When you first encounter CVSS (Common Vulnerability Scoring System), it’s easy to think this is the perfect tool for triaging and prioritizing vulnerabilities. A higher score must mean a more critical vulnerability, right? In reality, that approach doesn’t quite work out. Every year, we see an increasing number of vulnerabilities with high CVSS scores. Security teams just can’t patch them all in time, but the vast majority of these flaws are never actually exploited in real-world attacks. Meanwhile, attackers are constantly leveraging less flashy vulnerabilities with lower scores. There are other hidden pitfalls too — ranging from purely technical issues like conflicting CVSS scores to conceptual ones like a lack of business context.

These aren’t necessarily shortcomings of the CVSS itself. Instead, this highlights the need to use the tool correctly, as part of a more sophisticated and comprehensive vulnerability management process.

CVSS discrepancies

Do you ever notice how the same vulnerability might have different severity scores depending on the available source? One score from the cybersecurity researcher who found it, another from the vendor of the vulnerable software, and yet another from a national vulnerability database? It’s not always just a simple mistake. Sometimes, different experts can disagree on the context of exploitation. They might have different ideas about the privileges with which a vulnerable application runs, or whether it’s internet-facing. For instance, a vendor might base its assessment on its recommended best practices, while a security researcher might consider how applications are typically configured in real-world organizations. One researcher might rate the exploit complexity as high, while another deems it low. This isn’t an uncommon occurrence. A 2023 study by Vulncheck found that 20% of vulnerabilities in the National Vulnerability Database (NVD) had two CVSS3 scores from different sources, and 56% of those paired scores were in conflict with each other.

Common mistakes when using CVSS

For over a decade, FIRST has advocated for the methodologically correct application of CVSS. Yet organizations that use CVSS ratings in their vulnerability management processes continue to make typical mistakes:

1. Using the CVSS base score as the primary risk indicator. CVSS measures the severity of a vulnerability — not when it will be exploited or the potential impact of its exploitation on the organization under attack. Sometimes, a critical vulnerability is harmless within a specific company’s environment because it resides in insignificant and isolated systems. Conversely, a large-scale ransomware attack might begin with a seemingly innocuous information leak vulnerability with a CVSS score of 6.
2. Using the CVSS Base score without Threat/Temporal and Environmental adjustments. The availability of patches, public exploits, and compensatory measures significantly influences how and how urgently a vulnerability should be addressed.
3. Focusing only on vulnerabilities above a certain score. This approach is sometimes mandated by government or industry regulators (“remediate vulnerabilities with CVSS score above 8 within one month”). As a result, cybersecurity teams face a continuously growing workload that, in reality, doesn’t make their infrastructure more secure. The number of vulnerabilities with high CVSS scores identified annually has been rapidly increasing over the past 10 years.
4. Using CVSS to assess the likelihood of exploitation. These metrics are poorly correlated: only 17% of critical vulnerabilities are ever exploited in attacks.
5. Using only the CVSS rating. The standardized vector string was introduced in CVSS so that defenders could understand the details of a vulnerability and independently calculate its importance within their own organization. CVSS 4.0 was specifically revised to make it easier to account for business context using additional metrics. Any vulnerability management efforts based solely on a numerical rating will largely be ineffective.
6. Ignoring additional sources of information. Relying on a single vulnerability database and analyzing only CVSS is insufficient. The absence of data on patches, working proofs of concept, and real-world exploitation cases makes it difficult to decide how to address vulnerabilities.

What CVSS doesn’t tell you about a vulnerability

CVSS is the industry standard for describing a vulnerability’s severity, the conditions under which it can be exploited, and its potential impact on a vulnerable system. However, beyond this description (and the CVSS Base score), there’s a lot it doesn’t cover:

• Who found the vulnerability? Was it the vendor, an ethical researcher who reported the flaw and waited for a patch, or was it a malicious actor?
• Is there an exploit publicly available? In other words, is there readily available code to exploit the vulnerability?
• How practical is it to exploit in real-world scenarios?
• Is there a patch? Does it cover all vulnerable software versions, and what are the potential side effects of applying it?
• Should the organization address the vulnerability? Or does it affect a cloud service (SaaS) where the provider will automatically fix the defects?
• Are there signs of exploitation in the wild?
• If there are none, what’s the likelihood attackers will leverage this vulnerability in the future?
• Which specific systems within your organization are vulnerable?
• Is the exploitation practically accessible to an attacker? For example, a system might be a corporate web server accessible to anyone online, or it could be a vulnerable printer physically connected to a single computer that has no network access. A more complex example might be a vulnerability in a software component’s method, where the specific business application using that component never actually calls the method.
• What would happen if the vulnerable systems were compromised?
• What’s the financial cost of such an event to the business?

