Tag: AI Vulnerabilities

  • European Union Launches Robust Vulnerability Database as US Faces Cybersecurity Challenges

    The European Union has officially launched its European Vulnerability Database (EUVD), a comprehensive platform aimed at enhancing the management of security flaws that could jeopardize critical information and communications technology (ICT) systems. The launch comes at a time when the United States grapples with budget constraints and uncertainty regarding its own vulnerability monitoring systems.

    Now fully operational, the EUVD is expected to become an essential tool for vulnerability management. According to Juhan Lepassaar, Executive Director of the European Union Agency for Cybersecurity (ENISA), the database will give users of affected ICT products and services transparency and serve as a reliable source of mitigation measures. The project was first announced in June 2024, as a task assigned to ENISA under the EU's revised Network and Information Security Directive (NIS2).

    In stark contrast to the EU’s proactive measures, the US has seen its Common Vulnerabilities and Exposures (CVE) program face funding uncertainties, leading to concerns over the government’s commitment to cybersecurity. Despite last-minute funding renewal from the Cybersecurity and Infrastructure Security Agency (CISA), the future of the CVE program remains in question, especially with a recent decision by CISA to halt the publication of routine alerts on publicly exploited vulnerabilities.

    The EUVD offers three distinct dashboard views tailored for critical vulnerabilities, actively exploited issues, and those coordinated by members of the EU’s Computer Security Incident Response Teams (CSIRTs) network. It sources information from open databases, advisories, and alerts issued by national CSIRTs, along with vendor mitigation guidelines and details concerning exploited vulnerabilities. As ENISA continues its role as a CVE Numbering Authority, the future collaboration and developments concerning the US CVE program remain uncertain.

  • Surge in Vulnerabilities Plagues SonicWall Devices, Heightening Cybersecurity Concerns

    SonicWall, a California-based network security vendor, is dealing with a sharp rise in disclosed vulnerabilities across its devices and software, leaving customers at increased risk of intrusion. The year opened with nine security advisories published on January 7, and the count of publicly disclosed vulnerabilities has since climbed to 20.

    These flaws are also well represented in the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, reflecting how consistently attackers target SonicWall products. According to the authorities tracking exploitation, four SonicWall vulnerabilities have been exploited in the wild this year, bringing the total to 14 since late 2021, eight of which have been used in ransomware campaigns.

    The latest wave includes three vulnerabilities in SonicWall Secure Mobile Access (SMA) appliances (the SMA 100 series and the SMA1000) and a critical flaw in SonicOS: CVE-2023-44221, CVE-2021-20035, CVE-2025-23006, and CVE-2024-53704. They can give an attacker remote code execution or an authentication bypass, and with it control of the affected device.

    In a troubling turn of events, SonicWall recently disclosed three additional vulnerabilities: CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821, impacting the SMA 100 series. Despite SonicWall’s prompt action to release patches for these vulnerabilities, concerns persist that exploitation may have already occurred, as indicated by Ryan Emmons of Rapid7.

    SonicWall, which has not signed CISA's secure-by-design pledge, has announced measures to harden its products, including shipping security features enabled by default on its newest devices. With a large share of the vulnerabilities rooted in ageing technology, the episode illustrates how urgently vendors need to address such weaknesses before they are exploited.

  • New Study Reveals Cloud Vulnerability Disparities Among Providers

    A recent report by CyCognito has uncovered significant discrepancies in the vulnerability rates among major cloud service providers, highlighting that Google Cloud and smaller providers are notably at higher risk compared to Amazon Web Services (AWS) and Microsoft Azure. This research, which analyzes nearly five million internet-exposed assets, underscores the pressing need for improved security measures across cloud infrastructures amidst rising global concerns over cyber threats.

    According to the study, 38% of assets hosted on Google Cloud had at least one security issue, more than double the 15% rate for AWS. Less well-known providers, including Oracle Cloud, DigitalOcean, and Linode, also came in at 38%, and major hosting companies such as GoDaddy and Hetzner at 33%.

    In examining critical vulnerabilities, classified as those registering a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher, Azure exhibited the highest instance among leading cloud platforms at 0.07%. In comparison, both AWS and Google Cloud were at 0.04%. While these figures seem minimal, the sheer volume of assets translates to considerable exposure, indicating that even a slight percentage can lead to hundreds of vulnerable points.

    CyCognito also assessed the ease of exploitation of these vulnerabilities, revealing a stark reality: over 13% of assets on smaller cloud platforms displayed easily exploitable flaws, while the corresponding figure for major hosting providers was close to 10%. Notably, Google Cloud showcased a higher propensity for exploitation, with 5.35% of its assets deemed easy targets – significantly outpacing AWS and Azure.

    Despite the alarming statistics from smaller cloud services, the major providers demonstrated lower overlapping risks, with less than 0.1% of their assets falling into the high-risk category of both critical and easily exploitable vulnerabilities. However, as CyCognito warns, organizations utilizing multiple cloud environments must enhance visibility and ensure that potential weak points do not go unnoticed.

    To combat these vulnerabilities, CyCognito recommends employing advanced security measures beyond conventional inventory techniques, advocating for ‘seedless’ discovery methods to better monitor all assets. Additionally, organizations should implement dynamic security testing post-deployment to effectively mitigate risks associated with cloud misconfigurations and forgotten assets.

  • Future of CVE Program in Jeopardy: Cybersecurity Community Calls for Stability

    The Common Vulnerabilities and Exposures (CVE) Program, a vital resource for cybersecurity professionals, faces uncertainty as the US government retracts its support. For 25 years, this program has provided a standard method for naming and cataloguing vulnerabilities, thereby allowing defenders to communicate and respond effectively to real-world threats.

    The withdrawal of consistent federal funding has sparked concerns throughout the security industry. Although an 11-month extension of funding provides temporary relief, experts are questioning the long-term stability of a program on which the global cybersecurity defense framework relies. In light of this, the pressing issue is how the industry can remain prepared and aligned without this critical resource.

    The CVE program plays an essential role in training and readiness by providing real-world scenarios for cybersecurity practice. As an integral part of purple team exercises, it enhances collaboration between red and blue teams. However, disruptions in the program could lead to outdated defense strategies, undermining the preparedness of cyber teams against evolving threats.

    The potential ripple effect across the cyber ecosystem could be significant, particularly for businesses in sensitive sectors such as healthcare, finance, and energy, where timely response to vulnerabilities is essential. Without the CVE system, cybersecurity efforts may become uncoordinated, exposing organizations to greater risks. Experts are calling for a stable governance model to safeguard the future of the program and are considering new alternatives as the need for consistent threat communication persists. The newly established CVE Foundation aims to ensure continued access to the CVE program in the years to come, symbolizing hope for a resilient future.

  • Exploitation of Vulnerabilities on the Rise: 159 CVEs Flagged in Q1 2025

    In the first quarter of 2025, 159 Common Vulnerabilities and Exposures (CVEs) were identified as actively exploited in the wild, up from 151 in the previous quarter, according to a recent analysis by VulnCheck. The report highlights that 28.3% of these vulnerabilities were exploited within one day of disclosure.

    This rapid exploitation translates to 45 security flaws being weaponized for real-world attacks within the crucial first 24 hours following their announcement. Furthermore, 14 other flaws were found to be exploited within a month, and another 45 vulnerabilities were reported to be abused within a year. Such statistics emphasize the urgent need for organizations to prioritize timely patching of vulnerabilities.

    Most of the exploited vulnerabilities were in content management systems (CMSes), which accounted for 35, followed by network edge devices (29), operating systems (24), open source software (14), and server software (14). The most affected products this quarter were Microsoft Windows (15), Broadcom VMware (6), CyberPower PowerPanel (5), LiteSpeed Technologies (4), and TOTOLINK routers (4).

    According to VulnCheck, an average of 11.4 Known Exploited Vulnerabilities (KEVs) were disclosed weekly, contributing to a total of 53 per month. Also noteworthy, the Cybersecurity and Infrastructure Security Agency (CISA) added 80 vulnerabilities during this quarter, with only 12 showing no prior public evidence of exploitation. The findings underscore the importance of proactive cybersecurity measures as the landscape of threats continues to evolve.

    Verizon's newly released 2025 Data Breach Investigations Report found that exploitation of vulnerabilities grew 34% as an initial access method and now accounts for 20% of breaches, and Mandiant's data shows exploits as the most frequently observed initial infection vector for the fifth consecutive year. Although the share of intrusions that begin with an exploit dipped slightly compared with previous years, the figures continue to underline the need for prompt patching.
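    Both the SonicWall entry above (which counts how many of that vendor's flaws sit in CISA's KEV catalog and how many have ransomware links) and the VulnCheck figures (KEV additions running at roughly 11 a week) point to the same practitioner check: join your scanner output against the KEV feed and fix the known-exploited findings first, ordered by CISA's due date and ransomware flag. The script below is an added example, not code from VulnCheck, CISA, SonicWall or any of the reports summarized here. The KEV records are constructed in the shape of CISA's public JSON feed (its real field names are used; the dates, due dates and ransomware flags are illustrative, not taken from the live catalog), and the hostnames and scanner findings are invented.

```python
"""Rank vulnerability-scanner findings by CISA KEV status.

Added example; not from any of the reports summarized on this page.
The KEV records below are CONSTRUCTED in the shape of CISA's public
KEV JSON feed (real field names: cveID, vendorProject, product,
dateAdded, dueDate, knownRansomwareCampaignUse); the dates and the
ransomware flags are illustrative, not copied from the live catalog.
Hostnames and scanner findings are invented.
"""
import json
from datetime import date

KEV_SNAPSHOT = json.dumps({
    "title": "KEV catalog (constructed subset)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-23006", "vendorProject": "SonicWall", "product": "SMA1000 Appliances",
         "dateAdded": "2025-01-24", "dueDate": "2025-02-14", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-53704", "vendorProject": "SonicWall", "product": "SonicOS",
         "dateAdded": "2025-02-18", "dueDate": "2025-03-11", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2021-20035", "vendorProject": "SonicWall", "product": "SMA100 Appliances",
         "dateAdded": "2025-04-16", "dueDate": "2025-05-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-44221", "vendorProject": "SonicWall", "product": "SMA100 Appliances",
         "dateAdded": "2025-05-01", "dueDate": "2025-05-22", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner export: each host with the CVE ids the scanner reported.
SCAN_FINDINGS = [
    {"host": "vpn-edge-01", "cves": ["CVE-2024-53704", "CVE-2025-32820"]},
    {"host": "sma-remote-02", "cves": ["CVE-2021-20035", "CVE-2023-44221"]},
    {"host": "sma1000-mgmt-03", "cves": ["CVE-2025-23006"]},
]

AS_OF = date(2025, 5, 15)  # constructed "today" for the demonstration run


def load_kev(snapshot_json):
    """Index a KEV feed (the JSON document CISA publishes) by CVE id."""
    return {v["cveID"]: v for v in json.loads(snapshot_json)["vulnerabilities"]}


def triage(findings, kev, today):
    """One row per (host, CVE). KEV-listed rows come first, then overdue ones,
    then ransomware-linked ones, then by earliest CISA due date; findings the
    catalog does not list are kept but sort last."""
    rows = []
    for finding in findings:
        for cve in finding["cves"]:
            entry = kev.get(cve)
            if entry is None:
                rows.append({"host": finding["host"], "cve": cve, "kev": False,
                             "overdue": False, "ransomware": False, "due": None})
                continue
            due = date.fromisoformat(entry["dueDate"])
            rows.append({"host": finding["host"], "cve": cve, "kev": True,
                         "overdue": today > due,
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "due": due})
    # False sorts before True, so negate the flags we want first.
    rows.sort(key=lambda r: (not r["kev"], not r["overdue"], not r["ransomware"],
                             r["due"] or date.max))
    return rows


def summarize(rows):
    """Counts a vulnerability manager reports upward: how many findings are
    known-exploited, and how many of those are already past CISA's due date."""
    kev_rows = [r for r in rows if r["kev"]]
    return {"total": len(rows), "kev": len(kev_rows),
            "overdue": sum(r["overdue"] for r in kev_rows)}


if __name__ == "__main__":
    ranked = triage(SCAN_FINDINGS, load_kev(KEV_SNAPSHOT), AS_OF)
    for r in ranked:
        flag = "KEV" if r["kev"] else "   "
        print(f'{flag} {r["host"]:<16} {r["cve"]:<15} overdue={r["overdue"]!s:<5} '
              f'ransomware={r["ransomware"]!s:<5} due={r["due"]}')
    print(summarize(ranked))
```

    Against a real environment, replace KEV_SNAPSHOT with the downloaded feed and SCAN_FINDINGS with your scanner's export; the sort order deliberately puts a KEV entry with a missed due date ahead of a newer, higher-CVSS finding that nobody is known to be exploiting.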

  • Cybersecurity Expert Warns of Rising Threats from Visible Networks

    As cyber threats continue to escalate at unprecedented rates, a troubling warning has emerged for businesses and government entities: traditional networks may be exposing organizations to dangers greater than they realize. Lawrence Pingree, Vice President at Dispersive and former security lead at Gartner, has published an insightful article titled “Your Network Is Showing — Time to Go Stealth,” which examines the evolution of cyberattacks beyond conventional perimeter defenses.

    Pingree emphasizes that malicious actors have shifted their tactics, moving from simply trying to bypass defenses to executing coordinated campaigns that target the defenses themselves. Firewalls, VPNs, and control planes, once considered the backbone of cybersecurity, are increasingly becoming the first points of failure in many organizations’ security strategies.

    Highlighting the vulnerabilities of openly advertised networks, Pingree notes that even encrypted data can be exposed through metadata, such as IP addresses and DNS queries. This visibility turns networks into potential targets for reconnaissance and exploitation, raising serious concerns about organizational security.

    Recent incidents demonstrate the urgency. In April 2024, a critical zero-day in Palo Alto Networks' PAN-OS (CVE-2024-3400) let attackers install a Python-based backdoor named UPSTYLE on the firewall itself, turning the perimeter device into the foothold. The Volt Typhoon campaign, attributed to a state-sponsored group, likewise targeted critical infrastructure by compromising Fortinet FortiGuard devices and Cisco routers, underlining how deliberately such edge devices are chosen.

    In response to these challenges, Pingree advocates for a shift in defensive strategies toward emerging stealth networking technologies. By obfuscating network presence, these solutions can significantly reduce an organization’s attack surface, aligning with zero trust principles that ensure only verified users can access sensitive resources.

    Dispersive is urging organizations to rethink their security measures, transitioning from traditional methods to more resilient, stealth-based networking models. As Pingree stresses, reevaluating network visibility is becoming a cybersecurity imperative.

  • Organizations Struggle to Address Cybersecurity Vulnerabilities, New Report Reveals

    SAN FRANCISCO—A recent report by Cobalt, a penetration-testing-as-a-service provider, has revealed a troubling trend: organizations are remediating less than half of the vulnerabilities identified for them. The State of Pentesting Report 2025 indicates that only 48% of all pentest findings are addressed, with worse figures for the more serious findings, particularly those in generative AI applications.

    The analysis shows that while 81% of security leaders express confidence in their organization’s cybersecurity stance, 31% of serious vulnerabilities identified during assessments remain unresolved. Among findings related to generative AI, only 21% of vulnerabilities were rectified, raising concerns among security professionals. In fact, a significant 72% identified AI-related attacks as their primary worry, outpacing concerns regarding insider threats and third-party software risks.

    Gunter Ollmann, CTO of Cobalt, emphasized the urgency of regular penetration testing in light of the rapid adoption of AI technologies. “It’s a concern that 31% of serious vulnerabilities are not being fixed,” Ollmann stated, suggesting that companies must develop strategies to mitigate these risks. He also pointed out that organizations adopting offensive security measures are better positioned to fortify their defenses against potential cybercriminal activities.

    The report further highlights a lack of trust in software security. Only half of the security leaders surveyed believed they could rely on their suppliers to identify and prevent vulnerabilities, exacerbated by the fact that 82% are mandated by clients and regulators to provide assurance on software security. The findings underscore a significant gap that organizations must address to enhance their cybersecurity posture and reassure their stakeholders.

  • Future of CVE Program in Question Amid Funding Concerns

    The Common Vulnerabilities and Exposures (CVE) Program, an essential resource for identifying software vulnerabilities, faced a critical funding challenge earlier this week, raising alarms within the cybersecurity community. Established in 1999 and managed by the federal contractor Mitre, the program’s funding from the U.S. Department of Homeland Security was set to expire, leading to fears of disruption in vital security operations reliant on CVE data. Experts noted that effective bug coordination, national incident response, and various critical security tools could be jeopardized if the program ceased to function.

    Fortunately, the Cybersecurity and Infrastructure Security Agency (CISA), a part of DHS, intervened at the last moment by exercising a contract option that secures the program’s funding for the next 11 months. Tod Beardsley, a CVE Program board member and VP of security research at runZero, expressed relief that immediate crisis was avoided, stating, “we’re in no immediate danger, which is great.” This temporary funding arrangement allows Mitre to continue managing the CVE Program until early March 2026.

    Nevertheless, this situation highlights an underlying need for a long-term strategy regarding the governance and funding of the CVE Program. Experts suggest that transitioning to a more globally oriented, non-profit model may be the optimal solution, particularly as the number of assigned CVEs surged from 28,818 in 2023 to 40,009 in 2024. Chester Wisniewski, director of global field CTO program at Sophos, indicated that a shift away from a U.S.-centric management framework could provide numerous benefits for the international community.

    A newly formed CVE Foundation, established by key figures from the CVE board, aims to ensure a more distributed funding model for CVEs, enhancing the integrity, availability, and identification of vulnerabilities in a sustainable manner. In tandem with these efforts, other initiatives are emerging, including the EU’s cybersecurity agency ENISA establishing its own vulnerability database, and the introduction of the Global CVE Allocation System.

    As discussions unfold about the future of the CVE Program, the industry has a window of approximately 10 months to unite behind a new governance strategy that could restore stability and confidence within the cybersecurity landscape. Collective efforts will be crucial in supporting a program that has become indispensable for IT defenders worldwide as they work to maintain a robust security posture against evolving cyber threats.

  • End of CVE Program Sparks Concerns Among Cybersecurity Experts

    In a surprising move, the Department of Homeland Security (DHS) has decided to let its contract with the nonprofit organization MITRE expire, leaving the future of the Common Vulnerabilities and Exposures (CVE) program uncertain. The contract will officially end at midnight on April 16, 2025, according to a statement from MITRE’s vice president, Yosry Barsoum. With this decision, experts in the field are voicing serious concerns over the potential implications for the cybersecurity landscape.

    The CVE program serves as a cornerstone for tracking vulnerabilities in software and is considered a global standard in managing these risks. “Without it, we can’t track newly discovered vulnerabilities,” stated Sasha Romanosky, a senior policy researcher at the Rand Corporation. The loss of the CVE’s structured approach could severely handicap the ability to gauge the severity of software flaws and take the necessary actions for remediation.

    Ben Edwards, a principal research scientist at Bitsight, expressed his disappointment over the contract termination, calling it a “valuable resource” that deserves continued funding. He noted that while there is hope that other stakeholders might step in to fill the void left by MITRE, a transition would not be without challenges. “The federated framework and openness of the system make this possible, but it’ll be a rocky road if operations do need to shift to another entity,” he commented.

    The cessation of the CVE program would have cascading effects on the cybersecurity ecosystem, warned Brian Martin, a vulnerability historian. He explained that without MITRE, the federated model which allows numerous authorities to assign CVE IDs will be disrupted, creating immediate ramifications for vulnerability management on a global scale. As the clock ticks down to the contract expiration, uncertainties loom regarding how vulnerabilities will be monitored and managed moving forward.

    Sources have indicated that the decision to end funding is tied to broader government budget cuts affecting the Cybersecurity and Infrastructure Security Agency (CISA), which oversees the CVE program. Despite prior reductions in funding, some argue that the cost of maintaining the CVE program is relatively minor compared to cuts in other areas. Meanwhile, CISA has pledged to work urgently to mitigate the impact of this decision, asserting, “We are committed to maintaining CVE services on which global stakeholders rely.”

    The future remains uncertain as to how stakeholders in the cybersecurity community will adapt following this critical turning point. Experts are now left to wonder if a private sector alternative will emerge to fill the vacuum, a situation being closely monitored by various institutions.

  • Organizations Struggle to Address Cyber Vulnerabilities, Despite Increased Pentesting Efforts

    Recent findings from Cobalt show that organizations are fixing fewer than half of all exploitable vulnerabilities, and only 21% of flaws found in generative AI (GenAI) applications. A substantial 94% of firms recognize penetration testing (pentesting) as essential to their security program. Pentesting is both a defensive measure and a mirror held up to existing controls: breaches keep happening despite established safeguards.

    Compliance emerges as a significant motivator for pentesting, with 91% of respondents citing it as a key reason for conducting these tests. Notably, 92% of firms assert that pentests are vital to their organizational strategy and have the backing of senior leadership. However, while the rate of fixing serious pentest findings surged from 27% in 2017 to 55% in 2021, this figure has plateaued. Currently, serious vulnerabilities are resolved in a third of the time it took in 2017, cutting the exposure window from 112 to just 37 days.

    Large organizations take over a month longer than smaller firms to fix serious vulnerabilities (61 days versus 27). Although three-quarters of organizations have Service Level Agreements (SLAs) promising fixes within two weeks, the median time to resolution stands at 67 days, nearly five times the SLA. Meanwhile, 81% of security leaders express confidence in their organization’s security posture even as 31% of serious findings remain unresolved.

    A crucial area of concern is the security of GenAI LLM web applications, with 95% of firms having conducted pentests on these systems in the past year. Unfortunately, 32% of tests identified serious vulnerabilities, yet a mere 21% of these were remedied. This issue raises significant concerns about risks such as prompt injection, model manipulation, and data leakage. With 72% of organizations ranking AI-related attacks as their top security threat, it is evident that there are inadequacies in preparedness against potential exploits.

    OWASP has acknowledged these vulnerabilities, updating the 2025 edition of its Top 10 for LLM and GenAI to address new threats like Denial of Wallet (DoW), which exploit the cost-per-use model of AI services. As organizations strive to keep pace with technological advancements, they increasingly experience pressure from leadership to prioritize speed over thorough security measures. Nearly half of security leaders report that they are being urged to compromise security to achieve faster deployment timelines, significantly jeopardizing their overall security landscape.

    In light of these findings, Gunter Ollmann, CTO of Cobalt, emphasizes the critical importance of regular pentesting, especially amid the rapid adoption of AI technologies and the vulnerabilities that come with them. He points out that the persistent backlog of unresolved vulnerabilities signals a need for heightened awareness and proactive mitigation. Organizations that adopt an offensive security approach not only strengthen their defenses but also position themselves favorably for meeting compliance obligations and reassuring customers of their commitment to security.