Microsoft Defender Vulnerability Management Blog articles

From Vulnerability Fatigue to Action: How SKF Operationalized MDVM with a Custom Dashboard

Ayelet_Artzi — Tue, 31 Mar 2026 18:38:08 GMT

In today’s rapidly evolving digital landscape, organizations must proactively manage security risk and stay ahead of emerging threats to keep systems and data secure. However, many teams face “vulnerability fatigue”; remediation doesn’t get easier as environments grow, Mean Time to Remediate (MTTR) increases, and Mean Time to Exploit continues to shrink. (References: CyberMindr, “Average Time-to-Exploit in 2025”; “MTTR: The Most Important Security Metric”).

Microsoft Defender Vulnerability Management (MDVM) transforms vulnerability management into a holistic, risk-based practice—with a single place to discover exposure, prioritize what matters most, and drive remediation.

MDVM surfaces a large volume of vulnerability data. To help customers focus time and resources effectively, it applies a risk-based approach that maps identified weaknesses to actionable security recommendations, prioritized by impact. Each recommendation includes practical remediation guidance.

How SKF Approaches Recommendations

SKF, a global enterprise with thousands of assets, has taken significant steps to strengthen its security posture by leveraging Microsoft Defender Vulnerability Management. MDVM is available as part of Microsoft Defender for Endpoint, which is deployed across SKF’s environment.

SKF’s patch management model spans multiple owning teams (for example, the Windows team, business application teams, and device owners responsible for patching non-managed applications). SKF uses the MDVM API together with its Configuration Management Database Application Portfolio Management (CMDB APM) to export vulnerability data—along with application name and owner—to external dashboards. These dashboards visualize the data in near real time, enabling each asset or application owner to see only what they own and take action on the recommendations assigned to them.

Figure 1: Vulnerability dashboard

In this blog, we will focus on the external dashboard SKF customized to meet its organizational needs.

Building a Vulnerability Dashboard

A dashboard is beneficial for organizations where remediation actions are the accountability of different departments or application owners outside of the security organization.

The dashboard is built using MDVM data, which is pulled via the MDVM API. It allows for exporting software vulnerabilities assessments per device through Microsoft Defender for Endpoint. Export software vulnerabilities assessment per device - Microsoft Defender for Endpoint | Microsoft Learn

SKF took the follow series of steps to build out this dashboard include:

Design: Identifying key metrics for the dashboard to address the vulnerability & defining the RBAC role of each category of user
Data Source Integration: Microsoft Defender API, Microsoft Graph API, CMDBAPM and Entra

CMDB allows connecting between application owners and device owners and share application vulnerabilities along with remediation steps to take

Integrated Data Modeling: Schema defined to map multiple variables & defined relationships between data points
Access Implementation: RBAC applied in Power BI& assigned roles for controlled exposure of data
Visualization and UX: Build interactive dashboards with dynamic filtering and contextual data displays to improve user engagement and data insights
Testing & Deployment: Persona based validation & Data integrity tested, verified & deployed

Solution Capabilities

The solution allows a dynamic, real-time, distributed, and visualized risk-based approach that correlates organizational weaknesses with accountable personas.

The solution supports:

Near real-time updates reflecting asset vulnerability status

CMDB integration to match devices to device owners, application names &application owners

CMDB has also been used to retrieve assets criticality information. Critical assets will be prioritized and will be handled in shorter SLA

An RBAC (Role-Based Access Control) model, ensuring that each manager, application owner, or department can view only their data

Dynamic filtering to refine data by application owners, location, device groups, CVE data, Business specific information etc.

While filtering on specific device group or owner, Risk exposure score will dynamically change and reflect the exposure of the selected devices. This enables each team owner or device owner to understand the risk on their assts

Comparative insights, allowing teams to benchmark their risk against organizational averages

Filters: Can be configured in the dashboard itself and in the Filters section

Figure 2: Data search by device type or device info.

SKF's Vulnerability Management Process

SKF is now advancing its vulnerability management strategy with automation-driven enhancements to reduce Mean Time to Remediate (MTTR) by activating the following:

Each application owner or device owner responsibility to log into the dashboard and view required actions to take

Automated email notification to asset owners for critical activities required

SLA enforcement- Defined SLA per vulnerability severity, this includes network enforcement in case the SLA is not met

Patch automation – there are various methods to implement automatic patch automation. This can be implement using Intune enterprise application management or any management system or using AI agent

Summary

Combining MDVM's risk-based prioritization model and clear RACI ownership helps organizations manage and remediate vulnerabilities more effectively. By translating exposure into concrete, actionable recommendations—and aligning those recommendations to the right teams—SKF improved coordination, accountability, and overall security outcomes. The following was observed at SKF:

Role-specific views of the data, so each audience sees only what is relevant to them

Non-security device and application owners can still prioritize remediation using business- and risk-context signals such as exposure score, exploitability, application criticality, and more

The custom dashboard also helps track and improve risk-reduction KPIs over time—at the individual level and across departments, regions, and the broader organization.

Appendix

Dashboard Required Permissions

Microsoft Defender for Endpoint API

Vulnerability.Read.All

Machine.Read.All

SecurityRecommendation.Read.All

Microsoft Graph API

User.Read.All

Group.Read.All

Directory.Read.All

MDVM Guidance for CVE-2025-53786: Exchange Hybrid Privilege Escalation

MotiBani — Tue, 12 Aug 2025 12:46:35 GMT

Executive Summary

Vulnerability Description

CVE-2025-53786 is an Elevation of Privilege (EoP) flaw in hybrid Microsoft Exchange Server deployments. Attackers with administrative rights on an on-premises Exchange Server can exploit the shared service principal trust to gain control of the connected Exchange Online environment.

Affected Products and Versions:

- Microsoft Exchange Server 2016 (Hybrid deployments)
- Microsoft Exchange Server 2019 (Hybrid deployments)

Severity: CVSS v3.1 score 8.0 (High)

Exploit Status: No active exploitation observed yet

This vulnerability illustrates how a trusted hybrid connection can be weaponized for total domain compromise. To mitigate:

Use MDVM to detect, track, and prioritize remediation
Patch promptly with April 2025 hotfix or newer patch
Deploy dedicated hybrid app and reset shared credentials reliably
Isolate or disconnect unsupported servers

Detection

Defender Vulnerability Management solution provides comprehensive vulnerability assessment across all your devices. You can search for this vulnerability in the search bar or navigate directly to the CVE page to view the detailed list of the exposed devices within your organization:

You can use Advanced Hunting in MDVM to find devices vulnerable to CVE-2025-53786, focusing on those in hybrid configurations that are missing the required hotfixes:

DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2025-53786" | summarize by DeviceName, CveId

Use this link to run it directly in your environment: https://security.microsoft.com/v2/advanced-hunting?query=H4sIAPVzmGgAA12OuwrCUBBETy34D8FaQZSojZWxsLFR0vu4YiBRSKJB8eM9BgSRZe4Ms8vMTQjcyTjIW1XBhisnahp2lLopN3IuqlJn720uahGoiOjS4SU3nNuboF6YFFhxVM-diJ5eypIBI4YiVsWMmTJj4vabUtlWOJ_ujGebtufhm_z8dO2-kPt_XW8LsZnWzgAAAA&timeRangeId=month

Mitigation and Best Practices

Patch and Upgrade

Install the April 2025 Hotfix (or newer) to enable the Dedicated Exchange Hybrid App or upgrade to the latest cumulative update:

Microsoft Exchange Server 2019 Cumulative Update 14 - Update
Microsoft Exchange Server 2016 Cumulative Update 23- Update
Microsoft Exchange Server 2019 Cumulative Update 15- Update
Microsoft Exchange Server Subscription Edition RTM - Update

Reconfigure Hybrid Trust

Goal: Replace the legacy shared service principal trust with the Dedicated Exchange Hybrid App in Entra ID, then remove the leftover trust.

Deploy and Enable the Dedicated Hybrid App

Recommended script:

.\ConfigureExchangeHybridApplication.ps1 -FullyConfigureExchangeHybridApplication

Or split steps:

.\ConfigureExchangeHybridApplication.ps1 -CreateExchangeHybridApplication .\ConfigureExchangeHybridApplication.ps1 -EnableExchangeHybridApplication

Alternative via Hybrid Configuration Wizard (HCW):
Run the updated HCW to create the dedicated app, then enable it manually.

Reference: https://aka.ms/ConfigureExchangeHybridApplication-Docs

Remove the Legacy Shared Trust

After the dedicated app is active, run the script in clean-up mode:

.\ConfigureExchangeHybridApplication.ps1 -ResetFirstPartyServicePrincipalKeyCredentials

Details: https://aka.ms/ConfigureExchangeHybridApplication-Docs#service-principal-clean-up-mode

Verify

Confirm the dedicated app is enabled for on-prem servers and that the shared service principal no longer has your key credentials. Re-run clean-up if HCW is executed again.

Conclusion

CVE-2025-53786 is a high-impact vulnerability in the hybrid trust model. While no exploitation has been confirmed, the potential for full domain compromise requires immediate action:

Apply the latest patches
Enable the dedicated hybrid app
Remove shared trust keys
Verify configuration

Use MDVM to continuously surface lagging servers, track remediation, and monitor for regressions such as HCW re-execution. Embed these steps into standard procedures to prevent future exposure.

Supporting CVSS V4 score for CVE for Enhanced Vulnerability Assessment

Yuval_Fisher — Thu, 20 Mar 2025 17:06:46 GMT

Why transition to CVSS v4?

The Common Vulnerability Scoring System (CVSS) is the global standard for assessing vulnerability severity. As leading institutions like the National Vulnerability Database (NVD) transition to CVSS v4, Microsoft is embracing this enhanced scoring model to ensure better alignment and more actionable insights.

CVSS v4 addresses the limitations of its predecessor, CVSS v3, introducing features that provide a more granular and accurate assessment of vulnerabilities. For an in-depth overview, refer to the CVSS v4.0 Specification.

Benefits of CVSS v4 for organizations using Defender Vulnerability Management

CVSS v4 offers significant improvements over CVSS v3, including:

Enhanced Exploitability Assessment

o Introduction of the Attack Requirements (AR) metric, distinguishing vulnerabilities that require specific conditions (e.g., configurations) versus those that don’t.

o More nuanced User Interaction (UI) values:

Passive (P): Normal user actions.
Active (A): Unusual actions or those subverting security protocols.
None (N): No conditions

Refined Impact Metrics

o Replacement of the Scope metric with separate impact metrics for:

Vulnerable Systems: Confidentiality, Integrity, and Availability impacts.
Subsequent Systems: Granular downstream effects.

These changes allow for a more detailed and precise analysis of vulnerability impact and exploitability.

Important Considerations

While CVSS v4 improves scoring precision, it is critical to account for additional contextual insights available in the Defender Vulnerability Management portal, such as:

EPSS (Exploit Prediction Scoring System) scores: Predicting the likelihood of exploitation in the near future.
Threat Intelligence: Insights into known exploits and active attacks in the wild, leveraging Microsoft vast proprietary knowledge.
Exposure Metrics: Includes the number of critical devices affected and whether vulnerabilities are Internet-facing.

| Best Practice: Use CVSS v4 scores alongside EPSS and Threat Intelligence data to prioritize vulnerabilities effectively and manage your exposure risk. See more info in the additional resources below.

