Tag Archive for: it security

Greenbone AG

Greenbone Audits for Compliance with the CIS Windows 11 Enterprise Benchmark”

Microsoft Windows remains the most widely used desktop operating system in enterprise environments – and also one of the most targeted by threat actors. Insecure configurations are a leading source of security breaches [1][2][3], often exploited to gain initial access [TA0001], escalate privileges [TA0004], steal credentials [TA0006], establish persistent access [TA0003], and move laterally within a network [TA0008]. Many national cybersecurity agencies continue to advocate strongly for organizations to enact policies to strengthen operating system (OS) baseline configurations [4][5][6][7][8].

Securing Windows 11 systems requires more than just patching known vulnerabilities. IT operations should start by deploying security hardened baseline images of Windows and periodically verify their configuration. This means adjusting many hidden or often overlooked settings of Microsoft Windows while disabling some features altogether. Hardened security controls include enforcing strong password and account lockout policies, disabling unnecessary system services like Remote Registry, applying application control rules via AppLocker, configuring advanced audit policies to monitor system activity and more.

Aligning with these enterprise IT cybersecurity goals, Greenbone is proud to announce the addition of CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0 Level 1 (L1) auditing to our compliance capabilities. This latest enhancement allows our Enterprise feed customers to verify their Windows 11 configurations against the CIS compliance standard and adds to Greenbone’s growing arsenal of CIS compliance policies including Google Chrome, Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows, Linux and Docker [1][2]. Read on to find out more about Greenbone’s latest IT security detection capabilities.

Greenbone Adds CIS Microsoft Windows 11 Enterprise Benchmark

The CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0 L1 is now available in the Greenbone Enterprise Feed. This benchmark defines a comprehensive set of security configurations – from Group Policy and registry hardening to built-in feature restrictions – designed to lock down Windows 11 Enterprise in line with industry best practices. With this new addition, Greenbone makes it easier to identify Microsoft Windows misconfigurations before attackers can exploit them.

Our Enterprise vulnerability feed leverages compliance policies to execute tests to verify each automatable CIS L1 requirement. These tests are grouped into scan configurations, allowing security teams to launch targeted assessments across their Windows 11 fleet. Whether aligning with internal security mandates or regulatory frameworks, Greenbone’s audit will confirm your Windows 11 Enterprise settings, ensuring that systems are locked down and that deprecated or risky features are disabled.

Windows Security Is Paramount

Microsoft Windows plays a prominent role in enterprise IT environments, serving as the backbone for endpoints, servers and domain infrastructure. But this ubiquity also makes it a prime target. Insecure Windows configurations can open the door to Remote Code Execution (RCE), credential theft and privilege escalation. A serious cyber breach can result in full domain compromise, ransomware attacks, loss of customer confidence, regulatory fines and even high cost legal action such as class action lawsuits when user data is leaked.

In recent years, national cybersecurity agencies – including Germany’s BSI [9], the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [10] and the Canadian Centre for Cyber Security [11] among others [12][13] – have issued alerts emphasizing the need to harden OS security configurations and disable legacy features that attackers routinely exploit. The increasing frequency and sophistication of adversarial threat actors further underscores the need for proactive Windows security.

Misconfigurations in Windows can have a cascading impact, compromising both the local system and the wider network. That’s why hardening efforts must go beyond vulnerability patching to include robust configuration management. Greenbone’s new CIS Windows 11 Enterprise compliance policy gives defenders the tools they need to strengthen resilience against many critical IT security weaknesses.

How Does the CIS Windows 11 Benchmark Improve Cybersecurity?

The CIS Microsoft Windows 11 Enterprise Benchmark offers a structured approach to securing Microsoft Windows endpoints. It defines configuration settings that could be used for unauthorized access, privilege abuse and system compromise. The benchmark audits a wide range of policies including account security, system services, network configurations, application controls and administrative templates to reduce attack surface and improve system integrity.

The major sections of the CIS Windows 11 benchmark are:

  • Account Policies: Defines policies for password complexity, history, expiration and account lockout thresholds. These settings help enforce strong authentication hygiene and limit brute-force attacks.
  • Local Policies: Focuses on enforcing a wide array of local access controls and system behavior. It covers audit settings, user rights assignments (like who can log in locally or shut down the system) and security options (like guest account status, access tokens, network access, device drivers, firmware options and cryptography requirements) and more.
  • System Services: Reduces attack surface by limiting active system components. Recommends disabling or configuring Windows services that may be unnecessary or expose the system to risk (e.g., Remote Registry, FTP, Bluetooth, OpenSSH, Geolocation service and more).
  • Windows Defender Firewall with Advanced Security: Covers firewall configurations for domain, private and public profiles. Includes rules for logging, connection restrictions and blocking unsolicited inbound traffic to enforce network segmentation and traffic control.
  • Advanced Audit Policy Configuration: Provides granular auditing settings across categories like logon events, object access and policy changes to enhance visibility and compliance.
  • Administrative Templates (Computer): Covers Group Policy settings at the computer level, including UI restrictions, legacy protocol controls, SMB hardening, UAC behavior and device configuration.
  • Administrative Templates (User): Focuses on user-level policies affecting personalization, privacy, desktop behavior, Windows components, telemetry, cloud content, search and Microsoft Store access.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone is committed to adding additional scan configurations to attest CIS Benchmarks. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Greenbone also has a dedicated compliance view for the Greenbone Security Assistant (GSA) web-interface, to streamline the assessment process for organizations.

Summary

Securing Microsoft Windows 11 Enterprise requires more than patching vulnerabilities – it demands a disciplined approach to configuration management based on proven best practices. By hardening hidden system settings and disabling unnecessary features, security teams can prevent exploitation paths commonly used by attackers to deploy ransomware, exfiltrate data or establish persistence.

With added support for the CIS Microsoft Windows 11 Enterprise Benchmark v3.0.0, Greenbone strengthens its position as a leader in proactive cybersecurity, offering enterprises the tools they need to reduce risk, demonstrate compliance and stay resilient in an increasingly hostile digital landscape. Enterprise Feed subscribers can now audit and verify their Windows 11 configurations with precision and confidence

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Reduces the Blast Radius of a Cyber Breach

Cyber attacks, like other types of security incidents, range dramatically in scope and impact. When defenders are prepared, an incident may be contained, damage limited, and recovery swift. When caught unprepared, a single incident may result in days or weeks of downtime, lost revenue, tarnished reputation, regulatory penalties or class action settlements [1][2]. In May 2024, Change Healthcare forecasted an expected loss of 1.6 billion Dollar. As of January 2025, the total cost of the Change Healthcare ransomware attack has reached almost 3 billion Dollar [3][4].

The totality of damage caused by an IT security breach, known as the “blast radius”, depends on many factors. These factors include whether vulnerabilities are being managed, if a defense in depth approach to cybersecurity has been applied, network segmentation, effective backup strategies and more. Negligent security hygiene is an open invitation to attackers, resulting in more costly outcomes like extensive data theft, ransomware extortion and even destructive wiper attacks used for industrial sabotage. A recent report found that once inside a network, attackers now deploy ransomware within 48 minutes on average and CVE disclosures are being weaponized into exploits within 18 days.

