@www.first.org
Researchers from the U.S. National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have collaborated to develop a new security metric designed to better assess the likelihood of vulnerability exploitation. This metric aims to enhance the existing Exploit Prediction Scoring System (EPSS) and CISA's Known Exploited Vulnerabilities (KEV) catalog, providing a more refined approach to identifying vulnerabilities that are at high risk of being exploited in the wild. Peter Mell, formerly of NIST, and Jonathan Spring from CISA are credited with outlining this vulnerability exploit metric.
This new metric, detailed in a NIST White Paper titled "Likely Exploited Vulnerabilities," seeks to improve the accuracy with which vulnerabilities are prioritized for remediation. By augmenting the EPSS and KEV lists, the metric intends to provide a clearer understanding of a vulnerability's exploitability. The researchers propose this augmentation as a means to better express how likely a vulnerability is to be exploited, which can help organizations focus their security efforts on the most critical threats. Meanwhile, CISA has recently added six new vulnerabilities to its Known Exploited Vulnerabilities catalog, underscoring the importance of addressing actively exploited flaws. In a related development, Wiz Research has observed in-the-wild exploitation of CVE-2025-4427 and CVE-2025-4428, two recently disclosed vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). These Ivanti EPMM vulnerabilities, which are chained to achieve remote code execution, highlight the need for organizations to promptly apply security patches and mitigate potential risks.
Steve Zurier@scmagazine.com
The National Institute of Standards and Technology (NIST) has announced that it will mark all Common Vulnerabilities and Exposures (CVEs) published prior to January 1, 2018, as 'deferred.' The decision stems from the agency being overwhelmed by the surging volume of newly disclosed vulnerabilities: because of their age, NIST will no longer prioritize updating National Vulnerability Database (NVD) enrichment for these older CVEs. This affects a substantial number of CVEs, with estimates suggesting that over 94,000, or 34% of all CVEs, could be affected by the change. Despite this shift, NIST has stated it will continue to accept and review requests to update the metadata for these CVE records, and will prioritize updates if new information indicates it is appropriate, as time and resources allow.
This move has sparked concerns within the cybersecurity community. Many prominent cyber incidents, such as WannaCry, NotPetya, and the Colonial Pipeline attack, exploited older CVEs. With limited resources, prioritizing newer vulnerabilities might protect a larger number of organizations. However, older vulnerabilities that appear on CISA's Known Exploited Vulnerabilities (KEV) list will continue to be updated and worked on. Experts are also worried that older CVEs could be revived using new AI-driven exploit techniques. Marc Gaffan, CEO of IONIX, noted the rapid advancement of AI capabilities and the concern that these techniques could catch organizations off guard, leaving them unprepared for re-emerging threats. Jon France, CISO at ISC2, emphasized the importance of keeping software patched and up-to-date. Despite the concerns, NIST's decision reflects the challenges of managing an ever-growing database of vulnerabilities with finite resources.
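Both stories above come down to the same triage question: given an EPSS probability, KEV membership, and now a "deferred" flag for pre-2018 records, which CVEs should a team patch first? The following is an added illustration written for this page, not code from NIST, CISA, or the cited white paper. It treats each day's EPSS value as an independent chance of exploitation and combines them into a single "exploited at least once in the window" likelihood, forces that likelihood to 1.0 for anything on KEV, and flags records older than the January 1, 2018 cutoff so that a deferred CVE with a high likelihood is not overlooked just because NVD enrichment for it is no longer prioritized. The composition rule, the record layout, and the CVE identifiers are all constructed assumptions for the example; the real LEV metric is defined in the white paper, not here.

```python
from dataclasses import dataclass, field
from datetime import date
from math import prod

# Cutoff stated in the article: CVEs published before this date are marked 'deferred'.
DEFERRAL_CUTOFF = date(2018, 1, 1)


@dataclass
class CveRecord:
    """One CVE with a constructed window of daily EPSS probabilities (0.0-1.0)."""
    cve_id: str
    published: date
    daily_epss: list[float] = field(default_factory=list)


def cumulative_exploit_probability(daily_epss: list[float]) -> float:
    """Probability that at least one day's exploitation event occurs.

    Assumption for this example: each day's EPSS value is an independent
    Bernoulli probability, so P(ever) = 1 - prod(1 - p_i). An empty window
    yields 0.0.
    """
    for p in daily_epss:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS value out of range: {p}")
    return 1.0 - prod(1.0 - p for p in daily_epss)


def exploit_likelihood(record: CveRecord, kev_ids: set[str]) -> float:
    """KEV membership is observed exploitation, so it dominates any estimate."""
    if record.cve_id in kev_ids:
        return 1.0
    return cumulative_exploit_probability(record.daily_epss)


def is_deferred(record: CveRecord, cutoff: date = DEFERRAL_CUTOFF) -> bool:
    """True when NVD enrichment for this record is deprioritized by age."""
    return record.published < cutoff


def prioritize(records: list[CveRecord], kev_ids: set[str],
               cutoff: date = DEFERRAL_CUTOFF) -> list[dict]:
    """Return rows sorted by likelihood (highest first), with deferral noted.

    Deferred-but-likely records stay near the top: age affects NVD metadata
    maintenance, not the attacker's interest in the bug.
    """
    rows = []
    for rec in records:
        rows.append({
            "cve_id": rec.cve_id,
            "likelihood": round(exploit_likelihood(rec, kev_ids), 6),
            "on_kev": rec.cve_id in kev_ids,
            "deferred": is_deferred(rec, cutoff),
        })
    return sorted(rows, key=lambda r: (-r["likelihood"], r["cve_id"]))


# Constructed sample input: placeholder CVE ids, not real vulnerabilities.
SAMPLE_RECORDS = [
    CveRecord("CVE-2017-00001", date(2017, 6, 1), [0.05, 0.05, 0.05]),  # old, deferred
    CveRecord("CVE-2024-00002", date(2024, 3, 10), [0.01, 0.01]),       # on KEV (below)
    CveRecord("CVE-2025-00003", date(2025, 5, 1), [0.10, 0.20]),        # rising EPSS
]
SAMPLE_KEV = {"CVE-2024-00002"}


if __name__ == "__main__":
    for row in prioritize(SAMPLE_RECORDS, SAMPLE_KEV):
        print(row)
```

Running the block prints the KEV entry first with likelihood 1.0, then the 2025 record at 0.28, then the deferred 2017 record at about 0.1426 with `deferred: True`, which is exactly the case the article's critics worry about: a record that is still worth tracking even though its NVD metadata is no longer being prioritized.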