Secure your data with the 15 best IAM software solutions. Find practical tools to manage user access and prevent identity attacks effectively.
The post Best Identity and Access Management (IAM) Software appeared first on Security Boulevard.
via the geologic humor & dry-as-the-taiga wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Coastline Similarity’ appeared first on Security Boulevard.
Security investigators from Google said UNC6395 hackers spent several months running through Salesloft and Drift systems before launching a data breach campaign that some security researchers say has targeted hundreds of technology and other companies.
The post UNC6395 Hackers Accessed Systems via a GitHub Account, Salesloft Says appeared first on Security Boulevard.
In total, including third-party CVEs, in this Patch Tuesday edition, Microsoft published 86 CVEs, including 5 republished CVEs. Overall, Microsoft announced 2 Zero-Day, 9 Critical, and 73 Important vulnerabilities. From an Impact perspective, Escalation of Privilege vulnerabilities accounted for 44%, while Remove Code Execution for 27% and Information Disclosure for 16%. Patches for this month …
The post Patch Tuesday Update – September 2025 appeared first on Security Boulevard.
See how using Q-Compliance to adhere to NIST 800-53 controls would help you and your organization ensure that all the core components for a robust User and Entity Behavior Analytics (UEBA) program are in place. This includes setting up proper data collection, managing access, and establishing a clear incident response framework.
The post Ensuring Behavioral Analysis Data Integrity first appeared on Qmulos.
The post Ensuring Behavioral Analysis Data Integrity appeared first on Security Boulevard.
As enterprises adopt AI agents at scale, security must evolve beyond policies and human oversight. From protecting enterprise data and preventing prompt injection to enforcing permission boundaries and agent guardrails, platform providers—not customers—must embed security into AI systems.
The post Securing Agents Isn’t the Customer’s Job, it’s the Platform’s appeared first on Security Boulevard.
At this very moment, there are at least 16 billion recently stolen login credentials available to hackers in various dark corners of the internet. That is, according to the Cybernews researchers who uncovered the massive breach, “a blueprint for mass exploitation…. account takeover, identity theft, and highly targeted phishing.” While account takeover (ATO) attacks can […]
The post How to Protect Your Enterprise Against Account Takeover Attacks appeared first on Security Boulevard.
We’ve all heard the promises about agentic AI transforming business operations. The reality? Most enterprise AI agent projects never make it past the pilot stage, and it’s not because the technology doesn’t work.
The post The Agentic Identity Sandbox — Your flight simulator for AI agent identity appeared first on Strata.io.
The post The Agentic Identity Sandbox — Your flight simulator for AI agent identity appeared first on Security Boulevard.
In this episode, David Redekop and co host Francios Driessen interview Aditi Patange from Microsoft. The conversation focuses on the evolution of cybersecurity, on the development and importance of zero trust DNS and on Aditi’s journey from computer engineering to a mission to protect the digital world. This is a powerful reminder that the best technology is built by people with a purpose.
Aditi explains that zero trust DNS, a new enterprise security feature in Windows 11, blocks all outbound connections by default and only allows connections resolved by a trusted DNS server or those explicitly configured as trusted by an IT administrator. The motivation for this effort, she says, began in 2021 with the U.S. government’s executive order on cybersecurity, which aimed to secure government networks without TLS termination. The guests discuss how many legacy applications that use direct IP address connections or host files broke during the testing of this new feature. Aditi believes this “breaking” is a positive outcome as it forces organizations to modernize and secure their applications.
Understanding Microsoft Zero Trust DNS with Aditi Patange | The Defender's Log
TL;DRView it on YouTube: https://www.youtube.com/watch?v=-BkZ0WKjEzI
Listen to the episode on your favourite podcast platform:
Spotify
https://open.spotify.com/episode/2wTsh6kBha7jRzxULoplMs
Amazon Music
https://a.co/d/dllrGs5
ADAMnetworks
https://adamnet.works
David: Welcome back to the Defender’s Log. I am so enthusiastic to have Aditi Patange from Microsoft, as well as Francois Driessen right here from ADAMnetworks. It’s going to be a three-way version of the Defender’s Log today. Welcome, Francois. Welcome, Aditi.
David: On this podcast, I really enjoy speaking and interviewing folks who live in the defender space. We’ve had some really cool guests. Aditi, the reason we asked you to come on here is because we got to know you at Microsoft. In fact, we met at RSA regarding Microsoft Zero Trust DNS. And this is an exciting space, obviously, for all of us.
