Tag Archive for: Cybersicherheit

Markus Feilner

TÜV Study on Cyber Security: German Companies Still Under Pressure

Companies operate under a “false sense of security,” warn the BSI and TÜV. This may sound surprising given the persistent threats. However, it is backed up by a recent study on cyber security in companies.

Many companies underestimate the situation, overestimate their own capabilities, and fail to take sufficient protective measures. These and other findings were made by the German Technical Inspection Association (TÜV) and the German Federal Office for Information Security (BSI). Only half of those surveyed were aware of NIS-2, which is alarming given that 29,000 additional companies will be affected by it. At the same time, over 90 percent consider their own security to be good or very good. Shockingly, for a quarter, IT security only plays a minor role.

BSI Management Is Concerned

The head of the BSI, Claudia Plattner, is concerned and warns that Germany still faces significant challenges ahead. Plattner also refers to the EU’s Cyber Resilience Act, which prescribes minimum requirements for networked products in Europe. TÜV notes that while awareness of the problem has grown, many companies still are not sufficiently prepared.

Dr. Michael Fübi, President of the TÜV Association, and Claudia Plattner, BSI President, at the presentation of the study, Source: BSI

Four Percent More Victims of Cyber Attacks

The 58-page study contains numerous worrying findings. The number of cyberattacks on companies increased be four percent over the last year – now impacting roughly one in seven. In almost all cases (84 percent) the intrusion was carried out via phishing. More and more threat actors utilise AI in their attacks, while it is hardly used by defenders (51 percent vs. 10 percent). Seven out of ten respondents consider security standards to be important, but only 20 percent put them into practice.

“Cybersecurity in German companies” – the TÜV Cybersecurity Study 2025

The TÜV Association is therefore calling on politicians to prioritize cybersecurity and include it in the overarching security strategy, as well as to clarify responsibilities more clearly. NIS2 and CRA must be “launched swiftly” despite all the delays to date.

TÜV’s Recommendations for Business

According to TÜV, companies should take threats seriously and carry out qualified risk analyses regularly. A cyber strategy is essential, as are security guidelines with measurable objectives, clearly assigned responsibilities, and concrete action plans.

Differences Between Large and Small Companies

The study reveals a striking difference based on company size. While 95% of companies with more than 250 employees give great importance to IT security, only two thirds of companies with up to 50 employees do so. Only in terms of self-assessment do large and small companies agree: over 90% consider themselves to be well protected, regardless of company size. However, almost half of large companies (41%) are aware of the high risk in the supply chain, while only 21% of small companies share this assessment. 78% of companies with fewer than 50 employees also do not believe that the supply chain poses a risk of cyberattack.

Origin Unknown

Although most companies fear criminal or state-sponsored attackers, internal actors are perceived as less of a threat. Only 9 percent were able to attribute attacks to a regional source, with 6 percent of the incidences coming from China, according to the more than 500 respondents.

Investment in Cyber Security

27% of companies also increased their IT security budget over the last year, while 15% hired additional experts – a slightly lower ratio than in the previous year. Around 20 percent of companies try to increase security by either using increasing or reducing the use of cloud services. Pentesting and emergency drills are also at the bottom of the list at around 25% each.

The majority of investments focus on hardware updates, new cybersecurity software, and measures for networked systems – exactly the areas covered by Greenbone’s specialized products.

Conclusion: Unspecific Threat, Known Methods, Lack of Security Discipline

Looking at the results of the study, the conclusion will be evident that, although it is by no means clear where the attacks are coming from, the successful methods of attack seem clear. There is also an asymmetry in the use of technology, as the example of AI shows.

The fact that almost 80 percent of respondents admit to only implementing common security standards to a limited extent is a clear warning sign – for BSI, Politicians, and security experts alike. Unsurprisingly, the TÜV association is calling on the German government to advance cyber security, and implement regulations quickly. After all, this is what the majority of respondents want.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Dwell time: Attackers Are Striking Faster and Disguising Themselves Better

Security experts are observing a worrying trend: the time to exploit (TTE), i.e. the time between a security vulnerability becoming known and being exploited by malicious actors, has been falling dramatically in recent times.

At the same time, attackers are becoming increasingly skilled at concealing their presence in a successfully hacked network. Experts refer to the time it takes to establish a foothold and then gain unauthorized access to company resources before being detected (and removed) as “dwell time”. The shorter this time, the better for those under attack. Even the most talented hacker needs time and can cause more (permanent) damage the longer they remain undetected and unobserved.

The Enemy Is Listening – and May Already Be There

Alarmingly, dwell time is increasingly reaching months or even years, as was the case with Sony and the US Office for Personal Management. There, attackers were able to operate undisturbed for more than twelve months. As a result, more than 10 terabytes of data were stolen from the Japanese technology group.

The fear of hidden intruders is great; after all, no one can say with certainty whether a malicious listener is already on their own network. It happens. In the 2015 Bundestag hack, for example, it was not the Bundestag’s own monitoring system that informed the German authorities about strange activities by third parties (Russian APT hacker groups) on the Bundestag network, but a “friendly” intelligence service. How long and how many actors had already been active in the network at that point remained unclear. The only thing that was clear was that there was more than one, and that the friendly intelligence services had been watching for some time.

Detection, Prevention and Response Increasingly Critical

This makes it more important to ensure that attackers do not gain access to the system in the first place. But this is becoming increasingly difficult: as reported by experts at Google’s Mandiant, among others, the response time available to companies and software operators between the discovery of a vulnerability and its exploitation has fallen rapidly in recent years, from 63 days in 2018 to just over a month in recent years.

Less and Less Time to Respond

In 2023, administrators had an average of only five days to detect and close vulnerabilities. Today it is already less than three days.

