Latest news with #CVSS
Techday NZ
06-06-2025
- Business
- Techday NZ
Cobalt unveils platform updates to streamline pentesting workflows
Cobalt has announced a series of product enhancements within its Offensive Security Platform intended to assist customers in scaling security testing with greater clarity, automation, and control. The platform centralises access to security services provided by a team of pentesters, enabling organisations to identify and address vulnerabilities more efficiently across their environments. Features offered include faster pentest launches, real-time collaboration with testers, continuous scanning, and integration with remediation workflows. According to the company, these processes aim to support security teams in identifying critical issues and accelerating the mitigation of risks. The latest updates seek to provide customers with clearer risk prioritisation. Each finding within the platform now comes with standardised CVSS v3.1 scores alongside OWASP ratings, offering a measurable and objective understanding of vulnerability severity. Users are expected to be able to concentrate their remediation efforts on the most critical security issues first, potentially saving time and resources while maintaining their security posture. CVSS data are accessible via reports, CSV exports, the public API, and integrations. Deeper insight and increased trust in pentest results is also a focus of these enhancements. Final pentest reports now include a detailed Coverage Checklist with associated findings. This addition is designed to provide a comprehensive overview of testing scope and methodology, linking individual findings directly to test activities. This approach is intended to make it easier for users to analyse results and take appropriate action. For organisations dealing with recurring or retested vulnerabilities, workflow simplification is addressed through a new configuration option. Users can automatically associate findings carried over from previous reports with existing tracking tickets or generate new tickets for separate tracking. This is intended to save time and reduce confusion in vulnerability management processes. The process of launching a pentest has also been redesigned. The platform now provides an intuitive flow in which users can select from a range of pentest options, customise requirements - such as requesting a debrief call - and place their order in a matter of minutes. Cobalt describes this as making launching a pentest as simple as ordering a pizza, with the goal of improving the user experience and accelerating the initiation of testing. Boris Diebold, Chief Technology Officer at HeyJobs, commented, "These updates are all about delivering more impactful and efficient testing. The clearer reporting and streamlined workflows help us understand and address our security risk with more confidence and speed." Discussing the direction of the platform, Jason Lamar, SVP of Product at Cobalt, said, "These innovations mark the next chapter in the evolution of offensive security services. We're building toward a future where pentesting is continuous, deeply integrated into development workflows, and backed by data that drives real security outcomes - not just compliance. The Cobalt Platform is redefining what it means to test smarter, not harder." The enhancements are intended to make pentesting more actionable and transparent, whether an organisation is launching a test in a short timeframe, integrating insights directly into development pipelines, or supporting compliance reporting. The platform continues to prioritise usability, integration capabilities, and the timely remediation of vulnerabilities, as it serves security and development operations teams dealing with changing and emerging security threats.
Techday NZ
22-05-2025
- Business
- Techday NZ
Picus launches tool for real-time validation of exploitable risks
Picus Security has introduced a new capability designed to help security teams determine which vulnerabilities in their environments are actually exploitable. The new feature, called Picus Exposure Validation, uses real-time attack simulations to provide evidence-based assessments of vulnerability risks within a specific organisation's environment. This approach aims to address the challenge of large numbers of vulnerabilities that are often identified but not all requiring immediate attention or remediation. With more than 40,000 new Common Vulnerabilities and Exposures (CVEs) disclosed in 2024 - with 61% ranked as high or critical - security teams often struggle to respond effectively, as traditional vulnerability management methods can lead to inefficient allocation of resources. Picus Security says the new capability assists security teams in distinguishing between vulnerabilities that can actually be exploited in their unique systems and those that can be safely deprioritised. Traditional vulnerability management is typically driven by severity metrics such as Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS), which provide generalised risk indicators but may not account for an individual organisation's existing security controls and asset criticality. Picus Exposure Validation aims to fill this gap with the Picus Exposure Score, an evidence-based, context-aware metric intended to reflect actual risk, according to the company. The system continuously tests security controls using real-world attack techniques to determine whether known vulnerabilities can be exploited given the organisation's current defences. The findings are automatically updated and presented in transparent reports, enabling quicker and more confident decision-making in response to new security threats. Volkan Ertürk, Co-Founder and Chief Technology Officer at Picus Security, commented: "The challenge today isn't finding vulnerabilities, it's knowing which ones matter in your unique environment. CVSS, EPSS and KEV offer theoretical risk signals. Picus Exposure Validation delivers proof by testing threats against your production defenses in real time. It replaces assumptions with evidence so security teams can focus on vulnerabilities that are actually exploitable." Key features highlighted