Tag Archive for: Schwachstellenmanagement

Joseph Lee

March 2025 Threat Report: Who Do You Trust?

When it comes to protecting your organization from digital threats, who should you trust? Reality dictates that high-resilience IT security is forged from a network of strong partnerships, defense in depth; layered security controls, and regular auditing. Defensive posture needs to be monitored, measured and continuously improved. While vulnerability management has always been a core security control, it is nonetheless a fast moving target. In 2025, continuous and prioritized mitigation of security threats can have a big impact on security outcomes as adversarial time-to-exploit diminishes.

In March 2025’s monthly Threat Report, we will highlight the importance of vulnerability management and Greenbone’s industry leading vulnerability detection by reviewing the most recent critical threats. But these new threats only scratch the surface. In March 2025, Greenbone added 5,283 new vulnerability tests to our Enterprise Feed. Let’s jump into some of the important insights from a highly active threat landscape.

The US Treasury Breach: How Did It Happen?

In late December 2024, the U.S. Treasury Department disclosed that its network was breached by Chinese state-backed hackers and subsequently leveraged sanctions in early January 2025. Forensic investigations have tracked the root-cause to a stolen BeyondTrust API key. The vendor has acknowledged 17 other customers breached by this flaw. Deeper investigation has revealed that the API key was stolen via a flaw in a PostgreSQL built-in function for escaping untrusted input.

When invalid two-byte UTF-8 characters are submitted to a vulnerable PostgreSQL function, only the first byte is escaped, allowing a single quote to pass through unsanitized which can be leveraged to trigger an SQL Injection [CWE-89] attack. The exploitable functions are PQescapeLiteral(), PQescapeIdentifier(), PQescapeString() und PQescapeStringConn(). All versions of PostgreSQL before 17.3, 16.7, 15.11, 14.16, and 13.19 are affected as well as numerous products that depend on these functions.

CVE-2024-12356, (CVSS 9.8) and CVE-2024-12686, (CVSS 7.2) have been issued for BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) and CVE-2025-1094 (CVSS 8.1) addresses the flaw in PostgreSQL. The issue is the subject of several national CERT advisories including Germany’s BSI Cert-Bund (WID-SEC-2024-3726) and the Canadian Centre for Cybersecurity (AV25-084). The flaw has been added to CISA’s known exploited vulnerabilities (KEV) list, and a Metasploit module that exploits vulnerable BeyondTrust products is available, increasing the risk. Greenbone is able to detect the CVEs (Common Vulnerabilities and Exposures) discussed above both in BeyondTrust products or instances of PostgreSQL vulnerable to CVE-2025-1094.

Advanced fined 3.1 Million Pound for Lack of Technical Controls

This month, the UK’s Information Commissioner’s Office (ICO) imposed a 3.07 million Pound fine on Advanced Computer Software Group Ltd. under the UK GDPR for security failures. The case is evidence of how the financial damage caused by a ransomware attack can be further exacerbated by regulatory fines. The initial proposed amount was even higher at 6.09 million Pound. However, since the victim exhibited post-incident cooperation with the NCSC (National Cyber Security Centre), NCA (National Crime Agency) and NHS (National Health Service), a voluntary settlement of 3,076,320 Pound was approved. While operational costs and extortion payments have not been publicly disclosed, they likely add between 10 to 20 million Pound to the incident’s total costs.

Advanced is a major IT and software provider to healthcare organizations including the NHS. In August 2022, Advanced was compromised, attackers gained access to its health and care subsidiary resulting in a serious ransomware incident. The breach disrupted critical services including NHS 111 and prevented healthcare staff from accessing personal data on 79,404 individuals, including sensitive care information.

The ICO concluded that Advanced had incomplete MFA coverage, lacked comprehensive vulnerability scanning and had deficient patch management practices at the time of the incident – factors that collectively represented a failure to implement appropriate technical and organizational measures. Organizations processing sensitive data must treat security controls as non-negotiable. Inadequate patch management remains one of the most exploited gaps in modern attack chains.

Double Trouble: Backups Are Critical to Ransomware Mitigation

Backups are an organization’s last defense against ransomware and most sophisticated advanced persistent threat (APT) actors are known to target their victim’s backups. If a victim’s backups are compromised, submission to ransom demands is more likely. In 2025, this could mean multi-million Dollar losses. In March 2025, two new significant threats to backup services were revealed; CVE-2025-23120, a new critical severity flaw in Veeam was disclosed, and campaigns targeting CVE-2024-48248 in NAKIVO Backup & Replication were observed. Identifying affected systems and patching them is therefore an urgent matter.

In October 2024, our threat report alerted about another vulnerability in Veeam (CVE-2024-40711) being used in ransomware attacks. Overall, CVEs in Veeam Backup and Replication have a high conversion rate for active exploitation, PoC (Proof of Concept) exploits, and use in ransomware attacks. Here are the details for both emerging threats:

  • CVE-2024-48248 (CVSS 8.6): Versions of NAKIVO Backup & Replication before 11.0.0.88174 allow unauthorized Remote Code Execution (RCE) via a function called getImageByPath which allows files to be read remotely. This includes database files containing cleartext credentials for each system that NAKIVO connects to and backs up. A full technical description and proof-of-concept is available and this vulnerability is now tracked as actively exploited.
  • CVE-2025-23120 (CVSS 9.9): Attackers with domain user access can trigger deserialization of attacker-controlled data through the .NET Remoting Channel. Veeam attempts to restrict dangerous types via a blacklist, but researchers discovered exploitable classes (xmlFrameworkDs and BackupSummary) not on the list. These extend .NET’s DataSet class – a well-known RCE vector – allowing arbitrary code execution as SYSTEM on the backup server. The flaw is the subject of national CERT alerts globally including HK, CERT.be, and CERT-In. As per Veeam’s advisory, upgrading to version 12.3.1 is the recommended way to mitigate the vulnerability.

Greenbone is able to detect vulnerable NAKIVO and Veeam instances. Our Enterprise Feed has an active check [1] and version check [2] for CVE-2024-48248 in NAKIVO Backup & Replication, and a remote version check [3] for the Veeam flaw.