Meet the GuestsDavid: But, I really would like to just start today by having a little bit of background on you. Who is Aditi?
Aditi: Thank you for the space, David. I’m really happy and excited to be here with you. It’s always a pleasure to talk to you and Francois and hear about the awesome, cool things that you’re doing and how we can collaborate to defend this space. Like you talk about in your previous blogs, it is really a defender’s place, so I’m really excited to learn more, work with people, and really feel honored to be here with you to talk about this.
Aditi: A little bit of background on myself. I am Aditi. I did my bachelor’s in computer engineering. I’ve always been excited about computers and how they work and programming. I used to be a software engineer.
Chapter 2: The Defender’s Journey Getting into Technology: A Family AffairDavid: So let’s do a little bit more of the human element here, Aditi. Why is it that you got into technology? What was the first time that you realized, “Hey, there’s a future for me, and it’s somehow involved with ones and zeros?”
Aditi: Wow. I wish there was a very good story for this, but both of my parents are computer scientists, so I grew up in a household where both of my parents are writing code. And as soon as my school started offering a CS class, they were like, “You should sign up for this.” I come from an Indian family where the only two career options are either you become a doctor or you become an engineer. Those are the only two options we ever get.
Aditi: And, I don’t think I’m cut out for a doctor, so engineer it was. When I took my first CS class, it was mind-blowing. We started out with assembly, and just seeing that assembly code being put out, it actually does edit some bits, and then you see something do an addition on a machine. You see it subtract some things. Even those basic things, working with those processors, I was excited. I was like, “Oh, this is cool.”
Aditi: I started writing in C and C++, and that was great. But then when I moved to Python, I was like, “Wow, this is mind-blowing. I can do so many more things with such little code.” Throughout that summer, I just fell in love with it before realizing that I was in love with it.
From Software Engineer to Cybersecurity DefenderDavid: At what stage did you become a defender? I mean, you’re sitting smack-bang in the middle of probably one of the most powerful security aspects ever added to Windows. At what stage did your life take a turn for you to end up right in the middle of the core of what could be security for the Windows world?
Aditi: I do have to say a lot of it was definitely luck. When I was trying to switch roles and become a product manager, this happened to be the first role that I interviewed for. I spoke to Tommy Jensen, who was my first interviewer and later became my mentor and good friend, and he really sold me on it.
Aditi: Even within our first interview, he helped me understand the importance of networking. He spoke about zero trust, DNS, and what it does. I was like, “Okay, this sounds cool. This seems interesting. This seems important.” I always knew that I wanted to work on something important. For me, it’s very important to understand the “why” behind something. If I don’t understand the why, I’m not as motivated to work on it. And I think he did a phenomenal job of selling me on it.
Aditi: Still, it was like, how much do you really know about a position when you’re interviewing? When I got here, I thanked my stars that I landed in this place. It’s been a few years, but it still feels very recent. I transitioned into product management, and that was also the time when I ventured into the space of cybersecurity and network security. I started just learning so much more about it. It has been exciting.
The Mission: Securing Our Digital WorldAditi: I really like this space because I think it really gives me a mission to work towards. Everything in this world is getting to a digital space. You talk to any governments, you talk to enterprises, everybody wants to go digital. But when you keep someone’s data in a data center, when you’re transmitting data from one device to the other, what if it gets into the wrong hands? What happens?
Aditi: There was this one realization one day that my mentor, Tommy Jensen, gave me. He gave me this analogy that really made me think about how important this work is. He told me that if networks go down in a hospital, how bad could that be? So when we are making sure that we are securing the networks, we’re making sure that they function, we are actually saving lives. And we don’t know that, but we are.
Francois: It’s really cool to hear that you have a similar thing that gets you up out of bed in the morning, to know you get to do something that really affects people out in the real world.
David: I had never actually considered the importance of it to that level, but you’re not wrong.
Chapter 3: Deep Dive into Zero Trust DNS What is Zero Trust DNS?David: On this topic of zero trust, I’m really curious what you found would be needing special attention because it broke things.
Aditi: A lot of things break. I think a lot of people hearing this may not be familiar with it, so I’ll dive into Zero Trust DNS, the feature I work on, slightly a bit more before I dive into what broke.
