Marcel Böhme’s Post

A new update of the OWASP Top 10 has been published (2025), outlining the key changes and improvements compared to the 2021 edition. The main updates are summarized as follows: 1- “Vulnerable and Outdated Components” was renamed to “Software Supply Chain Failures” to reflect a broader scope of potential compromises and moved from Rank 6 to Rank 3. 2- “Security Misconfiguration” has moved up from Rank 5 to Rank 2, highlighting its increasing prevalence and impact. 3- A new category was introduced: “Mishandling of Exceptional Conditions”, which enters the list at Rank 10. 4- The SSRF (Server-Side Request Forgery) vulnerability, previously Rank 10 in 2021, has been merged into “Broken Access Control.” 5- The following three vulnerabilities were downgraded in rank: -> “Cryptographic Failures” → From Rank 2 to 4 -> “Injection” → From Rank 3 to 5 -> “Insecure Design” → From Rank 4 to 6 6- Two categories were renamed for clarity and consistency: -> “Identification and Authentication Failures” → “Authentication Failures” -> “Security Logging and Monitoring Failures” → “Logging and Alerting Failures” Link : https://lnkd.in/eiVSKuDx

Maintaining Active Directory is complex, but certificate-based authentication is often overlooked compared to passwords. The result? Misconfigurations in Active Directory Certificate Services (ADCS) have created an ever-growing attack surface. The latest threat research from Cato CTRL led by Ofek Vardi from my team, breaks down privilege escalation techniques and outlines protections for enterprises. 💪👏 Learn more: https://bit.ly/4qqdyW2

MCP Security isn’t just about protecting data "it’s about safeguarding trust between agents, tools, and the external world". In this article, we try to understand the exploit playbook threatening MCP-based systems: from prompt injections to supply-chain rugpulls and outline architectural defenses like MCP Gateways and context sanitation that can secure next-gen AI agents. Special Thanks to Sir Vitor Balocco, Cofounder - Runlayer LINK: https://lnkd.in/g56zsQMS

A growing social engineering technique called ClickFix has emerged as one of the most successful methods for distributing malware in recent months. This attack tricks users into copying and running commands directly into their operating systems command line interface, ultimately installing dangerous information-stealing software. The technique has proven remarkably effective because it bypasses traditional email […] https://lnkd.in/gvRdyEya

Most CISOs still measure success in patch counts and alerts. But your board doesn’t care about tickets closed — they care about risk reduced. Discover the 5 metrics that actually move the needle 👉 https://lnkd.in/eRCVZCPn

I’ve gotten a few questions about the “security is free” line in my last post. Let me rephrase. It's not 'free'; it's a zero-cost abstraction. My operational model’s security is enforced at compile time, so there's no runtime performance penalty.

📺 Live Webcast: Fixing a Broken System — Why Legacy Vuln Management Tools Can’t Keep Up 📅 Oct 29 • 2PM ET/7pm GMT For decades, vuln management has been the backbone of enterprise security. But today’s tools can’t keep pace. Coverage gaps mean 25–40% of enterprise assets remain invisible, and attackers are exploiting what scanners miss. Join HD Moore and Tod Beardsley of runZero, with Adrian Sanabria of The Defenders Initiative, for a candid discussion on: 🔎 Why legacy scanners leave blind spots ⚠️ How authenticated scans, agents, and aggregation fall short 🛡️ What’s next: attacker-informed, continuous exposure management 👉 Save your seat: https://lnkd.in/ey97NfNy