IngressNightmare: Unauthenticated Takeover in 43% of Kubernetes Clusters

Kubernetes is the most popular enterprise container orchestration tool globally. Its Ingress feature is a networking component that manages external access to services within a cluster, typically HTTP and HTTPS traffic. A vulnerability dubbed IngressNightmare has exposed an estimated 43% of Kubernetes clusters to unauthenticated remote access – approximately 6,500 clusters, including Fortune 500 companies.

The root-cause is excessive default privileges [CWE-250] and unrestricted network accessibility [CWE-284] in the Ingress-NGINX Controller tool, based on NGINX reverse proxy. IngressNightmare allows attackers to gain complete unauthorized control over workloads, APIs or sensitive resources in multi-tenant and production-grade clusters. A full technical analysis is available from the researchers at Wiz, who pointed out that K8 Admission Controllers are directly accessible without authentication by default, presenting an appealing attack surface to hackers.

The full attack trajectory to achieve arbitrary RCE against an affected K8 instance requires exploiting Ingress-NGINX. First, CVE-2025-1974 (CVSS 9.8) to upload a binary payload as the request body. It should be larger than 8kb in size while specifying a Content-Length header larger than the actual content size. This triggers NGINX to store the request body as a file, and the incorrect Content-Length header means the file will not be deleted as the server waits for more data [CWE-459].

The second stage of this attack requires exploiting CVE-2025-1097, CVE-2025-1098, or CVE-2025-24514 (CVSS 8.8). These CVEs all similarly fail to properly sanitize input [CWE-20] submitted to Admission Controllers. Ingress-NGINX converts Ingress objects to configuration files and validates them with the nginx -t command, allowing attackers to execute a limited set of NGINX configuration directives. Researchers found the ssl_engine module can be triggered to load the shared library binary payload uploaded in the first stage. Although exploitation is not trivial and no public PoC code exists yet, sophisticated threat actors will easily convert the technical analysis into effective exploits.

The Canadian Centre for Cyber Security has issued a CERT advisory (AV25-161) for IngressNightmare. Patched Ingress-NGINX versions 1.12.1 and 1.11.5 are available and users should upgrade as soon as possible. If upgrading the Ingress NGINX Controller is not immediately possible, temporary workarounds can help reduce risk. Strict network policies can restrict access to a cluster’s Admission Controllers allowing access to only the Kubernetes API Server. Alternatively, the Admission Controller component of Ingress-NGINX can be disabled entirely.

Greenbone is able to detect IngressNightmare vulnerabilities with an active check that verifies the presence of all CVEs mentioned above [1][2].

CVE-2025-29927: Next.js Framework Under Attack

A new vulnerability in Next.js, CVE-2025-29927 (CVSS 9.4) is considered high risk due the framework’s popularity and the simplicity of exploitation [1][2]. Adding to the risk, PoC exploit code is publicly available and Akamai researchers have observed active scans probing the Internet for vulnerable apps. Several national CERTs (Computer Emergency Response Teams) have issued alerts for the issue including CERT.NZ, Australian Signals Directorate (ASD), Germany’s BSI Cert-Bund (WID-SEC-2025-062), and the Canadian Centre for Cyber Security (AV25-162).

Next.js is a React middleware framework for building full-stack web applications. Middleware refers to components that sit between two or more systems and handle communication and orchestration. For web-applications, middleware converts incoming HTTP requests into responses and is often also responsible for authentication and authorization. Due to CVE-2025-29927, attackers can bypass Next.js middleware authentication and authorization simply by setting a malicious HTTP header.

If using HTTP headers seems like a bad idea for managing a web application’s internal process flow, CVE-2025-29927 is the evidence. Considering user-provided headers were not correctly distinguished from internal ones, this vulnerability should attain the status of egregious negligence. Attackers can bypass authentication by simply adding the `x‑middleware‑subrequest` header to a request and overloading it with at least as many values as the MAX_RECURSION_DEPTH which is 5. For example:

`x-middleware-subrequest: middleware:middleware:middleware:middleware:middleware`

The flaw is fixed in Next.js versions 15.2.3, 14.2.25, 13.5.9 and 12.3.5, and users should follow the vendor’s upgrade guide. If upgrading is infeasible, it is recommended to filter the `x-middleware-subrequest` header from HTTP requests. Greenbone is able to detect vulnerable instances of Next.js with an active check and a version check.

Summary

The March 2025 threat landscape was shaped by vulnerable and actively exploited backup systems, unforgivably weak authentication logic, high-profile regulatory fines and numerous other critical software vulnerabilities. From the U.S. Treasury breach to the Advanced ransomware fallout, the theme is clear: trust doesn’t grow on trees. Cybersecurity resilience must be earned; forged through layered security controls and backed up by accountability.

Greenbone continues to play a vital role by providing timely detection tests for new emerging threats and standardized compliance audits that support a wide array of enterprise architectures. Organizations that want to stay ahead of cyber crime need to proactively scan their infrastructure and close security gaps as they appear.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

The CPU as a Weakness: how to Manage Hardware Risks with Confidence

Vulnerabilities in IT environments appear in different forms. The most common ones are likely software vulnerabilities that have not been patched. Then there are weak passwords, misconfigurations or network switches that have been EOL for five years. However, another type of security gap sometimes causes significant confusion during the scans: hardware vulnerabilities.

We have become accustomed to the continuous emergence of software vulnerabilities, and hopefully, it is now standard practice for every company to regularly scan its network for vulnerabilities and apply patches. Unfortunately, mistakes are not limited to software developers – CPU developers are not immune either. CPU vulnerabilities often arise from design flaws, allowing malicious actors to exploit unintended side effects to access sensitive data. Unlike software vulnerabilities, which can often be resolved through patches or updates, hardware vulnerabilities require either microcode updates or fundamental architectural changes in future processor designs.

Microcode Updates

The only way to mitigate CPU vulnerabilities is by applying microcode updates, which are typically distributed through the operating system or sometimes even through firmware (UEFI/BIOS). Microcode is a low-level software layer within the processor that translates higher-level machine instructions into specific internal operations.