This article explores the concept of a cyber attack “blast radius” and the role that effective Vulnerability Management plays in containing the fallout from cyber intrusions. With the right controls in place, the damage from a cyber breach can be minimized and worst-case outcomes prevented

What is the “Blast Radius” of a Cyber Breach?

The term “blast radius” is military jargon referring to the physical area damaged by an exploding bomb. In digital systems, the term similarly refers to the extent of damage caused by a cyber attack. How many systems did an attacker compromise? Were they able to subsequently compromise critical systems after initial access? Did they breach adjacent networks or cloud assets?

Far-reaching damage is not a foregone conclusion when hackers gain initial access. Defenders can effectively cut off the attack at an early stage, preventing malicious actors from achieving their ultimate objectives or causing far reaching damage.

The Consequences of a Bigger Blast Radius

While forfeiting unauthorized access to an adversary is bad, it’s the subsequent stages of an attack that keeps IT security managers up at night. The latter stages of a cyber breach such as installing malware on critical assets, exfiltrating sensitive data, or encrypting files have the most profound implications for organizations. As blast radius increases, it is much more likely that an organization will experience a significantly negative impact.

Increased blast radius can result in:

  • Longer “Dwell Time”: Lateral movement and persistence techniques can allow attackers to remain undetected for extended periods, gathering intelligence and preparing subsequent attacks.
  • Increased financial losses: Service disruptions and ransomware attacks contribute to higher financial losses, lost revenue from downtime, risk of regulatory penalties and erode business relationships.
  • Increased operational downtime: The impact of operational downtime can reverberate across an organization causing delays, frustration and desynchronizing operations.
  • Loss of sensitive data: Attackers seek to exfiltrate sensitive data to support espionage campaigns or extort victims into paying ransom.
  • Compromised trust: Unauthorized access to messaging systems or third-party assets can erode trust among stakeholders, including customers, employees and business partners.

Greenbone Reduces the Blast Radius of a Cyber Breach

Vulnerability Management is a powerful factor in reducing the so-called “blast radius”. Effective mitigation of security gaps can leave an adversary with no easily accessible means to extend their initial foothold. Vulnerability management is most efficiently and effectively implemented by automatically scanning for security weaknesses throughout a network infrastructure and remediating the attack surface. In doing so, organizations can greatly reduce the potential blast radius of a successful cyber attack and also reduce probability of being breached in the first place.

Threat Mapping helps IT security teams understand their attack surfaces, the locations where adversaries may be able to enter a network. Greenbone’s core capabilities support Threat Mapping efforts with system and service discovery scans and by scanning both network and host attack surfaces allowing defenders to reduce their attack surface by 99%. Furthermore, Greenbone provides real-time reporting and alerts to keep security teams informed of emerging threats, enabling a proactive cybersecurity posture and timely remediation. This proactive, layered approach to cybersecurity reduces the potential blast radius and results in better security outcomes. Defenders are afforded more time to detect an attacker’s presence and eliminate it before catastrophic damage can be done.

The Strongest Defenses with Greenbone Enterprise Feed

The strongest defenses come from Greenbone’s industry leading Enterprise Vulnerability Feed. In total, the Greenbone Enterprise Feed has approximately 180,000 vulnerability tests and counting which can detect both general security compliance weaknesses and application specific vulnerabilities. Our Enterprise Feed adds hundreds of new tests each week to detect the newest emerging threats.

Here is a list of IT assets that Greenbone is designed to scan:

  • Internal network infrastructure: Scanning internal network devices with any type of exposed service, such as databases, file shares, SNMP enabled devices, firewalls, routers, VPN gateways and more.
  • On-premises and cloud servers: Attesting server configurations to ensure compliance with security policies and standards.
  • Workstations: Greenbone scans workstations and other endpoints across all major operating system (Windows, Linux, and macOS) to identify the presence of known software vulnerabilities attesting compliance with cybersecurity standards like CIS Benchmark
  • IoT and peripheral devices: IoT and peripheral devices, such as printers, use the same network protocols for communication as other network services. This allows them to be easily scanned for device and application specific vulnerabilities and common misconfigurations similarly to other network endpoints.

Reducing Network Attack Surface

Network attack surface consists of exposed network services, APIs and websites within an organization’s internal network environment and public facing infrastructure. To scan network attack surfaces, Greenbone builds an inventory of endpoints and listening services within target IP range(s) or a list of hostnames, then scans for known vulnerabilities.

Greenbone’s network vulnerability tests (NVTs) consist of version checks and active checks. Version checks query the service for a version string and then compare it for matching CVEs. Active checks use network protocols to interact with the exposed service to verify whether known exploit techniques are effective. These active checks use the same network communication techniques as real world cyber attacks, but do not seek to exploit the vulnerability. Instead, they simply notify the security team that a particular attack is possible. Anything an attacker can reach via the internet or local network, Greenbone can scan for vulnerabilities.

Reducing Host Attack Surface

Host attack surface is the software and configurations within individual systems that cannot be accessed directly via the network. Reducing the host attack surface minimizes what an attacker can do with initial access. Greenbone’s authenticated scans conduct Local Security Checks (LSC) to assess a system’s internal components for known weaknesses and non-compliant configurations that could allow attackers to escalate their privilege level, access sensitive information, install additional malware or move laterally to other systems.

Greenbone’s Enterprise Feed includes families of LSC for each major operating system including Ubuntu, Debian, Fedora, Red Hat, Huawei, SuSE Linux distributions, Microsoft Windows, macOS and many more.

Post-Breach Tactics: the Second Stage of Cyber Intrusions

Once attackers gain a foothold within a victim’s network, they engage in secondary exploitation techniques to deepen their access and achieve their objectives. In the modern cybercrime ecosystem, Initial Access Brokers (IABs) specialize in gaining unauthorized access. IABs then sell this access to other cybercriminal groups that specialize in second-stage attack tactics such as deploying ransomware or data theft. Similar to breaching the walls of a fortress, after initial access, an organization’s internal network becomes more accessible to attackers.

Some tactics used during the second stage of cyber attack include:

  • Privilege escalation [TA0004]: Attackers seek ways to elevate their access rights, allowing them access to more sensitive data or to execute administrative actions.
  • Lateral movement [TA0008]: Attackers compromise other systems within the victim’s network, extending their access to high-value resources.
  • Persistent remote access [TA0028]: Creating new accounts, deploying backdoors or using compromised credentials, attackers seek to maintain their access even if the initial vulnerability is remediated or their presence is detected.
  • Credential theft [TA0006]: Stolen sensitive data can be processed offline by attackers attempting to crack passwords, break into protected resources or plan social engineering attacks.
  • Accessing messaging systems [T1636]: Accessing organizational messaging platforms or collaboration tools gives access to sensitive information which can be used to conduct social engineering attacks such as spear phishing, even targeting external partners or customers.
  • Encryption for impact [T1486]: Identifying critical assets, financially motivated adversaries seek to maximize impact by deploying ransomware and extorting the victim to return access to the encrypted data.
  • Data exfiltration [TA0010]: Downloading a victim’s sensitive data can be used for espionage and also gives attackers leverage to extort victims into paying to not release it publicly.
  • Denial of Service attacks [T0814]: Service disruption can be used for further extortion or as a distraction to execute other attacks within the victim’s network.

