Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Organizations are increasingly recognizing that threats can emerge from various external-facing assets, including web applications, cloud infrastructure, APIs, and even shadow IT. This necessitates a robust Attack Surface Management (ASM) strategy, supported by specialized software solutions.

SysAid has patched a critical XML External Entity (XXE) flaw that lets unauthenticated attackers turn a routine /mdm check-in request into full administrator compromise—and, when chained with a newly disclosed command-injection bug, into remote code execution (RCE). The vulnerability, tracked as CVE-2025-2775, affects all SysAid On-Prem deployments up to 23.3.40 and is now fixed in 24.4.60.

For financial institutions in New York, the NYDFS Cybersecurity Regulation (23 NYCRR 500) is a vital mandate that requires a strong and comprehensive cybersecurity framework. This regulation outlines numerous requirements aimed at safeguarding customer data and maintaining the integrity of financial systems.

We admit it – we’ve had our heads in the clouds recently. Since we started working with Wiz as one of their integration partners, we’ve been spending even more time thinking about cloud assets. And these assets are everywhere! Gartner predicts double digit growth across all cloud segments in 2025.

One of the foundational security practitioners’ mantra “you can’t protect what you can’t see” has become a security gospel. As enterprises expanded from hundreds of physical assets to thousands of devices including ephemeral workloads, a troubling reality has emerged: visibility alone does not equal security. In this article.

On April 24th, 2025, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability (CVSS 10.0) affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. This vulnerability fails to restrict file upload content, allowing unauthenticated remote attackers to achieve full remote code execution (RCE) on affected servers.

SAP has released an out-of-band patch for a critical unrestricted file-upload flaw, CVE-2025-31324, in the NetWeaver Visual Composer “Metadata Uploader.” A missing authorization check allows unauthenticated attackers to upload arbitrary files (e.g., JSP, WAR) and instantly execute code on the SAP Java stack. If left unpatched, the weakness can expose sensitive ERP data and disrupt core business workflows across finance, HR, and manufacturing systems. In this article.

Cloud-Native Application Protection Platforms (CNAPPs) combine tools that scan your code, check your open-source libraries, protect your cloud workloads, and monitor your cloud configurations. But CNAPPs aren’t a silver bullet. They lack external active testing and blackbox cloud asset discovery, two capabilities that can leave exploitable vulnerabilities undetected. CNAPPs depend on APIs and deployment hooks to see what’s running.

Kubernetes ingress-nginx has disclosed a cluster of critical vulnerabilities—CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514—impacting all controller releases prior to v1.11.5 / v1.12.1. The flaws stem from insufficient sanitization of Ingress annotations and admission-webhook inputs, allowing attackers to inject arbitrary NGINX directives into the auto-generated nginx.conf.

Erlang/OTP ships with an SSH daemon that many telecom, IoT, Elixir/Phoenix, RabbitMQ and CouchDB deployments leave running for convenience. A flaw in how that daemon parses pre-authentication SSH protocol messages enables an attacker to break out of the key-exchange state machine and open an arbitrary channel before credentials are verified.