While end users do not traditionally update microcode themselves, manufacturers like Intel provide relevant updates to patch certain vulnerabilities without requiring a full hardware replacement. However, these updates often introduce performance loss, as they disable or modify certain CPU optimizations to prevent exploitation. In some cases, this can even lead to performance reductions of up to 50%.

Flaws on different levels

Since these vulnerabilities exist at the CPU level, tools like the Greenbone Enterprise Appliance detect and report them. However, this can lead to misconceptions, as users might mistakenly believe that the reported vulnerabilities originate from the operating system. It is crucial to understand that these are not OS vulnerabilities; rather, they are architectural flaws in the processor itself. The vulnerabilities are detected by checking for the absence of appropriate microcode patches when an affected CPU is identified. For example, if a scan detects a system that lacks Intel’s microcode update for Downfall, it will be reported as vulnerable. However, this does not mean that the OS itself is insecure or compromised.

Performance or safety?

In the end, mitigating CPU vulnerabilities always involves trade-offs, and users must decide which approach best suits their needs. In principle, there are three options to choose from:

  • Apply microcode updates and accept significant performance degradation in compute-heavy workloads.
  • Forego certain microcode updates and accept the risks if the probability of exploitation is low in their environment.
  • Replace the affected hardware with CPUs that are not vulnerable to these issues.

Ultimately, the decision depends on the specific use case and risk tolerance of the organization or individual responsibles.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

The “Perfect Storm” for Zyxel: EOL Routers and Ransomware Attacks

Every product has a due date, but customers often have little warning and no recourse when a vendor decides to sunset a product. Once a vendor designates a product as end-of-life (EOL) or end-of-service (EOS), managing associated risks becomes more complex. Risk is magnified when cyber criminals find and exploit vulnerabilities that will never be patched. If an EOL product becomes vulnerable in the future, its users need to implement additional security controls on their own.

Digital illustration of storm clouds and a trash bin with a router symbol, representing end-of-life IT products and increasing ransomware risks.

If the vendor is found to be still selling these vulnerable EOL products, it may be considered the “perfect storm” or the maximum disaster. In this article we will investigate several security alerts for Zyxel products including some designated EOL and another flaw exploited in ransomware attacks.

An Overview of Recent Vulnerabilities in Zyxel Products

CVE-2024-40891 (CVSS 8.8), a high severity Remote Code Execution (RCE) flaw in Zyxel’s telnet implementation has been known since mid-2024. Yet, almost six months later, Zyxel has not issued a patch, claiming the affected products are EOS and EOL. Early in 2025, Greynoise observed active exploitation of CVE-2024-40891 against vulnerable Zyxel CPE networking devices. That CVE (Common Vulnerabilities and Exposures) and another RCE flaw, CVE-2024-40890 (CVSS 8.8), were both added to CISA’s Known Exploited Vulnerabilities (KEV) list by mid-February. While both CVEs (Cybersecurity and Infrastructure Security Agency) were post-authentication RCE flaws, a third security gap, CVE-2025-0890 (CVSS 9.8), published on February 4th, provided the final piece to the puzzle: extremely weak default credentials for remotely accessible services – that is, on top of the already unencrypted Telnet authentication process.

Researchers at VulnCheck who originally discovered the flaws also pointed out that the vendor continues to sell the faulty devices despite being aware of active exploitation and having no intention to issue patches. As of February 25th, 2025, some of the affected products were still being sold from Zyxel’s official Amazon store [1][2]. On top of these, another vulnerability in Zyxel products, CVE-2024-11667, is being actively exploited in ransomware attacks by the Helldown threat actor.

In the telecom technologies sector, Zyxel holds an estimated market share of 4.19%, serving around 2,277 companies including the world’s biggest tech giants. Zyxel Group, headquartered in Hsinchu Science Park, Taiwan, is a prominent provider of networking solutions for both businesses and home users, operating globally in over 150 countries.

A Timeline of Events

  • 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in CPE series products.
  • 2024-07-31: VulnCheck published information about CVE-2024-40890 and CVE-2024-40891 on their blog.
  • 2025-01-28: Active exploitation of CVE-2024-40891 was reported by GreyNoise.
  • 2025-02-03: VulnCheck released further information highlighting the risk presented by Zyxel’s position and providing evidence that vulnerable devices were still being sold online by the vendor.
  • 2025-02-04: Zyxel released a security advisory labelling affected products as EOL and stating they will not receive updates.

Technical Descriptions of Recent Zyxel Vulnerabilities

Aside from Zyxel’s slow response to security researchers and their decision to continue selling EOL products with exploitable vulnerabilities, there are additional lessons to learn from a technical assessment of the flaws themselves. Namely, how product vendors continue to market products with unforgivable security flaws while skirting accountability.                                                                                

  • CVE-2024-40891 (CVSS 8.8 High): Authenticated users can exploit Telnet command injection due to improper input validation in `libcms_cli.so`. Commands are passed unchecked to a shell execution function, allowing arbitrary RCE. Aside from checking that the command string starts with an approved command, the `prctl_runCommandInShellWithTimeout` function has no filtering, allowing command chaining and arbitrary command injection.
  • CVE-2024-40890 (CVSS 8.8 High): A post-authentication command injection vulnerability in the CGI program of the legacy DSL Zyxel VMG4325-B10A firmware version 1.00(AAFR.4)C0_20170615 could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request.
  • CVE-2025-0890 (CVSS 9.8 Critical): Devices use weak default credentials such as usernames and passwords admin:1234, zyuser:1234, and supervisor:zyad1234. None of these accounts are visible via the web interface but can be found in the device’s `/etc/default.cfg` These default credentials are now well-known by attackers. The “supervisor” and “zyuser” accounts can both access devices remotely via Telnet. “supervisor” has hidden privileges, granting full system access, while “zyuser” can still exploit CVE-2024-40891 for RCE. Use of such default credentials violate CISA’s Secure by Design pledge and the EU’s upcoming Cyber Resilience Act (CRA).

