367 CVE Records + severity scores when available in CISA’s Vulnerability Summary bulletin for the week of May 26, 2025
https://cisa.gov/news-events/bulletins/sb25-153
#CVE #CVEID #CVSS #CWE #Vulnerability #VulnerabilityManagement #HSSEDI #CISA
“CNA Enrichment Recognition” - 229 CNAs on the list for June 2, 2025
Published monthly, this list recognizes those CVE Numbering Authorities (#CNAs) actively providing #CVSS and #CWE vulnerability data in their #CVE Records
https://medium.com/@cve_program/vulnerability-data-enrichment-for-cve-records-229-cnas-on-the-enrichment-recognition-list-for-june-36af70a086c3
Minutes from the CVE Board teleconference meeting on May 14 are now available
https://cve.mitre.org/community/board/meeting_summaries/14_May_2025.pdf
#cve #vulnerability #vulnerabilitymanagement #hssedi #cisa #infosec #cybersecurity
Qualcomm rilascia patch per tre vulnerabilità critiche Adreno
#Aggiornamenti #Android #CVE #CyberSecurity #ExploitZeroDay #Firmware #Google #GPUAdreno #Notizie #PatchDiSicurezza #Qualcomm #TechNews #Tecnologia #Vulnerabilità
https://www.ceotech.it/qualcomm-rilascia-patch-per-tre-vulnerabilita-critiche-adreno/
Jen Ellis of NextJenSecurity has joined the CVE Board https://www.cve.org/Media/News/item/news/2025/06/03/New-CVE-Board-Member-NextJenSecurity
#cve #vulnerability #vulnerabilitymanagement #informationsecurity #cybersecurity
Teradyne Robotics is now a CVE Numbering Authority (CNA) assigning CVE IDs for all products released by Teradyne Robotics subsidiaries, Universal Robots (UR) and Mobile Industrial Robots (MiR), including both actively supported and end-of-life/end-of-service products, as well as vulnerabilities in third-party software identified by Teradyne Robotics that are outside the scope of another CNA
https://www.cve.org/Media/News/item/news/2025/06/03/Teradyne-Robotics-Added-as-CNA
#cve #cna #vulnerability #vulnerabilitymanagement #cybersecurity
@CVE_Program we are adults. We can face problems. Talk to us as such. Put hard facts on the table, and let's work on this. Or fade away.
#cve
pour celles et ceux qui ont déployé des roundcube il va falloir faire la mise à jour rapidement
https://thehackernews.com/2025/06/critical-10-year-old-roundcube-webmail.html
New on the #CVE Blog:
“CVE Program Report for Quarter 1 Calendar Year (Q1 CY) 2025”
https://medium.com/@cve_program/cve-program-report-for-quarter-1-calendar-year-q1-cy-2025-0e84776ee5c5
#VulnerabilityManagement #Vulnerability #InformationSecurity #Cybersecurity
A BIG WELCOME to these 5 CVE Numbering Authority (#CNA) partners that joined the #CVE Program in May!!!
* Erlang Ecosystem Foundation
* Extreme Networks, Inc.
* Harborist
* SCHUTZWERK GmbH
* Stackable GmbH
Join: https://cve.org/PartnerInformation/Partner#HowToBecomeAPartner
883 CVE Records + severity scores when available in CISA’s Vulnerability Summary bulletin for the week of May 19, 2025
https://www.cisa.gov/news-events/bulletins/sb25-147
#CVE #CVEID #CVSS #CWE #Vulnerability #VulnerabilityManagement #HSSEDI #CISA
Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis:
Auch wenn im aktuellen Fall nicht von Vorsatz auszugehen ist, lässt das erneute Auftreten einer
Schwachstelle mit CVSS >8 (die dritte in 3 Jahren) Zweifel an der Qualitätskontrolle innerhalb des XZ-Projektes aufkommen. Dabei ist zu berücksichtigen, dass diese ubiquitäre Softwarekomponente im Wesentlichen von einem einzelnen Maintainer in seiner Freizeit gepflegt wird. Die verfügbaren
personellen Ressourcen stehen damit in keinem Verhältnis zur hohen Verbreitung der Bibliothek. Dies trifft auf eine große Anzahl von Open-Source-Software-Komponenten zu, die oft auch in proprietärer Software integriert sind, ohne hier offensichtlich zu werden. Zudem handelt es sich dabei um einen sehr frühen Punkt in der Lieferkette einer Softwarekomponente, die extrem weit verbreitet ist.
Hersteller von umsatzstarken Produkten bzw. Dienstangeboten teilen oftmals auch nicht die Erlöse
mit den bzw. mit allen im Unterbau genutzten Software-Projekten. Durch derartige Projekte sind im Laufe der letzten 30 Jahre eine Vielzahl an höchst wertvollen Software-Gütern entstanden, von denen das Funktionieren der heutigen IT-Welt abhängig ist, die jedoch trotz ihrer wirtschaftlichen Verwertung nicht ansatzweise mit Ressourcen ausgestattet wurden, die der damit erzielten Wertschöpfung entspricht. Perspektivisch sollte diesem strukturellen Problem mehr Aufmerksamkeit geschenkt werden.
