On May 4th, 2022, F5 announced their internal discovery of a remote code execution (RCE) vulnerability, CVE-2022-1388, that affects all firmware versions of their BIG-IP product.
NIST assigned Spring4Shell a score of 9.8, most likely out of concern of a similar blast radius to Log4Shell, which was trivial to exploit and very common.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.
Over the years, pen tests have increasingly become a mandated component of regulatory and compliance standards. The Payment Card Industry Data Security Standard (PCI DSS) requiring pentests be performed in card data environments (CDEs) grew this need for compliance-based pen testing.
Despite the best efforts of automation and AI, we will always need people to prevent hackers from stealing data and wreaking havoc on computer networks essential for most businesses today. In essence, a domino effect over the last two years of Covid-19 has led to the “Great Resignation” and the “Great Retirement.”
Exploit Intelligence offers an end-to-end solution that prioritizes which risks to remediate immediately, before they are exploited, by proactively discovering external assets, testing vulnerabilities, and providing expert threat- plus risk-based insight.
Imagine a cybersecurity team that is working hard with the usual tools and best practices. All seems on course for protecting the enterprise attack surface.
Business risks lurk in many places. For cybersecurity, the worst risks are often the ones you never saw coming. A Real World Example To illustrate, consider this real example: A manufacturing conglomerate has an engineer build a Javascript connector for remote access to a mainframe but inadvertently exposes it to the internet. How do you discover this risk and its potential damage? A penetration test will not help unless you happen to be testing that particular machine among hundreds or thousands of servers. A vulnerability scan also will not help, as the risk will be invisible because it is not…