CIS Security Advisories
CIS Security News
CISA News
ISACA SmartBrief
Cyber Security Advisories – MS-ISAC
- Multiple Vulnerabilities in VMware Aria Operations and VMware Tools Could Allow for Privilege Escalation 2025-10-01Multiple vulnerabilities have been discovered in VMware Aria Operations and VMware Tools, the most severe of which could allow for privilege escalation to root. VMware Aria is a multi-cloud management platform that provides automation, operations, and cost management for applications and infrastructure across private, public, and hybrid cloud environments. Successful exploitation of the most severe […]
- Multiple Vulnerabilities in Cisco Products Could Allow for Remote Code Execution 2025-09-25Multiple vulnerabilities have been discovered in Cisco products, the most severe of which could allow for remote code execution. Cisco is a leading technology company best known for its networking hardware and software, such as routers and switches, that form the backbone of the internet and enterprise networks. Successful exploitation of the most severe of […]
- A Vulnerability in Nx (build system) Package Could Allow for Sensitive Data Exfiltration 2025-09-25A vulnerability has been discovered in Nx (build system) Package, which could allow for sensitive data exfiltration. Nx is a smart, fast, and extensible build system designed for managing monorepos efficiently by providing features like dependency graph analysis, computation caching, distributed task execution, and codebase upgrades. Successful exploitation of this vulnerability could allow an attacker […]
- A Vulnerability in SolarWinds Web Help Desk Could Allow for Remote Code Execution 2025-09-23A vulnerability has been discovered in SolarWinds Web Help Desk, which could allow for remote code execution. SolarWinds Web Help Desk (WHD) is a web-based software that provides IT help desk and asset management functionality, allowing IT teams to manage service requests, track IT assets, and offer self-service options to end-users. Successful exploitation of this […]
- A Vulnerability in GoAnywhere Managed File Transfer (MFT) Could Allow for Command Injection 2025-09-19A vulnerability has been discovered in GoAnywhere Managed File Transfer (MFT) which could allow for Command Injection. GoAnywhere Managed File Transfer (MFT) is an enterprise-level software solution for securely automating, managing, and tracking all organizational file transfers, whether server-to-server or person-to-person. Successful exploitation of this vulnerability could allow an actor with a validly forged license […]
- A Vulnerability in WatchGuard Fireware OS Could Allow for Arbitrary Code Execution 2025-09-19A vulnerability has been discovered in WatchGuard Fireware OS, which could allow for arbitrary code execution. Fireware OS is the software that runs on WatchGuard Firebox firewalls. Fireware includes a Web UI that includes a way to manage and monitor each Firebox in your network. Successful exploitation of this vulnerability may allow a remote unauthenticated […]
- Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution 2025-09-19Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; […]
- Multiple Vulnerabilities in Mozilla Products Could Allow for Arbitrary Code Execution 2025-09-16Multiple vulnerabilities have been discovered in Mozilla products, the most severe of which could allow for arbitrary code execution.Mozilla Firefox is a web browser used to access the Internet.Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations.Mozilla Focus for iOS is a private mobile browser that automatically blocks […]
- Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution 2025-09-09Multiple vulnerabilities have been discovered in Adobe products, the most severe of which could allow for arbitrary code execution. Adobe Acrobat Reader is a free software for viewing, printing, and annotating PDF files.Adobe After Effects is a digital software program used to create and composite visual effects, motion graphics, and animations for film, television, web video, […]
- Multiple Vulnerabilities in Ivanti Products Could Allow for Remote Code Execution 2025-09-09Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution. Ivanti Endpoint Manager is a client-based unified endpoint management softwareIvanti Connect Secure is an SSL VPN solution for remote and mobile users.Ivanti Policy Secure (IPS) is a network access control (NAC) solution which provides network access […]
Blog Feed – Center for Internet Security
- Reasonable Cybersecurity: From Legal Theory to Practice 2025-09-24Explore how reasonable cybersecurity is evolving from a legal concept into a practical standard for protecting systems and consumer data.
- CIS Helps Strengthen Cybersecurity in Energy & Utilities 2025-09-23Discover how CIS Benchmarks and CIS Controls help energy and utility companies strengthen cybersecurity across IT and OT environments.
- CIS Benchmarks Monthly Update September 2025 2025-09-23The following CIS Benchmarks and CIS Build Kits have been updated or recently released. We've highlighted the major updates below.
- Qilin Top Ransomware Threat to SLTTs in Q2 2025 2025-09-11In Q2 2025, Qilin became the most active ransomware targeting U.S. SLTT government entities. Read the CIS CTI team's analysis to learn more.
- Top External Network Risks And How to Fix Them 2025-08-27Learn about the top external network risks and recommendations to harden configurations from the CIS Cyber Threat Intelligence team.
- CIS Controls Ambassador Spotlight: Eric Woodard 2025-08-21The CIS Controls Ambassador program is an initiative of the CIS that focuses on enhancing the adoption of key cybersecurity best practices.
- CIS Benchmarks August 2025 Update 2025-08-19Here is an overview of the CIS Benchmarks that the Center for Internet Security (CIS) updated or released for August 2025.