What to Expect?

No action is required on your part. Once the transition is complete:

Existing CVEs with available CVSS v4 scores, likely affecting your environment) will automatically use the updated scoring standard.
This will likely cause a one-time adjustment to your organization’s Exposure Score, reflected as a single event in the Exposure Score Trend and the Event Timeline.

We apologize for any inconvenience caused and appreciate your understanding as we enhance our scoring capabilities.You can view the CVSS version and vector string in the CVE side panel. The large majority of CVEs added in the future will display CVSS v4 scores by default.

Additional resources:

Guidance for CVE-2024-0012, CVE-2024-9474 affecting PAN-OS using Microsoft Security capabilities

BrjannBrekkan — Tue, 26 Nov 2024 18:11:49 GMT

A new critical vulnerability affecting PAN-OS has been identified and published last week, putting organizations using Palo Alto Networks’ firewalls at risk. In this blog post, we will demonstrate how you can use Microsoft Security tools discover assets in your organization that are vulnerable to the new critical unauthenticated Remote Code Execution (RCE) flaws in PAN-OS and provide guidelines on remediation. Additionally, we will show you how to use the capabilities of Attack Path analysis together with the Microsoft Security tools to identify how attackers could potentially gain access and reach critical assets in your organizations.

Severity	CVSS V4 B: 9.3 (CVSS V3: 9.8)
Description of vulnerability	An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to obtain administrator privileges, modify configurations, or exploit other vulnerabilities such as CVE-2024-9474
Does it have an Exploit?	Yes, Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability.
Affected Versions	This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Impact

These vulnerabilities pose significant risks to organizations using PAN-OS. The authentication bypass vulnerability could allow unauthorized access to sensitive data and systems, while the privilege escalation vulnerability could enable attackers to gain higher-level permissions, potentially leading to full system compromise. When combined, these vulnerabilities can be particularly dangerous, as an attacker could first gain access through the authentication bypass and then escalate their privileges, maximizing the potential damage. It is crucial for organizations to promptly assess and mitigate these vulnerabilities to protect their network infrastructure and maintain security integrity.

Recommendations for Mitigation and Best Practices

Upgrade to the latest version of PAN-OS
Secure Management Interface Access - Restrict access to the management interface to trusted IP addresses only, enhancing security by limiting potential attack vectors. Use features like JIT (just in time access) for reducing the risk of exploitation. Read more
Minimize Exposure: JIT access ensures that the management interface is not continuously exposed, reducing the risk of unauthorized access

Mapping CVE-2024-0012 and CVE-2024-9474 vulnerabilities in your organization

The first step in managing an incident is to identify and map affected software within your organization’s assets.

Using Microsoft Defender Vulnerability Management

Defender Vulnerability Management solution provides a comprehensive vulnerability assessment across all your devices. You can search the vulnerability by either searching for the CVE or for Pan-OS in the search function of Vulnerability Management weaknesses page, and then view the detailed list of the affected software within your organization

Find the vulnerabilities in weaknesses page

Using Advanced Hunting

To map the presence of CVE-2024-0012 or CVE-2024-9474 in your environment, you can use the following KQL query or this link. This query searches software vulnerabilities related to the specified CVE and summarizes them by device name, OS version and device ID:

DeviceTvmSoftwareVulnerabilities | where CveId in ("CVE-2024-0012", "CVE-2024-9474") | summarize by DeviceName, DeviceId, strcat(OSPlatform, " ", OSVersion), SoftwareName, SoftwareVersion

Using Defender for Cloud

Cloud Security Explorer

You can use the Cloud Security Explorer feature within Defender for Cloud to perform queries related to your posture across Azure, AWS, GCP, and code repositories. This allows you to investigate the specific CVE, identify affected machines, and understand the associated risks.

We have created specific queries for this CVE that help you to easily get an initial assessment of the threat this vulnerability creates for your organization, with choices for customization:

Searching cloud security explorer for the two CVEs

Defender for Cloud Attack path’s:

Using attack path analysis, you can easily find all your exposed machines that are also potentially accessible for attackers. Use the following attack path title to filter the view only for exposed machines:

Internet exposed Azure VM with PAN-OS vulnerabilities (CVE-2024-0012, CVE-2024-9474)

Note: These attack path updates are rolling out and should be available for all customers within hours

Recommendations for Mitigation and Best Practices

Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:

Apply Patches and Updates: Regularly update all software to fix known vulnerabilities. Use Defender Vulnerability Management for monitoring and enforcing patch compliance.
Application Blocking: Use Defender Vulnerability Management to block vulnerable or malicious software when a CVE is assigned. Available only in Defender Vulnerability Management premium plans. (learn more).
Remediate vulnerabilities: Follow Defender for Cloud’s recommendations to fix affected VMs and containers across your multi-cloud environment. (learn more).
The "Emerging Threat" risk factor: Utilize Defender for Cloud’s risk factor to prioritize patching vulnerable resources. This factor is regularly updated to stay relevant.
Exposure Management: Adopt a proactive security mindset by learning how Exposure Management can help you gain cross organizational visibility of your attack surface and any attack paths that come up due to new threats or vulnerabilities.
- Keep monitoring your environment using attack path analysis to block possible attack routes, using either the visualization tool under Exposure Management in Security.microsoft.com portal or the ‘graph-match’ KQL command (learn more).
- Proactively use Vulnerability Assessment security initiative in Exposure Management to aid in prioritization of critical assets. (learn more)

Conclusion

By following these guidelines and utilizing end-to-end integrated Microsoft Security products, organizations can better prepare for, prevent and respond to attacks, ensuring a more secure and resilient environment. While the preceding process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security.

Guidance for handling CUPS remote code execution vulnerability using Microsoft Security capabilities

Efrat Kliger — Sun, 06 Oct 2024 09:56:42 GMT

A new critical Remote code execution (RCE) vulnerability affecting CUPS (Common Unix Printing System) has been identified published last week, putting at risk organizations with Unix (Linux, Gnu and other systems). In this blogpost we will demonstrate how you can easily discover if your organization is vulnerable to the new critical unauthenticated RCE flaws in CUPS printing systems and view guidelines on remediation.

Affected versions:

CVE-2024-47176: cups-browsed binds on UDP port 631, accepting packets from any source. (cups-browsed ≤ 2.0.1)
CVE-2024-47076: libcupsfilters does not validate IPP attributes, allowing attacker-controlled data (libcupsfilters ≤ 2.1b1)
CVE-2024-47175: libppd does not sanitize IPP attributes, enabling data injection. (libppd ≤ 2.1b1)
CVE-2024-47177: foomatic-rip allows arbitrary command execution via the FoomaticRIPCommandLine PPD parameter. (cups-filters ≤ 2.0.)*

* Coverage for this vulnerability is expected shortly.

Impact

A remote attacker can replace or install printers with malicious IPP URLs, leading to arbitrary command execution when a print job is started.

We will demonstrate how organizations can harness the capabilities of Attack Path analysis together with Microsoft Defender suite of products to pinpoint and neutralize threats arising from such events. Our examination will center on: mapping vulnerabilities, evaluating affected assets, gauging potential impact via blast radius analysis, and implementing efficacious mitigations.

Recommendations for Mitigation and Best Practices

Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:

Update the CUPS package.
Disable and remove the cups-browsed service if not needed.
Block traffic to UDP port 631 and DNS-SD traffic if not necessary.

Mapping the CUPS vulnerability in Your Organization:

The first step in managing an incident is to map affected software within your organization’s assets. Defender Vulnerability Management solution provides a comprehensive vulnerability assessment across all your devices.

You can also use the following KQL query or this link, this query searches software vulnerabilities related to the specified CVEs and summarizes them by device name, OS version and device ID:

DeviceTvmSoftwareVulnerabilities | where CveId has_any ("CVE-2024-47176", "CVE-2024-47076", "CVE-2024-47175") | summarize by DeviceName, DeviceId, OS=strcat(OSPlatform, "-", OSVersion), SoftwareName, SoftwareVersion

Using Cloud Security Explorer

We have created specific queries for this CVE that help you to easily get an initial assessment of the threat this vulnerability creates for your organization, with choices for customization:

Understanding potential impact with Microsoft Security Exposure Management

Attack paths:

Automated attack path analysis maps out potential attacks starting from exposed resources and tracing the possible routes an attacker might take to compromise critical assets. The analysis identifies exposed cloud compute resources, such virtual machines and Kubernetes containers, that are vulnerable to remote code execution vulnerabilities and the possible lateral movement steps the adversary might take in the environment. The attack paths are presented for all the supported cloud environments (Azure, AWS and GCP). To present the paths filter the view by the following example titles:

Internet exposed Azure VM with RCE vulnerabilities
Internet exposed GCP compute instance with RCE vulnerabilities
Internet exposed AWS EC2 instance with RCE vulnerabilities

Attack path analysis is available both in Microsoft Security Exposure Management and Microsoft Defender for Cloud.

Critical assets:

It is also advisable to filter for critical assets (devices that were identified as sensitive by the Critical Asset Protection rule engine) that are affected by the vulnerabilities, using the following query or this link:

ExposureGraphNodes | where NodeProperties has 'criticalityLevel' | where NodeLabel in ('microsoft.compute/virtualmachines', 'compute.instances', 'ec2.instance', 'device', 'container-image', 'microsoft.hybridcompute/machines') | join kind=inner (ExposureGraphEdges | where SourceNodeName in ('CVE-2024-47076', 'CVE-2024-47175', 'CVE-2024-47176', 'CVE-2024-47177')) on $left.NodeId == $right.TargetNodeId

Asset exposure:

Asset Exposure provides a complementary perspective by revealing all the routes leading to vulnerable entities. Using this capability according to the guidelines provided here, enables to identify potential areas of the attack surface that can lead to vulnerable resources. Strengthening the attack surface reduces the risk of internal vulnerable resources being discovered and exploited.

Conclusion

By following these guidelines and utilizing end-to-end integrated Microsoft Security products, organizations can better prepare for, prevent and respond to attacks, ensuring a more secure and resilient environment. While the above process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security.

Research Analysis and Guidance: Ensuring Android Security Update Adoption

michaelpeck — Tue, 27 Aug 2024 15:53:44 GMT

Microsoft researchers analyzed anonymized and aggregated security patch level data from millions of Android devices enrolled with Microsoft Intune to better understand Android security update availability and adoption across Android device models. In this post, we describe our analysis, and we provide guidance to users and enterprises to keep their devices up to date against discovered vulnerabilities.

Mobile devices are today’s most prevalent end-user computing platform, and their unique attributes (portability, ubiquitous network connectivity, frequent physical proximity to their owner, sensors such as microphone, camera, GPS) make them valuable targets. Threat actors use mobile devices as attack vectors to pivot into access to enterprise systems and resources. Microsoft brings its expertise, visibility, and resources to provide end-to-end threat protection, including to the broad range of endpoint platforms.

