EPSS vs. CVSS: What’s the Best Approach to Vulnerability Prioritization?

September 26, 2024 at 07:51AM
Businesses often rely on the Common Vulnerability Scoring System (CVSS) for vulnerability prioritization. However, CVSS does not factor in real-world threat data. In contrast, the Exploit Prediction Scoring System (EPSS) predicts the likelihood of a vulnerability being exploited in the next 30 days. EPSS offers a more efficient and effective …

Check your IP cameras: There’s a new Mirai botnet on the rise

August 31, 2024 at 02:28PM
An outdated series of IP cameras has been exploited to create a new Mirai botnet. Akamai reported the active campaign leveraging the remote code execution (RCE) vulnerability in AVTECH AVM1203 IP cameras, which have been discontinued since 2019. The botnet also exploits other old vulnerabilities, emphasizing the importance of maintaining …

Why CVEs Are an Incentives Problem

May 29, 2024 at 10:03AM
The book “Freakonomics” applies economic principles to social phenomena, emphasizing the impact of incentives on decision-making. The rising number of reported software vulnerabilities (CVEs) raises concerns about the cybersecurity ecosystem and the incentive structure influencing vulnerability reporting. Issues include gaming the system for recognition, lack of accountability in submissions, and …

CISA Announces CVE Enrichment Project ‘Vulnrichment’

May 9, 2024 at 08:57AM
The US cybersecurity agency, CISA, has launched the Vulnrichment project to enhance CVE records with CPE, CVSS, CWE, and KEV data. The project aims to prioritize remediation efforts, spot trends, and prompt vendors to address entire classes of vulnerabilities. CISA has enriched 1,300 CVEs and encourages all CNAs to offer …

CVE and NVD – A Weak and Fractured Source of Vulnerability Truth

April 3, 2024 at 10:12AM
The Common Vulnerabilities and Exposures (CVE) List managed by MITRE and the National Vulnerability Database (NVD) overseen by NIST are no longer considered a single reliable source of vulnerability information. Challenges include missing vulnerabilities, false positives, and resource limitations. NIST, acknowledging the backlog, is seeking a consortium to improve vulnerability …

VMware Alert: Uninstall EAP Now – Critical Flaw Puts Active Directory at Risk

February 21, 2024 at 01:15AM
VMware has reported critical security flaws in the Enhanced Authentication Plugin (EAP), urging users to uninstall it. The vulnerability enables a malicious actor to manipulate service tickets and hijack sessions. Additionally, SonarSource disclosed cross-site scripting flaws in Joomla!. Salesforce’s Apex programming language also faces high-severity vulnerabilities. Users are advised to …

CVSS 4.0 Offers Significantly More Patching Context

November 7, 2023 at 03:52PM
The latest version of the Common Vulnerability Scoring System (CVSS version 4.0) allows organizations to assess and manage the risk posed by security bugs more effectively. It introduces new metrics that enable a dynamic and context-sensitive evaluation of vulnerabilities. CVSS 4.0 provides a more tailored risk management approach and allows …