Category: XP

Date/Time: January 14, 2026 | 9:00 a.m. – 5:00 p.m. EST

Location: The MITRE Corporation, 7525 Colshire Drive, McLean, VA, 22102

Join the NIST National Cybersecurity Center of Excellence (NCCoE) on January 14, 2026 for a hybrid workshop to discuss the preliminary draft NIST IR 8596, Cybersecurity Framework Profile for Artificial Intelligence (Cyber AI Profile) and hear updates regarding the SP 800-53 Control Overlays for Securing AI Systems (COSAiS).

Register now to attend in-person or virtually and influence the development of the NIST Cyber AI Profile.

Background

Working with the cybersecurity and AI communities, the NCCoE has published a preliminary Cyber AI Profile to help organizations strategically adopt AI while addressing and prioritizing cybersecurity risks stemming from its advancements.

Workshop Details

This workshop will feature presentations in the morning, followed by breakout sessions in the afternoon. The breakout sessions will allow in-person attendees to engage with the NIST Cyber AI Profile team and discuss the preliminary draft of the Profile more in-depth. Note: The virtual portion of this workshop will conclude after the morning presentations.

We encourage you to review the Profile in advance of this workshop – your feedback is crucial in shaping the next and final version of this publication. For more information regarding the workshop and breakout session discussion topics, please visit the event page.

The comment period for the Cyber AI Profile is open through January 30, 2026.

Visit the NCCoE project page for more information on how to submit comments.

Register Now!

The NJCCIC detected a new telephone-oriented attack delivery (TOAD) campaign. Unlike most phishing attempts, TOAD attacks do not include malicious attachments or URLs in their initial messages. The aim of the message is to trick an unwary user into calling the provided number. Upon receiving a call, threat actors employ further social engineering tactics to convince a target to install malware, grant full remote control, or enter credentials on a malicious webpage.

The threat actors behind this campaign impersonate PayPal order receipts for Bitcoin, using the PayPal logo and transaction details to make the email appear legitimate. Currently, they make no attempts to obfuscate the sender’s email address, which is a red flag for malicious emails. Finally, the email includes a contact phone number and a 24-hour deadline to dispute the transaction, creating a sense of urgency to prevent victims from realizing that something is amiss.

Recommendations

Facilitate user awareness training to include these types of phishing-based techniques. Confirm requests from senders via contact information obtained from verified and official sources. Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks. Ensure multi-factor authentication (MFA) is enabled for all online accounts. If you suspect an account has been compromised, change the account’s password immediately and add a secondary authentication method. Report other malicious cyber activity to the NJCCIC and the FBI’s IC3.

Threat actors often impersonate IT support to deceive their targets into disclosing account credentials and installing malware. They usually lure with urgent emails related to account issues, such as expired passwords, full mailboxes, and security alerts. Threat actors send emails containing fraudulent links, malicious attachments, or fake phone numbers to initiate data theft or gain remote access to compromise systems and networks. Key red flags include urgent threats, generic greetings, mismatched senders, and requests for sensitive information

The NJCCIC observed an IT help desk scam targeting New Jersey public sector organizations, including New Jersey State employees and educational institutions. The phishing email’s display name shows “INFORMATION_SERVICES,” implying an internal communication. However, the email is marked with an external tag and comes from a generic Gmail email address that references Steve Jobs and tech. The subject line invites the target to open a file attachment supposedly from the IT (help) desk, and the email contains a misspelled “[impersonated organization name] Mictosoft Office365.pdf” attachment.

If the attachment is opened, the content displays urgent messaging from the impersonated organization’s IT Help Desk, claiming that the target’s password will expire in 24 hours, and they will lose access to their email if they do not follow the instructions. The threat actors instruct the target to update their password immediately by copying the link to their web browser, signing in, and verifying their identity.