But that’s not all. In the past, security vulnerabilities were often exploited after patches became available, i.e., after experienced administrators had already secured their systems and installed the latest patches. These so-called “N-day vulnerabilities” should not really be a problem, as fixes are available.

Improved Discipline with Side Effects: Attackers Learn

Unfortunately, in the past, discipline (and awareness) was not as strong in many companies, and the issue was neglected, inadvertently contributing to the spread of automated attack methods such as worms and viruses. But there is good news here too: in 2022, attacks via N-day vulnerabilities still accounted for 38% of all attacks, but by 2023 this figure will fall to just 30%.

At first glance, this sounds good because administrators can find and fix known vulnerabilities for which patches are available more quickly and effectively. After years of poor discipline and a lack of update and patch strategies, the major and successful ransomware incidents have certainly also helped to convey the scope and importance of proper vulnerability management to the majority of those responsible.

Two-thirds Are now Zero-days

But there is also a downside to these figures: more than two-thirds of all attacks are now based on zero-day vulnerabilities, i.e., security gaps for which there is no patch yet – in 2023, this figure was as high as 70%. Criminal groups and attackers have reacted, learned and professionalized, automated and greatly accelerated their activities.

Without automation and standardization of processes, without modern, well-maintained and controlled open-source software, administrators can hardly keep up with developments. Who can claim to be able to respond to a new threat within three days?

Powerless? Not with Greenbone

When attackers can respond faster to new, previously unknown vulnerabilities and have also learned to hide themselves better, there can only be one answer: the use of professional vulnerability management. Greenbone solutions allow you to test your network automatically. Reports on the success of measures give administrators a quick overview of the current security status of your company.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Attackers Advance on Two New Ivanti EPMM Flaws

Just last month, CVE-2025-22457 (CVSS 9.8) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways was recognized as a vector for ransomware. Now, two new CVEs have been added to the growing list of high-risk Ivanti vulnerabilities; CVE-2025-4427 and CVE-2025-4428 affecting Ivanti EPMM (Endpoint and Patch Management Mobile) are under active exploitation.

Greenbone includes active check and version detection tests addressing both new CVEs and many other flaws in Ivanti products, allowing users to identify vulnerable instances, proceed with the patch process and verify security compliance once patches have been applied. In this blog post we will review the technical details of both new CVEs and assess the role that Ivanti has played in the global cyber risk calculus.

Two New CVEs in Ivanti EPMM Combine for Unauthorized Access

At the time of disclosure, Ivanti admitted that on-premises EPMM customers had already been breached. However, cloud security firm Wiz claims that self-managed cloud instances have also been effectively exploited by attackers. A full technical description of the attack chain is publicly available, making exploit development easier for attackers and further increasing the risk.

Here is a brief summary of each CVE:

  • CVE-2025-4427 (CVSS 5.3): An authentication bypass in the API component of Ivanti EPMM 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.
  • CVE-2025-4428 (CVSS 7.2): Remote Code Execution (RCE) in the API component of Ivanti EPMM 12.5.0.0 and prior allows authenticated attackers to execute arbitrary code via crafted API requests.

Ivanti has released patches to remediate the flaws. Users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1. If immediate patching is not possible, Ivanti recommends restricting API access using either the built-in Portal ACLs (Access Control Lists with the “API Connection” type) or an external WAF (Web Application Firewall). Network-based ACLs are discouraged by the vendor, since they may block some EPMM functionality. While these mitigations reduce risk, they can impact functionality for certain EPMM integrations, such as Microsoft Autopilot and Graph API. Ivanti also offers an RPM file which can be used to patch EPMM via SSH command line access.

The Invanti EPMM Exploit Chain

The exploit chain in Ivanti EPMM begins with CVE-2025-4427. Due to an insecure configuration in the application’s security.xml file, certain endpoints (specifically /rs/api/v2/featureusage) partially process requests if the format parameter is provided. This pre-auth processing allowed unauthenticated requests to access functions that should be protected. This access control flaw caused by CVE-2025-4427 sets the stage for RCE via CVE-2025-4428.

CVE-2025-4428 allows RCE via an Expression Language (EL) injection via HTTP requests. If the format parameter supplied in a request is invalid as per the EPMM’s specification (neither “cve” or “json”), its value is appended to an error message without sanitization and logged via Spring Framework’s message templating engine. By supplying specially crafted values in the format parameter, attackers can execute arbitrary Java code because the logged message is evaluated as an EL formatted string.

Researchers have pointed out these risks associated with message templating engines are well documented and rebuked Ivanti’s claims that the vulnerability was due to a flaw in a third-party library, rather than their own oversight. Also, if the conditions leading to exploitation of CVE-2025-4428 sounds familiar, it is reminiscent of the infamous Log4Shell vulnerability. Like Log4Shell, CVE-2025-4428 results from passing unsanitized user input into an expression engine which will interpret special commands from a formatted string. In the case of Log4Shell, malicious string formatting in JNDI lookups (e.g., ${jndi:ldap://…}), could trigger RCE.

Risk Assessment: Attackers Advance on Ivanti Flaws

Ivanti has been in the hot seat for the past few years. Attackers have often exploited flaws in Ivanti’s products to gain initial access to their victim’s networks. Across all product lines, the vendor has been the subject of 61 Critical severity (CVSS >= 9.0) CVEs since the start of 2023. 30 of these have been added to CISA KEV (Known Exploited Vulnerabilities of the Cybersecurity and Infrastructure Security Agency), although the true tally of actively exploited flaws may be higher. Ivanti CVEs have a high conversion rate for use in ransomware attacks; CISA notes 8 CVEs in this category.