Aditi: So, Zero Trust DNS is a new feature within Windows 11. It’s an enterprise security feature that blocks all outbound connections by default. It only allows connections that were resolved by your trusted DNS server or things that were explicitly configured as trusted or allowed by your IT admin.
Breaking Things to Make Them BetterDavid: I think we’ve lived in this space where when you apply zero trust in the real world, at first, you break more things than you prevent from breaking. And that’s not to say that it’s not worth it, because sometimes things have to get momentarily worse to get better.
Aditi: When we do something like this, we’re inherently relying on DNS resolutions as being the point of discovery for any given endpoint. What we learned in the process was a lot of legacy applications shoot straight by IP address connections. We’re like, “Why?” And those are the first ones that broke.
Aditi: There were many others that were using host files to discover IP addresses. And as a part of the design, we wanted to make it very transparent and very secure. So we said, “No, we don’t look at host files. You can’t do that anymore.” And people were like, “Are you serious?”
Aditi: So those were some things we saw breaking, but we were also very happy with it. It was nice that all of those legacy applications were brought up to the surface. People had a chance to review them and modernize them in a way that they work well in our new networks and they’re more secure. So I think breaking sometimes can be good. Like you said, it needs to break before it becomes better.
The Rationale: No More Host FilesDavid: I love the fact that you chose on purpose to not honor the host’s file or any other source because the whole concept of zero trust is that there is one source of truth. And if that means that an attacker that may attempt to modify the local host file now has that avenue neutered, I mean, that is wonderful. That is a good thing.
David: I can also see how a lot of application vendors or even end users or lazy IT admins might not have liked that because now their band-aid is effectively ripped off. Now it hurts. Now it’s bleeding. Like, “What do I do about this?” And our answer is, “Well, let it heal properly so that you don’t need a band-aid anymore.”
David: I’m sure you’ve had a few conversations with folks around that. Did you have anybody that remained resistant at all?
Aditi: I think people are usually in two extremes of the spectrum. I find people who really care about security and who are all in on the zero trust game. So they’re like, “Oh wow, you don’t look at host files anymore. That is great. That’s one less thing for me to worry about and one less attack vector that I have to consider in my zero trust architecture.”
Aditi: And then there are others who would, like you said, be concerned about host files, but then those people are already just using port 53 DNS, so they haven’t even moved on to encrypted DNS, and then Zero Trust DNS would be a step beyond that. So for them, it’s very, very early in the journey, and they probably haven’t even thought about it enough to have such questions.
A New Security PostureDavid: What you’re actually doing with Zero Trust DNS is you are taking a number of security posture steps all at once. It’s like you’ve got this staircase ahead of you. At the top, it’s more security. At the bottom is your current state. And then you gotta basically be very, very tall, have very long legs, or be very agile so that you can take all those steps at the same time.
David: Someone has to be enthusiastic, or someone has to be forced to do that today. But I think as time goes on and as attacks continue to happen, this will change. I suspect you guys are probably doing the same thing that we’re doing. Every time we see a well-publicized attack, we’re like, “Well, how would we have prevented that?”
Chapter 4: The Real-World Impact Analyzing Attacks and Preventing BreachesDavid: Is there any one particular well-publicized attack that you’ve looked at and just been shaking your head?
Aditi: For our team, every time I come across a phishing attack, I would say that is very exciting to me. It’s like, “Oh yeah, if I had this phishing email with ZTDS enabled on my device, the link wouldn’t have worked.” The straight IP address connection would be blocked, or my server would know that it’s not supposed to resolve this name, and this attack would’ve been prevented.
Aditi: So I think phishing is always one that gets me. I can’t believe even in today’s world, with all the tools we have, so much of that is happening. And I always see phishing as the first gateway for people to get into your machine and then broaden their reach within your environment. So, I always look at that as the first step, and it’s very nice to see that, yeah, we could have prevented it if only you started using us and thinking about security.
Solving the Phishing ProblemDavid: I am very curious if you had the same experience that we had. When you sit down with a CISO and you tell them, “Hey, we solved phishing,” what did their faces look like?
Aditi: They’re like, “Oh, okay, can you tell me more?” What is always funny is because the concept of Zero Trust DNS, we can explain it in two or three sentences, which is not too difficult. It’s very easy to understand and grasp. The beauty of the solution is that it’s so simple. And even a CISO who may not be very into networking, who may not have a very deep knowledge of networking, is able to understand that.
