#cisa

#cisa

U.S. federal authorities and industry officials are urging hospitals and clinics to address a critical flaw in BeyondTrust Remote Support and Privileged Remote Access software, which if exploited, could give an attacker a foothold inside a corporate network. The U.S. Department of Health and Human Services in an alert Thursday warned healthcare and public health sector organizations to review and address the vulnerability in light of rising cyberattacks targeting those entities.

Thorpe described the KEV updates as representing a material change to an organization's risk posture. "Your prioritization calculus should shift. But there's no alert, no announcement. Just a field change in a JSON file," the expert said. "We're good at reacting to new disclosures. Decent at tracking active exploitation. But we're not great at noticing when the characterization of existing threats evolves," Thorpe noted.

The vulnerability under attack, CVE-2025-40551, is an untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. SolarWinds fixed the security hole, along with five others, in Web Help Desk version 2026.1, released on January 28. Horizon3.ai and watchTowr researchers reported these six bugs to the software vendor, with Horizon3 warning that "these vulnerabilities are easily exploitable."

We just want to make sure we've got the right elements of, how do we pull together people, and how do we take advantage of the leadership position that we have

CISA has reviewed and determined that we will not participate in the RSA Conference since we regularly review all stakeholder engagements, to ensure maximum impact and good stewardship of taxpayer dollars.

Top Trump administration cyber officials are in discussions to cancel their attendance at the RSAC Conference taking place in San Francisco in March after a top Biden-era cyber leader was named CEO of the event, according to multiple former officials and other people with knowledge of the matter.

U.S. and Australian cyber agencies confirmed that hackers are exploiting a vulnerability that emerged over the Christmas holiday and is impacting data storage systems from the company MongoDB. The issue drew concern on December 25 when a prominent researcher published exploit code for CVE-2025-14847 - a vulnerability MongoDB announced on December 15 and patched on December 19.

The Cybersecurity and Infrastructure Security Agency said it will make 100 internship opportunities available to students participating in a government scholarship program that's been hampered by federal hiring freezes enacted by the Trump administration. The move announced Wednesday would allow undergraduate and graduate students to enter the cyber defense agency under the CyberCorps: Scholarship for Service Program, a longstanding workforce pipeline used to place top student talent into U.S. cybersecurity positions.

"In today's culture of information saturation, it is imperative that we ensure all official information communicated on behalf of CISA is current, accurate, unbiased, and authoritative. This includes any official information communicated to the media," reads part of the note issued by agency acting Director Madhu Gottumukkala. CISA is "committed to a culture of transparency" but also has a "responsibility to ensure we meet the imperative laid out above and to that end, the Office of the Chief External Affairs Office (OCEAO/ /EA) is the only office authorized to facilitate official communication with the media," it adds.

Searchlight Cyber researchers Adam Kues and Shubham Shah, who discovered the flaw, have published their own technical teardown of the vulnerability that doesn't mince words about the ease with which criminals can weaponize it. The researchers call exploitation "trivial," describing a single HTTP request that bypasses OIM's normal authentication flow and ultimately gives an attacker remote system-level control. Oracle disclosed the bug in October, but didn't indicate that it was under active exploitation.

Local election offices are left with fewer resources, less threat intelligence, and diminished federal guidance. "It's kind of heartbreaking to know that they worked [on] creating these relationships and partnerships over the last decade, and they'renowjust disintegrating," Brianna Lennon, the county clerk in Missouri's Boone County, tells Axios. Bloomberg reported yesterday thattheCybersecurity and Infrastructure Security Agency's election monitoring room, which has been stood up during every election cycle to field and share information about active threats to elections, isn't operating this year.

"With the threat to Exchange servers remaining persistent, enforcing a prevention posture and adhering to these best practices is crucial for safeguarding our critical communication systems," Andersen said. "This guidance empowers organizations to proactively mitigate threats, protect enterprise assets, and ensure the resilience of their operations." Anderson added that CISA recommends organizations also "evaluate the use of cloud-based email services" rather than "managing the complexities" of hosting their own.

Staff within the Stakeholder Engagement Division, as well as the cyber-defense agency's Infrastructure Security Division, were targeted with reduction-in-force notices, or RIFs, said the people. OMB Director Russ Vought announced the actions on Friday in line with Trump administration promises to enact layoffs during the ongoing government shutdown. The Integrated Operations Division is also believed to have been impacted, one of the people said.

The CISA law was due for renewal along with the federal government's continuing funding resolution, but given the Senate's inability to pass it and the government shutdown that followed, Peters and Rounds want it extended without having to wait for the government to reopen in order to do so. The CISA law, for those unfamiliar, establishes a framework and legal protections for companies to share threat indicators with the government and each other.

Bloomberg reported Wednesday that the department moved staffers from the U.S. cybersecurity agency CISA, many of whom focus on issuing cyber guidance to help U.S. government agencies and critical infrastructure defend from cyber threats, to other agencies within the federal department, including Immigration and Customs Enforcement (ICE) and Customs and Border Protection (CBP). Both Bloomberg and Nextgov reported that many of the affected CISA staffers are in the agency's Capacity Building unit, which helps to improve the cybersecurity posture of federal agencies,

The update comes about two months after Google warned that some unknown criminals have been exploiting fully patched, end-of-life SonicWall SMA 100 appliances to deploy a previously unknown backdoor and rootkit dubbed OVERSTEP. The malware modifies the appliance's boot process to maintain persistent access, enabling the criminals to steal sensitive credentials and conceal their own components. The Chocolate Factory's intel analysts in July attributed the ongoing campaign to UNC6148 - UNC in Google's threat-group naming taxonomy stands for "Uncategorized."

We'll take whatever the Congress decides to authorize us, wherever they see fit within their purview, to authorize and to give us our authorities to be able to use,