In early 2024, the European Commission, ENISA, CERT-EU and Europol issued a joint statement addressing active exploitation of Ivanti Connect Secure and Policy Secure Gateway products. In the US, CISA directed all federal civilian agencies to disconnect these products and assume they had been breached [1][2]. CISA, the FBI and cybersecurity agencies from the UK, Australia and Canada issued a joint advisory warning of ongoing exploitation. By late 2024, CISA had also alerted to active exploitation of Ivanti Cloud Service Appliances (CSA), warning that both state-sponsored and financially motivated threat actors were successfully targeting unpatched systems.

In 2025, on January 8th, CISA warned that newly disclosed CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure, Policy Secure and ZTA Gateways were also under active exploitation. Unfortunately, attackers continue to advance on new flaws in Ivanti’s products well into 2025 including CVE-2025-22457 [3][4] and now, two new CVEs in EPMM discussed above.

Dennis Kozak replaced Jeff Abbott as Ivanti’s CEO effective January 1, 2025 despite a mid-2024 pledge from Mr. Abbot for improved product security. No public statement was made linking the succession to the Utah company’s security challenges, however it happened with only a few weeks’ notice. Executives have not been called to testify before US congress as many other cybersecurity leaders have following high-risk incidents including Sudhakar Ramakrishna (CEO of SolarWinds), Brad Smith (President of Microsoft) and George Kurtz (CEO of CrowdStrike).

Echoes from EPMM’s Past: CVE-2023-35078 and CVE-2023-35082

In addition to the vortex of vulnerabilities discussed above, CVE-2023-35078 (CVSS 9.8) and CVE-2023-35082 (CVSS 9.8), disclosed in July and August 2023 respectively, also provided unauthenticated RCE for Ivanti EPMM. Public exploitation kicked off almost immediately after their disclosure in 2023.

CVE-2023-35078 was exploited to breach the Norwegian government, compromising data from twelve ministries [3][4]. CISA issued an urgent advisory (AA23-214A) citing confirmed exploitation by Advanced Persistent Threat (APT) actors and advising all federal agencies to take immediate mitigation steps. Even back in 2023, the speed and breadth of the attacks underscored Ivanti’s growing profile as a repeat offender, enabling espionage and financially motivated cybercrime.

Summary

Ivanti EPMM is susceptible to two new vulnerabilities; CVE-2025-4427 and CVE-2025-4428 can be combined for unauthorized remote code execution. Now under active exploitation, they underscore a troubling pattern of high-severity flaws in Ivanti products. Ivanti has released patches to remediate the flaws and users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.

Greenbone’s vulnerability detection capabilities extend to include tests for CVE-2025-4427 and CVE-2025-4428 allowing Ivanti EPMM users to identify all vulnerable instances and verify security compliance once patches have been applied.

/by
Greenbone AG

Greenbone Detection Stays Strong Despite NIST NVD Outage

Despite the NVD (National Vulnerability Database) outage of the NIST (National Institute of Standards and Technology), Greenbone’s detection engine remains fully operational, offering reliable, vulnerability scanning without relying on missing CVE enrichment data.

Since 1999 The MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) has provided free public vulnerability intelligence by publishing and managing information about software flaws. NIST has diligently enriched these CVE reports since 2005; adding context to enhance their use for cyber risk assessment. In early 2024, the cybersecurity community was caught off guard as the NIST NVD ground to a halt. Now roughly one year later, the outage had not been fully resolved [1][2]. With an increasing number of CVE submissions each year, NIST’s struggles have left a large percentage without context such as a severity score (CVSS), affected product lists (CPE) and weakness classifications (CWE).

Recent policy shifts pushed by the Trump administration have created further uncertainty about the future of vulnerability information sharing and the many security providers that depend upon it. The FY 2025 budget for CISA includes notable reductions in specific areas such as a 49.8 million Dollar decrease in Procurement, Construction and Improvements and a 4.7 million Dollar cut in Research and Development. In response to the funding challenges, CISA has taken actions to reduce spending, including adjustments to contracts and procurement strategies.

​To be clear, there has been no outage of the CVE program yet. On April 16, the CISA issued a last minute directive to extend its contract with MITRE to ensure the operation of the CVE Program for an additional 11 months just hours before the contract was set to expire. However, nobody can predict how future events will unfold. The potential impact to intelligence sharing is alarming, perhaps signaling a new dimension to a “Cold Cyberwar” of sorts.

This article includes a brief overview of how the CVE program operates, and how Greenbone’s detection capabilities remain strong throughout the NIST NVD outage.

An Overview of the CVE Program Operations

The MITRE Corporation is a non-profit tasked with supporting US homeland security on multiple fronts including defensive research to protect critical infrastructure and cybersecurity. MITRE operates the CVE program, acting as the Primary CNA (CVE Numbering Authority) and maintaining the central infrastructure for CVE ID assignment, record publication, communication workflows among all CNAs and ADPs (Authorized Data Publishers) and program governance. MITRE provides CVE data to the public through its CVE.org website and the cvelistV5 GitHub repository, which contains all CVE Records in structured JSON format. The result has been highly efficient, standardized vulnerability reporting and seamless data sharing across the cybersecurity ecosystem.

After a vulnerability description is submitted to MITRE by a CNA, NIST has historically added:

  • CVSS (Common Vulnerability Scoring System): A severity score and detailed vector string that includes the risk context for Attack Complexity (AC), Impact to Confidentiality (C), Integrity (I), and Availability (A), as well as other factors.
  • CPE (Common Platform Enumeration): A specially formatted string that acts to identify affected products by relaying the product name, vendor, versions, and other architectural specifications.
  • CWE (Common Weakness Enumeration): A root-cause classification according to the type of software flaw involved.

