManager Cloud 7.4.1 through 7.4.5
– FortiOS 6.0 all versions
– FortiOS 6.2.0 through 6.2.16
– FortiOS 6.4 all versions
– FortiOS 7.0 all versions
– FortiOS 7.2 all versions
– FortiOS 7.4.0
– FortiOS 7.4.0 through 7.4.7
– FortiOS 7.6.0 through 7.6.2
– FortiPAM 1.0 all versions
– FortiPAM 1.1 all versions
– FortiPAM 1.2 all versions
– FortiPAM 1.3 all versions
– FortiPAM 1.4.0 through 1.4.2
– FortiPAM 1.5.0
– FortiProxy 2.0 all versions
– FortiProxy 7.0 all versions
– FortiProxy 7.2 all versions
– FortiProxy 7.4.0 through 7.4.1
– FortiProxy 7.4.0 through 7.4.2
– FortiProxy 7.4.0 through 7.4.3
– FortiProxy 7.6.0 through 7.6.2
– FortiSwitchManager 7.0.0 through 7.0.3
– FortiSwitchManager 7.2.0 through 7.2.3
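Affected-version lists like the Commvault and Fortinet ones above are easy to misread by eye (for example "7.4.10" sorts before "7.4.7" as a string). The following Python matcher is an added example, not code from the advisory or from either vendor: it parses entries written in the advisory's own "X a.b all versions" / "X a.b.c through a.b.d" wording and reports whether an inventoried build falls inside them; the AFFECTED list is a constructed subset of the entries on this page.

```python
"""Match inventoried product versions against an advisory's affected ranges.

Added example, not the advisory's or the vendors' code. Entries are written in
the same form the advisory prints them:
  "<product> <major.minor> all versions"
  "<product> <a.b.c> through <a.b.d>"   (an en dash or hyphen also accepted)
  "<product> <a.b.c>"                   (a single affected build)
"""
import re

# Constructed subset of the entries this page lists, in the page's own wording.
AFFECTED = [
    "Commvault 11.32.0 – 11.32.101",
    "Commvault 11.36.0 – 11.36.59",
    "FortiSIEM 6.7.0 through 6.7.9",
    "FortiSIEM 7.3.0 through 7.3.1",
    "FortiManager Cloud 7.0.1 through 7.0.13",
    "FortiOS 6.0 all versions",
    "FortiOS 7.4.0 through 7.4.7",
    "FortiPAM 1.5.0",
]

_ALL = re.compile(r"^(?P<product>.+?)\s+(?P<branch>\d+(?:\.\d+)*)\s+all versions$")
_RANGE = re.compile(
    r"^(?P<product>.+?)\s+(?P<lo>\d+(?:\.\d+)*)"
    r"(?:\s+(?:through|–|-)\s+(?P<hi>\d+(?:\.\d+)*))?$"
)


def parse_version(text):
    """'7.4.10' -> (7, 4, 10); tuples compare component-wise, so 7.4.10 > 7.4.7."""
    return tuple(int(part) for part in text.split("."))


def parse_entry(entry):
    """Return (product, low, high); high is None for an 'all versions' branch."""
    m = _ALL.match(entry)
    if m:
        return m["product"], parse_version(m["branch"]), None
    m = _RANGE.match(entry)
    if not m:
        raise ValueError(f"unrecognised affected-version entry: {entry!r}")
    low = parse_version(m["lo"])
    high = parse_version(m["hi"]) if m["hi"] else low  # single build: lo == hi
    return m["product"], low, high


def is_affected(product, version, entries=AFFECTED):
    """True if `version` of `product` is covered by any entry in `entries`."""
    v = parse_version(version)
    for entry in entries:
        prod, low, high = parse_entry(entry)
        if prod.lower() != product.lower():
            continue
        if high is None:
            # "6.0 all versions": any build whose leading components equal the branch.
            if v[: len(low)] == low:
                return True
        elif low <= v <= high:
            return True
    return False


def triage(inventory, entries=AFFECTED):
    """Map (product, version) pairs from an asset inventory to affected/not."""
    return {f"{p} {ver}": is_affected(p, ver, entries) for p, ver in inventory}
```

Product names are compared whole, so "FortiManager" and "FortiManager Cloud" are distinct entries, as they are in the advisory.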
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
– Apply the stable channel update provided by Fortinet to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
– Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
References
Fortinet:
https://fortiguard.fortinet.com/psirt
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://fortiguard.fortinet.com/psirt/FG-IR-25-173
https://fortiguard.fortinet.com/psirt/FG-IR-24-473
https://fortiguard.fortinet.com/psirt/FG-IR-23-209
https://fortiguard.fortinet.com/psirt/FG-IR-24-364
https://fortiguard.fortinet.com/psirt/FG-IR-24-042
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53744

Comment Now: Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments

The NIST National Cybersecurity Center of Excellence has developed the draft NIST Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments. The cybersecurity considerations in this two-pager are intended to help operational technology (OT) operators and manufacturers use Universal Serial Bus (USB) devices securely.

Portable storage media can be used to transfer data physically to and from OT environments. USB storage devices are convenient, but their use poses potential cybersecurity risks for organizations that utilize them in their OT environments. Organizations can reduce these risks with secure physical and logical controls on the access, storage, and usage of USB devices. 

The NCCoE created an OT Security Series to provide simplified guidance that will assist organizations in securing their OT systems.

If you have any comments about this paper, and/or recommendations for additional topics that the OT Security Series could cover, please reach out to the NCCoE Manufacturing team via manufacturing_nccoe@nist.gov.

NEW BLOG | Digital Identity Guidelines, Revision 4 is Here!

Cybersecurity Insights (a NIST Blog): Let's get Digital! Updated Digital Identity Guidelines are Here.
NIST just released Special Publication 800-63, Digital Identity Guidelines, Revision 4, which intends to respond to the changing digital landscape that has emerged since the last major revision of this suite was published by NIST in 2017.

The new guidelines explain the process and technical requirements for meeting digital identity assurance levels for identity proofing, authentication, and federation—including requirements for security and privacy, as well as considerations for improved customer experience of digital identity solutions and technology.

There are also many substantial content changes to the entire suite of documents.

Questions? Send us an email: dig-comments@nist.gov.

New Blog and Pre-Recorded Session Now Available! NCCoE Cyber AI Profile Virtual Series

Check out the recently published NIST Cybersecurity Insights Blog: Reflections from the First Cyber AI Profile Workshop, covering the key takeaways from the April 2025 Cyber AI Profile Workshop.

The purpose of this workshop was to gather community feedback on the Cybersecurity and AI Workshop Concept Paper to inform the direction and contents of the Cyber AI Profile. The team is currently working to publish a workshop summary – in the interim, this blog shares a preview of what they heard during this event.

Review the Pre-Recorded Session in Advance of Virtual Series

The NIST NCCoE team has generated a pre-recorded video to help you prepare to participate in the virtual working sessions – you’re encouraged to listen to the recording in advance of the session(s) you plan to participate in so that you’re prepared for a productive discussion. The recording covers:

  • Introduction to the NCCoE
  • Background and Purpose of the Cyber AI Profile
  • Overviews of the NIST Cybersecurity Framework (CSF) and Community Profiles
  • Summary of Feedback in Early 2025
  • Working Session Approach
  • Resources

Each session in this series will explore one of the three Focus Areas planned for the Cyber AI Profile:

Session    | Topic                               | Date/Time
Session #1 | Securing AI System Components       | August 5, 2025 / 1:00 – 4:00 P.M. EDT
Session #2 | Conducting AI-enabled Cyber Defense | August 19, 2025 / 1:00 – 4:00 P.M. EDT
Session #3 | Thwarting AI-enabled Cyber Attacks  | September 2, 2025 / 1:00 – 4:00 P.M. EDT

Who Should attend?

These events are open to the public. We encourage cybersecurity and AI leaders from industry, academia, and government to share expertise on cybersecurity for AI and AI for cybersecurity. Please come ready to share your knowledge and insights during these interactive working sessions!

Visit the NCCoE event session pages to learn more. We welcome you to register for any session topic you’re interested in discussing. Attendance for each event is limited to 500 participants.

Active Exploitation of SonicWall VPNs

Over the last several days, SonicWall issued an advisory of a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSL VPN is enabled. A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass multi-factor authentication (MFA) and deploy ransomware. Threat actors are likely to pivot directly to domain controllers within hours of the initial breach.
SonicWall is actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.
Until further notice, SonicWall strongly advises, where practical, disabling the VPN service immediately and applying other mitigations in the advisory to reduce exposure while SonicWall continues its investigation.
References
SonicWall:
https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Huntress:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn

BleepingComputer:
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-disable-sslvpn-amid-rising-attacks/

Cyber Criminals Target Vendor Portals Belonging to US Government and Academic Entities to Steal Payments Intended for Vendors

The Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this Joint White Paper to raise awareness of cyber threat actors (CTAs) activity targeting vendor accounts within vendor portals belonging to US state, local, tribal, and territorial (SLTT) government or public entities, as well as school districts and higher-education institutions.
The FBI refers to these incidents as vendor account compromises (VACs). Since 2023, the FBI has recorded an uptick in the number of unique threat actor groups conducting VACs. This uptick appears to be in part due to CTAs’ increased awareness of the extent to which government and academic entities rely on online systems for conducting business and managing payment information. These CTAs use a mix of social engineering and exploitation of portal authentication measures to gain unauthorized access to vendor accounts, with the goal of manipulating vendor records and redirecting vendor payments. Increased cyber actor adoption of this scheme for stealing vendor payments poses an increased risk, as successful VACs can result in millions or tens of millions of lost dollars.
The FBI and MS-ISAC encourage organizations that use their own public-facing vendor portals, specifically federal and SLTT government entities, along with educational institutions, to implement the recommendations in the mitigations section of this Joint White Paper to reduce the likelihood and impact of VAC incidents. The FBI and MS-ISAC also encourage these same organizations to educate both their information technology teams and finance and procurement teams on the VAC threat and the mitigations, as collaboration between these teams is integral to vendor portal security.
This Joint White Paper includes an overview of the VAC threat, a walkthrough of typical steps of VAC incidents, characteristics of VAC actors, and ways to mitigate the VAC threat.

CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization

The Cybersecurity and Infrastructure Security Agency (CISA) and US Coast Guard (USCG) are issuing this Joint Cybersecurity Advisory to present findings from a recent CISA and USCG hunt engagement. The purpose of this advisory is to highlight identified cybersecurity issues, thereby informing security defenders in other organizations of potential similar issues and encouraging them to take proactive measures to enhance their cybersecurity posture.
CISA led a proactive hunt engagement at a US critical infrastructure organization with the support of USCG analysts. During hunts, CISA proactively searches for evidence of malicious cyber activity or threat actor presence on customer networks. The organization invited CISA to conduct a proactive hunt to determine if a threat actor had been present in the organization’s environment.
During this engagement, CISA did not identify evidence of malicious cyber activity or threat actor presence on the organization’s network, but did identify cybersecurity risks.
In coordination with the organization where the hunt was conducted, CISA and USCG are sharing cybersecurity risk findings and associated mitigations to assist other critical infrastructure organizations with improving their cybersecurity posture. Recommendations are listed for each of CISA's findings, as well as general practices to strengthen cybersecurity for OT environments. These mitigations align with CISA and the National Institute of Standards and Technology's (NIST) Cross-Sector Cybersecurity Performance Goals and with mitigations provided in the USCG Cyber Command's 2024 Cyber Trends and Insights in the Marine Environment Report.
Although no malicious activity was identified during this engagement, critical infrastructure organizations are advised to review and implement the mitigations listed in this advisory to prevent potential compromises and better protect our national infrastructure. These mitigations are listed in order of importance.

Surge in Cryptocurrency Scams

The NJCCIC received reports of a surge in cryptocurrency scams in the past month. These scams aim to steal personally identifiable information (PII), private keys, wallet addresses, and funds. In fraudulent investment schemes, threat actors impersonate legitimate organizations, experienced investment advisors, or registered professionals as part of an investment group. They send unsolicited requests to convince their targets to deposit funds on fraudulent platforms with lures of high-yield, quick-return investments, gold trading, mining, and electric scooter rentals. Weeks or months later, the targets cannot withdraw funds from the fraudulent platforms, or they do not receive the promised payment on their investments. The reported losses from these fraudulent investment schemes ranged from approximately $2,500 to $310,000.
Threat actors also impersonate cryptocurrency platforms, such as Coinbase, in unsolicited emails, text messages, and phone calls. These scams create urgency with claims of compromised accounts, security concerns, and suspicious logins or account activity. Also, unsuspecting targets may search for legitimate customer service phone numbers, potentially revealing "poisoned" search results. If they take further action to "resolve" the urgent issue, the threat actors claim to require account verification or authentication. Once the targets divulge sensitive information and their private keys, funds are transferred to threat actor-controlled cryptocurrency wallets. The reported losses from these scams ranged from approximately $1,300 to $274,000.
Recommendations
Do your research when purchasing cryptocurrency and look for reputable sources. Check for reviews and performance history.
Never invest more than you can afford to lose.
Avoid clicking links, opening attachments, responding to, or acting on unsolicited communications.
Independently verify unsolicited offers and do not release any personally identifying information, financial details, or funds until you have confirmed the legitimacy of the offer.
Always refrain from sharing your private key or seed phrase with anyone. Keep systems and apps up to date.
Report these scams and malicious cyber activity to the NJCCIC, the FBI's IC3, and the FTC.
If victimized, monitor bank accounts, credit profiles, and other online accounts for any irregularities or suspicious behavior. 
Review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources, including credit freezes and enabling MFA on accounts.
Review the NJCCIC Cryptocurrency Scams webpage for additional information, recommendations, and resources.