Tenable Blog

An analysis of Tenable telemetry data shows that the vulnerabilities being exploited by Chinese state-sponsored actors remain unremediated on a considerable number of devices, posing major risk to the organizations that have yet to successfully address these flaws.

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC).

On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities which are often abused for initial access to a victims network.

Is this activity associated with Salt Typhoon?

The CSA states that the associated activity “partially overlaps” with Salt Typhoon (also known as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor and more), however, it does not specifically attribute this activity to any one threat actor.

We published a blog post in January 2025 about Salt Typhoon, analyzing the vulnerabilities used by this threat actor. The overlap between the CVEs confirmed to be used by Salt Typhoon and this CSA includes a pair of Ivanti Connect and Policy Secure vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which are used as part of an exploit chain.

As the threat activity discussed in the recent CSA is more generally attributed to PRC state-sponsored actors, we recommend reviewing the blogs we have published on Volt Typhoon and the top 20 CVEs exploited by PRC state-sponsored actors. These blogs include CVEs known to be used by PRC actors, notably including Fortinet firewalls, Microsoft Exchange server and other applications and devices that are referenced in the CSA.

What are the vulnerabilities known to have been exploited in these attacks?

According to the CSA, the Chinese state-sponsored threat actors are having “considerable success exploiting publicly known common vulnerabilities and exposures (CVEs)” with the following CVEs being listed as used by these threat actors to gain initial access:

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 29 and reflects VPR at that time.

Are there proofs-of-concept (PoCs) available for/these vulnerabilities?

Yes, all of the vulnerabilities referenced in the CSA have PoCs available.

Are patches or mitigations available for these CVEs?

Yes, each of the vendors for these products has released patches and, in many cases, mitigation guidance that may be used if immediate patching is not feasible. However, given that these vulnerabilities have been exploited in the wild, many of them over several years, full remediation of these vulnerabilities should be completed as soon as possible.

Advisory

Cisco Talos Blog

How many devices remain vulnerable to these six CVEs?

From an analysis of Tenable telemetry data, we found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks.

In our analysis, we found that Cisco devices had surprisingly significant counts of unpatched devices. For CVE-2023-20273 and CVE-2023-20198, 40% of devices remain unmitigated, while 58% of devices scanned remain vulnerable to CVE-2018-0171.

In stark contrast, only around 14% of devices have yet to remediate CVE-2024-21887 and CVE-2023-46805. For Palo Alto devices, only around 3% of devices have yet been patched for CVE-2024-3400.

Given the mixed remediation rates amongst these six CVEs, it’s imperative that organizations quickly mitigate these threats and ensure their devices are fully up to date. As the CSA notes, these threat actors are not reliant on zero-day vulnerabilities, but rather continue to target known and exploitable vulnerabilities on edge devices in order to gain initial access to their victims' networks.

Have any of these CVEs been classified under Tenable’s Vulnerability Watch?

Yes, we have classified several of the CVEs referenced in this CSA under our Vulnerability Watch:

CVE-2023-20273 and CVE-2023-20198 were not classified prior to the publication of this CSA, as we began our Vulnerability Watch classifications at the start of 2024. We have been publishing Cyber Exposure Alert content since late 2018, and published a blog post for CVE-2023-20198 and CVE-2023-20273 on the same day the advisory was released. We recently added CVE-2018-0171 following an FBI alert.

As a result of this CSA, we have classified all six CVEs as Vulnerabilities Being Monitored. For more information about Vulnerability Watch, please visit our blog, Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help.

Have any of these CVEs been added to the CISA KEV?

Yes, each of these CVEs has been featured in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

Has Tenable released any product coverage for these vulnerabilities?

Yes, plugin coverage is available for each of these CVEs. A list of Tenable plugins for these vulnerabilities can be found on their individual CVE pages:

• CVE-2024-21887
• CVE-2023-46805
• CVE-2024-3400
• CVE-2023-20273
• CVE-2023-20198
• CVE-2018-0171

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

In addition to these CVEs, we also recommend scanning with plugin ID 105161 to identify if Cisco Smart Install is enabled on any Cisco devices in your network. As noted in the CSA, disabling the Cisco Smart Install feature is highly recommended. In an update to the security advisory for CVE-2018-0171 on August 20, 2025, Cisco noted that they are ”aware of continued exploitation activity of the vulnerability that is described in this advisory and strongly recommends that customers assess their systems and upgrade to a fixed software release as soon as possible.”

Tenable Attack Path Analysis techniques

The following are a list of associated Tenable Attack Path Analysis techniques for the TTPs discussed in the CSA:

T1190_Aws

T1190_WAS

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

The following are a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:

C-ADM-ACC-USAGE

C-ADMIN-RESTRICT-AUTH

C-LAPS-UNSECURE-CONFIG

C-AAD-PRIV-SYNC

C-USERS-REVER-PWDS

APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION

ABILITY-OF-STANDARD-ACCOUNTS-TO-REGISTER-APPLICATIONS

C-EXCHANGE-VERSION

C-DANGEROUS-TRUST-RELATIONSHIP

C-ACCOUNTS-DANG-SID-HISTORY

C-GUEST-ACCOUNT

GUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTS

UNRESTRICTED-GUEST-ACCOUNTS

GUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLE

Additional MITRE ATT&CK Resources

• Joint CSA: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System
• Tenable blog: Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor
• Tenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
• Tenable Blog: CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
• Tenable Blog: CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
• Tenable Blog: Proof of Concept (and Patch) for Critical Cisco IOS Vulnerability: CVE-2018-0171
• Tenable Blog: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
• Tenable Blog: Top 20 CVEs Exploited by People's Republic of China State-Sponsored Actors (AA22-279A)

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Check out Anthropic’s unvarnished description of how a brazen attacker maliciously used its Claude Code product. Plus, the CSA tackles IAM in agentic AI systems. In addition, cyber agencies issue a stark warning about cyber espionage threat from China-backed APT groups. And get the latest on SBOMs, IoT security and secure software provisioning!

Here are six things you need to know for the week ending August 29.

Here’s a wild story, even by the standards of the artificial intelligence world.

AI vendor Antrophic this week detailed how a sophisticated cyber crook weaponized its Claude Code product to “an unprecedented degree” in a large-scale extortion and data-theft campaign.

Specifically, the attacker used this agentic AI coding tool to:

• Automate reconnaissance.
• Harvest victims’ credentials.
• Breach networks.
• Make tactical and strategic decisions, such as choosing which data to exfiltrate, and crafting “psychologically targeted” extortion demands.
• Crunch exfiltrated financial data to pick appropriate ransom amounts.
• Generate “visually alarming” ransom notes.

The incident, the company said, takes AI-assisted cybercrime to another level.

“Agentic AI has been weaponized. AI models are now being used to perform sophisticated cyberattacks, not just advise on how to carry them out,” Anthropic wrote in a blog post.

This evolution of agentic-AI abuse complicates AI security efforts because this type of tool by its very nature acts autonomously and as such adapts to defensive tactics in real time.
 

(Image generated by Tenable using Google Gemini)

By the time Anthropic shut down the attacker’s accounts, at least 17 organizations had been hit, including healthcare, emergency services, government and religious groups.

“We have also developed a tailored classifier (an automated screening tool), and introduced a new detection method to help us discover activity like this as quickly as possible in the future,” Anthropic wrote.

This incident, which Antropic labeled “vibe hacking,” is just one of 10 real-world use cases included in Anthropic’s “Threat Intelligence Report: August 2025” that detail abuses of the company’s AI tools.

Anthropic said it hopes the report helps the broader AI security community boost their own defenses.

“While specific to Claude, the case studies presented below likely reflect consistent patterns of behaviour across all frontier AI models. Collectively, they show how threat actors are adapting their operations to exploit today’s most advanced AI capabilities,” the report reads.

For more information about AI security, check out these Tenable Research blogs:

• “Frequently Asked Questions About DeepSeek Large Language Model (LLM)”
• “Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications”
• “Frequently Asked Questions About Vibe Coding”
• “AI Security: Web Flaws Resurface in Rush to Use MCP Servers”
• “CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison)” 

And speaking of agentic AI security: What happens when you give these autonomous AI systems the keys to your organization’s digital identities?

It’s a question that drove the Cloud Security Alliance (CSA) to come up with a proposal for how to better protect digital identities in agentic AI tools.

In its new paper "Agentic AI Identity and Access Management: A New Approach," the CSA argues that traditional approaches for identity and access management (IAM) fall short when applied to agentic AI systems.
 

“Unlike conventional IAM protocols designed for predictable human users and static applications, agentic AI systems operate autonomously, make dynamic decisions, and require fine-grained access controls that adapt in real-time,” the CSA paper reads.

The CSA proposes a new, adaptive IAM framework that pivots away from predefined roles and permissions and instead focuses on a continuous, context-aware approach. 

The framework is built on several core principles:

• Zero trust architecture
• Decentralized identity management
• Dynamic policy-based access control
• Continuous monitoring

“We then propose a comprehensive framework built upon rich, verifiable Agent Identities (IDs), leveraging Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs), that encapsulate an agent's capabilities, provenance, behavioral scope, and security posture,” the paper reads.

Key components of the framework include an agent naming service (ANS) and a unified global session-management and policy-enforcement layer.

For more information about IAM in AI systems:

• “A New Identity: Agentic AI boom risks busting IAM norms” (SC World)
• “A Novel Zero-Trust Identity Framework for Agentic AI: Decentralized Authentication and Fine-Grained Access Control” (Arvix.org)
• “Enterprises must rethink IAM as AI agents outnumber humans 10 to 1” (VentureBeat)

Patch known exploited vulnerabilities. Adopt centralized logging. Secure your network’s edge devices.

Those are basic but essential steps that critical infrastructure organizations should take immediately to protect themselves against ongoing and global cyber attacks from advanced persistent threat (APT) attackers backed by the Chinese government (PRC).

So said multiple U.S. and international government agencies in the joint advisory “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” published this week.

“By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security,” Madhu Gottumukkala, Acting Director of CISA, said in a statement.
 

The advisory primarily covers attacks against the network infrastructure of large telecom providers that have been attributed to actors identified by names including Salt Typhoon, Operator Panda, RedMike, UNC5807 and GhostEmperor since 2021.

A common theme: For initial entry, the attackers look for low-hanging fruit, such as vulnerabilities that have been disclosed and for which patches exist, including these:

• CVE-2024-21887
• CVE-2024-3400
• CVE-2023-20273
• CVE-2023-20198
• CVE-2018-0171 

Once inside, the attackers try to avoid detection so that they can maintain a long-term, persistent presence in the victims’ networks for intelligence gathering. While telecoms are the most common target, other critical infrastructure sectors, such as the military and transportation, have also been hit.

Key tactics highlighted in the advisory include:

• Living off the land: The actors leverage legitimate, built-in network administration tools and protocols, such as FTP and TFTP, to blend in with normal traffic and move laterally across networks.
• Credential harvesting: They are adept at stealing and using valid credentials to maintain access and escalate privileges within compromised environments.
• Data staging: The advisory notes that attackers often use internal FTP servers as staging areas to aggregate data before exfiltration, a key indicator of compromise for network defenders to monitor.

Here’s a small sampling of the many mitigation recommendations included:

• Prioritize monitoring firmware and software integrity by performing hash verifications against vendor databases.
• Review network device logs for unusual activity, such as cleared logs, disabled log forwarding, or configuration changes from unexpected locations.
• Implement robust access controls and phishing-resistant multi-factor authentication.
• Prioritize patching publicly known vulnerabilities that represent the highest risk, and specifically the CVEs the advisory singles out.

To get a deep dive into this threat, read this blog from Tenable's Research Special Operations team: "Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks."

For more information about Salt Typhoon and related China-backed APT attacks against critical infrastructure, check out these Tenable blogs:

• “Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor”
• “Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors”
• “Telecoms May Face Tougher Regulations After Salt Typhoon Hacks”
• “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers”
• “How to protect comms infrastructure from China-backed Salt Typhoon hackers”

Buying new software is a security gamble. To improve the odds, CISA released a free interactive tool that walks organizations through a security checklist questionnaire before they buy. 

The agency says it offers a simple way to vet a vendor's security practices, covering everything from supply chain integrity to vulnerability management.

The free “Software Acquisition Guide: Supplier Response Web Tool” covers five key software-security areas:

• Supplier governance and attestations
• Software supply chain
• Secure software development
• Secure software deployment
• Vulnerability management
   

(Image generated by Tenable using Google Gemini)

The tool is based on the CISA guide “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle,” published last year.

“Transforming the Software Acquisition Guide into an interactive format simplifies integrating cybersecurity into every step of procurement,” a CISA official said in a statement this week.

For example, the vulnerability management section covers topics including software vendors’ vulnerability disclosure and remediation policies; patching methods; granularity of vulnerability scanning; threat hunting techniques; and more.

While the tool is primarily aimed at government agencies, it is also available to the public.

For more information about vetting the security of software products prior to purchasing them:

• “Make simple software security checks part of your purchasing process” (CSO)
• “Choosing secure and verifiable technologies” (Australian Cyber Security Centre)
• “Security considerations when using open source software” (Canadian Centre for Cyber Security)

How do you stop your internet-of-things (IoT) devices from going rogue?

To help with that challenge, the U.S. National Institute of Standards and Technology (NIST) this week published guidance for capturing and documenting the network-communication behavior of IoT devices – an element that’s key for IoT cybersecurity.

“It enables the implementation of appropriate network access controls (e.g., firewall rules or access control lists) to protect the devices and the networks on which they are deployed,” reads the publication, titled “Methodology for Characterizing Network Behavior of Internet of Things Devices.”

Here’s the security challenge: The vast number of IoT devices and their dynamic and unpredictable communication patterns create a complex attack surface. An IoT device’s network activity can change based on user interaction, software updates or its current life cycle stage.
 

(Image generated by Tenable using Google Gemini)

Thus, identifying and understanding how IoT devices should behave on the network can provide insights for adjusting their ability to communicate based on security criteria, as well as for flagging those that start acting suspiciously.

Basically, NIST is offering a method for fingerprinting your IoT devices’ normal network behavior and establishing a baseline of expected activity.

According to NIST, IoT makers and users who gather this network-behavior information using its methodology can create files based on the Manufacturer Usage Description (MUD) specification to manage access to and from those IoT devices.

MUD, according to NIST, offers a standard way of specifying the network communications that an IoT device needs to operate effectively. This allows network operators and security tools to use these MUD profiles to create precise access control lists or firewall rules. That way, organizations can enforce a least-privilege model for IoT devices.

To further streamline this process, NIST also created MUD-PD, an open-source tool designed to assist in developing MUD files by automating the task of characterizing IoT devices’ network behavior and generating corresponding MUD files.

