microsoft defender for iot
144 Topics

Latest Threat Intelligence (November 2025)
Microsoft Defender for IoT has released the November 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 0ed5b864101c471d987b332fc8619551

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.

Latest Threat Intelligence (October 2025)
Microsoft Defender for IoT has released the October 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 01757cbb8de8dfb10b140e0e6a1dfe41

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.

Firmware Analysis now Generally Available
Back in June, we announced the public preview of firmware analysis, a new capability available through Azure Arc to help organizations gain visibility into the security of their Internet of Things (IoT), Operational Technology (OT), and network devices. Today, we are excited to announce that firmware analysis is generally available (GA) for all Azure customers.

In modern industrial environments, firmware security is a foundational requirement. IoT sensors and smart devices collect the data fueling AI-driven insights; if those devices aren’t secure, your data and operational continuity are at risk. During the preview, we heard from many customers who used firmware analysis to shine a light into their device software and address hidden vulnerabilities before attackers or downtime could strike. With general availability, firmware analysis is ready to help organizations fortify the “blind spots” in their infrastructure – from factory-floor sensors to branch office routers – by analyzing the software that runs on those devices.

What Firmware Analysis Does for You

Firmware analysis examines the low-level software (firmware) that powers IoT, OT and network devices, with no agent required on the device. You can upload a firmware image (for example, an extracted embedded Linux image), and the cloud service performs an automated security inspection. Key features include:

Software inventory & vulnerability scanning: The service builds a Software Bill of Materials (SBOM) of components within the firmware and checks each component against known CVEs (Common Vulnerabilities and Exposures). This quickly surfaces any known vulnerabilities in your device’s software stack so you can prioritize patching those issues.

Security configuration and hardening check: Firmware analysis evaluates how the firmware binaries are built, looking for security hardening measures (e.g. stack protections, ASLR) or dangerous configurations. If certain best practices are missing, the firmware might be easier to exploit – the tool flags this to inform the device manufacturer or your security team.

Credential and secrets discovery: The analysis finds any hard-coded credentials (user accounts/password hashes) present in the firmware, as well as embedded cryptographic material like SSL/TLS certificates or keys. These could pose serious risks – for instance, default passwords that attackers could exploit (recall the Mirai botnet using factory-default creds) are identified so you can mitigate them. Any discovered certificates or keys can indicate potentially insecure design if left in production firmware.

Comprehensive report: All security findings – from the Software Bill of Materials (SBOM), list of vulnerabilities to hardening recommendations and exposed secrets – are provided in a detailed report for each firmware image analyzed. This gives device makers and operators actionable intelligence to improve their device security posture.

In short, firmware analysis provides deep insights into the contents and security quality of device firmware. It turns opaque firmware into transparent data, helping you answer, “What’s really inside my device software?” so you can address weaknesses proactively.

What’s New and Licensing

We’ve been hard at work making firmware analysis even better as we move to GA. Based on preview feedback, we’ve addressed bugs, implemented usability suggestions and improved the firmware analysis SDKs, CLI and PowerShell extensions. A new Azure resource called “firmware workspace” now stores analyzed firmware images. Firmware analysis workspaces are currently available as a Free Firmware Analysis Workspace SKU with capacity limits.

Getting Started

If you have IoT, OT and network devices in your environment, use firmware analysis to test just how secure your devices are. Getting started is easy: access firmware analysis by searching “firmware analysis” in the Azure portal, or access using this link. Onboard your subscription and then upload firmware images for analysis. For a step-by-step tutorial, visit our official documentation. The service currently supports embedded Linux-based images up to 1GB in size.

We want to thank all the preview participants who tested firmware analysis and provided feedback. You helped us refine the service for GA and we’re thrilled to make this powerful tool broadly available to help secure IoT, OT and network devices around the world. We can’t wait to see how you put it to work. As always, we value your feedback, so please let us know what you think.

Latest Threat Intelligence (August 2025)
Microsoft Defender for IoT has released the August 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 6d6cf3931c4e7ad160a74d4fad19a89c

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.

Latest Threat Intelligence (July 2025)
Microsoft Defender for IoT has released the July 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 8581e1e0d30133191885115d73b38cf9

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.

Latest Threat Intelligence (June 2025)
Microsoft Defender for IoT has released the June 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 06f35a3010697d7978bf89a13f6ae27e

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.

Latest Threat Intelligence (May 2025)
Microsoft Defender for IoT has released the May 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: d24a971301003c37622f21b7e30a80cb

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.

Azure IoT Hub Defender Micro Agent on Yocto/STM32MP1 – No Defender Metrics in IoT Hub Portal
Hi all,

I'm currently running the Azure IoT Defender Micro Agent on a Yocto-based image (STM32MP1), and although the logs suggest the agent is working and sending data, no Defender metrics are visible in the Azure IoT Hub portal under Defender Metrics.

Setup Details:

Platform: STM32MP1 with Yocto Linux
Transport: AMQP
IoT Hub connection: Successful
Cloud messages: send_confirm_callback success and device twin updates with result 200
Collectors enabled: SBoM, NetworkActivity, Heartbeat, LogCollector, Process, FileSystem, Peripheral, Baseline, etc.

Observations:

Logs show telemetry batching with message sizes up to 101KB.
Agent attempts to read common paths like /etc/crontab fail with errno=[2] (file not found), which is expected given it's an embedded system.
Repeated logs like Failed to stat() on=/proc/[pid]/cmdline, not sure if it's a blocker.

Main Issue:

Even though the agent appears to be collecting data and successfully sending messages, the Defender Metrics tab in the IoT Hub Portal remains empty, making it hard to verify if Defender is actively evaluating device risk or just accepting telemetry blindly.

Questions:

Does IoT Hub Defender require a full Linux environment with tools like dmidecode, /boot/grub/grub.cfg, or cron directories to process and display metrics?
Are there any known limitations with Yocto-based minimal images that prevent Defender metrics from showing in the IoT Hub portal?
Is there a way to validate if metrics are actually reaching and being processed by the Defender backend beyond the send_confirm_callback log?

Any insights or guidance would be greatly appreciated. Thanks in advance!

Latest Threat Intelligence (April 2025)
Microsoft Defender for IoT has released the April 2025 Threat Intelligence package. The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file).

Threat Intelligence updates reflect the combined impact of proprietary research and threat intelligence carried out by Microsoft security teams. Each package contains the latest CVEs (Common Vulnerabilities and Exposures), IOCs (Indicators of Compromise), and other indicators applicable to IoT/ICS/OT networks (published during the past month) researched and implemented by Microsoft Threat Intelligence Research - CPS.

The CVE scores are aligned with the National Vulnerability Database (NVD). Starting with the August 2023 threat intelligence updates, CVSSv3 scores are shown if they are relevant; otherwise the CVSSv2 scores are shown.

Guidance

Customers are recommended to update their systems with the latest TI package in order to detect potential exposure risks and vulnerabilities in their networks and on their devices. Threat Intelligence packages are updated every month with the most up-to-date security information available, ensuring that Microsoft Defender for IoT can identify malicious actors and behaviors on devices.

Update your system with the latest TI package

The package is available for download from the Microsoft Defender for IoT portal (click Updates, then Download file). For more information, please review Update threat intelligence data | Microsoft Docs.

MD5 Hash: 0a36607c37220a634f614de8bf7a0528

For cloud connected sensors, Microsoft Defender for IoT can automatically update new threat intelligence packages following their release. Click here for more information.