Vulnerability: Page 15
CISA wants to change how organizations prioritize vulnerabilities
Federal authorities want to take the guesswork and manual decision-making out of the messy world of vulnerability management.
By Matt Kapko • Nov. 14, 2022
CISA warns unpatched Zimbra users to assume breach
Months after warnings to patch the Zimbra Collaboration Suite, government and private sector organizations are under attack from multiple threat actors.
By David Jones • Nov. 11, 2022
Citrix CVEs need urgent security updates, CISA says
Though there is no active exploitation yet, Tenable researchers say they expect threat actors to target the affected Citrix systems in the near term.
By David Jones • Nov. 10, 2022
Microsoft finally releases security updates for ProxyNotShell zero days
The company linked a limited set of recent Exchange Server attacks to state-backed threat actors.
By David Jones • Nov. 8, 2022
OpenSSL releases patch for 2 high-severity vulnerabilities after prior warning
The project downgraded its earlier warning of a critical vulnerability, but still urged organizations to apply the updates.
By David Jones • Nov. 1, 2022
Critical OpenSSL vulnerability causes security industry to hold its breath
Researchers warn the vulnerability could be the most serious in the industry since 2014's Heartbleed.
By David Jones • Nov. 1, 2022
GitHub vulnerability raises risk of open source supply chain attack
Researchers from Checkmarx said a flaw in the namespace retirement mechanism put thousands of packages at risk of being hijacked by outside threat actors.
By David Jones • Oct. 27, 2022
White House plans IoT security labeling program for spring 2023
Major connected device manufacturers, retailers and industry groups back efforts to boost cyber awareness.
By David Jones • Oct. 21, 2022
Apache urges users to upgrade Commons Text version to block ‘Text4Shell’ vulnerability
Any connection to Log4j is misapplied, researchers said, because Log4j is a much more widely used Java library.
By David Jones • Oct. 19, 2022
Critical vulnerability surfaces in Apache Commons Text library
Researchers warn an attacker can achieve remote code execution, but the vulnerability is not seen as being as dangerous as the Log4Shell flaw in Log4j.
By David Jones • Oct. 17, 2022
Fortinet attacks escalate as company warns large swath of customers to upgrade
The number of unique IP addresses exploiting the flaw has gone from single digits when the vulnerability was originally announced to about 200.
By David Jones • Oct. 17, 2022
CISA adds Fortinet CVE to vulnerability catalog after attacks escalate
A critical authentication bypass vulnerability in the company’s firewall and web proxy software allowed unauthenticated attackers to gain access.
By David Jones • Oct. 12, 2022
Microsoft struggles to mitigate Exchange Server CVEs as it races to complete patch
Security researchers have repeatedly called out the company on interim measures that were quickly bypassed.
By David Jones • Oct. 6, 2022
Microsoft updates guidance to prevent future Exchange server attacks
The company had to revise some of its guidance involving the URL Rewrite rule, while organizations continue to wait for a patch.
By David Jones • Oct. 5, 2022
CISA orders federal IT overhaul with automated asset inventory, software scanning
Civilian agencies will be required to check for vulnerabilities in a push to gain better visibility into IT networks.
By David Jones • Oct. 4, 2022
Microsoft warns of potential escalation for Exchange server zero days
The actor, which Microsoft says is state sponsored, installed Chopper web shells to gain hands-on-keyboard access, conduct Active Directory reconnaissance and exfiltrate data.
By David Jones • Oct. 3, 2022
Microsoft investigating 2 zero-day vulnerabilities in Exchange Server
One vulnerability is a server-side request forgery, while the second allows remote code execution when the attacker can reach PowerShell.
By David Jones • Sept. 30, 2022
Strict security rules could push open source community out of federal work, expert says
Agency CISOs and development experts say federal agencies need to work collaboratively with open source community contributors.
By David Jones • Sept. 27, 2022
Organizations rapidly shift tactics to secure the software supply chain
Synopsys’ 13th annual BSIMM study shows rapid increases in automation and use of SBOMs among software producers and other organizations.
By David Jones • Sept. 22, 2022
White House guidance on third-party software seen as a major test of cyber risk strategy
The U.S. hopes that by forcing software producers to meet a set of minimum security standards for federal use, a new baseline strategy will be adopted industrywide.
By David Jones • Sept. 19, 2022
Researchers warn older D-Link routers are under threat from Mirai malware variant
Attackers are leveraging vulnerabilities in the devices to build botnets and launch DDoS attacks, according to Palo Alto Networks research.
By David Jones • Sept. 8, 2022
CISA Director: Tech industry should infuse security at product design stage
Agency director Jen Easterly outlined a push for faster incident reporting and closer industry collaboration.
By David Jones • Sept. 7, 2022
Feds push for developers to take lead in securing software supply chain
The guidelines from CISA and the NSA come amid a growing movement to “shift left” and evaluate software security earlier in the development cycle.
By David Jones • Sept. 2, 2022
SaaS sprawl amps up security challenges amid heightened risk
Two-thirds of businesses say they are spending more on SaaS applications year-over-year, Axonius data shows.
By Roberto Torres • Sept. 1, 2022
Growing cyber risks add to hospital cost squeeze, Fitch cautions
Cyber risk mitigation is becoming more expensive, but with hospitals' cost pressures mounting, spending on security may not be a priority, the ratings agency said.
By Susan Kelly • Aug. 31, 2022