Summary

Blast radius refers to the scope of damage that an adversary imposes during a cyber attack. As attacks progress, adversaries seek to penetrate deeper, gaining access to more sensitive systems and data. Lack of cyber hygiene gives attackers free reign to steal data, deploy ransomware and cause service disruptions and complicates detection and recovery. Minimizing attack surface is crucial for reducing the potential impact of a cyber breach and helps ensure a better security outcome.

Greenbone’s core contribution to cybersecurity is to increase security visibility in real-time, alerting defenders to vulnerabilities and giving them the opportunity to close security gaps, preventing hackers from exploiting them. This includes both network attack surface: public-facing assets, internal network infrastructure, cloud assets and host attack surface: internal software applications, packages and common misconfigurations.

By delivering industry-leading vulnerability detection, Greenbone empowers real-time threat visibility, empowering defenders to proactively ensure that adversaries are decisively neutralized.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Availability of CVE Vulnerability Data in Greenbone Products

Greenbone AG has been consistently committed to an independent and resilient supply chain for the provision of vulnerability data for many years. Against the background of current discussions on the financing and sustainability of the CVE programme of the US organisation MITRE, we would like to inform you about our measures to ensure the continuous provision of important information about vulnerabilities in IT systems.

Since 1999, the CVE system has formed the central basis for the clear identification and classification of security vulnerabilities in IT. Funding for the central CVE database is currently secured by the US government until April 2026. Against this background, Greenbone took structural measures at an early stage to become less dependent on individual data sources.

With our OPENVAS brand, Greenbone is one of the world’s leading open source providers in the IT security ecosystem. We make an active contribution to the development of sustainable, decentralised infrastructures for the provision of vulnerability information – and are already focusing on future-proof concepts that effectively protect our customers from security risks.

Our sovereign data approach includes the following measures, among others:

  • Broad source diversification: Our Systems and our security research team monitor a large number of international information sources in order to be able to react promptly to new threats independently of the official CVE process – even if there is no official CVE entry yet.
  • Integration of alternative databases: We integrate independent vulnerability catalogues such as the European Vulnerability Database (EUVD) into our systems in order to create a stable and geographically diversified information basis.
  • Promotion of open standards: We actively support the dissemination of the CSAF standard (Common Security Advisory Framework), which enables the decentralised and federated distribution of vulnerability information.

These measures ensure that our customers retain unrestricted access to up-to-date vulnerability information, even in the event of changes in the international data ecosystem. This ensures that your IT systems remain fully protected in the future.

Greenbone stands for independent, sovereign and future-proof weak-point supply – even in a changing geopolitical environment.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

CVE-2025-34028: Commvault Command Center Actively Exploited for RCE

CVE-2025-34028 (CVSS 10) is a maximum severity flaw in Commvault Command Center, a popular admin console for managing IT security services such as data protection and backups across enterprise environments. As of April 28th, CVE-2025-34028 has been flagged as actively exploited. CVE-2025-34028 also presents heightened risk due to the existence of publicly available proof-of-concept (PoC) exploit code and the fact that Command Center manages the backups and other security configurations for many prominent organizations.

The flaw allows unauthenticated attackers to perform Remote Code Execution (RCE) and to take complete control of a Command Center environment. Given the sensitivity and criticality of IT tasks managed by Commvault, forfeiting complete control has a high potential for disastrous impacts. For example, if backups are disabled, an organization could lose their ability to recover from a ransomware attack. This makes CVE-2025-34028 an attractive target for ransomware operators and financially motivated attackers.

The vulnerability, discovered by Sonny Macdonald of watchTowr Labs, exploits a server-side request forgery (SSRF) [CWE-918] weakness in Command Center’s deployWebpackage.do endpoint. In a successful attack, an adversary uploads a poisoned ZIP archive to a publicly accessible path. The malicious ZIP file is automatically extracted allowing attackers to trigger execution via HTTP GET request to the extracted payload.

CVE-2025-34028 affects versions 11.38.0 to 11.38.19 on both Linux and Windows platforms. Greenbone is able to detect CVE-2025-34028 with an active check that sends a crafted HTTP POST request and checks if the target connects back to the scanner host indicating that it is vulnerable to exploitation. Users of affected versions are urged to apply patches immediately. Let’s further examine the risk posed by CVE-2025-34028.

What is Commvault Command Center?

Commvault Command Center is a web-based interface written in Java that enables organizations to manage data protection, backup, and recovery operations across enterprise environments. Commvault markets itself as a single platform with modular components such as Commvault Complete Backup & Recovery, Commvault HyperScale X and Commvault Disaster Recovery. Most of Commvault’s products rely on the Command Center as their primary management interface. As such, Command Center is used to configure backup jobs, monitor systems, restore data and administer user roles and access.

As of 2025, Commvault maintains roughly 6.2% of the Backup And Recovery market share category, serving over 10,000 organizations globally, across various industries such as banking, healthcare, government and technology. Most of its customers are large enterprises, with 42% having more than 1,000 employees. With Commvault’s adoption among critical sectors including healthcare, government and Fortune 500 companies, the potential impact of this vulnerability is widespread and significant.

A Technical Description of CVE-2025-34028

The discovery and disclosure of CVE-2025-34028 was accompanied by a full technical description and PoC code. Here is a brief summary of the root cause and attack vector for CVE-2025-34028:

The root cause of CVE-2025-34028 is classified as Server-Side Request Forgery (SSRF) [CWE-918]. SSRF vulnerabilities arise when an application is tricked into accessing a remote resource without properly validating it. By exploiting SSRF flaws, an attacker can potentially bypass access controls [CWE-284] such as firewalls that prevent the attackers from accessing the URLs directly. You can think of it as “bouncing” a request off the target in order to bypass security measures. In the case of CVE-2025-34028, the SSRF flaw allows an Unrestricted Upload of File with Dangerous Type [CWE-434].

Here is how the exploit process for CVE-2025-34028 works:

Mixed among the Command Center application endpoints, the researcher found 58 that do not require any form of authentication. Inspecting these unrestricted APIs, researchers discovered the deployWebpackage.do endpoint included a parameter named commcellName, which was used to define the hostname of a URL and which was not filtered for scope. Another parameter, servicePack, defines the local path where the HTTP response to that URL should be stored.

Using a simple directory traversal technique, i.e. prepending the servicePack parameter with “../../” the researcher was able to achieve arbitrary file upload to a custom destination. The Command Center application used a hardcoded filename dist-cc.zip, indicating that the program was expecting a ZIP archive.

When supplying a ZIP archived Java executable (.jsp file), and specifying an unauthenticated route via the servicePack param, a malicious .jsp payload was uploaded, automatically extracted, where it could be accessed directly via an HTTP GET request. This results in execution of the .jsp file by Command Center’s Apache Tomcat web server and unauthenticated, arbitrary RCE on behalf of the attacker.