For more information about IoT security:

• “Top 15 IoT security threats and risks to prioritize” (TechTarget)
• “New industry-backed IoT security standards aim to improve device safety” (ITPro)
• “Thousands of medical devices and systems pose IoT security risk” (Healthcare IT News)
• “AI, automation, and the future of IoT security: Meeting compliance without sacrificing speed” (SC World)
• “8 best practices for IoT data management” (TechTarget)

Software bills of materials (SBOMs) have long been considered a key element for securing the software supply chain, and tools and practices associated with these software “lists of ingredients” continue to improve and evolve.

Recognizing SBOM advancements, increased adoption and new use cases in recent years, CISA is circulating a draft update of its 2021 publication "Minimum Elements for a Software Bill of Materials (SBOM)" for public comment.

“SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks and several best practices have evolved significantly in recent years,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement.
 

An SBOM lists all of the components that make up a piece of software, providing transparency into its makeup. That way, they help security teams quickly identify where in their environment they have, say, an open source component afflicted with a recently disclosed and critical vulnerability.

By reflecting on the evolution of SBOM practices and tooling, the updated document aims to create a more robust and detailed baseline for software component information.

Key updates in the proposed guidance include:

• New elements: The draft introduces several new fields, such as component hash, license information, the tool used for generation, and the context of the SBOM's creation.
• Enhanced clarity: It provides clearer definitions for existing elements, including the SBOM author, the software producer, and the component version.

As organizations become more adept at consuming and utilizing SBOM data, they can now demand more granular information from their software suppliers. CISA's updated guidance is a direct response to this trend, aiming to help organizations to conduct more thorough due diligence and better manage supply chain risks.

“An SBOM alone is data about software components. Analysis of SBOMs transforms data into insights about associated risks,” the draft update reads. For example, such insights can come from vulnerability management tools that ingest and analyze SBOM data, and then map it to other data sources.

The public comment period is open until October 3, 2025. 

For more information about SBOMs:

• “7 Recommendations to Improve SBOM Quality” (Carnegie Mellon University)
• “How to create an SBOM: Example and free template” (TechTarget)
• “Strengthen Your Supply Chain Security with Effective SBOM Management” (SANS)

Check out highlights from the IDC white paper “Bridging Cloud Security and Exposure Management for Unified Risk Reduction,” which explains how CNAPPs help security teams tame the complexity of multi-cloud environments by shifting from a reactive, alert-driven model to a proactive exposure management strategy.

Organizations’ rapid expansion into the cloud has created a complex and thorny security landscape that often throws security teams into a counterproductive reactive cycle. As they breathlessly chase myriad alerts from a patchwork of fragmented tools, they struggle to piece together a coherent picture of their ever-expanding attack surface. This lack of visibility leads to a constant struggle to prioritize the most critical cyber threats.

If this sounds familiar, you're not alone. Traditional security models fall short when you need to manage security across dynamic, multi-cloud environments. The good news? There's a better way forward: Leveraging an integrated cloud native application protection platform (CNAPP) that is is part of an exposure management strategy.

A new white paper from industry analyst firm IDC, sponsored by Tenable and titled “Bridging Cloud Security and Exposure Management for Unified Risk Reduction,” sheds light on how CNAPPs offer a transformative approach to cloud security. 

“In this environment, cloud security can no longer be an isolated function. CNAPP represents a critical evolution in the enterprise security strategy — enabling teams to secure every layer of the cloud stack while unifying visibility, accelerating response, and reducing risk at scale,” the IDC white paper reads.

In this blog, we’ll outline key insights from the white paper, including why a CNAPP-centric strategy that incorporates exposure management has become essential for combating increasingly sophisticated and aggressive cyber attacks.

CNAPPs are a game-changer. As the IDC white paper explains, a CNAPP unifies multiple security disciplines into a single, integrated platform. Think of it as your central command center for cloud security, bringing together capabilities that include:

• Identifying and remediating misconfigurations (cloud security posture management, or CSPM)
• Protecting your virtual machines, containers, and serverless environments (cloud workload protection, or CWP)
• Managing identities and permissions (cloud infrastructure entitlement management or CIEM)
• Safeguarding your cloud data (data security posture management, or DSPM)
• Securing your cloud AI systems (artificial intelligence security posture management, or AI-SPM)
• Protecting your Kubernetes environments (Kubernetes security posture management, or KSPM)
• Managing your vulnerabilities from code to cloud, including infrastructure-as-code scanning

By breaking down the silos between these different security functions, a CNAPP provides a holistic view of your entire cloud estate, IDC explains. It allows you to see the connections between different types of risks, such as how a misconfiguration in one area could be exploited by an over-privileged identity to gain access to sensitive data. This contextual understanding is crucial for moving from a reactive to a proactive security posture.

These features, combined with a focus on exposure management, are what separate a truly effective CNAPP from a basic one. “Decision makers are encouraged to explore CNAPP solutions that integrate effectively with exposure management platforms, offering unified visibility and facilitating prioritized risk mitigation,” the IDC white paper reads.

At Tenable, we define exposure management as a strategic, business-centric approach to cybersecurity that you can use to proactively assess and remediate your most critical cyber risks. In our view, exposure management transcends traditional vulnerability management by unifying business and risk contexts with threat intelligence. That way, it helps you expose, prioritize and close vulnerabilities while reducing risk and shrinking your attack surface.

In fact, as the IDC chart below shows, CNAPPs and exposure management are very much on the radar of security managers looking for emerging technologies and solutions to improve their organizations’ security capabilities.
 

(n = 600; Source: IDC’s AP Security Survey, 2024. Notes: This is an IDC Syndicated Survey. Respondents were professionals who are managers and above.)

The message from the IDC white paper is clear: a CNAPP-centric approach is the future of cloud security. A CNAPP does more than just consolidate tools: It fundamentally enhances how you manage risk in the cloud. A CNAPP empowers your cybersecurity teams with the visibility, context and actionable insights they need to stay ahead of attackers.

“A cloud- and environment-agnostic CNAPP strategy – and particularly one that incorporates exposure management – facilitates seamless integration across platforms, empowering organizations to maintain control, optimize resource utilization, and fortify their security posture,” the IDC white paper reads.

CISOs also benefit, as their role evolves and security priorities shift towards automation, end-to-end visibility and real-time threat management. 

“Exposure management inclusive of cloud security aligns with these priorities by providing contextual risk insights into potential security gaps and facilitating timely interventions,” the IDC white paper reads.

The full IDC white paper goes into much greater detail on all of these topics, and more. It offers:

• a comprehensive look at the current cloud security landscape;
• a deep dive into the capabilities of a modern CNAPP; and
• a guide to what you should look for in a solution. 

It also provides an in-depth look at Tenable's approach to cloud security, highlighting how our Tenable Cloud Security CNAPP integrates with our Tenable One Exposure Management Platform. 

According to IDC, the combination of Tenable Cloud Security and Tenable One “eliminates blind spots across cloud and hybrid environments.” 

“This integration enables stakeholders to understand and mitigate cloud risks within the context of their broader IT and cloud landscape,” the IDC white paper reads.

The journey to cloud security maturity is challenging, but you can succeed by adopting a CNAPP-centric approach that integrates exposure management.

Don't let the complexity of the cloud leave you vulnerable. To get the full picture and start building your roadmap to a more secure cloud, download the IDC white paper “Bridging Cloud Security and Exposure Management for Unified Risk Reduction.”

Get a firsthand look at how 400 security and IT leaders are tackling today’s cyber risk challenges in this latest study from Tenable and Enterprise Strategy Group.

From budget allocation and prioritization methods to team structure, organizations are fundamentally rethinking how they manage cyber risk.

Why? Because threats, exposures and assets are multiplying at a pace that traditional methods simply can't match, leaving organizations exposed to growing risk.

Tenable partnered with Enterprise Strategy Group on a new research study, “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management,” to uncover the real-world challenges security teams face in reducing cyber risk in the modern era.

This study surveyed 400 IT and cybersecurity leaders across North America to uncover the biggest challenges, and the most promising opportunities, in today's threat and exposure management landscape.

The bottom line: The old playbook no longer works. It's time to shift from reactive, siloed efforts to a more unified, proactive approach that delivers real, measurable risk reduction.

According to the report, “Organizations are seeking threat and exposure management tools that enhance their prioritization and risk reduction capabilities through automated remediation and deeper analysis. What matters most to security teams is fixing the most important issues first and doing it as quickly as possible at scale.”

“Organizations are seeking threat and exposure management tools that enhance their prioritization and risk reduction capabilities through automated remediation and deeper analysis. What matters most to security teams is fixing the most important issues first and doing it as quickly as possible at scale.”

— The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management, Enterprise Strategy Group, August 2025

Nearly three-quarters of organizations (71%) say reducing risk is as hard or harder than it was two years ago, driven by cloud complexity (45%), manual processes (40%) and disconnected tools (40%).

Nearly half of organizations still rely on basic exploitability (26%) and severity scores (21%), neglecting business context and asset-specific data, which leads to inefficient prioritization and higher risk exposure.
 

Organizations are shifting their focus from simply finding weaknesses to effectively remediating them. Success is now measured by incidents prevented (59%), vulnerabilities eliminated (55%) and reduction in total risk (51%), demanding platforms that drive effective risk reduction.

Organizations recognize the growing difficulty of risk reduction and are allocating more budget to tackle the challenge head-on. The vast majority of organizations (88%) are increasing their exposure management budgets year over year, with 59% noting a slight increase and 29% reporting significant increases.

Organizational silos create significant friction, with 27% of respondents citing the use of different tools by different teams as the primary challenge to effective collaboration. Responsibility for exposure management is often fragmented, falling to the general IT operations team (76%) more often than a dedicated vulnerability or exposure management team (41%).

Download “The Evolution of Risk Reduction: Contextual Analysis and Automated Remediation in Threat and Exposure Management” for a deeper look at the challenges your peers are facing, and the future vision they’re building as they move from siloed, manual processes to a unified, automated exposure management program.

Download the full report

Google, with its unparalleled visibility into Gemini, recently alerted its legion of Gmail users about indirect prompt attacks, which exploit AI context sources like emails, calendar invites and files. Coming from a major AI vendor, the frank and direct public alert leaves no doubt that organizations face a tangible AI security threat from this type of attack against generative AI tools. 

While the risk from indirect prompt attacks has been discussed publicly for many months, we believe that a turning point in the conversation occurred when Google publicly and candidly warned its vast Gmail user base about this critical AI threat.

“As more governments, businesses, and individuals adopt generative AI to get more done, this subtle yet potentially potent attack becomes increasingly pertinent across the industry, demanding immediate attention and robust security measures,” Google alerted its users in the June blog “Mitigating prompt injection attacks with a layered defense strategy.”

That blog has generated ample discussion, due to the significance of a major AI vendor acknowledging such a widespread risk and emphasizing that the threat has never been more urgent.

Prompt injection is a type of attack where malicious instructions are inserted directly into an AI model’s input to override its intended behavior and achieve a malicious objective. A more manipulative variant, called indirect prompt injection, plants those instructions within external content - outside the user’s prompt such as files, emails, or web pages, that the model later uses as context. This allows attackers to manipulate the model’s outputs without the user’s awareness.

Anyone outside your organization can easily send an email, calendar invite, or file containing such adversarial prompts. Once processed by a generative AI tool such as Google’s Gemini AI, these malicious prompts can lead to data exfiltration, output manipulation, workflow hijacking, or even harmful content generation.

The most concerning aspect? Neither the user nor security teams may realize it’s happening. This is amplified by the fact that very few organizations have any semblance of AI security controls in place, so the industry is mostly relying on people and process to detect, prevent and address this type of attack.

Imagine this: a malicious calendar invite arrives from outside the organization. Hidden in the invite is a prompt injection directing the LLM to falsify the company’s revenue, multiplying it by 10x every time it’s queried.

Now imagine the C-suite, finance, and accounting teams relying on Gemini or a similar tool to prepare quarterly reports - a growing reality among Fortune 500 companies eager to accelerate operations. The result? The company could inadvertently publish fraudulent revenue numbers, triggering disastrous financial and reputational consequences.

This is not limited to Gemini. Any context-aware AI system is vulnerable.

An Outlook email may look like a standard push notification, but invisible characters could jailbreak the AI model when Microsoft Copilot references the email. The jailbreak could force the model to recommend a specific tool, regardless of its original purpose. That tool could then be abused to transfer money from a company account to an attacker’s account.

This is not just phishing. It’s the 2025 evolution of ransomware: AI-driven, invisible and context-based. This makes it critical to understand which AI systems are in your environment, which data is connected to them, what types of user interactions they involve, and which actions they can take. 

Context injection is uniquely challenging for several reasons:

• Answers seem legitimate: Users often believe they received the correct output.
• Agent actions are overlooked: Automated workflows appear normal and are rarely audited for the actual outcomes.
• Techniques vary widely: Prompt injections and jailbreaks evolve constantly, making pattern-based detection unreliable.
• Context dependency: Attacks adapt to the specific input data and desired outcome, making them even harder to anticipate. 

Google took a responsible step by warning its users about this threat, surfacing context-poisoning techniques and outlining concrete steps it’s taking to harden Gemini’s security. 

But history shows us that simpler adversarial techniques have repeatedly bypassed vendor guardrails. That’s where specialized solutions come in.

With Tenable AI Exposure, part of the Tenable One Exposure Management Platform, we scan AI context sources directly -- identifying injected data before it ever reaches the model. By preventing poisoned context from being processed in the first place, we stop severe security incidents before they happen.

Learn more about how Tenable protects your organization from context injection attacks.

Citrix has released patches to address a zero-day remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that has been exploited. Organizations are urged to patch immediately.

On August 26, Citrix published a security advisory for three vulnerabilities, including CVE-2025-7775, a zero-day vulnerability which has been exploited against its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances:

CVE-2025-7775 is a RCE vulnerability affecting NetScaler ADC and Gateway appliances. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code or cause a DoS condition on an affected device. According to the security advisory from Citrix, exploitation has been observed prior to the advisory and patches being made public.

While Citrix only confirmed exploitation of CVE-2025-7775, two additional vulnerabilities were patched as part of the same security advisory.

CVE-2025-7776 is a DoS vulnerability affecting NetScaler ADC and Gateway appliances. An authenticated attacker can trigger a memory overflow vulnerability in order to cause a DoS condition on an affected device. Devices that have been configured as a Gateway with a bounded PCoIP Profile are affected by this vulnerability.

CVE-2025-8424 is an improper access control vulnerability affecting NetScaler ADC and Gateway appliances. While no privileges are required to exploit this vulnerability, an attacker would need access to “NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access” in order to take advantage of this flaw.

ADC and Gateway Historically Targeted by Attackers

Citrix’s NetScaler ADC and Gateway appliances have been a valuable target for attackers over the last several years. Vulnerabilities including CVE-2022-27518 and CVE-2019-19781 have been favored by attackers. This includes attacks from Chinese state-sponsored threat actors, Iranian-based threat actors, Russian state-sponsored threat groups as well as ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.