All these factors significantly influence the decision of when and how to remediate a vulnerability — or even if remediation is necessary at all.

How to amend CVSS? RBVM has the answer!

Many factors that are often hard to account for within the confines of CVSS are central to a popular approach known as risk-based vulnerability management (RBVM).

RBVM is a holistic, cyclical process, with several key phases that repeat regularly:

• Inventorying all IT assets of your business. This includes everything from computers, servers and software, to cloud services and IoT devices.
• Prioritizing assets by importance: identifying your crown jewels.
• Scanning assets for known vulnerabilities.
• Enriching the vulnerability data. This includes refining CVSS-B and CVSS-BT ratings, incorporating threat intelligence, and assessing the likelihood of exploitation. Two popular tools for gauging exploitability are EPSS (another FIRST rating that provides a percentage probability of real-world exploitation for most vulnerabilities), and consulting databases like CISA KEV, which contains information about vulnerabilities actively exploited by attackers.
• Defining the business context: understanding the potential impact of an exploit on vulnerable systems, considering their configurations and how they’re used within your organization.
• Determining how the vulnerability can be neutralized through either patches or compensatory measures.
• The most exciting part: assessing the business risk and setting priorities based on all the gathered data. Vulnerabilities with the highest probability of exploitation and possible significant impact on your key IT assets are prioritized. To rank vulnerabilities, you can either calculate CVSS-BTE — incorporating all collected data into the Environmental component, or use alternative ranking methodologies. Regulatory aspects also influence prioritization.
• Setting deadlines for each vulnerability’s resolution based on its risk level and operational considerations, such as the most convenient time for updates. If updates or patches aren’t available, or if their implementation introduces new risks and complexities, compensatory measures are adopted instead of direct remediation. Sometimes, the cost of fixing a vulnerability outweighs the risk it poses, and a decision might be made not to remediate it at all. In such cases, the business consciously accepts the risks of the vulnerability being exploited.

In addition to what we’ve discussed, it’s crucial to periodically analyze your company’s vulnerability landscape and IT infrastructure. Following this analysis, you need to introduce cybersecurity measures that prevent entire classes of vulnerabilities from being exploited or significantly boost the overall security of specific IT systems. These measures can include network micro-segmentation, least privilege implementation, and adopting stricter account management policies.

A properly implemented RBVM process drastically reduces the burden on IT and security teams. They spend their time more effectively as their efforts are primarily directed at flaws that pose a genuine threat to the business. To grasp the scale of these efficiency gains and resource savings, consider this FIRST study. Prioritizing vulnerabilities using EPSS alone allows you to focus on just 3% of vulnerabilities while achieving 65% efficiency. In stark contrast, prioritizing by CVSS-B requires addressing a whopping 57% of vulnerabilities with a dismal 4% effectiveness. Here, “efficiency” refers to successful remediation of vulnerabilities that have actually been exploited in the wild.

Kaspersky official blog – ​Read More

Cisco Talos is aware of the ongoing exploitation of CVE-2025-53770 and CVE-2025-53771 in the wild. These are path traversal vulnerabilities affecting SharePoint Server Subscription Edition, SharePoint Server 2016, and SharePoint Server 2019. According to Microsoft, these vulnerabilities do not affect SharePoint Online in Microsoft 365 and only apply to on-premises SharePoint servers.  

Microsoft has also released security updates and mitigation guidance for multiple affected products. At the time of this writing, no updated security patches are currently available for SharePoint Server 2016.  

These two vulnerabilities, CVE-2025-53770 / CVE-2025-573771, are related to CVE-2025-49704 and CVE-2025-49706, which were featured in the July Microsoft Patch Tuesday updates. The new updates that Microsoft has published provide more comprehensive protection against exploitation attempts targeting these vulnerabilities. In addition to installing the updates provided by Microsoft, they are also recommending users rotate the SharePoint Server ASP.NET machine keys to ensure data integrity. The Cybersecurity Infrastructure Security Agency (CISA) has also released additional details and technical indicators associated with ongoing exploitation attempts targeting unprotected SharePoint servers between July 18 – 19, 2025.  