Mitigating CVE-2025-34028

CVE-2025-34028 affects Commvault Command Center versions 11.38.0 through 11.38.19 on both Linux and Windows platforms and has been resolved in versions 11.38.20 and 11.38.25, with patches released on April 10, 2025. For those unable to update immediately, Commvault recommends isolating the Command Center installation from external network access as a temporary mitigation.

Commvault’s Innovation releases, which are frequent, feature-rich update tracks, are typically updated automatically by the system on a predefined schedule without requiring user action. This is in contrast to Long Term Support (LTS) versions which require manual updates.

Summary

CVE-2025-34028 is a critical severity unauthenticated RCE flaw in Commvault Command Center that doesn’t require user interaction. The vulnerability has been flagged as actively exploited by CISA as of April 2025. CVE-2025-34028 affects Command Center versions 11.38.0–11.38.19 and enables attackers to take full control of backup systems. Commvault is relied upon by many large companies globally for key backup and restoration capabilities making CVE-2025-34028 a hot target for ransomware threat actors. Greenbone is able to detect affected Command Center instances with an active test that uses an HTTP POST request to verify vulnerability.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Intuitive and Clear: Complete Overview of the Security Situation of Your IT Infrastructure – for all Decision-Making Levels

Our newly developed product OPENVAS REPORT integrates the data from practically any number of Greenbone Enterprise Appliances and brings it into a clearly structured dashboard. The user-friendly and comprehensive interface considerably simplifies the protection and safeguarding of even large networks.

Greenbone AG has been developing leading open source technologies for automated vulnerability management since 2008. More than 100,000 installations worldwide rely on the Greenbone community and enterprise editions to strengthen their cyber resilience.

“OPENVAS REPORT stands for innovation from the open source market leader.”

With our new product, we are decisively shortening the path from current security knowledge to the ability to act – faster, clearer and more flexible than ever before,” explains Dr. Jan-Oliver Wagner, CEO of Greenbone AG.

Recognize Hazardous Situations Faster and More Effectively

To protect your digital infrastructures, it is crucial to keep up to date with security-relevant events and to keep the response time to critical incidents as short as possible.

OPENVAS REPORT provides a daily updated, complete overview of the security situation of your IT infrastructure – for all decision-making levels.

Thanks to the connected Greenbone Enterprise Appliances, OPENVAS REPORT automatically recognizes computers and software in the company. Users can mark these with keywords and group and sort them as required – thus maintaining an overview even in very large networks.

Modern, User-friendly Dashboard

The OPENVAS REPORT Dashboard offers modern, user-friendly and highly flexible access for users who work with it on a daily basis. For example, filtering or sorting according to the general severity or specific risk of the vulnerabilities is possible. Companies can thus put together their own customized views, which always show an up-to-date picture of the risk situation in the company network.

Complete Overview

OPENVAS REPORT allows you to record and evaluate your company’s security situation at a glance. Thanks to its simple, clear user guidance, it prepares even the most complex data in a readable and understandable way, thus speeding up decision-making in critical situations.

With flexible and customizable filter options, OPENVAS REPORT considerably simplifies the day-to-day work of administrators and security officers.

Flexible Interfaces

The extensive export functions allow OPENVAS REPORT to be integrated even more deeply into the infrastructure, for example to process external data with OPENVAS REPORT.

Function Added value for your company
Comprehensive asset visibility Complete overview of all IT assets and their vulnerabilities in a single interface – for a complete assessment of your current security situation.
User-friendly dashboards A clearly structured, interactive dashboard makes complex vulnerability information understandable at a glance and accelerates well-founded decisions.
Flexible data processing A wide range of export, API and automation options can be seamlessly integrated into existing workflows and adapted to individual operational requirements.
Efficient data consolidation Aggregates results from multiple scanners and locations in a central database – reduces administrative effort and improves response time.
Customizable classification of vulnerabilities The severity levels and freely definable tags make it possible to precisely map internal compliance and risk models.
Extended reporting functions Target group-specific reports (C-Level, Audit, Operations) can be generated at the touch of a button: filters and drill-down links provide focused insights into critical security problems.

Learn More

Are you interested in a demo or a quote? Contact our sales team and find out more about OPENVAS REPORT. Write to us:sales@greenbone.net or contact us directly. We will be happy to help you!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

March 2025 Threat Report: Who Do You Trust?

When it comes to protecting your organization from digital threats, who should you trust? Reality dictates that high-resilience IT security is forged from a network of strong partnerships, defense in depth; layered security controls, and regular auditing. Defensive posture needs to be monitored, measured and continuously improved. While vulnerability management has always been a core security control, it is nonetheless a fast moving target. In 2025, continuous and prioritized mitigation of security threats can have a big impact on security outcomes as adversarial time-to-exploit diminishes.

In March 2025’s monthly Threat Report, we will highlight the importance of vulnerability management and Greenbone’s industry leading vulnerability detection by reviewing the most recent critical threats. But these new threats only scratch the surface. In March 2025, Greenbone added 5,283 new vulnerability tests to our Enterprise Feed. Let’s jump into some of the important insights from a highly active threat landscape.

The US Treasury Breach: How Did It Happen?

In late December 2024, the U.S. Treasury Department disclosed that its network was breached by Chinese state-backed hackers and subsequently leveraged sanctions in early January 2025. Forensic investigations have tracked the root-cause to a stolen BeyondTrust API key. The vendor has acknowledged 17 other customers breached by this flaw. Deeper investigation has revealed that the API key was stolen via a flaw in a PostgreSQL built-in function for escaping untrusted input.

When invalid two-byte UTF-8 characters are submitted to a vulnerable PostgreSQL function, only the first byte is escaped, allowing a single quote to pass through unsanitized which can be leveraged to trigger an SQL Injection [CWE-89] attack. The exploitable functions are PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() und PQescapeStringConn(). All versions of PostgreSQL before 17.3, 16.7, 15.11, 14.16, and 13.19 are affected as well as numerous products that depend on these functions.

CVE-2024-12356, (CVSS 9.8) and CVE-2024-12686, (CVSS 7.2) have been issued for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) and CVE-2025-1094 (CVSS 8.1) addresses the flaw in PostgreSQL. The issue is the subject of several national CERT advisories including Germany’s BSI Cert-Bund (WID-SEC-2024-3726) and the Canadian Centre for Cybersecurity (AV25-084). The flaw has been added to CISA’s known exploited vulnerabilities (KEV) list, and a Metasploit module that exploits vulnerable BeyondTrust products is available, increasing the risk. Greenbone is able to detect the CVEs (Common Vulnerabilities and Exposures) discussed above both in BeyondTrust products or instances of PostgreSQL vulnerable to CVE-2025-1094.