Android security patch lifecycle concerns are often raised in mobile security discussions. Android is an extensible platform with a diversity of devices from many original equipment manufacturers (OEMs), bringing security update complexities. Just as with any popular endpoint platform, security vulnerabilities are discovered in Android. If devices are not patched, these vulnerabilities can potentially be exploited. Others in the security community have previously examined Android security update adoption, and in this post, we contribute to this important discussion by analyzing data from Intune-enrolled Android devices.

Overall, we conclude that security updates for popular Android device models are typically made available and installed in a timely manner. Based on our analysis, we recommend these best practices for ensuring that Android devices are kept up to date with the latest security updates:

When users and enterprises are choosing makes and models of Android devices to purchase, we recommend ensuring that the OEM has committed to provide security updates on a timely basis until a defined End-of-Life date. Several examples for informational purposes without endorsement:
Enterprises should consider blocking or limiting access (for example, using Conditional Access) from devices, both personal-owned and enterprise-owned, when the security patch level is out-of-date by a defined time or longer. Intune provides the ability to define a minimum security patch level compliance policy.
Available security updates should be installed as quickly as feasible. Users or enterprises that delay updates should carefully consider the risks of leaving devices susceptible to exploitation by publicly known vulnerabilities. Intune allows you to minimize disruption caused by update rollouts in your organization, through device restrictions policies or additional update management controls for supported OEMs.
Users and enterprises should replace devices that are End-of-Life or are otherwise known to no longer be receiving security updates.

Highlights of our analysis:

The majority of the top 100 (by Intune enrollment) device models had security updates made available during the month of Google's Android security bulletin release or the following month.
The majority of these Intune-enrolled devices had the updates installed during the same or following month that they became available from the OEM. However, for some device models, despite a recent update appearing to be available, many devices had not been recently updated.
Device models for which the OEM had strongly committed to ensuring security updates (e.g., by participating in Google's Android Enterprise Recommended device program) were more likely to have the most recent Android security updates available & installed.

Vulnerability Management

As organizations increasingly rely on mobile devices, the importance of robust vulnerability management for these endpoints cannot be overstated. This is where Microsoft Defender Vulnerability Management Mobile support comes into play. Its comprehensive risk-based vulnerability management across an enterprise's assets alerts administrators to security posture issues, including those on mobile endpoints. Providing severity and exploit availability information enables informed risk decisions, thereby helping to prevent mobile devices—such as those running Android—from becoming attack vectors. In this blog, we take an in-depth look at Android security update availability and adoption.

Mobile device exploitation through device vulnerabilities is not just theoretical. Google’s Threat Analysis Group in February published a detailed report with numerous examples of Android and iOS device exploitation. Microsoft has investigated mobile malware samples such as KingsPawn, which targeted iOS and had indications of Android being targeted by the author as well. CISA’s Known Exploited Vulnerabilities (KEV) catalog includes Android vulnerabilities. Security updates are necessary to address vulnerabilities and prevent their exploitation.

Understanding The Android Security Update Lifecycle

Stakeholders involved in bringing Android devices to market and distributing updates may include Google, original equipment manufacturers (OEMs), and mobile carriers.

Although the base Android operating system is open source and anyone can build upon it, Google provides proprietary Google Mobile Services (GMS) components, such as the Google Play Store, for officially licensed Android devices.

Google has been releasing security bulletins and monthly security patches since at least 2015. The security bulletins describe the set of vulnerabilities that have been fixed not just within Android itself but may also include Linux kernel patches and patches from component manufacturers.

Each Android security bulletin released by Google contains a list of security vulnerabilities along with one or more security patch level dates. Device users and administrators can check the security patch level on their devices, which is an assertion by the OEM that the device has been patched against all corresponding vulnerabilities in the bulletins through that date. Microsoft Defender Vulnerability Management can help administrators understand known vulnerabilities that their unpatched devices may be susceptible to.

Each OEM must create device-specific builds using Google’s updates, which can introduce delays, despite OEMs receiving advance notice from Google before security bulletins are made public. In some cases, the OEM may no longer be supporting the device, and updates may not be forthcoming at all. Transparency into these practices may vary widely between OEMs, but these practices are critical for users and administrators to understand to make appropriate risk decisions.

OEMs and mobile carriers may add additional code to their devices, and vulnerabilities in this code may not be reflected in Google’s Android security bulletins. Users and administrators can consult the vendors for more information.

Over the last few years, Google has improved its ability to update some components of Android devices, even in cases where an OS update has not been installed (and hence the Android security patch level has not been updated). These updates provide some degree of protection, depending on the specifics of the vulnerabilities.

Analyzing Security Update Adoption Using Microsoft Intune Data

Microsoft Intune is used by enterprises to manage millions of devices, both personally owned and enterprise owned. By analyzing enrollment data in aggregate, without use of any user or enterprise unique identifiers, we can make statistically meaningful conclusions of security update adoption across manufacturers and models while maintaining Microsoft’s privacy commitments to our customers.

For each Android device in Google's supported device model list enrolled in Intune that checked in during a one-week period in January 2024, we gathered the reported OEM, model, OS version, and Android security patch level. We similarly gathered the model and OS version of all enrolled iOS/iPadOS devices for comparison. Our overall findings were validated by sampling data across several previous months.

There are several caveats to be aware of in our data analysis:

Intune enrolled devices do not represent the overall Android device population.
The Android security patch level may not account for OEM/carrier-specific vulnerabilities.
Android’s device diversity means that not all devices are susceptible to all vulnerabilities.
We did not check if individual devices are running unofficial firmware images, which could potentially provide incorrect version and patch level information.

We analyzed the data in several ways:

Latest Android Security Patch Level and median Android Security Patch Level across the top 100 (by Intune enrollment) device models – this gives an estimation of the most recent available update, as well as the rate of adoption of updates for the most popular devices.
Patch level comparison between “knowledge worker” and “rugged” Android Enterprise Recommended devices (AER) and enrolled Android devices overall. The AER program requires devices to “meet an elevated set of specifications" for security updates.
iOS/iPadOS version adoption for comparison.

Android Security Patch Levels of Top Devices

For each unique Play Protect certified device model, we examined both the latest patch level (the most recent patch level reported by devices, with outlying patch levels reported by three or fewer devices excluded) and the median patch level, normalizing each patch level date to the first day of the month. The results highlight the importance of ensuring that device OEMs provide a documented commitment to security updates, and that users and enterprises stop using devices that are beyond the advertised security update support period.

We calculated the age of the patch levels by subtracting the patch level date from the first day of the current month (e.g., a patch issued during the current month would have an age of zero). Using this data, we can determine (assuming we have a large enough device population of that manufacturer/model enrolled in Intune) both when a security update was last issued for a particular manufacturer/model, and how widely the security update has been adopted.

In the figures below, we consider the 100 most popular Android device models enrolled in Intune. The top 100 models reflected 44% of the total number of Play Protect certified Android devices enrolled in Intune. Our data supports that most popular Android devices release security updates in a timely manner:

61 of the 100 models have a security update available with a patch level of one month ago or less.
81 of the 100 models have a security update available with a patch level of three months ago or less.

Some models have an age of zero for the latest patch level, meaning that there is a security update available from the current month. Some models have an age of -1, meaning some devices are running a security update dated next month (possibly an upcoming release being tested).

We examined in further detail the five device models in the top 100 where the latest observed patch level was at least 10 months old. For each device model, we searched online for any security update commitment made by the OEM:

For three of the device models (Device Models 9, 24, and 68), the OEM promised four years of security updates after release, and they met that commitment - the devices had been released over four years ago.
For the other two devices (Device Models 46 and 100), the newest updates we could find were 33 and 31 months respectively after the initial device releases (43 and 53 months ago). We could not find any documented OEM update commitment for those two devices.

Across the 100 device models, the adoption of updates (the median patch level) varies widely. This discrepancy can be seen on the graph as the difference between the orange bars (median patch level) and their corresponding blue bars (latest patch level):

32 device models have a difference of two months or more.
Six of those device models have a difference of 10 months or more.

At least three of the device models with a difference of 10 months or more are non-consumer models intended for use in commercial environments. We speculate that large differences between median and latest patch level are business-critical environments where update deployment is carefully controlled. Other reasons could include use in environments with unstable Internet connections and cases where mobile carriers manage the update but have not yet published it.

Android Enterprise Recommended (AER) Device Models

Google’s Android Enterprise Recommended (AER) program provides a list of devices that according to Google meet “an elevated set of specifications” for security updates and other properties. Originally, “[d]elivery of Android security updates within 90 days of release from Google, for a minimum of three years” was required, but the requirements have since changed. The AER device list is divided into two categories: “knowledge worker” and “rugged.”

Each AER device entry states an advertised End-of-Life (EoL) date that the vendor intends to provide updates until. In the most recent requirements (Android 12), knowledge worker device OEMs “must publish security update information on their websites” including an EoL date for updates, with no requirement to deliver updates in a specific timeframe and no specific EoL length requirement. Rugged device OEMs must support “90-day security updates” and the same EoL requirements as knowledge worker devices.

We analyzed the latest and median patch levels for the top 50 (by Intune enrollment) non-EoL knowledge worker and the top 25 non-EoL rugged device models.

AER Knowledge Worker Device Models

We analyzed the top 50 (by Intune enrollment) AER Knowledge Worker device models (representing 77% of the AER Knowledge Worker devices enrolled in Intune), finding that recent security updates were available for all. We identified a security update with a patch level of one month or newer available for 48 device models, and a security update with a patch level of two months ago for the remaining two device models.

Examining the difference between the median and latest patch levels for each model, we observed that for 47 out of 50 device models, the median device had updates applied within two months of release.

Beyond the top 50, we analyzed all 296 device models that had at least 1000 devices enrolled in Intune. For 290 of those device models, we identified a security update three months old or less, with the majority of device models (177) having a security update dated within the past month.

For the remaining 6 device models, we verified on either the OEM or mobile carrier websites that there did not appear to be recent security updates available, even though the device AER entries indicated they should still be supported with updates. Overall, device models on the AER list have good security update availability but some caution may still be appropriate.

AER Rugged Device Models

Our analysis shows much greater variation in both security update availability and security update deployment for the AER rugged device models. We included only the 25 AER rugged device models that have 1000 or more devices enrolled in Intune.

The variability may be due to the use of these device models in business-critical environments where the OEM may impose more requirements before publishing updates, and the device owner may impose requirements before deploying updates. Enterprises should take care to obtain assurances of security update availability and should carefully weigh the risks of delaying update deployments.

Comparing Android and iOS Update Adoption

In the below plots, we compare update adoption by showing across months the cumulative number of Intune-enrolled devices running an Android security patch level from that month, or for Apple mobile devices, an iOS/iPadOS version released during that month. We show all Play Protect-certified Android devices, all AER Knowledge Worker devices, and all iOS/iPadOS devices.

The data shows the rapid adoption of new versions of iOS/iPadOS versus Android overall, but it also shows that the gap is significantly narrowed for AER knowledge worker devices.

Conclusion

Our data shows that while security update availability and adoption vary, most popular Android device models have good security update practices. With proper precautions and care taken by users and enterprises when choosing devices to use, Android devices can likely be relied upon to have security updates available in a timely manner to provide protection from known vulnerabilities. Enterprises should consider enforcing minimum Android security patch levels for devices to access enterprise resources, with an understanding that this will exclude some device models.