Vulnerability details 

These are both unauthenticated remote code execution vulnerabilities related to CVE-2025-47904 and CVE-2025-49706. One of the key features of the previous vulnerabilities is that the user needed to be authenticated to obtain a valid signature by extracting the ValidationKey from memory or configuration. In the case of CVE-2025-53770 and CVE-2025-53771, attackers have managed to eliminate the need to be authenticated to obtain a valid signature, resulting in unauthenticated remote code execution. 

Patches have already been provided by Microsoft for most versions of SharePoint Server. However, as of the time of this publishing, SharePoint Server 2016 remains unpatched. As an alternative option, Microsoft has recommended that the Antimalware Scan Interface (AMSI) is turned on and configured correctly with the associated antivirus solution. 

Once patches are applied, Microsoft also recommends that users rotate their SharePoint Server ASP.NET machine keys in case the signing keys were compromised in the attack. This can be done both manually via Powershell and via Central Admin. 

Coverage 

As part of our coverage of the July Microsoft Patch Tuesday release on July 8, 2025, Talos previously published Snort SID 65092 to provide detection for exploitation attempts targeting CVE-2025-49704. We have investigated the new details provided by Microsoft as well as open-source information related to ongoing reports of exploitation activity targeting these vulnerabilities and have confirmed that the existing coverage remains effective at this time. Additionally Talos has published Snort SID 65183 to provide detection for the webshell being deployed in the current campaigns.  

Related existing BP Rules: 

Malicious Process Creation By Microsoft Exchange Server lIS triggers on creation of the webshell payload 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Snort SIDs for this threat are 65092 (Vulnerability). 65183 (Webshell).  

Cisco Talos Blog – ​Read More

What’s Inside the Report

Over 15,000 companies across finance, healthcare, government, and other industries analyze suspicious files and URLs inside ANY.RUN’s Interactive Sandbox to ensure early threat detection. The data from these analyses becomes freely available through Threat Intelligence Lookup, helping other organizations enrich their investigations with fresh threat context, accelerate response, and strengthen proactive defense. 

Each quarter, we dive into the last three months of this data to spotlight key trends that shape strategic planning of numerous organizations for the next quarter. ANY.RUN’s Malware Trends Report provides a comprehensive breakdown of the cyber threat landscape. The report saves organizations hours of research with actionable insights to boost security resilience. 

Key threats covered in the report:

• Malware families and types
• Advanced Persistent Threats (APTs)
• Phishing kits
• Tactics, Techniques, and Procedures (TTPs)
• Additional cybersecurity trends

Previous Reports

ANY.RUN publishes quarterly malware trends reports along with the final annual report. Below are links to reports from 2024 and 2025:

• Q1, 2025 Malware Trends Report
• 2024 Malware Trends Report
• Q4, 2024 Malware Trends Report
• Q3, 2024 Malware Trends Report
• Q2, 2024 Malware Trends Report
• Q1, 2024 Malware Trends Report

To see reports for 2023, please click here. 

Learn all about the most recent malware trends to keep track of growing threats and stay alert to protect your organization. 

About ANY.RUN

ANY.RUN’s services are used by SOC teams and companies across different industries, including finance, manufacturing, healthcare, and technology.

The Interactive Sandbox helps businesses ensure fast and accurate analysis of threats targeting Windows, Linux, & Android systems. It provides capabilities for hands-on and in-depth investigations of complex malware and phishing scenarios.

Threat Intelligence Lookup enables organizations to enrich their knowledge on active cyber attacks, while TI Feeds allow businesses to expand threat coverage and detection.

Integrate ANY.RUN to level up your cyber resilience →

The post Malware Trends Report, Q2 2025: Know the Key Risks to Your Business appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.

Burnout is a real issue for people in cybersecurity. We protect the systems that allow modern life to function. Our hours are long, our sense of responsibility real and occasionally heavy. Everyone notices when we have a bad day and an attack evades our protections, but nobody notices our best days when complex threats are detected and neutralized. Our failures are very visible, while our successes are imperceptible to others. This, coupled with a professional propensity to always consider negative outcomes, is a recipe for poor mental health – not to mention that we most of our waking hours sitting in front of screens, engaging with machines.

