CVE
5 Topics
FAQ About IngressNightmare Vulnerabilities (CVE-2025-1974 and more)
On March 24, the Kubernetes team published a blog post and patches to address a series of vulnerabilities in the Ingress NGINX Controller for Kubernetes: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513 and CVE-2025-24514. Collectively, these flaws are being referred to as IngressNightmare. Of the five vulnerabilities, CVE-2025-1974 is considered the most severe, as it was assigned a CVSSv3 score of 9.8 and is the only critical flaw. However, the five flaws combined create a toxic combination (exploit chain) that could allow an attacker to access cluster secrets, which could lead to a cluster takeover. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our FAQ blog.
VMware vRealize Network Insight Advisory (CVE-2022-31702)
Post published on behalf of Ciarán Walsh
VMware has patched two vulnerabilities found in vRealize Network Insight (vRNI), one of which was given a rating of "Critical". The more severe of these vulnerabilities, CVE-2022-31702, is a command injection vulnerability in the vRNI REST API. The vulnerability has been given a CVSSv3 score of 9.8. When exploited, the vulnerability could allow an unauthenticated, remote attacker to execute arbitrary commands on vulnerable devices. According to VMware, exploitation of this vulnerability has not been detected and there is no publicly available proof-of-concept code as of yet. However, due to the critical rating of the vulnerability and low attack complexity, organizations should prioritize patching this flaw. CVE-2022-31703 is a directory traversal vulnerability also in vRNI REST API that received a CVSSv3 score of 7.5. Threat actors with network access can leverage this vulnerability to read files from the server. VMware has issued patches for both vulnerabilities, and has provided guidance on which versions need remediation.
Microsoft’s November 2022 Patch Tuesday Addresses 62 CVEs (CVE-2022-41073)
Microsoft patched 62 CVEs in the November 2022 Patch Tuesday update, including nine rated as critical, and 53 rated as important. Four of the vulnerabilities patched this month have been observed exploited in the wild as zero days. Microsoft also released patches for the two zero-day vulnerabilities in Microsoft Exchange Server (CVE-2022-41040 and CVE-2022-41082) disclosed at the end of September. CVE-2022-41049 is a security feature bypass vulnerability affecting Windows Mark of the Web that has been exploited in the wild and for which exploit code is publicly available. Microsoft also patched CVE-2022-41073, an elevation of privilege vulnerability affecting the Windows Print Spooler service. The vulnerability carries a CVSSv3 score of 7.8 and discovery was credited to Microsoft Threat Intelligence Center. For more information about this month's Patch Tuesday release, including Tenable product coverage, please visit our blog.
Update: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (CVE-2021-44228)
Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for this vulnerability along with a tenable.sc dashboard and tenable.io dashboard and widgets. In addition, a list of Tenable plugins to identify this vulnerability will appear here as they’re released. Please note that in order to ensure the latest plugins are available on your scanner, you may want to manually update. Details on this process can be found in our blog. Organizations that don’t currently have a Tenable product can sign up for a free trial of Nessus Professional to scan for this vulnerability.
Microsoft’s June 2020 Patch Tuesday Addresses 129 CVEs Including Newly Disclosed SMBv3 Vulnerability (CVE-2020-1206)
Microsoft continues its streak of patching over 100 CVEs, addressing 129 CVEs in June, including a fix for a new SMBv3 vulnerability dubbed SMBleed. For the fourth month in a row, Microsoft has patched over 100 CVEs, addressing 129 in the June 2020 Patch Tuesday release. The updates this month include patches for Microsoft Windows, Microsoft Edge, ChakraCore, Internet Explorer, Microsoft Office, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Visual Studio, Azure DevOps and Adobe Flash Player. For more information, including a list of some of the most notable CVEs this month, please check out our blog.