Cyberveille curated by Decio
11 results tagged tenable
MCP Prompt Injection: Not Just For Evil https://www.tenable.com/blog/mcp-prompt-injection-not-just-for-evil
04/05/2025 13:54:57

MCP tools are implicated in several new attack techniques. Here's a look at how they can be manipulated for good, such as logging tool usage and filtering unauthorized commands.

Over the last few months, there has been a lot of activity in the Model Context Protocol (MCP) space, both in terms of adoption as well as security. Developed by Anthropic, MCP has been rapidly gaining traction across the AI ecosystem. MCP allows Large Language Models (LLMs) to interface with tools and for those interfaces to be rapidly created. MCP tools allow for the rapid development of “agentic” systems, or AI systems that autonomously perform tasks.

Beyond adoption, new attack techniques have been shown to allow prompt injection via MCP tool descriptions and responses, MCP tool poisoning, rug pulls and more.

Prompt Injection is a weakness in LLMs that can be used to elicit unintended behavior, circumvent safeguards and produce potentially malicious responses. Prompt injection occurs when an attacker instructs the LLM to disregard other rules and do the attacker’s bidding. In this blog, I show how to use techniques similar to prompt injection to change the LLM’s interaction with MCP tools. Anyone conducting MCP research may find these techniques useful.

tenable EN 2025 MCP Prompt-Injection LLM LLMs technique interface vulnerability research
Despite Recent Security Hardening, Entra ID Synchronization Feature Remains Open for Abuse https://www.tenable.com/blog/despite-recent-security-hardening-entra-id-synchronization-feature-remains-open-for-abuse
27/04/2025 12:04:03

Microsoft synchronization capabilities for managing identities in hybrid environments are not without their risks. In this blog, Tenable Research explores how potential weaknesses in these synchronization options can be exploited.

Synchronizing identity accounts between Microsoft Active Directory (AD) and Entra ID is important for user experience, as it seamlessly synchronizes user identities, credentials and groups between on-premises and cloud-based systems. At the same time, Tenable Research shows that the following synchronization options can introduce cybersecurity risks that extend beyond hybrid tenants:

  • the already known Directory Synchronization Accounts Entra role
  • the new On Premises Directory Sync Account Entra role
  • the new Microsoft Entra AD Synchronization Service application

In 2024, Microsoft introduced two new security hardening measures for hybrid Entra ID synchronization. However, despite these improvements, both the Directory Synchronization Accounts and the new On Premises Directory Sync Account roles retain access to critical synchronization APIs. Moreover, the new 'Microsoft Entra AD Synchronization Service' application exposes the privileged ADSynchronization.ReadWrite.All permission, introducing another potential attack path that security teams must watch closely.

In this technical blog, we break down the changes Microsoft made to each of its synchronization options, explore where new risks were introduced and provide guidance on how Tenable Identity Exposure can help you monitor and secure your hybrid synchronization environment.

tenable EN 2025 Microsoft Entra-ID risks weaknesses
Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor https://www.tenable.com/blog/salt-typhoon-an-analysis-of-vulnerabilities-exploited-by-this-state-sponsored-actor?is=e4f6b16c6de31130985364bb824bcb39ef6b2c4e902e4e553f0ec11bdbefc118
29/01/2025 11:11:31

Salt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has breached at least nine U.S.-based telecommunications companies with the intent to target high profile government and political figures. Tenable Research examines the tactics, techniques and procedures of this threat actor.

tenable EN 2025 Salt-Typhoon Analysis vulnerabilities State-Sponsored
Compromising Microsoft's AI Healthcare Chatbot Service https://www.tenable.com/blog/compromising-microsofts-ai-healthcare-chatbot-service
13/08/2024 15:33:44

Tenable finds privilege-escalation issues in Azure Health Bot via an SSRF, which allowed access to cross-tenant resources.

tenable en 2024 azure azure-health-bot tenable-research ssrf vulnerability cross-tenant-access artificial-intelligence ai-security
D-Link D-View 8 Unauthenticated Probe-Core Server Communication https://www.tenable.com/security/research/tra-2023-43
03/01/2024 12:31:36

A security issue exists in D-Link D-View 8 v2.0.2.89 and prior that could allow an attacker to manipulate the probe inventory of the D-View service. This could result in the disclosure of info

tenable EN 2023 D-Link D-View vulnerability disclosure
Unauthorized Access to Cross-Tenant Applications in Microsoft Power Platform https://www.tenable.com/security/research/tra-2023-25
04/08/2023 09:35:57

A researcher at Tenable has discovered an issue that enables limited, unauthorized access to cross-tenant applications and sensitive data (including but not limited to authentication secrets).

Background: The issue occurred as a result of insufficient access control to Azure Function hosts, which are launched as part of the creation and operation of custom connectors in Microsoft’s Power Platform (Power Apps, Power Automation).

tenable 2023 EN cross-tenant Cloud Microsoft-Power Platform
Microsoft…The Truth Is Even Worse Than You Think https://www.linkedin.com/pulse/microsoftthe-truth-even-worse-than-you-think-amit-yoran/
04/08/2023 09:35:37

Last week, Senator Ron Wyden sent a letter to the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Justice and the Federal Trade Commission (FTC) asking that they hold Microsoft accountable for a repeated pattern of negligent cybersecurity practices, which has enabled Chine

Amit-Yoran Microsoft tenable transparency Azure complaint Cloud
Microsoft’s April 2023 Patch Tuesday Addresses 97 CVEs (CVE-2023-28252) https://www.tenable.com/blog/microsofts-april-2023-patch-tuesday-addresses-97-cves-cve-2023-28252
12/04/2023 09:58:46

Microsoft addresses 97 CVEs, including one that was exploited in the wild as a zero-day.

tenable EN 2023 PatchTuesday april zero-day microsoft list
Microsoft’s March 2023 Patch Tuesday Addresses 76 CVEs (CVE-2023-23397) https://www.tenable.com/blog/microsofts-march-2023-patch-tuesday-addresses-76-cves-cve-2023-23397
14/03/2023 22:50:06

Microsoft addresses 76 CVEs, including two zero-days exploited in the wild, one of which was publicly disclosed.

tenable EN 2023 0-day PatchTuesday zero-days March
SQL Injection in Multiple WordPress Plugins https://www.tenable.com/security/research/tra-2023-2
16/01/2023 17:43:25
  • Paid Memberships Pro : CVE-2023-23488 - Unauthenticated SQL Injection

  • Easy Digital Downloads: CVE-2023-23489 - Unauthenticated SQL Injection

  • Survey Maker: CVE-2023-23490 - Authenticated SQL Injection

tenable 2023 EN WordPress Plugins Advisory CVE-2023-23488 CVE-2023-23489 CVE-2023-23490
CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy https://www.tenable.com/blog/cve-2022-40684-critical-authentication-bypass-in-fortios-and-fortiproxy
07/10/2022 19:38:56

Fortinet has patched a critical authentication bypass in its FortiOS and FortiProxy products that could lead to administrator access.

tenable EN 2022 CVE-2022-40684