Advanced fined 3.1 Million Pound for Lack of Technical Controls

This month, the UK’s Information Commissioner’s Office (ICO) imposed a 3.07 million Pound fine on Advanced Computer Software Group Ltd. under the UK GDPR for security failures. The case is evidence of how the financial damage caused by a ransomware attack can be further exacerbated by regulatory fines. The initial proposed amount was even higher at 6.09 million Pound. However, since the victim exhibited post-incident cooperation with the NCSC (National Cyber Security Centre), NCA (National Crime Agency) and NHS (National Health Service), a voluntary settlement of 3,076,320 Pound was approved. While operational costs and extortion payments have not been publicly disclosed, they likely add between 10 to 20 million Pound to the incident’s total costs.

Advanced is a major IT and software provider to healthcare organizations including the NHS. In August 2022, Advanced was compromised, attackers gained access to its health and care subsidiary resulting in a serious ransomware incident. The breach disrupted critical services including NHS 111 and prevented healthcare staff from accessing personal data on 79,404 individuals, including sensitive care information.

The ICO concluded that Advanced had incomplete MFA coverage, lacked comprehensive vulnerability scanning and had deficient patch management practices at the time of the incident – factors that collectively represented a failure to implement appropriate technical and organizational measures. Organizations processing sensitive data must treat security controls as non-negotiable. Inadequate patch management remains one of the most exploited gaps in modern attack chains.

Double Trouble: Backups Are Critical to Ransomware Mitigation

Backups are an organization’s last defense against ransomware and most sophisticated advanced persistent threat (APT) actors are known to target their victim’s backups. If a victim’s backups are compromised, submission to ransom demands is more likely. In 2025, this could mean multi-million Dollar losses. In March 2025, two new significant threats to backup services were revealed; CVE-2025-23120, a new critical severity flaw in Veeam was disclosed, and campaigns targeting CVE-2024-48248 in NAKIVO Backup & Replication were observed. Identifying affected systems and patching them is therefore an urgent matter.

In October 2024, our threat report alerted about another vulnerability in Veeam (CVE-2024-40711) being used in ransomware attacks. Overall, CVEs in Veeam Backup and Replication have a high conversion rate for active exploitation, PoC (Proof of Concept) exploits, and use in ransomware attacks. Here are the details for both emerging threats:

  • CVE-2024-48248 (CVSS 8.6): Versions of NAKIVO Backup & Replication before 11.0.0.88174 allow unauthorized Remote Code Execution (RCE) via a function called getImageByPath which allows files to be read remotely. This includes database files containing cleartext credentials for each system that NAKIVO connects to and backs up. A full technical description and proof-of-concept is available and this vulnerability is now tracked as actively exploited.
  • CVE-2025-23120 (CVSS 9.9): Attackers with domain user access can trigger deserialization of attacker-controlled data through the .NET Remoting Channel. Veeam attempts to restrict dangerous types via a blacklist, but researchers discovered exploitable classes (xmlFrameworkDs and BackupSummary) not on the list. These extend .NET’s DataSet class – a well-known RCE vector – allowing arbitrary code execution as SYSTEM on the backup server. The flaw is the subject of national CERT alerts globally including HK, CERT.be, and CERT-In. As per Veeam’s advisory, upgrading to version 12.3.1 is the recommended way to mitigate the vulnerability.

Greenbone is able to detect vulnerable NAKIVO and Veeam instances. Our Enterprise Feed has an active check [1] and version check [2] for CVE-2024-48248 in NAKIVO Backup & Replication, and a remote version check [3] for the Veeam flaw.

IngressNightmare: Unauthenticated Takeover in 43% of Kubernetes Clusters

Kubernetes is the most popular enterprise container orchestration tool globally. Its Ingress feature is a networking component that manages external access to services within a cluster, typically HTTP and HTTPS traffic. A vulnerability dubbed IngressNightmare has exposed an estimated 43% of Kubernetes clusters to unauthenticated remote access – approximately 6,500 clusters, including Fortune 500 companies.

The root-cause is excessive default privileges [CWE-250] and unrestricted network accessibility [CWE-284] in the Ingress-NGINX Controller tool, based on NGINX reverse proxy. IngressNightmare allows attackers to gain complete unauthorized control over workloads, APIs or sensitive resources in multi-tenant and production-grade clusters. A full technical analysis is available from the researchers at Wiz, who pointed out that K8 Admission Controllers are directly accessible without authentication by default, presenting an appealing attack surface to hackers.

The full attack trajectory to achieve arbitrary RCE against an affected K8 instance requires exploiting Ingress-NGINX. First, CVE-2025-1974 (CVSS 9.8) to upload a binary payload as the request body. It should be larger than 8kb in size while specifying a Content-Length header larger than the actual content size. This triggers NGINX to store the request body as a file, and the incorrect Content-Length header means the file will not be deleted as the server waits for more data [CWE-459].

The second stage of this attack requires exploiting CVE-2025-1097, CVE-2025-1098, or CVE-2025-24514 (CVSS 8.8). These CVEs all similarly fail to properly sanitize input [CWE-20] submitted to Admission Controllers. Ingress-NGINX converts Ingress objects to configuration files and validates them with the nginx -t command, allowing attackers to execute a limited set of NGINX configuration directives. Researchers found the ssl_engine module can be triggered to load the shared library binary payload uploaded in the first stage. Although exploitation is not trivial and no public PoC code exists yet, sophisticated threat actors will easily convert the technical analysis into effective exploits.

The Canadian Centre for Cyber Security has issued a CERT advisory (AV25-161) for IngressNightmare. Patched Ingress-NGINX versions 1.12.1 and 1.11.5 are available and users should upgrade as soon as possible. If upgrading the Ingress NGINX Controller is not immediately possible, temporary workarounds can help reduce risk. Strict network policies can restrict access to a cluster’s Admission Controllers allowing access to only the Kubernetes API Server. Alternatively, the Admission Controller component of Ingress-NGINX can be disabled entirely.

Greenbone is able to detect IngressNightmare vulnerabilities with an active check that verifies the presence of all CVEs mentioned above [1][2].

CVE-2025-29927: Next.js Framework Under Attack

A new vulnerability in Next.js, CVE-2025-29927 (CVSS 9.4) is considered high risk due the framework’s popularity and the simplicity of exploitation [1][2]. Adding to the risk, PoC exploit code is publicly available and Akamai researchers have observed active scans probing the Internet for vulnerable apps. Several national CERTs (Computer Emergency Response Teams) have issued alerts for the issue including CERT.NZ, Australian Signals Directorate (ASD), Germany’s BSI Cert-Bund (WID-SEC-2025-062), and the Canadian Centre for Cyber Security (AV25-162).

Next.js is a React middleware framework for building full-stack web applications. Middleware refers to components that sit between two or more systems and handle communication and orchestration. For web-applications, middleware converts incoming HTTP requests into responses and is often also responsible for authentication and authorization. Due to CVE-2025-29927, attackers can bypass Next.js middleware authentication and authorization simply by setting a malicious HTTP header.

