Uncover the unmanaged and unknown to meet hidden risk requirements

With the Digital Operational Resilience Act (DORA) set to take effect on January 17th, 2025, financial institutions across the European Union must prepare to meet stringent regulatory requirements. At its core, DORA mandates resilience in Information and Communication Technology (ICT) systems, covering five primary pillars:

1. ICT risk management

2. Incident reporting

3. Resilience testing

4. Third-party risk management

5. Information sharing

While these pillars seem straightforward, the implementation has a hidden complexity in meeting standards: unmanaged and unknown assets. These devices—ranging from decentralized IT assets to unconventional (but highly-interconnected ) IoT and OT devices—are notoriously hard to identify and secure.

Why are these unmanaged and unknown devices such a critical focus of DORA? The answer lies in their profound impact on the regulatory pillars. These assets, often hidden in the shadows of your environment, don’t just represent gaps in visibility—they create vulnerabilities that ripple through every aspect of operational resilience.

Consider this: over 60% of connected devices are invisible to defenders, and unmanaged assets were linked to 7 out of 10 breaches last year. To truly grasp the gravity of this problem, let’s explore how these blind spots hinder compliance across DORA’s relevant pillars—and what it takes to close those gaps effectively.

To truly meet DORA’s requirements, you need complete visibility into your environment. Unmanaged and unknown assets are like puzzle pieces left out of the box; they make it impossible to see the full picture. Discovery and management of all your assets are the true foundation of compliance and resilience. Relying solely on traditional discovery and vulnerability management tools often leaves critical gaps, potentially putting you at risk of non-compliance—or worse, exposing your organization to security threats.

That’s where runZero comes in. Unlike traditional tools, runZero uncovers the unmanaged, unknown, and shadow IT assets that others miss using novel discovery and scanning techniques. In fact, enterprises on average find 25% more assets with runZero than they were previously aware of. Our objective is to provide you with unparalleled visibility across IT, OT, IoT, including those assets that aren’t actively managed. By layering in-depth fingerprinting data and detailed insights into vulnerabilities and exposures, runZero helps you to close those gaps, meet DORA’s requirements with confidence, and build a stronger, more resilient ICT environment.

The high-level overview of how runZero aligns with DORA’s pillars demonstrates its powerful capabilities. However, to truly appreciate its impact, let’s explore how runZero directly maps to specific DORA articles, such as Articles 6, 7, 8, and 9. These articles outline the actionable steps required for ICT risk management, resilience, and collaboration. The section below also illustrates how runZero goes beyond compliance to deliver operational excellence.

Article 6: ICT risk management framework

What DORA requires:

• Develop a framework to identify, assess, and mitigate ICT risks.

• Address risks tied to internal systems, third-party services, and external threats.

Key challenges:

• ICT risk management frameworks often rely on incomplete inventories.

• Without identification of all assets and understanding device interdependencies, assessing impact and mitigation strategies is guesswork.

How runZero helps:

runZero supports the creation and maintenance of ICT risk management frameworks by delivering advanced asset discovery, continuous monitoring of IT, OT, IoT, and unmanaged devices, and identifying vulnerabilities and security control gaps.

1. Complete asset discovery:

   • Identifies all IT, OT, IoT, and unmanaged devices using active scanning, passive scanning, and integrations.

   • Incorporates external scanning to identify assets and monitor risks on the edge, ensuring comprehensive visibility across both internal and external attack surfaces.

   • Accurately and precisely fingerprints assets providing deeper insights for more accurate risk assessment and mitigations.

   • Detects shadow IT and rogue devices not visible to traditional tools.

2. Risk interdependency mapping:

   • Maps relationships between assets, revealing critical dependencies.

   • Identifies single points of failure, such as connections between essential systems and vulnerable third-party services.

3. Risk monitoring:

   • Identifies issues beyond CVEs, such as misconfigurations, segmentation weaknesses, insecure services, EoL, policy violations, etc.

   • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

   • Tracks changes in device configurations and interdependencies.

   • Uses safe scanning to identify fragile devices without the risk of disrupting operations.

   • Alerts on deviations, such as newly connected devices or unexpected configuration changes, that introduce new risks.

4. Enriched risk context:

   • Integrates with a broad range of existing security solutions in your stack to provide enriched asset data, improving risk analysis and prioritization.

Outcome:
runZero ensures that your ICT risk management framework is underpinned by a complete and up-to-date view of all assets, enabling precise risk assessment, mitigation, and operational resilience.

Article 7: ICT systems, protocols, and tools

What DORA requires:

• Implement secure ICT systems and tools designed to safeguard the organization’s digital infrastructure from unauthorized access and cyber threats.

• Maintain a complete and continuously updated inventory of ICT assets.

• Conduct regular resilience testing through vulnerability assessments and security audits.

Key challenges:

• Legacy discovery tools fail to capture non-traditional protocols or devices outside standard IT ecosystems.