by the company include the ability for security teams to more accurately prioritise remediation work, safely deprioritise less urgent vulnerabilities, and reduce manual workloads through the use of automated validation processes. The solution is said to include tailored recommendations to quickly improve the effectiveness of security controls, offering an alternative when immediate patching is not feasible. A global industrial firm reported that, upon deploying Picus Exposure Validation, it was able to reduce its list of critical patches by 85%. Based solely on CVSS ratings, 63% of the vulnerabilities in the organisation's systems were initially classified as critical. However, after applying Picus Exposure Validation, it was found that only 9% of those were truly high risk and required prioritisation. This reduction reportedly saved the organisation thousands of hours on patching activity and allowed the security team to focus resources more efficiently. The company positions Picus Exposure Validation as a new methodology for combining data about vulnerabilities with automated attack simulation to create an organisation-specific analysis of exploitability. This approach, according to Picus, offers security teams a more focused view on where to deploy efforts for mitigation and remediation and thereby enables more effective closing of security gaps. The Picus Exposure Validation feature is now available to organisations seeking enhanced vulnerability validation for their own environments. Follow us on: Share on:
Yahoo
21-05-2025
- Business
- Yahoo
Attaxion Becomes the First EASM Platform to Integrate ENISA's EU Vulnerability Database (EUVD)
DOVER, Del., May 21, 2025 /PRNewswire/ -- Attaxion, the external attack surface management (EASM) vendor with industry-leading asset coverage, announces the integration of the European Vulnerability Database (EUVD) into its platform. Operated by the European Union Agency for Cybersecurity (ENISA), the EUVD is a publicly accessible vulnerability repository developed in response to the NIS2 Directive. It entered beta testing in mid-April 2025. The database takes a multi-stakeholder approach, assigning unique EUVD identifiers, cross-referencing CVEs, aggregating input from CSIRTs and other sources, and publishing actionable information such as mitigation measures and exploitation status. With the recent nearly avoided CVE funding crisis and the growing backlog of vulnerabilities yet to be processed by NIST, many organizations started to look for additional sources of truth for their vulnerability management efforts. Attaxion data shows that only 30% of discovered vulnerabilities have a CVE identifier assigned to them. EUVD emerges as a key resource in addressing these problems. Every vulnerability in an organization's external attack surface identified by Attaxion will now display its corresponding EUVD ID, where available, providing security teams with broader coverage and context for vulnerability prioritization. Figure 1 - EUVD ID appearing in the vulnerability name and as a tag in issue reports. The EUVD integration enhances Attaxion's ability to correlate and enrich vulnerability data with authoritative European intelligence. Each mapped EUVD ID brings additional metadata such as exploitation confirmation, affected products, and references — details that may not appear in other global sources. This layered context enables faster triage, risk-based prioritization, and supports compliance with regulations such as the NIS2 Directive and the upcoming Cyber Resilience Act. In parallel, EUVD data is now presented alongside existing vulnerability indicators such as CVSS scores and CISA KEV inclusion within the Attaxion platform. This unified view helps security teams evaluate issues based on severity, exploitability, and regulatory relevance, ultimately supporting better prioritization and remediation decisions. The update is part of an ongoing effort to consolidate diverse threat intelligence into a streamlined operational workflow. Figure 2 - EUVD IDs in vulnerability lists alongside CVSS and CISA KEV data. "We're constantly working to improve our vulnerability coverage and deliver more meaningful context to our users," said Max Beatty, Head of Growth & Strategy at Attaxion. "The integration of a second independent scoring system with EUVD data not only expands the range of vulnerabilities we uncover but also enhances their analytical depth. With trusted, region-specific insights at the source, we're helping organizations make better-informed decisions and provide their users with meaningful data, spanning diverse geographies and regulatory environments." As the first EASM platform to integrate EUVD, Attaxion also sets a precedent for aligning external attack surface management with emerging public-sector threat intelligence efforts. The move underscores a broader industry shift toward interoperability between commercial platforms and government-backed datasets — bridging gaps between security operations and regulatory intelligence at scale. About Attaxion Attaxion helps organizations discover, monitor, and secure their internet-facing assets. The platform combines automated discovery, continuous assessment, and guided remediation to deliver 97% greater asset visibility and AI-driven vulnerability prioritization — making robust cyber defense accessible to teams of every size. To support early evaluation and integration, Attaxion is available with a 30-day free trial. ContactPR TeamAttaxion LLCpress@ Photo - - - View original content to download multimedia: SOURCE Attaxion Error in retrieving data Sign in to access your portfolio Error in retrieving data Error in retrieving data Error in retrieving data Error in retrieving data
Yahoo
21-05-2025
- Business
- Yahoo
Attaxion Becomes the First EASM Platform to Integrate ENISA's EU Vulnerability Database (EUVD)