The affected products include Zyxel VMG1312-B Series (VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A) and two Zyxel Business Gateway Series routers (SBG3300, and SBG3500). The Zyxel CPE (Customer Premises Equipment) series devices are designed for home and small business internet connectivity, such as DSL, fiber and wireless gateways. As such, they are typically installed at a customer’s location to connect them to an Internet  Service Provider’s (ISP) network and are therefore not easily protected from the Internet by firewalls. Considering the nature of Zyxel CPE devices and the vulnerabilities in question, it would not be surprising if tens of thousands or more Zyxel devices were participating in malicious botnet activity.

Greenbone is able to detect EOL Zyxel devices that are vulnerable to the aforementioned CVEs.

CVE-2024-11667: Zyxel Firewalls Exploited in Ransomware Attacks

CVE-2024-11667 (CVSS 9.8 Critical), published in late December 2024, is a path traversal flaw [CWE-22] in the web-management console of Zyxel ATP and USG FLEX firewall series. The vulnerability is known to be exploited by the Helldown threat actor in ransomware attacks and the subject of several national cybersecurity advisories [1][2].

The Helldown ransomware group emerged in August 2024 as a notable threat actor in the cybersecurity landscape. This group employs a double extortion strategy, wherein they exfiltrate sensitive data from targeted organizations and subsequently deploy ransomware to encrypt the victims’ systems. If the ransom demands are not met, Helldown threatens to publicly release the stolen data on their data leak site. In addition to exploiting these Zyxel flaws, Helldown is known to exploit Windows OS vulnerabilities, VMware ESX,  and Linux environments, often using compromised VPN credentials to move laterally within networks.

Zyxel has released an advisory acknowledging the ransomware attacks and patches for affected products. Greenbone is able to detect Zyxel products affected by CVE-2024-11667 with three separate product specific version detection tests [1][2][3].

Summary

The situation with Zyxel seems to be a perfect storm leading to an important question: What recourse do customers have when a vendor fails to patch a security gap in their product? Zyxel’s EOL networking devices remain actively exploited, with vulnerabilities that can be combined for unauthorized arbitrary RCE and other unauthorized actions. CVE-2024-40891, CVE-2024-40890, and CVE-2025-0890 are now in CISA’s KEV list, while CVE-2024-11667 has been linked to ransomware attacks. The researchers from VulnCheck, who discovered several of these CVEs, have criticized Zyxel for poor communication and further for selling unpatched EOL devices. Greenbone detects affected products enabling a proactive approach to vulnerability management and the opportunity for users to mitigate exposure.

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Greenbone Detects CVE-2025-0994: Actively Exploited Flaw in Trimble Cityworks

Trimble Cityworks, an enterprise asset management (EAM) and public works management software is actively under attack. The campaign began as an unknown (zero-day) vulnerability, but is now tracked as ​​CVE-2025-0994 with a CVSS of 8.6. The vulnerability is a deserialization flaw [CWE-502] that could allow an authenticated attacker to execute arbitrary code remotely (Remote Code Execution; RCE). Greenbone includes detection for CVE-2025-0994 in the Enterprise Feed.

Active exploitation of CVE-2025-0994 is a real and present danger. Trimble has released a statement acknowledging the attacks against their product. Thanks to the vendor’s transparency, CISA (Cybersecurity and Infrastructure Security Agency) has added CVE-2025-0994 to their catalog of Known Exploited Vulnerabilities (KEV), published an ICS advisory as well as a CSAF 2.0 document. CSAF 2.0 advisories are machine readable advisory documents for decentralized sharing of cybersecurity intelligence.

Although many media reports and some threat platforms indicate that a public proof-of-concept (PoC) exists, the only search result for GitHub is simply a version detection test. This means it is less likely that low-skilled hackers will easily participate in attacks. The misinformation is likely due to poorly designed algorithms combined with lack of human oversight before publishing threat intelligence.

Who Is at Risk due to CVE-2025-0994?

Trimble Cityworks is designed for and used primarily by local governments and critical infrastructure providers including water and wastewater systems, energy, transportation systems, government industrial facilities and communications agencies. Cityworks enhances Geographic Information Systems (GIS) by integrating asset management and public works solutions directly with Esri ArcGIS. The software is meant to help organizations manage infrastructure, schedule maintenance and improve operational efficiency. In addition to CISA, several other government agencies have issued alerts regarding this vulnerability including the US Environment Protection Agency (EPA), the Canadian Centre for Cyber Security and New York State.

Trimble Cityworks has reported serving over 700 customers across North America, Europe, Australia and the Middle East in 2019. While specific numbers for municipal governments in the U.S., Canada and the EU are not publicly disclosed, a Shodan search and Censys map both reveal only about 100 publicly exposed instances of Cityworks. However, the application is considered to have a high adoption rate by local governments and utilities. If publicly exposed, CVE-2025-0994 could offer an attacker initial access [T1190]. For attackers who already have a foothold, the flaw is an opportunity for lateral movement [TA0008] and presents an easy mark for insider attacks.

A Technical Description of CVE-2025-0994

CVE-2025-0994 is a deserialization vulnerability [CWE-502] found in versions of Trimble Cityworks prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10. The vulnerability arises from the improper deserialization of untrusted serialized data, allowing an authenticated attacker to execute arbitrary code remotely on a target’s Microsoft Internet Information Services (IIS) web server.

Serialization is a process whereby the software code or objects are encoded to be transferred between applications and then reconstructed into the original format used by a programming language. When Trimble Cityworks processes serialized objects, it does not properly validate or sanitize untrusted input. This flaw allows an attacker with authenticated access to send specially crafted serialized objects, which can trigger arbitrary code execution on the underlying IIS server. Deserializing data from unauthenticated sources seems like a significant design flaw in itself, but failing to properly sanitize serialized data is especially poor security.