Apurva Kumar and Michael Peck

Microsoft Threat Intelligence Community

Enhancing vulnerability prioritization with asset context and EPSS - Now globally available

Yael_Ben_Ari — Mon, 03 Mar 2025 18:34:54 GMT

Vulnerability prioritization is a critical component of an effective Vulnerability Risk Management (VRM) program.
It involves identifying and ranking security weaknesses in an organization's systems based on their potential impact and exploitability.
Given the vast number of potential vulnerabilities, it is impossible to address all of them at once. Effective prioritization ensures that the most critical vulnerabilities are addressed first, maximizing security efforts.
This approach is crucial for defending against cyberattacks, as it helps allocate resources effectively, reduce the attack surface, and protect sensitive data more efficiently.

We are excited to announce the addition of three crucial factors to our prioritization process in Microsoft Defender Vulnerability Management, aimed at improving accuracy and efficiency. These factors include:

Information about critical assets (defined in Microsoft Security Exposure Management)
Information about internet-facing device
Exploit Prediction Scoring System (EPSS) score

In this article, you can learn more about each of these enhancements, how they contribute to a more robust vulnerability prioritization process, and how you can use them.

Critical devices

In Microsoft Security Exposure Management (preview), you can define and manage resources as critical assets.

Identifying critical assets helps ensure that the most important assets in your organization are protected against risk of data breaches and operational disruptions. Critical asset identification contributes to availability and business continuity. Exposure Management provides an out-of-the-box catalog of predefined critical asset classifications and ability to create your custom definitions, in addition to the capability to manually tag devices as critical to your organization. Learn more about critical asset management in this deep dive blog.

Now in preview, you can prioritize security recommendations, and remediation steps to focus on critical assets first.
A new column displaying the sum of critical assets for each recommendation has been added to the security recommendations page, as shown in figure 1.

Figure 1. New column in the recommendations page that displays the number of critical devices that are correlated to each recommendation (all criticality levels).

Additionally, in the exposed device lists (found throughout the Microsoft Defender portal), you can view device criticality, as shown in figure 2.

Figure 2. Exposed devices with their criticality level in the recommendation object.

You can also use the critical devices filter to display only recommendations that involve critical assets, as shown in figure 3.

Figure 3. Capability to filter and display only recommendations that involves critical assets.

The sum of critical assets (in any criticality level) for each recommendation is now consumable through the recommendations API.

This is the first factor we are incorporating from Exposure Management, and we plan to expand this feature to include more context from the enterprise graph for prioritization enhancements. This will enable a more comprehensive understanding and management of security risks, ensuring that critical areas are addressed with the highest priority.

Internet facing devices

As threat actors continuously scan the web for exposed devices to exploit, Microsoft Defender for Endpoint automatically identifies and flags onboarded, exposed, internet-facing devices in the Microsoft Defender portal. This critical information enhances visibility into your organization's external attack surface and provides insights into asset exploitability. Devices that are successfully connected via TCP or are identified as host reachable through UDP are flagged as internet-facing in the portal. Learn more about devices flagged as internet-facing.

The internet-facing device tag is now integrated into Defender Vulnerability Management experiences. This allows you to filter and see only weaknesses or security recommendations that impact internet-facing devices. The tag is displayed in the tags column, as shown in figure 4, for all relevant devices in the exposed device lists found throughout the Microsoft Defender portal.

Figure 4. Internet-facing tag on the CVE object and on the relevant device.

Exploit Prediction Scoring System (EPSS)

The Exploit Prediction Scoring System (EPSS) is a data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. EPSS uses current threat information from CVE and real-world exploit data. The EPSS model produces for each CVE a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited. Learn more about EPSS.

In the Microsoft Defender portal, you can see the EPSS score for each weakness, as shown in figure 5.

Figure 5. Screenshot showing EPSS score.

When the EPSS is greater than 0.9, the bug tip is highlighted to reflect the urgency of mitigation, as shown in figure 6.

Figure 6. On the weaknesses page: the bug tip is highlighted for this CVE as EPSS > 0.9.

EPSS is designed to help you enrich your knowledge of weaknesses, understand exploit probability, and enable you to prioritize accordingly. The EPSS score is also consumable through the Vulnerability API.

Note that if the EPSS score is smaller than 0.001, it’s considered to be 0.

Try the new capabilities

Incorporating asset context and EPSS into Defender Vulnerability Management marks a significant advancement in our vulnerability prioritization capabilities. These new features—critical asset identification, internet-facing device tagging, and EPSS scoring—provide a more accurate and efficient approach to managing security risks.

By leveraging these tools, you can better protect your organization’s most valuable assets, reduce their attack surface, and stay ahead of potential threats. We invite you to explore these new capabilities and see how they can help with prioritization and enhance your security posture.

For more information, see the following articles:

Using Export API with Defender Vulnerability Management

Ayelet_Artzi — Wed, 24 Jul 2024 08:24:53 GMT

Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment.

It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability.

Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards.

In this blog, we will share guidance and best practices for using Defender Vulnerability Management Export API including:

Overview of the Export API
Available API methods using Export API
Using API Explorer
Managing large data sets and ensuring exports are up to date
Use Export API to build custom dashboards/reports
Defender Vulnerability Management data integrated in other tools

Overview of the Export API data types

Export API is used for publishing raw data of all known software vulnerabilities and their details for devices in the organization.

There are two export API methods: JSON response and files.

Method

Explanation

JSON response

Can be used to get Defender Vulnerability Management snapshot of all data in the organization or can be used to query delta changes in the last X days (where X is up to 15 days)
Delta export indicates per CVE record the CVE status (New, Updated or Resolved)
Can be saved as excel file, opened in Notepad or VScode, and can be extracted using different scripts

Files

Can be used to get Defender Vulnerability Management snapshot of all data in the organization
Recommended for large organizations with more than 100K devices
Each file contains 100K records
To get the next results batch, use skip token (@odata.nextLink field)
Result in files format is valid for 3 hours to download (sass URL)
The files also contain information about devices that are not yet onboarded to Defender

Export software vulnerabilities assessment filter options: RbacName, $skiptoken, $top, pageSize
Delta export software vulnerabilities assessment filter options: RbacName , $skiptoken, $top, pageSize, sinceTime

More details can be seen here: Export software vulnerabilities assessment per device | Microsoft Learn

Available API methods using Export API

via files:

API Method	Details
SoftwareVulnerabilitiesExport	Software vulnerabilities data by machine	Export software vulnerabilities assessment per device \| Microsoft Learn
SoftwareInventoryExport	software data by machine	Export software inventory assessment per device \| Microsoft Learn
InfoGatheringExport		Export information gathering assessment \| Microsoft Learn
SoftwareInventoryNonCpeExport	non cpe products by machine	Export non product code software inventory assessment per device \| Microsoft Learn
SecureConfigurationsAssessmentExport	SCA data by machine(configurations)	Export secure configuration assessment per device \| Microsoft Learn
HardwareFirmwareInventoryExport	firmware data by machine	Hardware and firmware assessment methods and properties per device \| Microsoft Learn
BrowserExtensionsInventoryExport	browser extensions by machine	Export browser extensions assessment \| Microsoft Learn
BaselineComplianceAssessmentExport	Baseline data by machine	Security baseline assessment methods and properties per device \| Microsoft Learn
CertificateAssessmentExport	certificates data by machine	Certificate assessment methods and properties per device \| Microsoft Learn

JSON response:


SoftwareVulnerabilitiesByMachine	vulnerabilities data by machine	Export software vulnerabilities assessment per device \| Microsoft Learn
SecureConfigurationsAssessmentByMachine	SCA data by machine(configurations)	Export secure configuration assessment per device \| Microsoft Learn
SoftwareVulnerabilityChangesByMachine	delta	Export software vulnerabilities assessment per device \| Microsoft Learn
SoftwareInventoryByMachine	software data by machine	Export software inventory assessment per device \| Microsoft Learn
SoftwareInventoryNoProductCodeByMachine	non cpe products by machine	Export non product code software inventory assessment per device \| Microsoft Learn
BrowserExtensionsInventoryByMachine	browser extensions by machine	Export browser extensions assessment \| Microsoft Learn
HardwareFirmwareInventoryByMachine	firmware data by machine	Hardware and firmware assessment methods and properties per device \| Microsoft Learn
BaselineComplianceAssessmentByMachine	baseline data by machine	Security baseline assessment methods and properties per device \| Microsoft Learn
CertificateAssessmentByMachine	certificates data by machine	Certificate assessment methods and properties per device \| Microsoft Learn

Using API Explorer from security portal

With the API Explorer, you can:

Run requests for any method and see responses in real-time
Quickly browse through the API samples and learn what parameters they support
Make API calls with ease

To start, Open Defender portal and navigate to ‘Endpoints-Partners and API-API Explorer ‘

Based on the required data to explore, add the suffix to the API call.

In the example, we will use software vulnerabilities:

https://api.security.microsoft.com/api/machines/SoftwareVulnerabilitiesExport

Run the query
To check its working and export to excel:
Copy one of the files URL from the results:

Open it in website and save the JSON file
Extract the JSON file
Open excel , click on ‘Data’ tab->get data->from file->from JSON and choose the file you saved above

Managing large data sets and ensuring exports are up to date

In case of large amounts of data, Organizations can use the below steps to avoid pulling all defender vulnerability management data every day and still ensure data in export is up to date:

1.Pull ‘Export software vulnerabilities assessment’ once a week

2.Pull ‘Delta export software vulnerabilities assessment’ once a day

3.Join the full snapshot with the delta file based on Device ID, Software name and version and CVE ID

4.Latest ‘Event time stamp’ indicate on the latest status of a specific CVE

Use Export API to build custom dashboards/reports

Using Defender Vulnerability Management Export API customers can build custom reports and dashboards per the organization needs. We have seen organizations build anything executive or management reports to detailed vulnerability management dashboards.

There are variety of methods to use the API such as Power-Automate, Power BI, , Advanced hunting using Python, Advanced hunting using PowerShell, Using OData queries.

One example to get started is to use Defender Vulnerability Management Power BI templates which enable out of the box reports such as Organization existing vulnerabilities, Software inventory, Missing Windows security updates and more.

You can download the templates here.

Defender Vulnerability Management data integrated in other tools

Defender Vulnerability Management data can be integrated in other security tools. Below examples of both Microsoft and non-Microsoft tools:

Microsoft Intune

Integration with Microsoft Intune allows customers to ‘Request Remediation’ to vulnerability security recommendations. This will create an Intune package deployment request and remediation activity item within the security portal, which can be used for monitoring the remediation progress for this recommendation.

ServiceNow Vulnerability Response

For organization using ServiceNow to manage assets, ServiceNow VR can import data from different resources such as assets information, vulnerabilities information and more.

ServiceNow integration synchronizes vulnerability findings from Defender Vulnerability Management and orchestrates the remediation workflow in ServiceNow.

