Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A critical security vulnerability (CVE-2025-10035) has been identified in GoAnywhere MFT, a widely used file transfer solution developed by Fortra. This software is commonly deployed to securely transfer sensitive data such as financial records, HR files, legal documents, and personally identifiable information (PII). Currently, CVE-2025-10035 is rated at a 10.0 (critical) on the CVSS scale and a 9.23 out of 10 on Bitsight’s Dynamic Vulnerability Exploit (DVE) scale.

One unmanaged machine identity—whether a TLS certificate, SSH key, code signing certificate, or API secret—that’s all it takes to crash your website, halt transactions, and leave customers complaining about you in the comments. No one is immune. In fact, 83 percent of organizations have experienced a certificate-related outage in the past 24 months. Even tech giants recently made headlines after expired renewals triggered hours of downtime and millions in lost revenue.

Back before live security video feeds in homes, people would walk around at night checking to make sure they locked every window and door. They took these precautions because they knew that a single open lock gave burglars an opportunity to steal from them. For organizations, vulnerability management programs are a way to lock the doors against cybercriminals.

No principle is more frequently praised yet ignored than the principle of least privilege in cybersecurity. It’s the equivalent of locking your server room but handing everyone the master key “just in case.” Considering the current threat landscape, which is rife with credential leaks, ransomware, insider incidents, and careless automation, complacency is not only costly but also dangerous. And above all, reckless.

Ben Reardon, Lead Researcher Corelight Labs / NOC crew I'm a researcher on the Labs team at Corelight and, for me, working in the Black Hat Network Operations Center (NOC) at the USA show in Las Vegas is up there as one of the most interesting and intense activities on the calendar.

I’ve been to several Black Hat conferences (seven in the last two and a half years, alone) to be a threat hunter in the Network Operations Center (NOC), so I didn’t expect to be surprised by much at this year’s Black Hat USA.

If there’s one lesson security teams should take from recent disclosures, it’s this: AI agent attack techniques don’t disappear - they resurface, across vendors and platforms, with only small variations. What researchers called out months ago is showing up again, now in Salesforce as the ForcedLeak vulnerability.

Let's have a look at how to integrate NHI Governance with AWS IAM to get detailed security insights into your dashboard.