London bound next week (Dec 7–15)! 🇬🇧

I’ll be at #BlackHatEU giving my talk on the "Post-NVD Era" (Thurs Dec 11 @ 2:30 PM) and then hitting up #BSidesLDN for the weekend.

#Infosec #VulnMgmt #CVE

🚨 Microsoft’s Nov 2025 Patch Tuesday: 80 vulns, 5 CRITICAL. Actively exploited Windows Kernel (CVE-2025-62215) enables privilege escalation. GDI+, DirectX, Office also impacted. Prioritize patching & enhance monitoring! https://radar.offseq.com/threat/microsoft-patch-tuesday-for-november-2025-tue-nov--3fb8b7ea #OffSeq #Microsoft #PatchTuesday #VulnMgmt

⚠️ HIGH-severity operational risk: the remediation gap in multi-tool cloud environments delays fixing critical vulnerabilities. Solutions like Pentera Resolve automate and unify workflows, reducing exposure and ensuring compliance. More info: https://radar.offseq.com/threat/bridging-the-remediation-gap-introducing-pentera-r-0c2edfa6 #OffSeq #VulnMgmt #CloudSec

⚠️ CVE-2025-53770
🧨 Critical Deserialization Vulnerability in on-prem Microsoft SharePoint Server
🌐 Exploitable remotely – lets attackers execute arbitrary code without auth!

🔍 Full details soon in our new Vulnerability Management Portal – launching shortly.
📡 Stay secure. Stay ahead.
#CVE2025 #SharePoint #Infosec #VulnMgmt

OWASP Agentic AI Top 10 Vulnerability Scoring System (AIVSS) and OWASP AI testing guide

https://aivss.owasp.org/
https://github.com/OWASP/www-project-ai-testing-guide

#owasp #ai #vulnmgmt

OWASP Agentic AI Top 10 Vulnerability Scoring System (AIVSS) & Comprehensive AI Security Framework | OWASP Foundation

Developing a rigorous scoring system for Agentic AI Top 10 vulnerabilities, leading to a comprehensive AIVSS framework for all AI systems.

🎯 Vulnerabilities are inevitable.
Being caught off guard isn’t.
With the right tools and processes, you turn CVEs from threats into tasks.
#ProactiveSecurity #VulnMgmt

🧪 Vulnerability scans without context are like fire alarms with no location.
Get clear visibility on:
➡️ Business impact
➡️ Exploitability
➡️ Exposure
Prioritize with intelligence.
#SmartSecurity #VulnMgmt

💣 A high CVSS score doesn’t always mean high risk.
➡️ Is it exploitable?
➡️ Is it exposed?
➡️ Is it in your attack path?
Sentinel decisions beat reactive patching.
#RiskBasedSecurity #VulnMgmt

🔍 Vulnerability Management ≠ Patch Everything.
It's about knowing what matters, where it lives, and how exposed it is.
Prioritize risk, not just CVSS scores.
#CyberSecurity #VulnMgmt

‼️ On Monday, March 17th 2025, EPSS v4 will be released and replace the current version (v3).

❓ What does this mean?

The model is being updated and expanded to include more data sources and is more accurate than v3. The Coverage/Efficiency Curve (Precision/Recall) indicates better performance at every threshold and therefore you get better risk management at all risk appetites.

➡️ Do I have to do anything to switch from v3 to v4?

No. The location of the data will remain the same. The API at FIRST will switch over to serving v4 scores automatically on Monday morning, and the CSV will remain accessible from Cyentia Institute, though there will be a redirect to Empirical Security.

⭐ Why is the model updating?

The v4 model is trained on more recent exploitation data. The v3 model was also experiencing degradation in accuracy, which is normal for models over time as reality shifts.

🎁 What's new in v4?

👾 Additional exploitation data sources, including Shodan, HackerOne Hacktivity, endpoint detections, and malware
🪄 More recent exploitation training data than v3
🎯 Recalibrating features (i.e. Twitter being dropped, CVE.org being added as a backup to NVD, and CVSS score changes over time)

#EPSS #CVE #VulnMgmt #RiskMgmt
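The EPSS post above talks about the Coverage/Efficiency Curve (Precision/Recall) as the yardstick for the model, and the earlier "high CVSS score doesn't always mean high risk" posts argue for prioritizing on exploitability rather than severity alone. The following added example (not code from FIRST, EPSS, or any of the posters) shows what those two metrics actually measure: it scores a constructed set of CVEs with made-up EPSS probabilities, CVSS scores and an "observed exploited" label, then compares a CVSS-only patching rule against an EPSS threshold at the same effort level. All CVE identifiers and numbers are placeholders invented for the illustration.

```python
"""Coverage/efficiency (recall/precision) of a remediation rule.

Added example with constructed data. 'coverage' is the share of actually
exploited vulns the rule catches (recall); 'efficiency' is the share of
remediated vulns that were actually exploited (precision); 'effort' is the
share of the whole population the rule tells you to fix.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE record
    epss: float       # hypothetical probability of exploitation in the scoring window
    cvss: float       # hypothetical CVSS base score
    exploited: bool   # constructed label: exploitation observed in the evaluation window


# Constructed sample population; every value is invented for illustration.
SAMPLE = [
    Vuln("CVE-0000-0001", 0.95, 9.8, True),
    Vuln("CVE-0000-0002", 0.80, 7.5, True),
    Vuln("CVE-0000-0003", 0.60, 9.1, False),
    Vuln("CVE-0000-0004", 0.40, 6.5, True),
    Vuln("CVE-0000-0005", 0.20, 9.8, False),
    Vuln("CVE-0000-0006", 0.10, 8.8, False),
    Vuln("CVE-0000-0007", 0.05, 5.3, True),
    Vuln("CVE-0000-0008", 0.01, 9.0, False),
]


def evaluate(vulns, select):
    """Return (coverage, efficiency, effort) for the rule 'remediate v if select(v)'."""
    chosen = [v for v in vulns if select(v)]
    exploited_total = sum(1 for v in vulns if v.exploited)
    hits = sum(1 for v in chosen if v.exploited)
    coverage = hits / exploited_total if exploited_total else 0.0
    efficiency = hits / len(chosen) if chosen else 0.0
    effort = len(chosen) / len(vulns) if vulns else 0.0
    return coverage, efficiency, effort


def epss_threshold(t):
    """Rule: remediate everything whose EPSS probability is at least t."""
    return lambda v: v.epss >= t


def cvss_threshold(t):
    """Rule: remediate everything whose CVSS base score is at least t."""
    return lambda v: v.cvss >= t


def coverage_efficiency_curve(vulns, thresholds):
    """One point per EPSS threshold; this is the curve the post compares v3 vs v4 on."""
    return {t: evaluate(vulns, epss_threshold(t)) for t in thresholds}


def dominates(curve_a, curve_b):
    """True if curve_a is at least as good as curve_b in both coverage and
    efficiency at every shared threshold (the 'better at every threshold' claim)."""
    return all(
        curve_a[t][0] >= curve_b[t][0] and curve_a[t][1] >= curve_b[t][1]
        for t in curve_a if t in curve_b
    )


if __name__ == "__main__":
    # Same effort (half the population), very different outcomes on the sample.
    for name, rule in (("CVSS >= 9.0", cvss_threshold(9.0)), ("EPSS >= 0.3", epss_threshold(0.3))):
        cov, eff, effort = evaluate(SAMPLE, rule)
        print(f"{name:12s} coverage={cov:.2f} efficiency={eff:.2f} effort={effort:.2f}")
    for t, (cov, eff, effort) in coverage_efficiency_curve(SAMPLE, (0.0, 0.3, 0.5, 0.9)).items():
        print(f"EPSS >= {t:.2f}: coverage={cov:.2f} efficiency={eff:.2f} effort={effort:.2f}")
```

On the constructed data, "patch everything CVSS 9+" and "patch everything EPSS >= 0.3" both touch half the population, but the CVSS rule catches one of the four exploited vulns while the EPSS rule catches three; that gap is the point of the "high CVSS doesn't always mean high risk" posts, and sweeping the threshold is how you get the coverage/efficiency curve the EPSS post refers to. In practice the labels come from observed exploitation after the fact, which is why the post describes v4 as trained and evaluated on more recent exploitation data.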