More recently, Citrix NetScaler ADC and Gateway have been targeted by vulnerabilities known as CitrixBleed and CitrixBleed 2. CVE-2023-4966, known as CitrixBleed, was first disclosed in October 2023 after it was discovered as being exploited as a zero-day. Attacks continued to ramp up and the flaw was widely exploited by multiple ransomware groups and additional threat actors. CVE-2025-5777, known as CitrixBleed 2, was disclosed in June of this year. Multiple security researchers and outlets reported that CitrixBleed 2 was also exploited as a zero-day.

Due to the historical exploitation against NetScaler ADC and Gateway appliances, we strongly urge organizations to patch CVE-2025-7775 as soon as possible.

At the time this blog post was published, no public proof-of-concept (PoC) had been identified for any of these vulnerabilities. However, given the historical exploitation of Citrix NetScaler ADC and Gateway and the reported usage of CVE-2025-7775 as a zero-day, we anticipate that exploit code may become available soon.

Citrix has released patches for these vulnerabilities as outlined in the table below:

Note: NetScaler ADC and NetScaler Gateway version 12.1 and 13.0 are End Of Life (EOL). Customers are recommended to upgrade their appliances to a supported version that addresses these vulnerabilities.

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing NetScaler ADC and Gateway assets by using the following subscription:

• NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424
• Tenable Blog: Frequently Asked Questions for CitrixBleed (CVE-2023-4966)
• Tenable Blog: CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

This recognition is about more than just our technology leadership — it reflects the real-world outcomes that the Tenable One Exposure Management Platform delivers.

1. Tenable is a Leader in the IDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment (doc #US52994525, August 2025).
    
2. The IDC MarketScape vendor assessment provides an overview of the competitive fitness of technology and service suppliers in a given market.
    
3. Tenable is named a Leader for its ability to leverage a large repository of exposure data and its investments in AI-driven analytics, including generative AI for remediation guidance, attack path generation, and ownership detection.

The results are in, and it’s no surprise. Tenable has been named a Leader in the IDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment (doc #US52994525, August 2025).

For us, this isn't just another report. It's a testament to the reasons tens of thousands of organizations across sectors choose us: Tenable is not just in the exposure management game, we're defining it. This recognition from a respected analyst firm validates our shared vision: to empower security leaders to move beyond the old, reactive cycle of firefighting and get ahead of attacks.

Being named a Leader in exposure management is about more than just technology — it's about the outcomes the Tenable One exposure management platform delivers. Michelle Abraham, senior research director, Security and Trust at IDC, states that “Proactive exposure management is the future as traditional vulnerability detection transforms into holistic risk management and remediation.”

For our customers, this means a fundamental shift from reactive to proactive security. It also means a move from the limited view available with siloed security tools to a more holistic view of risk.

The IDC MarketScape vendor assessment model provides an overview of the competitive fitness of technology and service suppliers in a given market. According to the MarketScape, “Exposure management solutions offer a different approach to managing device vulnerabilities, emphasizing the fusion of multiple exposure sources by bringing together CVEs, unknown assets, misconfigurations, and other types of exposure.”

According to the MarketScape, “Tenable One is particularly well-suited for enterprises aiming to consolidate siloed risk data integrating both Tenable-native and third-party data sources for a holistic, actionable risk posture.”

“Tenable One is particularly well-suited for enterprises aiming to consolidate siloed risk data integrating both Tenable-native and third-party data sources for a holistic, actionable risk posture.”
  — IDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment

According to the IDC MarketScape, “There is also the problem of security silos. Since attack surfaces are expanding with AI being the latest surface, some organizations are using multiple security posture management tools, one for each attack surface. Security teams need to investigate solutions that unify exposures because each exposure does not exist in a vacuum. Exposures may be chained together for initial access or lateral movement; attack path analysis presents a visual communication of these issues.”

Instead of chasing endless alerts, Tenable customers gain a unified view of the entire attack surface — from IT assets, cloud resources, identity systems, operational technology (OT) devices and AI platforms. The recent launch of Tenable AI Exposure, built into Tenable One, helps you see, secure and manage how your teams use AI platforms like ChatGPT Enterprise and Microsoft Copilot.

Other key elements of exposure management include:

The MarketScape recommends that “those who are still prioritizing remediation work based on CVSS score or other single metrics, move to a solution with prioritization algorithms that account for the specifics in your organization.”

Tenable’s Vulnerability Priority Rating (VPR) leverages artificial intelligence, machine learning and real-world exploit data to predict which vulnerabilities attackers are most likely to weaponize, reducing wasted effort on low-risk issues. Combined with Tenable’s Asset Criticality Rating (ACR), which can be model-generated or user-defined, Tenable helps you pinpoint the most critical exposures that impact your unique environment. In addition, attack path analysis helps you understand how attackers see your organization so you know where to shore up your defenses.

The MarketScape “underscores the need for vendors to address security silos, expand third-party integrations, and innovate in areas like AI-driven analytics and attack path visualization.”

The result? You can anticipate attacker actions and shut down attack paths before they can be exploited. Our platform’s AI-driven analytics cut through the noise to show you exactly where you're exposed and what to fix first. This is the core of exposure management: seeing everything, predicting what matters and acting decisively.

We believe your security stack is unique, and your exposure management platform should make it stronger, not more complicated. The IDC MarketScape notes, “The [Tenable One] platform can ingest exposure data from a wide range of source types. This extensibility supports large-scale, complex environments and allows customers to tailor the platform to their unique technology stacks without heavy reliance on additional point solutions.”

The MarketScape advises technology buyers to “aggregate exposure into a solution that can unify them, so they are examined holistically and not in silos. Individual exposures may not be important issues when analyzed on their own; however, chaining them amplifies the priority of their remediation.”

This is critical. Our open platform and robust ecosystem, with over 300 integrations, mean that Tenable One doesn't just add another layer — it unifies your existing security tools. By ingesting data from across your technology stack, we provide the context you need to make better, faster decisions. This approach ensures you get more value from your current investments while building a single, holistic view of your risk.

The IDC MarketScape also notes, “Tenable leverages a large repository of exposure data and invests heavily in AI-driven analytics, including generative AI for remediation guidance, attack path generation, and ownership detection. These capabilities enhance risk prioritization and accelerate response.”

The IDC MarketScape recognition confirms what our customers already know: a proactive, unified approach is the only way to manage the complexity of the modern attack surface. We've been pioneering exposure management since 2017 and remain dedicated to empowering you to protect what matters most.

Here’s a breakdown of what we believe makes our platform a powerhouse:

• Holistic risk posture: unifying your defenses
  Tenable One is designed to break down the data silos that prevent a true understanding of risk. By integrating both Tenable-native and third-party data sources, the platform provides a single, consolidated view of your entire attack surface. This allows security teams to move from a reactive to a proactive stance, addressing exposures before they become business-impacting events.
• Comprehensive source types: extensibility for complex environments
  Modern enterprises are complex, with a diverse mix of technologies. Tenable One ingests data from a vast array of sources and normalizes it with holistic risk scoring across different types of assets and exposures. This helps inform decision-making and removes complexity, allowing customers to tailor the platform to their specific needs without relying on a patchwork of point solutions, ensuring complete and contextual visibility.
• AI-driven analytics: intelligent prioritization and response
  Tenable leverages its extensive exposure data to enhance its AI capabilities. Generative AI capabilities, such as pinpointed remediation guidance, attack path analysis to identify choke points and faster response with asset ownership detection empower teams to prioritize critical risks and expedite remediation efforts.

Tenable’s placement as a Leader in the IDC MarketScape Worldwide Exposure Management 2025 Vendor Assessment is the latest recognition of our market-leading product strategy and execution. Tenable Cloud Security was named a Major Player in the “IDC MarketScape: Worldwide Cloud-Native Application Protection Platform 2025 Vendor Assessment (doc #US53549925, June 2025.” We’re the only vendor named a Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for Vulnerability Assessment. And we’re a Leader in The Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025. Visit Tenable Awards & Recognitions to see all of our accomplishments.

If you need to unify visibility across IT, cloud, OT/IoT, identity, and AI environments for a holistic, actionable risk posture, Tenable is a strong choice.

The IDC MarketScape vendor assessment model is designed to provide an overview of the competitive fitness of technology and service suppliers in a given market. The research utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of technology suppliers can be meaningfully compared. The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective suppliers.

According to the MarketScape, “Exposure management solutions offer a different approach to managing device vulnerabilities, emphasizing the fusion of multiple exposure sources by bringing together CVEs, unknown assets, misconfigurations, and other types of exposure. Exposure management often encompasses standalone cybersecurity asset management and attack surface management tools, integrating data from diverse sources for a comprehensive risk analysis. With holistic exposure management solutions, organizations can aggregate, deduplicate, and analyze data from a variety of sources to provide a more accurate assessment of an organization's risk posture.

“For this analysis, exposure management must incorporate device vulnerability management scan results. Device vulnerability management involves network-based or host-based scanners/agents that scan servers, workstations, other devices, and applications to uncover security vulnerabilities in the form of known security holes (vulnerabilities) or configuration settings that can be exploited. They can have credentialed access (using usernames and passwords) into devices or provide an uncredentialed look at a device. The scan data may come from internal or third-party scanners.”

• Access an excerpt of the IDC MarketScape: Worldwide Exposure Management 2025 Vendor Assessment.

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In the second of a two-part blog series, Tenable CSO Robert Huber shares how exposure management has helped him reduce risk and better align with the business. You can read the entire Exposure Management Academy series here.

Last week, I explored the critical shift from traditional vulnerability management to a comprehensive exposure management approach. I explored the limitations of siloed security tools and the overwhelming deluge of data that often leaves security teams and business leaders wondering what they can do. 

In this post, I’ll dig deeper on the practical application of exposure management, illustrating how, as CSO for Tenable's own information security organization, I have implemented this philosophy internally to drive tangible improvements in risk reduction and business alignment.

My team can tell you not only the revenue associated with a particular product but also the aggregated risk posed to it by various security issues across multiple tools.

The core challenge for any organization grappling with cybersecurity is prioritization. Imagine a CISO presented with hundreds of tickets across various security domains. If you’re a CISO (or know one), you probably don’t really have to imagine it because it happens every day. You probably see countless alerts about everything from vulnerabilities and misconfigurations to cloud security and beyond. 

But without a unified view and a clear understanding of business impact, all that data is useless. You simply can’t take action. 

This is where exposure management can be a real help in figuring out the interconnectedness and any potential impact on critical business assets and functions.

At Tenable, we’ve learned this lesson firsthand. Here are some of the ways we use exposure management in our own security practices:

• Tenable’s security team tags extensively to contextualize assets. This enables us to understand which assets belong to specific business units, product lines or even revenue-generating streams. The granularity transforms raw security data into actionable business intelligence.
• Internally, my team can tell you not only the revenue associated with a particular product but also the aggregated risk posed to it by various security issues across multiple tools.
• We use a visualization of how security used to look. I call it the "spaghetti chart" (see below) because that’s what it looks like, with a chaotic array of inputs from every corner of the enterprise, each with unique workflows. The only thing it’s missing is a side salad. As startling as the image is, it represents real life for those of us in cybersecurity, including everything from endpoint detection and response (EDR) vendors and bug bounty programs to vulnerability management scans, SOC findings and penetration test results. 

Source: Tenable, 2025

Next, you can see the after picture. It just eases the mind looking at it. It’s order, not chaos; calming, not frightening. That’s because an exposure management platform doesn't just collect this security data. Nope. It does a lot more. It normalizes, deduplicates and integrates every bit and byte. 

Source: Tenable, 2025

Although I work for Tenable, I want to emphasize a point: I’m not talking solely about our solutions. Internally, we pull in data from about 50 different inputs to determine the Red, Yellow, Green status of an asset. 

Although I work for Tenable, I want to emphasize a point: I'm not talking solely about our solutions. Internally, we pull in data from about 50 different inputs to determine the Red, Yellow, Green status of an asset. We then feed this centralized data into a powerful prioritization engine. Although most organizations still prioritize within their individual silos (e.g., a vulnerability management team using Tenable Vulnerability Priority Rating [VPR] or asset criticality rating specifically for their platform), we extend this prioritization logic across all capabilities within our exposure management platform. This is a significant leap beyond simply using common vulnerability scoring system (CVSS) scores, which, without temporal inputs or business context, offer no real way to prioritize.

Our overarching goal using exposure management in our internal security practices is to shrink the tool sprawl problem or the resulting data overload and fragmented reporting. By proactively taking in more data and performing better prioritization, we significantly reduce the number of reactive incidents. As security professionals, we know incidents will never go to zero, but a robust exposure management strategy helps us minimize the "firefighting" and shift resources towards more strategic, proactive security initiatives.

A key internal evolution at Tenable has been the transformation of our vulnerability management policy into an exposure management policy. More than just a name change, it represents a fundamental shift in scope for our vulnerability management team, which transformed into the exposure management team. That team manages and owns the collaboration and workflows with the lines of business teams that need to fix issues. Alongside that, our exposure management policy now encompasses all inputs that produce stateful information from every security tool. We’re talking misconfigurations, vulnerabilities, weaknesses and more. 

This comprehensive approach, which might overwhelm you because of the sheer volume of data, is made manageable by the Tenable One Exposure Management Platform's ability to handle data deduplication, normalization and centralized reporting. But I think the most important things the platform does are automated prioritization and workflows that meet the users where they are, no matter their workflow. This frees our security teams from the manual burden of these tasks so they can focus on in-depth analysis and asking the right questions.

Our internal journey has also redefined the roles of our security teams. Specialized teams like cloud security and application security still exist, but their focus has shifted. Instead of chasing down colleagues to fix specific issues, they can now concentrate on their core business functions, like securely deploying infrastructure in new environments. I knew we needed to unify policy and data reporting, so the redefined exposure management team handles the legwork of tracking SLAs and ensuring remediation, a process that is largely automated within the platform. This saves significant time and enables us to efficiently scale security resources.

The manifestation of this internal journey within our own Tenable One platform is evident in what’s become known as "Bob's simple metrics" — the Red, Yellow, Green I mentioned earlier. This direct visualization helps bridge the gap between technical security findings and business understanding. We can also set target SLAs, customizable by region or other tags, so teams can track their performance against these targets and make data-driven adjustments.

A significant area of focus for us is the automated identification of what I call "big rocks" or the underlying reasons for security posture deviations. 

For example, if we can’t patch a system running Amazon Linux 2 with ContainerD because of system instability, the platform should ideally flag this systemic issue rather than just listing individual vulnerabilities. This level of insight helps us present a clear picture to leadership, highlighting the root causes of risk and enabling strategic decisions on how to address them.

The recent acquisition of Vulcan Cyber, and the integration into Tenable One, has been instrumental in furthering our exposure management capabilities. As I mentioned, Tenable's internal security relies on data from a lot of different inputs, only a handful of which are Tenable solutions. The ability to ingest and integrate third-party data (including manual inputs like PDF pen test results or bug bounty reports) was a critical requirement for us. We can now centralize and prioritize data from a vast array of sources, providing a truly holistic view of risk.

