FYSA — VMware Critical Vulnerabilities Patched

4 March 2025, 14:16

Summary

Broadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.

Threat Topography

  • Threat Type: Critical Vulnerabilities
  • Industry: Virtualization
  • Geolocation: Global

Overview

X-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities affect various VMware products, including vCenter Server, vRealize Operations Manager, and vCloud Director.

These vulnerabilities could allow attackers to perform a range of malicious actions, potentially leading to data breaches, system compromise, and unauthorized access. Broadcom has patched the vulnerabilities in new versions of the affected products and urges users to update their systems as soon as possible.

Recommendations

Organizations using VMware products are advised to:

  1. Immediately patch their systems with the latest version of the affected products.

  2. Monitor system logs for any signs of suspicious activity.

  3. Implement additional security measures, such as network segmentation and access controls.

References

  1. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25390

  2. https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/

  3. https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html

The post FYSA — VMware Critical Vulnerabilities Patched appeared first on Security Intelligence.

When you shouldn’t patch: Managing your risk factors

12 February 2025, 11:00

Look at any article with advice about best practices for cybersecurity, and about third or fourth on that list, you’ll find something about applying patches and updates quickly and regularly. Patching for known vulnerabilities is about as standard as it gets for good cybersecurity hygiene, right up there with using multi-factor authentication and thinking before you click on links in emails from unknown senders.

So imagine my surprise when attending Qualys QSC24 in San Diego to hear a number of conference speakers say that patching shouldn’t be an automatic reaction. In fact, they say, there are times when it is better not to patch at all.

No, you don’t need to fix everything, says Dilip Bachwani, Chief Technology Officer with Qualys.

“It’s not practical,” Bachwani adds. “Even if there is a vulnerability, it may not apply in your environment.” It could be an application that isn’t an internet-facing asset or something secured through other controls.

Knowing your risk factor

The knee-jerk reaction when a new patch is released is to get it installed as quickly as possible to prevent a vulnerability from turning into a cyber incident. However, Bachwani and his Qualys colleagues stress that security teams need to take a step back and evaluate their organization’s risk threshold.

What that evaluation will first discover is a lot of vulnerabilities across their infrastructure. A study by Coalition expects the total number of common vulnerabilities and exposures (CVEs) to increase by 25% in 2024 to 34,888 vulnerabilities, or nearly 3,000 per month.

“New vulnerabilities are published at a rapid rate and growing,” Tiago Henriques, Coalition’s Head of Research, says. “Most organizations are experiencing alert fatigue and confusion about what to patch first to limit their overall exposure and risk.”

With the steady increase in the number of CVEs, it is easy to think that every vulnerability is critical — and if every vulnerability is given an equal risk value, patching becomes overwhelming. The researchers at Qualys recommend prioritizing the risk involved with each vulnerability so that you can determine what should be patched first and what might not need to be patched at all.

How to prioritize your organization’s vulnerabilities

Prioritizing vulnerabilities requires knowing all of your assets across the organization and identifying and monitoring the attack surface. However, Qualys research found that only 9% of companies are actively monitoring 100% of their attack surface. Shadow IT, third-party vendors and the risks they bring, digital transformation carried out too quickly and without an assessment of the technologies and assets added, and a failure to recognize emerging threat vectors are just some of the reasons why organizations are unable to properly monitor their attack surface.

Deploying an attack surface management program will identify which technologies are attached to your network, where they are, and which assets need protection. The critical requirements of an attack surface management program are:

  • Visibility across hybrid IT
  • Dynamic cybersecurity needs with rapid identification
  • Unauthorized software tracking in real-time
  • Finding and remediating blind spots

The more familiar you become with the systems accessing your network, the easier it will be to know your corporate assets and prioritize their importance. When levels of risk tolerance are assigned to these assets, it will then be easier to prioritize critical and non-critical vulnerabilities to be patched or, in some cases, not patched.