Aditi: Whereas I’ve seen many other solutions out there in the market which sound so complex. It sounds like a bunch of marketing jargon put together, but you don’t really know it. It feels like a black box. So in my conversations with CISOs, it has been so effective because they’re able to understand what we are doing under the hood. And that really helps me earn their trust.
Simplicity, Elegance, and Adoption ChallengesDavid: I can’t forget this episode where we were at Billington. We met Sammy Curry there, a senior official for cybersecurity with the government of Canada. He knows his space. He gave us 30 seconds. I explained to him the Zero Trust DNS approach, and his response was, “It’s so simple. It’s so elegant. Why doesn’t everybody do this?”
David: And that is the typical response that we get over and over again from people who have that light switch turned on for them. And then somehow after that, there’s a voice in them that says, “But wait a minute, we would be seeing this everywhere by now if this was real.” And so we’re still dealing with that phase when a new idea comes to market. But your competition, so to speak, is, “But we’ve always done it this way,” which gets in the way. It takes time.
Chapter 5: The Genesis of Zero Trust DNS at Microsoft Motivation from the U.S. GovernmentDavid: Tell us about what the motivation was to begin with by Microsoft to do this.
Aditi: That’s a great question. This effort actually started back in 2021, I want to say, by my mentor, Tommy Jensen, who is actually the main person behind Zero Trust DNS. It was his idea, and it started with the U.S. Government’s Executive Order on cybersecurity. They were really keen on trying to secure their government networks.
Aditi: Following up in 2022, more prescriptive guidance around what is expected from DNS came out as a part of M-22-09. Since then, our team kept talking with CISA and trying to clarify the requirements, and it turned out they wanted to do a couple of things.
Aditi: That was the interesting bit because until then, back in 2022, when we researched if there was any existing solution that could give them all of this, the answer turned out to be no. So that kind of led to the genesis of Zero Trust DNS. Every solution we could find at that point did the first three things by terminating TLS.
David: Why do you think it was such a big issue for them to not have TLS termination?
Aditi: I can aggregate a bunch of different conversations that I had, and it all comes down to this point: if you are terminating TLS connections on one node within your deployment that is not the actual source or destination endpoint, then you’re essentially creating a honeypot situation. For an attacker, if they compromise that one node, they know absolutely everything that is happening in your network. We call that a hyper-valuable target.
Aditi: It’s sad that I see so many solutions still doing that. Even though at a policy level people are able to understand it, at a practical level, it is becoming very difficult because a lot of IT admins don’t want to move away from it. As you said earlier, they’re conditioned to “this is how things have been done.” It’s a mindset shift that needs to happen.
From Government Mandate to Enterprise ValueAditi: So it started with the U.S. government, but then a lot of enterprises also started seeing value in this because, like you said, David, it’s simple. It’s elegant. And because it is baked right into Windows, it’s something that doesn’t even require them to install any new agents. It’s all integrated into the operating system.
Aditi: But that did come with its own set of questions, like, “Okay, we like this idea, but it only works on Windows, and we have other devices. We have Apple, we have Google devices. What do we do with those?” And because we built it for Windows, we didn’t have a good answer for that. Speaking with you, it was always great to know, hey, maybe if they couple that with Don’t Talk to Strangers, then they can have this level of protection across their fleet.
Chapter 6: Byproducts and Future Challenges Unexpected Benefits: Ad Blocking and P2P NeutralizationDavid: Have you had any particular instances where you saw an additional value of doing Zero Trust DNS that you hadn’t considered before?
Aditi: I’m pretty sure that some of the big techs may not like this answer, but when I used ZTDS and I set my trusted DNS server as an ad-blocking server, my searches became so beautiful. It’s like, no ads. Are you really kidding me? For me, Zero Trust always came with a security value, and then it was like, “Oh wow, ad blocking could be a feature.”
David: Another byproduct for us was that pesky peer-to-peer (P2P) networking, that otherwise was difficult to block, was solved. As cool as the innovation is, when it gets used more by bad guys than good guys, then you start questioning the overall value.
The Roadmap: Integration and InteroperabilityDavid: If we can switch gears for just a moment, Aditi, I was wondering if you have had any experience with trying to prioritize or make it interoperate with other endpoint protection that’s a third party, like MDR or your own antivirus, Windows Defender?
