Vulnerability assessment identifies weaknesses or vulnerabilities in computer systems, networks, and software, along with the inherent risks they introduce. By using specialized tools like vulnerability scanners and manual methods, vulnerability assessment helps organizations figure out where they might be at risk. This process not only identifies potential problems but also helps prioritize them based on their severity level.

On August 17th, 2023, Juniper Networks released out-of-band fixes for multiple vulnerabilities that could be chained together to achieve unauthenticated remote code execution (RCE) on SRX and EX series devices. The vulnerabilities impact the J-Web component of Junos OS, the operating system running on the devices.

By now, the facts of the recent MOVEit breach are well known (although the victim total keeps climbing), but it never hurts to be reminded that these attacks do not take place in a vacuum and threat actors are more than happy to repeatedly use the same tactics if their targets remain vulnerable. Trustwave SpiderLabs, has tracked and documented these events explaining how threat actors were found to be exploiting three vulnerabilities, including a zero-day, (CVE-2023-34362, CVE-2023-35036.

We’re happy to announce the open beta availability of Snyk’s new Risk Score! Replacing the existing Priority Score, the new Risk Score was designed to help you prioritize more effectively by providing you with an accurate and holistic understanding of the risk posed by a given security issue.

Vulnerability management (VM) is the process of detecting, prioritizing, remediating, and auditing security vulnerabilities in systems and software. This critical process minimizes the organization’s “attack surface” by installing the most current software updates and properly hardening computer configuration.

The maintainers have already released an update fixing the issue. Versions before 0.7.5 are affected and thus vulnerable to Prototype Pollution. We strongly recommend that impacted users upgrade to the newer version that includes the fixes, i.e., version 0.7.5 and above.We have found a new Prototype Pollution vulnerability in the JavaScript package tree-kit in all versions before 0.7.5. The maintainer of tree-kit has released an update that fixed the issue on 21 July 2023.

There are three vulnerabilities impacting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core: CVE-2023-35078 and CVE-2023-35082, which both enable authenticated bypass for unauthorized access; and CVE-2023-35081, which allows directory traversal with privilege escalation and arbitrary file write. These Ivanti EPMM vulnerabilities have been observed in active cyber attacks on systems using the affected versions.

As GenerativeAI expands its reach, the impact of software development is not left behind. Generative models — particularly Language Models (LMs), such as GPT-3, and those falling under the umbrella of Large Language Models (LLMs) — are increasingly adept at creating human-like text. This includes writing code.

Living Off the Land (LOTL) cyber attacks represent a growing and increasingly sophisticated threat within the cybersecurity landscape. The significance of LOTL attacks extends beyond mere technicalities; they pose substantial risks to global security, influencing everything from corporate stability to national defense mechanisms.

CVE-2023-0871 is an XML External Entity injection vulnerability in OpenNMS Horizon.