When to slow down the patching process

Patching protocols should be unique to your organization, based on your internal measures of what is mission-critical and your risk tolerance. Whereas one organization may decide that the most critical vulnerabilities must be patched immediately, another may find that seven days is the outer limit for reducing risk on its most important assets. Patch management programs tier their assets, beginning with the most critical ones that cannot afford downtime if something goes wrong, and moving down through secondary tiers with longer wait times.

But there are times when it is smart to slow down or even eliminate the patching process. They include:

  • An important and time-sensitive project is in progress and requires uninterrupted computer time
  • Reports of bugs in the patch, or compatibility problems with the application found in a test sample
  • The vulnerable software is limited in scope within the organization and can be isolated
  • Other mitigating controls can be put in place
  • The application never uses the functions with the known vulnerability
  • The costs of patching outweigh the benefits. If the code is outdated and needs to be rewritten, for example, then it doesn’t make sense to take the time and expense to apply the patch.

Cybersecurity insurance and patching

With the increase in CVEs and the ever-present threat of a cyber incident, many organizations are looking at how to maximize their cybersecurity insurance. Given the strict rules and audits required to be eligible for cybersecurity insurance, will an approach of patching only when it is truly necessary downgrade your organization in the eyes of insurers?

Bachwani says no. “I actually think a solution like this will enable cyber insurers to be more effective.”

The way the insurance marketplace works today is that it is less focused on the company’s internal data and more on the organization’s overall cybersecurity posture.

“If I’m able to clearly demonstrate that we internally have really good hygiene, my insurance should be lower,” says Bachwani.

To patch or not to patch?

In the end, the decision on whether or not to patch comes down to one issue: what is the value to the business of patching or not patching? That is determined by the organization’s risk tolerance. Recognizing the consequences of downtime or a cyber incident will help prioritize critical vulnerabilities that require time and resources to patch. But being willing to accept that you can’t patch everything will also give your team the space to focus on larger risks.

The post When you shouldn’t patch: Managing your risk factors appeared first on Security Intelligence.

How CTEM is providing better cybersecurity resilience for organizations

13 January 2025, 14:00

Organizations today continuously face a number of fast-moving cyber threats that regularly challenge the effectiveness of their cybersecurity defenses. However, to keep pace, businesses need a proactive and adaptive approach to their security planning and execution.

Cyber threat exposure management (CTEM) is an effective way to achieve this goal. It provides organizations with a reliable framework for identifying, assessing and mitigating new cyber risks as they materialize.

The importance of developing cybersecurity resilience

Regardless of the industry, all organizations are subject to certain security risks. While various tools and solutions can help to reduce this risk, the only real way of maintaining a strong security posture is by developing a certain amount of cybersecurity resilience.

Cybersecurity resilience is the ability of a business to maintain its core operational state regardless of an attempted or even successful cyberattack. The key components of cybersecurity resilience include:

  • Proactive risk management: It’s important to be able to identify and mitigate any potential threats before they have the opportunity to exploit known vulnerabilities. This requires regular risk assessments and strict security policies.

  • Continuous monitoring and improvement: Monitoring systems and networks is critical to help identify suspicious network activity while informing the necessary stakeholders for remediation. Regularly reviewing logs and threat reports also allows organizations to improve their security efforts going forward.

  • Incident response and recovery: In the event of a successful breach, organizations must be prepared to handle all necessary protocols for threat containment while executing critical recovery efforts to minimize operational disruption.

  • Maintaining a progressive cybersecurity culture: While security tools and solutions are important, organizations looking to establish more cybersecurity resilience need to also build awareness with their employees on relevant threats and how they can help protect themselves and the business.

What is CTEM?

While establishing cybersecurity resilience on its own is important, the prevalence and severity of modern-day security threats mean organizations need to look for a more comprehensive approach to threat management.

CTEM relies on the use of automated routines spread across an organization’s entire infrastructure, designed to identify and assess any security gaps present. Unlike traditional vulnerability assessments, which are typically scheduled throughout the year, CTEM solutions enable real-time threat intelligence at all times.

When integrated across all of an organization’s IT assets, including on-premises and cloud networks, systems, applications and databases, CTEM solutions provide a much more proactive approach to strengthening an organization’s security posture.