Exploitation CVE-2025-0994 could lead to:

  • Unauthorized access to sensitive data
  • Service disruption of critical infrastructure systems
  • Potential full system compromise of the affected IIS web server

Mitigating CVE-2025-0994 in Trimble Cityworks

Trimble has released patched versions of Cityworks that address the deserialization vulnerability. These patches include Cityworks 15.8.9 and Cityworks 23.10. On-premise users must immediately upgrade to the patched version, while Cityworks Online (CWOL) customers will receive these updates automatically.

Trimble noted that some on-premise deployments are running IIS with overprivileged identity permissions, which increases the attack surface. IIS should not have local or domain-level administrative privileges. Follow Trimble’s guidance in the latest Cityworks release notes to adjust IIS identity configurations properly.

Users of on-premises Trimble Cityworks should:

  • Update Cityworks 15.x versions to 15.8.9 and 23.x versions to 23.10.
  • Audit IIS identity permissions to ensure that they align with the principle of least privilege.
  • Limit attachment directory root configuration to only folders which only contain attachments.
  • Use a firewall to restrict IIS server access to trusted internal systems only.
  • Use a VPN to allow remote access to Cityworks rather than publicly exposing the service.

Summary

CVE-2025-0994 represents a serious security risk to Trimble Cityworks users, which largely comprise government and critical infrastructure environments. With active exploitation already observed, organizations must prioritize immediate patching and implement security hardening measures to mitigate the risk. Greenbone has added detection for CVE-2025-0994 to the Enterprise Feed, allowing customers to gain visibility into their exposure.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Exciting New Features Arrive for Greenbone Enterprise Appliances

We’re excited to announce the release of several feature updates to our Greenbone Operating System (GOS), the software stack behind our physical and virtual Enterprise Appliances. The updates introduce new front-end features to enhance enterprise vulnerability management capabilities, and performance enhancing back-end features. The newest updates to the Greenbone Operating System (GOS), version 24.10, reflect Greenbone’s commitment to empowering fundamental cybersecurity best practices and enabling organizations to prioritize and close security gaps faster than ever before.

In this post, we’ll delve into the latest features and improvements that make our line of Enterprise Appliances even more powerful tools for exposure management and cybersecurity compliance.

GOS 24.10 Brings All New Features

The Greenbone Security Assistant (GSA) is the IT administrator’s doorway into security visibility. From a high-level vantage, the GSA web-interface has a totally new look. The updated version features a modern minimalist look and feel, emphasizing utility and usability, while keeping Greenbone’s capabilities within reach. But the new look is just scratching the surface. Let’s review some deeper changes on the horizon.

The New Compliance Audit Report View

Cybersecurity compliance is increasingly important. New regulations across the EU such as the Digital Operational Resilience Act (DORA), the Network and Information Security Directive 2 (NIS2) and the Cyber Resilience Act (CRA) require organizations to take more proactive actions to protect digital infrastructure. Other forces such as cybersecurity insurance, the need for stronger third party oversight and accountability to customers are impacting how companies oversee their cybersecurity operations.

The GOS 24.10 update includes a brand new compliance-focused view designed to enhance insight into regulatory and policy alignment. The updated user-interface allows greater visibility into cybersecurity risks, supporting alignment with IT governance goals. It hosts compliance audit reports, new dashboard displays and filtering options. This helps keep compliance-focused data distinct from regular scan reports. Delta audit reports also highlight compliance progress with visual indicators and tooltips for easy identification.

EPSS Support Adds AI-Based Prioritization

As the number of new CVEs (Common Vulnerabilities and Exposures) continues to increase, prioritizing vulnerabilities to focus on the most high-impact threats is critical. The Exploit Prediction Scoring System (EPSS) is an AI-driven metric that estimates the likelihood of a CVE being exploited in the wild. EPSS applies machine learning (ML) to historical data to predict which new CVEs are at highest risk of active attack.

EPSS data is now integrated into our Enterprise Appliances. Regularly updated exploitation probabilities for every active CVE are not available in the Greenbone platform. Administrators can leverage up-to-date exploit probability scores and percentiles in addition to the traditional CVSS severity, empowering them to focus on the most critical pressive vulnerabilities in their operations.

More Adaptable CSV and JSON Report Exporting Capabilities

Greenbone’s approach has always centered on simplicity and flexibility. As such, the solutions fit a wide spectrum of unique operational needs. GOS 24.10 introduces JSON formatted report exporting. Users can also now customize the fields in exported CSV and JSON reports. This allows reports to be customized directly from Greenbone to more precisely match report requirements and focus on what’s essential for analysis, compliance or decision-making.

Additional Backend Optimizations

To enhance the flexibility and accuracy of vulnerability matching, Greenbone has introduced several backend optimizations focused on CPE (Common Platform Enumeration) handling and feed management. Here is a look at what’s new:

  • The backend can convert CPEv2.3 strings to CPEv2.2 URIs, storing both versions for more reliable affected product matching. Future development may include advanced, on-the-fly matching, bringing even more precision to vulnerability assessments.
  • Greenbone Enterprise Appliances now support JSON-based CVE, CPE, EPSS, and CERT feeds and gzip data compression.

Summary

With the release of a new round of updates, Greenbone is strengthening the flagship Greenbone Enterprise Appliances. The updates introduce a modernized GSA web-interface, a compliance-focused audit report view for improved visibility, and enhanced CSV and JSON exporting capabilities give users control over report data. We’ve also added AI-based EPSS to the available options for vulnerability risk prioritization. Finally, backend optimizations ensure seamless compatibility with new CPE formats and JSON-based feeds. Together, these features add to Greenbone’s adaptable vulnerability management capabilities allowing organizations to stay ahead of emerging threats with industry leading vulnerability detection and prioritization.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

#GreenboneGoesGlobal: Strong Presence at ITASEC 2025 in Bologna

ITASEC, Italy’s most important conference for cyber security, takes place in Bologna from February 3 to 8, 2025. As a platinum sponsor, Greenbone is sending a strong signal for European cooperation and digital security. This step demonstrates our commitment to a global presence and direct customer interaction.