To learn more, see blog describing the integration, Microsoft vulnerability management integrates with ServiceNow VR

Understanding the Microsoft Threat and Vulnerability Management Vulnerability integration (servicenow.com)

Microsoft Sentinel

Use Sentinel to store Defender Vulnerability Management history data. This can be used to integrate vulnerability data with other XDR workflows data, build a custom dashboard and as part of it reflect vulnerability management trends and more. To store Defender Vulnerability Management data, please follow the below:

Azure-Sentinel/DataConnectors/M365Defender-VulnerabilityManagement at master · Azure/Azure-Sentinel (github.com)

Please make sure any analytic rules/hunting queries/workbooks or any content that is related to Defender Vulnerability Management data is directed to the tables you have created.

Microsoft Security Exposure Management

Exposure Management integrates with Defender Vulnerability Management helping security managers to continuously assess and analyze vulnerabilities and misconfigurations across the organization's digital landscape. In the Vulnerability Assessment initiative users can actively identify, prioritize, track and delegate vulnerabilities within the IT infrastructure and the cloud. Users gain real-time visibility into the security posture of their organization, enabling data-driven decision-making for resource investment and placement.

To learn more about, see documentation about security initiatives or blog series introducing Exposure Management.

for additional Defender Vulnerability Management, please visit Documentation page and Ninja page

Guidance for handling “regreSSHion” (CVE-2024-6387) using Microsoft Security capabilities

BrjannBrekkan — Thu, 25 Jul 2024 20:28:02 GMT

Investigating and assessing vulnerabilities within the software inventory is crucial, especially in light of high-severity vulnerabilities like the recent OpenSSH regreSSHion vulnerability. Such security risks are becoming increasingly common, often exploiting software dependencies and third-party services. The notoriety of incidents like the TeamViewer breach and the XZ Utils backdoor underscores the urgency for comprehensive vulnerability management and strategies to minimize the attack surface. In this blog post, we delve into the methodology for probing such incidents. We will demonstrate how organizations can harness the capabilities of Attack Path analysis together with Microsoft Defender suite of products to pinpoint and neutralize threats arising from such events. Our examination will center on: mapping vulnerabilities, evaluating affected assets, gauging potential impact via blast radius analysis, and implementing efficacious mitigations.

Mapping Vulnerabilities and Impacted Assets

Example: Mapping the regreSSHion vulnerability

To map the presence of the regreSSHion vulnerability (CVE-2024-6387) in your environment, you can use the following KQL query in Advanced Hunting in Microsoft Defender portal:

DeviceTvmSoftwareVulnerabilities | where CveId == "CVE-2024-6387" | summarize by DeviceName, DeviceId, strcat(OSPlatform, " ", OSVersion), SoftwareName, SoftwareVersion

This query searches software vulnerabilities related to the specified CVE and summarizes them by device name and id, you can use this link to open the query in your environment.

Example: Mapping devices with vulnerable OpenSSH version installed

Utilizing software inventory to map devices is advisable even when a CVE hasn’t been officially published or when there’s a specific requirement to upgrade a particular package and version.

DeviceTvmSoftwareInventory | where SoftwareName has "openssh" | extend ParsedSoftwareVersion = extract(@"(\b(\d\.\d)|(\b\d\.\d))", 0, SoftwareVersion) // extract version number (e.g. "1:8.9p1-3ubuntu0.5" > "8.9") | where // filter for potentially vulnerable versions only toreal(ParsedSoftwareVersion) < 4.4 or toreal(ParsedSoftwareVersion) >= 8.5 and toreal(ParsedSoftwareVersion) < 9.8 | project DeviceId, DeviceName, SoftwareName, SoftwareVersion, ParsedSoftwareVersion, SoftwareVendor

This query searches for devices that have the vulnerable OpenSSH versions installed, you can use this link to open the query in your environment.

Understanding Potential Impact: Attack Path Analysis

Understanding the blast radius of impacted devices is critical for assessing the potential impact on your organization. Microsoft Security offers attack path analysis to visualize possible lateral movement steps an adversary might take.

Leveraging Microsoft Defender for Cloud

Defender for Cloud (MDC) discovers all cloud resources affected by the vulnerability which are also exposed to the internet through SSH ports. MDC highlights them in the ‘attack path analysis’ tool:

Internet exposed Azure VM with OpenSSH regreSSHion vulnerability (CVE-2024-6387)

Internet exposed AKS pod is running a container with OpenSSH regreSSHion vulnerability (CVE-2024-6387)

Internet exposed EKS pod is running a container with OpenSSH regreSSHion vulnerability (CVE-2024-6387)

Note: These attack path updates are rolling out and should be available for all customers shortly.

Using Cloud Security Explorer

We have created specific queries for this CVE that help you to easily get an initial assessment of the threat this vulnerability creates for your organization, with choices for customization:

VMs with regreSSHion critical vulnerability (CVE-2024-6387)

Container images with regreSSHion critical vulnerability (CVE-2024-6387)

Code repositories affected by CVE-2024-6387

Container images affected by CVE-2024-6387 pushed by code repositories

Advanced Hunting: Analyzing Attack Paths Across the Organization with Microsoft Security Exposure Management

To analyze the blast radius (i.e. the potential impact of a compromised device) of the regreSSHion vulnerability across different environments and assets, you can use the powerful `graph-match` KQL command under Advanced Hunting to identify other critical assets that might be at risk.

The following query (wrapped in the BlastRadiusAttackPathMapping function for easier repeated usage) maps and returns possible attack paths an adversary can take.
The function receives as an input:

sourceTypes: filter for type of device that can be considered as entry points (e.g. virtual machine, endpoint device)
sourceProperties: filter for properties the above devices must have (e.g. high severity vulnerabilities)
sourceCveIDs: filter for specific vulnerabilities (CVE IDs) the above devices must have
targetTypes: filter for type of device that are considered as the target of the path (e.g. storage account, privileged user, virtual machine, endpoint device)
targetProperties: filter for properties the target devices must have (e.g. critical assets)
maxPathLength: maximum hops for each attack path
resultCountLimit: maximum amount of attack paths calculated

let BlastRadiusAttackPathMapping = (sourceTypes: dynamic, sourceProperties: dynamic, sourceCveIDs: dynamic , targetTypes: dynamic, targetProperties: dynamic , maxPathLength: long = 6, resultCountLimit: long = 10000) { let edgeTypes = pack_array ( 'has permissions to', 'contains', 'can authenticate as', 'can authenticate to', 'can remote interactive logon to' , 'can interactive logon to', 'can logon over the network to', 'contains', 'has role on', 'member of' ); let sourceNodePropertiesFormatted = strcat('(', strcat_array(sourceProperties, '|'), ')'); let targetNodePropertiesFormatted = strcat('(', strcat_array(targetProperties, '|'), ')'); let nodes = ( ExposureGraphNodes | project NodeId, NodeName, NodeLabel , SourcePropertiesExtracted = iff(sourceProperties != "[\"\"]", extract_all(sourceNodePropertiesFormatted, tostring(NodeProperties)), pack_array('')) , TargetPropertiesExtracted = iff(targetProperties != "[\"\"]", extract_all(targetNodePropertiesFormatted, tostring(NodeProperties)), pack_array('')) , criticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel) | mv-apply SourcePropertiesExtracted, TargetPropertiesExtracted on ( summarize SourcePropertiesExtracted = make_set_if(SourcePropertiesExtracted, isnotempty(SourcePropertiesExtracted)) , TargetPropertiesExtracted = make_set_if(TargetPropertiesExtracted, isnotempty(TargetPropertiesExtracted)) ) | extend CountSourceProperties = coalesce(array_length(SourcePropertiesExtracted), 0) , CountTargetProperties = coalesce(array_length(TargetPropertiesExtracted), 0) | extend SourceRelevancyByLabel = iff(NodeLabel in (sourceTypes) or sourceTypes == "[\"\"]", 1, 0) , TargetRelevancyByLabel = iff(NodeLabel in (targetTypes) or targetTypes == "[\"\"]", 1, 0) , SourceRelevancyByProperties = iff(CountSourceProperties > 0 or sourceProperties == "[\"\"]", 1, 0) , TargetRelevancyByProperties = iff(CountTargetProperties > 0 or targetProperties == "[\"\"]", 1, 0) | extend SourceRelevancy = iff(SourceRelevancyByLabel == 1 and SourceRelevancyByProperties == 1, 1, 0) , TargetRelevancy = iff(TargetRelevancyByLabel == 1 and TargetRelevancyByProperties == 1, 1, 0) ); let edges = ( ExposureGraphEdges | where EdgeLabel in (edgeTypes) | project EdgeId, EdgeLabel, SourceNodeId, SourceNodeName, SourceNodeLabel, TargetNodeId, TargetNodeName, TargetNodeLabel ); let vulnerableDevices = ( ExposureGraphEdges | where iif(sourceCveIDs == "[\"\"]", true, (SourceNodeName in (sourceCveIDs)) and (EdgeLabel == "affecting")) // filter for CVEs only if listed, otherwise return all nodes | project NodeId=TargetNodeId | distinct NodeId ); let paths = ( edges // Build the graph from all the nodes and edges and enrich it with node data (properties) | make-graph SourceNodeId --> TargetNodeId with nodes on NodeId // Look for existing paths between source nodes and target nodes with up to predefined number of hops | graph-match cycles=none (s)-[e*1 .. maxPathLength]->(t) // Filter only by paths with relevant sources and targets - filtered by node types and properties where (s.SourceRelevancy == 1 and t.TargetRelevancy == 1) and s.NodeId in (vulnerableDevices) project SourceName = s.NodeName , SourceType = s.NodeLabel , SourceId = s.NodeId , SourceProperties = s.SourcePropertiesExtracted , CountSourceProperties = s.CountSourceProperties , SourceRelevancy = s.SourceRelevancy , TargetName = t.NodeName , TargetType = t.NodeLabel , TargetId = t.NodeId , TargetProperties = t.TargetPropertiesExtracted , CountTargetProperties = t.CountTargetProperties , TargetRelevancy = t.TargetRelevancy , EdgeLabels = e.EdgeLabel , EdgeIds = e.EdgeId , EdgeAllTargetIds = e.TargetNodeId , EdgeAllTargetNames = e.TargetNodeId , EdgeAllTargetTypes = e.TargetNodeLabel | extend PathLength = array_length(EdgeIds) + 1 , PathId = hash_md5(strcat(SourceId, strcat(EdgeIds), TargetId)) ); let relevantPaths = ( paths | extend NodesInPath = array_concat(pack_array(SourceId), EdgeAllTargetIds), NodeLabelsInPath = array_concat(pack_array(SourceType), EdgeAllTargetTypes) | extend NodesInPathList = NodesInPath // Wrap the path into meaningful format (can be tweaked as needed) | mv-expand with_itemindex = SortIndex EdgeIds to typeof(string), EdgeLabels to typeof(string) , NodesInPath to typeof(string), NodeLabelsInPath to typeof(string) | sort by PathId, SortIndex asc | extend step = strcat ( iff(isnotempty(NodesInPath), strcat('(', NodeLabelsInPath, ' ', SourceName, ':', NodesInPath, ')'), '') , iff(CountSourceProperties > 0 and NodesInPath == SourceId, SourceProperties, '') , iff(CountTargetProperties > 0 and NodesInPath == TargetId, TargetProperties, '') , iff(isnotempty(EdgeLabels), strcat('-', EdgeLabels, '->'), '') ) | summarize Path = make_list(step), take_any(*) by PathId // Project relevant fields | project SourceName, SourceType, SourceId, SourceProperties, CountSourceProperties, SourceRelevancy , TargetName, TargetType, TargetId, TargetProperties, CountTargetProperties, TargetRelevancy , PathId, PathLength, Path | top resultCountLimit by PathLength asc ); relevantPaths }; // Calling the function starts here let sourceTypes = pack_array('microsoft.compute/virtualmachines', 'compute.instances', 'ec2.instance', 'device', 'container-image', 'microsoft.hybridcompute/machines'); let sourceProperties = pack_array('hasHighOrCritical'); // filter for assets with severe vulnerabilities let sourceCveIDs = pack_array('CVE-2024-6387'); // filter for entry points with regSSHion CVE let targetTypes = pack_array(''); let targetProperties = pack_array('criticalityLevel'); // filter for paths that ends with critical assets BlastRadiusAttackPathMapping(sourceTypes, sourceProperties, sourceCveIDs, targetTypes, targetProperties) | project-reorder SourceType, SourceName, TargetType, TargetName, Path | project-keep SourceType, SourceName, TargetType, TargetName, Path

For our purposes we are filtering for “compute” devices (such as servers, VMs, endpoints) with high severity vulnerabilities, specifically the regSSHion CVE ID that can be utilized by adversaries to serve as an entry point for an attack.
We’re also looking to map paths only to devices that have a critical role in the environment (such as a Domain Controller, user with privileged role, etc.)

