Tenable
FAQ About IngressNightmare Vulnerabilities (CVE-2025-1974 and more)

On March 24, the Kubernetes team published a blog post and patches to address a series of vulnerabilities in the Ingress NGINX Controller for Kubernetes:

CVE-2025-1097
CVE-2025-1098
CVE-2025-1974
CVE-2025-24513
CVE-2025-24514

Collectively, these flaws are being referred to as IngressNightmare. Of the five vulnerabilities, CVE-2025-1974 is considered the most severe, as it was assigned a CVSSv3 score of 9.8 and is the only critical flaw. However, the five flaws combined create a toxic combination (exploit chain) that could allow an attacker to access cluster secrets, which could lead to a cluster takeover. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our FAQ blog.
Update: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (CVE-2021-44228)

Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for this vulnerability, along with a tenable.sc dashboard and tenable.io dashboard and widgets. In addition, a list of Tenable plugins to identify this vulnerability will appear here as they’re released. Please note that in order to ensure the latest plugins are available on your scanner, you may want to manually update. Details on this process can be found in our blog. Organizations that don’t currently have a Tenable product can sign up for a free trial of Nessus Professional to scan for this vulnerability.
TL;DR: The Tenable Research 2020 Threat Landscape Retrospective

Tenable’s Security Response Team (SRT) is tasked with looking at the threat landscape on a day-to-day basis and, while that provides us with the ability to see things in the moment, it’s only when we look back at the year that was that we can see the bigger picture. In the Tenable Research 2020 Threat Landscape Retrospective, the SRT takes a look back at the major vulnerability and cybersecurity news of 2020 to develop insight and guidance for defenders. The Tenable Research 2020 Threat Landscape Retrospective begins with an overview of the vulnerability landscape in 2020, in which 18,358 new CVEs were assigned. The report progresses to explore the threat landscape in 2020. How were attackers leveraging the vulnerabilities disclosed in 2020, and several that were significantly older? The final section of the report offers a digest of the key vulnerabilities in 2020, including their technical details and whether and how they’ve been exploited, all categorized by vendor or product. The landing page giving access to the report can be found here, and an accompanying blog post can be found here.
New WordPress SEO plugin vulnerability could allow unauthenticated attackers to give guest accounts admin access.

Wordfence released an advisory today detailing two new vulnerabilities, but they do not have assigned CVEs at this time. The most critical vulnerability, when exploited, allows an unauthenticated remote attacker to change the permission levels of registered users. The second vulnerability would allow an attacker to redirect traffic away from the affected site, causing the site to cease functioning. The critical vulnerability is largely dangerous for site owners that allow guest account registration, as the attacker would then register a new account and change the user permissions to a WordPress admin. The redirect vulnerability could be used to cause a full denial of service to an affected site. Users of the WordPress SEO plugin are encouraged to update to version 10.0.41 to fix this flaw. Tenable does not have direct vulnerability detection plugins for these vulnerabilities, but users can use our WordPress Detection Plugin and the WordPress Outdated Plugin Detection to identify WordPress sites that require updates.