Street scene in the old town of Bologna with a view of the medieval 'Due Torri' towers, venue of the IT security conference ITASEC 2025

The “Due Torri”, two medieval towers, shape the image of the historic old town of Bologna. (Photo: Markus Feilner, CC-BY 2016)

 

New Perspectives in Italy and Worldwide

“At Greenbone, we are increasingly realizing how important our vulnerability management is for customers throughout Europe and how important it is for these customers to be able to communicate with us directly on site,” explains Chief Marketing Officer Elmar Geese. To meet this demand, Greenbone has established the Italian subsidiary OpenVAS S.R.L. At the same time, Greenbone is expanding into other regions. A new subsidiary in the Netherlands and an increased engagement in the Asian market are on the agenda.

We will not only be present at ITASEC with a booth, but will also contribute to the content: Dirk Boeing, Senior Consultant and cybersecurity expert at Greenbone, will speak on February 6th at 11:00 a.m. on the panel “Security Management in the NIS2 Era”.

Visit Us in Bologna!

The annual ITASEC takes place on the campus of the “Alma Mater Studiorum Università di Bologna”, the oldest university in Europe, which has been writing science history since 1088 – an ideal place for a conference dedicated to security in the digital future. The fair is organized by the CINI Cybersecurity National Lab, with a special focus in 2025 on the topic of security and rights in cyberspace. This is also reflected in the cooperation with the SERICS conference (Security and Rights in the Cyber Space), which is supported by the SERICS foundation as part of the almost 200 billion euro Italian „National Recovery and Resilience Plan“ (NRRP).

ITASEC at the University of Bologna offers an excellent opportunity to experience Greenbone live and learn more about our solutions. And this is just the beginning: in 2025 we will be in Italy, for example, at CyberSec Italia in Rome on March 5 and 6. And from March 18 to 19, Greenbone will be at the „Digitaler Staat“ congress in Berlin, and from March 19 at secIT in Hanover. We look forward to your visit!

Contact Test Now Buy Here Back to Overview

/by
Joseph Lee

Patch Now! Cleo Products Actively Exploited in Ransomware Attacks

An actively exploited RCE (Remote Code Execution) with system privileges vulnerability that does not require user-interaction is as bad as it gets from a technical standpoint. When that CVE impacts software widely used by Fortune 500 companies, it is a ticking time bomb. And when advanced persistent threat actors jump on a software vulnerability such as this, remediation needs to become an emergency response effort. Most recently, CVE-2024-50623 (also now tracked as CVE-2024-55956) affecting more than 4,200 users of Cleo’s MFT (Managed File Transfer) software met all these prerequisites for disaster. It has been implicated in active ransomware campaigns affecting several Fortune 500 companies taking center stage in cybersecurity news.

In this cybersecurity alert, we provide a timeline of events related to CVE-2024-50623 and CVE-2024-55956 and associated ransomware campaigns. Even if you are not using an affected product, this will give you valuable insight into the vulnerability lifecycle and the risks of third-party software supply chains. 

CVE-2024-50623 and CVE-2024-55956: a Timeline of Events

The vulnerability lifecycle is complex. You can review our previous article about next-gen vulnerability management for an in depth explanation on how this process happens. In this report, we will provide a timeline for the disclosure and resolution of CVE-2024-50623 and subsequently CVE-2024-55956 as a failed patch attempt from the software vendor Cleo was uncovered and exploited by ransomware operators. Our Greenbone Enterprise Feed includes detection modules for both CVEs [1][2], allowing organizations to identify vulnerable systems and apply emergency remediation. Here is a timeline of events so far:

  • October 28, 2024: CVE-2024-50623 (CVSS 10 Critical) affecting several Cleo MFT products was published by the vendor and a patched version 5.8.0.21 was
  • November 2024: CVE-2024-50623 was exploited for data exfiltration impacting at least 10 organizations globally including Blue Yonder, a supply chain management service used by Fortune 500 companies.
  • December 3, 2024: Security researchers at Huntress identified active exploitation of CVE-2024-50623 capable of bypassing the original patch (version 5.8.0.21).
  • December 8, 2024: Huntress observed a significant uptick in the rate of exploitation. This could be explained by the exploit code being sold in a Malware as a Service cyber crime business model or simply that the attackers had finished reconnaissance and launched a widespread campaign for maximum impact.
  • December 9, 2024: Active exploitation and proof-of-concept (PoC) exploit code was reported to the software vendor Cleo.
  • December 10, 2024: Cleo released a statement acknowledging the exploitability of their products despite security patches and issued additional mitigation guidance.
  • December 11, 2024: Wachtowr Labs released a detailed technical report describing how CVE-2024-50623 allows RCE via Arbitrary File Write [CWE-434]. Cleo updated their mitigation guidance and released a subsequent patch (version 5.8.0.24).
  • December 13, 2024: A new name, CVE-2024-55956 (CVSS 10 Critical), was issued for tracking this ongoing vulnerability, and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, flagged for use in ransomware attacks.

Cleo Products Leveraged in Ransomware Attacks

The risk to global business posed by CVE-2024-50623 and CVE-2024-55956 is high. These two CVEs potentially impact more than 4,200 customers of Cleo LexiCom, a desktop-based client for communication with major trading networks, Cleo VLTrader, a server-level solution tailored for mid-enterprise organizations, and Cleo Harmony for large enterprises.

The CVEs have been used as initial access vectors in a recent ransomware campaign. The Termite ransomware operation [1][2] has been implicated in the exploitation of Blue Yonder, a Panasonic subsidiary in November 2024. Blue Yonder is a supply chain management platform used by large tech companies including Microsoft, Lenovo, and Western Digital, and roughly 3,000 other global enterprises across many industries; Bayer, DHL, and 7-Eleven to name a few. Downtime of Blue Yonder’s hosted service caused payroll disruptions for StarBucks. The Clop ransomware group has also claimed responsibility for recent successful ransomware attacks.

In the second stage of some breaches, attackers conducted Active Directory domain enumeration [DS0026], installed web-shells [T1505.003] for persistence [TA0003], and attempted to exfiltrate data [TA0010] from the victim’s network after gaining initial access via RCE. An in-depth technical description of the Termite ransomware’s architecture is also available.