If the target copies the link to their browser, a WordPress phishing page is displayed, prompting them to enter their name, email address, password, and phone number. If submitted, the threat actors capture and steal the account credentials in the background. To bypass multi-factor authentication (MFA) and compromise the account, the threat actors initiate the “verification process” by calling the target and claiming they need to verify their identity. In the background, the threat actors submit the stolen credentials on the official organization’s website or application, which then prompts the MFA code to be sent via phone call or a message to the target’s registered device, or an MFA push notification to be sent for approval. Once the target reveals the code or approves the notification, the threat actors can access the account. This “verification process” is not initiated by the target and is considered a red flag. Legitimate IT help desks will never initiate contact with users via email or over the phone to request or demand sensitive information, passwords, MFA codes, or MFA push notification approvals.

Additionally, impersonation and branding are utilized throughout this campaign, but may not be consistent, possibly due to an error by the threat actors. For some emails, the spoofed organization is not associated with the target’s own organization, logos, IT help desk, or domain name. For example, threat actors spoofed one organization in the attachment, but a different organization appeared on the phishing page.

Recommendations

Exercise caution with unsolicited communications from known senders. Confirm requests from senders by verifying their contact information obtained from trusted and official sources before taking action, such as opening attachments or clicking on links. Hover over links in emails or attachments to view the actual destination URL before clicking. Type official website URLs into browsers manually and only submit sensitive information on official websites. If you receive password resets, MFA codes, or MFA push notifications without initiating the request, ignore the code or deny the request and change the account password immediately via the official organization’s website or application to prevent further login attempts and MFA push notification requests. For organizations, implement monitoring and warning mechanisms to detect suspicious MFA prompt activity. Limit the number of MFA authentication requests per user within a specified time period, if this option is available. If thresholds are exceeded, temporarily lock the account and alert the domain administrator. Keep systems and browsers up to date. Report malicious cyber activity to the NJCCIC and the FBI’s IC3.

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in Cisco AsyncOS, which could allow for remote code execution. AsyncOS is the operating system used by Cisco Secure Email Gateway and Cisco Secure Email and Web Manager. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands with root-level privileges on the underlying operating system.

Threat Intelligence

Cisco confirmed active exploitation of a previously unknown, maximum-severity vulnerability affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances running AsyncOS. The flaw, tracked as CVE-2025-20393, is already being abused in real-world attacks and allows threat actors to gain deep control over affected systems. The Cybersecurity and Infrastructure Security Agency added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog.

Systems Affected

All releases of Cisco AsyncOS Software are affected when both of the following conditions are met: The appliance is configured with the Spam Quarantine feature. The Spam Quarantine feature is exposed to and reachable from the internet. The Spam Quarantine feature is not enabled by default. Deployment guides for these products do not require this port to be directly exposed to the Internet.

Risk

Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Once available, apply appropriate workarounds provided by Cisco to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Reference

Cisco: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sma-attack-N9bf4#Recommendations

View as a Web Page   NICE | advancing cybersecurity education and workforce     December 18, 2025   PROPOSED NICE FRAMEWORK UPDATES FOR PUBLIC COMMENT   The NICE Program Office of the National Institute of Standards and Technology (NIST) is pleased to publish three proposed Work Roles and updates to two Competency Areas of the NICE Workforce Framework for Cybersecurity (NICE Framework). We welcome and encourage comments from all interested stakeholders. The proposals include: Cybersecurity Supply Chain Risk Management Work Role (new OG-WRL-017) Risk Management Work Role (new OG-WRL-018) Learning Program Management Work Role (new OG-WRL-019) Cryptography Competency Area (NF-COM-006) DevSecOps Competency Area (NF-COM-008) These proposed updates reflect the NICE Program Office’s commitment to maintaining the NICE Framework’s relevance to current cybersecurity practices through the active input of subject matter experts as well as the broader community of cybersecurity practitioners and educators.   WE WANT TO HEAR FROM YOU!   NICE welcomes comments on the proposed updates from all interested parties. Comments received by the February 2, 2026 deadline will be acknowledged by email. Comments will be reviewed and adjudicated, and feedback received during this comment period will be used to inform any necessary updates to the relevant proposed Components. Final updates will be incorporated in the next release of the NICE Framework Components. Take the following steps to share your feedback: Visit the NICE Framework Resource Center Public Comments page to access and review the proposed update spreadsheets Submit comments to NICEFramework@nist.gov by 11:59 pm ET on Monday, February 2, 2026 Join the NICE Framework Users Group to participate in community discussions!

