The July 2025 Threat Report takes a broad approach, covering some of the top cyber threats from the past month. The Microsoft SharePoint flaw titled “ToolShell” dominated the headlines; see our alert on ToolShell for a detailed analysis. Over 4,000 CVEs were published last month; almost 500 of them were rated Critical, with CVSS over 9.0. Managing this volume of risk is truly a battle of attrition for defenders. In response, Greenbone published almost 5,000 new detection tests. These detection tests allow defenders to find known software flaws in their environment, confirm patch levels, and prevent cyber attackers from gaining the upper hand.


Critical Cisco ISE Flaws Offer Unauthenticated RCE as Root and More

Cisco has confirmed active exploitation of Cisco Identity Services Engine (ISE) and Cisco ISE-PIC (Passive Identity Connector) versions 3.3 and 3.4. The highest severity CVEs are: CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282; all CVSS 10. CVE-2025-20281 and CVE-2025-20337 have been added to CISA KEV (catalog of known exploited vulnerabilities). Each flaw can be exploited to execute code with root privileges by submitting a malicious API request. Several national CERT agencies have issued alerts: EU-CERT, CSA Singapore, NHS UK, and NCSC Ireland. Cisco advises immediate patching; no workarounds are available. Version detection tests are included in the OPENVAS ENTERPRISE FEED [1][2][3].

Another critical severity CVE in Cisco Unified Communications Manager made waves in early July. CVE-2025-20309 (CVSS 10) allows remote root account access via static SSH credentials. Alerts were issued by Belgium’s CERT.be and NCSC Ireland, and the flaw was featured in the AUSCERT Week in Review.

CrushFTP and WingFTP Servers Under Active Attack

High severity CVEs in CrushFTP and WingFTP were published and quickly added to CISA KEV, with global CERT advisories being issued [1][2][3]. FTP servers are often exposed to the public Internet, but instances within a local network could also offer hackers an opportunity for persistence and lateral movement [4]. Also, FTP servers often store sensitive data, which could represent a high risk of being ransomed.

  • CVE-2025-54309 (CVSS 9.8, EPSS ≥ 91%): If the DMZ proxy feature is not used, CrushFTP is susceptible to an unprotected alternate channel vulnerability [CWE-420]. The software mishandles AS2 validation allowing remote HTTPS admin access. The OPENVAS ENTERPRISE FEED includes a remote banner detection test to identify vulnerable instances. Users should upgrade to CrushFTP 10.8.5_12 (or later) or 11.3.4_23 (or later).
  • CVE-2025-47812 (CVSS 10, EPSS ≥ 99%): Unsanitized null-byte characters in the web-interface of WingFTP prior to version 7.4.4 allow remote execution of arbitrary Lua code with the privileges of the FTP service (root or SYSTEM by default). Greenbone includes an active check and version check to identify vulnerable instances. Users are urged to update to version 7.4.4 or later.

Node.js Patch Bypass Exposes Arbitrary File Access

CVE-2025-27210 (CVSS 7.5) is a bypass for CVE-2025-23084 (CVSS 5.6), a previously patched flaw in Node.js Windows platforms, published in January 2025. An estimated 4.8% of global web servers run Node.js, which also powers many on-premises and cloud-native applications. National CERT advisories have been released warning of high risk [1][2]. At least one proof-of-concept (PoC) has been published [3]. OPENVAS ENTERPRISE FEED and COMMUNITY FEED both include a version detection check.

The flaw, classified as path traversal [CWE-22], is due to built-in functions path.join() and path.normalize() not properly filtering Windows device names like CON, PRN, and AUX, which are reserved names for special system devices [4]. This can be exploited remotely to bypass path protections when user input is passed into these functions. Node.js versions 20.x prior to 20.19.4, as well as 22.x before 22.17.1 and 24.x before 24.4.1 are affected.

CVE-2025-37099: Total Remote Compromise for HPE Insight Remote Support

New vulnerabilities in HPE Insight Remote Support pose an extreme risk of full system compromise within enterprise infrastructure. IRS is used in enterprise local network environments to automate hardware health checks, infrastructure monitoring, and support ticket generation.

CVE-2025-37099 (CVSS 9.8) permits unauthenticated remote code execution (RCE) at SYSTEM level due to improper input validation [CWE-20] in processAttachmentDataStream logic, allowing malicious payloads to be executed as code [CWE‑94][1]. This allows attackers to execute malware across managed systems. While not explicitly documented, SYSTEM-level access could also enable attackers to manipulate or delete monitoring logs to conceal activity. Since the affected service often communicates with devices like servers and iLO controllers, compromise may facilitate pivoting laterally within a network [2].

Users should upgrade immediately to 7.15.0.646 or newer. The coordinated disclosure also included two additional CVEs: CVE-2025-37098 and CVE-2025-37097, both CVSS 7.5. OPENVAS ENTERPRISE FEED includes a version detection test to identify vulnerable instances and verify patch level to meet compliance.

Critical Patches for DELL CVEs with Elevated EPSS Scores

Cumulative patches for a large number of Dell Technologies products were released to address various component vulnerabilities. The Canadian Cyber CSE has issued three alerts in July addressing these updates [1][2][3]. Here are some of the most critical CVEs from this batch, all of which can be detected with the OPENVAS ENTERPRISE FEED [1][2][3][4][5]:

  • CVE-2024-53677 (CVSS 9.8, EPSS 99%): Dell Avamar Data Store and Avamar Virtual Edition have received updates to address a flaw in Apache Struts. No mitigations or workarounds are available. See the vendor’s advisory for affected product lists.
  • CVE-2025-24813 (CVSS 9.8, EPSS 99%): Dell Secure Connect Gateway versions prior to 5.30.0.14 are affected by an Apache Tomcat flaw and other critical CVEs. Dell has classified this update as critical.
  • CVE-2004-0597 (CVSS 10, EPSS 99%): Dell Networker is affected by critical buffer overflow flaws in libpng that allow remote attackers to execute arbitrary code via maliciously manipulated PNG images, among other vulnerabilities. See vendor advisories for more information [1][2][3][4].
  • CVE-2016-2842 (CVSS 9.8, EPSS ≥ 98%): Dell Data Protection Advisor is affected by flaws in numerous components including CVE-2016-2842 in OpenSSL which does not properly verify memory allocation, allowing DoS or possibly RCE. See the vendor advisory for more information.
  • CVE-2025-30477 (CVSS 4.4): Dell PowerScale uses a risky cryptographic algorithm, potentially leading to information disclosure. In June 2025, PowerScale patched critical severity flaws. See vendor advisories for more information [1][2].

A Cumulative Summary of 2025 D-Link Flaws

OPENVAS ENTERPRISE FEED and COMMUNITY FEED currently include 27 vulnerability tests covering the majority of CVEs affecting D-Link products published so far in 2025. Given the importance of network edge security, users should pay particular attention to vulnerabilities in routers and other gateway devices. After the settlement of a U.S. regulatory action involving D‑Link and the Federal Trade Commission, in 2019 D‑Link agreed to implement a comprehensive security program. However, proponents for accountability may ask whether intervention should be more widespread. Ivanti products, for example, have been inundated with numerous high severity flaws in recent years [1][2][3][4][5], many leveraged in ransomware attacks.

Adobe Patches Critical Flaws for ColdFusion

Security updates for ColdFusion 2025, 2023, and 2021 address 13 new CVEs; five critical severity issues including XXE (CVE-2025-49535, CVSS 9.3), hard-coded credentials (CVE-2025-49551, CVSS 8.8), OS command injection, XML injection, and SSRF. In 2023, the ColdFusion flaw CVE‑2023‑26360 (CVSS 9.8) was used by threat actors to gain initial access to US federal civilian agencies.

OPENVAS ENTERPRISE FEED includes a remote version check to identify unpatched instances. Immediate patching to Update 3 (ColdFusion 2025), Update 15 (2023), or Update 21 (2021) is strongly recommended.

Splunk Enterprise Updates Critical Severity Components

Cumulative updates for Splunk Enterprise patch several third-party components, including golang, postgres, aws-sdk-java, idna, and others. Some of these were Critical CVSS severity flaws, such as CVE-2024-45337 (CVSS 9.1) with an EPSS percentile of ≥ 97%, indicating a high likelihood of exploit activity. CERT-FR and the Canadian Cyber CSE have published alerts related to Splunk’s July advisories. Users can verify patch status with a version check in the OPENVAS ENTERPRISE FEED. The feed also includes vulnerability checks for previous Splunk security advisories and CVEs.

Oracle Patches a Series of High Severity VirtualBox Flaws

Several CVEs published in mid‑July 2025 affecting Oracle VM VirtualBox version 7.1.10 permit a high‑privileged local attacker (with access to the host infrastructure or guest VM execution environment) to compromise VirtualBox, potentially escalating privileges or achieving full control of the hypervisor core component. CVE‑2025‑53024 (CVSS 8.2) is an integer overflow bug in the VMSVGA virtual device due to insufficient validation of user‑supplied data, leading to memory corruption with potential for full hypervisor compromise. [1] OPENVAS ENTERPRISE FEED and COMMUNITY FEED include version detection tests for Windows, Linux, and macOS.

Post Authentication Flaw Allows RCE in SonicWall SMA100

CVE-2025-40599 (CVSS 9.1) is an authenticated arbitrary file upload vulnerability in SonicWall SMA 100 series appliances. It allows a remote attacker with administrative privileges to gain arbitrary code execution and persistent access. The risk posed by this flaw is increased by weak or stolen credentials. The flaw affects models SMA 210, 410, and 500v, versions 10.2.1.15-81sv and earlier. As per the vendor advisory, no workaround is effective. OPENVAS ENTERPRISE FEED includes a remote version check to identify the affected devices.

New MySQL CVEs Allow Authenticated DoS Attacks

Amidst the abundance of vulnerabilities offering unauthorized RCE, it’s easy to overlook ones that merely cause Denial of Service (DoS). A swath of DoS vulnerabilities and related patches were issued for MySQL 8 and MySQL 9 in July [1]. Although the flaws require privileged access to exploit, Managed Service Providers (MSP) may provide shared MySQL hosting for small-to-medium businesses (SMBs), government agencies, or non-profits that don’t want the overhead of managing their own database infrastructure. In this scenario, tenants are given access to separate databases on the same MySQL server instance. When that happens, an unpatched instance could allow a user to impact other organizations. These flaws also highlight the importance of strong passwords and mitigating the threat from brute-force and password spraying attacks.

Remote version detection tests are available for all CVEs referenced below. These are included in both the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. Tests cover both Linux and Windows MySQL installations.

| CVE ID | Affected Versions | Impact | Access Vector | Patch Status |
|---|---|---|---|---|
| CVE-2025-50078 (CVSS 6.5) | 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 | DoS (hang/crash) | Remote authenticated access | Patched (July 2025) |
| CVE-2025-50082 (CVSS 6.5) | 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 | DoS (crash) | Remote authenticated access | Patched (July 2025) |
| CVE-2025-50083 (CVSS 6.5) | 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 | DoS (crash) | Remote authenticated access | Patched (July 2025) |

CVE-2025-8088 (CVSS 8.4) is a new high-risk path traversal vulnerability [CWE-35] in WinRAR versions 7.12 and below and related components including UnRAR.dll. The flaw allows unauthorized attackers to copy malicious files into sensitive directories, including the Windows Startup folder, where they can be executed. ESET Research reports that active exploitation of CVE-2025-8088 began on July 18, 2025, and the RomCom advanced persistent threat (APT) actor has been attributed with the initial attacks. Since then, there are unverified reports that an exploit has surfaced on the dark web and is being sold for $80,000.

RARLAB has published release notes and patched versions of the WinRAR applications and source code, and users are urged to patch immediately. Non-Windows versions are not affected by CVE-2025-8088. OPENVAS SECURITY INTELLIGENCE can help your security team detect vulnerable versions of WinRAR in your organization’s network with our ENTERPRISE FEED. Notably, our May 2025 threat report alerted readers to Russian state-sponsored threat actors exploiting another WinRAR flaw, CVE-2023-38831 (CVSS 7.8) in ransomware attacks. Let’s review the newest campaign targeting WinRAR.

A Summary of RomCom Tactics and Techniques

RomCom (aka Storm-0978, Tropical Scorpius, UNC2596) is a Russian-aligned threat actor known for operating its own signature malware (RomCom RAT), and conducting sophisticated, financially motivated ransomware attacks and espionage-motivated campaigns [1][2][3][4]. Their operations leverage a wide range of attack vectors, including spearphishing, trojan software installers, and exploitation of high-profile vulnerabilities, most notably CVE-2023-36884 (CVSS 7.5) in Microsoft Word, CVE-2024-9680 (CVSS 9.8) in Firefox, and CVE-2024-49039 (CVSS 8.8) in Windows Task Scheduler, among others. According to ESET, RomCom’s spearphishing emails now include weaponized RAR archives as attachments and are targeting financial, manufacturing, defense, and logistics companies in Europe and Canada.

Understanding the CVE-2025-8088 Attack Chain

Campaigns exploiting CVE-2025-8088 follow a multi-stage delivery process, leveraging malicious RAR archives to import and execute malware on victim systems. Here is a breakdown of the attack chain discovered by ESET Research:

  • Spearphishing Delivery: Victims receive phishing emails containing specially crafted RAR archives [T1204.002] designed to exploit CVE-2025-8088 once extracted. The attached archive appears to contain only one or two files. However, it actually holds multiple Alternate Data Streams (ADSes) with malicious content. In NTFS, ADSes allow data to be stored in a separate stream linked to a file without appearing in normal directory listings.
  • Path Traversal Exploit: The ADS payloads use ..\ character sequences to traverse the file extraction path and install malicious DLL or EXE files into sensitive directories such as %TEMP%, %LOCALAPPDATA%, and the Windows Startup folder.
  • Payload Deployment: Once the payload is extracted into sensitive directories, a .lnk shortcut file is copied into the Windows Startup folder for persistence [T1547]. WinRAR does not have elevated privileges by default. However, the Windows Startup folder is user-writable and serves to automatically execute the attacker’s payload when the user logs in.
  • Actions on Objectives: Post-exploitation, various malware payloads have been observed for command and control (C2) including:
    • Using COM hijacking [T1546.015] to execute a malicious DLL (Mythic Agent) targeting Active Directory (AD) domains.
    • Using a trojanized PuTTY CAC executable (SnipBot) to perform anti-sandbox checks [T1497] before importing additional payloads [T1105]. PuTTY CAC is a modified version of the popular PuTTY SSH/Telnet client that adds support for smart card and certificate-based logins.
    • Using a Rust-based downloader (RustyClaw) to deliver the MeltingClaw loader for importing additional malware [T1105].

Mitigating the Risk of CVE-2025-8088

WinRAR users on Windows should manually update to WinRAR 7.13 Final, released July 30, 2025. The update fixes the WinRAR desktop application, portable UnRAR source code, and UnRAR.dll components. Organizations should also update any software that relies on UnRAR.dll to version 7.13 Final. In complex environments, it is imperative to conduct thorough vulnerability scanning to ensure all affected instances are remediated and further verify patch status post-remediation.

Additional security measures include:

  • Using antivirus software to scan incoming files for malware
  • Configuring strong directory permissions to prevent archive extraction into sensitive directories
  • Providing user awareness training to educate staff about spearphishing attacks
  • Scanning systems for indicators of compromise (IoCs) to identify potential compromise
  • Configuring EDR solutions to alert on modifications to the Windows Startup folder

Summary

CVE-2025-8088 (CVSS 8.4), a high-risk WinRAR path traversal flaw, is actively exploited by the RomCom APT. Attacks are delivered via spearphishing email messages containing malicious RAR archives designed to deploy malware locally to the victim’s computer. A patched version, WinRAR 7.13 Final, provides urgent fixes to all affected Windows components, including the desktop application, portable UnRAR source code, and UnRAR.dll. Users are urged to patch immediately. OPENVAS SECURITY INTELLIGENCE includes version detection tests as part of the ENTERPRISE FEED, allowing security teams to scan their infrastructure, locate vulnerable WinRAR components, and patch them.

The global financial sector has been slammed with high-profile cyber incidents, placing trust in financial systems in jeopardy. These cyber attacks are extremely costly and widespread. Large corporations are not the only losers in this battle. Citizens also suffer directly when data protection and the integrity of financial transactions are compromised.

Some of the most impactful breaches of financial entities in the EU and globally include:

  • Equifax (2017): Breached via an unpatched vulnerability in Apache Struts, leading to the theft of Social Security Numbers (SSN), birthdates, addresses and driver’s licenses of 147 million people.
  • UniCredit (2018): Italy’s second-largest bank exposed the Personally Identifiable Information (PII) of 778,000 clients; the Italian DPA finally issued a €2.8 million fine for the breach in 2024.
  • Capital One (2019): A misconfigured firewall was used to breach Capital One to steal the PII of 106 million individuals.
  • Finastra (2023): The UK-based fintech provider servicing global banks, was breached via its secure file-transfer system, resulting in the theft of over 400 GB of sensitive financial data from major banking clients.
  • UBS and Pictet (2025): A third-party cyberattack on Chain IQ exposed the PII of over 130,000 employees, including contact information for top executives.
  • Bybit (2025): North Korean hackers stole $1.5 billion worth of Ethereum from Bybit’s cold wallet, marking the biggest crypto exchange hack ever recorded.

These incidents emphasize the strategic importance of securing financial technology providers. Cyber attacks against banks include fraudulent wire transfers, ATM hacking, POS malware and data theft. Arguably, the impact of sensitive PII being stolen is even worse than simply stealing money. Stolen identities: names, SSNs, addresses and other PII are later sold on darknet marketplaces and used by attackers to commit identity theft, open fraudulent bank accounts or lines of credit and to conduct social engineering against individuals directly. Geopolitical tensions further place data theft victims at risk; hostile nation states and legally ambiguous intelligence brokers collect intelligence on individuals for surveillance, intimidation campaigns or worse.

In response to escalating threats, the Digital Operational Resilience Act (aka “DORA”) exists to strengthen the EU financial sector’s cybersecurity posture with greater safeguards. This new legal framework is a pivotal piece of legislation within the EU’s financial regulatory framework, intended to stabilize consumer trust and bolster business confidence.

How OPENVAS SECURITY INTELLIGENCE by Greenbone Supports DORA Compliance:

  • Vulnerability management is a fundamental IT security activity with a well-established benefit to operational resilience. OPENVAS SCAN by Greenbone is an industry leading vulnerability scanner with a proven track record.
  • Our OPENVAS ENTERPRISE FEED has industry leading coverage for CVE detection as well as other network and endpoint vulnerability detection.
  • OPENVAS SCAN can identify the encryption protocols allowed by network services to ensure data-in-transit is compliant with data security best practices.
  • Our compliance scans can attest security hardened configuration for a wide range of operating systems (OS) and applications. This includes certified CIS Benchmarks for Apache HTTPD, Microsoft IIS, NGINX, MongoDB, Oracle, PostgreSQL, Google Chrome, Windows 11 Enterprise, Linux, and more [1][2].
  • All OPENVAS SECURITY INTELLIGENCE components are designed for absolute data sovereignty; your organization’s data never needs to leave the organization.
  • Our core product line is open source, time tested and open to external review by customers and community members alike. This visibility helps streamline third-party ICT service providers auditing.
  • OPENVAS REPORT by Greenbone is specially tailored to support evidence gathering and data retention for compliance reporting.
  • As an active ISO/IEC 27001:2022 and ISO 9001:2015 certified organization, Greenbone is dedicated to the most stringent quality standards for Information Security. Our ISO 14001 certification for Environmental Management Systems shows our continued commitment to things that matter.

The EU’s Digital Operational Resilience Act (DORA)

DORA is an EU regulation published in the Official Journal of the European Union on January 16, 2023, which came into force on January 17, 2025. DORA is part of the EU’s broader Digital Finance Strategy, and its goal is to standardize cybersecurity governance and risk management requirements, strengthening the operational resilience of financial entities in the EU. The act applies to 20 different types of financial entities including banks, insurance companies, investment firms and Information and Communication Technology (ICT) third-party service providers (TPP).

But aren’t financial entities subject to NIS 2 regulation as Essential Entities (EEs)?

Yes, but under Article 4 of NIS 2, financial services firms covered by DORA—such as banks, investment firms, insurance institutions, and financial market infrastructures—must fully adhere to DORA’s requirements when it comes to cybersecurity risk management and incident reporting. Also, any other sector-specific equivalent EU mandates that apply to risk management or incident reporting must take precedence over the corresponding provisions in NIS 2.

Who are the European Supervisory Authorities (ESAs)?

There are three formally designated ESAs responsible for issuing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) which clarify DORA’s requirements. The ESA entities are:

  • The European Banking Authority (EBA) [1]
  • The European Insurance and Occupational Pensions Authority (EIOPA) [2]
  • The European Securities and Markets Authority (ESMA) [3]

What are Regulatory Technical Standards (RTS)?

As the name implies, RTS define the required technical standards that entities covered by DORA must adhere to. RTS documents provide detailed guidance to ensure consistent application of DORA across the EU financial sector [4].

The final draft Regulatory Technical Standards are:

  • ICT risk management framework and simplified ICT risk management framework [5]
  • Criteria for the classification of ICT-related incidents [6]
  • Policy on ICT services supporting critical or important functions provided by TPPs [7]

What are Implementing Technical Standards (ITS)?

ITS are detailed rules that specify how financial entities must comply with obligations. They translate DORA’s general provisions into precise operational, procedural, and reporting standards. ITS address incident reporting, tracking of ICT TPP relationships and assessments, threat-led penetration testing (TLPT), and cyber threat information sharing.

  • The final draft ITS of templates for the register of information [8]

The Scope of DORA’s Impact on IT Security

Here are the fundamental IT security principles that DORA impacts:

  1. Risk Management: DORA mandates that financial entities implement robust IT Risk Management Frameworks (RMF) to reduce their operational risks.
  2. Incident Reporting: Fully regulated entities must report major cybersecurity incidents to their national authorities within 24 hours following a standardized format. However, small, non-interconnected, and exempt entities are eligible for reduced reporting requirements.
  3. Third-Party Risk: DORA establishes stricter oversight and accountability for how financial entities manage their relationships with third-party ICT service providers.
  4. Security Testing: Financial entities must conduct regular security assessments of their digital systems to improve resilience against cyber threats.
  5. Information Sharing: For improved information sharing between financial institutions and relevant authorities, entities are encouraged to report emerging threats if they may be relevant to others.

Summary

High-profile cyberattacks have exposed deep digital weaknesses in the financial sector, prompting the EU to enact the Digital Operational Resilience Act (DORA), enforced as of January 17th, 2025. Greenbone is an ally to support DORA compliance for covered entities with our established and trusted suite of enterprise vulnerability management products and compliance reporting tools. Our products support resilient data sovereignty and detailed security assessment reporting.

True cyber risk mitigation is not simply about meeting compliance checkboxes. Defenders must be proactive in detecting emerging risks as early as possible to strengthen operational resilience. Greenbone enables early awareness of security vulnerabilities allowing the IT defenders of Europe’s financial entities to fix them before cyber breaches occur.

On Saturday, July 19th, flaws in Microsoft SharePoint Server became the subject of emergency cybersecurity alerts worldwide. Four CVEs are involved and collectively dubbed “ToolShell”; two published in early July already had patches available, but after being bypassed, two new CVEs were issued. The flaws can allow unauthenticated remote code execution (RCE) at the Windows SYSTEM level.

So far, mass exploitation attacks have breached the US Nuclear Weapons Agency and over 400 other organizations including multi-national corporations, healthcare and other government services, financial service providers, and energy critical infrastructure. Active exploitation was first observed by Eye Security and three CVEs have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog and tied to ransomware attacks by Chinese state-sponsored threat actors. Several public proof of concept (PoC) exploit kits are available [1][2][3]. National CERT advisories have been issued from many countries including CERT-EU [4], the Netherlands [5], New Zealand [6], Canada [7], and Germany [8]. The Shadowserver Foundation has observed over 9,000 public facing SharePoint IP addresses globally.

OPENVAS SECURITY INTELLIGENCE by Greenbone includes version detection tests [9][10][11][12], a direct active check [13] for all ToolShell CVEs, and an active check for associated indicators of compromise (IoC) [14] in our ENTERPRISE FEED. OPENVAS ENTERPRISE FEED customers should verify their feed update status regularly to ensure their appliance includes the latest vulnerability checks. Let’s review the details surrounding these elusive ToolShell bugs.

A Timeline of ToolShell Events

Here is a brief timeline of ToolShell events so far:

The ToolShell CVEs in Microsoft SharePoint

When the original “ToolShell” flaws (CVE-2025-49706 and ) were first exposed in May 2025, no technical details were published with the hack, but the disclosure led to official patches by mid-July. However, security researchers soon observed attacks bypassing fully patched servers. Two new vulnerabilities have been published in response (CVE-2025-53770 and CVE-2025-53771).

Here are brief details for each ToolShell CVE:

  • CVE-2025-49704 (CVSS 8.8): Improper code generation (aka “code injection”) [CWE-94] allows an authorized attacker to execute code remotely. According to Cisco Talos, the flaw can be exploited by an authenticated attacker with Site Member privileges, while Microsoft indicates that Site Owner privileges are required. According to Microsoft, exploitation is trivial with a high likelihood of successful attack.
  • CVE-2025-49706 (CVSS 6.3): Improper authentication [CWE-287] allows an authorized attacker to perform spoofing over a network.
  • CVE-2025-53770 (CVSS 9.8): Deserialization of untrusted data [CWE-502] allows an unauthorized attacker to execute code [CWE-94] over a network. This is a variant of CVE-2025-49704.
  • CVE-2025-53771 (CVSS 6.3): Improper limitation of a pathname to a restricted directory [CWE-22] (aka “path traversal”) allows an authorized attacker to perform spoofing over a network. This is a variant of CVE-2025-49706.

The ToolShell Attack Details:

Exploiting ToolShell allows unauthenticated RCE on vulnerable Microsoft SharePoint Servers. Here’s how the attack unfolds:

  1. CVE-2025-49706 allows access to internal SharePoint services by manipulating the header Referer: /_layouts/SignOut.aspx to bypass request validation logic. This tricks SharePoint’s request validation logic into treating the request as authenticated, even though no real session or credentials exist.
  2. Simultaneously, a malicious __VIEWSTATE payload is sent to the /_layouts/15/ToolPane.aspx endpoint which includes a specially crafted .NET gadget chain to exploit the CVE-2025-53770 deserialization flaw. __VIEWSTATE payloads are serialized ASP.NET objects meant to synchronize UI control state between the user’s browser and the SharePoint backend server.
  3. The deserialization flaw allows exe or PowerShell commands to be executed as the Windows SYSTEM user and full control of an affected system.
  4. With full admin control, attackers were observed installing malicious ASPX web shells (named aspx among other filenames) to extract the breached system’s MachineKey configuration (ValidationKey and DecryptionKey) allowing persistent authenticated access.
  5. With these stolen access tokens, attackers may continue to submit valid __VIEWSTATE payloads using the .

Mitigating ToolShell Attacks Against Microsoft SharePoint

ToolShell affects on-premises editions of Microsoft Office SharePoint 2016, 2019, and Subscription Edition, as well as end-of-life (EOL) editions such as SharePoint Server 2010 and 2013. Users must apply the latest patches as soon as possible. Also, keep in mind that CVE-2025-49704 and CVE-2025-49706 were patched in Microsoft’s July 2025 Security Update; however, the discovery of bypass exploits made new patches necessary:

  • KB5002754 for Microsoft SharePoint Server 2019 Core
  • KB5002768 for Microsoft SharePoint Subscription Edition
  • KB5002760 for Microsoft SharePoint Enterprise Server 2016
  • SharePoint Server 2010 and 2013 are affected, but will not be patched due to their EOL status
  • SharePoint Online for Microsoft 365 is NOT vulnerable

Microsoft’s guidance instructs users to enable AMSI with Full Mode and use Microsoft Defender Antivirus to prevent successful attacks. Defenders should also assume their systems have been compromised and hunt for the IoCs identified in observed campaigns. In addition to identifying and removing any malware infection, users should mitigate the risk posed by stolen credentials. This is accomplished by rotating the ASP.NET machine keys using PowerShell (Update-SPMachineKey) or the Central Administration Machine Key Rotation Job, and then restarting IIS with iisreset.exe.

Summary

The ToolShell attack chain puts users at risk of unauthenticated RCE. The attack is an authentication bypass followed by flawed deserialization for RCE. Although patches for CVE-2025-49704 and CVE-2025-49706 were issued in July 2025, new variants (CVE-2025-53770, CVE-2025-53771) have been discovered and are now being actively exploited globally. Defenders must apply all available updates as soon as they become available, remove any persistent malware infection installed by attackers, rotate machine keys, and verify resilience. OPENVAS SECURITY INTELLIGENCE can swiftly and reliably detect vulnerable instances of Microsoft SharePoint and over 180.000 additi

For more than 15 years, OPENVAS has stood for excellent open source security worldwide – from small businesses to public institutions to operators of critical infrastructure. OPENVAS is developed by Greenbone and is behind both Greenbone’s enterprise products and the community versions. The OPENVAS brand inspires global confidence in a highly developed open source solution that stands up well against proprietary competitors.

From now on, we are placing the name OPENVAS at the center of all our activities. Our proven solutions and new products will now appear under a single, strong brand: OPENVAS.

Why we chose OPENVAS

OPENVAS is internationally recognized, stands for trust and open source, and clearly describes what it’s all about: identifying and minimizing digital risks. With the new naming scheme, we are making our solutions even more understandable, functional, and globally consistent. Originally intended only as the name of a technical component, the actual vulnerability scanner, the name has established itself as the designation for our whole product portfolio. We are happy to embrace this and use our established open source OPENVAS brand in all our product names.

For our users, customers, and partners, this means that everything you value about our solutions remains the same — just under new, more descriptive names. And there’s more to come this year: container scanning, agent-based scanning, a new REST API, and much more.

What does this mean for you specifically?

  • What you know stays the same: Your solutions will work as usual, including all services and security updates.
  • Names that create clarity: Each product name now directly describes its function – saving time and avoiding misunderstandings.
  • Strong brand, clear communication: We operate nationally and internationally under a single name – OPENVAS.

Our proven goal: to offer you the best solution for minimizing digital risks quickly, easily, and transparently.

What does this mean for our existing appliance products?

Our existing products will continue to be updated as usual. At the same time, they will be given new names, with OPENVAS always at the center.

A few examples: OPENVAS SCAN is the new product name for the Greenbone Enterprise Appliances, while the performance designations will remain unchanged. The familiar Greenbone Enterprise EXA will become OPENVAS SCAN EXA, and Greenbone Enterprise 600 will become OPENVAS SCAN 600.

Our free community products will of course continue to be available. We are using the name OPENVAS COMMUNITY EDITION for our free appliance and OPENVAS COMMUNITY FEED for the associated data feed with vulnerability tests and security information.

Greenbone remains – OPENVAS becomes new brand name

Greenbone remains the name of our company – headquartered in Germany and with our subsidiaries in the UK, Italy, and the Netherlands. The name Greenbone has become well established in German-speaking countries, which is why we have decided not to rename Greenbone AG as OPENVAS AG. Internationally, we are much better known as OPENVAS and therefore will operate under the OPENVAS brand: OPENVAS UK, OPENVAS IT, OPENVAS NL.

By strengthening our OPENVAS brand, in over 150 countries around the world we are making our mission visible: to make cybersecurity understandable, trustworthy, and accessible.

The 2025 IOCTA report from Europol warns that demand for data on the cybercrime underground is surging. How much data has been stolen exactly? Determining exact numbers is impossible. However, the personal information of 190 million individuals including Social Security Numbers (SSN), was stolen from Change Healthcare in a single breach. That’s more than half of the total US population exposed in one incident. That incident pales in comparison to the 2024 National Public Data Breach, which included 272 million distinct SSNs, 420 million distinct addresses, and 161 million distinct phone numbers. In 2024, Europe saw approximately 363 breach notifications per day across surveyed EEA countries. Now, new strains of destructive wiper malware are emerging. In comparison, victims of data theft may soon be considered the “lucky” ones.

Cyber defenders are in a battle of attrition. Managing the continuous onslaught of new threats is a monumental and critical task. In this month’s threat report, we provide insight into the latest wave of wiper malware, new actively exploited vulnerabilities, and emerging threats shaping the global cyber conflict.

New Wave of Wipers Enter the Cyber Combat

Cisco Talos just observed a previously unknown wiper malware dubbed “PathWiper”, leveraged in a destructive attack against Ukrainian critical infrastructure. Wipers are most often deployed in Cyber Warfare (CW) campaigns, where financial gain is not the primary motive. Whereas ransomware coerces victims into paying for the return of their encrypted data, wipers simply destroy it. Wipers have been used since the start of the Russia-Ukraine war. HermeticWiper was deployed against Ukraine in 2022, crippling government agencies and critical services hours before Russia first invaded.

Cybersecurity analysts also recently noted an emerging ransomware-as-a-service (RaaS) group, Anubis, which has added a wiper option to their custom ransomware payload. Amidst heightened geopolitical tensions, it’s plausible that nation-state threat actors will incentivize willing RaaS operators and hacktivists to carry out destructive attacks for impact.

Wiper attacks themselves aren’t new. Shamoon (aka Disttrack), discovered in 2012, was the first major Wiper malware. Suspected to be developed by Iranian threat actors, it was used to attack Saudi Aramco and other Gulf state organizations. Masquerading as ransomware, NotPetya was another prominent wiper strain that emerged in 2017 with global impact.

Organizations, especially critical infrastructure, need to consider the potential impact that wiper malware could have on their resilience. What if paying ransom is not an option? A well designed backup strategy can enable full or partial data recovery, but downtime also has a financial impact and has even recently resulted in loss of life. Ensuring that mean-time-to-recovery (MTTR) objectives can be realized is key to operational continuity. Of course, diligently closing security gaps before threat actors can exploit them is also essential to a proactive cyber strategy.

Sorting True Risk from “AI-Slop”: Linux CVEs in Flux

The days when Linux attracted fewer cyber attacks have long passed. Linux systems are increasingly targeted by sophisticated actors. Last year, the number of Linux kernel CVEs (Common Vulnerabilities and Exposures) also exploded: the Kernel CNA (CVE Numbering Authority) assigned an average of 55 new CVEs per week in 2024. This growth is sometimes attributed to AI uncovering bugs which are not actually security risks – dubbed “AI slop”. Curl’s creator, Daniel Stenberg, even posted a notice banning “AI slop” bug reports. A related bug report discussion raised the concern of “an attack on our resources to handle security issues”.

On the risk and patch management side of the coin, many defenders don’t have the luxury of conducting a deep investigation into each CVE’s technical feasibility. Conducting technical assessments and analyzing “patch diffs” takes enormous amounts of time. The resulting battle of attrition pits security teams against the clock. To prioritize remediation, they rely on CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), exploit status, and environmental factors such as compliance requirements and operational criticality. Security leaders want to see evidence that progress is continuous and that security gaps are closed. This is truly the benefit of using a vulnerability management platform such as Greenbone.

That being said, here are some new high-risk Linux privilege escalation CVEs that gained attention this month:

  • CVE-2023-0386 (CVSS 7.8): Now deemed actively exploited, the Linux kernel’s OverlayFS subsystem allows escalation to root-level by abusing how files with special privileges are copied between certain mounted filesystems.
  • CVE-2025-6019 (CVSS 7.0): A flaw found in Fedora and SUSE distros allows non-root users in the “allow_active” group to execute privileged disk operations such as mounting, unlocking, and formatting devices via D-Bus calls to udisksd. The vulnerability is considered easy to exploit, and a public PoC (Proof of Concept) is available, increasing the risk.
  • CVE-2025-32462 and CVE-2025-32463: Two local privilege escalation vulnerabilities were fixed in Sudo 1.9.17p1, released on June 30, 2025. CVE-2025-32462 allows local users to abuse the --host option to escalate privileges on permitted hosts, while CVE-2025-32463 permits unauthorized root access via the chroot option, even when not explicitly allowed in the sudoers file.
  • CVE-2025-40908 (CVSS 9.1): Unauthenticated attackers can modify existing files simply by processing a crafted YAML file as input, due to improper use of the two-argument open call. Vulnerable systems include any Perl applications or distributions (like Amazon Linux, SUSE, Red Hat, Debian) using YAML‑LibYAML before version 0.903.0.

CVE-2025-49113: A Critical Severity CVE in RoundCube Webmail

A recently disclosed vulnerability tracked as CVE-2025-49113 (CVSS 9.9) in RoundCube Webmail allows authenticated attackers to execute arbitrary code on a RoundCube server. A poorly designed PHP deserialization operation [CWE-502] fails to properly validate user input, allowing the “_from” parameter to carry malicious serialized code. Attackers who successfully exploit the bug can potentially gain full control over the RoundCube server to steal data and install command and control (C2) tools for persistent access.

Although CVE-2025-49113 requires valid credentials for exploitation, admin credentials are not required. Technical analysis [1][2], PoC exploits [3][4], and a Metasploit module are available, increasing the potential risk for abuse. An EPSS score of 81 indicates an extremely high probability of exploitation in the near future. Meanwhile, the researcher who discovered the flaw claims that exploit kits are already for sale on underground cybercrime forums. Numerous national CERT agencies have issued alerts for the flaw [5][6][7][8][9], while Shadowserver reported over 84,000 exposed Roundcube services existed in early June.

Greenbone Enterprise Feed includes remote version detection [10][11] and Linux Local Security Checks (LSC) [12][13][14][15][16][17] to identify vulnerable instances of RoundCube Webmail (versions prior to 1.5.10 and 1.6.11). Users are encouraged to apply updates with urgency.

New Critical CVE in Cisco ISE Cloud Has PoC Exploit

CVE-2025-20286 (CVSS 10) is a new flaw affecting Cisco Identity Services Engine (ISE) cloud deployments on AWS, Azure, and Oracle Cloud Infrastructure (OCI). The bug could allow unauthenticated, remote attackers to access sensitive data, perform some limited administrative operations, modify system configurations, and disrupt services. Due to poor software design, identical access credentials [CWE-259] are generated and shared across all connected ISE instances running the same release and platform.

Cisco has acknowledged the existence of a publicly available exploit. The vendor also stated that the vulnerability is only exploitable when the Primary Administration Node is deployed in the cloud. On-premises deployments and several hybrid/cloud VM solutions are not affected. Overall, the widespread use of Cisco ISE in enterprise networks and the availability of exploit code make CVE-2025-20286 a high-risk vulnerability for those with affected configurations. Greenbone includes a version detection test to identify instances that may be vulnerable.

CitrixBleed 2 and Another Actively Exploited Flaw in Citrix NetScaler ADC and Gateway

Dubbed “CitrixBleed 2”, CVE-2025-5777 (CVSS 9.3) is an out-of-bounds read [CWE-125] vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, which allows unauthenticated, remote attackers to steal valid session tokens from memory by sending malformed HTTP requests. CVE-2025-5777 is due to insufficient input validation – unfortunately, a common, yet easily preventable root cause of software bugs. Exposure of session tokens allows impersonation of legitimate users, resulting in unauthorized access. Security experts speculate that exploitation is imminent, drawing parallels to the original CitrixBleed (CVE-2023-4966) vulnerability leveraged by ransomware groups in high-profile breaches.

Another flaw, CVE-2025-6543 (CVSS 9.8), also affecting Citrix NetScaler ADC and Gateway, was added to CISA KEV, indicating that active exploitation is already underway. CVE-2025-6543 is a memory overflow vulnerability [CWE-119]. While the impact has been officially described as DoS, researchers believe it may lead to arbitrary code execution or device takeover, as seen in similar past cases.

Both flaws only impact devices configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA (Authentication, Authorization, and Accounting) virtual servers. Both flaws are the subject of widespread national CERT advisories [1][2][3][4][5][6][7]. Greenbone provides a remote version check to detect CitrixBleed 2 and a remote version check for CVE-2025-6543. Users should patch with urgency.

A Trio of Exploitable Sitecore CMS Flaws

Three new CVEs affecting Sitecore Experience Platform can be chained to allow unauthenticated Remote Code Execution (RCE). The flaws were disclosed with a full technical description and PoC guidance, making their exploitation highly likely. In the attack chain, CVE-2025-34509 provides initial authenticated access, while CVE-2025-34510 and CVE-2025-34511 are both post-auth RCE flaws. Attackers can first exploit hardcoded credentials to generate a valid session token, then upload a malicious “.aspx” web shell and proceed to execute arbitrary shell commands on the victim’s system. Alternatively, CVE-2025-34511 could be used to execute PowerShell commands instead of uploading a web shell.

Here are brief descriptions of each:

  • CVE-2025-34509 (CVSS 8.2): Hardcoded credentials [CWE-798] allow remote attackers to authenticate using this account to access the admin API.
  • CVE-2025-34510 (CVSS 8.8): A relative path traversal vulnerability [CWE-23] known as “Zip Slip” allows an authenticated attacker to extract malicious files from a ZIP archive into the webroot directory, which could lead to RCE via .aspx web shell.
  • CVE-2025-34511 (CVSS 8.8): An unrestricted file upload vulnerability [CWE-434] in the PowerShell Extensions module allows an attacker to upload arbitrary files, including executable scripts, to any writable location. Although CVE-2025-34511 requires the Sitecore PowerShell Extension to be installed, this is considered a common configuration.

Sitecore is a popular enterprise Content Management System (CMS) used by major global organizations across industries. While it is estimated that Sitecore represents between 0.45% and 0.86% of the global CMS market share [1][2], this user base consists of high-value targets. Greenbone is able to detect vulnerable instances of Sitecore with an active check and a remote version detection test. Patches were released in Sitecore version 10.4 and backported to earlier supported versions, allowing users to upgrade.

Bypass of CVE-2025-23120 in Veeam Backups

CVE-2025-23121 (CVSS 9.9) is a deserialization flaw [CWE-502] that allows authenticated domain users to execute arbitrary code [CWE-94] on Veeam Backup & Replication servers. The vulnerability arises from insecure data processing and is considered a bypass of a previously patched flaw, CVE-2025-23120.

No public PoC exploit is currently available. However, CVEs in Veeam Backup & Replication are often targeted by attackers. The vulnerability only applies to organizations using domain-joined backup servers, but for them it presents a serious threat given the importance of backups in ransomware recovery. Attackers may obtain valid credentials for authentication via credential theft or use password spraying to target re-used credentials.

Greenbone can remotely detect affected Veeam products and prompt patching to version 12.3.2.3617, which is strongly recommended.

Summary

June 2025 saw the emergence of at least two new wiper malware strains, threatening to impact critical infrastructure and enterprises. Widespread massive data breaches are escalating, impacting organizations and individuals as stolen data gets used for various malicious ends. This month also saw a deluge of newly discovered, critical-severity vulnerabilities in enterprise-grade products, most of which were not covered in this report, many with PoCs or full exploit kits available within hours of their disclosure. From RoundCube and Cisco ISE to Citrix and Linux systems, high-risk digital weaknesses that demand attention are escalating the cyber war of attrition for defenders worldwide.

It’s not “unauthenticated” because the first step is to gain authentication, right?

A fresh vulnerability, CVE-2025-25257 (CVSS 9.6) in Fortinet’s FortiWeb Fabric Connector, presents high risk globally. Although the CVE is still only in RESERVED status as of July 14th, 2025, it has already received a national CERT advisory from Belgium’s CERT.be, and the Center for Internet Security (CIS) has also issued an alert. More alerts should follow shortly as the CVE reaches PUBLISHED status.

Multiple public Proof of Concept (PoC) exploits [1][2] are available, further increasing the risk level. Users should apply updates with urgency. Greenbone issued a detection test for this flaw soon after its disclosure, allowing defenders to identify vulnerable systems across their networks. Let’s dig into the details of CVE-2025-25257 to find out what it’s all about.

CVE-2025-25257: Unauthenticated RCE in FortiWeb Fabric Connector

CVE-2025-25257 (CVSS 9.6) is an unauthenticated Remote Code Execution (RCE) flaw in Fortinet FortiWeb Fabric Connector with a critical impact score. The flaw allows both SQL code and Python code to be executed on a victim’s system due to improper neutralization of HTTP headers. Shockingly, this vulnerability exists because the HTTP “Authorization: Bearer” header value is inserted into SQL queries without being sanitized [CWE-89] – which is an unforgivably poor software design. Full technical descriptions and exploits [1][2][3] have been published by watchTowr Labs and other security researchers. This means exploitation should now be considered trivial for attackers of all skill levels.

In addition to all typical SQL Injection attacks, such as enumerating the database or modifying data, attackers can gain RCE by injecting SQL code to exploit MySQL’s INTO OUTFILE command. By writing an executable .pth file into Python’s site-packages directory (/usr/local/lib/python3.10/site-packages/ in the case of FortiWeb), it will be executed every time a Python script is run. This is because Python’s built-in initialization mechanism (site.py) is triggered during interpreter startup. FortiWeb’s web-based admin console also includes a Python-based CGI script (ml-draw.py), which can be triggered without authentication, completing the exploit-chain.
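The .pth persistence described above works because site.py executes any .pth line that begins with "import" (followed by a space or tab) at interpreter start-up, while every other non-comment line is merely added to sys.path. The following audit script is an added example, not Fortinet’s or Greenbone’s code: it classifies .pth lines the way site.py does and lists the executable ones found in the interpreter’s site-packages directories; the sample .pth content is constructed, and the FortiWeb path /usr/local/lib/python3.10/site-packages/ from the text is only checked if it exists on the host.

```python
import os
import re
import site

# site.py executes a .pth line only when it starts with "import" followed by a
# space or a tab; blank lines and lines starting with "#" are skipped and every
# other line is treated as a directory to append to sys.path.
EXEC_LINE = re.compile(r"^import[ \t]")

# Constructed sample .pth content for the demonstration (not from a real file).
SAMPLE_PTH = (
    "# legitimate comment line\n"
    "\n"
    "extra/packages\n"
    'import os; print("constructed demo line")\n'
    "import\tsys\n"
)


def classify_pth(text):
    """Classify each line of a .pth file as site.py would treat it.

    Returns a list of (line_number, kind, line) where kind is one of
    'blank', 'comment', 'path' or 'exec'.
    """
    result = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip() == "":
            kind = "blank"
        elif line.startswith("#"):
            kind = "comment"
        elif EXEC_LINE.match(line):
            kind = "exec"
        else:
            kind = "path"  # a leading space also makes "import" a path entry
        result.append((number, kind, line))
    return result


def exec_lines(text):
    """Only the (line_number, line) pairs that site.py would exec()."""
    return [(n, line) for n, kind, line in classify_pth(text) if kind == "exec"]


def audit_pth_dirs(directories):
    """Scan each directory (non-recursively, like site.py) for .pth files.

    Returns {file_path: [(line_number, line), ...]} for files that contain
    at least one executable line.
    """
    findings = {}
    for directory in directories:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(directory, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = exec_lines(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def default_pth_dirs():
    """site-packages directories of the running interpreter, plus the FortiWeb
    path named on the page (an assumption for other hosts; included only if present)."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    dirs.append("/usr/local/lib/python3.10/site-packages")
    return [d for d in dict.fromkeys(dirs) if os.path.isdir(d)]


if __name__ == "__main__":
    print("Sample .pth classification:")
    for number, kind, line in classify_pth(SAMPLE_PTH):
        print(f"  {number:>2} {kind:<7} {line!r}")
    print("\nExecutable .pth lines in this interpreter's site-packages:")
    for path, hits in audit_pth_dirs(default_pth_dirs()).items():
        for number, line in hits:
            print(f"  {path}:{number}: {line}")
```

Some legitimate packages (for example editable installs and setuptools’ distutils shim) also ship import lines in .pth files, so each hit is a review item to compare against the package that installed it, not an automatic verdict.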

Although the vulnerability is not yet known to be exploited in the wild, its pre-auth RCE status and historical attacks against Fortinet products indicate that a low-hanging fruit such as CVE-2025-25257 is likely to be exploited soon after disclosure. FortiWeb Fabric Connector is not an edge service. However, local attackers may exploit it to modify FortiWeb WAF configurations, steal sensitive information, or install additional persistent malware.

What Is FortiWeb Fabric Connector?

FortiWeb itself is a Web Application Firewall (WAF), which can be considered an edge security device when deployed in that role. Fabric Connector is a system integration component, designed to facilitate automated coordination between FortiWeb WAF and other Fortinet products such as FortiGate and FortiManager. As other Fortinet devices generate threat data, Fabric Connector can convert that data into real-time security responses within FortiWeb. Luckily, the FortiWeb Fabric Connector is not an edge service, and therefore not typically accessible via the public Internet. However, as a WAF, FortiWeb devices are tasked with blocking malicious traffic from reaching webservers. Therefore, if attackers are able to alter its configuration, they could enable secondary attacks against web-based assets.

Mitigating CVE-2025-25257

CVE-2025-25257 affects FortiWeb versions 7.0.0 through 7.0.10, 7.2.0 through 7.2.10, 7.4.0 through 7.4.7, and 7.6.0 through 7.6.3. Users should upgrade immediately to versions 7.0.11, 7.2.11, 7.4.8 or 7.6.4 or later. If updating is not possible, Fortinet advises users to disable the FortiWeb HTTP/HTTPS administrative interface.

Summary

CVE-2025-25257 offers attackers unauthenticated RCE via Fortinet’s FortiWeb Fabric Connector HTTP API. The flaw is driven by a SQL injection vulnerability that has so far been leveraged to escalate privileges and execute Python code as well. Public PoCs and a national CERT advisory from CERT.be highlight the urgency to patch or otherwise remediate. Greenbone issued detection tests for this flaw soon after its disclosure, allowing defenders to identify vulnerable systems across their networks.

Germany’s Bundesrechnungshof has sharply criticized the current state of cybersecurity in the federal administration. Der Spiegel quotes a document classified as confidential, which concludes that significant parts of the government’s IT infrastructure have serious security flaws and do not meet the minimum requirements of the Federal Office for Information Security (BSI).

The Bundesrechnungshof (BRH) is Germany’s supreme audit institution responsible for the federal government’s budgetary and economic oversight. It examines whether federal authorities, ministries, federal enterprises, and other public institutions are using taxpayers’ money properly, economically, and efficiently. It is independent of both the federal government and the Bundestag.

The report criticizes the lack of a central, cross-departmental information security control system. It also states that the existing security architecture must become more efficient.

Inadequate Governance and NIS2 Preparation

Another point of criticism concerns the requirements of the NIS 2 Directive [1] [2] [3]. This introduces significant new obligations for federal authorities and KRITIS-related organizations – particularly with regard to prevention, documentation requirements, and BSI oversight. Many institutions are neither technically nor organizationally prepared for this.

The Court of Auditors welcomes the fact that the adjustment of Germany’s debt limit will allow targeted investment in cybersecurity. However, the investments are tied to the demonstrable effectiveness of the measures. In practice, this means only those who can prove their security measures lead to concrete improvements will receive future funding.

Increasing Pressure to Act

The report highlights growing pressure on public administration. The threat landscape continues to worsen, with annual damages in the hundreds of billions. The BRH is calling for a shift toward structured, data-driven, and sustainable security management.

The widespread failure is alarming. Serious weaknesses have been found in almost all data centers of German public authorities – with dramatic consequences for the security, resilience, and trustworthiness of the government’s IT infrastructure. Public authorities and KRITIS operators must take action now and introduce modern vulnerability management.

In many cases, there is not even an emergency power supply, and fewer than one in ten examined data centers meet the BSI’s minimum standards for high availability. According to the investigation, this is concerning: lack of redundancy, outdated systems, and insufficient reliability all jeopardize the functionality of critical infrastructure in the event of a crisis.

Over 180 Billion Euros in Damage Every Year

The damage is already being done: according to current figures, cyberattacks cause over 180 billion euros in damage every year in Germany. Acts of sabotage, hybrid attacks, and blackout scenarios have long been a reality – and the trend is rising.

However, the German BRH identifies many shortcomings: a lack of structured information security, of cross-departmental and data-based IT risk management, and of appropriate governance. Reliable information is lacking – without which it is impossible to realistically assess risk levels or progress in individual cases, let alone provide evidence.

Greenbone’s Vulnerability Management Helps

When it comes to implementing the right measures and proving their effectiveness, solutions like those offered by Greenbone come into play. Modern vulnerability management provides a decisive strategic advantage. Among other things, it provides a reliable, robust basis to support data-driven decision-making for administrators and management.

Greenbone’s OPENVAS automatically, continuously, and objectively detects, evaluates, and prioritizes vulnerabilities. This creates a reliable foundation for IT governance structures – even in ministries, government agencies, and other public-sector enterprises. Vulnerability Management also ensures the essential transparency in times of growing accountability – thus becoming a mandatory component rather than a “nice-to-have.”

Greenbone Vulnerability Management reports contain CVSS ratings, trend analyses, and progress indicators. Authorities can use these not only for internal documentation but also to demonstrate measurable improvements to audit offices and ministries.

Equipped for NIS2

The new NIS2 directive tightens requirements for operators of critical infrastructure. It defines new responsibilities, expands BSI controls and reporting obligations, and specifies the software components to be used. As a result, more companies are dealing with the upcoming German version of the regulation.

Greenbone’s solutions actively support public authorities and KRITIS-related organizations in preparing for regulatory audits. Features such as automated vulnerability management, audit-proof reporting, and audit trails provide security, even under increasing regulatory control.

Webinars Help with Prevention – Now Is the Time to Act!

Greenbone customers receive concrete help when it comes to meeting BSI requirements in the data center, preparing for audits, and viewing vulnerability management as part of emergency preparedness. After all, prevention is always cheaper and more effective than crisis management.

The report by the German BRH is a wake-up call – and an opportunity. And because cybersecurity begins with visibility, Greenbone is the right choice. Contact us or attend our webinars – like the latest series for public authorities and KRITIS, offering in-depth information on implementing the NIS 2 Directive, data center hardening, and georedundancy, as well as on the basic structure of vulnerability control. Dates, content, and registration can be found on the website.

In 2025, IT security teams are overwhelmed with a deluge of new security risks. The need to prioritize vulnerability remediation is an ongoing theme among IT security and risk analysts. In a haystack of tasks, finding the needles is imperative. Factors compounding this problem include a cybersecurity talent shortage, novel attack techniques, and the increasing rate of CVE (Common Vulnerabilities and Exposures) disclosure.

To meet this need for better precision and efficiency, a wave of new prioritization metrics has emerged. Not that more perspectives on risk are a bad thing, but already overwhelmed defenders find themselves in a difficult position; the choice between pushing forward or pausing to evaluate the value of new metrics.

Released by NIST (National Institute of Standards and Technology) in May 2025, the Likely Exploited Vulnerabilities (or just LEV) metric consolidates historical EPSS (Exploit Prediction Scoring System) time-series, and in-the-wild exploitation status, to compute, among other things, an aggregate risk score. In this article, we will take a dive into what LEV is and the supplemental equations released in NIST’s recent technical whitepaper (NIST CSWP 41).

The Reason Behind LEV (Likely Exploited Vulnerabilities)

LEV uses a CVE’s historical EPSS time-series to calculate a cumulative risk score representing the probability that it has ever been actively exploited. But how is this different from EPSS itself? Isn’t EPSS, a machine learning (ML) model with almost 1,500 predictive features, good enough?

Some academic criticisms have revealed that EPSS can miss critical vulnerabilities. Direct observation of historical EPSS data shows that scores can spike for a very short period of time (1-2 days), then return to a moderate or low baseline. This presents potential problems for defenders using EPSS.

For example, EPSS does not reflect how cybercriminals operate. Industry reports show that attackers exploit vulnerabilities whenever and wherever they are found, even old ones. In other words, attackers don’t say “Let’s not exploit that vulnerability because it’s too old”. Therefore, using only the most current EPSS score can hide severe risk, even risk uncovered in the recent past. Defenders may solve this problem by always applying the highest EPSS score in their risk assessment. But another weakness still looms with raw EPSS scores: according to fundamental statistical theory, the accumulation of moderate probability scores should also signify a high probability of an event occurring.

LEV addresses this last limitation by calculating a cumulative probability using each CVE’s historical EPSS data. LEV applies the common product-based approach for calculating cumulative probability of at least one event occurring among several independent events. As a result, CVEs which didn’t trigger alerts (even using the max EPSS) now appear as high-risk using LEV.

Mathematical Input and Symbol Reference

This section explains the input variables and mathematical symbols used in the LEV equations.

Input Reference

Input | Meaning | Used in
v | A vulnerability (e.g., a CVE) | All equations
d | A date (without time component) | All equations
d0 | First date with EPSS data for v | All equations
dn | The analysis date (usually today) | LEV, Expected Exploited, Composite Probability
dkev | Date of latest KEV (Known Exploited Vulnerabilities) list update | KEV Exploited
LEV(v, d0, dn) | Cumulative likelihood that vulnerability v is exploited from d0 to dn | All equations
EPSS(v, dn) | EPSS score for vulnerability v on date dn | Composite Probability
KEV(v, dn) | 1.0 if v is in the KEV list on dn, else 0 | Composite Probability
scopedcves | CVEs eligible for KEV tracking (where d0 ≤ dkev) | KEV Exploited
cves | CVEs considered in the analysis (where d0 ≤ dn) |

Symbol Reference

Symbol | Name | Meaning
∀ | Universal quantifier | “For all” / “For every”, similar to a programming loop.
Π | Capital Pi | “Product notation” for repeated multiplication over a sequence, similar to how ∑ means repeated addition.
∑ | Capital Sigma | “Cumulative notation” for repeated addition over a sequence.
∈ | Element of | “Is an element of” / “belongs to”. Indicates membership in a set.

Understanding the LEV Equations

LEV is described by NIST Cybersecurity White Paper 41 (CSWP 41) as a lower-bound (conservative) estimate of the probability that a vulnerability has been exploited: the cumulative probability that it was exploited at least once during a given time window. Two similar equations are provided, LEV and LEV2. The first is optimized to reduce computational load.

In both equations, each factor inside the product Π is the probability that no exploitation occurred in one period of the time window. Multiplying the factors gives the cumulative probability that no exploitation ever occurred; subtracting that product from 1 gives the probability of at least one exploitation over the window. Because an EPSS score is a 30-day probability, both equations work in 30-day units.

The two LEV equations are described below:

The Performance Optimized LEV Equation

LEV uses a CVE’s historical EPSS scores sampled every 30 days, epss(v, d_i), each standing for the probability of exploitation within the 30 days that follow the sample date. A compensating weight is applied when the final sample lies fewer than 30 days before dn, so that a partial window is not counted as a full one.

The LEV equation proposed in NIST CSWP 41

The High Resolution LEV2 Equation

LEV2 uses the complete daily EPSS time series rather than a sample every 30 days. Because each EPSS score is a 30-day probability, every daily value is scaled by 1/30 to spread it evenly across its window, which keeps the risk density consistent across the date range. The higher temporal resolution gives a finer-grained score: a short burst of high EPSS cannot be skipped over between two sample dates, as can happen with the LEV equation above.

The LEV2 equation proposed in NIST CSWP 41

The Supplemental Equations

This section introduces the supplemental equations from NIST’s LEV whitepaper, their mathematical structure and potential use-cases.

Calculating a Composite Risk Score

The supplemental Composite Probability metric described in NIST’s LEV whitepaper simply selects the strongest of three exploitation signals: the current EPSS score, inclusion in the CISA (Cybersecurity and Infrastructure Security Agency) KEV list, and LEV.

The Composite Probability equation proposed in NIST CSWP 41

By selecting the strongest intelligence signal, Composite Probability supports vulnerability prioritization and reduces blind spots where any one signal is incomplete or outdated. It is especially useful in large enterprise vulnerability management programs, where deciding what to fix first is the central challenge.

Estimating Total Number of Exploited CVEs

NIST’s whitepaper also suggests a method to estimate the total number of exploited CVEs during a specified time window and how to estimate the comprehensiveness of a repository of known exploited vulnerabilities.

The Expected Exploited Calculation

The Expected Exploited metric estimates the number of exploited CVEs within a given time window by summing (∑) the LEV probabilities of a defined set of vulnerabilities. That the sum of individual event probabilities equals the expected number of events is a fundamental principle of probability theory (linearity of expectation). NIST CSWP 41 describes the result as a lower-bound (conservative) estimate, but there is no precedent for treating this basic technique as such: the summation adds no conservatism of its own, so the estimate is only as much of a lower bound as the LEV inputs are.

The Expected Exploited equation proposed in NIST CSWP 41

The KEV Exploited Calculation

The KEV Exploited metric estimates how many exploited vulnerabilities a KEV catalog such as CISA KEV is missing. It uses the same technique as the Expected Exploited equation above, a sum of probabilities, restricted to the CVEs that were eligible for KEV tracking (scopedcves) as of the catalog date dkev. Quantifying the gap between this estimate and the catalog’s actual size gives insight into potential underreporting.

The KEV Exploited equation proposed in NIST CSWP 41
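To make the equations above concrete, here is a small worked example in Python. It is an added illustration written for this post, not NIST’s reference code or Greenbone’s implementation. It models dates as integer day offsets from d0 (day 0 is the first day with an EPSS score), treats each EPSS value as the probability of exploitation within the following 30 days and, for the partial trailing window in LEV, scales the final sample by the fraction of its 30-day window that falls before dn. That weight rule is this author’s reading of the whitepaper, and the three hypothetical CVE histories (CVE-A, CVE-B, CVE-C) are constructed for the example, not real data. The KEV Exploited sum is omitted, as it is the same summation over a different set.

```python
"""Worked example of the LEV, LEV2, Composite Probability and Expected Exploited
equations from NIST CSWP 41. Added illustration for this post; not NIST's
reference code. Dates are integer day offsets from d0 (day 0 = first EPSS score).
The partial-window weight in lev() is this author's reading of the whitepaper.
"""
from math import prod

WINDOW = 30  # an EPSS score is a probability of exploitation within 30 days


def lev(epss_series, dn):
    """Performance-optimized LEV: sample EPSS every WINDOW days from d0 to dn.

    epss_series[d] is the EPSS score of the CVE on day d. A sampled score
    covers the WINDOW days that follow it; when fewer than WINDOW days remain
    before dn, the score is scaled by the fraction of the window that fits.
    """
    no_exploit = 1.0
    for d_i in range(0, dn, WINDOW):
        weight = min(dn - d_i, WINDOW) / WINDOW  # 1.0 for a full window
        no_exploit *= 1.0 - epss_series[d_i] * weight
    return 1.0 - no_exploit


def lev2(epss_series, dn):
    """High-resolution LEV2: use every daily score, each scaled by 1/WINDOW.

    Spreading each 30-day probability evenly over its 30 days means a short
    burst of high EPSS between two 30-day sample dates still counts.
    """
    return 1.0 - prod(1.0 - epss_series[d] / WINDOW for d in range(dn))


def composite_probability(epss_dn, in_kev, lev_score):
    """Composite Probability: the strongest of EPSS(v, dn), KEV(v, dn) and LEV."""
    return max(epss_dn, 1.0 if in_kev else 0.0, lev_score)


def expected_exploited(lev_scores):
    """Expected Exploited: the sum of LEV probabilities over a set of CVEs."""
    return sum(lev_scores)


def constructed_sample():
    """Three hypothetical CVEs with invented EPSS histories (not real data)."""
    dn = 180
    steady = [0.15] * dn            # CVE-A: moderate but sustained EPSS
    burst = [0.01] * dn             # CVE-B: near zero ...
    burst[40:47] = [0.60] * 7       # ... except a one-week spike
    quiet = [0.02] * dn             # CVE-C: low EPSS, but listed in CISA KEV
    return dn, {"CVE-A": (steady, False),
                "CVE-B": (burst, False),
                "CVE-C": (quiet, True)}


def analyze(dn, cves):
    """Score each CVE; return per-CVE rows and the Expected Exploited total."""
    rows = {}
    for name, (series, in_kev) in cves.items():
        l1, l2 = lev(series, dn), lev2(series, dn)
        rows[name] = {
            "max_epss": max(series[:dn]),
            "lev": l1,
            "lev2": l2,
            # EPSS(v, dn) is the score on the analysis date, not the maximum
            "composite": composite_probability(series[dn - 1], in_kev, l2),
        }
    total = expected_exploited(r["lev2"] for r in rows.values())
    return rows, total


if __name__ == "__main__":
    dn, cves = constructed_sample()
    rows, total = analyze(dn, cves)
    for name, r in rows.items():
        print(name, {k: round(v, 4) for k, v in r.items()})
    print("Expected Exploited:", round(total, 4))
```

Running it shows the three effects discussed in this section. CVE-A never exceeds an EPSS of 0.15 on any single day, yet its LEV is about 0.62 (LEV2 about 0.59), so Composite Probability lifts it above the 50% mark. CVE-B’s one-week spike falls between two 30-day sample dates and is missed by LEV, but roughly triples its score under LEV2. CVE-C is dominated by its KEV listing. Note that Composite Probability uses EPSS on the analysis date, so a spike that is already in the past survives only through LEV or LEV2; this is why the earlier advice to also track a CVE’s maximum historical EPSS still matters.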

The Revelations of LEV

Here are some ways to visualize the value that LEV can provide to a vulnerability management program. The supplemental Composite Probability equation is best for visualizing the contribution that LEV makes to a more comprehensive CVE risk analysis. Therefore, the observations below all use Composite Probability unless otherwise stated.

The Estimated Total Number of Exploited CVEs

When considering all CVEs since ~1980 (273,979 in total), LEV’s Expected Exploited metric indicates that 14.6% of them (39,925) are likely to have been exploited in the wild. Since CISA KEV contained 1,228 entries at the time of calculation, this implies that the vast majority of exploitation activity is not captured by any known KEV list. Expected Exploited is an aggregate, however: it does not show how many individual CVEs cross a given probability threshold.

The Number of Uncovered High Risk CVEs

To assess how LEV may impact an organization’s ability to uncover risk and prioritize remediation, it is useful to consider how many CVEs are elevated to high risk status at various probability thresholds. The chart below shows how many CVEs would become visible above 50% Composite Probability.

 

Visualizing Risk Migration Using Composite Probability

The Sankey diagram compares the number of CVEs in each risk bucket. The left side buckets CVEs by their maximum EPSS score; the right side by LEV’s Composite Probability. Because Composite Probability takes the maximum of its inputs, it can only raise a CVE’s score relative to the signals it combines, and no CVE in the chart moves to a lower bucket. The chart shows a large shift out of the lowest-risk bucket and an increase in every other bucket when Composite Probability is used to estimate risk.

Sankey diagram showing the migration of CVEs between risk buckets when moving from maximum EPSS to LEV’s Composite Probability metric

Limitations and Criticisms of LEV

While LEV offers valuable insights, it’s important to examine its assumptions and potential shortcomings:

  • The LEV whitepaper presents no empirical validation or comparison with other statistical models. That said, the product-based calculation of the cumulative probability of a set of independent events is a well-established technique.
  • LEV is described as a lower-bound probability, but there is no academic precedent for treating the mathematical constructs in NIST CSWP 41 as conservative lower-bound estimates.
  • LEV is not an opaque prediction system in itself, but it depends on EPSS, which is not a fully public model. LEV addresses some of EPSS’s blind spots, and as EPSS improves, LEV benefits as well. For example, EPSS v4 added malware activity and endpoint detections to its exploitation “ground truth”, which reduces the bias towards remotely accessible network vulnerabilities.
  • Defenders should not over-rely on LEV, EPSS, or CVSS to prioritize vulnerabilities. Evidence of active exploitation is the strongest risk signal, but it often arrives post hoc, too late for defenders to act on.

Summary

LEV may offer some enhancements to vulnerability prioritization by aggregating historical EPSS signals into a cumulative exploitation probability, increasing visibility for CVEs with a sustained history of moderate EPSS scores. Perhaps the most useful metric is the proposed Composite Probability, which selects the strongest signal from LEV, the current EPSS score, and CISA KEV exploitation status.

Artificial intelligence (AI), the security of AI systems and the use of AI in security are no longer a thing of the future – they are our present. And they have long been an integral part of our daily work to improve IT security. At the same time, they bring with them a new quality of risks that we in the security industry must take very seriously.

From Bach to Artificial Intelligence: a Journey Through Time

My first encounter with AI was a long time ago. In 1979, a friend of mine spent every spare minute reading a thick white book called “Gödel, Escher, Bach”. As a musician, I was initially only interested in the aspect relating to Johann Sebastian Bach. Unfortunately, it didn’t help me much in my attempts to play “The Well-Tempered Clavier” and its fugues. But I did learn about AI.

In the book, author Douglas R. Hofstadter describes how complex, intelligent behavior can arise from astonishingly simple systems. The idea: self-referential loop structures that create levels of meaning – whether in logical proofs, drawings, or musical compositions.

Bach’s fugues repeatedly contain melodies that contain themselves and are played simultaneously in variations, creating a new musical level in which the individual melody seems to disappear again and again, but is actually always there. So, it’s a bit like what we experience with large language models and generative AI: the individual disappears into a new, larger whole.

When complex structures generate meaning at a higher level and we can then map this using digital tools, we call the whole thing artificial intelligence. Hofstadter refers to these as rule-based systems. Our current AI systems do this in the form of neural networks, which produce seemingly “intelligent” outputs through the interaction of billions of parameters. Similar to flocks of birds, ant colonies, or the stock market, emergent behavior arises: we use systems that we no longer fully understand, but whose results seem plausible and useful enough to us to use them.

The Balancing Act Between Usefulness and Control

After decades of development, the use of artificial intelligence has become commonplace in recent years. Whether we have already largely exhausted its actual capabilities or are still at the very beginning of an exponential curve remains to be seen. We are on the critical path from simple dialogue functions to semi-autonomous or even autonomous systems. Here, technical efficiency (e.g., response time or loss tolerance) naturally conflicts with human qualities such as judgment, responsibility, and the ability to make reasoned decisions. And because we are making AI systems increasingly powerful, the question becomes more urgent: How secure, vulnerable, and trustworthy are they really?

Trust

Just as with our partners, colleagues, and people in general, we cannot fully understand the internal processes of AI. This not only makes AI difficult to verify, but also particularly vulnerable to targeted manipulation, whether through adversarial attacks or subtle input distortions. But not using AI is obviously not a solution either. There is no way around it: we have to deal with it. We can only establish trustworthy tools and processes that protect us well enough.

It is in the nature of things that we have to be content with statistical probabilities instead of provable truths that we can understand. In practice, this usually works well – but not always. Where trust is based on habit rather than understanding, there is no basis for control in an emergency. This can lead to misunderstandings about what AI can and cannot do. Serious proposals are then made to simply let AI control nuclear power plants due to a lack of available specialist personnel. We’d rather not do that.

The potential technical protection of AI systems is probably more advanced than protection against such ideas. What is the current state of technical protection for AI systems? Here are a few answers:

  1. AI systems are just software and hardware. Classic IT security architecture remains relevant, even for AI. On the one hand, this is somewhat alarming, but on the other hand, it means we are at least well equipped to test security.
  2. There are initial AI-specific protection mechanisms that can at least mitigate simple things like prompt injection. Content filtering and moderation systems can protect against toxic or unwanted output.
  3. AI systems can be monitored using a combination of statistical and rule-based checks.
  4. Smaller models such as Small Language Models (SLMs) allow us to reduce the attack surface. Large models such as those behind ChatGPT, Claude, or Gemini are powerful, but particularly difficult to control and test. They are also very large, practically impossible to move between environments, extremely energy-intensive, and very expensive to maintain. Increasingly capable and smarter smaller solutions are becoming available, however.

The more specifically I can define a task, the less I need a general-purpose LLM – and the better an SLM can be used: SLMs are easier to oversee, more transparent to operate, can be hardened locally, and secured more efficiently. These are not panaceas, but important building blocks for responsible AI use. One might ask: If this AI can do so much, why can’t it simply protect itself? Why don’t we build security AI for AI?

Why AI Cannot Simply Secure Itself

As early as 1936, Alan Turing published “On Computable Numbers”, a mathematical description of what he called a universal machine: an abstraction that can, in principle, carry out any computation that can be written down as a step-by-step procedure. Yet the decision problem (Entscheidungsproblem) revealed the limits of machine reasoning right from the start. Turing proved that there is no general method for deciding how an arbitrary program will behave, for instance whether it will ever halt. This applies equally, if not more, to today’s AI.

Gödel’s incompleteness theorem makes a related point: in any consistent formal system powerful enough to express arithmetic, there are true statements that cannot be proven within that system. AI can and will become increasingly powerful, but it will never be completely predictable or understandable. Of course, this does not prevent us from using AI systems.

However, superintelligence will not exist in the foreseeable future. We cannot build AI that is guaranteed to be error-free, and AI cannot do so either. It is interesting and sometimes fascinating, but it is neither a panacea nor a mystery. Our task, therefore, is not to eliminate risks but to identify them, limit them, and bear them responsibly. Pragmatism is called for: we must seize the opportunities while managing the risks.

Optimists say: We can do it.

Pessimists say: It will be a disaster.

Pragmatists say: We have to get through it.