Aditi: Yeah, so that’s on our roadmap. We are very early in our journey for Zero Trust DNS; it is still in public preview. We are excited about expanding and integrating with different solutions. We are thinking about getting it integrated with different SIEMs so that you can have aggregated logs and intelligence in one place. We want to make sure that if people use it with SASEs, that works.
Aditi: We have a long list of items on our radar, but we have very limited funding to make that happen. So at least in the initial V1 design that we have, those are out of scope, but definitely something that keeps me up at night. Without all of those integrations, it’s going to feel like a standalone feature that works in its own silo. To actually function in an enterprise setting, it needs to be able to integrate with existing solutions that IT admins are using.
Under the Hood: Kernel-Mode ImplementationDavid: Does this in any way reduce the need for deep kernel hooks, or how did you handle that concern?
Aditi: It is getting harder to write new kernel-mode drivers in Windows, but ZTDS is definitely implemented using the Windows Filtering Platform. It is a net new kernel-mode driver. This is going all the way down to the kernel just because of the way we need it to work and the level of granularity we need to have to be able to block everything that’s leaving a device. It’s just difficult to do anything of that sort from the user mode.
Aditi: Although at Microsoft, we do have an effort where we are actively hearing about the migration from kernel to user mode, and that is something that we are actively working on.
The Weight of Responsibility: 1.4 Billion DevicesDavid: It makes sense that the larger the risk and the larger the user base is, the more careful you have to be.
Aditi: That is so true. Internally, we have this very extensive mechanism for trying to ship code because we have to be careful. Any one line of code that is messed up can bring down the internet for 1.4 billion Windows devices.
Aditi: So we have a sense of responsibility. Like they say, with great power comes great responsibility, and our team feels that every single day. If something goes wrong, then imagine the world coming crashing down. We have rigorous mechanisms to ensure everything we do is tested internally across Microsoft’s massive organization. Then we still have flighting rings in which we slowly roll it out to the entire world. But we do make sure that whatever we write, it continues to work.
Chapter 7: Personal Reflections and a Call to Action The Core Driver: Protecting PeopleFrancois: What’s the core driver for you? What’s the primary aim that you are chasing with the ZTDS team?
Aditi: My goal is to make sure that the internet continues working in a secure fashion on all of these devices. I think about mundane daily scenarios when my grandma is using her laptop. I want to make sure that she’s protected, and I want to make sure that bad actors aren’t trying to exploit her. They’re not trying to exfiltrate her financial information. They’re not trying to steal her health records.
Aditi: And at a broader scale, we think about government agencies, hospitals, financial agencies, and armies that have very critical data. I want to make sure that within the purview of my work, I don’t create any loopholes for bad actors to get in, exploit this, and put everybody at risk. To know that my work will be able to protect people against threats, to know that anything good I do would be running at that level of scale and provide protection to my near and dear ones, my neighbors, my fellow citizens… that is very heartwarming. That really keeps me going every single day.
A Message for the World: Don’t Take Infrastructure for GrantedDavid: Is there any one message that Aditi would like the world to know?
Aditi: Wow, that’s a tough question. I would say that I want the world to not take infrastructure for granted. I want them to understand that the fundamentals are everything. When we build a house, we really secure the foundation of the house. Our network is that foundation. When we think about flashy technologies, let’s not forget about that foundation. Let’s make sure that the foundation is still solid, that it works, and it’s secure because otherwise, anything you build on top of it is just going to come crashing down like a house with a weak foundation.
A Message for Defenders: It’s Time to EvolveFrancois: And the message that you have for CISOs or defenders out there that need the technology that you guys are building? What would you say to them?
Aditi: Talk to me. No, but honestly, if you’re using Port 53 DNS, really do reconsider how you are deploying your networks today. You’re really exposing yourself to a lot of risk there, with bad actors having full visibility into your network. So please do consider moving on to thinking about encrypted DNS. I’m sure that the first step is moving to encrypted DNS, and then once you are able to do that, then there’s a wide variety of things like Zero Trust DNS. But honestly, if you’re on Port 53, it’s high time to move to some form of encrypted DNS.
Chapter 8: Conclusion Final Thoughts and Future CollaborationDavid: Well, I couldn’t have said it better. Aditi, thank you so much for joining us today, and we look forward to collaborating with you and Microsoft in the future.