Making a difference and stopping the bad guys means being in cybersecurity for the long haul. Experience is built with each new deployment and each resolved incident. Sometimes the worst incidents are in retrospect the best learning experiences. Professional experience is gained through many years of struggle. Losing a team member through burnout or being unable to continue with a career in the domain is a personal tragedy and a loss of experience to the entire cybersecurity community.

Various factors contribute to the high stress loads felt by cybersecurity teams. Many of these, such as the nature and frequency of attacks, are outside of our control. Others, such as budget approval or the appropriate prioritisation of projects, often appear close to being under control before somehow getting derailed.

We might not be able to control external factors, but we can manage our own responses to the stress that we face. Firstly, set boundaries and stick to them. Once your shift is over, stop working – and that includes thinking about it. This is easier said than done, but unless there is a real emergency, practice stepping away from work at the end of the day. Leaving work at work allows you to destress during your free time. 

Second, prioritize fun activities that don’t involve work or computers. Set aside time during your week to do something that you enjoy. Having many different activities and pastimes in your life helps provide balance. If one aspect of your life is particularly tough, then balance that with another part of your life which is going well. Personally, I find joy and escape in trail running. Finding myself deep in the countryside as far away from computer screens as possible provides me with time to recharge and recover.

Detecting threats and stopping the bad guys requires more than technical prowess. We must be committed to looking after ourselves, and each other, and to disconnecting from our passion for the work to continue doing it for years to come. 

The one big thing  

Cisco Talos identified a Malware-as-a-Service (MaaS) operation in early 2025 that used the Emmenhtal loader and Amadey malware to deliver malicious payloads targeting Ukrainian entities, often via public GitHub repositories. Talos worked with GitHub to remove these malicious accounts and recommends security solutions to prevent similar threats. 

Why do I care?  

This operation shows how easily adversaries can use trusted platforms like GitHub to deliver malware, making it more difficult for organizations to detect and block threats — especially if GitHub access is required for legitimate purposes.   

So now what?

Organizations should review their security policies around GitHub access, deploy advanced security controls and remain vigilant for phishing campaigns and malware leveraging public repositories to minimize the risk of compromise.

Top security headlines of the week  

Four arrested in connection with M&S and Co-op cyber-attacks 
The National Crime Agency (NCA) says a 20-year-old woman was arrested in Staffordshire, and three males – aged between 17 and 19 – were detained in London and the West Midlands. (BBC)

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb  
The flaw allows unauthenticated attackers to execute remote code by writing malicious files to the server’s filesystem, potentially leading to full remote code execution. (Security Affairs)

Train brakes can be hacked over radio — and the industry knew for 20 years 
“Successful exploitation… could allow an attacker to send their own brake control commands to the end-of-train device, causing a sudden stoppage of the train which may lead to a disruption of operations, or induce brake failure,” CISA said. (SecurityWeek)

Episource is notifying millions of people that their health data was stolen 
The breach affects more than 5.4 million people, making it one of the largest healthcare breaches of the year so far. The attacker stole personal information and protected health data. (TechCrunch)

Can’t get enough Talos? 

The significance of timeliness in incident response 
Cisco Talos IR compares two real-world ransomware engagements and shares how the organizations’ response times made all the difference in the outcome of an attack.

Talos Takes: Why attackers love your remote access tools
Attackers are increasingly abusing the same remote access tools that IT teams rely on every day. In this episode, Hazel sits down with Talos security researcher Pierre Cadieux to unpack why these legitimate tools have become such an effective tactic for adversaries.

TTP: The next phase of LLM abuse 
Talos researcher Jaeson Schultz explores how cybercriminals are starting to integrate LLMs into full attack workflows, and even experiment with manipulating the data these models rely on.

Upcoming events where you can find Talos  

• NIRMA (July 28 – 30) St. Augustine, FL 
• Black Hat USA (Aug. 2 – 7) Las Vegas, NV

Most prevalent malware files from Talos telemetry over the past week   

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
MD5: 2915b3f8b703eb744fc54c81f4a9c67f 
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 
Typical Filename: VID001.exe 
Claimed Product: N/A 
Detection Name: Win.Worm.Coinminer::1201

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
MD5: 7bdbd180c081fa63ca94f9c22c457376 
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details 
Typical Filename: IMG001.exe  
Claimed Product: N/A 
Detection Name: Simple_Custom_Detection

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos 

Cisco Talos Blog – ​Read More