Mitigating CVE-2024-50623 and CVE-2024-55956

Instances of Cleo products version 5.8.0.21 are still vulnerable to cyber attacks. The most recent patch, version 5.8.0.24 is required to mitigate exploitation. All users are urged to apply updates with urgency. Additional mitigation and best practices include disabling the autorun functionality in Cleo products, removing access from the Internet or using firewall rules to restrict access to only authorized IP addresses, and blocking the IP addresses of endpoints implicated in the attacks.

Summary

Cleo Harmony, VLTrader, and LexiCom prior to version 5.8.0.24 are under active exploitation due to critical RCE vulnerabilities (CVE-2024-50623 and CVE-2024-55956). These flaws have been the entry point for successful ransomware attacks against at least 10 organizations and impacting Fortune 500 companies. Greenbone provides detection for affected products and affected users are urged to apply patches and implement mitigation strategies, as attackers will certainly continue to leverage these exploits.

Contact Test Now Buy Here Back to Overview

/by
Greenbone AG

Greenbone Audits CIS Google Chrome Benchmarks

Web browsers are a primary gateway to business and consequently they are also a primary gateway for cyber attacks. Malware targeting browsers could gain direct unauthorized access to a target’s network and data or social engineer victims into providing sensitive information that gives the attacker unauthorized access, such as account credentials. In 2024, major browsers (Chrome, Firefox, and Safari) accounted for 59 Critical severity (CVSS3 ³ 9) and 256 High severity (CVSS3 between 7.0 and 8.9) vulnerabilities. 10 CVEs (Common Vulnerabilities and Exposures) in the trifecta were added to the KEV (Known Exploited Vulnerabilities) catalog of CISA (Cybersecurity & Infrastructure Security Agency). Browser security should therefore be top-of-mind for security teams.

In light of this, we are proud to announce the addition of CIS Google Chrome Benchmark v3.0.0 Level 1 auditing to our list of compliance capabilities. This latest feature allows our Enterprise feed subscribers to verify their Google Chrome configurations against the industry-leading CIS compliance framework of the CIS (Center for Internet Security). The new Google Chrome benchmark tests will sit among our other CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1] [2].

CIS Google Chrome Benchmark for Windows

The CIS Google Chrome Benchmark v3.0.0 Level 1 is now available in the Greenbone Enterprise Feed. It establishes a hardened configuration for the Chrome browser. For Windows, implementing the controls involves setting Windows registry keys to define Chrome’s security configuration. Continuous attestation is important because if modified at the user level Chrome becomes more vulnerable to data-leakage, social engineering attacks or other attack vectors.

Our Enterprise vulnerability feed uses compliance policies to run tests on target endpoints, verifying each requirement in the CIS benchmark through one or more dedicated vulnerability tests. These tests are grouped into scan configurations which can be used to create scan tasks that access groups of target systems to verify their security posture. When aligning with internal risk requirements or mandatory government policies, Greenbone has you covered.

The Importance of Browser Security

Much of the critical information flowing through the average organization is transmitted through the browser. The rise of a remote workforce and cloud-based web-applications means that web browsers are a primary interface for business activities. Not surprisingly, in the past few years, Internet browsers have been a hotbed for exploitation. National cybersecurity agencies such Germany’s BSI [3] [4], CISA [5] [6], and the Canadian Centre for Cyber Security [7] have all released advisories for addressing the risks posed by Internet browsers.

Browsers can be exploited via technical vulnerabilities and misconfigurations that could lead to remote code execution, theft of sensitive data and account takeover, but are also a conduit for social engineering attacks. Browser security must be addressed by implementing a hardened security profile and continuously attesting it and by regularly applying updates to combat any recently discovered vulnerabilities. Greenbone is able to detect known vulnerabilities for published CVEs in all major browsers and now with our latest CIS Google Chrome Benchmark certification, we can attest industry standard browser compliance.

How Does the CIS Google Chrome Benchmark Improve Browser Security?

Every CIS Benchmark is developed through a consensus review process that involves a global community of subject matter experts from diverse fields such as consulting, software development, auditing, compliance, security research, operations, government, and legal. This collaborative process is meant to ensure that the benchmarks are practical and data-driven and reflect real-world expertise. As such, CIS Benchmarks serve as a vital part of a robust cybersecurity program.

In general, CIS Benchmarks focus on secure technical configuration settings and should be used alongside essential cyber hygiene practices, such as monitoring and promptly patching vulnerabilities in operating systems, applications and libraries.

The CIS Google Chrome Benchmark defines security controls such as:

  • No domains can bypass scanning for dangerous resources such as phishing content and malware.
  • Strict verification of SSL/TLS certificates issued by websites.
  • Reducing Chrome’s overall attack surface by ensuring the latest updates are automatically applied periodically.
  • Chrome is configured to detect DNS interception which could potentially allow DNS hijacking.
  • Chrome and extensions cannot interact with other third party software.
  • Websites and browser extensions cannot abuse connections with media, the local file system or external devices such as Bluetooth, USB or media casting devices.
  • Only extensions from the Google Chrome Web Store can be installed.
  • All processes forked from the main Chrome process are stopped once the Chrome application has been closed.
  • SafeSites content filtering blocks links to adult content from search results.
  • Prevent importing insecure data such as auto-fill form data, default homepage or other configuration settings.
  • Ensuring that critical warnings cannot be suppressed.

Greenbone Is a CIS Consortium Member

As a member of the CIS consortium, Greenbone continues to enhance its CIS Benchmark scan configurations. All our CIS Benchmarks policies are aligned with CIS hardening guidelines and certified by CIS, ensuring maximum security for system audits. Also, Greenbone has added a new compliance view to the Greenbone Security Assistant (GSA) web-interface, streamlining the process for organizations seeking to remove security gaps from their infrastructure to prevent security breaches.

