Tenable: Supply Chain, Cloud Gaps Widespread

A recent Tenable report reveals significant supply chain and cloud identity risks across organizations. The data shows 86% of organizations have installed third-party code packages containing critical-severity vulnerabilities. Furthermore, 65% have high-value assets exposed due to forgotten cloud credentials, creating primary vectors for initial compromise.

- The infamous Log4j vulnerability, discovered in late 2021, was a critical zero-day flaw in a widely used Java logging library that allowed for remote code execution. Its impact was so severe because of Log4j's presence in countless applications and enterprise cloud services, making it a "catastrophic" vulnerability with a CVSS score of 10 out of 10.
- The 2020 SolarWinds attack was a sophisticated supply chain breach in which hackers, suspected to be from Russia's foreign intelligence service, inserted malicious code into updates for the Orion IT monitoring platform. This allowed the attackers to gain access to the networks of over 18,000 customers, including parts of the Pentagon, the Department of Homeland Security, and major tech companies like Microsoft and Intel.
- In May 2023, a zero-day SQL injection vulnerability in the MOVEit Transfer software was exploited by the CL0P ransomware group, leading to data theft from over 2,700 organizations and affecting an estimated 93.3 million individuals. The attack involved deploying a web shell to exfiltrate large volumes of data, often within minutes of the initial breach.
- Identity-based compromises were a factor in nearly 90% of incident response investigations in 2025, with phishing, stolen credentials, and brute-force attacks being the primary methods of initial access. Attackers increasingly "log in" rather than "break in," exploiting over-privileged accounts and a lack of phishing-resistant multi-factor authentication.
- Research indicates a significant rise in reported vulnerabilities in open-source software, with an annual increase of 98%, which far outpaces the 25% average annual growth in the number of open-source packages. Furthermore, the average time a vulnerability remains in an ecosystem before being fixed increased by 95% between 2017 and 2024.
- Insecure-by-default configurations are a major issue in many open-source components, such as SnakeYAML, the most popular YAML parser for Java. A critical vulnerability (CVE-2022-1471) in SnakeYAML allows remote code execution because it can deserialize YAML content provided by an attacker.
- A significant percentage of vulnerabilities in package repositories for NPM and PyPI are the result of intentionally malicious packages rather than accidental flaws. These account for 49% of reports in the NPM ecosystem and 14% in PyPI.
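The SnakeYAML point above is about a parser default, so the fix is a configuration choice at the call site. The following Java example is added here and is not part of the Tenable report or the SnakeYAML project; it contrasts the insecure default constructor with `SafeConstructor`, which only builds standard YAML types, using constructed sample documents.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import java.util.Map;

public class YamlLoading {
    // Constructed sample: ordinary configuration data, standard YAML types only.
    static final String PLAIN = "service: billing\nreplicas: 3\n";

    // Constructed sample: a document carrying a global (!!) tag that asks the
    // parser to instantiate a Java class. In the affected versions (the default
    // before SnakeYAML 2.0) new Yaml() resolves such tags to classes, which is
    // the behaviour behind CVE-2022-1471. java.io.File is used as a harmless
    // placeholder class for the demonstration.
    static final String TAGGED = "handler: !!java.io.File [\"/tmp/example\"]\n";

    // Insecure default: Yaml() uses the full Constructor, which honours !! tags
    // and so lets untrusted input choose which classes get instantiated.
    static Object loadWithDefaults(String untrustedYaml) {
        return new Yaml().load(untrustedYaml);
    }

    // Hardened: SafeConstructor constructs only maps, lists and scalars and
    // raises ConstructorException for any tag naming an application class.
    static Object loadSafely(String untrustedYaml) {
        LoaderOptions opts = new LoaderOptions();
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(untrustedYaml);
    }

    public static void main(String[] args) {
        // Plain data parses normally with the hardened loader.
        Map<?, ?> cfg = (Map<?, ?>) loadSafely(PLAIN);
        System.out.println("safe load: " + cfg);

        // The tagged document is rejected instead of being turned into an object.
        try {
            loadSafely(TAGGED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected by SafeConstructor: " + e.getMessage());
        }
    }
}
```

A code review or static check that flags every `new Yaml()` without an explicit constructor argument catches this class of default in a codebase before an attacker-controlled document reaches it.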