The internal deployment of this capability was remarkably swift: We integrated 15 different third-party feeds within 48 hours and we built most of our custom reporting in the 24 hours after that. This rapid integration and automation drastically reduced manual report creation and prioritization. It delivered immense value. 

This doesn’t just benefit those of us at Tenable. The integration of Vulcan into the Tenable One platform, as Tenable Connectors, is now rolling out in phases to customers, currently supporting 300 third-party integrations, which will further enhance their exposure management capabilities.

The aim of exposure management is to change the conversation with stakeholders. 

Instead of presenting overwhelming reports of unaddressed issues, we can now provide a clear process, workflow and data-driven expectations. Planning will be easier and business leaders will be able to ask that crucial question: "What do you want me to do?" Only now they’ll receive a concise, prioritized list of actions that genuinely reduce risk.

Our internal experience with exposure management has been a no BS journey. We’re working through this internally and it’s evolving how we operate. 

Some regulations and industry requirements are very specific about vulnerability management policies and CVSS usage, so we do face a few challenges. Nonetheless, we are actively working to shift the conversation from mere SLA compliance to a comprehensive risk reduction approach. You're never going to fix everything and you'll miss some SLAs. But are you effectively managing risk? That’s the critical question.

The board reporting I discussed in the first part of this series, How Tenable Moved From Siloed Security to Exposure Management, now reflects this shift. We present a clear, Red, Yellow, Green status of our critical areas, with concise notes explaining the transitions. This context is crucial, especially when factors like company acquisitions can temporarily impact security posture. Our goal is to uplevel all our conversations to align with the business, demonstrating the impact of security on revenue, services and overall business objectives.

More than a mere buzzword, exposure management is a necessary evolution of how organizations approach cybersecurity. 

Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.

Check out the FBI’s alert on Russia-backed hackers infiltrating critical infrastructure networks via an old Cisco bug. Plus, MITRE dropped a revamped list of the most important critical security flaws. Meanwhile, NIST rolled out a battle plan against face-morphing deepfakes. And get the latest on the CIS Benchmarks and on vulnerability prioritization strategies!

Here are five things you need to know for the week ending August 22.

Heads up, critical infrastructure orgs: Russia-backed hackers are gunning for industrial control systems (ICS) by breaching networks via a years-old Cisco bug.

For the past year, a Russian Federal Security Service unit has been hijacking network devices to surveil industrial networks. Its goal? To find a foothold in the operational technology (OT) that runs everything from power grids to manufacturing plants.

This intel comes from the Federal Bureau of Investigation (FBI), which this week said that the group, also known as Berserk Bear, Dragonfly and Static Tundra, is exploiting critical vulnerability CVE-2018-0171 in the Cisco Smart Install (SMI) software.

So far, the group has collected thousands of configuration files from hacked networking devices, while scanning critical infrastructure networks in search of ICS protocols and applications.
 

(Image created by Tenable using Google Gemini)

The group has been hacking networking devices for a decade. It targets devices that rely on older, unencrypted protocols.

For a deep dive into this threat, check out the blog “Russian state-sponsored espionage group Static Tundra compromises unpatched end-of-life network devices” from Cisco Talos, Cisco’s threat intelligence team. 

It offers a detailed analysis of the threat, along with mitigation recommendations, including, of course, applying the patch for CVE-2018-0171 or disabling Smart Install.

In related news, Norway’s government officially blamed Russian hackers for the April hack of a dam’s water flow system and spilling about two million gallons of water into a river. Norwegian Police Security Chief Beate Gangås made the allegation during Norway’s annual national forum Arendalsuka. Russia has denied the charge.

For more information about securing OT systems in critical infrastructure environments, check out these Tenable resources:

• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
• “The Invisible Bridge: Recognizing The Risk Posed by Interconnected IT/OT/IoT Environments” (on-demand webinar)
• “How to Remediate Risk to Critical OT/IoT Systems without Disrupting Operations” (blog)
• “Blackbox to blueprint: a security leader’s guide to managing OT and IT risk” (ebook)
• “Identity Security Is the Missing Link To Combatting Advanced OT Threats” (blog)
• “Unlock advanced IoT visibility to better secure your OT environment” (on-demand webinar)

For the first time in almost five years, MITRE has revised its list of the main security weaknesses impacting hardware devices, giving security pros a refreshed roadmap to tackle today’s biggest hardware risks.

The "2025 CWE Most Important Hardware Weaknesses" (MIHW) list is the first to mesh comprehensive weakness data from the CVE program, security advisories, conferences and research papers with opinions from hardware security experts. 

With the new list, MITRE aims to help organizations prevent hardware security issues through enhanced mitigation prioritization, design practices and decision-making throughout the hardware lifecycle.

“The 2025 CWE MIHW represents a refreshed and enhanced effort to identify and educate the cybersecurity community about critical hardware weaknesses,” reads a MITRE paper.

These are MITRE’s top hardware security weaknesses, with new ones in bold:

• CWE-226: Sensitive Information in Resource Not Removed Before Reuse
• CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
• CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
• CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks
• CWE-1247: Improper Protection Against Voltage and Clock Glitches
• CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
• CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
• CWE-1262: Improper Access Control for Register Interface
• CWE-1300: Improper Protection of Physical Side Channels
• CWE-1421: Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
• CWE-1423: Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

In a separate list labeled “Expert Insights: Weaknesses Beyond Data Trends,” MITRE highlights five additional weaknesses that experts believe also warrant special attention:

• CWE-1231: Improper Prevention of Lock Bit Modification
• CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection
• CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State
• CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition
• CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

Here’s a table correlating the hardware weaknesses with MITRE’s hardware categories.
 

(Source: MITRE, August 2025)

The list can be useful for a variety of security stakeholders, including:

• Security architects and designers to prioritize key weaknesses
• Design teams to build review checklists
• Test engineers to focus testing efforts
• Security researchers to direct their investigative and mitigation efforts
• Electronic design automation tool vendors to enhance tool support for industry-prioritized weaknesses
• Educators to align course materials with major, real-world hardware vulnerabilities

To get more details, check out the “CWE Most Important Hardware Weaknesses” home page.

For more information about hardware security flaws:

• “Hardware Security Failure Scenarios” (NIST)
• “39 hardware vulnerabilities: A guide to the threats” (CSO)
• “Hardware Hacking? New Study Raises Alarm On 98 Cyber Risks” (Forbes)
• “New CISA advisories urge swift action on ICS flaws impacting energy, manufacturing, transportation systems” (Industrial Cyber)

Is your organization prepared to detect identity scams perpetrated via face morphing — a growing deepfake threat?

It should, according to the National Institute of Standards and Technology (NIST), which this week published guidelines to combat identity fraud that uses this image-manipulation technique.

Face morphing is the combination of two facial photographs — one of the legitimate owner of, say, a passport or an employee ID card, and the other of a fraudster.

Face-morphing software aims to produce a synthesized image that will resemble the fraudster enough to deceive face-recognition systems and humans tasked with verifying the person’s identity. 
 

(Image created by Tenable using Google Gemini)

That way, the “morphed” image can be used in multiple passports, employee ID cards, drivers’ licenses and more. 

“The main threat associated with morphs is that if the submitted photograph is put on an identity document such as a passport, then both individuals will be able to use that document,” reads NIST’s 26-page document “Face Analysis Technology Evaluation (FATE) MORPH.” 

Sometimes a morphed image is generated from photos of more than two people.

NIST’s publication aims to offer practical guidance for organizations to adopt and use morph-detection methods in scenarios such as passport application reviews and border crossings.

“It’s important to know that morphing attacks are happening, and there are ways to mitigate them,” NIST official Mei Ngan said in a statement.

Modern morph-detection algorithms have improved significantly, according to NIST. The guidelines detail two primary methods of detection: 

• Single-image morph attack detection (S-MAD), which analyzes a single suspicious photo
• Differential morph attack detection (D-MAD), which compares the questionable photo with a known genuine image of the individual 

S-MAD can be highly accurate if the software has been trained on the specific morphing tool used to create the image. However, its effectiveness can decrease substantially when encountering images created with unfamiliar software. In contrast, D-MAD provides more consistent accuracy, with success rates ranging from 72% to 90%.

Meanwhile, human examiners that suspect a morph can perform several checks:

• Visual inspection: Look for inconsistencies or anomalies around the eyes, nose, and mouth, as well as in skin texture and color.
• Feature comparison: Compare the suspected morph with a trusted photo, looking for the absence or difference of features like scars, moles, or ear structures.
• Metadata analysis: Inspect the image file's metadata for clues, such as the software used to create or modify the image.

The NIST publication also recommends ways to configure detection software for different situations and offer procedures for investigating flagged photos. The ideal approach involves a combination of automated tools and human review. 

A key preventative measure is to stop morphed photos from entering systems. “The most effective way is to not allow users the opportunity to submit a manipulated photo for an ID credential in the first place,” Ngan said.

For more information about detecting deepfakes:

• “Prevent Cyber Attacks with Deepfake Detection Technology – A Complete Guide” (Cyberdefense Magazine)
• “Why detecting dangerous AI is key to keeping trust alive in the deepfake era” (World Economic Forum)
• “A Framework for Detection in an Era of Rising Deepfakes” (Carnegie Mellon University)
• “Deepfake disruption: A cybersecurity-scale challenge and its far-reaching consequences” (Deloitte)
• “Deepfakes and LLMs: The Cybersecurity Frontier We Can't Ignore” (ISC2)

During our recent webinar “Tenable Announces AI-Powered Breakthrough in Vulnerability Prioritization,” we polled attendees on their preferred vulnerability prioritization criteria. We also asked them which new Tenable Vulnerability Priority Rating (VPR) drivers they expect to use the most. Check out what they said.

(141 webinar attendees polled by Tenable, August 2025)


(101 webinar attendees polled by Tenable, August 2025)

Watch the on-demand webinar to learn how Tenable Vulnerability Management’s AI-powered, context-rich approach transforms risk scoring, enhances prioritization, improves efficiency and boosts clarity.

Time for a configuration check-up. The Center for Internet Security (CIS) just dropped a batch of new and updated Benchmarks to help you harden key systems against attack.

Specifically, these secure-configuration recommendations were updated in July:

• CIS AWS End User Compute Services Benchmark v1.2.0
• CIS Cisco IOS XE 17.x Benchmark v2.2.1
• CIS Docker Benchmark v1.8.0
• CIS ExtremeNetworks SLX-OS-20.X.X Benchmark v1.0.1
• CIS Microsoft Windows Server 2019 Stand-alone Benchmark v3.0.0
• CIS Microsoft Windows Server 2019 STIG Benchmark v4.0.0
   

In addition, CIS released these brand new Benchmarks: CIS Cisco NX OS Switch RTR STIG Benchmark; CIS DigitalOcean Foundations Benchmark v1.0.0; and CIS DigitalOcean Services Benchmark v1.0.0.

Organizations can use the CIS Benchmarks’ secure-configuration guidelines to harden products against attacks. Currently, the guidelines include more than 100 Benchmarks for 25-plus vendor product families in categories including: 

• cloud platforms
• databases
• desktop and server software
• mobile devices
• operating systems

To get more details, read the CIS blog “CIS Benchmarks August 2025 Update.” 

For more information about the CIS Benchmarks list, check out its home page, as well as:

• “Getting to Know the CIS Benchmarks” (CIS)
• “Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In the first of a two-part blog series, Tenable CSO Robert Huber shares how he and his team have guided the company to unified exposure management. You can read the entire Exposure Management Academy series here.

If you’re in cybersecurity, you’ve probably heard or said these words more than a few times: "I don't need more tools." In quiet moments, I often take a deep breath and repeat them like a mantra. 

But tool sprawl underscores a significant challenge our industry created. We've become accustomed to a seemingly endless proliferation of security solutions, each designed to address a specific policy or threat vector. The result hasn’t simplified our lives. On the contrary, we’re buried in a dizzying array of tools and an overwhelming flood of alerts — all of which led to a fundamental disconnect between security efforts and business outcomes. 

Alarmingly, a typical large enterprise might juggle 70 or more technology vendors, each offering a "solution" to a perceived security need. At Tenable, my team manages around 50 different tools. Although some are our own, the sheer volume underscores the pervasive problem. 

As one security leader told me, "I don't want to buy more alerts." 

We've diligently crafted policies for areas like cloud security, network security and vulnerability management. Often, the central assumption is that for us to adhere to these policies, we need yet another tool. 

This creates a vicious cycle: New policies lead to new tools, which generate more alerts, without a corresponding increase in the headcount needed to address them.

The consequence is security teams drowning in data. 

Whether from endpoint detection and response, cloud-native application protection platforms or vulnerability management, the sheer volume of alerts is unmanageable. As one security leader told me, "I don't want to buy more alerts." 

The reality is that organizations don't have the personnel to triage and respond to every notification. This creates an unfortunate bottleneck, with valuable insights lost under a mountain of noise.

Security teams often find themselves generating endless spreadsheets, pivot tables and dashboards for various stakeholders, such as heads of engineering, CIOs and other organizational leaders. And, like audience members at The Oprah Winfrey Show, nobody goes home empty-handed! "You get a report! You get a report! Everybody gets a report!" 

This approach, while well-intentioned, is incredibly inefficient. 

Leaders are left with multiple streams of information, without any clear sense of what's most important or what actions they should prioritize. Instead of having a clear remit, they come back asking, "OK — so, what do you want me to work on?"

This challenge is not theoretical. It's a lived reality even within my company. 

Our vulnerability management team, once singularly focused on vulnerability management, has increasingly become a wrangler of alerts and reports as we've added more tools to their arsenal. And there are no signs of this slowing down. 

The emergence of new technological frontiers, such as artificial intelligence, only makes the problem worse. When leadership and the board inquire about securing AI, a couple of questions come up immediately: 

• Do we have the people?
• Do we have the controls?
• What risk does the use of AI introduce?
• How do we manage that risk?

The answer is often "no" to the first two questions, which leads to the inevitable acquisition of more tools, more alerts, more data and more things to prioritize.

This endless cycle of tool acquisition and alert fatigue highlights a fundamental flaw in our current approach to cybersecurity. We've focused on generating data, but failed to effectively translate that data into actionable insights for the business. 

When discussing cybersecurity with leadership, the conversation shouldn't revolve around the number of assets or findings. Those are operational metrics that generally hold little interest for the C-suite. What they truly want to know is: How does this impact the business? What is the security posture of a revenue-generating or service-providing entity?

Our job as security professionals is to communicate risk to the board. But silos make connecting the metrics to the business a challenge. We need to translate the myriad assets, events and alerts into a business context but there has been no simple way to do that. 

Our job as security professionals is to communicate risk to the board. But silos make connecting the metrics to the business a challenge. We need to translate the myriad assets, events and alerts into a business context but there has been no simple way to do that. 

To bridge this gap, at Tenable, we conduct an annual "Cyber Screen" survey, engaging 5% of the company to identify the most critical business functions, assets and services. This user-centric approach helps us understand what's truly essential to the business, including what needs to be operational 24/7 and what processes cannot fail. 

