{"id":7240,"date":"2026-02-24T21:46:06","date_gmt":"2026-02-24T21:46:06","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7240"},"modified":"2026-02-24T21:46:06","modified_gmt":"2026-02-24T21:46:06","slug":"take-control-locking-down-common-endpoint-vulnerabilities","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7240","title":{"rendered":"Take control: Locking down common endpoint vulnerabilities"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Attackers are constantly on the prowl, scoping out vulnerabilities of network-connected devices in your systems. These devices\u2014laptops, desktops, servers, IoT, and more\u2014are like unlocked doors waiting for threat actors to stroll through. And here\u2019s the kicker: many of these vulnerabilities are shockingly common and easily preventable.<\/p>\n

Let\u2019s break down the weaknesses we most frequently track across three million endpoints (not a bad sample size!) and what you can do to patch those holes before a threat actor sneaks in and wreaks havoc.<\/p>\n

<\/a>Remote Desktop Protocol (RDP): The open back door<\/h2>\n

Remote Desktop Protocol is a prolific protocol used for remote connectivity, but it\u2019s also one of the most common ways threat actors gain access to endpoint devices. In fact, up to 70%<\/a> of organizations have RDP exposed to the public internet. Think of an exposed RDP connection as leaving a spare key under the doormat\u2014while not quite in plain sight, it\u2019s a pretty obvious place to look if you want to get inside.<\/p>\n

<\/a>Here\u2019s an example of what happens:<\/h3>\n

Attackers often use brute force attacks on RDP, cycling through password options until they unlock a login session. Once the initial intrusion is established, they usually don\u2019t waste time dropping malware and trying to move laterally across your network.<\/p>\n

<\/div>\n

An example of event logs showing a successful use of brute force.<\/em><\/p>\n

What you can do:<\/h3>\n

Don\u2019t expose RDP to the public internet unless you really need to.<\/p>\n

Be a stickler with admin rights. Think about who actually needs access to do their job.<\/p>\n

Don\u2019t rely on passwords\u2014it\u2019s old school (and way too risky). Enforce multi-factor authentication (MFA)<\/a> for RDP sessions.<\/p>\n

Don\u2019t slack on Windows security configurations. Defaults won\u2019t cut it against attackers who want a piece of your network.<\/p>\n

Be vigilant for suspicious activity, like logins from unknown IP addresses.<\/p>\n

<\/a>Phishing attacks: Don\u2019t take the bait<\/h2>\n

Email phishing<\/a> is a classic cybercrime strategy, and some things just never go out of style. Every day, phishing emails land in inboxes and a staggering number of victims still fall for social engineering scams. This isn\u2019t a new tactic by any stretch of the imagination, but threat actors continue to rely on it because it works\u2014phishing accounts for 15%<\/a> of all data breaches. But what\u2019s more alarming about phishing attacks these days is that they\u2019re getting craftier, especially as threat actors turn to generative AI tools to fast-track their social engineering tactics. From expertly mimicked branding to fake invoices with urgent requests, hackers have leveled up their game to trick victims into clicking malicious links or giving up personal details to \u201ccustomer service\u201d over the phone. Phishing isn\u2019t just email anymore\u2014hackers will use any type of communication mechanism: email, text, phone calls, voicemail, QR codes, or any combination of these approaches.<\/p>\n

<\/div>\n

Here\u2019s an example of what happens:<\/h3>\n

Let\u2019s take a look at email phishing. When an employee clicks on a malicious link in a phishing email, they might unknowingly hand over sensitive credentials to an attacker or install malware on their system. Or, even worse, they may detonate a ransomware attack. Phishing often uses pressure tactics to prey on victims\u2019 emotions to get a quick response. The attackers walk away with access to your network and sensitive info while leaving you with the mess. It could become an even bigger mess than you\u2019ve bargained for if the attacker gains persistence to endpoints and you don\u2019t immediately find the damage.<\/p>\n

Got an email asking for sensitive info? Don\u2019t respond directly to the sender to avoid falling into the attacker\u2019s trap.\u00a0<\/p>\n

<\/div>\n

An example of a malicious fake thread email phishing attempt.<\/em><\/p>\n

<\/a>What you can do:<\/h3>\n

Get your organization smart on phishing tactics! Regularly scheduled security awareness training (SAT)<\/a> can make users less likely to jump on sketchy requests. You want their \u201cspidey senses\u201d tingling when weird emails show up!<\/p>\n

Use MFA because it can reduce the damage if (when) credentials are compromised.<\/p>\n

For more on how attackers use phishing to access your endpoints, check out Tradecraft Tuesday: \u201cPhishing in the Fast Lane<\/a>.\u201d<\/p>\n

<\/a>Remote monitoring and management (RMM) tools: The double-edged sword<\/h2>\n

RMM tools are double-edged swords. On the one hand, they help IT admins, managed service providers (MSPs), and system admins monitor, manage, and troubleshoot fleets of computers with ease. On the other hand, when left unsecured (as they often are), RMM tools are an easy entry point for attackers to hit your endpoints hard. According to Huntress\u2019 2025 Cyber Threat Report<\/a>, 17.3% of all remote access methods originated from RMM abuse. Threat actors like to blend in and hide in plain sight, and legitimate RMM tools are an easy way to do this.<\/p>\n