If using HTTP headers seems like a bad idea for managing a web application’s internal process flow, CVE-2025-29927 is the evidence. Considering user-provided headers were not correctly distinguished from internal ones, this vulnerability should attain the status of egregious negligence. Attackers can bypass authentication by simply adding the `x‑middleware‑subrequest` header to a request and overloading it with at least as many values as the MAX_RECURSION_DEPTH which is 5. For example:

`x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`

The flaw is fixed in Next.js versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5, and users should follow the vendor’s upgrade guide. If upgrading is infeasible, it is recommended to filter the `x-middleware-subrequest` header from HTTP requests. Greenbone is able to detect vulnerable instances of Next.js with an active check and a version check.

Summary

The March 2025 threat landscape was shaped by vulnerable and actively exploited backup systems, unforgivably weak authentication logic, high-profile regulatory fines and numerous other critical software vulnerabilities. From the U.S. Treasury breach to the Advanced ransomware fallout, the theme is clear: trust doesn’t grow on trees. Cybersecurity resilience must be earned; forged through layered security controls and backed up by accountability.

Greenbone continues to play a vital role by providing timely detection tests for new emerging threats and standardized compliance audits that support a wide array of enterprise architectures. Organizations that want to stay ahead of cyber crime need to proactively scan their infrastructure and close security gaps as they appear.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

The CPU as a Weakness: how to Manage Hardware Risks with Confidence

Vulnerabilities in IT environments appear in different forms. The most common ones are likely software vulnerabilities that have not been patched. Then there are weak passwords, misconfigurations or network switches that have been EOL for five years. However, another type of security gap sometimes causes significant confusion during the scans: hardware vulnerabilities.

We have become accustomed to the continuous emergence of software vulnerabilities, and hopefully, it is now standard practice for every company to regularly scan its network for vulnerabilities and apply patches. Unfortunately, mistakes are not limited to software developers – CPU developers are not immune either. CPU vulnerabilities often arise from design flaws, allowing malicious actors to exploit unintended side effects to access sensitive data. Unlike software vulnerabilities, which can often be resolved through patches or updates, hardware vulnerabilities require either microcode updates or fundamental architectural changes in future processor designs.

Microcode Updates

The only way to mitigate CPU vulnerabilities is by applying microcode updates, which are typically distributed through the operating system or sometimes even through firmware (UEFI/BIOS). Microcode is a low-level software layer within the processor that translates higher-level machine instructions into specific internal operations.

While end users do not traditionally update microcode themselves, manufacturers like Intel provide relevant updates to patch certain vulnerabilities without requiring a full hardware replacement. However, these updates often introduce performance loss, as they disable or modify certain CPU optimizations to prevent exploitation. In some cases, this can even lead to performance reductions of up to 50%.

Flaws on different levels

Since these vulnerabilities exist at the CPU level, tools like the Greenbone Enterprise Appliance detect and report them. However, this can lead to misconceptions, as users might mistakenly believe that the reported vulnerabilities originate from the operating system. It is crucial to understand that these are not OS vulnerabilities; rather, they are architectural flaws in the processor itself. The vulnerabilities are detected by checking for the absence of appropriate microcode patches when an affected CPU is identified. For example, if a scan detects a system that lacks Intel’s microcode update for Downfall, it will be reported as vulnerable. However, this does not mean that the OS itself is insecure or compromised.

Performance or safety?

In the end, mitigating CPU vulnerabilities always involves trade-offs, and users must decide which approach best suits their needs. In principle, there are three options to choose from:

  • Apply microcode updates and accept significant performance degradation in compute-heavy workloads.
  • Forego certain microcode updates and accept the risks if the probability of exploitation is low in their environment.
  • Replace the affected hardware with CPUs that are not vulnerable to these issues.

Ultimately, the decision depends on the specific use case and risk tolerance of the organization or individual responsibles.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

Dennis-Kenji Kipker about the future of NIS2 in Germany and Europe

With the new elections, the implementation of NIS2 in Germany appears to have been halted for the time being. While other European countries are already ready, German companies will have to wait several more months until legal certainty is established. Everything has actually been said, templates have been drawn up, but the change of government means a new start is necessary.

We spoke to one of the leading experts on NIS2: Dennis-Kenji Kipker is Scientific Director of the cyberintelligence.institute in Frankfurt/Main, professor at the Riga Graduate School of Law and regularly consults as an expert at the German Federal Office for Information Security (BSI) and many other public and scientific institutions.

Why did the German government reject the final NIS2 draft?

Portrait of Prof. Dr. Dennis-Kenji Kipker, expert in IT law and cyber security, in an interview on the implementation of the NIS2 Directive

Prof. Dr. Dennis-Kenji Kipker

Kipker: This is due to the so-called discontinuity principle. Just like with the old government, all unfinished projects must be archived. “Due to the early elections, the parliamentary procedure for the NIS2UmsuCG could not be completed” is the official term. In line with the principle of discontinuity, when a newly elected Bundestag is constituted, all bills not yet passed by the old Bundestag must be reintroduced and renegotiated. This means that the work already done on NIS2 will fall by the wayside. But you can of course build on this and reintroduce almost the same text.

Will that happen?

Kipker: There is an internal 100-day plan from the Federal Ministry of the Interior for the period after the election. According to rumors, cybersecurity is a very high priority in the plan, and NIS2 in particular is now to be implemented very quickly. If this can be implemented before fall/winter 2025 (the actual current schedule), Germany will at least avoid the embarrassment of bringing up the rear in Europe.

Is that realistic?

Kipker: You would have to recycle a lot, i.e. take over things from the last legislative period despite the principle of discontinuity. Now, it seems that the current Ministry of the Interior wants to do just that. Only the politicians and officials directly involved know whether this is realistic. However, 100 days seems very ambitious to me in the Berlin political scene, even if everyone involved pulls together. There would need to be a budget, the current NIS2UmsuCG draft would need to be revised and addressed but also finalized, and the German scope of application of the law would need to be clarified and aligned with EU law. Furthermore, at the end of 2024 and the beginning of 2025, attempts were still being made to push through many things in the Bundestag after the expert hearing on NIS2, some of which are rather questionable. In any case, this would have to be renegotiated politically and evaluated technically.

When do you think this will happen?

Kipker: It’s hard to say, but even if you break the 100-day deadline, it should be feasible to complete a national NIS2 implementation before the winter of 2025/2026. But that’s just a very preliminary assumption that I keep hearing from “usually well-informed circles”. One way or another, we will be at the bottom of the league when it comes to Europe-wide implementation, and all the current ambitions won’t change that.

And what is the situation like in other European countries?

Kipker: A lot is happening right now. It has been recognized, for example, that the different national implementations of NIS2 lead to frictional losses and additional costs for the affected companies – that’s not really surprising. A few weeks ago, the European Union Agency For Cybersecurity (ENISA) published a report that is well worth reading, which explains and evaluates the maturity and criticality of relevant NIS2 sectors in a European comparison. “NIS360 is intended to support Member States and national authorities in identifying gaps and prioritizing resources”, writes the EU cybersecurity authority. And we at cyberintelligence.institute have produced a comprehensive study on behalf of the Swiss company Asea Brown Boveri, which also takes a closer look at the EU-wide implementation of the NIS2 directive.

What key insight did you gain there?