Cryptographic (crypto) agility refers to the capabilities needed to replace and adapt cryptographic algorithms in protocols, applications, software, hardware, firmware, and infrastructures while preserving security and ongoing operations. The transition to post-quantum cryptography (PQC) has highlighted significant challenges to adapting applications to new algorithms.

This final version of Cybersecurity White Paper (CSWP) 39, Considerations for Achieving Crypto Agility: Strategies and Practices, describes current approaches to operational mechanisms for crypto agility, challenges, trade-offs, and working areas for future consideration. The invaluable comments received on the initial and second public drafts helped improve many aspects of this document. Additionally, stakeholder discussions during the Crypto Agility Workshop in April 2025 helped identify strategies, frameworks, requirements, and metrics for various sectors and environments.

This publication is intended to be a new starting point to pursue crypto agility by developing environment-specific and actionable mechanisms. NIST remains committed to supporting collaboration and continued progress in this space.

Read More

This Malware Analysis Report was originally published on December 4 to share indicators of compromise (IOCs) and detection signatures for BRICKSTORM malware. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) updated this Malware Analysis Report with IOCs and detection signatures for three additional BRICKSTORM samples.

CISA, NSA, and Cyber Centre assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors. BRICKSTORM is a sophisticated backdoor for VMware vSphere (specifically VMware vCenter servers and VMware ESXI) and Windows environments.

The cyber actors have been observed targeting VMware vSphere platforms. Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs. See CISA’s Alert PRC State-Sponsored APT Actors Employ BRICKSTORM Malware Across Public Sector and Information Technology.

CISA analyzed 11 BRICKSTORM samples obtained from victim organizations, including an organization where CISA conducted an incident response engagement. (CISA initially analyzed eight samples, this update includes analysis of three additional samples.)

At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server. They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys. The cyber actors used BRICKSTORM for persistent access from at least April 2024 through at least September 3, 2025.

CISA, NSA, and Cyber Centre recommend organizations implement the mitigations listed in the report to improve their cybersecurity posture based on the cyber actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals 2.0 (CPG 2.0) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPG 2.0 webpage for more information on the CPGs, including additional recommended baseline protections.

Hands Off my Tokens! NIST Seeks Comments on the Initial Public Draft of NIST Interagency Report 8587, Protecting Tokens and Assertions from Forgery, Theft, and Misuse through January 30, 2026.

What is in the Report?

Developed in coordination with CISA’s Joint Cyber Defense Collaborative and in response to Executive Order 14144, Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Order 13694, NIST Interagency Report (IR) 8587 provides implementation guidance to help federal agencies and cloud service providers (CSPs) protect identity tokens and assertions from forgery, theft, and misuse.

Building on updates to NIST SP 800-53, the report outlines principles for CSPs and consuming agencies, details architectural considerations for identity providers and authorization servers, and recommends enhancements to key management, token verification, and lifecycle controls. The report also addresses threats demonstrated in recent high-profile attacks, emphasizes the importance of secure and configurable cloud services, and provides technical recommendations to safeguard single sign-on, federation, and application programming interface (API) access scenarios.

What kind of input is NIST seeking?

As an initial public draft, NIST IR 8587 is intended to gain critical feedback from stakeholders across government and industry. While comments are welcome and encouraged on all aspects of this document, NIST is particularly interested in the following five feedback areas:

1. Signing Key Validity Periods. Feedback on the length of validity, the structure of the scenarios, and any additional feedback reviewers may have.
2. Token Validity Periods. Opinions on token validity lengths and compensating controls that may impact commenters, particularly their availability, adoption, and use in government systems.
3. Key Protection and Isolation. Feedback on the clarity and suitability of key management definitions and whether they are appropriately mapped to FISMA system classification levels.
4. Key Scoping. Sharing of operational considerations, implementation challenges, and best practices that could strengthen these recommendations.
5. Emerging Standards. Comments about emerging standards and protocols that might support the technical achievement of token and assertion protection outcomes (e.g., Demonstrated Proof-of-Possession, Global Revocation).