<\/div>\n

Top abused remote access tools. Source<\/a>.<\/em><\/p>\n

<\/a>Here\u2019s an example of what happens:<\/h3>\n

Attackers abuse RMM software and tools to gain unauthorized remote access to compromise devices. Whether they use pre-existing RMMs or install their own, they can potentially control every connected device across your organization, lurking under the auspices of legitimate software. RMM attacks are dangerous because there\u2019s always a risk that attackers will fly under the radar of your detection systems, moving laterally and gaining persistence without even dropping malware.<\/p>\n

There are generally two ways attackers abuse RMMs. First, they can hijack or abuse existing software by exploiting outdated, unpatched, or misconfigured tools, or by stealing credentials to log in remotely to RMM tools. Second, they can deploy and install the attacker\u2019s preferred RMM tool via social engineering or portable executables.<\/p>\n

Portable executables are notable for their ability to skirt around admin privileges<\/a> and full software installation, giving attackers local user access. Even if a risk management control is supposed to block or audit the RMM software on the network, it doesn\u2019t matter because portable executables don\u2019t require admin privileges, giving the threat actor a free pass into your network. That\u2019s the stuff of nightmares because threat actors drop into your environment undetected without using malware.<\/p>\n

Your RMM tools should make endpoints more secure, not less. Tighten up those settings and keep potential bad actors out.<\/p>\n

<\/div>\n

Example of legitimate RMM tool compromise.<\/em><\/p>\n

<\/a>What you can do:<\/h3>\n

Use role-based permissions. They are king. If you\u2019re not on the guest list, you don\u2019t get access to the RMM software party.<\/p>\n

Update and apply patches to RMM software to address vulnerabilities and bug fixes.\u00a0<\/p>\n

Monitor activity logs for unusual activity. Unauthorized installs or funky logins should be a red flag.<\/p>\n

Know what types of RMM tools are supposed to be in your network. Audit, track, and monitor so that an unauthorized instance stands out.<\/p>\n

For more on keeping RMM tools secure, check out:<\/p>\n

Think Your ScreenConnect Server Is Hacked? Here\u2019s What To Look For.<\/a><\/p>\n

Vulnerability Reproduced: Immediately Patch ScreenConnect 23.9.8<\/a><\/p>\n

Insights: RMM Tools<\/a><\/p>\n

<\/a>Unpatched software: An open door to your network<\/h2>\n

Unpatched software is the cybersecurity equivalent of leaving your front door open. Yes, the breeze might be nice, but you probably wouldn\u2019t leave it wide open most of the time. It\u2019s too risky. Your pets or kids can get loose, outdoor critters can make themselves at home (who wants raccoons in their kitchen?), and worse, thieves can just walk in.<\/p>\n

If you wouldn\u2019t expose your physical environment to this type of risk, why would you allow it virtually?<\/p>\n

<\/a>Here\u2019s what happens:<\/h3>\n

Software vendors release patches for different reasons, but often to fix publicly known security vulnerabilities, usually referred to as CVEs<\/a>. Attackers use this public information to target outdated software and systems. A single instance of an unpatched flaw is an opportunity for an attacker to drop ransomware or malware, or to pull off data breaches. When a new vulnerability drops, you\u2019re up against the clock to get your systems patched before a threat actor takes advantage of you.<\/p>\n

If you\u2019re not updating your software regularly, your endpoints are at unnecessary risk. The door is wide open for unwanted guests. It\u2019s that simple.<\/p>\n

<\/div>\n

Example of PowerShell script exploiting CVE-2023-27532 in outdated Veeam software.<\/em><\/p>\n

<\/a>Patch it up:<\/h3>\n

Set up automatic updates wherever possible. No excuses.<\/p>\n

Keep a regular patch management schedule and stick to it.<\/p>\n

Have a battle plan for patching prioritization, since not all vulnerabilities are created equally.<\/p>\n

<\/a>Stay proactive, stay protected<\/h2>\n

Endpoint vulnerabilities don\u2019t have to be your Achilles\u2019 heel\u2014they\u2019re manageable with the right strategies and tools. Phishing training, endpoint detection and response (EDR)<\/a> solutions, RMM audits, patch schedules, and strong authentication measures are just the start.<\/p>\n

It\u2019s time to take action and secure your systems before attackers target them. Don\u2019t leave it to chance. Examine your cybersecurity tools, train your team, and implement endpoint protection solutions that fit your setup.<\/p>\n

To learn more about staying protected with Huntress, visit here<\/a>.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Attackers are constantly on the prowl, scoping out vulnerabilities of network-connected devices in your systems. These devices\u2014laptops, desktops, servers, IoT, and more\u2014are like unlocked doors waiting for threat actors to stroll through. And here\u2019s the kicker: many of these vulnerabilities are shockingly common and easily preventable. Let\u2019s break down the weaknesses we most frequently track […]<\/p>\n","protected":false},"author":0,"featured_media":7241,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7240","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7240"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7240"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7240\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7241"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}