• Inventory updates are often manual, leading to outdated or incomplete data.

• Testing often overlooks unmanaged or obscure devices, leaving blind spots.

How runZero helps:

With runZero, you gain visibility into your IT, OT, and IoT assets, ensuring every device in your environment is tracked and accounted for. This gives you the deep insight needed to uncover vulnerabilities, misconfigurations, and insecure protocols while mapping interdependencies to reveal hidden security gaps. By spotlighting all assets and exposures, runZero helps you ensure nothing is overlooked, empowering you to make more accurate assessments and build stronger defenses.

1. Complete, up-to-date inventory management:

   • Provides comprehensive visibility into both internal and external assets, including IT, OT, and IoT devices to ensure all systems are tracked.

   • Regularly updates asset data through continuous monitoring, maintaining up-to-date visibility into the network’s infrastructure.

   • Discovers unknown and unmanaged devices that may not have been previously tracked, ensuring that all assets are accounted for.

   • Updates inventories continuously through automated scanning, ensuring accuracy.

2. Informs security of ICT systems, protocols, and tools:

   • Identifies CVEs and non-traditional vulnerabilities, such as insecure services and segmentation weaknesses, that compromise infrastructure.

   • Continuously monitors for new or unexpected devices, ensuring prompt response to unauthorized access attempts.

   • Detects outdated or misconfigured protocols like SMBv1, Telnet, or unencrypted HTTP.

   • Maps interdependencies between systems, helping organizations understand how internal and external assets interact including gaps or deficiencies in security controls and segmentation weaknesses

3. Resilience testing optimization:

   • Ensures that all assets, including hidden and rogue devices, are included in vulnerability assessments and threat-based testing procedures.

   • Supports more accurate threat assessments by continuously updating data on internal and external attack surfaces, even as they change.

   • Provides detailed context for each device, such as OS versions, open ports, and known vulnerabilities (CVEs), to prioritize testing efforts.

4. Third-party tool integration:

   • Integrates with vulnerability management and endpoint security tools to enhance testing scopes and ensure no assets are missed.

Outcome
runZero delivers detailed asset visibility, empowering your teams to secure ICT systems and conduct comprehensive resilience testing with confidence.

Article 8: Identification of critical assets

What DORA requires:

• Identify and prioritize critical ICT assets and services.

• Map interdependencies between systems to understand potential cascading failures.

• Continuously monitor critical assets for emerging risks.

Key challenges:

• Identifying critical assets isn’t just about visibility; it requires understanding each device’s function, connectivity, and risk profile.

• Interdependency mapping is complex, particularly when third-party services or legacy systems are involved.

• Monitoring is often siloed, missing broader network impacts.

How runZero helps:

runZero gives you full visibility into your critical IT, OT, and IoT assets, maps out how they’re connected, and spots risks like vulnerabilities or misconfigurations. By continuously keeping an eye on everything, it helps you stay ahead of threats and keep your most important systems secure.

1. Critical asset discovery:

   • Identifies critical devices and services through advanced fingerprinting techniques.

   • Highlights assets critical to business operations based on their roles and interdependencies.

2. Comprehensive risk mapping:

   • Maps interdependencies across IT, OT, IoT, and third-party systems.

   • Visualizes network connections and highlights cascading risks from single points of failure.

   • Combines detailed internal fingerprinting with external data sources to uncover hidden risks such as shared cryptographic keys, cloned assets, and overlooked misconfigurations that EASM tools miss.

   • Highlights network segmentation issues.

3. Risk prioritization:

   • Assesses vulnerabilities in critical systems, including software versions, configuration issues, and exposure levels.

   • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets and timely remediation.

   • Assesses and prioritizes externally facing assets as critical, highlighting high-risk targets with vulnerabilities or misconfigurations that could expose the organization to external threats.

   • Flags critical assets with high-risk vulnerabilities or misconfigurations.

4. Continuous monitoring:

   • Tracks changes in critical systems, such as new software vulnerabilities or configuration deviations.

   • Monitors for emerging threats, such as exploits targeting specific device types.

Outcome:
runZero provides a detailed, dynamic understanding of critical assets, their risks, and their interdependencies, enabling your team to make more informed decision-making and proactive risk mitigation.

Article 9: Protection & prevention

What DORA requires:

• Regularly update software and apply security patches.

• Address vulnerabilities promptly to minimize risks across systems.

Key challenges:

• Legacy systems and IoT devices often have unique patching challenges, such as vendor-specific firmware updates.

• Traditional vulnerability management tools struggle to identify end-of-life (EOL) systems or devices with no official CVEs.

How runZero helps:

With runZero, you get actionable insights to identify vulnerabilities, enforce security policies, monitor patch status, and stay ahead of emerging risks—ensuring your protection and prevention measures, from IT to IoT, are secure and compliant.

1. Vulnerability identification:

   • Monitors for emerging risks and zero-day vulnerabilities through the Rapid Response Program, enabling swift identification of vulnerable assets without the need for rescanning.

