RSAC 2025: The Turning Point for AI in Enterprise Security?

RSA Conference 2025 in San Francisco was a breath of fresh air, literally and figuratively. The city felt more vibrant and welcoming, and the conference buzzed with genuine excitement. Unlike previous years, which were dominated by hype and theoretical discussions, this year’s focus was on tangible (not yet game-changing!) AI applications in cybersecurity. AI extended throughout the conference, from the keynotes through the track sessions and into the exhibition hall.

Conquering the Chaos of Vulnerability and Exposure Management at RSAC Conference 2025

Recently, industry analyst Jon Oltsik outlined a critical shift underway in cybersecurity: the move toward a threat-informed defense. As Oltsik describes, organizations are beginning to strengthen the intersection of vulnerability scanning and threat intelligence, using AI to bolster asset classification and risk scoring. This evolution is essential as enterprises seek to move beyond fragmented security practices and build a more cohesive exposure management strategy.

CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability

On May 7, 2025, watchTowr publicly disclosed technical details and a proof-of-concept (PoC) exploit for a pre-authenticated Remote Code Execution (RCE) chain affecting SysAid On-Premises, a self-hosted IT service management (ITSM) platform used by organizations to manage IT support tasks. Although the vulnerabilities were patched in March 2025, they had not been assigned Common Vulnerabilities and Exposures (CVE) identifiers and were disclosed for the first time with watchTowr’s publication.

Understanding Risk-based Vulnerability Management

Software vulnerabilities are an unfortunate reality of enterprise IT. New vulnerabilities are being discovered all the time, and while most will never be exploited by an adversary, without a program to quickly discover and remediate high-priority vulnerabilities, organizations are putting themselves at risk.

Chaining CVE-2024-38475 and CVE-2023-44221 for Full System Compromise

CVE-2024-38475 is a critical vulnerability in the Apache HTTP Server’s mod_rewrite module that permits arbitrary file read operations under specific configurations. This flaw arises from inadequate sanitization of user-controlled input passed to RewriteRule directives, which allows attackers to traverse the filesystem by manipulating server variables and regex capture groups.

Lights Out and Stalled Factories: Using M.A.T.R.I.X to Learn About Modbus Vulnerabilities

Let’s explore the critical role of Modbus in energy and manufacturing systems, then demonstrate real-world exploitation techniques using Docker-based simulations and the custom-built Python tool M.A.T.R.I.X. The danger here is that an attacker who gains unauthorized access to a misconfigured Modbus TCP server can send malicious write commands to turn coils ON or OFF, thereby illegally activating or deactivating physical devices.

Top Cybersecurity Vulnerabilities to Watch Out For

With cyberattacks and data breaches growing at alarming rates worldwide, becoming aware of cybersecurity vulnerabilities is crucial. Last year, data security breaches cost companies of all sizes around the world USD 9.5 trillion. That striking figure represents a 10% increase compared to 2023, and the upward trend is scarily steep.