Summary

CIS Controls are critical for safeguarding systems and data by providing clear, actionable guidance on secure configurations. The CIS Google Chrome Benchmark is especially vital at the enterprise level, where browsers impact many forms of sensitive data. It’s exciting to announce that Greenbone is expanding the industry leading vulnerability detection capabilities with a new compliance scan: the CIS Google Chrome Benchmark v3.0.0 Level 1. With this certification, Greenbone continues to strengthen its position as a trusted ally in proactive cybersecurity. This latest feature reflects our dedication to advancing IT security and protecting against evolving cyber threats.

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

BSI: More Vulnerability Reports from Healthcare

There are health data attractive to attackers in hospitals, doctors’ offices, laboratories and consumers’ devices. The latest security report from the German BSI shows that stealing these data is increasingly becoming a main target of attackers and attacks.

For several years now, the “Network and Information Security Directive“ (NIS) and the KRITIS legislation has required German institutions in eleven sectors to apply stronger and more precise security measures, including reporting obligations, risk analyses and resilience plans. And this is already having its impact on the healthcare sector: according to a recent BSI study, the healthcare sector ranks second in terms of the number of reported data leaks in 2024 – showing clear evidence that now is the time to act.

Almost Every Fifth Incident Report from the Healthcare Sector

Of the 726 reports received by the BSI last year, a quarter came from the transport and traffic sector, while almost 20 % originated in the healthcare sector. Close behind: Energy (18.8 %), Finance and Insurance with 16.5 %, ranking fourth. The threat level is high, especially for hospitals and facilities – even if the reported figures should be treated with caution. Whether banks, for example, are just as motivated to report intrusions and failures as much as hospitals are, seems debatable.

On the other hand, the fact that healthcare data is only ranked eighth in the list of leaked data in the BSI report should not detract from the threat itself. For one thing, the leaked data are sorted according to frequency, and almost every more frequently leaked information also occurs in other contexts (possibly with the exception of social security numbers). However, payment data, names and addresses are information that is likely to be much more attractive to attackers than “naked” health data.

Provisions of the KRITIS Umbrella Law

Meanwhile, the cabinet of the German government launched the KRITIS umbrella law just before the end of the existing coalition. At the beginning of November, the details of the law were agreed, which is intended to act as a kind of protective umbrella over various sectors as an analogous complement to NIS2. It is not yet clear when the Bundestag will pass the law, but chances are high that it will.

According to these plans, the healthcare sector must also introduce operational resilience management, which includes setting up operational risk and crisis management, carrying out risk analyses and assessments, drawing up resilience plans and implementing suitable measures (technical, personnel and organizational) – all measured and organized with the help of Business Continuity Management Systems (BCMS) and Information Security Management Systems (ISMS).

BCMS and ISMS implementations are measured on the basis of maturity levels ( from 1 to 5; the higher, the better). In the BSI report mentioned above, their implementation in the healthcare sector is still mixed, as everywhere. Healthcare institutions are in the middle of the pack, most have implemented ISMS and BCMS, but only a few regularly check them for effectiveness or even improve them.

In the case of the mandatory systems for attack detection, most players have already started implementation and implemented the mandatory (Must) requirements, but only a small proportion have also established target (Should) requirements. Only a few have implemented a continuous improvement process.

Specific Threats in the Healthcare Sector

The same rules and experiences apply to hospitals, doctors’ surgeries and other institutions: For them, the IT security magazine CSO online reports 81 % more ransomware attacks in recent years, with over 91 percent of “malware-related security breaches” in 2024 involving ransomware. According to CSO, only “multi-factor authentication and detection and response technologies”, such as those offered by Greenbone with its vulnerability management, can protect against this. Clouds are not immune to this either: 53 % of administrators in the healthcare sector told CSO that they had “experienced a cloud-related data breach in the last year”. Furthermore, attackers are increasingly targeting websites, botnets, phishing campaigns, and the growing number of vulnerable IoT devices, both in the consumer sector and at the network edge.

Contact Test Now Buy Here Back to Overview

/by
Dirk Boeing

Innovation Meets Resonance: Greenbone Successful at SICW

The Singapore International Cyber Week (SICW) is one of the most important cybersecurity events worldwide. We were able to present our solutions to an international audience – and recieved great interest, inspiring discussions and valuable feedback. Three successful days in Singapore and an important step in strengthening our international presence!

Greenbone team and partners taking a group photo together at the stand at Singapore International Cyber Week 2024.

Since its launch, SICW has been bringing together leading companies, start-ups, government organizations and security authorities from around the world every year. The aim is to share knowledge, promote partnerships and present innovative solutions that meet the growing challenges in the field of cybersecurity. The event, organized by the Cyber Security Agency of Singapore (CSA), was launched in 2016 and has been held annually in Singapore ever since.

This year, Greenbone had the honor of being present at SICW as a technology partner of Huawei. During three exciting days, we presented our Enterprise Appliances to an international audience and were thrilled by the response.

Great Interest in Greenbone Solutions

We were overwhelmed by the positive feedback from visitors to our solutions – for us a strong signal that our cybersecurity solutions are also very important for the Asian market. In numerous discussions, we repeatedly noticed how great the interest is in a vulnerability scanner with excellent feed that focuses on the essentials while also allowing connection to other systems via its API.

VIP Visitors and Inspiring Talks

We were particularly pleased to welcome prominent personalities to our booth. A real highlight was the visit of John Tan, Commissioner of Cybersecurity and Chief Executive of the Cybersecurity Agency of Singapore. His interest and the numerous discussions with potential customers and partners have encouraged us to further expand our presence in Asia.

Conversation between stand visitors in front of the Greenbone display with world map and product information at SICW 2024.

Not entirely unexpected star of our appearance was “the Beast”, our company logo as a plush toy. It put a smile on the faces of many visitors to our stand and often served as a friendly icebreaker, facilitating lively and valuable discussions. 

Conclusion: Momentum for the Future

SICW was a great success for Greenbone. We were not only able to present our solutions to a broad audience, but also establish valuable connections and noticeably increase interest in the Asian market. The great popularity and high demand for our “Beast” shows that our brand is also very well received emotionally – and we look forward to continuing to build on this momentum.

Contact Test Now Buy Here Back to Overview

/by