CVSS allows organizations to more easily determine the degree of risk posed by a particular vulnerability and strategically conduct remediation accordingly. Also, because initial CVE reports only require a non-standardized affected product declaration, NIST’s addition of CPE allows vulnerability management platforms to conduct CPE matching as a fast, although somewhat unreliable way to determine whether a CVE exists within an organization’s infrastructure or not.

For a more detailed perspective on how the vulnerability disclosure process works and how CSAF 2.0 offers a decentralized alternative to MITRE’s CVE program, check out our article: How CSAF 2.0 Advances Automated Vulnerability Management. Next, let’s take a closer look at the NIST NVD outage and understand what makes Greenbone’s detection capabilities resilient against the NIST NVD outage.

The NIST NVD Outage: What Happened?

Starting on February 12, 2024, the NVD drastically reduced its enrichment of Common Vulnerabilities and Exposures (CVEs) with critical metadata such as CVSS, CPE and CWE product identifiers. The issue was first identified by Anchore’s VP of Security. As of May 2024, roughly 93% of CVEs added after February 12 were unenriched. By September 2024, NIST had failed to meet its self-imposed deadline; 72.4% of CVEs and 46.7% of new additions to CISA’s Known Exploited Vulnerabilities (KEVs) were still unenriched [3].

The slowdown in NVD’s enrichment process had significant repercussions for the cybersecurity community not only because enriched data is critical for defenders to effectively prioritize security threats, but also because some vulnerability scanners depend on this enriched data to implement their detection techniques.

As a cybersecurity defender, it’s worthwhile asking: was Greenbone affected by the NIST NVD outage? The short answer is no. Read on to find out why Greenbone’s detection capabilities are resilient against the NIST NVD outage.

Greenbone Detection Strong Despite the NVD Outage

Without enriched CVE data, some vulnerability management solutions become ineffective because they rely on CPE matching to determine if a vulnerability exists within an organization’s infrastructure.  However, Greenbone is resilient against the NIST NVD outage because our products do not depend on CPE matching. Greenbone’s OPENVAS vulnerability tests can be built from un-enriched CVE description. In fact, Greenbone can and does include detection for known vulnerabilities and misconfigurations that don’t even have CVEs such as CIS compliance benchmarks [4][5].

To build Vulnerability Tests (VT) Greenbone employs a dedicated team of software engineers who identify the underlying technical aspects of vulnerabilities. Greenbone does include a CVE Scanner feature capable of traditional CPE matching. However, unlike solutions that rely solely on CPE data from NIST NVD to identify vulnerabilities, Greenbone employs detection techniques that extend far beyond basic CPE matching. Therefore, Greenbone’s vulnerability detection capabilities remain robust even in the face of challenges such as the recent outage of the NIST NVD.

To achieve highly resilient, industry leading vulnerability detection, Greenbone’s OPENVAS Scanner component actively interacts with exposed network services to construct a detailed map of a target network’s attack surface. This includes identifying services that are accessible via network connections, probing them to determine products, and executing individual Vulnerability Tests (VT) for each CVE or non-CVE security flaw to actively verify whether they are present. Greenbone’s Enterprise Vulnerability Feed contains over 180,000 VTs, updated daily, to detect the latest disclosed vulnerabilities, ensuring rapid detection of the newest threats.

In addition to its active scanning capabilities, Greenbone supports agentless data collection via authenticated scans. Gathering detailed information from endpoints, Greenbone evaluates installed software packages against issued CVEs. This method provides precise vulnerability detection without depending on enriched CPE data from the NVD.

Key Takeways:

  • Independence from enriched CVE data: Greenbone’s vulnerability detection does not rely on enriched CVE data provided by NIST’s NVD, ensuring uninterrupted performance during outages. A basic description of a vulnerability allows Greenbone’s vulnerability test engineers to develop a detection module.
  • Detection beyond CPE matching: While Greenbone includes a CVE Scanner feature for CPE matching, its detection capabilities extend far beyond this basic approach, utilizing several methods that actively interact with scan targets.
  • Attack surface mapping: The OPENVAS Scanner actively interacts with exposed services to map network attack surface, identifying all network reachable services. Greenbone also performs authenticated scans to gather data directly from endpoint internals. This information is processed to identify vulnerable packages. Enriched CVE data such as CPE is not required.
  • Resilience to NVD enrichment outages: Greenbone’s detection methods remain effective even without NVD enrichment, leveraging CVE descriptions provided by CNAs to create accurate active checks and version-based vulnerability assessments.

Greenbone’s Approach is Practical, Effective and Resilient

Greenbone exemplifies the gold standard of practicality, effectiveness and resilience, achieving a benchmark that IT security teams should be striving to achieve. By leveraging active network mapping, authenticated scans and actively interacting with target infrastructure, Greenbone ensures reliable, resilient detection capabilities in diverse environments.

This higher standard enables organizations to confidently address vulnerabilities, even in complex and dynamic threat landscapes. Even in the absence of NVD enrichment, Greenbone’s detection methods remain effective. With only a general description Greenbone’s VT engineers can develop accurate active checks and product version-based vulnerability assessments.

Through a fundamentally resilient approach to vulnerability detection, Greenbone ensures reliable vulnerability management, setting itself apart in the cybersecurity landscape.

NVD / NIST / MITRE Alternatives

The MITRE issue is a wake-up call for digital sovereignty, and the EU has already (and fast) reacted. A long-awaited alternative, the EuVD by the ENISA, the European Union Agency for Cybersecurity, is there, and will be covered in one of our upcoming blog posts.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Dennis-Kenji Kipker about the future of NIS2 in Germany and Europe

With the new elections, the implementation of NIS2 in Germany appears to have been halted for the time being. While other European countries are already ready, German companies will have to wait several more months until legal certainty is established. Everything has actually been said, templates have been drawn up, but the change of government means a new start is necessary.