Aditi: Absolutely. It was such a pleasure being here. Thank you for inviting me, David. It’s always a pleasure talking to you and Francois, so thank you for having me, and I am also excited to see all of the new things that we can do together.
David: Thank you. Okay, bye for now.
1 post - 1 participant
The post TDL004 | Understanding Microsoft Zero Trust DNS with Aditi Patange appeared first on Security Boulevard.
The post 10 Questions CISOs Should Be Asking About File Security appeared first on Votiro.
The post 10 Questions CISOs Should Be Asking About File Security appeared first on Security Boulevard.
Contrast customers get certainty in moments when everyone else is guessing. When a code dependency supply-chain attack hits, they do not waste hours asking if they might be exposed. They know immediately whether their applications are running compromised code, and they can act with confidence.
The post How ADR Secures Against NPM Supply Chain Attacks | Application Detection and Response | Contrast Security appeared first on Security Boulevard.
Cisco at its Splunk .conf conference today added a series of artificial intelligence (AI) agents to its cybersecurity portfolio in addition to now making two editions of the Splunk Enterprise platform available. Ryan Fetterman, senior manager for AI security research at the Foundation AI arm of Cisco, said AI agents will play a significant role..
The post Cisco Adds Bevy of AI Agents to Splunk Security Platform appeared first on Security Boulevard.
SaaS supply chain attacks exploit SaaS-to-SaaS connections using stolen OAuth tokens. Get practical steps to reduce your risk and protect business data.
The post How New Supply Chain Attacks Challenge SaaS Security: Lessons from UNC6395, UNC6040, and ShinyHunters appeared first on AppOmni.
The post How New Supply Chain Attacks Challenge SaaS Security: Lessons from UNC6395, UNC6040, and ShinyHunters appeared first on Security Boulevard.
Creator, Author and Presenter: Rob King
Our deep appreciation to Security BSides - San Francisco and the Creators, Authors and Presenters for publishing their BSidesSF 2025 video content on YouTube. Originating from the conference’s events held at the lauded CityView / AMC Metreon - certainly a venue like no other; and via the organization's YouTube channel.
Additionally, the organization is welcoming volunteers for the BSidesSF Volunteer Force, as well as their Program Team & Operations roles. See their succinct BSidesSF 'Work With Us' page, in which, the appropriate information is to be had!
The post BSidesSF 2025: There And Back Again: Discovering OT Devices Across Protocol Gateways appeared first on Security Boulevard.
By integrating SonarQube's industry-leading automated code review with JFrog's new AppTrust governance platform, together we are providing the essential framework for software engineering teams to embrace AI-driven speed without compromising on control.
The post Analysis evidence from SonarQube now available in JFrog AppTrust appeared first on Security Boulevard.
By integrating SonarQube's industry-leading automated code review with JFrog's new AppTrust governance platform, together we are providing the essential framework for software engineering teams to embrace AI-driven speed without compromising on control.
The post Analysis evidence from SonarQube now available in JFrog AppTrust appeared first on Security Boulevard.
Microsoft addresses 80 CVEs, including eight flaws rated critical with one publicly disclosed.
Microsoft addresses 80 CVEs in its September 2025 Patch Tuesday release, with eight rated critical, and 72 rated important. Our counts omitted one vulnerability reported by VulnCheck.
This month’s update includes patches for:
Elevation of Privilege (EoP) vulnerabilities accounted for 47.5% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 27.5%.
Important CVE-2025-55234 | Windows SMB Elevation of Privilege VulnerabilityCVE-2025-55234 is an EoP vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. According to Microsoft, this vulnerability was publicly disclosed prior to a patch being made available.
CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.
CVE-2025-55234 is the fifth Windows SMB vulnerability patched in 2025 and the third Windows SMB EoP disclosed this year. In the June 2025 Patch Tuesday release, Microsoft patched CVE-2025-33073, another publicly disclosed Windows SMB EoP vulnerability. A day after the June 2025 Patch Tuesday release, researchers from RedTeam Pentesting GmbH, one of many researchers credited with reporting the flaw to Microsoft, released a blog post detailing the vulnerability, including proof-of-concept details.
Critical CVE-2025-54918 | Windows NTLM Elevation of Privilege VulnerabilityCVE-2025-54918 is an EoP vulnerability in Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated critical. It was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM.