We combine this with business impact assessments, audits and enterprise-wide events to place our most important functions in buckets. This forms the basis of our internal "scorecard" for the board.

We designed this scorecard for simplicity, with well-understood Red, Yellow and Green areas. 

Simply put, Red signifies a critical risk, Yellow are things that need attention and Green indicates a good security posture. 

This simple, intuitive framework enables leaders to quickly grasp the actual exposure and business impact, regardless of whether they generate revenue. 

This business-centric view is paramount. And, although operational metrics are still valuable for justifying headcount and budget internally, the overarching goal is to provide business leaders and board members with a clear, concise understanding of the enterprise's security impact. They want to know: Is it Red, Yellow or Green? And naturally, their focus will be on the red items.

The industry hasn't yet solved this problem of data overload and fragmented reporting. 

The industry has excelled at selling more alerts and data, but it hasn't adequately helped organizations wrangle that data into meaningful, actionable intelligence. This has led many organizations to build their own "cyber data lakes" and employ dedicated cyber data analysts. It’s a commendable effort but an inefficient use of scarce cyber resources. These individuals should be solving cyber problems, not spending their time on data analytics that should be provided by vendors.

Building these custom data lakes is a significant undertaking. It often starts with seemingly "free" solutions, only to quickly escalate into substantial investments in infrastructure, expertise and countless integrations and workflows. The reality is that many large organizations have taken this path because a consolidated solution hasn't been available. 

Try as it might, the industry has not solved this problem. Attempts to figure out pieces of the problem, like Cyber Asset Attack Surface Management (CAASM) for unified asset inventory, haven’t been effective in unifying assets, risk data and context. This is where exposure management comes in. Tenable pioneered exposure management to solve the unification and context problem we defined earlier. The paradigm is shifting. And it’s shifting to exposure management.

In the next part of this blog series, I’ll look closer at how exposure management can address these very challenges, shrink the tool sprawl problem and enable a more unified, effective approach to cybersecurity.

Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.

CISA stresses that an asset inventory is the foundation for OT security. Meanwhile, NIST has finalized cryptographic algorithms for resource-constrained devices. The agency is also developing control overlays for AI systems. Plus, a report reveals that security budget growth has slowed to a five-year low due to economic uncertainty. And much more!

Here are five things you need to know for the week ending August 15.

Struggling to track your operational technology (OT) wares? Check out a new playbook for how to structure, manage and update an inventory of your OT assets.

Published this week, the new guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has a clear message: an OT asset inventory is the bedrock of any OT security architecture.

“An OT asset inventory – an organized, regularly updated list of an organization’s OT systems, hardware, and software – is foundational to designing a modern defensible architecture,” the document reads. 

Organizations lacking an OT asset inventory have no visibility into their OT wares and consequently can’t secure them, CISA added in the guidance titled “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators.” 

The guide, aimed at OT system owners and operators from all critical infrastructure sectors, recommends inventorying all hardware, software and network components, including each asset’s vendor, model, firmware version, physical location and more. 

But OT operators shouldn’t stop there.

They also must create a taxonomy, because of the diversity of assets in OT environments, such as legacy systems, specialized devices, sensors and instrumentation – along with their usual variety of proprietary communication protocols.

“Owners and operators need context on a component’s role in monitoring and control of the physical process; this may require owners and operators to physically review and inspect assets and associated process areas,” the document reads.

The benefits of classifying OT assets by function and importance are significant:

• Prioritize what matters most.
• Sharpen risk identification and vulnerability management.
• Boost incident response.

Steps To Build An OT Asset Taxonomy

(Source: CISA)

The document, which CISA created in collaboration with multiple U.S. and international government agencies, also details how to continuously maintain and improve OT asset inventories and taxonomies.

The guidance’s ultimate goal is to help critical infrastructure organizations shift from a reactive to a proactive security posture via full asset visibility and thus attain a more resilient and secure OT environment.

“As cyber threats continue to evolve, CISA through this guidance provides deeper visibility into OT assets as a critical first step in reducing risk and ensuring operational resilience,” CISA Acting Director Madhu Gottumukkala said in a statement.

For more information about OT security, check out these Tenable resources:

• “Mind the Gap: A Roadmap to IT/OT Alignment” (white paper)
• “Unlock Advanced IoT Visibility in your OT Environment Security” (on-demand webinar)
• “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
• “Fortifying Your OT Environment: Vulnerability and Risk Mitigation Strategies” (on-demand webinar)
• “Identity Security Is the Missing Link To Combatting Advanced OT Threats”

Here’s one for teams tasked with securing IoT devices.

The National Institute of Standards and Technology (NIST) has finalized a new standard for lightweight cryptography to protect electronic devices with limited computational resources. 

“We encourage the use of this new lightweight cryptography standard wherever resource constraints have hindered the adoption of cryptography,” NIST computer scientist Kerry McKay, who co-led the project, said in a statement this week.

The standard was built for protecting the billions of devices that lack the power for conventional encryption. Think smart appliances, medical implants and industrial sensors that don't have the processing muscle for heavy security.
 

(Credit: Image generated by Tenable using Google Gemini)

Detailed in NIST Special Publication 800-232, the standard is built around the Ascon family of cryptographic algorithms and includes four specific algorithms designed for different security needs.

• ASCON-128 AEAD: Encrypts data and proves it hasn't been tampered with.
• ASCON-Hash 256: Creates a digital fingerprint to detect alterations.
• ASCON-XOF 128 and ASCON-CXOF 128: Allow developers to fine-tune security to match devices’ capabilities.

This new standard is designed for straightforward implementation and offers better protection against "side-channel attacks," where adversaries analyze a device's power consumption or timing to glean information. 

NIST has indicated that this is a foundational standard, with plans to add more features in the future based on community feedback. The goal is to provide a robust and adaptable security solution that can evolve as technology and cyber threats advance.

“There are additional functionalities people have requested that we might add down the road, such as a dedicated message authentication code,” McKay said.

For more information about IoT security:

• “How to Remediate Risk to Critical OT/IoT Systems without Disrupting Operations” (Tenable)
• “What is IoT security?” (TechTarget)
• “How to Unlock Advanced IoT Visibility for Cyber-Physical Systems” (Tenable)
• “Disaster Awaits if We Don’t Secure IoT Now” (IEEE)
• “Top 15 IoT security threats and risks to prioritize” (TechTarget)

Just as cyber threats get worse and security teams get more responsibility, CISOs' budgets are being squeezed due to macroeconomic headwinds.

That’s a key takeaway from the "2025 Security Budget Benchmark Report" published by IANS Research and Artico Search.

"Once again, we find that security budgets are not immune to macro conditions," Steve Martano, IANS Faculty and Partner at Artico Search, said in a statement.

"Despite most companies identifying cyber as a top five business risk, most CISOs are not receiving budget increases commensurate with the increase in security program scope,” he added.

Specifically, year-over-year average growth in security budgets has fallen to a five-year low of 4%, a steep decline from the 8% growth seen in 2024, as companies become more cautious with their spending due to economic unpredictability.

The report, based on a survey of 587 CISOs, blames global market volatility, including geopolitical tensions, tariff uncertainty and fluctuating economic indicators. 

Other key findings include:

• Budgets aren't keeping pace: Security's slice of the total IT budget fell from 11.9% to 10.9%.
• Hiring has slowed: Security staffing growth is down to 7%, the lowest in four years.
• Teams are stretched thin: Only 11% of CISOs say their teams are adequately staffed.

(Source: "2025 Security Budget Benchmark Report" from IANS Research and Artico Search, August 2025)

So what should CISOs do? The report offers three recommendations:

• Align every project with clear business goals.
• Prioritize ruthlessly to protect the organization’s crown jewels.
• Be realistic with your budget asks, and prove the ROI.

For more information about cybersecurity budget strategies:

• “Blown the cybersecurity budget? Here are 7 ways cyber pros can save money” (CSO)
• “Cybersecurity budget justification: A guide for CISOs” (TechTarget)
• “5 steps to prioritize cybersecurity in your 2025 budget” (CFO)
• “How to create an enterprise cloud security budget” (TechTarget)
• “2025 will be the year of CISO fiscal accountability” (VentureBeat)

NIST is building a set of "control overlays" to help organizations lock down their AI systems, and it’s looking for feedback about the initiative. 

NIST outlined the project this week in the document “NIST SP 800-53 Control Overlays for Securing AI Systems Concept Paper,” and also launched a Slack channel for collaborators.

“The control overlays are an implementation-focused series of guidelines that address use cases involving different types of AI systems and specific AI system components,” reads the Control Overlays for Securing AI Systems (COSAiS) project home page.
 

(Credit: Image generated by Tenable using Google Gemini)

The goal of the overlays is to protect the “confidentiality, integrity, and availability” of the users and data for these proposed use cases:

• Using generative AI to create content
• Fine-tuning predictive AI to make better decisions
• Deploying AI agents to automate tasks
• Building secure AI systems from the ground up

The ultimate goal is to offer organizations a “library of overlays” that they can use to reduce the risks of their AI use and development.

NIST is putting out the call for feedback on these use cases. It wants to know if they reflect how AI is really being adopted and which ones to prioritize. NIST is also open to adding use cases to the project. 

NIST foresees releasing a draft of the first use case in early 2026.

For more information about AI security, check out these Tenable resources:

• “The AI Security Dilemma: Navigating the High-Stakes World of Cloud AI” (blog)
• “Tenable Cloud AI Risk Report 2025” (research report)
• “Introducing Tenable AI Exposure: Stop Guessing, Start Securing Your AI Attack Surface” (blog)
• “Mitigating AI-Related Security Risks: Insights and Strategies with Tenable AI Aware” (on-demand webinar)
• “Expert Advice for Boosting AI Security” (blog)

Individuals and organizations that have lost money in crypto scams are being targeted by cyber crooks posing as lawyers.

The warning comes courtesy of the FBI's Internet Crime Complaint Center (IC3), which issued a public service announcement this week, updating a similar one it published last year.

The cyber scammers are now combining multiple exploitation tactics, making their schemes more sophisticated and harder to detect.

“Contact with scammers impersonating law firms continue to pose many risks, including the theft of personal data and funds from unsuspecting victims to the reputational harm of actual lawyers being impersonated,” reads the PSA.
 

(Credit: Image generated by Tenable using Google Gemini)

New information in this updated advisory includes red-flag indicators and due-diligence recommendations.

Red-flag indicators include:

• Scammers using the names and letterhead of real lawyers
• Claims of affiliation with government agencies
• Demands for payment in crypto or prepaid gift cards
• Detailed knowledge of the scams victims suffered, such as exact amounts stolen and wire transfer service used

Due-diligence recommendations include:

• Trust no one, especially alleged law firms that contact you out of the blue.
• Demand proof. Ask for a law license and notarized ID.
• Verify employment if someone claims to work for the government. Call the agency’s local office yourself.

If you believe you have been targeted, file a report with the IC3 at www.ic3.gov.

For more information about cryptocurrency cyber scams:

• “What To Know About Cryptocurrency and Scams” (FTC)
• “Cryptocurrency Investment Fraud” (FBI)
• “Cryptocurrency Scams: How to Spot, Report, and Avoid Them” (Investopedia)

The Tenable One Exposure Management Platform provides a single source of truth for cyber risk, helping Canadian security teams shift from reactive patching to proactive risk reduction. With native support for Canadian data residency and alignment with frameworks like ITSG-33, Tenable One helps Canadian organizations simplify compliance and strengthen their security posture.

The cybersecurity landscape in Canada is becoming more challenging by the day. Threats are evolving, digital transformation is accelerating and regulations are tightening. Canadian organizations – from federal government agencies to local partners and service providers – need visibility, prioritization and remediation strategies so that they can reduce cyber risk and maintain compliance without slowing down operations.

They don’t need another cybersecurity tool. They need a unified strategy.

Enter the Tenable One Exposure Management Platform, which supports these goals by radically unifying security visibility, insight and action across the entire attack surface. With native support for Canadian data residency, localized scanning infrastructure, compliance mapping to Canadian frameworks like ITSG-33, and capabilities spanning vulnerability, cloud, identity and attack surface management, Tenable One is helping Canadian customers and partners operationalize exposure management programs.

Exposure management programs are a pragmatic, risk-based approach to reducing cyber exposure. Its continuous cycle of scoping, discovery, prioritization, validation and mobilization shift security operations from reactive patching to proactive risk reduction.

In Canada, exposure management programs are essential due to:

• The evolving regulatory landscape, especially for public sector and critical infrastructure organizations
• Larger attack surfaces driven by hybrid work, cloud adoption and SaaS sprawl
• Limited cybersecurity talent, requiring greater automation and context-driven workflows
• An emphasis on data residency and trust in the handling of sensitive data

Tenable One addresses these challenges through a unified platform that consolidates and correlates exposures across assets, vulnerabilities, misconfigurations, entitlements and attack paths – and provides Canadian organizations with local infrastructure and compliance support.

Canadian organizations, especially in the public sector, must ensure that their sensitive data remains within national borders. Tenable One is designed with data residency in mind. When customers opt in to the Canadian region, all data associated with Tenable Vulnerability Management and other components of Tenable One is stored in data centers located in Canada.

This support for data localization is not a future roadmap item – it's available today. It’s critical for federal, provincial, and regulated private sector customers.

With Tenable One’s Canada-hosted cloud scanners, customers can reduce latency, improve performance and ensure that scan data stays within Canadian jurisdiction.

Allowing Tenable One customers to choose scanner locations in Canada offers a major advantage to decentralized organizations and MSSPs that need to enforce compliance while serving multiple clients across the country.

The Government of Canada's ITSG-33 is a cornerstone of security compliance for public sector organizations. It provides a lifecycle-based framework for IT security risk management.

Tenable One supports ITSG-33 alignment by providing visibility into:

• Vulnerabilities and misconfigurations across hybrid environments
• Identity exposures and misused privileges
• External attack surfaces, including shadow IT and third-party risks

These insights help organizations assess risk against defined threat models, implement appropriate security controls and support ongoing assessment and authorization phases of ITSG-33. By enabling continuous monitoring and automated reporting, Tenable One simplifies compliance workflows and helps security teams focus on what matters most.

Tenable One also includes Tenable Cloud Security, a cloud-native application protection platform (CNAPP) that is actively in use by Canadian federal customers. As cloud adoption continues to expand across government departments and Crown corporations, it’s critical to detect and remediate misconfigurations, overprivileged identities and lateral movement risks in cloud environments.

Tenable Cloud Security delivers:

• Agentless visibility into multi-cloud environments
• Mapping of misconfigurations and risks to compliance frameworks
• Integration with CI/CD pipelines to prevent drift and enforce policy

This makes it an ideal solution for cloud-smart strategies while maintaining visibility, governance and risk reduction at scale. For departments leveraging Government of Canada (GC) data centres, including end-state data centres (EDCs), Tenable Cloud Security also provides exposure management capabilities for self-hosted Kubernetes clusters.