So… what if there was a radar system, like in submarines, but for the cyber world? That’s basically what Nmap feels like. I went through host discovery, port scanning types, version detection, timing controls, and all the little options that make scans practical in the real world. Here’s what I understood from the things nmap allows: Who’s listening? (Host discovery) First step: find which machines are alive on a network. Without this, your scan is blind. Nmap does this efficiently (ICMP, ARP, TCP probes) and tells you where to focus. What’s open and running? Different scan types (SYN, TCP connect, UDP) reveal different surfaces. Some are stealthier, some are noisier, so you have the pick of the lot. Once a port is open, Nmap can probe the service and pull version strings (e.g., nginx 1.18.0), which is gold for both attackers and defenders. Version extraction & fingerprints Service/version info helps you determine risk: outdated software = known exploits = priority to patch or monitor. Nmap’s version detection is like reading the version label on a device before you decide what to do next. Timing, verbosity & debugging Timing templates (-T0 … -T5) let you control speed vs. stealth. -T4 is fast for trusted lab work; -T2 or lower is better for cautious, real-world ops. Output formats & workflow Save raw .pcap or Nmap’s -oA (all formats) and open in Wireshark later, or add results to a SIEM. Always export. Why? Capture once, analyze many times. Blue-team takeaway Nmap = fast visibility. For defenders, it’s a diagnostic tool: discover what’s exposed, prioritize patches, and tune IDS/SIEM rules based on real service versions and ports. Use it responsibly: scanning has consequences on production networks, so please know your permissions and timelines. To people who are in various cyber security roles, I am curious if you're using Nmap in their day-to-day?

Triofox: where an external request with "localhost" gets you admin keys and a free helping of malware. Mandiant (part of Google Cloud) uncovered an unauthenticated Triofox flaw (CVE-2025-12480) that lets an attacker spoof the HTTP Host header as localhost to bypass access controls and reach the admin setup pages. They then run through the initial setup flow to create a native admin account. Not super subtle, however you're left with a wide door that becomes a nice staging platform for persistence and execution. The threat actors, UNC6485 began exploiting this as early as Aug 24, 2025, chaining the host-header bypass to abuse of Triofox’s builtin "antivirus" feature so the attacker could simply point the scanner to an attacker controlled script and have it run with SYSTEM privileges. The result: arbitrary code execution. Google identified installers dropped into the "C:\Windows\appcompat\" directory and RRM tooling (Zoho/AnyDesk) deployed on effected systems, all stemming from an unauthenticated web request. Key hunting signals you should care about right now:  Check for external requests containing a "Host: localhost" header to management pages (/management/AdminAccount.aspx), unexpected creation of admin accounts (look for Cluster Admin), suspicious antivirus engine paths or uploads to published shares and PowerShell download invokes saving payloads into "C:\Windows\appcompat\" or in "C:\Windows\Temp". Both were observed in the report. I spun up a behavioral detection for this on detections.ai which looks specifically for external requests with a localhost Host header targeting Triofox admin pages and flags the request when it originates from non-private IP space. If you run Triofox instances (or any self hosted file sharing appliance), patch to version 16.7.10368.56560, restrict access to management endpoints behind a VPN or trusted IPs and scan logs for that odd localhost header pattern which is unique to the exploit. Full report: Google Cloud Threat Intelligence (Mandiant): https://lnkd.in/gazK2wyC Detections and intel on detections.ai: https://lnkd.in/gwkvcq7t

On the last day of National Cybersecurity Awareness Month (and Halloween, fittingly!), we’re releasing something new: the Privy Security Handbook. Six modular litepapers written for builders, engineers, and product teams — unpacking how we engineer securely, grounded in defense in depth. Security doesn’t have to be scary. It has to be clear. Here’s what’s inside: 1️⃣ Privy’s Security Backbone – How TEEs and key sharding form the foundation of Privy’s architecture. 2️⃣ From Login to Signature – How custody is enforced across authentication, authorization, execution, and audit. 3️⃣ Progressive Security in Practice – How safeguards scale with user value and activity. 4️⃣ Designing Flexible Wallets – How different wallet deployments and custody models adapt to real-world use cases. 5️⃣ Security That Ships – Case studies of leading teams using Privy securely in production. 6️⃣ Audit Readiness and Incident Response – Our approach to validation, transparency, and resilience. Full technical documentation, including audits, attestations, and compliance frameworks live in our Trust Center. Get started with our litepapers today 👉 https://lnkd.in/gUZsgYRJ