We spoke to one of the leading experts on NIS2: Dennis-Kenji Kipker is Scientific Director of the cyberintelligence.institute in Frankfurt/Main, professor at the Riga Graduate School of Law and regularly consults as an expert at the German Federal Office for Information Security (BSI) and many other public and scientific institutions.

Why did the German government reject the final NIS2 draft?

Portrait of Prof. Dr. Dennis-Kenji Kipker, expert in IT law and cyber security, in an interview on the implementation of the NIS2 Directive

Prof. Dr. Dennis-Kenji Kipker

Kipker: This is due to the so-called discontinuity principle. Just like with the old government, all unfinished projects must be archived. “Due to the early elections, the parliamentary procedure for the NIS2UmsuCG could not be completed” is the official term. In line with the principle of discontinuity, when a newly elected Bundestag is constituted, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated. This means that the work already done on NIS2 will fall by the wayside. But you can of course build on this and reintroduce almost the same text.

Will that happen?

Kipker: There is an internal 100-day plan from the Federal Ministry of the Interior for the period after the election. According to rumors, cybersecurity is a very high priority in the plan, and NIS2 in particular is now to be implemented very quickly. If this can be implemented before fall/winter 2025 (the actual current schedule), Germany will at least avoid the embarrassment of bringing up the rear in Europe.

Is that realistic?

Kipker: You would have to recycle a lot, i.e. take over things from the last legislative period despite the principle of discontinuity. Now, it seems that the current Ministry of the Interior wants to do just that. Only the politicians and officials directly involved know whether this is realistic. However, 100 days seems very ambitious to me in the Berlin political scene, even if everyone involved pulls together. There would need to be a budget, the current NIS2UmsuCG draft would need to be revised and addressed but also finalized, and the German scope of application of the law would need to be clarified and aligned with EU law. Furthermore, at the end of 2024 and the beginning of 2025, attempts were still being made to push through many things in the Bundestag after the expert hearing on NIS2, some of which are rather questionable. In any case, this would have to be renegotiated politically and evaluated technically.

When do you think this will happen?

Kipker: It’s hard to say, but even if you break the 100-day deadline, it should be feasible to complete a national NIS2 implementation before the winter of 2025/2026. But that’s just a very preliminary assumption that I keep hearing from “usually well-informed circles”. One way or another, we will be at the bottom of the league when it comes to Europe-wide implementation, and all the current ambitions won’t change that.

And what is the situation like in other European countries?

Kipker: A lot is happening right now. It has been recognized, for example, that the different national implementations of NIS2 lead to frictional losses and additional costs for the affected companies – that’s not really surprising. A few weeks ago, the European Union Agency For Cybersecurity (ENISA) published a report that is well worth reading, which explains and evaluates the maturity and criticality of relevant NIS2 sectors in a European comparison. “NIS360 is intended to support Member States and national authorities in identifying gaps and prioritizing resources”, writes the EU cybersecurity authority. And we at cyberintelligence.institute have produced a comprehensive study on behalf of the Swiss company Asea Brown Boveri, which also takes a closer look at the EU-wide implementation of the NIS2 directive.

What key insight did you gain there?

Kipker: The Comparison Report is primarily aimed at transnationally operating companies that are looking for a first point of contact for cybersecurity compliance. Above all, there is a lack of central administrative responsibilities in the sense of a “one-stop store”, and the diverging implementation deadlines are causing problems for companies. As of the end of January, only nine EU states had transposed NIS2 into national law, while the legislative process had not yet been completed in 18 other states. Another key insight: Just because I am NIS2-compliant in one EU member state does not necessarily mean that this also applies to another member state.

So, Germany may not be a pioneer, but it is not lagging behind either?

Kipker: We are definitely not at the forefront, but if we manage to implement it nationally this year, we may not be the last, but we will be among the last. My guess in this respect now is that we won’t have really reliable results until the fourth quarter of 2025. So, it’s going to be close to avoid being left in the red after all. Politicians will have to decide whether this can meet our requirements in terms of cyber security and digital resilience.

Where can affected companies find out about the current status?

Kipker: There are ongoing events and opportunities for participation. On March 18, for example, there will be a BSI information event (in German language) where you can ask about the plans. Then, in May 2025, there will also be the NIS-2 Congress right next door to us in Frankfurt, for which the “most recognized NIS-2 Community Leader” has just been selected. There will certainly be one or two interesting tidbits of information to pick up here. Otherwise, feel free to contact me at any time if you have any questions about NIS2!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

The “Perfect Storm” for Zyxel: EOL Routers and Ransomware Attacks

Every product has a due date, but customers often have little warning and no recourse when a vendor decides to sunset a product. Once a vendor designates a product as end-of-life (EOL) or end-of-service (EOS), managing associated risks becomes more complex. Risk is magnified when cyber criminals find and exploit vulnerabilities that will never be patched. If an EOL product becomes vulnerable in the future, its users need to implement additional security controls on their own.

Digital illustration of storm clouds and a trash bin with a router symbol, representing end-of-life IT products and increasing ransomware risks.

If the vendor is found to be still selling these vulnerable EOL products, it may be considered the “perfect storm” or the maximum disaster. In this article we will investigate several security alerts for Zyxel products including some designated EOL and another flaw exploited in ransomware attacks.

An Overview of Recent Vulnerabilities in Zyxel Products

CVE-2024-40891 (CVSS 8.8), a high severity Remote Code Execution (RCE) flaw in Zyxel’s telnet implementation has been known since mid-2024. Yet, almost six months later, Zyxel has not issued a patch, claiming the affected products are EOS and EOL. Early in 2025, Greynoise observed active exploitation of CVE-2024-40891 against vulnerable Zyxel CPE networking devices. That CVE (Common Vulnerabilities and Exposures) and another RCE flaw, CVE-2024-40890 (CVSS 8.8), were both added to CISA’s Known Exploited Vulnerabilities (KEV) list by mid-February. While both CVEs (Cybersecurity and Infrastructure Security Agency) were post-authentication RCE flaws, a third security gap, CVE-2025-0890 (CVSS 9.8), published on February 4th, provided the final piece to the puzzle: extremely weak default credentials for remotely accessible services – that is, on top of the already unencrypted Telnet authentication process.