We’re invested in the success of our Canadian partners. Tenable One’s multi-tenant capabilities, open APIs and integration with popular SIEM, SOAR and ITSM tools make it easy for managed service providers, systems integrators and resellers to build scalable, differentiated exposure management offerings for customers.

Tenable's investment in Canadian infrastructure, localization support, culture of transparency and compliance alignment helps partners win and retain business in regulated verticals such as:

• Federal, provincial and municipal governments
• Healthcare and public health agencies
• Financial services
• Energy and utilities

By building their exposure management services on Tenable One, partners reduce operational overhead while providing tangible security outcomes for clients.

Tenable One enhances the tools you already own. With pre-built connectors, the platform ingests asset data and associated weaknesses from your ecosystem to:

• Centralize risk data for complete, contextualized visibility.
• Reveal hidden relationships between vulnerabilities, misconfigurations and entitlements, and to expose toxic risk combinations.
• Identify remediation choke points that, if addressed, can dramatically reduce overall business risk.

By building on existing security investments, this approach helps Canadian organizations accelerate their exposure management program maturity.

At the heart of Tenable One is its ability to unify data from disparate sources and present prioritized, risk-based actions to reduce exposure. Unlike siloed tools that deliver point-in-time assessments, Tenable One delivers:

• Asset inventory across cloud, on-prem and OT environments
• Continuous vulnerability assessment
• Identity exposure management
• External attack surface discovery
• Threat-informed risk scoring and predictive analytics

Canadian organizations gain a single source of truth that is compliant with local laws, actionable within ITSG-33 frameworks, and scalable across hybrid environments.

Facing increasing regulatory scrutiny, distributed attack surfaces, and resource constraints, Canadian organizations need more than just vulnerability management. They need exposure management – delivered through a platform that supports data residency, simplifies compliance, and enables continuous, measurable improvement.

Tenable One is delivering on that promise. From data residency and local scanners to support for federal compliance frameworks, the platform empowers security teams to turn exposure management programs into a core operational advantage.

To learn more about how Tenable One supports exposure management initiatives, visit tenable.com/products/tenable-one.

• What is Exposure Management?
• What is CTEM?
• The role of exposure assessment platforms (EAPs) in CTEM
• Data Security FAQ | GDPR Alignment
• ITSG-33 Audit Details Dashboard
• ITSG-33 Audit Details Report
• Cloud-Smart Strategies
• A lifecycle approach (ITSG-33)
• MSSP Partner Program

Exploit code is reportedly available for a critical command injection vulnerability affecting Fortinet FortiSIEM devices.

On August 12, Fortinet published a security advisory (FG-IR-25-152) for CVE-2025-25256, a critical command injection vulnerability affecting Fortinet FortiSIEM.

CVE-2025-25256 is a critical operating system (OS) command injection vulnerability affecting Fortinet FortiSIEM. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests.

According to the advisory, exploitation of this flaw does not “produce distinctive” indicators of compromise (IoCs). As such, it may be difficult to identify that a device has been compromised.

Historical Exploitation of Fortinet Devices

Fortinet vulnerabilities have historically been common targets for cyber attackers, with 20 CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.

At the time the advisory was published by Fortinet on August 12, they warned that “practical exploit code” had been found in the wild, though they did not provide a link to the exploit. Tenable Research has attempted to identify a functional proof-of-concept (PoC) for this flaw, however, we have not successfully located one as of the time this blog was published.

The following table details the affected and fixed versions of Fortinet devices for CVE-2025-25256:

Fortinet’s security advisory advises if immediate patching is not able to be performed, they recommend limiting access to the phMonitor port of 7900. We strongly recommend reviewing the advisory for updates as well as the latest on mitigation or indicators of compromise (IoCs).

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-25256 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

• Fortinet FG-IR-25-152 Security Advisory

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Find out how adopting a proactive approach to secure your operational environments can help you reduce risk and eliminate downtime.

For a long time, operational technology (OT) environments were considered isolated and "air-gapped," supposedly immune to the cyber threats plaguing the IT world. In reality, that hasn't been the case for many years. IT and OT systems are inextricably linked.

Sophisticated cyber attacks on critical infrastructure, manufacturing, power grids, data centers and other sectors demonstrate that securing OT isn't just a best practice — it's a national and economic imperative. Most attacks originate on the IT side, and often go undetected by traditional, siloed OT security tools.

It can be daunting for CISOs and SecOps teams to find themselves responsible for OT security. You’re inheriting responsibility for systems you don’t fully understand — programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, industrial control networks. All with their unique terminology, devices, protocols and operational practices. Additionally, you’re working with operations teams who are focused on maintaining operational continuity and “keeping-the-machines-running” 24x7. They can’t afford any downtime.

Perhaps you're new to the world of OT, or you've recently joined a team where OT security is now a core part of your responsibilities. You might be asking yourself, "What even is a PLC?" or "How can I improve my OT security knowledge?" You're not alone. Many security professionals are navigating the unique challenges of securing operational environments for the first time.

We understand that organizations need fewer, more integrated tools, and not a proliferation of them. To bridge this gap and address the evolving threat landscape, Tenable is helping organizations fundamentally shift their OT security approach.

We continuously invest in “deep core” OT security capabilities for asset discovery, risk-based vulnerability management, continuous monitoring, and more. All of our solutions, including Tenable OT Security, are backed by Tenable Research and industry-leading vulnerability intelligence, many years of experience and thousands of networks secured.

But we're always looking ahead to the future, paving the way forward with Tenable One. Looking to empower security teams with a unified platform to assess, prioritize and remediate risk across the entire attack surface — from cyber-physical systems (OT, IT, IoT), identities, web apps and cloud to AI tools, and everything in between.

Let’s start with a scenario that is all too familiar for security teams concerned with OT risk:

A security analyst identifies a critical vulnerability or a misconfiguration already on a PLC that controls a key part of the production line. In line with typical procedures, they go to the operations team to request the device be taken down soon for patching.

The response? “No way! We’re not doing that.”

The operations team simply cannot afford unplanned downtime. This creates a dangerous stalemate: the security team faces a known risk on a critical asset that can’t be immediately remediated, and the operations team is forced to accept the risk to keep business-critical systems online. As a result, risk remains, and the production line, supply chain and overall operational continuity are all at risk.

As shown in the graphic below, attackers look to move laterally through your environment anywhere they can gain a foothold in your IT and OT systems, including by exploiting unpatched IT-side vulnerabilities (e.g., CVEs, misconfigurations) or taking advantage of identity exposures to gain access downstream to critical assets, data and processes.

It’s not just about being proactive; it’s about finding an efficient way to reduce risk quickly without disrupting operational continuity. To do this, security teams need the right tools and processes in place to identify and fix the root cause of OT risk earlier in the attack chain — often on the IT side of the house.

The goal is to answer the most pressing question: "How can you reduce my risk exposure today without disrupting critical operations and physical processes?"

Traditional, siloed security tools simply aren't equipped for proactive security. They provide fragmented views that make it difficult to connect the dots between IT and OT risk, and everything in between.

That’s where exposure management comes in. It transcends silos, giving you a unified view of your entire attack surface — so you can focus on addressing the cyber risks that are most likely to be exploited in your environment. With exposure management, you can proactively address the preventable, exploitable and most impactful risks much earlier.

A proactive exposure management approach, aligned with the Tenable Exposure Management Lifecycle shown below, enables you to identify and mitigate critical cyber exposures before they’re exploited, unlike reactive approaches that only alert you after a threat manifests.

Unlock a stronger security posture with the Tenable Exposure Management Lifecycle, which combines Strategy, Visibility, Insight and Action to continuously identify, prioritize and remediate your organization's most critical exposures.

Remember that risk alert we were talking about on a PLC? With traditional siloed security tools your only option would be to wait for the next scheduled maintenance interval (probably in several months) to address the issue. With Tenable, you can trace potential attack paths from that vulnerable PLC to other systems in your environment and take immediate action to cut off their exposure, reducing risk well before that scheduled maintenance window.

Built-in capabilities such as Attack Path Analysis, MITRE ATT&CK Mapping and Network Maps allow you to instantly visualize the entire attack chain:

• The PLC is connected to an engineering workstation.
• That workstation has a known, exploitable vulnerability and is misconfigured.
• The workstation can be accessed by a “remote access user group.”
• One of the users on that group is a domain administrator account whose credentials were recently compromised.

Suddenly, you can see the full blast radius. The problem isn't just a vulnerability on a PLC; it's a clear, exploitable path from an IT identity compromise to the potential shutdown of your core operations. You've found the IT-side choke point that you can fix now.

Now, instead of burdening your OT team with unplanned downtime, you've mitigated the risk while giving them cover to keep systems up and running until the next scheduled maintenance window. Even better: next time, the operations team won't cringe when you contact them about a vulnerability — they’ll appreciate the essential coverage the security team provides.

Additionally, AI-powered security recommendations help surface timely insights and automate time-consuming investigations by delivering immediate, intelligent answers and one-click guidance. This simplifies a complex investigation down to a clear, actionable remediation plan.

For example, looking at the attack path, a SecOps analyst can ask simple, direct questions:

• "What is this PLC device and what does it do?”
• “Who was trying to attack it? And how?"
• “Has the Cybersecurity and Infrastructure Security Agency (CISA) flagged this device model vulnerability or advisory?"
• “What actions can I take right now to break this attack path and reduce risk today?"

See Tenable AI Aware in action →

Adopting a unified approach to managing exposure does a lot more than reduce risk; it fundamentally changes the dynamic between security and operational teams. The two groups often feel like they don’t speak the same language. Exposure management provides a powerful bridge, creating a shared language of immediate and timely risk reduction.

The conversation changes from:

Security: "You have to take down this critical asset right now."

Operations: "No."

To a collaborative partnership:

Security: "We found a critical risk to a PLC. We have already mitigated the immediate threat by fixing a problem on our side. The asset is protected for now, but let's work together to schedule a patch during the next maintenance window."

Operations: "Excellent news, we’ll buy the pizza this time!”

With exposure management, security teams are empowered with a faster triage and clear and faster remediation paths, while operational teams benefit because they can maintain operational continuity.

Without deep visibility into your OT environment, your security strategy is incomplete. You're essentially flying blind in a significant portion of your operational landscape. True cyber resilience comes from a holistic understanding of your attack surface. That’s why our vision for exposure management includes OT security as a key pillar of our product portfolio.

Tenable has an unmatched framework for reducing tool sprawl and delivering a complete, unified view of risk. This is vital if you want to assess and mitigate risk across your entire organization. By unifying data from IT, OT, IoT, cloud and identities, we’re able to deliver a seamless workflow, complete asset inventory and context-aware prioritization that legacy OT security tools and point solutions can’t match. And with more than 300 third-party integrations, we’ve built the industry’s most open platform for exposure management to date.

Explore all Tenable integrations →

By focusing on exposure and providing a unified platform to see, predict and act on threats, we’re helping our customers move beyond the limitations of the past and safeguard their most critical assets from the threats of tomorrow.

• Dive deeper into the challenges and solutions for securing OT with our eBook “Blackbox to blueprint: a security leader’s guide to managing OT and IT risk”.
• Learn more about Tenable OT Security and how it fits into your cybersecurity roadmap.
• Explore our complete Tenable One Exposure Management Platform, offering scalable security solutions for the entire attack surface.

1. 13Critical
2. 91Important
3. 2Moderate
4. 1Low

Microsoft addresses 107 CVEs, including one zero-day vulnerability that was publicly disclosed.

Microsoft patched 107 CVEs in its August 2025 Patch Tuesday release, with 13 rated critical, 91 rated as important, one rated as moderate and one rated as low.

This month’s update includes patches for:

• Azure File Sync
• Azure OpenAI
• Azure Portal
• Azure Stack
• Azure Virtual Machines
• Desktop Windows Manager
• GitHub Copilot and Visual Studio
• Graphics Kernel
• Kernel Streaming WOW Thunk Service Driver
• Kernel Transaction Manager
• Microsoft 365 Copilot's Business Chat
• Microsoft Brokering File System
• Microsoft Dynamics 365 (on-premises)
• Microsoft Edge for Android
• Microsoft Exchange Server
• Microsoft Graphics Component
• Microsoft Office
• Microsoft Office Excel
• Microsoft Office PowerPoint
• Microsoft Office SharePoint
• Microsoft Office Visio
• Microsoft Office Word
• Microsoft Teams
• Remote Access Point-to-Point Protocol (PPP) EAP-TLS
• Remote Desktop Server
• Role: Windows Hyper-V
• SQL Server
• Storage Port Driver
• Web Deploy
• Windows Ancillary Function Driver for WinSock
• Windows Cloud Files Mini Filter Driver
• Windows Connected Devices Platform Service
• Windows DirectX
• Windows Distributed Transaction Coordinator
• Windows File Explorer
• Windows GDI+
• Windows Installer
• Windows Kerberos
• Windows Kernel
• Windows Local Security Authority Subsystem Service (LSASS)
• Windows Media
• Windows Message Queuing
• Windows NT OS Kernel
• Windows NTFS
• Windows NTLM
• Windows PrintWorkflowUserSvc
• Windows Push Notifications
• Windows Remote Desktop Services
• Windows Routing and Remote Access Service (RRAS)
• Windows SMB
• Windows Security App
• Windows StateRepository API
• Windows Subsystem for Linux
• Windows Win32K GRFX
• Windows Win32K ICOMP

Elevation of privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 32.7%.

CVE-2025-53779 is an EoP vulnerability in Windows Kerberos. It was assigned a CVSSv3 score of 7.2 and is rated moderate. An authenticated attacker with access to a user account with specific permissions in active directory (AD) and at least one domain controller in the domain running Windows Server 2025 could exploit this vulnerability to achieve full domain, and then forest compromise in an AD environment.

This is a patch for a zero-day vulnerability dubbed BadSuccessor by Yuval Gordon, a security researcher at Akamai. It was disclosed on May 21. For more information on BadSuccessor, please review our FAQ blog, Frequently Asked Questions About BadSuccessor.

CVE-2025-49712 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.

This RCE follows on the heels of the ToolShell vulnerabilities that were disclosed in the July 2025 Patch Tuesday release and exploited in the wild as zero-days.

CVE-2025-53778 is an EoP vulnerability affecting Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated as critical. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM. This flaw was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

This marks the second critical EoP affecting Windows NTLM in 2025, following CVE-2025-21311 which was patched in the January 2025 Patch Tuesday release.

CVE-2025-50177, CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). While three of these four CVEs (CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145) were assigned CVSSv3 scores of 8.8 and rated as important, CVE-2025-50177 was assigned a CVSSv3 score of 8.1 and rated as critical. Similarly, CVE-2025-50177 was assessed as “Exploitation More Likely,” while the other three were assessed as “Exploitation Less Likely.”

In order to exploit these CVEs, an attacker would need to send a crafted MSMQ packet to a vulnerable server in order to achieve code execution.

