• What VMware’s licensing crackdown reveals about control and risk 

    Over the past few weeks, VMware customers holding onto their perpetual licenses, which are often unsupported and in limbo, have reportedly begun receiving formal cease-and-desist letters from Broadcom. The message is as blunt as it is unsettling: your support contract has expired, and you are to immediately uninstall any updates, patches, or enhancements released since that expiration date. Not only that, but audits could follow, with the possibility of “enhanced damages” for breach of contract.
    This is a sharp escalation in an effort to push perpetual license holders toward VMware’s new subscription-only model. For many, it signals the end of an era where critical infrastructure software could be owned, maintained, and supported on long-term, stable terms.
    Now, even those who bought VMware licenses outright are being told that support access is off the table unless they sign on to the new subscription regime. As a result, enterprises are being forced to make tough decisions about how they manage and support one of the most foundational layers of their IT environments.

    VMware isn’t just another piece of enterprise software. It’s the plumbing. The foundation. The layer everything else runs on top of, which is precisely why many CIOs flinch at the idea of running unsupported. The potential risk is too great. A vulnerability or failure in your virtual infrastructure isn’t the same as a bug in a CRM. It’s a systemic weakness. It touches everything.
    This technical risk is, without question, the biggest barrier to any organization considering support options outside of VMware’s official offering. And it’s a valid concern. But technical risk isn’t black and white. It varies widely depending on version, deployment model, network architecture, and operational maturity. A tightly managed and stable VMware environment running a mature release with minimal exposure doesn’t carry the same risk profile as an open, multi-tenant deployment on a newer build.

    The prevailing assumption is that support equals security—and that operating unsupported equals exposure. But this relationship is more complex than it appears. In most enterprise environments, security is not determined by whether a patch is available. It’s determined by how well the environment is configured, managed, and monitored.
    Patches are not applied instantly. Risk assessments, integration testing, and change control processes introduce natural delays. And in many cases, security gaps arise not from missing patches but from misconfigurations: exposed management interfaces, weak credentials, overly permissive access. An unpatched environment, properly maintained and reviewed, can be significantly more secure than a patched one with poor hygiene. Support models that focus on proactive security—through vulnerability analysis, environment-specific impact assessments, and mitigation strategies—offer a different but equally valid form of protection. They don’t rely on patch delivery alone. They consider how a vulnerability behaves in the attack chain, whether it’s exploitable, and what compensating controls are available. 

    Read more about VMware security

    Hacking contest exposes VMware security: In what has been described as a historical first, hackers in Berlin have been able to demo successful attacks on the ESXi hypervisor.
    No workaround leads to more pain for VMware users: There are patches for the latest batch of security alerts from Broadcom, but VMware users on perpetual licences may not have access.

    This kind of tailored risk management is especially important now, as vendor support for older VMware versions diminishes. Many reported vulnerabilities relate to newer product components or bundled services, not the core virtualization stack. The perception of rising security risk needs to be balanced against the stability and maturity of the versions in question. In other words, not all unsupported deployments are created equal.

    Some VMware environments—particularly older versions like vSphere 5.x or 6.x—are already beyond the range of vendor patching. In these cases, the transition to unsupported status may be more symbolic than substantive. The risk profile has not meaningfully changed. Others, particularly organisations operating vSphere 7 or 8 without an active support contract, face a more complex challenge. Some critical security patches remain accessible, depending on severity and version, but the margin of certainty is shrinking.
    These are the cases where enterprises are increasingly turning to alternative support models to bridge the gap—ensuring continuity, maintaining compliance, and retaining access to skilled technical expertise.

    Third-party support is sometimes seen as a temporary fix—a way to buy time while organizations figure out their long-term plans. And it can serve that purpose well. But increasingly, it’s also being recognized as a strategic choice in its own right: a long-term solution for enterprises that want to maintain operational stability with a reliable support partner while retaining control over their virtualization roadmap. What distinguishes third-party support in this context isn’t just cost control, it’s methodology.
    Risk is assessed holistically, identifying which vulnerabilities truly matter, what can be addressed through configuration, and when escalation is genuinely required. This approach recognises that most enterprises aren’t chasing bleeding-edge features. They want to run stable, well-understood environments that don’t change unpredictably. Third-party support helps them do exactly that, without being forced into a rapid, costly migration or a subscription contract that may not align with their business needs. 
    Crucially, it enables organisations to move on their own timeline.
    Much of the conversation around unsupported VMware environments focuses on technical risk. But the longer-term threat may be strategic. The end of perpetual licensing, the sharp rise in subscription pricing, and now the legal enforcement of support boundaries all point to a much bigger problem: a loss of control over infrastructure strategy.
    Vendor-imposed timelines, licensing models, and audit policies are increasingly dictating how organizations use the very software they once owned outright. Third-party support doesn’t eliminate risk—nothing can. But it redistributes and controls it. It gives enterprises more agency over when and how they migrate, how they manage updates, and where they invest. In a landscape shaped by vendor agendas, that independence is increasingly critical. 
    Broadcom’s cease-and-desist letters represent a new phase in the relationship between software vendors and customers—one defined not by collaboration, but by contractual enforcement. And for VMware customers still clinging to the idea of “owning” their infrastructure, it’s a rude awakening: support is no longer optional, and perpetual is no longer forever. Organizations now face three paths: accept the subscription model, attempt a rapid migration to an alternative platform, or find a support model that gives them the stability to decide their future on their own terms. 
    For many, the third option is the only one that balances operational security with strategic flexibility. 
    The question now isn’t whether unsupported infrastructure is risky. The question is whether the greater risk is allowing someone else to dictate what happens next. 
    www.computerweekly.com
  • FBI warns of hackers exploiting outdated routers. Check yours now

    Published May 26, 2025 10:00am EDT
    We stay on top of updates for our phones and laptops. Some of us even make sure our smartwatches and security cameras are running the latest firmware. But routers often get overlooked. If it's working, we assume it's fine, but that mindset can be risky.
    Now, the FBI has issued a warning that cybercriminals are actively exploiting old, unpatched and outdated routers. The alert, released in May 2025, explains how aging network devices with known flaws are being hijacked by malware and used to power anonymous cybercrime operations. A forgotten device in your home can silently become a tool for attackers.

    The FBI alert
    The FBI's Internet Crime Complaint Center published a public service announcement on May 7, 2025, cautioning both individuals and organizations that criminals are taking advantage of outdated routers that no longer receive security patches.
    Devices manufactured around 2010 or earlier are especially vulnerable, as vendors have long ceased providing firmware updates for them. According to the FBI, such end-of-life routers have been breached by cyber actors using a variant of the "TheMoon" malware, allowing attackers to install proxy services on the devices and conduct illicit activities anonymously.
    In essence, home and small-office routers are being quietly conscripted into proxy networks that mask the perpetrators' identities online. The alert notes that through networks like "5socks" and "Anyproxy," criminals have been selling access to the infected routers as proxy nodes. In these schemes, paying customers can route their internet traffic through unwitting victims' routers, obscuring their own location while the victim's device bears the blame.
    Which routers are affected?
    The FBI bulletin even names specific router models as frequent targets, including:
    Cisco M10
    Cisco Linksys E1500
    Cisco Linksys E1550
    Cisco Linksys WRT610N
    Cisco Linksys E1000
    Cradlepoint E100
    Cradlepoint E300
    Linksys E1200
    Linksys E2500
    Linksys E3200
    Linksys WRT320N
    Linksys E4200
    Linksys WRT310N
    All of these devices are roughly a decade or more old and have known security vulnerabilities that were never patched once support ended. With their firmware updates long discontinued, any still in use are soft targets for attackers.

    How hackers exploit these routers
    Many recent infections stem from devices with remote administration exposed to the internet. Attackers scan for such routers, exploiting known firmware flaws without needing passwords. A single crafted web request can trick an older device into running malicious code. Once inside, malware often alters settings, opening ports or disabling security features, to maintain control and connect to external command-and-control servers.
    One prominent threat is TheMoon, a malware strain first seen in 2014 that exploited flaws in Linksys routers. It has since evolved into a stealthy botnet builder, transforming infected routers into proxy nodes. Instead of launching direct attacks, TheMoon reroutes third-party traffic, masking hackers' identities behind everyday home networks. Cybercrime platforms like Faceless and 5socks sell access to these infected routers as "residential proxies," making them valuable assets in the digital underground.
    For users, a compromised router means slower connections, exposure to phishing and spyware, and potential legal trouble if criminals abuse their IP address. For businesses, the risk is even higher: Outdated routers can be exploited for deeper network intrusions, data theft and ransomware attacks. In critical sectors, the consequences can be severe, affecting safety and compliance.
    6 ways to stay safe from router hackers
    Given the serious threats posed by outdated and compromised routers, taking proactive measures is essential. Here are six practical steps you can follow to protect your network and keep hackers at bay.
    1) Replace your old router if it's no longer supported: If your router is more than five to seven years old, or if you can't find any recent updates for it on the manufacturer's website, it might be time to upgrade. Older routers often stop getting security fixes, which makes them an easy target for hackers. To check, look at the label on your router for the model number, then search online for "firmware update." If the last update was years ago, consider replacing it with a newer model from a trusted brand. If you're not sure which router to get, check out my list of top routers for the best security. It includes models with strong security features and compatibility with VPN services.
    2) Keep your router's firmware updated: Your router runs software called firmware, which needs to be updated just like your phone or computer. To do this, open a web browser and type your router's IP address, then log in using the username and password. Once inside, look for a section called "Firmware Update," "System" or "Administration," and check if an update is available. Apply it if there is one. Some newer routers also have apps that make this even easier.
    3) Turn off remote access: Remote access lets you control your router from outside your home network, but it also opens the door for hackers. You can turn this off by logging into your router's settings, then finding a setting called "Remote Management," "Remote Access" or "WAN Access." Make sure this feature is disabled, then save the changes and restart your router.
    4) Use a strong password for your router settings: Don't leave your router using the default login, like "admin" and "password." That's the first thing hackers try. Change it to a long, strong password with a mix of letters, numbers and symbols. A good example would be something like T#8r2k!sG91xm4vL. Try to avoid using the same password you use elsewhere. You can usually change the login password in the "Administration" or "Security" section of the router settings. Consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here.
    5) Look out for strange behavior and act quickly: If your internet feels unusually slow, your devices randomly disconnect or your streaming buffers more than usual, it could mean something is wrong. Go into your router settings and check the list of connected devices. If you see something you don't recognize, it could be a sign of a breach. In that case, update the firmware, change your passwords and restart the router. If you're not comfortable doing this yourself, call your internet provider for help.
    6) Reporting to authorities: The FBI asks that victims or those who suspect a compromise report incidents to the Internet Crime Complaint Center, which can help authorities track and mitigate broader threats.

    Kurt's key takeaway
    This isn't just about asking everyone to upgrade their old gear. It's about the bigger issue of who's actually responsible when outdated devices turn into security risks. Most people don't think twice about the router sitting in a corner, quietly doing its job years past its prime. But attackers do. They see forgotten hardware as easy targets. The real challenge isn't just technical. It's about how manufacturers, service providers and users all handle the long tail of aging tech that still lives on in the real world.
    Should manufacturers be held accountable for keeping routers secure against cyber threats?
    Let us know by writing us at Cyberguy.com/Contact. For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.
    Copyright 2025 CyberGuy.com. All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com.
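The six-step checklist in the article above can be turned into a repeatable self-check. What follows is an added example, not code from the article, the FBI bulletin or any router vendor: a small offline Python script that scores a constructed snapshot of a router's settings and a dnsmasq-style DHCP lease table against steps 1 to 5 (model on the FBI list, stale firmware, remote management enabled, default or weak admin login, unrecognised devices holding a lease). The model list is the one the bulletin names; the RouterSnapshot fields, the default-credential pairs beyond admin/password, the five-year firmware-age threshold, the MAC addresses and the lease lines are assumptions made for illustration.

```python
"""Router hygiene self-check (added example; constructed data, not a vendor API)."""
from dataclasses import dataclass
from datetime import date

# Router models the FBI bulletin names as frequent targets (list taken from the article).
FBI_LISTED_MODELS = {
    "Cisco M10", "Cisco Linksys E1500", "Cisco Linksys E1550",
    "Cisco Linksys WRT610N", "Cisco Linksys E1000", "Cradlepoint E100",
    "Cradlepoint E300", "Linksys E1200", "Linksys E2500", "Linksys E3200",
    "Linksys WRT320N", "Linksys E4200", "Linksys WRT310N",
}

# Factory logins attackers try first. "admin"/"password" is the article's example;
# the other pairs are assumed common defaults added for illustration.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("admin", ""), ("root", "root")}

# Step 1's rule of thumb: five to seven years without updates means replace.
MAX_FIRMWARE_AGE_DAYS = 5 * 365

# Date of the article, used as "today" so the sample audit is reproducible.
REPORT_DATE = date(2025, 5, 26)


@dataclass
class RouterSnapshot:
    """Values an owner can read off the admin page (constructed schema, not a real API)."""
    model: str
    last_firmware_update: date
    remote_management_enabled: bool
    admin_user: str
    admin_password: str
    dhcp_leases_text: str      # raw dnsmasq-style lease file contents
    known_macs: frozenset      # MAC addresses the owner recognises


def parse_dnsmasq_leases(text):
    """Parse dnsmasq lease lines: '<expiry> <mac> <ip> <hostname> <client-id>'."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip blank or malformed lines
        leases.append((parts[1].lower(), parts[2], parts[3]))
    return leases


def password_is_strong(pw):
    """Step 4: long, with a mix of letters, numbers and symbols."""
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return len(pw) >= 12 and sum(classes) >= 3


def audit_router(snap, today):
    """Return (code, message) findings, one per checklist step the router fails."""
    findings = []
    if snap.model in FBI_LISTED_MODELS:
        findings.append(("eol-model", f"{snap.model} is named in the FBI bulletin; replace it"))
    age_days = (today - snap.last_firmware_update).days
    if age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append(("stale-firmware",
                         f"no firmware update for {age_days // 365} years; check vendor support"))
    if snap.remote_management_enabled:
        findings.append(("remote-admin", "remote management is reachable from the WAN; disable it"))
    if (snap.admin_user, snap.admin_password) in DEFAULT_CREDENTIALS:
        findings.append(("default-credentials", "admin login is a factory default; change it"))
    elif not password_is_strong(snap.admin_password):
        findings.append(("weak-password", "admin password is short or lacks character variety"))
    for mac, ip, host in parse_dnsmasq_leases(snap.dhcp_leases_text):
        if mac not in snap.known_macs:        # step 5: a device the owner does not recognise
            findings.append(("unknown-device", f"unrecognised device {host} ({mac}, {ip}) holds a lease"))
    return findings


# Constructed sample: an old Linksys with remote admin on, a default login and a stranger on the LAN.
SAMPLE_LEASES = """\
1748275200 a4:5e:60:12:34:56 192.168.1.23 living-room-tv 01:a4:5e:60:12:34:56
1748275200 3c:22:fb:aa:bb:cc 192.168.1.41 kurts-laptop 01:3c:22:fb:aa:bb:cc
1748278800 00:11:22:33:44:55 192.168.1.77 * 01:00:11:22:33:44:55
"""
OLD_ROUTER = RouterSnapshot(
    model="Linksys E1200",
    last_firmware_update=date(2014, 6, 1),
    remote_management_enabled=True,
    admin_user="admin",
    admin_password="password",
    dhcp_leases_text=SAMPLE_LEASES,
    known_macs=frozenset({"a4:5e:60:12:34:56", "3c:22:fb:aa:bb:cc"}),
)

if __name__ == "__main__":
    for code, msg in audit_router(OLD_ROUTER, REPORT_DATE):
        print(f"[{code}] {msg}")
```

Run as-is it prints five findings for the sample router; a router that passes every step returns an empty list. The checks are deliberately conservative: a password that merely avoids the factory default is still flagged if it is short or uses only one or two character classes, and any lease whose MAC is not on the owner's list is reported, which is the signal step 5 tells readers to look for before updating firmware and changing passwords.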
Change it to a long, strong password with a mix of letters, numbers and symbols. A good example would be something like T#8r2k!sG91xm4vL. Try to avoid using the same password you use elsewhere. You can usually change the login password in the "Administration" or "Security" section of the router settings. Consider using a password manager to generate and store complex passwords. Get more details about my best expert-reviewed password managers of 2025 here.5) Look out for strange behavior and act quickly: If your internet feels unusually slow, your devices randomly disconnect or your streaming buffers more than usual, it could mean something is wrong. Go into your router settings and check the list of connected devices. If you see something you don't recognize, it could be a sign of a breach. In that case, update the firmware, change your passwords and restart the router. If you're not comfortable doing this yourself, call your internet provider for help.6) Reporting to authorities: The FBI asks that victims or those who suspect a compromise report incidents to the Internet Crime Complaint Center, which can help authorities track and mitigate broader threats.Kurt's key takeawayThis isn't just about asking everyone to upgrade their old gear. It's about the bigger issue of who's actually responsible when outdated devices turn into security risks. Most people don't think twice about the router sitting in a corner, quietly doing its job years past its prime. But attackers do. They see forgotten hardware as easy targets. The real challenge isn't just technical. It's about how manufacturers, service providers and users all handle the long tail of aging tech that still lives on in the real world.Should manufacturers be held accountable for keeping routers secure against cyber threats? 
Let us know by writing us atCyberguy.com/Contact.For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.Follow Kurt on his social channels:Answers to the most-asked CyberGuy questions:New from Kurt:Copyright 2025 CyberGuy.com. All rights reserved. Kurt "CyberGuy" Knutsson is an award-winning tech journalist who has a deep love of technology, gear and gadgets that make life better with his contributions for Fox News & FOX Business beginning mornings on "FOX & Friends." Got a tech question? Get Kurt’s free CyberGuy Newsletter, share your voice, a story idea or comment at CyberGuy.com. #fbi #warns #hackers #exploiting #outdated
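    The six steps above can be turned into a repeatable check. The following script is an added example and is not part of the FBI alert or the CyberGuy article: it audits a snapshot of a router's settings (firmware age, remote management, admin login, connected devices) against steps 1, 3, 4 and 5. The snapshot data, the MAC addresses and the 12-character minimum password length are constructed assumptions; the article only says "long" and "more than five to seven years old".

```python
from dataclasses import dataclass, field
from datetime import date

# Factory logins the article calls out ("admin" / "password"); constructed list
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
MIN_PASSWORD_LEN = 12       # assumption: the article says "long" but gives no number
REPLACE_AFTER_YEARS = 5     # article: "more than five to seven years old"


@dataclass
class RouterSnapshot:
    model: str
    last_firmware: date              # date of the newest firmware the vendor published
    remote_management: bool          # WAN-side "Remote Management" switch
    admin_user: str
    admin_password: str
    connected_macs: list = field(default_factory=list)   # current DHCP client list
    known_macs: set = field(default_factory=set)         # devices you recognise


def password_is_strong(pw: str) -> bool:
    """Step 4: long, with a mix of letters, numbers and symbols."""
    return (len(pw) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def audit(r: RouterSnapshot, today: date) -> list:
    """Return the findings for one router; an empty list means nothing to fix."""
    findings = []
    age_years = (today - r.last_firmware).days / 365.25
    if age_years > REPLACE_AFTER_YEARS:                       # step 1
        findings.append(f"last firmware is {age_years:.1f} years old; "
                        "vendor support has likely ended, replace the router")
    if r.remote_management:                                   # step 3
        findings.append("remote management is enabled; disable it and restart the router")
    if (r.admin_user, r.admin_password) in DEFAULT_LOGINS:    # step 4
        findings.append("admin login is a factory default; change it")
    elif not password_is_strong(r.admin_password):
        findings.append(f"admin password is shorter than {MIN_PASSWORD_LEN} characters "
                        "or lacks letters, digits or symbols")
    unknown = sorted(set(r.connected_macs) - set(r.known_macs))
    if unknown:                                               # step 5
        findings.append("unrecognised devices on the LAN: " + ", ".join(unknown))
    return findings


# Constructed snapshots: the dates, logins and MAC addresses are invented for the example
OLD_ROUTER = RouterSnapshot(
    model="Linksys E1200", last_firmware=date(2013, 4, 2), remote_management=True,
    admin_user="admin", admin_password="password",
    connected_macs=["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"],
    known_macs={"02:00:00:00:00:01", "02:00:00:00:00:02"},
)
NEW_ROUTER = RouterSnapshot(
    model="example-2024", last_firmware=date(2025, 1, 10), remote_management=False,
    admin_user="owner", admin_password="T#8r2k!sG91xm4vL",
    connected_macs=["02:00:00:00:00:01"], known_macs={"02:00:00:00:00:01"},
)

if __name__ == "__main__":
    for snap in (OLD_ROUTER, NEW_ROUTER):
        print(snap.model, audit(snap, date(2025, 5, 26)) or ["OK"])
```

    The snapshot has to be filled in by hand from the router's admin pages (or from a vendor app export), which is also where each finding is fixed; the script only decides which of the steps still apply.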
  • Unpatched Versa Concerto Flaws Let Attackers Escape Docker and Compromise Host

    May 22, 2025 | Ravie Lakshmanan | Vulnerability / Software Security | thehackernews.com

    Cybersecurity researchers have uncovered multiple critical security vulnerabilities impacting the Versa Concerto network security and SD-WAN orchestration platform that could be exploited to take control of susceptible instances.
    It's worth noting that the identified shortcomings remain unpatched despite responsible disclosure on February 13, 2025, prompting a public release of the issues following the end of the 90-day deadline.
    "These vulnerabilities, when chained together, could allow an attacker to fully compromise both the application and the underlying host system," ProjectDiscovery researchers Harsh Jaiswal, Rahul Maini, and Parth Malhotra said in a report shared with The Hacker News.

    The security defects are listed below -

    CVE-2025-34025 (CVSS score: 8.6) - A privilege escalation and Docker container escape vulnerability that's caused by unsafe default mounting of host binary paths and could be exploited to gain code execution on the underlying host machine
    CVE-2025-34026 (CVSS score: 9.2) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to access heap dumps and trace logs by exploiting an internal Spring Boot Actuator endpoint via CVE-2024-45410
    CVE-2025-34027 (CVSS score: 10.0) - An authentication bypass vulnerability in the Traefik reverse proxy configuration that allows an attacker to access administrative endpoints, which could then be exploited to achieve remote code execution by exploiting an endpoint related to package uploads ("/portalapi/v1/package/spack/upload") via arbitrary file writes

    Successful exploitation of CVE-2025-34027 could allow an attacker to leverage a race condition and write malicious files to disk, ultimately resulting in remote code execution using LD_PRELOAD and a reverse shell.
    "Our approach involved overwriting ../../../../../../etc/ld.so.preload with a path pointing to /tmp/hook.so," the researchers said. "Simultaneously, we uploaded /tmp/hook.so, which contained a compiled C binary for a reverse shell. Since our request triggered two file write operations, we leveraged this to ensure that both files were written within the same request."

    "Once these files were successfully written, any command execution on the system while both persisted would result in the execution of /tmp/hook.so, thereby giving us a reverse shell."
    In the absence of an official fix, users are advised to block semicolons in URL paths and drop requests where the Connection header contains the value X-Real-Ip. It's also recommended to monitor network traffic and logs for any suspicious activity.
    The Hacker News has reached out to Versa Networks for comment, and we will update the story if we hear back.
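    The two interim mitigations quoted above (reject URL paths containing a semicolon, drop requests whose Connection header names X-Real-Ip) are simple enough to express as an edge filter. The following is an added example written for this page, not ProjectDiscovery's or Versa Networks' code: it applies both checks after percent-decoding, and adds one check the article does not state, rejecting upload file names that escape their directory, since the reported chain wrote files through the upload endpoint using a traversal sequence. The hostname and the sample requests are constructed; the upload endpoint path and the ld.so.preload target string come from the article.

```python
from urllib.parse import urlsplit, unquote


def _decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %3B and double-encoded
    sequences are inspected in their final form."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def _connection_tokens(headers: dict) -> set:
    """Names listed in Connection are hop-by-hop: a compliant proxy strips them before
    forwarding. Listing X-Real-Ip there removes the client-address header the backend
    relies on, which is why the article says to drop such requests."""
    raw = headers.get("connection", "")
    return {t.strip().lower() for t in raw.split(",") if t.strip()}


def check_request(method: str, target: str, headers: dict, upload_name: str = None) -> list:
    """Return the reasons to drop a request; an empty list means pass it through."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    path = urlsplit(target).path              # urlsplit keeps ';' inside the path
    decoded = _decode_fully(path)
    reasons = []
    if ";" in decoded:                        # interim mitigation 1 from the article
        reasons.append("semicolon in URL path")
    if "x-real-ip" in _connection_tokens(hdrs):   # interim mitigation 2
        reasons.append("Connection header lists X-Real-Ip")
    # Additional check, not from the article: reject upload names that leave their directory
    if upload_name is not None:
        segments = _decode_fully(upload_name).split("/")
        if ".." in segments or upload_name.startswith("/"):
            reasons.append("upload file name escapes its directory")
    return reasons


# Constructed sample traffic (hostname and status path are invented)
SAMPLES = [
    ("GET", "/portalapi/v1/status", {"Host": "concerto.example", "Connection": "keep-alive"}, None),
    ("GET", "/portalapi/v1/status;debug", {"Host": "concerto.example"}, None),
    ("GET", "/portalapi/v1/status%3Bdebug", {"Host": "concerto.example"}, None),
    ("GET", "/portalapi/v1/status",
     {"Host": "concerto.example", "Connection": "keep-alive, X-Real-Ip"}, None),
    ("POST", "/portalapi/v1/package/spack/upload", {"Host": "concerto.example"},
     "../../../../../../etc/ld.so.preload"),
]


def blocked_targets(samples=SAMPLES) -> list:
    """Targets from the sample set that the filter would drop."""
    return [target for method, target, headers, name in samples
            if check_request(method, target, headers, name)]


if __name__ == "__main__":
    for method, target, headers, name in SAMPLES:
        print(method, target, check_request(method, target, headers, name) or ["allow"])
```

    The checks run on the decoded path rather than the raw one so that an encoded semicolon is treated the same as a literal one; the same drop decision, and a log line recording the reason, is what you would want from the reverse proxy or WAF in front of the orchestrator until a vendor fix is available.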

  • Securing CI/CD workflows with Wazuh

    Continuous Integration and Continuous Delivery/Deployment (CI/CD) refers to practices that automate how code is developed and released to different environments. CI/CD pipelines are fundamental in modern software development, ensuring code is consistently tested, built, and deployed quickly and efficiently.
    While CI/CD automation accelerates software delivery, it can also introduce security risks. Without proper security measures, CI/CD workflows can be vulnerable to supply chain attacks, insecure dependencies, and insider threats. To mitigate these risks, organizations must integrate measures for continuous monitoring and enforcing security best practices at every pipeline stage. Securing CI/CD workflows preserves the software delivery process's confidentiality, integrity, and availability.
    Security challenges and risks in CI/CD workflows
    While CI/CD workflows offer benefits in terms of automation and speed, they also bring unique security challenges that must be addressed to maintain the integrity of the development process. Some common challenges and risks include:
    - Lack of visibility and inadequate security monitoring: CI/CD workflows involve multiple tools and stages, which make it challenging to maintain security visibility into potential threats. Vulnerabilities, especially in third-party libraries or containerized applications, can introduce security risks that go undetected if not correctly managed. Without centralized monitoring, real-time threat detection and response become difficult. Manual, reactive incident response increases the risk of exploitation.
    - Compliance requirements: Meeting regulatory standards such as GDPR or HIPAA while maintaining fast deployment cycles can be challenging. Organizations must balance enforcing security policies, data protection, and compliance requirements without slowing down their CI/CD workflows.
    - Code and dependency vulnerabilities: Unpatched or outdated dependencies in the workflow can introduce significant security risks. Third-party libraries or outdated packages can become attack vectors if not regularly updated and monitored for vulnerabilities. These risks are increased by the fast pace of CI/CD, where vulnerabilities may go untreated.
    - Container vulnerabilities and image security: Containers are widely used in CI/CD workflows, but they are not free of security risks. Vulnerabilities in container images, such as outdated software versions, misconfigurations, or insecure base images, present a risk in CI/CD workflows and can be exploited by attackers. Without proper scanning and validation, these weaknesses can propagate through the pipeline.
    - Misconfiguration of CI/CD tools: Improper configuration of CI/CD tools can leave the workflow open to unauthorized access or unintentionally expose sensitive code. Misconfigurations in access control settings can increase the likelihood of privilege escalation or code exposure. Additionally, hardcoded credentials or mismanaged environment variables introduce a risk of being extracted by attackers, which could lead to data breaches.
    - Supply chain attacks: Compromised third-party dependencies can introduce malicious packages or vulnerabilities into the workflow. These vulnerabilities can spread throughout the entire pipeline and infect production environments, primarily when third-party tools or libraries are not sufficiently validated.
    - Insider threats: Insider threats in CI/CD workflows involve authorized users such as developers, DevOps engineers, system administrators, or third-party contractors, who may intentionally or unintentionally compromise the pipeline. Weak authentication mechanisms, inadequate access controls, and a lack of monitoring can increase the risk of unauthorized changes, credential theft, or the introduction of malicious code into the workflow.
    Enhancing CI/CD workflow security with Wazuh
    Wazuh is an open source security platform that offers unified XDR and SIEM capabilities for on-premises, containerized, virtualized, and cloud-based environments. Wazuh provides flexibility in threat detection, compliance, incident handling, and third-party integration. Organizations can implement Wazuh to address the challenges and mitigate the risks associated with CI/CD workflow security. Below are some ways Wazuh helps improve security in CI/CD workflows.
    Log collection and system monitoring
    Wazuh provides log collection and analysis capabilities to ensure the components of your CI/CD environment are continuously monitored for security threats. It collects and analyzes logs from various CI/CD pipeline components, including servers, containerization and orchestration tools such as Docker and Kubernetes, and version control systems like GitHub. This allows security teams to monitor for unusual activities, unauthorized access, or security breaches across the CI/CD environment.
    Additionally, the Wazuh File Integrity Monitoring (FIM) capability can detect unauthorized changes in code or configuration files. By monitoring files in real time or on a schedule, Wazuh generates alerts for security teams about file activities like creation, deletion, or modification.
    Figure 1: Wazuh dashboard showing File Integrity Monitoring alerts.
    Custom rules and streamlined security monitoring
    Wazuh allows users to create custom rules and alerts that align with a pipeline's security requirements. Organizations can create custom rules matching their specific security needs, such as monitoring code changes, server configurations, or container images. This flexibility allows organizations to enforce granular security controls tailored to their CI/CD workflow.
    For instance, the Center for Internet Security (CIS) Docker Benchmark provides guidelines for securing Docker environments. Organizations can automate the compliance checks against CIS Docker Benchmark v1.7.0 using the Wazuh Security Configuration Assessment (SCA) capability.
    Figure 2: Wazuh dashboard showing Wazuh Security Configuration Assessment results.
    Integration with third-party security tools
    Wazuh can integrate with various security tools and platforms, including container vulnerability scanners and CI/CD orchestration systems. This is particularly important in CI/CD workflows, where multiple tools may be used to manage the development lifecycle. Wazuh can pull in data from various sources, which helps to provide a centralized view of security across the pipeline.
    For instance, Wazuh integrates with container vulnerability scanning tools Trivy and Grype, which are commonly used to scan container images for vulnerabilities, insecure base images, or outdated software versions. By scanning container images before they are deployed into production, organizations can ensure that only secure, up-to-date images are used in the deployment processes.
    You can configure the Wazuh Command module to run a Trivy scan on an endpoint hosting container images and display any detected vulnerabilities in the Wazuh dashboard. This helps to ensure that insecure images are identified and prevented from being pushed into production.
    Figure 3: Wazuh dashboard displaying vulnerabilities discovered on container images from a Trivy scan.
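    Feeding a Trivy scan into the Wazuh dashboard works best when the scan output is reshaped into one event per finding, and the same parsed data can gate the pipeline. The following script is an added example and is not Wazuh's own integration code or Trivy's: it flattens Trivy's JSON report layout (Results[].Vulnerabilities[]) into one JSON object per line, wrapped under a `trivy` key, and decides whether an image should be blocked from deployment by severity. The `trivy` wrapper, the field names and the sample report (with placeholder vulnerability IDs) are this example's own choices; the matching Wazuh command module configuration and rules are not shown.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def flatten(report: dict) -> list:
    """One record per finding, sorted by severity (highest first).
    Follows Trivy's JSON layout: Results[].Vulnerabilities[] (may be null)."""
    records = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            records.append({
                "image": report.get("ArtifactName", ""),
                "target": result.get("Target", ""),
                "vulnerability_id": v.get("VulnerabilityID", ""),
                "package": v.get("PkgName", ""),
                "installed_version": v.get("InstalledVersion", ""),
                "fixed_version": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "title": v.get("Title", ""),
            })
    records.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 0), reverse=True)
    return records


def to_wazuh_lines(report: dict) -> list:
    """One JSON object per line, namespaced under 'trivy' (this example's choice),
    so each line can be decoded as a single event."""
    return [json.dumps({"trivy": r}, sort_keys=True) for r in flatten(report)]


def should_block(report: dict, threshold: str = "HIGH", fixed_only: bool = False) -> bool:
    """Gate: True if any finding is at or above threshold.
    With fixed_only, only findings that already have a FixedVersion count."""
    floor = SEVERITY_RANK[threshold]
    for r in flatten(report):
        if SEVERITY_RANK.get(r["severity"], 0) < floor:
            continue
        if fixed_only and not r["fixed_version"]:
            continue
        return True
    return False


# Constructed report: image name, packages and CVE-0000-* IDs are placeholders
SAMPLE_REPORT = {
    "ArtifactName": "registry.example/ci-runner:1.2.3",
    "Results": [
        {"Target": "registry.example/ci-runner:1.2.3 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-10001", "PkgName": "libexample",
              "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH",
              "Title": "placeholder: no fix yet"},
             {"VulnerabilityID": "CVE-0000-10002", "PkgName": "openexample",
              "InstalledVersion": "3.0.1", "FixedVersion": "3.0.2", "Severity": "CRITICAL",
              "Title": "placeholder: fixed upstream"},
         ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-10003", "PkgName": "somelib",
              "InstalledVersion": "2.1", "FixedVersion": "2.2", "Severity": "MEDIUM",
              "Title": "placeholder"},
         ]},
        {"Target": "app/Dockerfile", "Class": "config", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    for line in to_wazuh_lines(SAMPLE_REPORT):
        print(line)
    print("block deployment:", should_block(SAMPLE_REPORT))
```

    In a pipeline the script would read the report produced by `trivy image --format json`, print the per-finding lines for the Wazuh agent to forward, and exit non-zero when `should_block` is true so that the image is never pushed. Sorting by severity puts the findings that matter first in both the log and the dashboard.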
    Automated incident response
    The speed of CI/CD workflows means that threats must be detected and mitigated quickly to minimize the risk of breaches or downtime. Wazuh provides incident response capabilities that help organizations respond to security incidents as soon as they occur.
    The Wazuh Active Response module can automatically take action when a security threat is detected. For example, suppose a malicious IP address is detected trying to access a system that runs CI/CD processes. In that case, Wazuh can automatically block the IP address and trigger predefined remediation actions. This automation ensures fast response, reduces manual intervention, and prevents potential threats from escalating.
    Conclusion
    Securing CI/CD workflows is important for maintaining a reliable and safe software development process. By using Wazuh, organizations can detect vulnerabilities early, monitor for anomalies, enforce compliance, and automate security responses while maintaining the speed and efficiency of CI/CD workflows. Integrating Wazuh into your CI/CD workflow ensures that security keeps pace with development speed.

    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.
    Securing CI/CD workflows with Wazuh
    thehackernews.com
  • Shrink exploit windows, slash MTTP: Why ring deployment is now a must for enterprise defense


    Unpatched systems are a ticking time bomb. Fifty-seven percent of cyberattack victims acknowledge that available patches would have prevented breaches, yet nearly one-third admit failing to act, compounding the risk.
    Ponemon research shows organizations now take an alarming average of 43 days to detect cyberattacks, even after a patch is released, up from 36 days the previous year. According to the Verizon 2024 Data Breach Investigations Report, attackers’ ability to exploit vulnerabilities surged by 180% from 2023 to 2024.
    Chronic firefighting makes manual or partially automated patching overly burdensome, pushing patching further down teams’ priority lists. This is consistent with an Ivanti study that found that the majority of IT and security professionals think patching is overly complex, cumbersome and time-consuming.
    When it comes to patching, complacency kills
    Attackers aggressively exploit legacy Common Vulnerabilities and Exposures (CVEs), often ten or more years old.
    A sure sign of how effective attackers’ tradecraft has become at targeting legacy CVEs is their success with vulnerabilities that are, in some cases, 10-plus years old. That attackers keep finding new ways to weaponize old vulnerabilities is reflected in the startling statistic that 76% of vulnerabilities leveraged by ransomware were reported between 2010 and 2019. Misalignment between IT and security teams compounds delays: 27% lack cohesive patch strategies and nearly a quarter disagree on patch schedules. One of the unexpected benefits of automating patch management is breaking the impasse between IT and security over managing the patch workload.
    “Typically, on average, an enterprise may patch 90% of desktops within two to four weeks, 80% of Windows servers within six weeks and only 25% of Oracle Databases within six months from patch release date”, writes Gartner in their recent report, “We’re not patching our way out of vulnerability exposure.” The report states that “the cold, hard reality is that no one is out patching threat actors at scale in any size organization, geography or industry vertical.”
    Ring deployment: proactive defense at scale
    Every unpatched endpoint or threat surface invites attackers to exploit it. Enterprises are losing the patching race, which motivates attackers even more.
    In the meantime, patching has become exponentially more challenging for security and IT teams to manage manually. Approximately a decade ago, ring deployment began to be adopted in Microsoft-dominated networks. Since then, ring deployments have proliferated across on-premise and cloud-based patch and risk management systems. Ring deployment provides a phased, automated strategy, shrinking attacker windows and breach risks.
    Ring deployment rolls out patches incrementally through carefully controlled stages or “rings”:

    Test Ring: Core IT teams quickly validate patch stability.
    Early Adopter Ring: A broader internal group confirms real-world compatibility.
    Production Ring: Enterprise-wide rollout after stability is conclusively proven.

    Ivanti’s recent release of ring deployment is designed to give security teams greater control over when patches will be deployed, to which systems, and how each sequence of updates will be managed. By addressing patching issues early, the goal is to minimize risks and reduce or eliminate disruptions.
    Gartner’s ring deployment strategy escalates patches from internal IT outward, providing continuous validation and dramatically reducing deployment risk. Source: Gartner, “Modernize Windows and Third-Party Application Patching,” p. 6.
    Ring deployment crushes MTTP, ends reactive patching chaos
    Relying on outdated vulnerability ratings to lead patch management strategies only increases the risk of a breach as enterprises race to keep up with growing patch backlogs. That’s often when patching becomes cybersecurity’s endless nightmare, with attackers looking to capitalize on the many legacy CVEs that remain unprotected.
    Gartner’s take in their recent report “Modernize windows and third-party application patching” makes the point brutally clear, showing how traditional patching methods routinely fail to keep pace. In contrast, enterprises embracing ring deployment are getting measurable results. Their research finds ring deployment achieves a “99% patch success within 24 hours for up to 100,000 PCs,” leaving traditional methods far behind.
    During an interview with VentureBeat, Tony Miller, Ivanti’s VP of enterprise services, emphasized that “Ivanti Neurons for Patch Management and implementing Ring Deployment is an important part of our Customer Zero journey.” He said the company uses many of its own products, which allows for a quick feedback loop and gives developers insight into customers’ pain points.
    Miller added: “We’ve tested out Ring Deployment internally with a limited group, and we are in the process of rolling it out organization-wide. In our test group, we have benefited from deploying patches based on real-world risk, and ensuring that updates don’t interrupt employee productivity–a significant challenge for any IT organization.”
    VentureBeat also spoke with Jesse Miller, SVP and director of IT at Southstar Bank, about leveraging Ivanti’s dynamic Vulnerability Risk Rating, an AI-driven system continuously recalibrated with real-time threat intelligence, live exploit activity, and current attack data.
    Miller stated clearly: “This is an important change for us and the entire industry. Judging a patch based on its CVSS now is like working in a vacuum. When judging how impactful something can be, you have to take everything from current events, your industry, your environment and more into the equation. Ultimately, we are just making wiser decisions as we are not disregarding CVSS scoring; we are simply adding to it.”
    Miller also highlighted his team’s prioritization strategy: “We have been able to focus on prioritizing Zero-Day and Priority patches to get out first, as well as anything being exploited live in the wild. Using patch prioritization helps us eliminate our biggest risk first so that we can reduce our attack surface as quickly as possible.”
    By combining ring deployment and dynamic VRR technology, Ivanti Neurons provides enterprises with structured visual orchestration of incremental patch rollouts. This approach sharply reduces Mean-Time-to-Patch, accelerating patches from targeted testing through full deployment and significantly decreasing the exposure windows that attackers exploit.
    Caption: The Ivanti Neurons interface visually manages deployment rings, success thresholds and patching progress, streamlining operational clarity. Source: Ivanti Neurons
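To make the mechanics of the three rings and the risk-based ordering described above concrete, here is an added illustration that is not Ivanti's or Gartner's code: a small controller that orders a patch backlog the way the Southstar Bank quote describes (actively exploited and zero-day fixes first, CVSS only as a tiebreaker) and promotes a patch from the Test ring to Early Adopter to Production only once a per-ring success threshold and soak time are met, halting the rollout as soon as failures exceed what the threshold can tolerate. Ring policies, patch identifiers and deployment counts are constructed values.

```python
"""Ring-deployment controller with risk-based patch ordering.

Added illustration, not Ivanti's or Gartner's code. It models the three rings
named in the article (Test, Early Adopter, Production) with a success
threshold and a minimum soak time per ring, and orders the backlog with
exploited and zero-day fixes ahead of plain CVSS severity. Ring policies,
patch identifiers and deployment counts are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Ring order and per-ring promotion policy (constructed values).
RINGS = ["test", "early_adopter", "production"]
POLICY = {
    "test":          {"min_success": 0.99, "min_soak_hours": 24},
    "early_adopter": {"min_success": 0.98, "min_soak_hours": 48},
    "production":    {"min_success": 0.95, "min_soak_hours": 0},
}


@dataclass
class Patch:
    id: str
    cvss: float
    exploited_in_wild: bool = False
    zero_day: bool = False


@dataclass
class RingState:
    """Deployment results reported so far for one ring."""
    targeted: int
    succeeded: int
    failed: int
    soak_hours: float


@dataclass
class Rollout:
    patch: Patch
    current_ring: str = "test"
    results: Dict[str, RingState] = field(default_factory=dict)
    halted: bool = False


def risk_key(p: Patch):
    """Sort key: exploited first, then zero-day, then CVSS descending."""
    return (not p.exploited_in_wild, not p.zero_day, -p.cvss)


def prioritize(backlog: List[Patch]) -> List[Patch]:
    """Order the backlog so the biggest real-world risk is patched first."""
    return sorted(backlog, key=risk_key)


def success_rate(state: RingState) -> float:
    done = state.succeeded + state.failed
    return state.succeeded / done if done else 0.0


def evaluate(rollout: Rollout) -> str:
    """Return 'promote', 'hold', 'halt' or 'complete' for the current ring."""
    if rollout.halted:
        return "halt"
    ring = rollout.current_ring
    state = rollout.results.get(ring)
    if state is None:
        return "hold"                      # nothing deployed to this ring yet
    policy = POLICY[ring]
    # Once failures exceed what the threshold allows for the ring's target
    # count, no number of further successes can rescue it: stop spreading it.
    allowed_failures = state.targeted * (1.0 - policy["min_success"])
    if state.failed > allowed_failures:
        rollout.halted = True
        return "halt"
    done = state.succeeded + state.failed
    if done < state.targeted or success_rate(state) < policy["min_success"]:
        return "hold"                      # still reporting, or below threshold
    if state.soak_hours < policy["min_soak_hours"]:
        return "hold"                      # stable so far, but not soaked long enough
    return "complete" if ring == RINGS[-1] else "promote"


def advance(rollout: Rollout) -> Optional[str]:
    """Move to the next ring when evaluate() allows it; return the new ring."""
    if evaluate(rollout) != "promote":
        return None
    rollout.current_ring = RINGS[RINGS.index(rollout.current_ring) + 1]
    return rollout.current_ring
```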
    Comparing Ivanti Neurons, Microsoft Autopatch, Tanium and ServiceNow: Key strengths and gaps
    When selecting enterprise patch management solutions, apparent differences emerge among leading providers, including Microsoft Autopatch, Tanium, ServiceNow and Ivanti Neurons.
    Microsoft Autopatch relies on ring deployment but is restricted to Windows environments, including Microsoft 365 applications. Ivanti Neurons expands on this concept by covering a broader spectrum, including Windows, macOS, Linux and various third-party applications. This enables enterprise-wide patch management for organizations with large-scale, diverse infrastructure.
    Tanium stands out for its robust endpoint visibility and detailed reporting features, but its infrastructure requirements typically align better with resource-intensive enterprises. Meanwhile, ServiceNow’s strength lies in workflow automation and IT service management integrations. Executing actual patches often demands significant additional customization or third-party integrations.
    Ivanti Neurons aims to differentiate by integrating dynamic risk assessments, phased ring deployments and automated workflows within a single platform. It directly addresses common enterprise challenges in patch management, including visibility gaps, operational complexity and uncertainty about vulnerability prioritization with real-time risk assessments and intuitive visual dashboards.
    Caption: Ivanti Neurons provides real-time patch status, vulnerability assessments, and risk exposure metrics, ensuring continuous visibility. Source: Ivanti Neurons
    Transforming patch management into a strategic advantage
    Patching alone cannot eliminate vulnerability exposure. Gartner’s analysts continue to stress the necessity of integrating compensating controls, including endpoint protection platforms, multifactor authentication, and network segmentation to reinforce security beyond basic patching.
    Combining ring deployment with the compensating controls of a broader zero-trust framework strengthens security, allows IT teams to shrink exposure windows, and improves how cyber risks are managed.
    Ivanti’s approach to ring deployment incorporates real-time risk assessments, automated remediation workflows, and built-in threat management, directly aligning patch management with broader business resilience strategies. The design decision to make it part of Neurons for Patch Management delivers the scale enterprises need to improve risk management’s real-time visibility.  
    Bottom line: Integrating ring deployment with compensating controls and prioritization tools transforms patch management from a reactive burden to a strategic advantage.

    Daily insights on business use cases with VB Daily
    If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI.
    Read our Privacy Policy

    Thanks for subscribing. Check out more VB newsletters here.

    An error occured.
    #shrink #exploit #windows #slash #mttp
    Shrink exploit windows, slash MTTP: Why ring deployment is now a must for enterprise defense
    Join our daily and weekly newsletters for the latest updates and exclusive content on industry-leading AI coverage. Learn More Unpatched systems are a ticking time bomb. Fifty-seven percent of cyberattack victims acknowledge that available patches would have prevented breaches, yet nearly one-third admit failing to act, compounding the risk. Ponemon research shows organizations now take an alarming average of 43 days to detect cyberattacks, even after a patch is released, up from 36 days the previous year. According to the Verizon 2024 Data Breach Investigations Report, attackers’ ability to exploit vulnerabilities surged by 180% from 2023 to 2024. Chronic firefighting makes manual or partially automated patching overly burdensome, further pushing patching down teams’ priority lists. Relying on manual or partially automated patching systems is considered too time-consuming, further reducing patching to the bottom of a team’s action item list. This is consistent with an Ivanti study that found that the majorityof IT and security professionals think patching is overly complex, cumbersome and time-consuming. When it comes to patching, complacency kills Attackers aggressively exploit legacy Common Vulnerabilities and Exposures, often ten or more years old. A sure sign of how effective attackers’ tradecraft is becoming at targeting legacy CVEs is their success with vulnerabilities in some cases, 10-plus years old. A sure sign that attackers are finding new ways to weaponize old vulnerabilities is reflected in the startling stat that 76% of vulnerabilities leveraged by ransomware were reported between 2010 and 2019. The misalignment between IT and security teams compounds delays, with 27% lacking cohesive patch strategies and nearly a quarter disagreeing on patch schedules. One of the unexpected benefits of automating patch management is breaking the impasse between IT and security when it comes to managing the patch workload.    
“Typically, on average, an enterprise may patch 90% of desktops within two to four weeks, 80% of Windows servers within six weeks and only 25% of Oracle Databases within six months from patch release date”, writes Gartner in their recent report, “We’re not patching our way out of vulnerability exposure.” The report states that “the cold, hard reality is that no one is out patching threat actors at scale in any size organization, geography or industry vertical.” Ring deployment: proactive defense at scale Every unpatched endpoint or threat surface invites attackers to exploit it. Enterprises are losing the patching race, which motivates attackers even more. In the meantime, patching has become exponentially more challenging for security and IT teams to manage manually. Approximately a decade ago, ring deployment began to rely on Microsoft-dominated networks. Since then, ring deployments have proliferated across on-premise and cloud-based patch and risk management systems. Ring deployment provides a phased, automated strategy, shrinking attacker windows and breach risks. Ring deployment rolls out patches incrementally through carefully controlled stages or “rings:” Test Ring: Core IT teams quickly validate patch stability. Early Adopter Ring: A broader internal group confirms real-world compatibility. Production Ring: Enterprise-wide rollout after stability is conclusively proven. Ivanti’s recent release of ring deployment is designed to give security teams greater control over when patches will be deployed, to which systems and how each sequence of updates will be managed. By addressing patching issues early, the goal is to minimize risks and reduce and eliminate disruptions. Gartner’s ring deployment strategy escalates patches from internal IT outward, providing continuous validation and dramatically reducing deployment risk. Source: Gartner, “Modernize Windows and Third-Party Application Patching,” p. 6. 
    Ring deployment crushes MTTP, ends reactive patching chaos
    Relying on outdated vulnerability ratings to drive patch management strategies only increases the risk of a breach as enterprises race to keep up with growing patch backlogs. That is often when patching becomes cybersecurity’s endless nightmare, with attackers looking to capitalize on the many legacy CVEs that remain unprotected. Gartner’s recent report “Modernize Windows and Third-Party Application Patching” makes the point brutally clear, showing how traditional patching methods routinely fail to keep pace. In contrast, enterprises embracing ring deployment are getting measurable results: Gartner’s research finds ring deployment achieves a “99% patch success within 24 hours for up to 100,000 PCs,” leaving traditional methods far behind.
    During an interview with VentureBeat, Tony Miller, Ivanti’s VP of enterprise services, emphasized that “Ivanti Neurons for Patch Management and implementing Ring Deployment is an important part of our Customer Zero journey.” He said the company uses many of its own products, which allows for a quick feedback loop and gives developers insight into customers’ pain points. Miller added: “We’ve tested out Ring Deployment internally with a limited group, and we are in the process of rolling it out organization-wide. In our test group, we have benefited from deploying patches based on real-world risk, and ensuring that updates don’t interrupt employee productivity–a significant challenge for any IT organization.”
    VentureBeat also spoke with Jesse Miller, SVP and director of IT at Southstar Bank, about leveraging Ivanti’s dynamic Vulnerability Risk Rating (VRR), an AI-driven system continuously recalibrated with real-time threat intelligence, live exploit activity and current attack data. Miller stated clearly: “This is an important change for us and the entire industry. Judging a patch based on its CVSS now is like working in a vacuum. When judging how impactful something can be, you have to take everything from current events, your industry, your environment and more into the equation. Ultimately, we are just making wiser decisions as we are not disregarding CVSS scoring; we are simply adding to it.” Miller also highlighted his team’s prioritization strategy: “We have been able to focus on prioritizing Zero-Day and Priority patches to get out first, as well as anything being exploited live in the wild. Using patch prioritization helps us eliminate our biggest risk first so that we can reduce our attack surface as quickly as possible.”
    By combining ring deployment and dynamic VRR technology, Ivanti Neurons provides enterprises with structured visual orchestration of incremental patch rollouts. This approach sharply reduces Mean-Time-to-Patch (MTTP), accelerating patches from targeted testing through full deployment and significantly decreasing the exposure windows that attackers exploit.
    Caption: The Ivanti Neurons interface visually manages deployment rings, success thresholds and patching progress, streamlining operational clarity. Source: Ivanti Neurons
    Comparing Ivanti Neurons, Microsoft Autopatch, Tanium and ServiceNow: Key strengths and gaps
    When selecting enterprise patch management solutions, clear differences emerge among leading providers, including Microsoft Autopatch, Tanium, ServiceNow and Ivanti Neurons. Microsoft Autopatch relies on ring deployment but is restricted to Windows environments, including Microsoft 365 applications. Ivanti Neurons expands on this concept by covering a broader spectrum, including Windows, macOS, Linux and various third-party applications, enabling enterprise-wide patch management for organizations with large-scale, diverse infrastructure. Tanium stands out for its robust endpoint visibility and detailed reporting features, but its infrastructure requirements typically align better with resource-intensive enterprises. Meanwhile, ServiceNow’s strength lies in workflow automation and IT service management integrations; executing actual patches often demands significant additional customization or third-party integrations.
    Ivanti Neurons aims to differentiate itself by integrating dynamic risk assessments, phased ring deployments and automated workflows within a single platform. It directly addresses common enterprise challenges in patch management, including visibility gaps, operational complexity and uncertainty about vulnerability prioritization, with real-time risk assessments and intuitive visual dashboards.
    Caption: Ivanti Neurons provides real-time patch status, vulnerability assessments and risk exposure metrics, ensuring continuous visibility. Source: Ivanti Neurons
    Transforming patch management into a strategic advantage
    Patching alone cannot eliminate vulnerability exposure. Gartner’s analysts continue to stress the necessity of integrating compensating controls, including endpoint protection platforms (EPP), multifactor authentication and network segmentation, to reinforce security beyond basic patching. Combining ring deployment with integrated compensating controls that are part of a broader zero-trust framework ensures security, allows IT teams to shrink exposure windows and helps them better manage cyber risk. Ivanti’s approach to ring deployment incorporates real-time risk assessments, automated remediation workflows and built-in threat management, directly aligning patch management with broader business resilience strategies. The decision to make it part of Neurons for Patch Management delivers the scale enterprises need to improve real-time visibility into risk.
    Bottom line: Integrating ring deployment with compensating controls and prioritization tools transforms patch management from a reactive burden into a strategic advantage.
    Shrink exploit windows, slash MTTP: Why ring deployment is now a must for enterprise defense
    venturebeat.com
  • It's time to get to grips with DORA

    It’s no surprise to me that financial services organisations missed the 17 January 2025 deadline to be in compliance with the European Union’s Digital Operational Resilience Act (DORA). I personally have not met a CIO or CISO who thought this deadline was realistic.
    Even back in January, research from Orange Cyberdefense saw 43% of respondents in the industry admit they would not be compliant by the deadline. In March, Clear Junction revealed 86% of financial services organisations were not fully compliant and, more worryingly, Skillcast’s DORA readiness report showed huge variation in the resilience of these institutions’ IT infrastructures. The banking and lending subsector stood out as the least prepared for compliance, while the financial transaction processing subsector was the most vulnerable to cyber threats.
    Given we have known this deadline was coming, why such inconsistency when it comes to readiness?
    The reality is that cyber security strategies are always dealing with moving targets. Today, your organisation could feel secure and in compliance with DORA, but tomorrow the vulnerability landscape could change. New threats are introduced all the time. For example, you could implement a new supplier technology which could create new vulnerabilities in the supply chain, or the regulations themselves could change. In the UK, we are still expecting the Cyber Security and Resilience Bill at some point this year. The Government has announced its proposals, but it is still to be confirmed when it will come into effect.

    The reality is that many companies are still unsure what measures they need to take to establish DORA compliance, and it requires a significant amount of vigilance across IT infrastructures to understand your exposure.
    One area commonly overlooked or discounted is the Java environment. Given Java comprises 51% of the software code in the financial sector, companies should make sure to give their Java applications the appropriate consideration, as this is where many compliance and security risks lie dormant. Azul’s 2025 State of Java Survey & Report revealed that 41% of respondents encounter critical production security issues within their Java ecosystems on a weekly or daily basis. Three years after the Log4j incident, 49% are still experiencing security weaknesses in production from that remote code execution (RCE) vulnerability.
    Financial institutions must ensure their Java footprint, and that of their third-party providers or services, complies with DORA. Investing in detection tools and post-breach response preparedness can also significantly reduce breach costs for financial firms and their customers. Together with their providers, institutions will have to take an inventory of the risks associated with their applications to ensure compliance and security.
    That risk could be amplified if organisations use unsupported versions of Java (and of the underlying open source project for the Java programming language, the Open Java Development Kit, or OpenJDK). In highly regulated industries like financial services, where systems running on Java support mission-critical applications, failing to keep your core systems supported is highly risky, particularly as it exposes you to non-compliance with regulations like DORA.


    To guarantee compliance, players in the financial services industry must address these five pillars:
    Guarantee ICT risk management: Unsupported OpenJDK distributions can expose financial institutions to significant risks, such as unpatched security vulnerabilities and performance issues. An OpenJDK distribution that provides security patches is necessary to ensure Java applications remain resilient and compliant with ICT risk management requirements.
    Report incidents quickly: Not all OpenJDK distributions provide security updates and critical patch updates (CPUs) at the same time, leading to unreported and unnoticed incidents that can result in non-compliance. Industry players must equip themselves with tools that continuously monitor production for vulnerabilities and for unused or dead code, so that they can quickly and accurately detect, report and remediate vulnerabilities.
    Carry out regular and rigorous penetration and security tests: Testing against outdated or vulnerable Java builds may not accurately reflect production environments, leading to false security assumptions. It is therefore important to have up-to-date and tested Java distributions, including legacy versions like Java 6 and 7 and architectures like Windows x86 32-bit, so that financial institutions have reliable and accurate testing environments.
    Strengthen third-party risk management: Depending on third parties that use unsupported OpenJDK distributions increases the risk of security vulnerabilities and operational failures. It is necessary to ensure that third-party applications and services based on Java meet the highest security and performance standards, thereby reducing third-party risk.
    Participate in sharing information on cyber threats: Using unsupported OpenJDK distributions may leave organisations unaware of updates and security patches, relegating these applications and services to a weak link in the information sharing chain. Organisations must ensure they are aware of the latest vulnerabilities and can share relevant threat intelligence with other entities to improve collective cyber security resiliency.
    Cyber security is essential for stable and high-performance business operations today. By ensuring a secure Java distribution, promptly addressing vulnerabilities, and continuously monitoring their Java environment, companies can make a large portion of their IT assets DORA-compliant and strengthen their resilience against cyberattacks.
    James Johnston is vice president of EMEA at Java specialist Azul. He is responsible for growing Azul's software revenues across EMEA. Prior to joining Azul, James held a number of leadership positions with Cloudera, Fujitsu and HPE. James has an honours degree in business studies from UWE.
    It's time to get to grips with DORA
    www.computerweekly.com
    It’s no surprise to me that financial services organisations missed the 17 January2025 deadline to be in compliance with the European Union’s Digital Operational Resilience Act (DORA). I personally have not met a CIO or CISO who thought this deadline was realistic. Even back in January, research from Orange Cyberdefense saw 43% of respondents in the industry admit they would not be compliant by the deadline. In March, Clear Junction revealed 86% of financial services organisations were not fully compliant and more worryingly Skillcast’s DORA readiness report showed huge variation in the resilience of these institutions’ IT infrastructures. The banking and lending subsector stood out as the least prepared for compliance while the financial transaction processing subsector was the most vulnerable to cyber threats. Given we have known this deadline was coming, why such inconsistency when it comes to readiness? The reality is that cyber security strategies are always dealing with moving targets. Today, your organisation could feel secure and in compliance with DORA, but tomorrow the vulnerability landscape could change. New threats are introduced all the time. For example, you could implement a new supplier technology which could create new vulnerabilities in the supply chain, or the regulations themselves could change. In the UK, we are still expecting the Cyber Security and Resilience Bill at some point this year. The Government has announced its proposals but it is still to be confirmed when it will come into effect. The reality is that many companies are still unsure what measures they need to take to establish DORA compliance, and it requires a significant amount of vigilance across IT infrastructures to understand your exposure. One area commonly overlooked or discounted is the Java environment. 
Given Java comprises 51% of the software code in the financial sector, companies should make sure to give their Java applications the appropriate consideration as this is where many compliance and security risks lie dormant. Azul’s 2025 State of Java Survey & Report revealed that 41% of respondents encounter critical production security issues within their Java ecosystems on a weekly or daily basis. While three years after the Log4j incident, 49% are still experiencing security weaknesses in production from the remote code execution (RCE) vulnerability. Financial institutions must ensure their Java footprint, and that of their third-party providers or services, complies with DORA regulations. As a result, investing in detection tools and post-breach response preparedness can help significantly reduce breach costs for financial firms and their customers. Together, they will have to take an inventory of the risks associated with their applications to ensure compliance and security. That risk could be amplified if organisations use unsupported versions of Java (and the underlying open source project for the Java programming language called Open Java Development Kit (or OpenJDK for short). In highly regulated industries, like financial services, where systems run on Java are supporting mission-critical applications, not ensuring your core systems are supported is highly risky, particularly as it exposes you to non-compliance with regulations like DORA. Read more about DORA We look at the new EU regulation for cyber resiliency, the role of IT asset management in auditing and third-party risks. Compliance regulations come into force on 17 January, but many in the financial services community are not ready. 
    To guarantee compliance, players in the financial services industry must address these five pillars:

    1. Guarantee ICT risk management. Unsupported OpenJDK distributions can expose financial institutions to significant risks, such as unpatched security vulnerabilities and performance issues. An OpenJDK distribution that continues to receive security patches is necessary to keep Java applications resilient and compliant with the risk management requirements.
    2. Report incidents quickly. Not all OpenJDK distributions ship security updates and Critical Patch Updates (CPUs) at the same time, which can leave incidents unnoticed and unreported, and the organisation non-compliant. Industry players must equip themselves with tools that continuously monitor production for vulnerabilities and for unused or dead code, so that vulnerabilities can be detected, reported and remediated quickly and accurately.
    3. Carry out regular and rigorous penetration and security tests. Testing against outdated or vulnerable Java builds may not accurately reflect production environments and leads to false security assumptions. It is therefore important to have up-to-date and tested Java distributions, including legacy versions like Java 6 and 7 and architectures like Windows x86 32-bit, so that test environments are reliable and accurate.
    4. Strengthen third-party risk management. Third parties that rely on unsupported OpenJDK distributions increase the risk of security vulnerabilities and operational failures. Ensure that third-party applications and services built on Java meet the highest security and performance standards, thereby reducing third-party risk.
    5. Participate in sharing information on cyber threats. Using unsupported OpenJDK distributions can leave an organisation unaware of available updates and security patches, making those applications and services a weak link in the information-sharing chain. Organisations must ensure they are aware of the latest vulnerabilities and can share relevant threat intelligence with other entities to improve collective cyber security resilience.

    Cyber security is essential for stable and high-performance business operations today. By ensuring a secure Java distribution, promptly addressing vulnerabilities, and continuously monitoring their Java environment, companies can make a large portion of their IT assets DORA-compliant and strengthen their resilience against cyberattacks.

    James Johnston is vice president of EMEA at Java specialist Azul. He is responsible for growing Azul's software revenues across EMEA. Prior to joining Azul, James held a number of leadership positions with Cloudera, Fujitsu and HPE. James has an honours degree in business studies from UWE.
  • Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

    May 14, 2025Ravie LakshmananVulnerability / Malware

    Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild.
    The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw.
    "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary files as system authority," according to an advisory for the flaw.

    It's worth noting that CVE-2025-4632 is a patch bypass for CVE-2024-7399, another path traversal flaw in the same product that was patched by Samsung in August 2024.
    CVE-2025-4632 has been exploited in the wild since shortly after SSD Disclosure published a proof-of-concept (PoC) on April 30, 2025, in some instances to deploy the Mirai botnet.
    While it was initially assumed that the attacks were targeting CVE-2024-7399, cybersecurity company Huntress first revealed the existence of an unpatched vulnerability last week, after finding signs of exploitation even on MagicINFO 9 Server instances running what was then the latest version (21.1050).
    In a follow-up report published on May 9, Huntress detailed three separate incidents involving the exploitation of CVE-2025-4632, with unidentified actors running an identical set of commands to download additional payloads such as "srvany.exe" and "services.exe" on two hosts and executing reconnaissance commands on the third.
    Users of the Samsung MagicINFO 9 Server are recommended to apply the latest fixes as soon as possible to safeguard against potential threats.

    "We have verified that MagicINFO 9 21.1052.0 does mitigate the original issue raised in CVE-2025-4632," Jamie Levy, director of adversary tactics at Huntress, told The Hacker News.
    "Any machine that has versions v8 - v9 21.1050.0 will still be affected by this vulnerability. We've also discovered that upgrading from MagicINFO v8 to v9 21.1052.0 is not as straightforward since you have to first upgrade to 21.1050.0 before applying the final patch."
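The sequence described above, a traversal flaw patched and then bypassed, usually means the first fix filtered the input rather than checking where the resolved path ends up. The following is an added example written for this page; it is not Samsung's MagicINFO code and it does not reproduce the actual CVE-2025-4632 bypass, whose mechanics the article does not give. It contrasts a blocklist-style check on the raw filename, which a URL-encoded `..` slips past when the storage layer decodes afterwards, with a canonicalise-then-contain check on the final path. The upload directory and the probe strings are constructed.

```python
import os
import tempfile
import urllib.parse
from typing import Optional

# Stand-in for the server's restricted upload directory (created fresh so the
# example runs anywhere; hypothetical, not a MagicINFO path).
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads-")


def is_inside(root: str, path: str) -> bool:
    """True if `path` lies within `root` once both are fully resolved."""
    root_real = os.path.realpath(root)
    path_real = os.path.realpath(path)
    try:
        return os.path.commonpath([root_real, path_real]) == root_real
    except ValueError:  # different drives on Windows: cannot be inside
        return False


def weak_pipeline(root: str, raw_name: str) -> Optional[str]:
    """Blocklist check on the raw request parameter, then decode and write.

    This is the fragile pattern: the check runs on the string as received,
    but the storage layer decodes it afterwards, so any spelling of '..' the
    filter did not anticipate slips through. Returns the path that would be
    written, or None if the filter rejected the name.
    """
    if ".." in raw_name or raw_name.startswith(("/", "\\")):
        return None  # catches the obvious '../../x' and absolute paths
    decoded = urllib.parse.unquote(raw_name)  # storage layer decodes later
    return os.path.normpath(os.path.join(root, decoded))


def safe_pipeline(root: str, raw_name: str) -> Optional[str]:
    """Decode exactly once (as the framework does), canonicalise, then check
    containment. The decision is made on the final resolved path, so it does
    not depend on enumerating every encoding trick. Returns the write path or
    None."""
    decoded = urllib.parse.unquote(raw_name)
    root_real = os.path.realpath(root)
    # os.path.join discards root when `decoded` is absolute; realpath then
    # resolves '..' and symlinks so the containment test sees the true target.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if candidate == root_real or not is_inside(root_real, candidate):
        return None
    return candidate


# Constructed request filenames exercising both pipelines.
PROBES = [
    "reports/q1.csv",          # legitimate relative name
    "../../evil.txt",          # plain traversal: both pipelines reject it
    "%2e%2e/%2e%2e/evil.txt",  # encoded traversal: the weak filter passes it
    "/etc/passwd",             # absolute path
]


def compare(root: str = UPLOAD_ROOT) -> dict:
    """Run every probe through both pipelines and report, per probe, whether
    the weak pipeline would write outside root and whether the hardened one
    accepts the name at all."""
    results = {}
    for name in PROBES:
        weak = weak_pipeline(root, name)
        safe = safe_pipeline(root, name)
        results[name] = {
            "weak_writes_outside": weak is not None and not is_inside(root, weak),
            "safe_accepts": safe is not None,
        }
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name!r:28} weak escapes root: {str(r['weak_writes_outside']):5} "
              f"hardened accepts: {r['safe_accepts']}")
```

The point to carry over to any upload handler, MagicINFO or otherwise, is the order of operations: decode as many times as the framework does, resolve the full path, and only then decide, because a filter applied before decoding is exactly what a second bug report (and a second CVE) looks like. The hardened check above also rejects a symlink planted inside the upload directory that points elsewhere, since `realpath` follows it before the containment test.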

CGShares https://cgshares.com