CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root level privileges on a susceptible system.
“Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability,” CISA said in an alert. “A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.”
Quelle: The hacker news / Bleeping Computer / Security Week / Broadcom
Link: https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html
Link: https://www.securityweek.com/cisa-adds-exploited-xwiki-vmware-flaws-to-kev-catalog/
CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.
“By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks,” CISA said.
The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.
Quelle: The hacker news / Bleeping Computer / NSA Guidance / SANS internet storm center
Link: https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html
The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations
Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the majority of which are classified as benign.
Addressing the root cause of these blind spots and alert fatigue isn’t as simple as implementing more accurate tools. Many of these traditional tools are very accurate, but their fatal flaw is a lack of context and a narrow focus – missing the forest for the trees. Meanwhile, sophisticated attackers exploit exposures invisible to traditional reactive tools, often evading detection using widely-available bypass kits.
While all of these tools are effective in their own right, they often fail because of the reality that attackers don’t employ just one attack technique, exploit just one type of exposure or weaponize a single CVE when breaching an environment. Instead, attackers chain together multiple exposures, utilizing known CVEs where helpful, and employing evasion techniques to move laterally across an environment and accomplish their desired goals. Individually, traditional security tools may detect one or more of these exposures or IoCs, but without the context derived from a deeply integrated continuous exposure management program, it can be nearly impossible for security teams to effectively correlate otherwise seemingly disconnected signals.
Quelle: The hacker news
Link: https://thehackernews.com/2025/11/the-evolution-of-soc-operations-how.html
Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching
An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.
KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies’ findings, warning IT admins of the increased risk given that a PoC exploit is already available.
Days later, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their systems after adding it to its catalog of security flaws that have been abused in attacks. The Shadowserver Internet watchdog group is now tracking over 2,600 WSUS instances with the default ports (8530/8531) exposed online, although it didn’t share how many have already been patched.
Quelle: Bleeping Computer
Microsoft: October Windows updates trigger BitLocker recovery
Microsoft has warned that some systems may boot into BitLocker recovery after installing the October 2025 Windows security updates.
BitLocker is a Windows security feature that encrypts storage drives to block data theft attempts. Windows computers typically enter BitLocker recovery mode after hardware changes or Trusted Platform Module (TPM) updates to regain access to protected drives.
According to a service alert seen by BleepingComputer, Microsoft stated that the bug primarily impacts Intel devices with support for Connected Standby (now known as Modern Standby), which enables the PC to remain connected to the network while in low-power mode.
Quelle: Bleeping Computer