NIST Releases NIST SP 800-171, R3 Small Business Primer

NIST SP 800-171, R3,  Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems, is a set of recommended security requirements for protecting the confidentiality of CUI.

NIST has released a supplementary small business primer to SP 800-171, R3 to help smaller, under-resourced organizations better protect CUI. 

Key Highlights Include:

  • A foundational overview of SP 800-171, R3.
  • Considerations to be mindful of as organizations begin implementing the requirements in SP 800-171, R3.
  • An emphasis on the important relationship between SP 800-171 and SP 800-171A.
  • A list of frequently asked questions and their answers.
  • Key differences between SP 800-171 Revision 2 and Revision 3.
  • Tips to help those tasked with implementing SP 800-171 get started.
  • Additional resources that small businesses can put into action.
  • Concepts and language that can be used when seeking support from internal or external cybersecurity teams.

Who is it for?  

The document is separated into two sections to accommodate various audiences.

  • Pages 1-6 are designed to provide a brief overview of SP 800-171. This is designed for anyone, not just small business owners, who may need a general overview of 800-171.
  • Pages 7-27 are for those who are tasked with managing the implementation of SP 800-171, R3. It is not all-encompassing, but it does provide tips and resources to help with getting started with each of the 17 control families. This section serves as a bridge to the larger SP 800-171 publication.

This is the first part of an effort to begin breaking down components of 800-171, R3 for the small business community. Future resources will expand upon the primer’s content.

View the Primer

Microsoft.Source | New AI tools, code samples, and developer events.

Microsoft.Source Newsletter | Issue 74

In this issue, explore GitHub Copilot customizations, get started with Model Context Protocol (MCP), and find tools and events to support your AI development.

Watch now: How Microsoft Engineers Build AI: in-depth conversations with Microsoft engineers as they build and scale AI agents. Explore real-world challenges, reusable implementation patterns, and practical strategies to apply to your own projects.

Featured

  • Tune in to Model Mondays: Join these weekly deep dives into model selection. Each session explores a specific model, tool, or technique such as MCP, AI agents, and RAG offering practical insights on choosing the right model for your use-case.

What’s New

  • 10 Microsoft MCP servers that streamline daily dev tasks: Explore Microsoft’s top MCP servers and how each can improve developer productivity.
  • GitHub Copilot customizations repository: Share and adapt prompt templates, custom instructions, and chat configurations built by the developer community.
  • Build AI apps with Azure Database for PostgreSQL: In this four-part series, learn how to orchestrate agents, enhance search accuracy, and integrate Azure AI services using the AI capabilities of Azure Database for PostgreSQL.

Events

  • Azure Dev Summit / October 13-16 / Lisbon: Join the premier European event for developers, tech leaders, and AI experts working with Azure, .NET, and Microsoft AI. Use code MSADSCT200 for €200 off.
  • Microsoft AI Tour / Multiple cities and dates: The Microsoft AI Tour is free and coming to a city near you. Join for hands-on sessions, expert guidance, and the latest tools.
  • Let’s learn about the Model Context Protocol (MCP) series: Get started building your first MCP server with this beginner-friendly workshop, available in 8 languages and 4 code bases.
  • GitHub Universe / October 28-29 / San Francisco: Explore how AI agents, automation, and tools can bring your ideas to life through workshops, panels, and interactive product demos.
  • Europe FabCon / September 15-18 / Vienna, Austria: Be part of FabCon in Europe. Gain hands-on experience with AI-powered data and analytics tools. Plus, connect with Fabric peers and leaders.

Learning

  • Build your retrieval-augmented generation skills: Learn how to improve the accuracy, reliability, and flexibility of your AI models using retrieval-augmented generation (RAG) in this six-part video series.
  • AI Show: There’s no reason not to fine-tune: See how to fine-tune foundation models in Azure AI Foundry to optimize performance, reduce costs, or support agentic behavior.
  • Enhance your .NET MAUI apps with multimodal AI capabilities: Follow the Telepathic sample app to learn how to extract information from images and automatically generate projects and tasks.

Multiple Vulnerabilities in Commvault Backup & Recovery Could Allow for Remote Code Execution – PATCH NOW

Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which when chained together, could allow for remote code execution. Commvault Backup & Recovery is a comprehensive data protection solution that offers a range of services for safeguarding data across various environments, including on-premises, cloud, and hybrid setups. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, escalate privileges, run arbitrary commands, and potentially drop a JSP webshell.

THREAT INTELLIGENCE:
Researchers from watchTowr Labs have posted a detailed write-up about the vulnerabilities on their website.

SYSTEMS AFFECTED:

  • Commvault versions 11.32.0 – 11.32.101 for Linux and Windows.
  • Commvault versions 11.36.0 – 11.36.59 for Linux and Windows.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium 

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Commvault Backup & Recovery, which could allow for remote code execution.  Details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):

  • A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk. (CVE-2025-57788)
  • During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured. (CVE-2025-57789)
  • A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution. (CVE-2025-57790)
  • A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low privilege role. (CVE-2025-57791)

The vulnerabilities can be exploited as part of two separate remote code execution (RCE) chains. One chain works only if the built-in admin password hasn’t been changed since installation, and relies on exploiting CVE-2025-57788 (for bypassing authentication), CVE-2025-57789 (to escalate privileges), and CVE-2025-57790 to achieve RCE. The second chain, which works against any unpatched Commvault instance, uses CVE-2025-57791 to bypass authentication and CVE-2025-57790 for RCE (by injecting a webshell).

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate updates provided by Commvault to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
    • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.

REFERENCES:

Commvault:
https://documentation.commvault.com/securityadvisories/CV_2025_08_1.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_2.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_3.html
https://documentation.commvault.com/securityadvisories/CV_2025_08_4.html

Help Net Security:
https://www.helpnetsecurity.com/2025/08/20/commvault-backup-suite-vulnerabilities-fixed/
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57789
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57790
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57791

NIST Releases Control Overlays for Securing AI Systems Concept Paper

NIST has released a concept paper and proposed action plan for developing a series of NIST SP 800-53 Control Overlays for Securing AI Systems, as well as launching a Slack channel for this community of interest.

The concept paper outlines proposed AI use cases for the control overlays to manage cybersecurity risks in the use and development of AI systems, and next steps. The use cases address generative AI, predictive AI, single and multi-agent AI systems, and controls for AI developers. NIST is interested in feedback on the concept paper and proposed action plan, and invites all interested parties to join the NIST Overlays for Securing AI (#NIST-Overlays-Securing-AI) Slack channel.

Through the Slack channel, stakeholders can contribute to the development of these overlays, get updates, engage in facilitated discussions with the NIST principal investigators and other subgroup members, and provide real-time feedback and comments. 

Learn more about the Control Overlays for AI Project, Slack space, and how to join the Slack channel at https://csrc.nist.gov/projects/cosais.

Read More

Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account, threat actors could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Fortinet is aware that CVE-2025-25256 has been exploited in the wild.
Systems Affected
– FortiSIEM 5.4 all versions
– FortiSIEM 6.1 all versions
– FortiSIEM 6.2 all versions
– FortiSIEM 6.3 all versions
– FortiSIEM 6.4 all versions
– FortiSIEM 6.5 all versions
– FortiSIEM 6.6 all versions
– FortiSIEM 6.7.0 through 6.7.9
– FortiSIEM 7.0.0 through 7.0.3
– FortiSIEM 7.1.0 through 7.1.7
– FortiSIEM 7.2.0 through 7.2.5
– FortiSIEM 7.3.0 through 7.3.1
– FortiManager 6.2 all versions
– FortiManager 6.4 all versions
– FortiManager 7.0.0 through 7.0.13
– FortiManager 7.2.0 through 7.2.9
– FortiManager 7.4.0 through 7.4.5
– FortiManager 7.6.0 through 7.6.1
– FortiManager Cloud 6.4 all versions
– FortiManager Cloud 7.0.1 through 7.0.13
– FortiManager Cloud 7.2.1 through 7.2.9
– FortiManager Cloud 7.4.1 through 7.4.5
– FortiOS 6.0 all versions
– FortiOS 6.2.0 through 6.2.16
– FortiOS 6.4 all versions
– FortiOS 7.0 all versions
– FortiOS 7.2 all versions
– FortiOS 7.4.0
– FortiOS 7.4.0 through 7.4.7
– FortiOS 7.6.0 through 7.6.2
– FortiPAM 1.0 all versions
– FortiPAM 1.1 all versions
– FortiPAM 1.2 all versions
– FortiPAM 1.3 all versions
– FortiPAM 1.4.0 through 1.4.2
– FortiPAM 1.5.0
– FortiProxy 2.0 all versions
– FortiProxy 7.0 all versions
– FortiProxy 7.2 all versions
– FortiProxy 7.4.0 through 7.4.1
– FortiProxy 7.4.0 through 7.4.2
– FortiProxy 7.4.0 through 7.4.3
– FortiProxy 7.6.0 through 7.6.2
– FortiSwitchManager 7.0.0 through 7.0.3
– FortiSwitchManager 7.2.0 through 7.2.3
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Recommendations
– Apply the stable channel update provided by Fortinet to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
– Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
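
To act on the "Systems Affected" lists in the Commvault and Fortinet advisories above, the following added example (not part of either advisory or of any vendor tooling) parses affected-version lines in the wording those advisories use and checks an asset inventory against them. The inventory entries, the function names, and the conservative handling of version strings that are shorter or longer than the advisory's are assumptions of this example.

```python
import re
from typing import NamedTuple

# Affected-version lines as worded in the Commvault and Fortinet advisories
# above (only a few of the Fortinet entries, to keep the sample short).
ADVISORY_LINES = """\
Commvault versions 11.32.0 – 11.32.101 for Linux and Windows.
Commvault versions 11.36.0 – 11.36.59 for Linux and Windows.
FortiSIEM 6.6 all versions
FortiSIEM 7.3.0 through 7.3.1
FortiManager Cloud 7.0.1 through 7.0.13
FortiOS 7.4.0 through 7.4.7
FortiPAM 1.5.0
"""

# Constructed inventory (hypothetical hosts): (hostname, product, version).
INVENTORY = [
    ("backup01", "Commvault", "11.36.59"),
    ("backup02", "Commvault", "11.36.60"),
    ("siem01", "FortiSIEM", "6.6.3"),
    ("fw-edge", "FortiOS", "7.4.8"),
    ("fmg-cloud", "FortiManager Cloud", "7.0"),  # patch level not recorded
]

VERSION = r"\d+(?:\.\d+)*"
# "<product> [versions] <low> [through|–|- <high>]" or "<product> <x.y> all versions"
LINE_RE = re.compile(
    rf"^(?P<product>.+?)\s+(?:versions\s+)?(?P<lo>{VERSION})"
    rf"(?:\s+(?:through|–|-)\s+(?P<hi>{VERSION})|\s+all versions)?"
)


class Rule(NamedTuple):
    product: str   # lower-cased product name
    lo: tuple      # lowest affected version
    hi: tuple      # highest affected version (== lo for "all versions")
    text: str      # the advisory line, kept for reporting


def to_tuple(version):
    """Turn the leading dotted number of a version string into an int tuple."""
    m = re.match(VERSION, version.strip())
    if not m:
        raise ValueError(f"no numeric version in {version!r}")
    return tuple(int(part) for part in m.group().split("."))


def parse_rules(lines):
    rules = []
    for line in lines.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        lo = to_tuple(m["lo"])
        hi = to_tuple(m["hi"]) if m["hi"] else lo
        rules.append(Rule(m["product"].lower(), lo, hi, line))
    return rules


def matching_rules(rules, product, version):
    """Return the advisory lines that cover this product and version."""
    v = to_tuple(version)
    hits = []
    for r in rules:
        if r.product != product.lower():
            continue
        # Compare at the coarsest precision available. "6.6 all versions"
        # then covers 6.6.3, extra build components are ignored, and an
        # inventory entry that records only "7.0" is flagged for review
        # rather than silently passed (assumption: prefer false positives).
        n = min(len(v), len(r.lo), len(r.hi))
        if r.lo[:n] <= v[:n] <= r.hi[:n]:
            hits.append(r.text)
    return hits


def audit(inventory, rules):
    return {host: matching_rules(rules, product, version)
            for host, product, version in inventory}


if __name__ == "__main__":
    for host, hits in audit(INVENTORY, parse_rules(ADVISORY_LINES)).items():
        print(host, "AFFECTED" if hits else "not listed", hits)
```

A host reported as "not listed" only means its version falls outside the ranges quoted here; confirm the fixed release against the vendor advisory before closing the finding.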
References
Fortinet:
https://fortiguard.fortinet.com/psirt
https://fortiguard.fortinet.com/psirt/FG-IR-25-152
https://fortiguard.fortinet.com/psirt/FG-IR-25-173
https://fortiguard.fortinet.com/psirt/FG-IR-24-473
https://fortiguard.fortinet.com/psirt/FG-IR-23-209
https://fortiguard.fortinet.com/psirt/FG-IR-24-364
https://fortiguard.fortinet.com/psirt/FG-IR-24-042
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52964
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25248
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25256
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53744

Comment Now: Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments

The NIST National Cybersecurity Center of Excellence has developed the draft NIST Special Publication (SP) 1334, Reducing the Cybersecurity Risks of Portable Storage Media in OT Environments. The cybersecurity considerations in this two-pager are intended to help operational technology (OT) operators and manufacturers use Universal Serial Bus (USB) devices securely.

Portable storage media can be used to transfer data physically to and from OT environments. USB storage devices are convenient, but their use poses potential cybersecurity risks for organizations that utilize them in their OT environments. Organizations can reduce these risks with secure physical and logical controls on the access, storage, and usage of USB devices. 

The NCCoE created an OT Security Series to provide simplified guidance that will assist organizations in securing their OT systems.

If you have any comments about this paper, and/or recommendations for additional topics that the OT Security Series could cover, please reach out to the NCCoE Manufacturing team via manufacturing_nccoe@nist.gov.

View the Paper

NEW BLOG | Digital Identity Guidelines, Revision 4 is Here!

Cybersecurity Insights, a NIST Blog: Let’s get Digital! Updated Digital Identity Guidelines are Here.
NIST just released Special Publication 800-63, Digital Identity Guidelines, Revision 4, which intends to respond to the changing digital landscape that has emerged since the last major revision of this suite was published by NIST in 2017.

The new guidelines explain the process and technical requirements for meeting digital identity assurance levels for identity proofing, authentication, and federation—including requirements for security and privacy, as well as considerations for improved customer experience of digital identity solutions and technology.

There are also many substantial content changes to the entire suite of documents.

Questions? Send us an email: dig-comments@nist.gov.
Read the Blog

New Blog and Pre-Recorded Session Now Available! NCCoE Cyber AI Profile Virtual Series

Check out the recently published NIST Cybersecurity Insights Blog: Reflections from the First Cyber AI Profile Workshop, covering the key takeaways from the April 2025 Cyber AI Profile Workshop.

The purpose of this workshop was to gather community feedback on the Cybersecurity and AI Workshop Concept Paper to inform the direction and contents of the Cyber AI Profile. The team is currently working to publish a workshop summary – in the interim, this blog shares a preview of what they heard during this event.

View the Blog

Review the Pre-Recorded Session in Advance of Virtual Series

The NIST NCCoE team has generated a pre-recorded video to help you prepare to participate in the virtual working sessions – you’re encouraged to listen to the recording in advance of the session(s) you plan to participate in so that you’re prepared for a productive discussion. The recording covers:

  • Introduction to the NCCoE
  • Background and Purpose of the Cyber AI Profile
  • Overviews of the NIST Cybersecurity Framework (CSF) and Community Profiles
  • Summary of Feedback in Early 2025
  • Working Session Approach
  • Resources

View the Recording

Each session in this series will explore one of the three Focus Areas planned for the Cyber AI Profile:

Session | Topic | Date/Time
Session #1 | Securing AI System Components | August 5, 2025 / 1:00 – 4:00 P.M. EDT
Session #2 | Conducting AI-enabled Cyber Defense | August 19, 2025 / 1:00 – 4:00 P.M. EDT
Session #3 | Thwarting AI-enabled Cyber Attacks | September 2, 2025 / 1:00 – 4:00 P.M. EDT

Who Should Attend?

These events are open to the public. We encourage cybersecurity and AI leaders from industry, academia, and government to share expertise on cybersecurity for AI and AI for cybersecurity. Please come ready to share your knowledge and insights during these interactive working sessions!

Register Now

Visit the NCCoE event session pages to learn more. We welcome you to register for any session topic you’re interested in discussing. Attendance for each event is limited to 500 participants.

Active Exploitation of SonicWall VPNs

Over the last several days, SonicWall issued an advisory describing a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSL VPN is enabled. A likely zero-day vulnerability in SonicWall VPNs is being actively exploited to bypass multi-factor authentication (MFA) and deploy ransomware. Threat actors are likely to pivot directly to domain controllers within hours of the initial breach.
SonicWall is actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.
Until further notice, SonicWall strongly advises, where practical, disabling the VPN service immediately and applying other mitigations in the advisory to reduce exposure while SonicWall continues its investigation.
References
SonicWall:
https://www.sonicwall.com/support/notices/gen-7-sonicwall-firewalls-sslvpn-recent-threat-activity/250804095336430

Huntress:
https://www.huntress.com/blog/exploitation-of-sonicwall-vpn

BleepingComputer:
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-disable-sslvpn-amid-rising-attacks/

Cyber Criminals Target Vendor Portals Belonging to US Government and Academic Entities to Steal Payments Intended for Vendors

The Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this Joint White Paper to raise awareness of cyber threat actor (CTA) activity targeting vendor accounts within vendor portals belonging to US state, local, tribal, and territorial (SLTT) government or public entities, as well as school districts and higher-education institutions.
The FBI refers to these incidents as vendor account compromises (VACs). Since 2023, the FBI has recorded an uptick in the number of unique threat actor groups conducting VACs. This uptick appears to be in part due to CTAs’ increased awareness of the extent to which government and academic entities rely on online systems for conducting business and managing payment information. These CTAs use a mix of social engineering and exploitation of portal authentication measures to gain unauthorized access to vendor accounts, with the goal of manipulating vendor records and redirecting vendor payments. Increased cyber actor adoption of this scheme for stealing vendor payments poses an increased risk, as successful VACs can result in millions or tens of millions of lost dollars.
The FBI and MS-ISAC encourage organizations that use their own public-facing vendor portals, specifically federal and SLTT government entities, along with educational institutions, to implement the recommendations in the mitigations section of this Joint White Paper to reduce the likelihood and impact of VAC incidents. The FBI and MS-ISAC also encourage these same organizations to educate both their information technology teams and finance and procurement teams on the VAC threat and the mitigations, as collaboration between these teams is integral to vendor portal security.
This Joint White Paper includes an overview of the VAC threat, a walkthrough of typical steps of VAC incidents, characteristics of VAC actors, and ways to mitigate the VAC threat.