Kipker: The Comparison Report is primarily aimed at transnationally operating companies that are looking for a first point of contact for cybersecurity compliance. Above all, there is a lack of central administrative responsibilities in the sense of a “one-stop store”, and the diverging implementation deadlines are causing problems for companies. As of the end of January, only nine EU states had transposed NIS2 into national law, while the legislative process had not yet been completed in 18 other states. Another key insight: Just because I am NIS2-compliant in one EU member state does not necessarily mean that this also applies to another member state.

So, Germany may not be a pioneer, but it is not lagging behind either?

Kipker: We are definitely not at the forefront, but if we manage to implement it nationally this year, we may not be the last, but we will be among the last. My guess in this respect now is that we won’t have really reliable results until the fourth quarter of 2025. So, it’s going to be close to avoid being left in the red after all. Politicians will have to decide whether this can meet our requirements in terms of cyber security and digital resilience.

Where can affected companies find out about the current status?

Kipker: There are ongoing events and opportunities for participation. On March 18, for example, there will be a BSI information event (in German language) where you can ask about the plans. Then, in May 2025, there will also be the NIS-2 Congress right next door to us in Frankfurt, for which the “most recognized NIS-2 Community Leader” has just been selected. There will certainly be one or two interesting tidbits of information to pick up here. Otherwise, feel free to contact me at any time if you have any questions about NIS2!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

February 2025 Threat Report: Tectonic Technology

Cyber threats are evolving at breakneck speed, but the fundamental weaknesses attackers exploit remain strikingly unchanged. So far in 2025, many analysts have published landscape reviews of 2024 and outlooks for 2025. The cost of cyber breaches is ticking upwards, but overall, cyber breach root-causes have not changed. Phishing [T1566] and exploiting known software vulnerabilities [T1190] continue to top the list. Another key observation is that attackers are weaponizing public information faster, converting CVE (Common Vulnerabilities and Exposures) disclosures into viable exploit code within days or even hours. Once inside a victim’s network, they are executing precision second-stage objectives faster too, deploying ransomware within minutes.

In this month’s edition of the Greenbone Threat Report, we will briefly review the disclosed chats of the Black Basta ransomware group and highlight Greenbone’s coverage of their now exposed techniques. We will also review a report from Greynoise about mass exploitation attacks, a new actively exploited vulnerability in Zimbra Collaboration Suite and new threats to edge networking devices.

The Era of Tectonic Technology

If security crises are like earthquakes, then the global tech ecosystem is the underlying tectonic plates. The global technology ecosystem would be best represented as the Paleozoic Era of geological history. Rapid innovative and competitive market forces are pushing and pulling at the fabric of IT security like the colliding supercontinents of Pangea; continuous earthquakes constantly forcing continental shift.

Entirely new paradigms of computing such as generative AI and quantum computing are creating advantages and risks; volcanoes of value and unstable ground. Global governments and tech giants are wresting for access to citizen’s sensitive personal data, adding gravity. These struggles have significant implications for privacy, security and how society will evolve. Here are some of the major forces destabilizing IT security today:

  • Rapidly evolving technologies are driving innovation, forcing technical change.
  • Organizations are both forced to change as technologies and standards depreciate and motivated to change to remain competitive.
  • Fierce market competition has accelerated product development and release cycles.
  • Strategic planned obsolescence has been normalized as a business strategy for reaping financial gain.
  • Pervasive lack of accountability for software vendors has led to prioritization of performance over “security-first” design principles.
  • Nation-states weaponize technology for Cyber Warfare, Information Warfare and Electronic Warfare.

Due to these forces, well-resourced and well-organized cyber criminals find a virtually unlimited number of security gaps to exploit. The Paleozoic Era lasted 300 million years. Hopefully, we won’t have to wait that long for product vendors to show accountability and employ secure design principles [1][2][3] to prevent so-called “unforgivable” vulnerabilities of negligence [4][5]. The takeaway is that organizations need to develop technical agility and efficient patch management programs. Continuous prioritized vulnerability management is a must.

Black Basta Tactics Revealed: Greenbone Has Coverage

Leaked internal chat logs belonging to Black Basta ransomware group have provided insight into the group’s tactics and inner workings. The logs were leaked by an individual using the alias “ExploitWhispers” who claimed the release was in response to Black Basta’s controversial targeting of Russian banks, allegedly creating internal conflicts within the group. Since its emergence in April 2022, Black Basta has reportedly amassed over $100 million in ransom payments from more than 300 victims worldwide. 62 CVEs referenced in leaked documents reveal the group’s tactics for exploiting known vulnerabilities. Of these 62, Greenbone maintains detection tests for 61, covering 98% of the CVEs.

The Greynoise 2025 Mass Exploitation Report

Mass exploitation attacks are fully automated network attacks against services that are accessible via internet. This month, Greynoise published a comprehensive report summarizing the mass exploitation landscape including the top CVEs attacked by the largest botnets (unique IPs), the most exploited product vendors and top CVEs included in the CISA’s (Cybersecurity and Infrastructure Security Agency) KEV (Known Exploited Vulnerabilities) catalog and exploited by botnets. Greenbone Enterprise Feed has detection tests for 86% of all CVEs (86 total) referenced in the report. When considering only CVEs issued in 2020 or later (66 total), our Enterprise Feed has 90% detection coverage.

Additional findings include:

  • 60% of CVEs exploited in mass exploitation attacks were published in 2020 or later.
  • Attackers are exploiting vulnerabilities within hours of disclosure.
  • 28% of vulnerabilities in CISA KEV are exploited by ransomware threat actors.

Zimbra Collaboration Suite

CVE-2023-34192 (CVSS 9.0) is a high-severity Cross-Site Scripting (XSS) vulnerability in Zimbra Collaboration Suite (ZCS) version 8.8.15. The flaw allows authenticated remote attackers to execute arbitrary code via crafted scripts targeting the `/h/autoSaveDraft` function. CISA added CVE-2023-34192 to its KEV catalog, indicating that it has been actively exploited in real-world attacks. Proof-of-concept (PoC) exploit code is publicly available, allowing low-skilled attackers to join the fray. CVE-2023-34192 has held a very high EPSS since its disclosure in 2023. For defenders leveraging EPSS for remediation prioritization, this indicates a high priority to patch.

Zimbra Collaboration Suite (ZCS) is an open-source office productivity platform that integrates email, calendar, contacts, tasks and collaboration tools but holds a niche market share of less than 1% of all email and messaging platforms.

Living on the Edge: New Critical Networking Device Flaws

In our monthly threat report we have been tracking the persistent threat to edge network devices. Earlier this-month, we reported on a perfect security storm affecting end-of-life (EOL) Zyxel routers and firewalls. In this section we will review new security risks that fall into the “edge networking” category. Greenbone has detection capabilities for all CVEs discussed below.

