Aggregator
Microsoft fixes “BadSuccessor” Kerberos vulnerability (CVE-2025-53779)
For August 2025 Patch Tuesday, Microsoft has released security updates resolving 100+ security vulnerabilities in its various solutions, including a relative path traversal flaw in Windows Kerberos (CVE-2025-53779) that allows an authorized attacker to elevate privileges over a network as part of a BadSuccessor attack. The vulnerability, discovered by Akamai researcher Yuval Gordon, exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025 and can be used to compromise any …
The post Microsoft fixes “BadSuccessor” Kerberos vulnerability (CVE-2025-53779) appeared first on Help Net Security.
FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User
A critical authentication bypass vulnerability in FortiWeb allows unauthenticated remote attackers to impersonate any existing user on affected systems. The vulnerability, tracked as CVE-2025-52970 with a CVSS score of 7.7, affects multiple FortiWeb versions and stems from improper parameter handling in the cookie parsing mechanism. Key Takeaways: 1. CVE-2025-52970 lets attackers bypass authentication to log in […]
The post FortiWeb Authentication Bypass Vulnerability Let Attackers Log in As Any Existing User appeared first on Cyber Security News.
Submit #631836: Tenda AC20 ≤ V16.03.08.12 (latest version) Buffer Overflow [Accepted]
Submit #631829: Tenda AC20 ≤ V16.03.08.12 (latest version) Buffer Overflow [Accepted]
CISA and Partners Release Asset Inventory Guidance for Operational Technology Owners and Operators
CISA, along with the National Security Agency, the Federal Bureau of Investigation, the Environmental Protection Agency, and several international partners, released comprehensive guidance to help operational technology (OT) owners and operators across all critical infrastructure sectors create and maintain OT asset inventories and supplemental taxonomies.
An asset inventory is a regularly updated, structured list of an organization's systems, hardware, and software. It includes a categorization system—a taxonomy—that classifies assets based on their importance and function. This guidance explains how OT owners and operators can create, maintain, and use asset inventories and taxonomies to identify and safeguard their critical assets.
Following this guidance, organizations may gain deeper insights into their architecture, optimize their defenses, better assess and reduce cybersecurity risk in their environments, and enhance incident response planning to ensure service continuity.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
- CVE-2025-8875 N-able N-central Insecure Deserialization Vulnerability
- CVE-2025-8876 N-able N-central Command Injection Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.