11 Million Critical Vulnerabilities Exposed — Act Now

Forbes, 9 hours ago

New research reveals 11 million critical vulnerabilities are exposed to the public internet.
While security vulnerabilities are an integral part of the world of technology, some are more critical than others. The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, has warned time and time again about the dangers that unpatched vulnerabilities pose to organizations. Yet that message does not appear to be getting through if the staggering numbers revealed in a new technology sector risk report are anything to go by: more than 11 million critical vulnerabilities in tech sector environments are currently exposed to the public internet.
11.4 Million Critical Vulnerabilities Are Currently Exposed To The Public Internet
Two recent warnings from the Federal Bureau of Investigation should be burned into the psyche of anyone and everyone who has any influence when it comes to the security of technology environments. The first, from earlier in June this year, involved a skyrocketing number of victims of the Play ransomware group. The primary infection vector was reported as being unpatched critical vulnerabilities: CVE-2025-29824, CVE-2022-41040, CVE-2022-41082, CVE-2020-12812 and CVE-2018-13379, if you want to go and check that your organization isn't open to these specific attacks. The second was a joint advisory with CISA warning that unsophisticated hackers are a real danger, including those exploiting vulnerabilities that should already have been patched but have not. The 2025 Risk Radar Report from Trustwave SpiderLabs has now confirmed the real extent of this danger to the technology sector.
The researchers revealed that a total of more than 11.4 million critical vulnerabilities are exposed to the public internet within the technology sector. That's a staggering and truly frightening number. 'Services are often publicly exposed for a good reason,' Trustwave SpiderLabs said, 'that is to allow the public to visit your website, and to receive email from people outside your organization.' However, oftentimes services are exposed by mistake, usually as a result of a configuration error. Combine this with the number of critical vulnerabilities that have yet to be patched by the organizations concerned, and Houston, we have a problem.
The report analyzed those vulnerabilities within the CISA Known Exploited Vulnerabilities catalog for 2024 and 2025, and discovered that nine of the top ten were web server vulnerabilities that coincided with the top exposed service in the tech industry. The single KEV vulnerability that was not web-based is BlueKeep, a critical vulnerability in the Remote Desktop Protocol, commonly used by hackers for lateral movement within networks. 'With that service exposed to the public internet,' the report stated, 'it could be used to establish an initial foothold.'
If it's not yet clear, here's what you should do: take an inventory of all currently open services running outside the network perimeter and conduct an immediate access audit. 'It's also essential to prioritize patching for any publicly exposed systems,' Trustwave SpiderLabs said, in order to mitigate the risk from unpatched critical vulnerabilities.
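The report's closing advice (inventory every internet-facing service, audit who can reach it, and patch exposed systems first) is the kind of thing that is easiest to act on when the inventory is cross-referenced against the CISA KEV catalog automatically. The script below is an added example, not Forbes' or Trustwave SpiderLabs' code. It assumes a KEV-shaped JSON feed (the `vulnerabilities` array with `cveID` and `knownRansomwareCampaignUse` fields, as in CISA's public catalog) and an asset inventory; both are constructed samples embedded inline, the KEV sample using only the CVE IDs the article names, and the inventory hostnames and the `CVE-PLACEHOLDER-1` entry are placeholders.

```python
"""Rank internet-exposed services for patching against a KEV-style catalog.

Added example (not the report's or Forbes' code). The KEV entries and the
asset inventory below are constructed samples; the KEV IDs are the five
CVEs the article names, with the field names of CISA's public KEV JSON feed.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed KEV-shaped feed: only the fields this script uses are filled.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-29824", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-41040", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-41082", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2020-12812", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2018-13379", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed inventory: placeholder hosts, the service on each, whether it is
# reachable from the public internet, and CVEs still unpatched on that host.
INVENTORY = [
    {"host": "web-01.example.test", "service": "https", "port": 443,
     "exposed": True, "unpatched": ["CVE-2022-41040", "CVE-2022-41082"]},
    {"host": "vpn-01.example.test", "service": "ssl-vpn", "port": 443,
     "exposed": True, "unpatched": ["CVE-2018-13379"]},
    {"host": "jump-01.example.test", "service": "rdp", "port": 3389,
     "exposed": True, "unpatched": []},
    {"host": "file-01.example.test", "service": "smb", "port": 445,
     "exposed": False, "unpatched": ["CVE-2025-29824"]},
    {"host": "mail-01.example.test", "service": "smtp", "port": 25,
     "exposed": True, "unpatched": ["CVE-PLACEHOLDER-1"]},  # placeholder, not in KEV
]

# Services the report singles out as a foothold risk when public (RDP/BlueKeep);
# SMB is added here as an assumption on the same reasoning.
NEVER_EXPOSE = {"rdp", "smb"}


@dataclass
class Finding:
    host: str
    service: str
    port: int
    priority: int        # 1 = fix first, 5 = no action needed now
    reasons: List[str]


def load_kev(raw: str) -> Dict[str, bool]:
    """Map cveID -> True if the catalog marks known ransomware campaign use."""
    data = json.loads(raw)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in data["vulnerabilities"]}


def assess(asset: dict, kev: Dict[str, bool]) -> Finding:
    """Assign a patch/exposure priority to one asset and explain why."""
    reasons: List[str] = []
    tiers: List[int] = []
    exposed = asset["exposed"]
    kev_hits = sorted(c for c in asset["unpatched"] if c in kev)
    other = sorted(c for c in asset["unpatched"] if c not in kev)

    if exposed and kev_hits:
        tiers.append(1)
        reasons.append("internet-exposed with KEV-listed CVEs: " + ", ".join(kev_hits))
    elif kev_hits:
        tiers.append(2)
        reasons.append("internal host with KEV-listed CVEs: " + ", ".join(kev_hits))
    if any(kev[c] for c in kev_hits):
        reasons.append("at least one CVE used in known ransomware campaigns")
    if exposed and asset["service"] in NEVER_EXPOSE:
        tiers.append(1)
        reasons.append(f"{asset['service']} should not be reachable from the internet")
    if exposed and other:
        tiers.append(3)
        reasons.append("internet-exposed with unpatched CVEs not in KEV: " + ", ".join(other))
    if exposed and not tiers:
        tiers.append(4)
        reasons.append("exposed service; confirm it is intentionally public")
    if not tiers:
        tiers.append(5)
        reasons.append("internal, nothing in KEV outstanding")
    return Finding(asset["host"], asset["service"], asset["port"], min(tiers), reasons)


def prioritize(inventory: List[dict], kev: Dict[str, bool]) -> List[Finding]:
    """Return findings ordered by priority, then hostname."""
    return sorted((assess(a, kev) for a in inventory), key=lambda f: (f.priority, f.host))


def exposure_audit(inventory: List[dict]) -> List[tuple]:
    """The inventory of open services outside the perimeter that the report asks for."""
    return sorted((a["host"], a["service"], a["port"]) for a in inventory if a["exposed"])


if __name__ == "__main__":
    catalog = load_kev(KEV_JSON)
    print("Exposed services to audit:", exposure_audit(INVENTORY))
    for f in prioritize(INVENTORY, catalog):
        print(f"P{f.priority} {f.host}:{f.port} ({f.service}) - " + "; ".join(f.reasons))
```

In a real run, `KEV_JSON` would be the downloaded catalog and `INVENTORY` would come from an external attack-surface scan plus the patch-management system; the ranking logic stays the same. Note that the exposed RDP host lands in the top tier even with nothing unpatched, because the report's point about BlueKeep is that the exposure itself is the foothold risk.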
