Starting December 8th, 2025, the CMS Hybrid Cloud Team will begin the Q4 2025 CMS Enterprise Security Campaign.
Any findings will be tracked via Jira tickets and assigned to the respective teams to remediate risks. The Q4 CMS Enterprise Security Campaign is targeting a list of vulnerabilities and Common Vulnerabilities and Exposures (CVEs) that pose a high risk to CMS systems.
On December 19th, 2025, new GuardRails will be added to all Non-Marketplace accounts to prevent certain findings from being reintroduced into the CMS environment.
Benefits
Resolving the findings in your team's Jira tickets helps keep CMS systems secure. Participating in proactive, routine security activities, such as this CMS Enterprise Security Campaign, reduces the risk of unauthorized and/or malicious activity.
The CMS Enterprise Security Campaign will target and identify the following vulnerabilities and CVEs:
Targeted Vulnerabilities and Common Vulnerabilities and Exposures (CVEs)
| CVE ID | Tenable Plugin ID | Plugin Description | Severity |
|---|---|---|---|
| N/A | 56212 | Adobe Acrobat Unsupported Version Detection | Critical |
| N/A | 172178 | ASP.NET Core SEoL | Critical |
| CVE-2024-32002 | 202262 | Git for Windows < 2.45.1 Multiple Vulnerabilities | Critical |
| N/A | 216754 | Google Chrome < 133.0.6943.141 Vulnerability | Critical |
| CVE-2025-62215 | 274789 | KB5068787: Windows Server 2022 / Azure Stack HCI 22H2 Security Update (November 2025) | Critical |
| CVE-2025-62215 | 274782 | KB5068791: Windows 10 version 1809 / Windows Server 2019 Security Update (November 2025) | Critical |
| CVE-2025-60724 | 274780 | KB5068864: Windows 10 Version 1607 / Windows Server 2016 Security Update (November 2025) | Critical |
| CVE-2025-13027 | 274834 | Mozilla Firefox < 145.0 | Critical |
| N/A | 55958 | Oracle Java JRE Unsupported Version Detection | Critical |
| N/A | 148367 | Python Unsupported Version Detection | Critical |
| CVE-2025-6965 | 274798 | RHEL 9 : sqlite (RHSA-2025:20936) | Critical |
| CVE-2025-43343 | 274761 | RHEL 9 : webkit2gtk3 (RHSA-2025:20922) | Critical |
Note:
Operating System (OS)-level findings are remediated by the CMS Hybrid Cloud Team for customers who receive regular CMS Gold Image patching services. CMS customers remain responsible for patching any software installed on top of the provided CMS Gold Image. In the table above, the Windows KB and RHEL package updates are OS-level; the browser, Java, Python, Git, ASP.NET Core and Acrobat entries concern software layered on the OS. The "Unsupported Version" and "SEoL" (end-of-life) detections are not fixed by a patch: they clear only when the product is upgraded to a supported release or removed from the host.
- For all Non-Marketplace accounts, CMS Hybrid Cloud will deploy GuardRails (auto-remediation) for the following Security Hub control:
  - EC2.15: Amazon EC2 subnets should not automatically assign public IP addresses.
- CMS customer teams with existing findings for this Security Hub control will receive a Jira ticket.
- Teams will either need to resolve the finding or obtain an exemption.
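The following is an added example, not code from the CMS Hybrid Cloud Team or this announcement: it shows what the EC2.15 check actually tests (the subnet attribute `MapPublicIpOnLaunch`) and the AWS CLI call an auto-remediation issues to clear it. It runs offline against a constructed DescribeSubnets-style response with made-up subnet and VPC IDs; in a live account the same list comes from boto3's `ec2.describe_subnets()["Subnets"]`.

```python
"""EC2.15 check: EC2 subnets should not auto-assign public IPv4 addresses.

Added example, not part of the CMS announcement. The input below is a
constructed DescribeSubnets-style response (fake IDs). In a real account the
same structure is returned by boto3: ec2.describe_subnets()["Subnets"].
"""
import shlex
from typing import Iterable

# Constructed sample in the shape boto3's describe_subnets returns.
SAMPLE_DESCRIBE_SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0aaa111", "VpcId": "vpc-0fed999",
         "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": True,
         "Tags": [{"Key": "Name", "Value": "app-public-a"}]},
        {"SubnetId": "subnet-0bbb222", "VpcId": "vpc-0fed999",
         "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False,
         "Tags": [{"Key": "Name", "Value": "app-private-a"}]},
        # Untagged subnet with the attribute on: still a finding.
        {"SubnetId": "subnet-0ccc333", "VpcId": "vpc-0fed999",
         "CidrBlock": "10.0.3.0/24", "MapPublicIpOnLaunch": True},
    ]
}


def noncompliant_subnets(subnets: Iterable[dict]) -> list[dict]:
    """Return the subnets that fail EC2.15, i.e. MapPublicIpOnLaunch is true."""
    failed = []
    for s in subnets:
        if s.get("MapPublicIpOnLaunch", False):
            name = next((t["Value"] for t in s.get("Tags", [])
                         if t.get("Key") == "Name"), "")
            failed.append({"SubnetId": s["SubnetId"],
                           "VpcId": s["VpcId"], "Name": name})
    return failed


def remediation_commands(findings: Iterable[dict]) -> list[str]:
    """AWS CLI commands that turn the attribute off for each failing subnet.

    This is the change an EC2.15 auto-remediation makes. It only affects
    instances launched afterwards: an instance that already received an
    auto-assigned public IPv4 keeps it until it is stopped or terminated.
    """
    return [
        "aws ec2 modify-subnet-attribute --subnet-id "
        f"{shlex.quote(f['SubnetId'])} --no-map-public-ip-on-launch"
        for f in findings
    ]


def apply_remediation(subnets: list[dict], findings: Iterable[dict]) -> list[dict]:
    """Simulate the guardrail on the in-memory sample (no AWS call) and return
    the subnets as they would look afterwards, so the check can be re-run."""
    ids = {f["SubnetId"] for f in findings}
    return [
        {**s, "MapPublicIpOnLaunch": False} if s["SubnetId"] in ids else dict(s)
        for s in subnets
    ]


def main() -> None:
    subnets = SAMPLE_DESCRIBE_SUBNETS["Subnets"]
    findings = noncompliant_subnets(subnets)
    for f in findings:
        label = f["Name"] or "no Name tag"
        print(f"EC2.15 FAILED: {f['SubnetId']} ({label}) in {f['VpcId']}")
    for cmd in remediation_commands(findings):
        print(cmd)
    # Re-running the check after the fix should produce no findings.
    assert not noncompliant_subnets(apply_remediation(subnets, findings))


if __name__ == "__main__":
    main()
```

Two caveats when resolving the ticket rather than waiting for the guardrail: turning the attribute off does not remove public IPs from instances that already have one, and a launch request that sets `AssociatePublicIpAddress` explicitly on its network interface still gets a public IP regardless of the subnet default, so review launch templates and IaC for that setting as well.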
Expected Actions
- CMS customer teams with findings will receive a Jira ticket.
- If you would like to obtain an exemption, you will need to complete an attestation.
- CMS customers should resolve all received Jira tickets as soon as possible.
- Unresolved findings leave systems exposed, increasing the risk of compromise through unauthorized and/or malicious activity.
- Unresolved system flaws will result in Plan of Action and Milestones (POA&Ms) being issued against the Federal Information Security Modernization Act (FISMA) boundary.
Timeline
- December 8th, 2025: CMS customers with findings will receive Jira tickets for the findings noted in the "Benefits" section above.
- December 19th, 2025: CMS Hybrid Cloud will add new GuardRails to all Non-Marketplace accounts to prevent findings from being reintroduced into the CMS environment.
Questions or Concerns
We look forward to helping you and your team. Reach out to your IUSG Hosting Coordinator with any questions. For further help, please fill out a Hybrid Cloud Support ticket specifying Service as "Security Hub" and Request as "Security Hub Findings".