A list of all the plugins released for Microsoft’s August 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

• Microsoft's August 2025 Security Updates
• Tenable plugins for Microsoft August 2025 Patch Tuesday Security Updates

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The recent exploitation of Microsoft SharePoint vulnerabilities highlights a critical gap in traditional, reactive cybersecurity strategies. Learn how a proactive exposure management approach empowers federal agencies to reduce risk, streamline operations and stay secure.

Weeks ago, Microsoft disclosed four vulnerabilities affecting on-premises versions of SharePoint servers and warned about active exploit campaigns. So far, hundreds of organizations globally have been impacted, including the U.S. National Nuclear Security Administration (NNSA). Attackers include Chinese nation-state groups.

This attack highlights a growing reality: reactive cybersecurity practices are no longer sufficient in the face of today’s persistent and well-resourced adversaries.

In this blog, we’ll explore why these SharePoint vulnerabilities and attacks should serve as a wake-up call for federal agencies and how a proactive exposure management approach can help mitigate risk, increase efficiency, reduce costs and accelerate modernization initiatives. 

The SharePoint vulnerabilities underscore the risks of traditional, reactive security models that focus primarily on detection and response. The Chinese threat actor groups exploiting the vulnerabilities frequently use stolen credentials to establish persistent backdoors. This means that while patching a vulnerability is critical, it may not be enough. Once attackers gain access, they could maintain persistent footholds within agency environments, long after the original flaw has been addressed. On-premises servers, like the SharePoint servers affected by these vulnerabilities, are often popular targets for hackers, because organizations often set them up and then fail to regularly update them and patch their vulnerabilities. (SharePoint Online in Microsoft 365 isn’t affected.)

Look no further than the high-severity Microsoft Exchange vulnerability (CVE-2025-53786), which Microsoft disclosed last week and prompted CISA to issue Emergency Directive (ED 25-02). This elevation-of-privilege vulnerability allows attackers with administrative privileges to on-prem Exchange Servers to escalate privileges and compromise connected cloud environments.

“For on-premises software like SharePoint, which is deeply integrated into the Microsoft identity stack, there are multiple points of exposure that need to be continuously monitored in order to know, expose and close critical gaps.”

 - Robert Huber, Chief Security Officer, Tenable, speaking to Wired

Historically, many agencies have relied on perimeter defense and reactive detection mechanisms to address threats after the fact. This approach leaves security blind spots, particularly in complex agency environments where on-prem, cloud, OT and identity systems intersect. 

When attackers can exploit a single vulnerability to steal credentials and navigate laterally across a network, agencies need a better way to anticipate and prioritize risk before adversaries act. Accelerating response times is key. When working with IT teams to patch hundreds of vulnerable instances, it’s critical to start with the highest risk exposures, such as those with domain privileges, external-facing systems, or assets connected to critical attack paths, then work down from critical to low exposure. This target approach ensures resources are focused where they can have the greeted impact, faster. 

A preventative approach to cybersecurity focuses on identifying and eliminating exposures before they’re exploited. This is where exposure management becomes critical. It provides visibility across your entire environment, prioritizing risk based on context and guiding action before attackers can take advantage. Just as importantly, it accelerates response times, empowering teams to move quickly by focusing first on the exposure that poses the greatest risk. 

Exposure management enables agencies to:

• Understand your attack surface: Agencies gain a holistic view of all assets including cloud, IT, OT, IoT, identities and apps.
• Pinpoint preventable risks: Because exposure management can detect vulnerabilities, misconfigurations and excessive privileges, you’ll quickly identify high risk assets.
• Accelerate response and remediation: Prioritize and address exposures that are externally facing, linked to privileged access or part of critical attack paths. This reduces dwell time and minimizes impact.
• Connect with mission goals: Group assets by business function using asset tagging and track exposure changes with cyber exposure scores.
• Shift focus from vulnerabilities to risk: Go beyond volume by understanding exploitability, asset value and business impact and mapping attack paths to critical assets.
• Understand true your risk exposure: Consolidate siloed data from multiple tools into a single platform, reducing complexity and enabling faster, more informed decisions. 

Federal agencies face a unique set of cybersecurity challenges: complex hybrid environments, aging infrastructure, siloed systems and increasing pressure to comply with evolving mandates like zero trust and Federal Information Security Management Act (FISMA) modernization. Exposure management platforms help agencies overcome these challenges by providing the following benefits.

Exposure management delivers a single, continuous view of all assets across IT, cloud, OT/IoT, web apps and identity systems, so agencies can eliminate blind spots and uncover hidden risks. For example, in the case of the recent SharePoint vulnerabilities, agencies can leverage external attack surface management (ASM) to discover previously unknown, internet-facing SharePoint instances that could be exposed to threat actors.

Agencies can shift from reactive alert fatigue to proactive risk reduction by focusing on exposures most likely to be exploited based on asset criticality, business impact and potential attack path. In the case of the SharePoint vulnerabilities, agencies can quickly isolate SharePoint assets with toxic risk combinations, such as those that are internet-facing or have excessive privileges, so teams can take immediate action instead of trying to boil the ocean.

Exposure management ties asset and identity insights together to help agencies enforce zero trust principles like least privilege, continuous validation and segmentation. In the case of SharePoint, this approach could have enabled agencies to quickly pinpoint which vulnerable instances were externally accessible or had elevated domain privileges, knowledge that is critical for limiting lateral movement and enforcing access controls

Instead of relying on multiple siloed tools to manage assets and vulnerabilities across the attack surface, exposure management unifies these capabilities under one platform. This reduces complexity, improves response times and cuts overhead costs. In response to the Sharepoint vulnerabilities, for example, agencies could eliminate the need to toggle between endpoint, network, cloud and identity tools so that analysts can streamline investigations and quickly identify and prioritize impacted systems.

By automating asset discovery, risk prioritization and remediation workflow, exposure management allows security teams to respond quickly and effectively, even with limited resources. For example, when the SharePoint vulnerabilities emerged, agencies could have immediately surfaced affected assets, prioritize those with toxic risk combinations and initiated guided response actions, all in a single platform with centralized visibility and reporting. 

To meet federal mandates and demonstrate mission aligned outcomes, agencies need clear metrics and reporting. Exposure management enables agencies to track compliance with service level agreements, visualize risk reduction over time and generate consolidated reports that span IT, cloud, identity and OT environments. In the context of SharePoint, this means standing up focused remediation initiatives with measurable impact and clearly showing progress to leadership and auditors alike. 

With an exposure management platform, federal agencies not only improve security outcomes, they simplify operations, reduce costs and accelerate strategic initiatives like zero trust and broader IT modernization.

Tenable’s FedRAMP-authorized Tenable One Exposure Management Platform gives federal agencies the visibility and insight they need to stay ahead of threats like the SharePoint vulnerability. 

• Tenable Research Blog: CVE-2025-5337: Frequently Asked Questions About Zero Day SharePoint Vulnerability Exploitation
• Tenable eBook: Protecting federal government infrastructure and data from cyber attacks
• Datasheet: Tenable One FedRAMP

Most breaches don’t happen because of one glaring issue. They happen when multiple, seemingly low-risk factors silently combine. Learn how invisible risk combinations evade siloed security tools and how an exposure management program gives defenders the context they need to stop attacks before they start.

We often hear that cybersecurity is a game of cat and mouse. But the reality is far more alarming: attackers are playing a different game entirely, and they’re winning. Not because their methods are better, but because their perspective is.

While most security teams still operate in silos, attackers view your environment as one interconnected system. They don’t see isolated issues. They see opportunities in the invisible risk combinations hidden across your environment.

Let’s face it, most security organizations are structured around specific domains — vulnerability management, cloud security, application security, identity and access management (IAM), operational technology (OT) security and more. Each domain has its own tools, its own data and its own separate workflows. And while specialization is important, this siloed approach creates major blind spots when it comes to understanding real risk exposure.

Even with countless security tools scanning every corner of your environment and generating endless findings, your teams are likely still missing the bigger picture. When you assess risk in isolation, without understanding how different asset types or seemingly unrelated weaknesses can connect, it’s almost impossible to see how attackers can actually move through your environment.

Consider this real-world example from a leading U.S. bank — an organization that had invested heavily in security. They had dozens of tools, followed best practices and checked all the boxes. Yet, despite all that, they suffered a major breach that exposed the personal data of over 100 million of their customers.

The fallout?

$650 million in fines and settlements, not to mention the long-term damage to their reputation.

So, what went wrong?

The breach traced back to a single, low-priority misconfigured firewall. To the team responsible, it was just one item in a backlog of thousands. Nothing urgent, nothing unusual.

But that seemingly minor misconfiguration became the entry point for an attacker. It enabled a server-side request forgery (SSRF) attack, which allowed access to temporary IAM credentials from Amazon Web Services’ (AWS) metadata service. From there, the attacker gained access to Simple Storage Service (S3) buckets containing sensitive customer data.

The issue wasn’t a lack of alerts. It was a lack of context.

Without the technical insight to understand how the assets were connected — or the business perspective to recognize that the path led directly to sensitive data — no one could see how the pieces fit together.

This is what we mean by invisible combinations of risk: the kinds of connections attackers see, but your security team doesn’t.

Security isn’t just about identifying vulnerabilities; it’s about understanding them in context. Without that context, even the most advanced tools can create a false sense of security. A weakness might seem low priority on a dashboard, but could pose a serious risk when connected to other issues. On the other hand, weaknesses that don’t pose a real existential threat to the organization can be flagged as critical, flooding teams with alerts that are hard to prioritize.

To stay ahead of modern threats, you need to move beyond siloed, reactive practices and adopt a proactive, unified strategy that mirrors how attackers think and operate.

This is where exposure management comes in. It brings together all the essential elements of a modern, risk-based strategy, allowing you to:

• Close your visibility gaps: Eliminate blind spots and uncover hidden risks and critical overlaps across your entire attack surface.
• Expose possible attack paths: See how your assets, users and systems interconnect to uncover potential routes for lateral movement.
• Protect what matters most: Understand where your business-critical assets and sensitive data reside, so you can direct resources to what matters most to your organization.
• Cut through alert noise: Prioritize weaknesses for remediation based on real-world attacker behavior and likelihood of exploitation, reducing alert fatigue.
• Stop attackers in their tracks: Spot choke points to break the chain before an attack can even begin.

This is the core of exposure management — a strategy anchored by a platform that unifies all the essential context to reduce risk in a way that reflects how real-world attacks play out in your environment.

Tenable One, one of the world’s leading AI-driven exposure management platforms, is purpose-built to break down data and organizational silos. It serves as the central hub to reduce risk across your entire attack surface. With built-in attack path analysis, Tenable One helps you see your environment the way an attacker would: identifying likely entry points, visualizing lateral movement across assets, understanding the potential business impact and pinpointing choke points where risk can be cut off at the root.

You can explore these attack paths interactively — click into any asset for details, get an instant AI-generated summary of the attack techniques involved and even chat with our AI assistant for answers to everything from asset context to step-by-step remediation guidance.

By shifting from fragmented tools to unified exposure insight, your team can move from reactive to proactive, staying ahead of a breach instead of scrambling to respond after it happens.

Learn more about Tenable One >>

Within just 24 hours of the release of OpenAI’s GPT-5, Tenable Research successfully managed to jailbreak the model by getting it to share detailed instructions for how to build an explosive. Our finding is concerning, given that OpenAI described GPT-5's prompt safety technology as significantly more sophisticated than the one used by its predecessors.

OpenAI officially unveiled GPT-5 on August 7, 2025, positioning it as their most advanced language model to date and a “significant step along the path to AGI.” Boasting expert-level capabilities across writing, coding, math and science, OpenAI says GPT-5 delivers enhanced speed, accuracy, and contextual understanding, while significantly reducing hallucinations. 

OpenAI also promised significant enhancements in the area of prompt safety, saying that GPT-5 has a more sophisticated method of assessing whether and how to respond to prompts. AI models such as GPT-5 are designed with built-in guardrails to ensure responsible usage, including preventing the model from being used for illegal or harmful purposes.

Specifically, GPT-5 no longer uses its predecessors’ “refusal-based safety training” but rather a new method called “safe completions” that OpenAI describes as more nuanced and smarter, as explained in OpenAI’s article “From hard refusals to safe-completions: toward output-centric safety training” and its eponymous research paper.

With that being promised, just 24 hours after its release we were able to successfully jailbreak this “more responsible” model and convince it to provide detailed instructions for how to build a Molotov cocktail.

That’s why our prompt below and the resulting advice from GPT-5 raises alarm bells. 

Using an implementation of the crescendo technique, we managed to get the full recipe for a Molotov cocktail using just four questions.

This is how it happened:

1. We became a “history student.” 

    

2. We showed interest in the historical aspects of it.
    

    

3. Now we got super interested in the recipe itself and we got the details on the materials needed.
    

    

4. We wanted to be an expert and that’s how we got the full step-by-step guide to mixing a Molotov cocktail. 
    

Unfortunately, it’s clear that misusing ChatGPT-5 for malicious purposes isn’t that complicated, despite OpenAI’s attempts to beef up the product’s safety features. Our successful jailbreak of GPT-5 is far from the only one. Multiple other researchers and regular users in recent days have documented a variety of problems with the quality of GPT-5’s prompt responses, including jailbreaks and hallucinations.

In response, OpenAI has said that it is implementing fixes. However, your employees may already be using the model and potentially introducing risk into your organization.

This provides further evidence that solutions like Tenable AI Exposure are vitally important for getting control over the AI tools your organization uses, consumes and builds in-house -- in order to ensure your AI use is responsible, secure, ethical and compliant with regulations and laws around the world.

Click here to learn more about Tenable AI Exposure

Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, we learn about life before and after exposure management, from members of Tenable’s own security team. You can read the entire Exposure Management Academy series here.

If you’re a cybersecurity pro, you know the drill: You log in to face a deluge of alerts from a dozen (or more!) different tools. Armed with little more than a cup of coffee and a protein bar, you forge ahead into the sea of red.

One system flags a cloud misconfiguration. Another finds a critical vulnerability. Oh, and all the while, the vulnerability management dashboard is still glowing scarlet. Like you need that reminder.

Recently, two members of the Tenable cybersecurity team, Saeed Elahi, Head of Cyber Risk and Assurance, and Arnie Cabral, Senior Staff Information Security Engineer, joined a webinar, How Tenable Optimized Security Effectiveness and Efficiency with Exposure Management, to share their journey from the kind of security chaos we just described to the clarity that comes with exposure management.

Elahi and Cabral described the initial state of their cybersecurity program. If you’re in cybersecurity, the story will ring a few bells. Like many of their peers, their security organization was built around silos. There were dedicated teams for identity management, application security and cloud infrastructure. They operated pretty well within their own domains. But each used specialized tools. 

Elahi described this structure as creating “organizational drag,” with inefficient communication and challenges aligning priorities across the organization.

A visualization of the organization looked like a plate of spaghetti. But rather than a delectable Bolognese, this was a chaotic web, with data from a dozen security tools flowing from various engineering and IT teams. A lack of central aggregation made getting a unified view of the organization’s risk posture an impossibility. 