Researchers at VulnCheck who originally discovered the flaws also pointed out that the vendor continues to sell the faulty devices despite being aware of active exploitation and having no intention to issue patches. As of February 25th, 2025, some of the affected products were still being sold from Zyxel’s official Amazon store [1][2]. On top of these, another vulnerability in Zyxel products, CVE-2024-11667, is being actively exploited in ransomware attacks by the Helldown threat actor.

In the telecom technologies sector, Zyxel holds an estimated market share of 4.19%, serving around 2,277 companies including the world’s biggest tech giants. Zyxel Group, headquartered in Hsinchu Science Park, Taiwan, is a prominent provider of networking solutions for both businesses and home users, operating globally in over 150 countries.

A Timeline of Events

  • 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in CPE series products.
  • 2024-07-31: VulnCheck published information about CVE-2024-40890 and CVE-2024-40891 on their blog.
  • 2025-01-28: Active exploitation of CVE-2024-40891 was reported by GreyNoise.
  • 2025-02-03: VulnCheck released further information highlighting the risk presented by Zyxel’s position and providing evidence that vulnerable devices were still being sold online by the vendor.
  • 2025-02-04: Zyxel released a security advisory labelling affected products as EOL and stating they will not receive updates.

Technical Descriptions of Recent Zyxel Vulnerabilities

Aside from Zyxel’s slow response to security researchers and their decision to continue selling EOL products with exploitable vulnerabilities, there are additional lessons to learn from a technical assessment of the flaws themselves. Namely, how product vendors continue to market products with unforgivable security flaws while skirting accountability.                                                                                

  • CVE-2024-40891 (CVSS 8.8 High): Authenticated users can exploit Telnet command injection due to improper input validation in `libcms_cli.so`. Commands are passed unchecked to a shell execution function, allowing arbitrary RCE. Aside from checking that the command string starts with an approved command, the `prctl_runCommandInShellWithTimeout` function has no filtering, allowing command chaining and arbitrary command injection.
  • CVE-2024-40890 (CVSS 8.8 High): A post-authentication command injection vulnerability in the CGI program of the legacy DSL Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
  • CVE-2025-0890 (CVSS 9.8 Critical): Devices use weak default credentials such as usernames and passwords admin:1234, zyuser:1234, and supervisor:zyad1234. None of these accounts are visible via the web interface but can be found in the device’s `/etc/default.cfg` These default credentials are now well-known by attackers. The “supervisor” and “zyuser” accounts can both access devices remotely via Telnet. “supervisor” has hidden privileges, granting full system access, while “zyuser” can still exploit CVE-2024-40891 for RCE. Use of such default credentials violate CISA’s Secure by Design pledge and the EU’s upcoming Cyber Resilience Act (CRA).

The affected products include Zyxel VMG1312-B Series (VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A) and two Zyxel Business Gateway Series routers (SBG3300, and SBG3500). The Zyxel CPE (Customer Premises Equipment) series devices are designed for home and small business internet connectivity, such as DSL, fiber and wireless gateways. As such, they are typically installed at a customer’s location to connect them to an Internet  Service Provider’s (ISP) network and are therefore not easily protected from the Internet by firewalls. Considering the nature of Zyxel CPE devices and the vulnerabilities in question, it would not be surprising if tens of thousands or more Zyxel devices were participating in malicious botnet activity.

Greenbone is able to detect EOL Zyxel devices that are vulnerable to the aforementioned CVEs.

CVE-2024-11667: Zyxel Firewalls Exploited in Ransomware Attacks

CVE-2024-11667 (CVSS 9.8 Critical), published in late December 2024, is a path traversal flaw [CWE-22] in the web-management console of Zyxel ATP and USG FLEX firewall series. The vulnerability is known to be exploited by the Helldown threat actor in ransomware attacks and the subject of several national cybersecurity advisories [1][2].

The Helldown ransomware group emerged in August 2024 as a notable threat actor in the cybersecurity landscape. This group employs a double extortion strategy, wherein they exfiltrate sensitive data from targeted organizations and subsequently deploy ransomware to encrypt the victims’ systems. If the ransom demands are not met, Helldown threatens to publicly release the stolen data on their data leak site. In addition to exploiting these Zyxel flaws, Helldown is known to exploit Windows OS vulnerabilities, VMware ESX,  and Linux environments, often using compromised VPN credentials to move laterally within networks.

Zyxel has released an advisory acknowledging the ransomware attacks and patches for affected products. Greenbone is able to detect Zyxel products affected by CVE-2024-11667 with three separate product specific version detection tests [1][2][3].

Summary

The situation with Zyxel seems to be a perfect storm leading to an important question: What recourse do customers have when a vendor fails to patch a security gap in their product? Zyxel’s EOL networking devices remain actively exploited, with vulnerabilities that can be combined for unauthorized arbitrary RCE and other unauthorized actions. CVE-2024-40891, CVE-2024-40890, and CVE-2025-0890 are now in CISA’s KEV list, while CVE-2024-11667 has been linked to ransomware attacks. The researchers from VulnCheck, who discovered several of these CVEs, have criticized Zyxel for poor communication and further for selling unpatched EOL devices. Greenbone detects affected products enabling a proactive approach to vulnerability management and the opportunity for users to mitigate exposure.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Exciting New Features Arrive for Greenbone Enterprise Appliances

We’re excited to announce the release of several feature updates to our Greenbone Operating System (GOS), the software stack behind our physical and virtual Enterprise Appliances. The updates introduce new front-end features to enhance enterprise vulnerability management capabilities, and performance enhancing back-end features. The newest updates to the Greenbone Operating System (GOS), version 24.10, reflect Greenbone’s commitment to empowering fundamental cybersecurity best practices and enabling organizations to prioritize and close security gaps faster than ever before.

