Infosec teams rely on metrics and frameworks to prioritize vulnerabilities and understand their potential impact as part of their vulnerability management programs. These metrics are crucial for organizations to assess the impact of any vulnerabilities identified during any type of vulnerability assessment. One such framework widely used by penetration testing organizations and security tools is the Common Vulnerability Scoring System (CVSS).

Open source code is a vital aspect of modern development. It allows developers to increase their application’s functionality, while reducing overall development time. However, the system isn’t perfect. The nature of third party software and it’s dependencies often creates opportunity for security vulnerabilities to lurk in libraries and downloads.

As part of our ongoing commitment to conducting original research and maintaining an up-to-date Hacker’s Playbook, the SafeBreach Labs team is dedicated to uncovering new threats. My recent research focused on searching for vulnerabilities and design issues in the API security domain in line with this objective. As a result, we discovered a security vulnerability in the popular HR information system (HRIS) platform called HiBob.

The MOVEIt data breach continues to impact a number of both private and government groups across the US and Europe by exposing confidential data. With breaches like this becoming increasingly common, it can be easy to blame advanced persistent threat (APT) groups and other malicious actors; however, there is a valuable lesson to learn from the MOVEit breach: it is essential to be proactive about these threats, Not doing so may lead to a breach.

In quick succession at the end of May into mid-June, software developer Progress released three advisories that any customers using its popular managed file transfer (MFT) solution MOVEit should immediately update to the latest release. In this time, they were made aware of three critical vulnerabilities, CVE-2023-34362 on May 31, CVE-2023-35036 on June 9, and CVE-2023-35708 on June 15.

In the December of last year, we reported CVE-2022-1471 to you. This unsafe deserialization problem could easily lead to arbitrary code execution under the right circumstances. In the deep-dive blog post “Unsafe deserialization vulnerability in SnakeYaml (CVE-2022-1471)”, I explained the problems in this library and how it could be executed. The gist of the problem was that by default SnakeYaml parsed the incoming yaml to the generic object type.

On June 15, 2023, Progress Software announced a critical vulnerability in the MOVEit file transfer software (CVE-2023-35708). This was the third vulnerability impacting the file transfer software (May 2023: CVE-2023-34362; June 9: CVE-2023-35036). The vulnerabilities have been fixed, and all MOVEit Transfer customers are strongly urged to immediately apply all applicable patches.

After a wave of zero-day attacks targeting widely used security and networking appliances, the Cybersecurity & Infrastructure Security Agency (CISA) is taking new measures to protect Internet-exposed networking equipment.

In our final OT:ICEFALL report, Forescout Vedere Labs presents three new vulnerabilities and concludes the project after one year of research following the original disclosure. The OT:ICEFALL research, including 61 vulnerabilities affecting 13 vendors, has yielded three key insights into the current state of OT product security.

Kubernetes “crossed the adoption chasm” in 2021 after 5.6 million developers used it to orchestrate their containers, according to the Cloud Native Computing Federation (CNCF). The annual CNCF survey recorded that an impressive 96% of organizations were either contemplating or outright using Kubernetes. However, Kubernetes becomes more appealing to hackers and malefactors as it becomes more popular.