Chinese Hackers Exploit Palo Alto’s PAN-OS for Ransomware

CVE-2024-0012 (CVSS 9.8), a vulnerability in Palo Alto PAN-OS disclosed last November, is considered one of the most exploited vulnerabilities of 2024. The CVE is also reportedly being used by Chinese state-backed threat actors for ransomware attacks. Another new flaw affecting PAN-OS, CVE-2025-0108 (CVSS 9.1), was just disclosed this month and immediately tagged as actively exploited by CISA. CVE-2025-0108 is an authentication bypass in the management web-interface and can be chained together with CVE-2024-9474 (CVSS 7.2), a separate privilege escalation vulnerability to gain unauthenticated root control over an unpatched PAN-OS device.

SonicWall Patches a Critical Actively Exploited CVE in SonicOS

CVE-2024-53704, a critical severity vulnerability in SonicWall devices, has been recently added to CISA’s KEV list. Astoundingly, CISA lists 8 SonicWall CVEs that are known to be actively exploited in ransomware attacks. CVE-2024-53704 (CVSS 9.8) is an Improper Authentication vulnerability [CWE-287] in the SSLVPN authentication mechanism of SonicWall’s SonicOS versions 7.1.1-7058 and older, 7.1.2-7019, and 8.0.0-8035. It allows remote attackers to bypass authentication and and hijack active SSL VPN sessions, potentially gaining unauthorized network access. A full technical analysis is available from BishopFox. An advisory from SonicWall also names additional high severity CVEs in SonicOS that have been patched along with CVE-2024-53704.

Sophos’ CyberroamOS and EOL XG Firewalls Actively Exploited

Sophos, which acquired Cyberoam in 2014, has issued an alert and patch for CVE-2020-29574. CyberoamOS is part of Sophos’ product ecosystem. Aside from this CVE, Sophos XG Firewall, soon to be EOL, is also the subject of an active exploitation alert.

  • CVE-2020-29574 (CVSS 9.8): A critical SQL injection [CWE-89] vulnerability identified in the WebAdmin interface of CyberoamOS versions up to December 4, 2020. This flaw allows unauthenticated attackers to remotely execute arbitrary SQL statements, potentially gaining complete administrative access to the device. A hotfix patch has been issued, which also extends to some affected end-of-life (EOL) products.
  • CVE-2020-15069 (CVSS 9.8) is a critical Buffer Overflow vulnerability in Sophos XG Firewall versions 17.x through v17.5 MR12, allowing unauthenticated RCE via the HTTP/S Bookmarks feature for clientless access. This vulnerability, published in 2020 is now being actively exploited and has been added to CISA KEV indicating heightened risk. Sophos released an advisory in 2020 when the vulnerability was disclosed, along with a hotfix affected firewalls. The XG Series hardware appliances are soon scheduled to reach end-of-life (EOL) on March 31, 2025.

PrivEsc and Auth Bypasses in Fortinet FortiOS and FortiProxy

Fortinet disclosed two critical vulnerabilities, both affecting FortiOS and FortiProxy. The Canadian Center for Cybersecurity and the Belgian Center for Cybersecurity have issued advisories. Fortinet acknowledges active exploitation of CVE-2024-55591 and has released official guidance that includes details on affected versions and recommended updates. ​

  • CVE-2024-55591 (CVSS 9.8): An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS allows a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module. Multiple PoC exploits are available [1][2] increasing the risk of exploitation by low-skilled attackers.
  • CVE-2024-40591 (CVSS 8.8): Allows an authenticated administrator with Security Fabric permissions to escalate their privileges to super-admin by connecting the targeted FortiGate device to a malicious upstream FortiGate under their control.

Cisco Flaws Implicated as Initial Access Vectors in Telecom Hacks

In the past few months, China’s Salt Typhoon espionage group has routinely exploited at least two critical vulnerabilities in Cisco IOS XE devices to gain persistent access to telecommunications networks. Victims include Italian ISP, a South African telecom, and a large Thai telecom, and twelve universities worldwide including UCLA, Indonesia’s Universitas Negeri Malang and Mexico’s UNAM among others. Previously, Salt Typhoon had compromised at least nine U.S. telecoms, including Verizon, AT&T and Lumen Technologies. U.S. authorities claim Salt Typhoon’s goal is surveilling high-profile individuals, political figures and officials related to Chinese political interests.

CVEs exploited by Salt Typhoon include:

  • CVE-2023-20198 (CVSS 10): A privilege escalation flaw in Cisco IOS XE’s web interface. Used for initial access, allowing attackers to create an admin account.
  • CVE-2023-20273 (CVSS 7.2): Another privilege escalation flaw, used after gaining admin access to escalate privileges to root and establish a GRE (Generic Routing Encapsulation) tunnel for persistence.

Also, two other CVEs in Cisco products entered the radar in February 2025:

  • CVE-2023-20118 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers allows authenticated, remote attackers to execute arbitrary commands with root-level privileges by sending crafted HTTP requests. CISA added CVE-2023-20118 to its KEV catalog, indicating evidence of active exploitation.
  • CVE-2023-20026 (CVSS 7.2): A command injection vulnerability in the web-based management interface of Cisco Small Business Routers RV042 Series allows authenticated, remote attackers with valid administrative credentials to execute arbitrary commands on the device. The flaw is due to improper validation of user input within incoming HTTP packets. While CVE-2023-20026 is not known to be exploited in any active campaigns, Cisco’s Product Security Incident Response Team (PSIRT) is aware that PoC exploit code for this vulnerability exists.

Ivanti Patches Four Critical Flaws

Four critical vulnerabilities were identified, affecting Ivanti Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA). No reports of active attacks in the wild or PoC exploits have emerged yet. Ivanti advises users to promptly update to the newest versions to address these critical vulnerabilities.

Here is a brief technical summary:

  • CVE-2025-22467 (CVSS 8.8): Attackers with credentials can achieve remote code execution (RCE) due to a stack-based buffer overflow [CWE-121] flaw in ICS versions prior to 22.7R2.6.
  • CVE-2024-38657 (CVSS 9.1): Attackers with credentials can write arbitrary files due to an external control of file name vulnerability in ICS versions before 22.7R2.4 and IPS versions before 22.7R1.3.
  • CVE-2024-10644 (CVSS 9.1): A code injection flaw in ICS (pre-22.7R2.4) and IPS (pre-22.7R1.3), allows arbitrary RCE to authenticated administrators. ​
  • CVE-2024-47908 (CVSS 7.2): An operating system command injection vulnerability [CWE-78] in CSA’s admin web console (versions before 5.0.5), allows arbitrary RCE to authenticated administrators.

Summary

This month’s Threat Report highlights key cybersecurity developments, including the evolving tactics of ransomware groups like Black Basta and the pervasive critical threat to edge network devices. With the support of AI tools, attackers are exploiting vulnerabilities faster-sometimes within hours of disclosure. Organizations must remain vigilant by adopting proactive security measures, continuously updating their defenses and leveraging threat intelligence to stay ahead of emerging threats.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Greenbone Detects CVE-2025-0994: Actively Exploited Flaw in Trimble Cityworks

Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as ​​CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is a process whereby the software code or objects are encoded to be transferred between applications and then reconstructed into the original format used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.

Exploitation CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit attachment directory root configuration to only folders which only contain attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

Contact Test Now Buy Here Back to Overview

/by