DOVER, Del., May 21, 2025 /PRNewswire/ -- Attaxion, the external attack surface management (EASM) vendor with industry-leading asset coverage, announces the integration of the European Vulnerability Database (EUVD) into its platform. Operated by the European Union Agency for Cybersecurity (ENISA), the EUVD is a publicly accessible vulnerability repository developed in response to the NIS2 Directive. It entered beta testing in mid-April 2025. The database takes a multi-stakeholder approach, assigning unique EUVD identifiers, cross-referencing CVEs, aggregating input from CSIRTs and other sources, and publishing actionable information such as mitigation measures and exploitation status. With the recent nearly avoided CVE funding crisis and the growing backlog of vulnerabilities yet to be processed by NIST, many organizations started to look for additional sources of truth for their vulnerability management efforts. Attaxion data shows that only 30% of discovered vulnerabilities have a CVE identifier assigned to them. EUVD emerges as a key resource in addressing these problems. Every vulnerability in an organization's external attack surface identified by Attaxion will now display its corresponding EUVD ID, where available, providing security teams with broader coverage and context for vulnerability prioritization. Figure 1 - EUVD ID appearing in the vulnerability name and as a tag in issue reports. The EUVD integration enhances Attaxion's ability to correlate and enrich vulnerability data with authoritative European intelligence. Each mapped EUVD ID brings additional metadata such as exploitation confirmation, affected products, and references — details that may not appear in other global sources. This layered context enables faster triage, risk-based prioritization, and supports compliance with regulations such as the NIS2 Directive and the upcoming Cyber Resilience Act. In parallel, EUVD data is now presented alongside existing vulnerability indicators such as CVSS scores and CISA KEV inclusion within the Attaxion platform. This unified view helps security teams evaluate issues based on severity, exploitability, and regulatory relevance, ultimately supporting better prioritization and remediation decisions. The update is part of an ongoing effort to consolidate diverse threat intelligence into a streamlined operational workflow. Figure 2 - EUVD IDs in vulnerability lists alongside CVSS and CISA KEV data. "We're constantly working to improve our vulnerability coverage and deliver more meaningful context to our users," said Max Beatty, Head of Growth & Strategy at Attaxion. "The integration of a second independent scoring system with EUVD data not only expands the range of vulnerabilities we uncover but also enhances their analytical depth. With trusted, region-specific insights at the source, we're helping organizations make better-informed decisions and provide their users with meaningful data, spanning diverse geographies and regulatory environments." As the first EASM platform to integrate EUVD, Attaxion also sets a precedent for aligning external attack surface management with emerging public-sector threat intelligence efforts. The move underscores a broader industry shift toward interoperability between commercial platforms and government-backed datasets — bridging gaps between security operations and regulatory intelligence at scale. About Attaxion Attaxion helps organizations discover, monitor, and secure their internet-facing assets. The platform combines automated discovery, continuous assessment, and guided remediation to deliver 97% greater asset visibility and AI-driven vulnerability prioritization — making robust cyber defense accessible to teams of every size. To support early evaluation and integration, Attaxion is available with a 30-day free trial. ContactPR TeamAttaxion LLCpress@ Photo - - - View original content to download multimedia: SOURCE Attaxion Sign in to access your portfolio
Yahoo
20-05-2025
- Yahoo
Ivanti Endpoint Mobile Manager customers exploited via chained vulnerabilities
This story was originally published on Cybersecurity Dive. To receive daily news and insights, subscribe to our free daily Cybersecurity Dive newsletter. Hackers have successfully breached a limited number of Ivanti Endpoint Mobile Manager users by chaining together medium and high-severity vulnerabilities in the suite of mobile device management software. The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, can allow an unauthenticated attacker to achieve remote code execution. Ivanti is urging customers to immediately upgrade to a fixed version of the software. The company also warned that the two vulnerabilities are linked to flaws in open-source libraries that are integrated into EPMM. Security researchers say those third-party flaws could have broader implications. Ivanti said it is working with security partners and with maintainers of the affected libraries to determine whether additional CVEs are warranted. There is some disagreement about the issue, however. Researchers at watchTowr raised questions about whether the issue should be legitimately blamed on a third-party library vulnerability. The researchers claim Ivanti misused a known dangerous function in the hibernate-validator library. Meanwhile, researchers at the Shadowserver Foundation reported 798 instances of CVE-2025-4427 were unpatched and considered vulnerable as of Sunday, down from 940 instances on Thursday. The exploit chain involves linking CVE-2025-4427, an authentication bypass in EPMM that allows an attacker to gain access to protected resources without proper credentials, with CVE-2025-4428, a remote-code-execution flaw that allows an attacker to execute arbitrary code on a target system. The vulnerabilities have CVSS scores of 5.3 (medium severity) and 7.2 (high severity), respectively. When chained together, researchers at Rapid7 said, an unauthenticated attacker could reach a web API endpoint to inject server-side template patterns and exploit the high-severity flaw. Rapid7 has tested proof-of-concept exploits and confirmed they work, but has not yet seen any confirmed exploitation in customer environments, according to security researcher Ryan Emmons. Emmons added that it's unclear which open-source libraries Ivanti is citing as the root cause of the flaw. A spokesperson for Ivanti was not immediately available for comment. The security issues were first reported to Ivanti by CERT-EU, the Cybersecurity Service for the Union Institutions. Sign in to access your portfolio