The public comment period is open through January 30, 2026.

Please submit your comments and share your feedback with us via email at iam@list.nist.gov.Read More

This Joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, Joint Fact Sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.

FBI, CISA, National Security Agency (NSA), US and International partners—hereafter referred to as the authoring organizations—are releasing this joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists.

The authoring organizations assess pro-Russia hacktivist groups are conducting less sophisticated, lower impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.

The authoring organizations encourage critical infrastructure organizations to implement the recommendations in the mitigations section of this advisory to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. For additional information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Threat Overview and Advisories webpage.

Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution.

• Adobe ColdFusion is a rapid web application development platform that uses the ColdFusion Markup Language (CFML).
• Adobe Experience Manager (AEM) is a content management and experience management system that helps businesses build and manage their digital presence across various platforms.
• The Adobe DNG Software Development Kit (SDK) is a free set of tools and code from Adobe that helps developers add support for Adobe’s Digital Negative (DNG) universal RAW file format into their own applications and cameras, enabling them to read, write, and process DNG images, solving workflow issues and improving archiving for digital photos.
• Adobe Acrobat is a suite of paid tools for creating, editing, converting, and managing PDF documents.
• The Adobe Creative Cloud desktop app is the central hub for managing all Adobe creative applications, files, and assets.

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Creative Cloud Desktop Application 6.4.0.361 and earlier versions
• ColdFusion 2025 Update 4 and earlier versions
• ColdFusion 2023 Update 16 and earlier versions
• ColdFusion 2021 Update 22 and earlier versions
• Adobe Experience Manager (AEM) AEM Cloud Service Release 2025.12 
• Adobe Experience Manager (AEM) 6.5 LTS SP1 (GRANITE-61551 Hotfix)           
• Adobe Experience Manager (AEM) 6.5.24   
• AEM Cloud Service (CS) 6.5 LTS
• AEM Cloud Service (CS) 6.5 6.5.23 and earlier versions
• Adobe DNG Software Development Kit (SDK) DNG SDK 1.7.0 and earlier versions
• Acrobat DC 25.001.20982 and earlier versions
• Acrobat Reader DC 25.001.20982 and earlier versions
• Acrobat 2024 24.001.30264 and earlier versions for Windows, 24.001.30273 and earlier versions for MAC
• Acrobat 2020 20.005.30793 and earlier versions for Windows, 20.005.30803 and earlier versions for MAC
• Acrobat Reader 2020 20.005.30793 and earlier versions for Windows, 0.005.30803 and earlier versions for MAC

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows 

Tactic: Execution (TA0002)
Technique: Exploitation for Client Execution (T1203):

Adobe ColdFusion:
Unrestricted Upload of File with Dangerous Type (CVE-2025-61808)
Improper Input Validation (CVE-2025-61809, CVE-2025-61812, CVE-2025-61822)
Deserialization of Untrusted Data (CVE-2025-61830, CVE-2025-61810)
Improper Access Control (CVE-2025-61811, CVE-2025-64897)
Improper Restriction of XML External Entity Reference (‘XXE’) (CVE-2025-61813, CVE-2025-61821, CVE-2025-61823)
Insufficiently Protected Credentials (CVE-2025-64898)

Adobe Experience Manager:

• Cross-site Scripting (DOM-based XSS) (CVE-2025-64537, CVE-2025-64539, CVE-2025-64540, CVE-2025-64542, CVE-2025-64543, CVE-2025-64544, CVE-2025-64545, CVE-2025-64550, CVE-2025-64551, CVE-2025-64560, CVE-2025-64562, CVE-2025-64563, CVE-2025-64564, CVE-2025-64565, CVE-2025-64569, CVE-2025-64583, CVE-2025-64887, CVE-2025-64888)
• Cross-site Scripting (Stored XSS) (CVE-2025-64541, CVE-2025-64546, CVE-2025-64547, CVE-2025-64548, CVE-2025-64549, CVE-2025-64552, CVE-2025-64553, CVE-2025-64554, CVE-2025-64555, CVE-2025-64556, CVE-2025-64557, CVE-2025-64558, CVE-2025-64559, CVE-2025-64572, CVE-2025-64574, CVE-2025-64575, CVE-2025-64576, CVE-2025-64577, CVE-2025-64578, CVE-2025-64579, CVE-2025-64580, CVE-2025-64581, CVE-2025-64582, CVE-2025-64585, CVE-2025-64586, CVE-2025-64590, CVE-2025-64591, CVE-2025-64592, CVE-2025-64593, CVE-2025-64594, CVE-2025-64596, CVE-2025-64597, CVE-2025-64598, CVE-2025-64599, CVE-2025-64600, CVE-2025-64601, CVE-2025-64602, CVE-2025-64603, CVE-2025-64604, CVE-2025-64605, CVE-2025-64606, CVE-2025-64607, CVE-2025-64609, CVE-2025-64610, CVE-2025-64611, CVE-2025-64612, CVE-2025-64614, CVE-2025-64615, CVE-2025-64616, CVE-2025-64619, CVE-2025-64620, CVE-2025-64622, CVE-2025-64623, CVE-2025-64626, CVE-2025-64627, CVE-2025-64789, CVE-2025-64790, CVE-2025-64791, CVE-2025-64792, CVE-2025-64793, CVE-2025-64794, CVE-2025-64796, CVE-2025-64797, CVE-2025-64799, CVE-2025-64800, CVE-2025-64801, CVE-2025-64802, CVE-2025-64803, CVE-2025-64804, CVE-2025-64808, CVE-2025-64814, CVE-2025-64817, CVE-2025-64820, CVE-2025-64821, CVE-2025-64822, CVE-2025-64823, CVE-2025-64825, CVE-2025-64826, CVE-2025-64827, CVE-2025-64829, CVE-2025-64833, CVE-2025-64839, CVE-2025-64840, CVE-2025-64841, CVE-2025-64845, CVE-2025-64847, CVE-2025-64850, CVE-2025-64852, CVE-2025-64853, CVE-2025-64857, CVE-2025-64858, CVE-2025-64860, CVE-2025-64861, CVE-2025-64863, CVE-2025-64869, CVE-2025-64872, CVE-2025-64873, CVE-2025-64875, CVE-2025-64881)

Adobe DNG Software Development Kit (SDK):

• Integer Overflow or Wraparound (CVE-2025-64783)
• Heap-based Buffer Overflow (CVE-2025-64784)
• Out-of-bounds Read (CVE-2025-64893)
• Integer Overflow or Wraparound (CVE-2025-64894)

Adobe Acrobat and Reader:

• Untrusted Search Path (CVE-2025-64785)
• Out-of-bounds Read (CVE-2025-64899)
• Improper Verification of Cryptographic Signature (CVE-2025-64786, CVE-2025-64787)

Adobe Creative Cloud Desktop Application:

• Creation of Temporary File in Directory with Incorrect Permissions (CVE-2025-64896)

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply the stable channel update provided by Adobe to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 2.3: Address Unauthorized Software: Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
  • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway.
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
• Block execution of code on a system through application control, and/or script blocking. (M1038:Execution Prevention)
  • Safeguard 2.5: Allowlist Authorized Software: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
  • Safeguard 2.6: Allowlist Authorized Libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
  • Safeguard 2.7: Allowlist Authorized Scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
  • Safeguard 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Adobe:
https://helpx.adobe.com/security/Home.html
https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
https://helpx.adobe.com/security/products/dng-sdk/apsb25-118.html
https://helpx.adobe.com/security/products/acrobat/apsb25-119.html
https://helpx.adobe.com/security/products/creative-cloud/apsb25-120.html

CVE: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61814