An example for such query results:

The function can be easily reused, the only part that should be modified is the parameters and the function calling, right below
Line 177 “// Calling the function starts here:“

Recommendations for Mitigation and Best Practices

Mitigating risks associated with vulnerabilities requires a combination of proactive measures and real-time defenses. Here are some recommendations:

Apply Patches and Updates: Regularly update and patch all software to address known vulnerabilities. Use Defender Vulnerability Management to monitor and enforce patch compliance.
Application Blocking: Once CVE is assigned, utilize Defender Vulnerability Management's application blocking capability to prevent the execution of vulnerable or malicious software. This feature is available in premium plans only (learn more).
Remediate vulnerabilities: Use Defender for Cloud ‘remediate vulnerabilities’ recommendations to remediate affected VMs and containers across your multi-cloud environment. (learn more)
Exposure Management: Keep monitoring your environment using attack path analysis to block possible attack routes, using either the visualization tool under Exposure Management in Security.microsoft.com portal or the ‘graph-match’ KQL command (learn more).
Secure Management ports Use Defender for Cloud ‘Secure management ports’ recommendation to ensure the SSH ports on your machines are closed, or at least protected with just-in-time access control (learn more).
Network Segmentation: Implement network segmentation to limit the spread of an attack and protect critical assets.
Advanced Hunting: Continuously monitor your environment using advanced hunting queries to detect unusual activities and potential exploitation attempts

Conclusion

While the above process provides a comprehensive approach to protecting your organization, continual monitoring, updating, and adapting to new threats are essential for maintaining robust security.

Defender support for CVE-2024-3400 affecting Palo Alto Networks firewalls

NimrodRoimy — Mon, 15 Apr 2024 14:35:35 GMT

On April 12, Palo Alto Networks released a security advisory on CVE-2024-3400, a critical vulnerability affecting several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Starting April 14, 2024, patches are expected to become available.

CVE	Description	CVSSv4	Severity
CVE-2024-3400	Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS	10.0	Critical

Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and/or GlobalProtect portal and device telemetry enabled.

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability their highest urgency rating. Palo Alto Networks has released an in-depth blog on the scope of the attack, indicators of compromise, and adversary behavior observations. We highly recommend reviewing both the blog and the advisory for latest information.

Identify affected devices with Defender Vulnerability Management

The following Advanced Hunting query provides a list of the potentially vulnerable devices with PAN-OS affected versions:

DeviceTvmSoftwareInventory

| where SoftwareName has "pan-os"

| where SoftwareVersion startswith "11.1." or SoftwareVersion startswith "11.0." or SoftwareVersion startswith "10.2."

| summarize by DeviceId, DeviceName, SoftwareName, SoftwareVersion

Identify affected multi-cloud resources with Defender for Cloud

To identify affected multi-cloud resources using Defender for Cloud, you can utilize the Security Explorer feature. This will help detect all cloud resources affected by the vulnerability in Azure, AWS, and GCP. To get started, use this query

Mitigation guidance

For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.
This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details for ETAs regarding the upcoming hotfixes in the security advisory.

We will update this blog with information and guidance as needed.

Microsoft FAQ and guidance for XZ Utils backdoor

BrjannBrekkan — Sun, 07 Apr 2024 08:45:04 GMT

On March 28, 2024 a backdoor was identified in XZ Utils. This vulnerability, CVE-2024-3094 with a CVSS score of 10 is a result of a software supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ Utils. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recommended organizations to downgrade to a previous non-compromised XZ Utils version. See below details and Microsoft response for this vulnerability.

Change log:
4 April: Threat Intelligence, Microsoft Defender Antivirus and Defender for Endpoint added to Guidance on using Microsoft products to assess your exposure to CVE-2024-3094 section.

Frequently Asked Questions

What is XZ Utils and what is the library used for?

XZ Utils is data compression software included in common Linux distributions that plays a crucial role in compressing various file formats, including release tarballs, software packages, kernel images, and initramfs images.

Has this backdoor code been exploited?

Originally found by a Microsoft employee Andres Freund, the full extent of this vulnerability impact is still being investigated, we know it can be triggered by remote unprivileged systems connecting to SSH ports. This activation can lead to potentially compromise system integrity and performance issues.

What Linux distributions are affected?

Please see below the list of impacted Linux distributions. As this is a developing situation, we anticipate we will have further clarity for additional distributions and will continue to update this blog as necessary.

Fedora Rawhide	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Fedora 41	https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Debian testing, unstable and experimental distributions versions 5.5.1alpha-0.1 to 5.6.1-1.	https://lists.debian.org/debian-security-announce/2024/msg00057.html
openSUSE Tumbleweed and openSUSE MicroOS	https://news.opensuse.org/2024/03/29/xz-backdoor/
Kali Linux (Discovery supported)	https://www.kali.org/blog/about-the-xz-backdoor/

Are there patches or mitigations available?

CISA recommends developers and users to downgrade XZ Utils to an uncompromised version—such as XZ Utils 5.4.6 Stable. See Red Hat’s advisory for more information.

Guidance on using Microsoft products to assess your exposure to CVE-2024-3094

In the last few days our teams have worked to provide Microsoft customers with enhancements and guidance to assist in detecting software products in your environments which are affected by the vulnerability and a thorough discovery of the impacted devices which have the vulnerable software version installed. Below you will find guidance on how you can use Defender Vulnerability Management, Defender for Cloud, Microsoft Security Exposure Management, Threat Intelligence, Microsoft Defender Antivirus, Microsoft Defender for Endpoint. We will continue our work and will update this blog with more product updates and guidance.

Microsoft Defender Vulnerability Management

With Defender Vulnerability Management you see available information about CVE-2024-3094 in the Weaknesses inventory and can assess the presence of this vulnerability in your organization.

Note: you may need to change the default view by adding the ‘Doesn’t affect my organization’ filter option (as the vulnerability may not exist in your environment).

The side panel that opens up when you click the CVE includes detailed description of the vulnerability with potential impact and suggested remediation steps and additional CVE metadata.

The vulnerability page provides additional insights such as list of Affected software products, list of Exposed devices which are directly exposed to the vulnerability, and Security recommendations to mitigate risk.

The following advanced hunting queries will allow security teams to perform an immediate assessment of the impact of CVE-2024-3094 on their environment.

This query will provide a list of all installed versions of XZ in your organization:

DeviceTvmSoftwareInventory

| where SoftwareName startswith “liblzma” or SoftwareName startswith “xz”

| summarize dcount(DeviceId) by SoftwareVendor, SoftwareName, SoftwareVersion

This query will provide a list of devices with vulnerable version installed:

DeviceTvmSoftwareInventory

| where SoftwareName startswith “liblzma” or SoftwareName startswith “xz”

| where SoftwareVersion contains “5.6.0” or SoftwareVersion contains “5.6.1”

Microsoft Defender for Cloud

Attack Paths

Defender for Cloud discovers all cloud resources affected by the vulnerability which are also exposed to the internet in SSH ports, and highlights them in the ‘attack path analysis’ page:

Use the following attack path title to filter the view only for exposed machines:

“Internet exposed Azure VM in SSH port with vulnerable XZ Utils version (CVE-2024-3094)”

Security Explorer queries

You can use the Security Explorer feature within Defender for Cloud to perform queries related to your posture management across Azure, AWS & GCP, and investigate this specific CVE to find the affected machines and understand the risk associated with them.

We have developed dedicated queries for this CVE, which allow you to quickly gain an initial understanding of the risk posed by this vulnerability to your organization, with customization option:

Virtual machines with vulnerable packages, which exposed on port 22 (Link to query)
Virtual machines with CVE-2024-3094 detected, and exposed on port 22 (Link to query)
Kubernetes pods running vulnerable container images, and exposed on port 22 (Link to query)

Note: The data is rolling out and should be available for all customers in the upcoming day.

Recommendations

You can use Defender for Cloud recommendations to detect vulnerable resources in your multi-cloud environment (Azure, AWS & GCP) and protect them from exploit:

Remediate vulnerabilities - Use Defender for Cloud ‘remediate vulnerabilities’ recommendation to remediate affected VMs and containers across your multi-cloud environment.
Secure Management ports - Use Defender for Cloud ‘Secure management ports’ recommendation to ensure the SSH ports on your machines are closed, or at least protected with just-in-time access control (Learn more>).

Microsoft Security Exposure Management

Recently released in public preview , Exposure Management unifies data and insights from security tools and provides an organizational wide view of exposure and attack paths. We mention this here as it could provide you with additional insight providing further exploration capabilities to the attack path in Defender for Cloud and the integration of attack surface map visualization in exposed devices in Defender Vulnerability Management.

Attack Surface Exploration

Using the new Attack Surface Map , you can achieve comprehensive visibility into entities, their insights, and relationships within your organization. This tool offers interactive capabilities to visually explore the potential attack paths an attacker could take to traverse the organization, enabling a better understanding of your organization’s attack surface and allowing you to prioritize your focus to protect your critical assets effectively.

Attack Surface Map integration in Microsoft Defender Vulnerability Management provides the ability to further explore the potential impact by accessing the organizational context of each asset. Simply select an exposed device, click on 'View in map,' and gain a clearer understanding of its significance within your environment. This streamlined approach enhances your capability to address vulnerabilities promptly and efficiently.