- Critical Infrastructure Caught in a Botnet 2025-08-14Cyber threat actors frequently use a botnet in their efforts to target U.S. critical infrastructure. Read on for how to defend your networks.
- 5 Cyber Questions Sheriffs & Police Chiefs Should Ask 2025-08-14Cyber threat actors continue to target law enforcement agencies. Here are five cyber questions LE executives can ask to evaluate their defenses.
- Applying CIS Benchmarks to Harden Windows 11 VDI Systems 2025-08-13Learn how the CIS IT team successfully implemented CIS Benchmarks in a Virtual Desktop Infrastructure (VDI) environment—specifically focusing on Windows 11.
All CISA Advisories
- CISA Adds One Known Exploited Vulnerability to Catalog 2025-10-07CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-27915 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the […]CISA
- CISA Releases Two Industrial Control Systems Advisories 2025-10-07CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-280-01 Delta Electronics DIAScreen ICSA-25-226-31 Rockwell Automation 1756-EN4TR, 1756-EN4TRXT (Update B) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.CISA
- Delta Electronics DIAScreen 2025-10-07View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.8 ATTENTION: Low attack complexity Vendor: Delta Electronics Equipment: DIAScreen Vulnerabilities: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to write data outside of the allocated memory buffer. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Delta Electronics DIAScreen are […]CISA
- CISA Adds Seven Known Exploited Vulnerabilities to Catalog 2025-10-06CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability CVE-2010-3962 Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability CVE-2011-3402 Microsoft Windows Remote Code Execution Vulnerability CVE-2013-3918 Microsoft Windows Out-of-Bounds Write Vulnerability CVE-2021-22555 Linux Kernel Heap Out-of-Bounds Write Vulnerability CVE-2021-43226 […]CISA
- Hitachi Energy MSM Product 2025-10-02View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: MSM Product Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Reachable Assertion 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow HTML injection via the name parameter or an assertion failure in fuzz_binary_decode, resulting […]CISA
- Raise3D Pro2 Series 3D Printers 2025-10-02View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Raise3D Equipment: Pro2 Series Vulnerability: Authentication Bypass Using an Alternate Path or Channel 2. RISK EVALUATION Successful exploitation of this vulnerability could result in data exfiltration and compromise of the target device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following firmware […]CISA
- CISA Releases Two Industrial Control Systems Advisories 2025-10-02CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-275-01 Raise3D Pro2 Series 3D Printers ICSA-25-275-02 Hitachi Energy MSM Product CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.CISA
- CISA Adds Five Known Exploited Vulnerabilities to Catalog 2025-10-02CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2014-6278 GNU Bash OS Command Injection Vulnerability CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability These types of vulnerabilities are […]CISA
- OpenPLC_V3 2025-09-30View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.1 ATTENTION: Low attack complexity Vendor: OpenPLC_V3 Equipment: OpenPLC_V3 Vulnerability: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior 2. RISK EVALUATION Successful exploitation of this vulnerability could cause a denial of service, making the PLC runtime process crash. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of OpenPLC_V3 […]CISA
- Festo Controller CECC-S,-LK,-D Family Firmware 2025-09-30View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Festo Equipment: Controller CECC-S,-LK,-D Family Firmware Vulnerabilities: Exposure of Resource to Wrong Sphere, Untrusted Pointer Dereference, NULL Pointer Dereference, Files or Directories Accessible to External Parties, Out-of-bounds Write, Improper Privilege Management, Incorrect Permission Assignment for Critical Resource, Buffer Copy without Checking […]CISA
ISACA SmartBrief on Cybersecurity
- Each of us is born with a box of matches inside us but we can't strike them all by ourselves. 2025-10-08Laura Esquivel, writer, screenwriter Hispanic Heritage Month is Sept. 15 to Oct. 15
- Avnet reports breach of internal sales tool 2025-10-08Electronics giant Avnet has confirmed a data breach involving an internal sales tool used in the Europe, Middle East and Afri -More-
- AI's data demands clash with privacy laws 2025-10-08The hunger for material to train AI models challenges the principle of data minimization, a cornerstone of privacy laws such -More-
- Serverless Security Risks Are Real, and Hackers Know It 2025-10-08Serverless development appears to be an ideal solution for programmers. -More-
- Report: CISO turnover high amid stress, liability concerns 2025-10-08Chief information security officers have an average tenure of 18 to 26 months, shorter than the nearly five-year average for -More-
- Zimbra flaw exploited to target Brazil's military 2025-10-08Threat actors have exploited a zero-day cross-site scripting vulnerability in the Zimbra Collaboration Suite that uses a mali -More-
- Ransomware attack disrupts operations at Va. schools 2025-10-08Mecklenburg County Public Schools in Virginia confirmed that the Russian cybercrime group Qilin was behind a ransomware attac -More-
- Study: Y2K38 bug a current vulnerability, not future issue 2025-10-08Researchers have identified the Y2K38 bug as an immediate vulnerability, not just a future concern. -More-