Allen, die noch Windows 10 nutzen, empfiehlt das Bundesamt für Sicherheit in der Informationstechnik (BSI), ein Upgrade durchzuführen bzw. auf ein anderes Betriebssystem umzusteigen. Das können etwa Windows 11, ein Unix-basiertes Betriebssystem wie macOS oder ein Linux-basiertes Betriebssystem sein.
The hackathon FIRSTCON25 takes place physically at 37th ANNUAL FIRST CONFERENCE on Sunday 22nd June in Copenhagen.
GCVE.eu topic has been added to the hackathon.
About the hackathon https://discourse.ossbase.org/c/hackathon-firstcon25/12 GCVE.eu topic https://discourse.ossbase.org/t/gcve-eu-processes-standards-bcp-and-tooling/95 Registration https://pretix.eu/circl/hackathonfirst25/
159 CVEs exploited in Q1 2025 — 28.3% within 24 Hours of Disclosure.
As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024. "We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure," VulnCheck said.
![This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.
The IT-security company VulnCheck said a majority of the exploited vulnerabilities have been identified in content management systems [CMSes], followed by network edge devices, operating systems, open-source software and server software.
The breakdown is as follows:
• Content Management Systems [CMS] (35)
• Network Edge Devices (29)
• Operating Systems (24)
• Open Source Software (14)
• Server Software (14)](https://nerdculture.de/system/media_attachments/files/114/613/682/698/969/812/original/15cb334906affac5.jpeg "This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year.
The IT-security company VulnCheck said a majority of the exploited vulnerabilities have been identified in content management systems [CMSes], followed by network edge devices, operating systems, open-source software and server software.
The breakdown is as follows:
• Content Management Systems [CMS] (35)
• Network Edge Devices (29)
• Operating Systems (24)
• Open Source Software (14)
• Server Software (14)")
![[ImageSource: VulnCheck]
The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4) and TOTOLINK Routers (4).
"On average, 11.4 KEVs were disclosed weekly, and 53 per month," VulnCheck said. "While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation."
Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new "Deferred" status.](https://nerdculture.de/system/media_attachments/files/114/613/689/347/931/234/original/4981ae91f83110e1.jpeg "[ImageSource: VulnCheck]
The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4) and TOTOLINK Routers (4).
\"On average, 11.4 KEVs were disclosed weekly, and 53 per month,\" VulnCheck said. \"While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation.\"
Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new \"Deferred\" status.")
![[ImageSource: VulnCheck]
According to Verizon's newly released Data Breach Investigations Report for 2025, exploitation of vulnerabilities as an initial access step for data breaches grew by 34%, accounting for 20% of all intrusions.
<https://www.verizon.com/about/news/2025-data-breach-investigations-report>
Data gathered by Google-owned Mandiant has also revealed that exploits were the most frequently observed initial infection vector for the fifth consecutive year, with stolen credentials overtaking phishing as the second most frequently observed initial access vector.
<https://services.google.com/fh/files/misc/m-trends-2025-en.pdf>
"For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability," Mandiant said. "This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%."
⚠️That said, despite attacker’s efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time, which refers to the number of days an attacker is on a system from compromise to detection, has been pegged at 11 days, an increase of one day from 2023.⚠️](https://nerdculture.de/system/media_attachments/files/114/613/689/766/988/430/original/d907eb56b29dd212.jpeg "[ImageSource: VulnCheck]
According to Verizon's newly released Data Breach Investigations Report for 2025, exploitation of vulnerabilities as an initial access step for data breaches grew by 34%, accounting for 20% of all intrusions.
<https://www.verizon.com/about/news/2025-data-breach-investigations-report>
Data gathered by Google-owned Mandiant has also revealed that exploits were the most frequently observed initial infection vector for the fifth consecutive year, with stolen credentials overtaking phishing as the second most frequently observed initial access vector.
<https://services.google.com/fh/files/misc/m-trends-2025-en.pdf>
\"For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability,\" Mandiant said. \"This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%.\"
⚠️That said, despite attacker’s efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time, which refers to the number of days an attacker is on a system from compromise to detection, has been pegged at 11 days, an increase of one day from 2023.⚠️")
May’s #Tumbleweed update rolled out #QEMU 10.0 for improved virtualization 
and #OpenSSL 3.5.0 with post-#quantum #crypto 
Security got serious with #CVE fixes 
#openSUSE https://news.opensuse.org/2025/06/02/tw-monthly-update-may/
#OT #Advisory VDE-2025-020
WAGO: Switches affected by year 2k38 problem
#CVE CVE-2025-1235
https://certvde.com/en/advisories/VDE-2025-020
#CSAF https://wago.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-020.json
All of the videos from “CVE/FIRST VulnCon 2025” are now available on YouTube!
https://www.youtube.com/playlist?list=PLWfD9RQVdJ6cm3kSvz-Sk87CawSzn5Ep0
#CVE #FIRST #VulnerabilityManagement #Vulnerability #Cybersecurity #InformationSecurity