This is the second month in a row that a critical NTLM EoP vulnerability was patched and the third in 2025. In the August 2025 Patch Tuesday release, Microsoft patched CVE-2025-53778, and CVE-2025-21311 in the January 2025 Patch Tuesday release.
Important CVE-2025-54916 | Windows NTFS Remote Code Execution VulnerabilityCVE-2025-54916 is a RCE in Microsoft Windows New Technology File System (NTFS). It was assigned a CVSSv3 score of 7.8 and is rated important and assessed as “Exploitation More Likely.” An attacker that successfully exploits this flaw would gain RCE on the targeted system. According to the advisory, any authenticated attacker could leverage this vulnerability.
Since 2022, the bulk of NTFS vulnerabilities patched across Patch Tuesday have been EoP or Information Disclosure vulnerabilities. However, this is the second NTFS RCE vulnerability since 2022 and the second in 2025. The first, CVE-2025-24993, patched in the March 2025 Patch Tuesday release, was exploited in the wild as a zero-day.
Critical CVE-2025-54910 | Microsoft Office Remote Code Execution VulnerabilityCVE-2025-54910 is a RCE in Microsoft Office. It was assigned a CVSSv3 score of 8.4 and is rated critical and assessed as “Exploitation Less Likely.” An attacker could exploit this vulnerability by convincing a target to open a specially crafted Office document. Additionally, the advisory notes that exploitation is possible through Microsoft Outlook’s Preview Pane. Successful exploitation would grant the attacker RCE privileges on the target system. For users of Microsoft Office LTSC for Mac 2021 and 2024, the advisory states that updates are not yet available, but will be released soon.
Important CVE-2025-54897 | Microsoft SharePoint Remote Code Execution VulnerabilityCVE-2025-54897 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important and assessed as “Exploitation Less Likely.” In order to exploit this flaw, an attacker would need to be authenticated as any user and privileged accounts, such as admin or other elevated privileges are not necessary to exploit this flaw. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.
Critical CVE-2025-55224 | Windows Hyper-V Remote Code Execution VulnerabilityCVE-2025-55224 is a RCE in Windows Hyper-V. It was assigned a CVSSv3 score of 7.8, rated as critical and assessed as “Exploitation Less Likely.” According to the advisory, an attacker who is able to win a race condition could traverse from the guest hosts security boundary in order to execute arbitrary code on the Hyper-V host machine. While the attack complexity for this vulnerability is high, the impact would be significant for an attacker who is able to successfully exploit this vulnerability.
Important CVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 | Windows Hyper-V Elevation of Privilege VulnerabilitiesCVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 are EoP vulnerabilities in Windows Hyper-V, Microsoft’s virtualization product. CVE-2025-54091, CVE-2025-54092, CVE-2025-54098 were assigned a CVSSv3 score of 7.8 while CVE-2025-54115 was assigned a CVSSv3 score of 7.0. CVE-2025-54098 was assessed as “Exploitation More Likely” while the remaining three flaws were assessed as “Exploitation Less Likely.”
A local, authenticated attacker could exploit these vulnerabilities to elevate to SYSTEM privileges, though in order to exploit CVE-2025-54115, an attacker would first need to win a race condition, which is what contributed to its lower CVSS score.
Tenable SolutionsA list of all the plugins released for Microsoft’s September 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more informationJoin Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.202X Patch Tuesday release.
The post Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234) appeared first on Security Boulevard.
Key Takeaways For years, European companies have faced a patchwork of national laws pushing them to take responsibility for human rights and environmental issues tied to their business operations. France passed its Duty of Vigilance law in 2017. Germany followed with the EU Supply Chain Act in 2021. Each aimed to hold companies accountable not […]
The post Understanding the EU Corporate Sustainability Due Diligence Directive (CSDDD): Why It Matters and How to Prepare appeared first on Centraleyes.
The post Understanding the EU Corporate Sustainability Due Diligence Directive (CSDDD): Why It Matters and How to Prepare appeared first on Security Boulevard.
O que o FireMon Insights revela sobre o risco da política de firewall e como corrigi-lo O gerenciamento de firewall é o herói não celebrado (ou vilão oculto) da segurança...
The post 60% falham. Você é um deles? appeared first on Security Boulevard.
A sophisticated npm supply chain attack compromised popular packages
The post NPM Supply Chain Attack: Sophisticated Multi-Chain Cryptocurrency Drainer Infiltrates Popular Packages appeared first on Security Boulevard.