In this post, we’ll delve into the latest features and improvements that make our line of Enterprise Appliances even more powerful tools for exposure management and cybersecurity compliance.

GOS 24.10 Brings All New Features

The Greenbone Security Assistant (GSA) is the IT administrator’s doorway into security visibility. From a high-level vantage, the GSA web-interface has a totally new look. The updated version features a modern minimalist look and feel, emphasizing utility and usability, while keeping Greenbone’s capabilities within reach. But the new look is just scratching the surface. Let’s review some deeper changes on the horizon.

The New Compliance Audit Report View

Cybersecurity compliance is increasingly important. New regulations across the EU such as the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA) require organizations to take more proactive actions to protect digital infrastructure. Other forces such as cybersecurity insurance, the need for stronger third party oversight and accountability to customers are impacting how companies oversee their cybersecurity operations.

The GOS 24.10 update includes a brand new compliance-focused view designed to enhance insight into regulatory and policy alignment. The updated user-interface allows greater visibility into cybersecurity risks, supporting alignment with IT governance goals. It hosts compliance audit reports, new dashboard displays and filtering options. This helps keep compliance-focused data distinct from regular scan reports. Delta audit reports also highlight compliance progress with visual indicators and tooltips for easy identification.

EPSS Support Adds AI-Based Prioritization

As the number of new CVEs (Common Vulnerabilities and Exposures) continues to increase, prioritizing vulnerabilities to focus on the most high-impact threats is critical. The Exploit Prediction Scoring System (EPSS) is an AI-driven metric that estimates the likelihood of a CVE being exploited in the wild. EPSS applies machine learning (ML) to historical data to predict which new CVEs are at highest risk of active attack.

EPSS data is now integrated into our Enterprise Appliances. Regularly updated exploitation probabilities for every active CVE are not available in the Greenbone platform. Administrators can leverage up-to-date exploit probability scores and percentiles in addition to the traditional CVSS severity, empowering them to focus on the most critical pressive vulnerabilities in their operations.

More Adaptable CSV and JSON Report Exporting Capabilities

Greenbone’s approach has always centered on simplicity and flexibility. As such, the solutions fit a wide spectrum of unique operational needs. GOS 24.10 introduces JSON formatted report exporting. Users can also now customize the fields in exported CSV and JSON reports. This allows reports to be customized directly from Greenbone to more precisely match report requirements and focus on what’s essential for analysis, compliance or decision-making.

Additional Backend Optimizations

To enhance the flexibility and accuracy of vulnerability matching, Greenbone has introduced several backend optimizations focused on CPE (Common Platform Enumeration) handling and feed management. Here is a look at what’s new:

  • The backend can convert CPEv2.3 strings to CPEv2.2 URIs, storing both versions for more reliable affected product matching. Future development may include advanced, on-the-fly matching, bringing even more precision to vulnerability assessments.
  • Greenbone Enterprise Appliances now support JSON-based CVE, CPE, EPSS, and CERT feeds and gzip data compression.

Summary

With the release of a new round of updates, Greenbone is strengthening the flagship Greenbone Enterprise Appliances. The updates introduce a modernized GSA web-interface, a compliance-focused audit report view for improved visibility, and enhanced CSV and JSON exporting capabilities give users control over report data. We’ve also added AI-based EPSS to the available options for vulnerability risk prioritization. Finally, backend optimizations ensure seamless compatibility with new CPE formats and JSON-based feeds. Together, these features add to Greenbone’s adaptable vulnerability management capabilities allowing organizations to stay ahead of emerging threats with industry leading vulnerability detection and prioritization.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

#GreenboneGoesGlobal: Strong Presence at ITASEC 2025 in Bologna

ITASEC, Italy’s most important conference for cyber security, takes place in Bologna from February 3 to 8, 2025. As a platinum sponsor, Greenbone is sending a strong signal for European cooperation and digital security. This step demonstrates our commitment to a global presence and direct customer interaction.

Street scene in the old town of Bologna with a view of the medieval 'Due Torri' towers, venue of the IT security conference ITASEC 2025

The “Due Torri”, two medieval towers, shape the image of the historic old town of Bologna. (Photo: Markus Feilner, CC-BY 2016)

 

New Perspectives in Italy and Worldwide

“At Greenbone, we are increasingly realizing how important our vulnerability management is for customers throughout Europe and how important it is for these customers to be able to communicate with us directly on site,” explains Chief Marketing Officer Elmar Geese. To meet this demand, Greenbone has established the Italian subsidiary OpenVAS S.R.L. At the same time, Greenbone is expanding into other regions. A new subsidiary in the Netherlands and an increased engagement in the Asian market are on the agenda.

We will not only be present at ITASEC with a booth, but will also contribute to the content: Dirk Boeing, Senior Consultant and cybersecurity expert at Greenbone, will speak on February 6th at 11:00 a.m. on the panel “Security Management in the NIS2 Era”.

Visit Us in Bologna!

The annual ITASEC takes place on the campus of the “Alma Mater Studiorum Università di Bologna”, the oldest university in Europe, which has been writing science history since 1088 – an ideal place for a conference dedicated to security in the digital future. The fair is organized by the CINI Cybersecurity National Lab, with a special focus in 2025 on the topic of security and rights in cyberspace. This is also reflected in the cooperation with the SERICS conference (Security and Rights in the Cyber Space), which is supported by the SERICS foundation as part of the almost 200 billion euro Italian „National Recovery and Resilience Plan“ (NRRP).