Microsoft Threat Intelligence

Microsoft Defender Threat Intelligence and Copilot for Security customers can learn more in the Vulnerability Profile here: https://security.microsoft.com/intel-profiles/CVE-2024-3094

Microsoft Defender XDR customers can learn more in the CVE-2024-3094-XZ utility vulnerability report in Threat Analytics:

https://security.microsoft.com/threatanalytics3/89eab842-1d49-4b61-bacb-1f43361002c9/overview

Microsoft Defender Antivirus

Microsoft Defender Antivirus provides detections and protections for components and behaviors related to this threat under the following signatures:

Exploit:Linux/CVE-2024-3094
Behavior:Linux/CVE-2024-3094
Backdoor:Linux/XZBackdoorBuild
Trojan:Linux/Multiverze

Customers utilizing automatic updates do not need to take additional action. Enterprise customers managing updates should select the security intelligence build 1.409.17.0 or newer and deploy it across their environments.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides customers with detections and alerts. Alerts with the following title in the Defender portal can indicate threat activity related to this attack on your network:

Possible CVE-2024-3094 exploitation

As the investigation of this event continues, this blog will be updated with additional insights from Microsoft Security, the latest information obtained from the different software vendors and from publicly available security feeds and bulletins.

Defender Vulnerability Management GA in government cloud

BrjannBrekkan — Mon, 01 Apr 2024 16:00:00 GMT

Microsoft has established itself as a leading solution for vulnerability risk management (VRM) by leveraging its industry-leading threat intelligence and security expertise. Microsoft Defender Vulnerability Management covers the end-to-end VRM lifecycle to identify, assess, prioritize, and remediate vulnerabilities across platforms and workloads. Making it an ideal tool for an expanded attack surface taking advantage of our context-aware, risk-based prioritization breach likelihood predictions and business contexts to prioritize vulnerabilities across their portfolio of managed and unmanaged devices.

Figure: Platform and workload coverage in Defender Vulnerability Management

We are excited to announce that on 1 April, 2024 all Microsoft Defender Vulnerability Management capabilities are available to government cloud customers.

Organizations across commercial, education and government environments can now get the complete set of capabilities for their environment. Defender Vulnerability Management has both core and premium capabilities where the core capabilities are included as part of Defender for Endpoint P2 and premium capabilities available as an add-on. For organizations that are not yet on Defender for Endpoint Plan 2 we also provide a standalone offer that includes both core and premium. Organizations looking for server protection for their hybrid cloud environment the vulnerability management core capabilities are available in Defender for Servers plan 1 and premium capabilities in Defender for Servers plan 2.

Figure: Availability of core and premium capabilities across offerings that include Defender Vulnerability Management for endpoints and servers.

More information about the Defender Vulnerability Management premium capabilities now available in GCC, GCC-High and DOD in these blogs:

Defender Vulnerability Management Add-on GA (3/2023)
Defender Vulnerability Management Standalone GA (8/2023)

Continue to safeguard your organization during NVD update delays

BrjannBrekkan — Tue, 26 Mar 2024 03:04:32 GMT

The National Institute of Standards and Technology (NIST) recently announced updates to the National Vulnerability Database (NVD) program causing delays in enrichment process of its analysis of Common Vulnerabilities and Exposures (CVEs).
This means that important data is missing for a significant number of recent CVEs, lacking metadata, including severity scores and affected product details.

Message from NIST

“NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.” Read more on https://nvd.nist.gov

Microsoft Defender Vulnerability Management continues to safeguard your organization.

Many organizations have expressed concerns about the delays in the NVD process, which has caused thousands of vulnerabilities to lack metadata.
Defender Vulnerability Management provides accurate and timely vulnerability information from multiple sources and does not solely rely on the NVD program. Our platform obtains vulnerabilities data from a variety of public security bulletins including NVD, IBM X-Force, Exploit-DB, Microsoft, RedHat, Ubuntu, Debian, Google, Adobe, Kubernetes and many more, and our vulnerability scoring is based on a diverse range of sources, collected automatically on an hourly/daily basis. We leverage direct information from the source and ensure the accuracy and timeliness of our vulnerability management solutions, ensuring that our customers are safeguarded against potential threats.

Our proprietary exposure score provides a risk-based assessment of the vulnerabilities that matter most, pinpointing organizational risk using business context, threat intel, and numerous other risk factors.

Furthermore, we're collaborating with NIST to understand their plan, while continuing to help customers continue to manage risk in the interim.

In conclusion, during the current delays in the NVD process, Microsoft Defender Vulnerability Management customers can rest assured that our platform provides accurate and timely vulnerability information from multiple sources, ensuring that their organizations are safeguarded against potential threats.

Vulnerability Descriptions enhanced with AI

BrjannBrekkan — Tue, 19 Mar 2024 05:28:24 GMT

Addressing software vulnerabilities can be challenging, especially when remediation and impact of the CVE may vary across different sources. To address this challenge, the Defender Vulnerability Management team has developed an enhanced description for CVEs using AI technology. This innovative approach involves gathering information from diverse public online sources and validating it through Microsoft dedicated research teams providing a comprehensive summary of CVEs, their impact and recommended remediation steps to minimize risk.

The problem

Understanding a CVE is important to comprehend the potential risks, how it can be exploited, and most importantly, the necessary steps for remediation or mitigation. Feedback from you, our customers and partners, has highlighted that our current CVE descriptions often fall short of providing a holistic view, leading to frustration and additional work having to gather information from multiple sources to bridge the informational gap.

Feature overview

This update leverages advanced artificial intelligence to collect data from diverse open-to-the-internet resources, including NVD, IBM, Google, Debian and our own Microsoft research and threat intelligence, providing a comprehensive overview of CVEs.

We now provide comprehensive details and user-friendly description categorized into four key aspects:

Summary	Impact	Remediation	Additional Information
Understand the nature of the CVE with an informative overview.	Gain insights into the potential impact of the vulnerability on your systems and data.	Access actionable steps to address and resolve vulnerability effectively.	Delve deeper into additional details, ensuring you have all the necessary context at your fingertips.

Here is an example of the updated vulnerability descriptions.

Thank you for your feedback and we hope you will be able to spend less time researching information and instead able to focus your time on proactively reducing risk and business disruption.

Become a Microsoft Defender Vulnerability Management Ninja

Ayelet_Artzi — Wed, 07 Feb 2024 16:37:41 GMT

Do you want to become a ninja for Microsoft Defender Vulnerability Management? We can help you get there! We collected content with multiple modules. We will keep updating this training on a regular basis.

In addition, we offer you a knowledge check based on the training material! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. Lastly, there’ll be a fun certificate issued at the end of the training: Disclaimer: This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content.

Module 1- Getting started

Module 2 – Portal Orientation

Module 3 -Prioritization

Module 4- Remediation

Module 5 - Posture and Compliance

Module 6 – Data access

Are you ready for the Knowledge check?

Once you’ve finished the training and passed the knowledge check, please click here to request your certificate (you'll see it in your inbox within 3-5 business days.)

Vulnerable Components Inventory now in public preview

Tomer_Reisner — Mon, 22 Jan 2024 15:45:51 GMT

In recent years, software supply chain vulnerabilities and related supply chain attacks have become a major concern for security teams across industries. As software systems become increasingly complex and software developers rely more on open-source software packages and commercial third-party software components, it has become difficult for security teams to keep track of and mitigate new vulnerabilities found within software being used in their organizations.

To address this challenge, Microsoft Defender Vulnerability Management is introducing a dedicated inventory that lists known vulnerable software components found in the organization. This inventory, along with a new security recommendation, improves visibility of vulnerabilities found within software components, such as open-source libraries. These components are widely used, but often not clearly visible, due to inner dependencies within software products.

By increasing awareness among security teams of vulnerabilities found in software components that are being used by multiple software products within an organization, security administrators can identify affected devices, prioritize, and mitigate risk proactively. Therefore, improving their security posture and reducing the risk of potential cyber-attacks.

The new Vulnerable Components Inventory includes a list of software components that are known to have critical vulnerabilities in the past.

The following is a list of components that are currently supported. A few of these components were previously shown under the ‘Software inventory’ but are now available via the ‘Vulnerable components’ inventory.

Apache Commons Text
Apache Log4j
Apache Struts [newly supported]
LiteDB
OpenSSL
Spring Framework
WebP (libwebp) [newly supported]

Defender Vulnerability Management coverage of software components will continue to expand based on the ever-evolving threat landscape and customer demand. For example, in light of critical vulnerabilities recently found in WebP (CVE-2023-4863)

and Apache Struts 2 (CVE-2023-50164), Defender Vulnerability Management was updated to support both components.

For each vulnerable component you will see basic information including the component name and vendor, the number of weaknesses related to that component and the impact to the overall exposure score, whether an exploit is available, and if there are active threats or alerts associated with it.

The Component page’s tabs provide detailed information and insights:

Data visualizations show the number of, and severity of, vulnerabilities and graphs with the number of installed and exposed devices.
Named CVEs of discovered vulnerabilities.
Devices that have the component installed along with device name, domain, OS, and more).
List of components’ versions, including number of devices the version is installed on, the number of discovered vulnerabilities, and the names of the installed devices.

In addition, a list of vulnerable files found is provided with file paths, version, and associated vulnerabilities, which can be exported for further investigation and handling.

Defender Vulnerability Management provides actionable Security Recommendations to assist security administrators reduce their organization’s exposure to vulnerabilities through the process of keeping their software up to date. Given the inherited complexity of updating a software component within an enterprise environment, the Attention required recommendation is designed to raise awareness of security teams to an emerging threat and explore their next steps, rather than a call for action to update a version, which may not be applicable for a specific software component.

Administrators can also drill down to a specific device and view a list of vulnerable components with the relevant file level evidence details.

Learn more.

If you’re interested in learning more about Microsoft Defender Vulnerability Management visit our website to take advantage of our free 90-day trial, check out our interactive guide, and read more information in our product documentation.

Providing feedback.

As always, we’d love to know what you think. Looking forward to your feedback. share your feedback directly at: mdvmfeedback@microsoft.com

Hardware & Firmware Assessment to identify devices with AMD processors

Tomer_Reisner — Fri, 08 Sep 2023 17:19:46 GMT

About this vulnerability

In certain cases, within the microarchitecture of "Zen 2" CPUs, a register may not be properly written to 0, potentially leading to the storage of data from another process or thread in the YMM register. This vulnerability could allow an attacker to access sensitive information. The severity is classified as "Medium" with the CVE identifier CVE-2023-20593. AMD suggests implementing a microcode patch for AMD EPYC™ 7002 Processors and applying BIOS updates with specific AGESA™ firmware versions for other impacted products to mitigate this issue. AMD intends to provide the AGESA™ versions to OEMs on scheduled dates for BIOS updates. Users are advised to consult their OEMs for the relevant BIOS update for their product.

Read more in AMD Security Bulletin

How Defender Vulnerability Management can assist

Microsoft Defender Vulnerability Management Hardware and firmware assessment capability provides an inventory of known hardware and firmware in your organization. This allows you to identify devices with AMD processors that are potentially exposed to this vulnerability (these devices must be onboarded to the service).

To use this capability, you’ll need access Defender Vulnerability Management premium offering. You can do that via purchasing the Add-on or Standalone licenses or by simply joining the free trial.

Identify affected devices.

The following Advanced Hunting query provides a list of the potentially vulnerable devices with AMD processors:

DeviceTvmHardwareFirmware

| where ComponentType == "Processor"

| where Manufacturer contains "amd"

Learn more

If you’re interested in learning more about Microsoft Defender Vulnerability Management visit our website to take advantage of our free 90-day trial, check out our interactive guide, and read more information in our product documentation.

