L'agence de cybersécurité américaine s'inquiète de la capacité des pirates à tirer parti d'une vulnérabilité sévère affectant Commvault pour voler des secrets d'environnements applicatifs SaaS dont Microsoft 365. La CISA enjoint les entreprises à appliquer les correctifs disponibles.
Régulièrement, la CISA lance des avertissement sur des failles exploitées. Selon un avis de l'agence de cybersécurité américaine, des acteurs malveillants pourraient avoir accédé à des secrets de clients à partir de la solution de sauvegarde Metallic Microsoft 365 de Commvault hébergée dans Azure. L'accès non autorisé à ces secrets a été réalisé grâce à un exploit zero day. En février, Microsoft a averti Commvault de l'existence d'une grave faille non spécifiée (répertoriée en tant que CVE-2025-3928) affectant sa solution Web Server. Par ailleurs, un acteur bénéficiant d'un soutien étatique l'exploitait activement pour accéder aux environnements Azure. Thomas Richards, directeur de la pratique de sécurité des infrastructures chez Black Duck, a déclaré que les flux SaaS sont intrinsèquement vulnérables. « Si les solutions SaaS déchargent les entreprises des tâches administratives liées à l'hébergement et à l'infrastructure, le revers de la médaille est que les sociétés n'ont aucun moyen de sécuriser ou de contrôler ces environnements », a-t-il déclaré. « Lorsque Commvault a été compromis, les victimes n'étaient même pas conscientes de l'existence d'une faille. »
Une CVE-2023-3928 sévère
Dans son avis, la CISA indique qu'elle soupçonne l'exploitation de CVE-2025-3928 de faire partie d'une campagne plus large visant les applications SaaS avec des paramètres par défaut et des autorisations de haut niveau. Commentant la note de la CISA, James Maude, Field CTO chez BeyondTrust, a déclaré : « Cela met en évidence les risques liés au fait de permettre à des tiers d'accéder de manière privilégiée à votre environnement, leur violation devenant votre violation [...] Alors que de nombreuses entreprises disposent de contrôles solides pour émettre et gérer l'accès aux comptes humains utilisés par les entrepreneurs et les tiers, l'histoire est souvent très différente lorsqu'il s'agit d'identités non humaines et de secrets qui permettent des interactions machine-machine. » D'après l'enquête de Commvault, les acteurs étatiques ont obtenu, par le biais d'un abus zero-day de CVE-2025-3928, un sous-ensemble d'identifiants d'applications que certains clients de Commvault utilisaient pour authentifier leurs environnements M365.
The Likely Exploited Vulnerabilities (LEV) equations can help augment KEV- and EPSS-based remediation prioritization.
Researchers from CISA and NIST have proposed a new cybersecurity metric designed to calculate the likelihood that a vulnerability has been exploited in the wild.
Peter Mell of NIST and Jonathan Spring of CISA have published a paper describing equations for what they call Likely Exploited Vulnerabilities, or LEV.
Thousands of vulnerabilities are discovered every year in software and hardware, but only a small percentage are ever exploited in the wild.
Knowing which vulnerabilities have been exploited or predicting which flaws are likely to be exploited is important for organizations when trying to prioritize patching.
Known Exploited Vulnerabilities (KEV) lists such as the one maintained by CISA and the Exploit Prediction Scoring System (EPSS), which relies on data to estimate the probability that a vulnerability will be exploited, can be very useful. However, KEV lists may be incomplete and EPSS may be inaccurate.
LEV aims to enhance — not replace — KEV lists and EPSS. This is done through equations that take into account variables such as the first date when an EPSS score is available for a specified vulnerability, the date of the most recent KEV list update, inclusion in KEV, and the EPSS score for a given day (measured across multiple days).
LEV probabilities can be useful for measuring the expected number and proportion of vulnerabilities that threat actors have exploited.
It can also be useful for estimating the comprehensiveness of KEV lists. “Previously, KEV maintainers had no metric to demonstrate how close their list was to including all relevant vulnerabilities,” the researchers explained.
In addition, LEV probabilities can help augment KEV- and EPSS-based vulnerability remediation prioritization — in the case of KEV by identifying higher-probability vulnerabilities that may be missing, and in the case of EPSS by finding vulnerabilities that may be underscored.
While in theory LEV could turn out to be a very useful tool for vulnerability prioritization, the researchers pointed out that collaboration is necessary, and NIST is looking for industry partners “with relevant datasets to empirically measure the performance of LEV probabilities”.
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation
CVE-2025-3248 Langflow Missing Authentication Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Affected staff say more than 100 employees working to protect U.S. government networks were ‘axed’ with no prior warning
The secretary of Defense has ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions, sources tell Recorded Future News.
Recent incidents indicate US is no longer characterizing Russia as a cybersecurity threat, marking a radical departure: ‘Putin is on the inside now’
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
#CISA #Computer #Cring #Critical #FBI #Ghost #InfoSec #Infrastructure #Ransomware #Security
FBI and CISA officials have advised Americans to use encrypted call and messaging apps to protect their communications from threat actors.
This guide provides network engineers and defenders of communications infrastructure with best practices to strengthen their visibility and harden their network
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day.
Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
CISA has tagged another critical Ivanti security vulnerability, which can let threat actors create rogue admin users on vulnerable Virtual Traffic Manager (vTM) appliances, as actively exploited in attacks.
Write better code, urges Jen Easterly. And while you're at it, give crime gangs horrible names like 'Evil Ferret'
The nation’s top cyber watchdogs urged federal agencies to either remove or upgrade an Ivanti appliance that is no longer being updated and has been exploited in attacks.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.
At the Black Hat cybersecurity conference on Thursday, National Cyber Director Harry Coker, Jr. said his office is working with the Department of Treasury’s federal insurance office as well as officials at the Cybersecurity and Infrastructure Security Agency (CISA) on the effort.
An advisory by CISA and multiple international cybersecurity agencies highlights the tactics, techniques, and procedures (TTPs) of APT40 (aka
The agency found no evidence that hackers exfiltrated information but noted the intrusion “may have resulted in the potential unauthorized access” to security plans, vulnerability assessments and user accounts within a national system to protect the chemicals sector.
CISA publicly released an emergency directive issued to federal agencies earlier this month, detailing how a breach at Microsoft could have affected the government.