Source: Tenable, 2025

Three significant challenges arose from the silos:

• Data overload: Alerts were unrelenting and impossible to wrangle, with multiple tools often flagging the same problem on the same asset. This added up to duplicate work and overwhelmed analysts.
• No attacker’s view: Cabral said that, although internal sensors were robust, the siloed data didn’t see the whole picture. He added that not being able to see things from the bad guy’s perspective put them at a disadvantage because they couldn’t see how an attacker could piece together disparate weaknesses or exploit shadow IT assets.
• Too many manual tasks: Engineers were consumed by low value tasks like pulling data, consolidating it in a spreadsheet and correlating the findings. Daily life was a struggle to balance the need to understand the piles of data streaming in with equally critical security work.

The turning point came when CSO Robert Huber issued a clear directive: Get everything into one place. And do it now!

The mandate forced a rethink. The old processes and technologies needed a thorough overhaul, and that meant the vulnerability management team went from managing about five tools to two- to three-times that number. 

Like many engineers, their first thought was to build a new solution themselves. So, using a business intelligence tool, they made a valiant effort to create a custom dashboard that would unify all their security data. There’s often nothing as bracing as a first effort that doesn’t quite work. That was the case here. It was simply not feasible. 

Cabral said the effort was "taking too long and costing too much money." Two months in, data was still siloed and all they’d done was some testing. 

Soon, Elahi and Cabral had a strategic realization. A security program shouldn’t turn its engineers into full-time software developers. Instead, with limited resources, the team needed to focus on securing the company. So they started looking for a dedicated platform. And the solution was right in front of them.

The team quickly moved to adopt a Continuous Threat Exposure Management (CTEM) program, in which an exposure assessment platform helped lead to a fundamental redesign of their workflow. They transformed that chaotic spaghetti diagram into an elegant, logical model with all security tools feeding into a single, intelligent system. 

Source: Tenable, 2025

Those pesky silos, including everything from vulnerability scanners to cloud security agents, were essentially a thing of the past.

With this unified platform in place, the team gained a few powerful capabilities:

• Complete visibility: The team said that the unified platform provided an immediate and complete picture of the attack surface. They discovered “thousands upon thousands” of assets they didn’t know existed.
• Smart deduplication: The way the platform is able to understand context changed the game for the team. When three tools flagged the same vulnerability on the same server, those findings were consolidated into a single alert.
• Automated workflow: The shift eliminated all that manual drudgery. Cabral said the platform now handles the “dirty work” of automatically correlating findings and prioritizes them based on factors like exploitability and asset criticality. It also creates a single, actionable JIRA ticket that automatically goes to the right team.

Talk about night and day, right? The old problem of more noise than signal was finally solved. That flood of alerts was reduced to a trickle. And finally, the security team had a short, clear list of exactly what needed to be fixed and why.

The results of the transition were immediate and quantifiable.

One dramatic metric jumped out. The team was able to reduce thousands of raw security alerts into just 10 actionable tickets. You read that right. It’s a pretty powerful demonstration of the value of exposure management. 

But the benefits didn’t end there. 

The team’s overall productivity doubled and reports that once took days of manual effort became available in seconds. 

The most significant (and positive!) impact was on the team itself. Freed from all the manual administrivia, engineers could finally be engineers again. They had time to focus on more specialized, engaging, high-value work like threat hunting. 

The journey of Tenable's cybersecurity team shows how security operations have evolved. By moving from a siloed, reactive model to unified exposure management, they were able to eliminate noise, increase efficiency and ultimately strengthen the company’s security posture.

Check out the Tenable exposure management resource center to discover the value of exposure management and explore resources to help you stand up a continuous threat exposure management program.

Check out what CISA found after it dissected malware from the latest SharePoint hacks. Plus, the U.K.’s cyber agency is overhauling its cyber framework to keep pace as threats escalate. In addition, CISA is sounding the alarm on a high-severity vulnerability impacting hybrid Exchange environments. And get the latest on the sophistication of cloud attacks and on a CISA report about a critical infrastructure org’s cyber flaws.

Editor's note: This blog was updated on Friday, August 8 with an item about CISA's Emergency Directive 25-02 regarding CVE-2025-53786, an elevation-of-privilege vulnerability impacting hybrid Microsoft Exchange environments.

Here are six things you need to know for the week ending August 8.

CISA has published an analysis of six malware files associated with SharePoint vulnerabilities that have been actively exploited in recent weeks.

Hackers are using the files – including web shells and a key stealer – to swipe cryptographic keys and exfiltrate data by running malicious code, CISA said in a statement this week.

“CISA encourages organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify malware samples,” reads the report titled “MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities.”
 

The vulnerabilities – CVE-2025-49706, CVE-2025-49704, CVE-2025-53770 and CVE-2025-53771 – impact on-premises versions of SharePoint Server: SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint 2016. SharePoint Online in Microsoft 365 isn’t affected. 

The first attacks were reported on July 19, as hackers linked CVE-2025-49706 and CVE-2025-49704 in an exploit chain dubbed “ToolShell.” The exploitation of CVE-2025-53770, a zero-day bug Microsoft described as a variant of CVE-2025-49706, soon followed. 

Although Microsoft has not confirmed it, it’s likely that CVE-2025-53771 has also been exploited, since it can be chained with CVE-2025-53770, according to CISA.

To get the details on these SharePoint vulnerabilities, check out the Tenable Research Special Operations team’s blog “CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation.”

Attackers exploiting these SharePoint vulnerabilities include, according to Microsoft, Chinese nation-state groups Linen Typhoon and Violet Typhoon, as well as China-based ransomware actor Storm-2603..

To get more information about these SharePoint vulnerabilities, check out:

• “Disrupting active exploitation of on-premises SharePoint vulnerabilities” (Microsoft)
• “Customer guidance for SharePoint vulnerability CVE-2025-53770” (Microsoft)
• “CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation” (Tenable)
• “SharePoint 0-day uncovered (CVE-2025-53770)” (Eye Security)
• ““Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities” (CISA)

In response to the growing sophistication of attacks impacting British critical service providers, the U.K.’s cyber agency has revamped its core cybersecurity framework.

Version 4.0 of the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework, published this week, features new and updated information in four key areas:

• Attacker methods and motivations
• Secure development of software used in essential services
• Cyber threat detection via security monitoring and threat hunting
• AI-related cyber risks
   

(Image generated by Tenable using Google Gemini)

For example, a new section about cyber risk management explains how policies, processes and procedures can help organizations better understand, assess and manage cybersecurity risks. Another new section focuses on supply chain risk in areas like software development and cloud services.

“Keeping pace with the evolution of attack methods is essential to close the widening gap between the escalated cyber threats to critical services, and our collective ability to defend against them,” the NCSC said in a statement.

“These two themes have driven our updates to the CAF to ensure the framework remains relevant, and that organisations' defences are up to date,” it added.

The Cyber Assessment Framework is designed to help organizations that provide critical services enhance their cyber resilience to prevent operational disruptions in areas such as energy, healthcare, government and transportation.

For more information about the benefits of adopting cybersecurity frameworks:

• “A Complete Guide to the NIST Risk Management Framework” (EC-Council)
• “A Comparison of Leading Security Frameworks: NIST, ISO 27001, and Zero Trust” (Quick and Dirty Tips)
• “Top 12 IT security frameworks and standards explained” (TechTarget)
• “Essential Cybersecurity Frameworks and Standards for Start-ups and Fast-Growing Tech Companies” (CTO Academy)
• “SOC2 vs NIST VS ISO: Understanding the Differences Between Cybersecurity Frameworks” (Security Scientist)

5 Cybersecurity Frameworks Every GRC Professional Needs To Know (GRC for Mere Mortals)

U.S. federal civilian agencies with cloud and on-premises versions of Microsoft Exchange must fix an elevation-of-privilege vulnerability that, if exploited, would open the door to potentially massive breaches.

So said CISA this week via Emergency Directive 25-02, which instructs agencies with hybrid Exchange environments to mitigate the vulnerability by no later than 9 am ET on Monday, August 11.

This post-authentication vulnerability – CVE-2025-53786 – could allow an attacker to move laterally from on-premises Exchange to Exchange Online in Microsoft 365, according to CISA. There have been no observed exploits of this vulnerability at this time.

“An attacker with administrator privileges to an on-premises Exchange Server can escalate their privileges within a connected cloud environment,” reads Tenable Research Special Operations (RSO) team’s blog “CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability.”

“This flaw exists due to Exchange Server and Exchange Online sharing ‘the same service principal in hybrid configurations,’” the Tenable blog adds.
 

While CISA’s directive applies only to Federal Civilian Executive Branch (FCEB) agencies, the agency is urging all organizations impacted by this Exchange vulnerability to address it immediately.

“The risks associated with this Microsoft Exchange vulnerability extend to every organization and sector using this environment. While federal agencies are mandated, we strongly urge all organizations to adopt the actions in this Emergency Directive,” CISA Acting Director Madhu Gottumukkala said in a statement.

Microsoft first disclosed CVE-2025-53786 on August 6, after “further investigation of a non-security Hot Fix released on April 18 alongside an announcement on Exchange Server Security Changes for Hybrid Deployments,” according to the Tenable RSO blog.

In a LinkedIn post, Tenable Chief Security Officer Robert Huber said Microsoft should have stressed the urgency of this issue when it issued the hot fix months ago.

“This left a dangerous three-month window where organizations were exposed to a threat that strikes at the heart of the modern enterprise: Active Directory and the cloud,” Huber wrote in his post titled “The Exchange Vulnerability Is a Bigger Deal Than You Think.”

“This vulnerability provides a direct path for an attacker to escalate privileges from an on-premise server to the cloud, effectively handing them the keys to your kingdom,” Huber added.

To get more details, check out:

• CVE-2025-53786 (Tenable)
• “CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability” (Tenable)
• “Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability” (Microsoft MSRC)
• “Exchange Server Security Changes for Hybrid Deployments” (Microsoft blog)
• “Released: April 2025 Exchange Server Hotfix Updates” (Microsoft blog)
• “Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments” (CISA)
• “ED 25-02: Mitigate Microsoft Exchange Vulnerability” (CISA)

“CISA issues emergency directive requiring federal agencies to update systems to prevent Microsoft Exchange vulnerability” (CISA)

Hackers are sharpening their attacks on cloud environments with new advanced tactics – and inflicting disruptive damage. 

That’s a key takeaway from Google’s “Cloud Threat Horizons Report H2 2025,” published this week.

“Cloud environments face an increasingly sophisticated threat landscape as actors advance their methods for data exfiltration, identity compromise and supply chain attacks, while simultaneously improving evasion and persistence techniques,” reads the report.

Cloud hackers’ new playbook includes: 

• Wrecking your disaster recovery: Hitting backup systems first to cripple your safety net
• Bypassing multi-factor authentication: Stealing credentials and session cookies with slick social engineering to walk right past your defenses
• Hiding in plain sight: Planting malicious files – usually PDFs – inside legitimate cloud storage services

Still, their favorite entry points remain the good old methods of credential compromise and misconfiguration exploitation. Google’s advice? Double down on foundational cybersecurity, including solid identity and access management, and proactive vulnerability management.

H1 2025 Distribution of Initial Access Vectors Exploited by Threat Actors

(Source: Google’s “Cloud Threat Horizons Report H2 2025,” August 2025)

Specifically, the report recommends embracing a defense-in-depth strategy centered on: 

• identity security
• recovery mechanisms
• vigilance against sophisticated social engineering and deception tactics
• supply chain integrity

For more information about cloud security, check out these Tenable resources:

• “Identity is the New Perimeter: Why Your IdP Isn’t Enough” (blog)
• “Tenable Cloud Security Risk Report 2025” (report)
• “Why Your Cloud Data May Not Be Secure After All: Insights from Tenable Research” (on-demand webinar)
• “Tackling Shadow AI in Cloud Workloads” (blog)
• “The Future of Cloud Access Management: How Tenable Cloud Security Redefines Just-in-Time Access” (blog)

Plaintext passwords. Shared admin accounts. Unrestricted remote access.

These aren’t rookie mistakes. They’re real-world cybersecurity missteps found by CISA and the U.S. Coast Guard (USCG) during a recent threat hunt at an unnamed critical infrastructure organization.

While no active breach was discovered, the gaps put the organization at an elevated risk. The audit also revealed poor network segmentation between IT and operational technology (OT) environments, as well as insufficient logging.

“Critical infrastructure organizations are advised to review and implement the mitigations listed in this advisory to prevent potential compromises and better protect our national infrastructure,” reads the document, published this week.
 

(Image generated by Tenable using Google Gemini)

Mitigation recommendations include:

• Never store passwords or credentials in plain text. Instead, use tools such as encrypted password vaults and managed service accounts.
• Protect credentials by encrypting them at rest and in transit, and by adopting strong access controls. Conduct regular audits of scripts and tools that access credentials.
• Don’t share local admin account credentials. Rather, create unique, complex passwords for each account.
• Secure access to admin accounts and to remote access services with multi-factor authentication.
• Conduct granular and comprehensive logging across all systems, and ensure captured logs include authentication attempts and command-line executions.

The critical infrastructure organization asked CISA and USCG to conduct the threat hunt, and it participated in the drafting of the report.

To get more details, check out the full advisory “CISA and USCG Identify Areas for Cyber Hygiene Improvement After Conducting Proactive Threat Hunt at US Critical Infrastructure Organization.”

For more information about protecting critical infrastructure against cyber attacks:

• “Critical Infrastructure Security and Resilience” (CISA)
• “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (Tenable)
• “Identity Security Is the Missing Link To Combatting Advanced OT Threats” (Tenable)
• “Cybersecurity of Critical Sectors” (EU Agency for Cybersecurity)
• “Critical Infrastructure Protection” (MITRE)

Tired of juggling a dozen siloed malware analysis tools? 

If so, you’re not alone, which is why CISA and Sandia National Laboratories have developed a new platform designed to unify and automate your malware analysis workflow. 

Called Thorium and announced this week, the free platform is designed to integrate and orchestrate different malware analysis tools. Thorium also allows users to modify their toolsets.

“By publicly sharing this platform, we empower the broader cybersecurity community to orchestrate the use of advanced tools for malware and forensic analysis,” CISA Associate Director for Threat Hunting Jermaine Roebuck said in a statement.

 

(Credit: CISA)

Thorium is built for high performance. It can ingest 10 million files per hour and schedule 1,700 jobs per second, and it integrates with commercial, custom and open-source tools.

It's designed to give cyber defenders the speed and scale needed to combat modern threats.

“The goal of Thorium is to enable cyber defenders to bring automation to their existing analysis workflows through simple tool integration and intuitive event-driven triggers,” reads the Thorium fact sheet.

Key Thorium features include: 

• the ability to integrate tools using Docker images
• filter results with tags and full-text searches
• manage access with group-based permissions
• scale operations with Kubernetes and ScyllaDB

To get more details, you can visit the Thorium GitHub page.