As always, we’d love to know what you think.

Looking forward to your feedback. share your feedback directly at: mdvmfeedback@microsoft.com

Availability of Defender Vulnerability Management Standalone and Container vulnerability assessments

BrjannBrekkan — Wed, 09 Aug 2023 15:58:41 GMT

Organizations are increasingly challenged to stay aligned with evolving business requirements and protect against expanding attack surfaces with a diverse portfolio of devices outside of traditional organizational boundaries, adding complexity to the vulnerability management process. Vulnerability management solutions provide understanding of their overall security risk posture and where to prioritize.

In recent years, Microsoft has established itself as a leading solution for vulnerability risk management (VRM) by leveraging its industry-leading threat intelligence and security expertise. Microsoft Defender Vulnerability Management provides end-to-end capabilities across the VRM lifecycle to identify, assess, prioritize, and remediate vulnerabilities, making it an ideal tool for managing an expanded attack surface and reducing overall risk posture.

Announcing availability of Defender Vulnerability Management standalone

Earlier this year we released our premium capabilities as an add-on to the core capabilities included with Defender for Endpoint Plan 2 and we are thrilled to announce Defender Vulnerability Management is now offered as a standalone solution. Now organizations not yet on Defender for Endpoint Plan 2, or have another EDR solution, or just looking to replace an existing vulnerability management solution, can take advantage of our context-aware, risk-based prioritization that leverages Microsoft’s unmatched threat intelligence, breach likelihood predictions and business contexts to prioritize vulnerabilities across their portfolio of managed and unmanaged devices.

With this significant addition of a standalone offering, we also introduced enhancements to the Microsoft 365 Defender Unified RBAC permissions model to clearly associate relevant roles & permissions with Defender Vulnerability Management (this change will not affect existing roles).

Figure: Core and premium capabilities in standalone offer

Defender Vulnerability Management premium capabilities provide advanced assessments with in-depth visibility into potential exposure to your assets:

Security baselines assessment – customized profiles that you can create to assess and monitor endpoints against industry security benchmarks, such as CIS, STIG and Microsoft benchmarks. Instead of running never-ending compliance scans, monitor your organization’s security baselines seamlessly according to customized profiles.
Block vulnerable applications – In addition to the core remediation capabilities, proactively reduce risks with this premium capability by taking mitigation steps such as warning users or blocking known vulnerable versions of applications. Leverage software usage insights to understand the impact of the vulnerable application.
Hardware and firmware assessment – full visibility into device manufacturer, processors, and BIOs information to assess vulnerabilities for hardware and firmware risks.
Digital certificates and browser extensions assessment – expand your asset coverage beyond devices and gain entity-level visibility into the various browser extensions and digital certificates installed across assets.
Network shares analysis- protect against misconfigurations used in the wild by attackers for lateral movement, reconnaissance, data exfiltration, and more.
Authenticated scans for vulnerability assessment- run scans on unmanaged devices by remotely targeting by IP ranges or hostnames to remotely access the devices for vulnerability assessment purposes.

Defender Vulnerability Management capabilities are integrated into Defender for Endpoint and Defender for Cloud enabling security teams to assess their exposure and address changes to improve security posture of your organization. You now have flexibility in our offering across endpoints and servers. More info on our updated website.

Figure: Availability of Core and premium capabilities across offerings that include Defender Vulnerability Management for endpoints and servers.

Your needs for vulnerability assessments and analysis spans platforms, clouds and modalities and our strategy for Defender Vulnerability Management is to support these environments that span multiple platforms across both on-premises and cloud. We have recently added Fortinet to the network devices and container support is our second big news.

Announcing vulnerability assessment (VA) for Containers powered by Microsoft Defender Vulnerability Management in Defender for Cloud

With the rise of containerization and microservices, it's more important than ever to secure the software supply chain and ensure that container images are free from vulnerabilities.

Today, as a result of Defender for Cloud’s integration with Microsoft Defender Vulnerability Management, we are excited to announce the general availability of agentless container posture management in Defender CSPM and the public preview of vulnerability assessment scanning for container images in Defender for Containers.

These new container vulnerability assessment capabilities powered by Defender Vulnerability Management include:

Agentless vulnerability assessment for containers
Zero configuration for onboarding
Near real-time scan of new images
Daily refresh of vulnerability reports
Coverage for both ship (ACR) and runtime (AKS)
Support for OS and language packages
Real-world exploitability insights (based on CISA kev, exploit DB and more)
Support for ACR private links

Agentless container posture management in Defender CSPM, powered by Defender Vulnerability Management

To help proactively strengthen the security posture of your containerized environments, Defender CSPM provides a new vulnerability assessment offering for containers powered by Defender Vulnerability Management, with near real-time scans of new images, daily report refreshes, and real-world exploitability insights. Vulnerabilities are added to Defender CSPM security graph for contextual risk assessment and calculation of attack paths. Customers can now access out-of-the-box container vulnerability assessments that, combined with attack path analysis and agentless discovery of the Kubernetes estate, enable security teams to hunt for risks with the cloud security explorer and prioritize the vulnerabilities that pose the greatest risks to the organization. This agentless approach allows security teams to gain visibility into their Kubernetes and containers registries across the SDLC, removing friction and footprints from the workloads.

Figure Attack path analysis outlining a containerized application publicly exposed with high severity vulnerabilities discovered using Defender Vulnerability Management

Enable Defender CSPM with agentless container posture in a single click.

Public preview of vulnerability assessment for containers in Defender for Containers, powered by Defender Vulnerability Management

In providing comprehensive cloud workload protection, Defender for Containers’ new integration with Defender Vulnerability Management now provides our customers with vulnerability assessments through one-click enablement, near real-time scan of new images, and daily result refreshes of current and emerging vulnerabilities enriched with exploitability insights - all to help organizations focus on vulnerabilities with the greatest security impact to their organization.

New vulnerability assessment recommendation powered by Defender Vulnerability Management

Enable Container vulnerability assessments powered by Defender Vulnerability Management in one click here.

If you’re interested in learning more about Defender Vulnerability Management visit our website for updated pricing and packaging and datasheet. Read more about our plans and capabilities here. To take advantage of our free 90-day trial, check out our interactive guide, and read more information in our product documentation.

For additional information and other relevant updates on protecting cloud workloads please visit the Microsoft Defender for Cloud blog.

Update on Defender Vulnerability Management capabilities in Defender for Servers Plan-2

Tomer_Reisner — Fri, 28 Jul 2023 15:34:01 GMT

The aim of this article is to give you a better understanding of the Microsoft Defender Vulnerability Management capabilities available to Microsoft Defender for Cloud customers, as well as information on some recent changes in behavior, which enables these capabilities only to eligible devices.

Defender Vulnerability Management premium capabilities are included in Defender for Servers Plan 2 and available for eligible server devices via the Microsoft 365 Defender portal.

Customers that wish to benefit from these Defender Vulnerability Management premium capabilities on their client devices, can either trial Defender Vulnerability Management Standalone or the Defender Vulnerability Management Add-on license for their Microsoft Defender for Endpoint Plan 2 devices.

Background:

Defender Vulnerability Management is integrated in Defender for Endpoint and Defender for Servers.

For client devices, Defender Vulnerability Management capabilities are available in the following offerings:

Core capabilities in Defender for Endpoint Plan 2.
Premium capabilities via Defender Vulnerability Management Add-On license on top of Defender for Endpoint Plan 2.

Core and premium capabilities via Defender for Vulnerability Management Standalone license, currently available as a free trial while in public preview.

For server devices, Defender for Endpoint and Defender Vulnerability Management integrates seamlessly with Defender for Servers. You can onboard servers automatically and have servers monitored by Defender for Cloud appear in Defender for Endpoint and Defender Vulnerability Management dashboard.

Defender for Servers Plans 1 includes Defender Vulnerability Management Core capabilities.
Defender for Server Plan 2 includes both Core and Premium capabilities.

Initially, when Defender Vulnerability Management premium capabilities were rolled out in Defender for Servers Plan 2, they were enabled across all devices (both clients and servers) for customers with Defender for Servers Plan 2.

Update:

Following a recent update, the Defender Vulnerability Management premium capabilities are only available to eligible client devices for customers that:

Purchased the Defender Vulnerability Management Add-on
Started an Defender Vulnerability Management Add-on trial.

Detailed messaging describing this change was made available in the Defender Vulnerability Management portal in addition to online documentation.

How does this affect me?

Customers who are interested in continuing to use these premium capabilities on their client devices, which are not covered by Defender for Servers Plan 2, are encouraged to start a Defender Vulnerability Managment Standalone or Defender Vulnerability Management Add-on trial and regain access to the premium capabilities for their client devices, with their previous data saved (e.g., Security baselines profiles).

With this update, Defender for Servers Plan 2 customers will be able to use the Block vulnerable applications capability on their eligible server devices.

Learn more

Microsoft Defender Vulnerability Management – Firmware Security Advisories

Tomer_Reisner — Wed, 26 Jul 2023 17:20:21 GMT

We are happy to announce a new capability for Microsoft Defender Vulnerability Management – ‘Firmware Security Advisories’.

This capability allows more streamlined and efficient way to view, track, and monitor firmware advisories. With the ability to filter on exposed devices and view advisories that affect the customer environment, security teams can quickly identify potential vulnerabilities and take action to mitigate them. This is especially important in today's rapidly evolving threat landscape, where firmware vulnerabilities can be exploited by attackers to gain access to sensitive data or systems.

To view firmware security weaknesses, The ‘Weaknesses’ inventory is now extended with a new ‘Security Advisories’ tab.

The security advisories are continuously monitored by Microsoft Defender Vulnerability Management and details from manufacturer websites and inventories, as well as on third-party security websites, and validated against the organization inventory. Security advisories details include specific version of the devices or software that are affected It may also include instructions for how to update the firmware to address the vulnerability, as well as any other steps that should be taken to mitigate the risk. By following the instructions provided in a firmware advisory, users can reduce the likelihood of their device or system being compromised by a firmware vulnerability.

For each advisory there is a list of ‘Exposed Devices’, ’Associated CVE’s’ and ‘Related Firmware’.

‘Exposed Devices’ is the source to identify if your organization is affected for specific security advisory. In case of ‘Exposed Devices’ = 0, that means your organization isn’t at risk for that specific security advisory.

’Associated CVE’s’ is the list of CVE’s related to the specific advisory:

‘Related Firmware’ is the list of all firmware impacted by the vulnerability:

It's important to stay vigilant and regularly check for security advisories related to your devices and systems to ensure that you are aware of any vulnerabilities that may affect them.

The following Security Advisories vendors are currently supported: Lenovo, Dell, HP.
Details of for each published advisory includes:

Advisory ID
Severity (Provided by the vendor)
Related CVE’s
Advisory link
Vendor
Age
Published on
Updated on
Exposed devices

You can also view this list through the ‘Security Recommendation’ filtered by ‘Remediation Type = Firmware update’

Learn more

As always, we’d love to know what you think.

Looking forward to your feedback. share your feedback directly at: mdvmfeedback@microsoft.com

Thanks,

The Microsoft Defender Vulnerability Management Team