ITASEC at the University of Bologna offers an excellent opportunity to experience Greenbone live and learn more about our solutions. And this is just the beginning: in 2025 we will be in Italy, for example, at CyberSec Italia in Rome on March 5 and 6. And from March 18 to 19, Greenbone will be at the „Digitaler Staat“ congress in Berlin, and from March 19 at secIT in Hanover. We look forward to your visit!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Patch Now! Cleo Products Actively Exploited in Ransomware Attacks

An actively exploited RCE (Remote Code Execution) with system privileges vulnerability that does not require user-interaction is as bad as it gets from a technical standpoint. When that CVE impacts software widely used by Fortune 500 companies, it is a ticking time bomb. And when advanced persistent threat actors jump on a software vulnerability such as this, remediation needs to become an emergency response effort. Most recently, CVE-2024-50623 (also now tracked as CVE-2024-55956) affecting more than 4,200 users of Cleo’s MFT (Managed File Transfer) software met all these prerequisites for disaster. It has been implicated in active ransomware campaigns affecting several Fortune 500 companies taking center stage in cybersecurity news.

In this cybersecurity alert, we provide a timeline of events related to CVE-2024-50623 and CVE-2024-55956 and associated ransomware campaigns. Even if you are not using an affected product, this will give you valuable insight into the vulnerability lifecycle and the risks of third-party software supply chains. 

CVE-2024-50623 and CVE-2024-55956: a Timeline of Events

The vulnerability lifecycle is complex. You can review our previous article about next-gen vulnerability management for an in depth explanation on how this process happens. In this report, we will provide a timeline for the disclosure and resolution of CVE-2024-50623 and subsequently CVE-2024-55956 as a failed patch attempt from the software vendor Cleo was uncovered and exploited by ransomware operators. Our Greenbone Enterprise Feed includes detection modules for both CVEs [1][2], allowing organizations to identify vulnerable systems and apply emergency remediation. Here is a timeline of events so far:

  • October 28, 2024: CVE-2024-50623 (CVSS 10 Critical) affecting several Cleo MFT products was published by the vendor and a patched version 5.8.0.21 was
  • November 2024: CVE-2024-50623 was exploited for data exfiltration impacting at least 10 organizations globally including Blue Yonder, a supply chain management service used by Fortune 500 companies.
  • December 3, 2024: Security researchers at Huntress identified active exploitation of CVE-2024-50623 capable of bypassing the original patch (version 5.8.0.21).
  • December 8, 2024: Huntress observed a significant uptick in the rate of exploitation. This could be explained by the exploit code being sold in a Malware as a Service cyber crime business model or simply that the attackers had finished reconnaissance and launched a widespread campaign for maximum impact.
  • December 9, 2024: Active exploitation and proof-of-concept (PoC) exploit code was reported to the software vendor Cleo.
  • December 10, 2024: Cleo released a statement acknowledging the exploitability of their products despite security patches and issued additional mitigation guidance.
  • December 11, 2024: Wachtowr Labs released a detailed technical report describing how CVE-2024-50623 allows RCE via Arbitrary File Write [CWE-434]. Cleo updated their mitigation guidance and released a subsequent patch (version 5.8.0.24).
  • December 13, 2024: A new name, CVE-2024-55956 (CVSS 10 Critical), was issued for tracking this ongoing vulnerability, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagged for use in ransomware attacks.

Cleo Products Leveraged in Ransomware Attacks

The risk to global business posed by CVE-2024-50623 and CVE-2024-55956 is high. These two CVEs potentially impact more than 4,200 customers of Cleo LexiCom, a desktop-based client for communication with major trading networks, Cleo VLTrader, a server-level solution tailored for mid-enterprise organizations, and Cleo Harmony for large enterprises.

The CVEs have been used as initial access vectors in a recent ransomware campaign. The Termite ransomware operation [1][2] has been implicated in the exploitation of Blue Yonder, a Panasonic subsidiary in November 2024. Blue Yonder is a supply chain management platform used by large tech companies including Microsoft, Lenovo, and Western Digital, and roughly 3,000 other global enterprises across many industries; Bayer, DHL, and 7-Eleven to name a few. Downtime of Blue Yonder’s hosted service caused payroll disruptions for StarBucks. The Clop ransomware group has also claimed responsibility for recent successful ransomware attacks.

In the second stage of some breaches, attackers conducted Active Directory domain enumeration [DS0026], installed web-shells [T1505.003] for persistence [TA0003], and attempted to exfiltrate data [TA0010] from the victim’s network after gaining initial access via RCE. An in-depth technical description of the Termite ransomware’s architecture is also available.

Mitigating CVE-2024-50623 and CVE-2024-55956

Instances of Cleo products version 5.8.0.21 are still vulnerable to cyber attacks. The most recent patch, version 5.8.0.24 is required to mitigate exploitation. All users are urged to apply updates with urgency. Additional mitigation and best practices include disabling the autorun functionality in Cleo products, removing access from the Internet or using firewall rules to restrict access to only authorized IP addresses, and blocking the IP addresses of endpoints implicated in the attacks.

Summary

Cleo Harmony, VLTrader, and LexiCom prior to version 5.8.0.24 are under active exploitation due to critical RCE vulnerabilities (CVE-2024-50623 and CVE-2024-55956). These flaws have been the entry point for successful ransomware attacks against at least 10 organizations and impacting Fortune 500 companies. Greenbone provides detection for affected products and affected users are urged to apply patches and implement mitigation strategies, as attackers will certainly continue to leverage these exploits.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by