Key components of CTEM

CTEM frameworks operate by incorporating several key components across an organization’s entire infrastructure. These components include:

Threat intelligence

Leveraging real-time threat intelligence, CTEM references an organization’s location, industry type and digital structure to benchmark against similar organizations while recognizing and prioritizing likely threats. This helps businesses place their mitigation efforts in the right places while always being one step ahead of malicious attackers.

Vulnerability management

CTEM makes use of active vulnerability scanning and assessment tools to look for common vulnerabilities and exposures (CVEs) as well as misconfigurations in systems and networks that could lead to exploitation. Using automated routines, CTEM solutions will run continuous scans for these vulnerabilities and then prioritize them based on the most critical risks.

Security testing

Applying CTEM frameworks across an organization can often include making use of penetration testing services and establishing red teams to help simulate real-world attack scenarios. This helps organizations validate the effectiveness of their current cybersecurity solutions and helps to “stress-test” response capabilities.

Risk assessment

CTEM solutions apply various risk assessment methodologies to help evaluate the potential impact of discovered vulnerabilities. This includes considering various factors that can impact remediation efforts, including the types of assets at risk, how financially sensitive each asset is and the potential impact a successful breach could have on the long-term viability of an organization.

Breaking down the five stages of CTEM

CTEM deployment is an iterative process that involves continuous improvement and refinement. The five stages of CTEM are:

  1. Scoping: The initial stage of CTEM involves establishing certain boundaries within which the solution will operate. This requires organizations to identify the relevant systems, applications or key data the solution will actively monitor. Another element of this stage is to outline any specific goals or objectives that need to be achieved to ensure the solution is properly calibrated.

  2. Discovery: The discovery stage is when all digital assets are cataloged within the defined scope. While many assets may already be defined during initial scoping stages, the CTEM discovery process may also identify unknown assets, including SaaS solutions or other shadow IT elements that may have been missed. This stage is completed using a series of automated tools that scan and catalog new assets as they’re discovered.

  3. Prioritization: After all assets are properly cataloged, the next step is to assess and prioritize all risks associated with each of them. To achieve this, CTEM solutions will apply risk assessment protocols and active threat intelligence to determine the most critical risks.

  4. Validation: The validation stage makes sure that any identified vulnerabilities are legitimate and require an actual remediation process. This is designed to minimize or eliminate any false positives.

  5. Mobilization: The final stage of CTEM is mobilization, which is any action necessary to remediate vulnerabilities and mitigate risks. This can include coordinated efforts between security teams, IT operations and business stakeholders to ensure that vulnerabilities are addressed effectively.

Start implementing CTEM in your organization

Implementing CTEM is a crucial step towards improving an organization’s cybersecurity resilience. Here are some steps your organization can follow to start benefiting from CTEM integrations:

  1. Begin with a cybersecurity risk assessment: Take the time to conduct a comprehensive cybersecurity risk assessment with the help of a security services partner to identify any potential vulnerabilities in your organization.

  2. Embrace automation: Leveraging automation tools to streamline various aspects of your CTEM program is critical to enable real-time threat mitigation. This can help to reduce manual security efforts, improve the accuracy of risk remediation efforts and accelerate incident response times.

  3. Prioritize and validate: Prioritize any discovered vulnerabilities based on their potential impact on your organization and validate any potential attack vectors using techniques like penetration testing and red team simulations.

  4. Establish clear communication channels: It’s important to ensure that security information is shared effectively between different teams and stakeholders. Regardless of the type of CTEM solution your organization chooses to implement, establishing clear communication channels and protocols is essential to ensure that security information is disseminated effectively and acted on in a timely manner.

Keep your business ready

Implementing a CTEM program is a critical step for any organization given today’s increasing cyber threats. By taking a proactive and continuous approach to your risk management strategy, you can significantly reduce your digital attack surface while achieving a more resilient cybersecurity posture.

The post How CTEM is providing better cybersecurity resilience for organizations appeared first on Security Intelligence.