   • Detects outdated software and unpatched systems across all device types, including OT and IoT.

   • Highlights vulnerabilities in non-traditional assets, such as smart cameras or building management systems.

2. Policy enforcement:

   • Flags misconfigurations, insecure protocols, and policy violations on a continuous basis.

   • Identifies segmentation weaknesses that expose critical systems to lateral movement attacks.

3. Patch monitoring:

   • Tracks patch status for all devices, ensuring critical systems are prioritized.

   • Identifies EOL systems, providing actionable recommendations for replacements or compensating controls.

4. Time-sensitive risk updates:

   • Monitors the external attack surface for vulnerabilities in known or unknown assets exposed on the network edge, ensuring timely detection and mitigation of risks.

   • Continuously monitors for new vulnerabilities or exploits targeting devices in your environment.

   • Alerts on deviations from secure configurations, such as weakened encryption protocols.

Outcome:
runZero empowers your team to proactively manage patching and configuration efforts, ensuring no vulnerabilities are left unchecked—even in unconventional or legacy systems.

runZero: Your Partner in DORA Compliance

Compliance with DORA is a monumental challenge that requires comprehensive asset visibility and continuous exposure management. runZero’s capabilities go beyond traditional solutions, offering financial institutions a unified solution to:

• Discover all assets, including IT, OT, IoT, and unmanaged devices.

• Monitor continuously for new vulnerabilities, changes, and risks across your completed attack surface..

• Provide detailed data to enrich security and compliance workflows.

With runZero, you can bridge the gaps that traditional tools leave behind, ensuring not just compliance, but true resilience against today’s evolving cyber threats.

Latest vCenter vulnerabilities

Broadcom has issued a security advisory for VMware vCenter that indicates that one of the two vulnerabilities disclosed on the 17th of September, 2024,  CVE-2024-38812, which was fully patched by October 21, is under active exploitation in the wild.

This vulnerability has a CVSS score of 9.8, which is considered highly critical.

What is the impact?

An attacker with remote access to a vulnerable system could send specially crafted requests that could trigger a heap-overflow and result in remote code execution or privilege escalation into root.

Are updates or workarounds available?

Broadcom has issued patches to resolve both vulnerabilities. Reference the Response Matrix section of the advisory for the appropriate fixed version to apply in your environment.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:vCenter

CVE-2024-38812 and CVE-2024-33813 (September 2024)

Broadcom has issued a security advisory for two vulnerabilities that affect VMware vCenter, which exists in both VMware vSphere and VMware Cloud Foundation products.

• CVE-2024-38812 is rated critical with CVSS score of 9.8, and potentially allows for remote code execution.

• CVE-2024-38813 is rated high with CVSS score of 7.5, which can result in privilege escalation into root.

What is the impact?

An attacker with remote access to a vulnerable system could send specially crafted requests that could trigger a heap-overflow and result in remote code execution or privilege escalation into root.

Are updates or workarounds available?

Broadcom has issued patches to resolve both vulnerabilities. Reference the Response Matrix section of the advisory for the appropriate fixed version to apply in your environment.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:vCenter

Latest Fortinet vulnerabilities

Fortinet has issued advisories for its FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, and FortiOS products.

• CVE-2023-50176 detailed in FG-IR-23-475 is rated high with a CVSS score of 7.1, and may allow an unauthenticated attacker to hijack a user session.
• CVE-2024-23666 detailed in FG-IR-23-396 is rated high with a CVSS score of 7.1 and may allow an authenticated, read-only user the ability to execute “sensitive operations”.

What is the impact?

CVE-2024-23666, which affects FortiAnalyzer and FortiManager products, requires that an attacker (or malicious user) is authenticated against the system. A read-only user can potentially execute sensitive operations through crafted requests, bypassing client-side enforcement through the web interface. CVE-2023-50176, which affects the SSLVPN component of FortiOS, is a session fixation vulnerability that allows an unauthenticated attacker the ability to hijack an authenticated user’s session via a “phishing SAML authentication link”.

Are updates or workarounds available?

The vendor has released patches for all affected products. They recommend following the upgrade path using their upgrade tool.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager OR hw:FortiAnalyzer OR os:FortiOS

March 2024

On March 12th, 2024, Fortinet disclosed several vulnerabilities in their FortiOS, FortiProxy, and FortiClient products:

• FG-IR-23-328 – a buffer overflow vulnerability in the handling of form-based authentication in the FortiOS and FortiProxy captive portals, allowing remote, unauthenticated attackers to execute arbitrary code. This vulnerability has been assigned CVEs CVE-2023-42789 and CVE-2023-42790. These vulnerabilities have a CVSS score of 9.3, indicating that they are critical.

• FG-IR-24-007 – a SQL injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been designated CVE-2023-48788, and has been given a CVSS score of 9.8 (critical).

• FG-IR-23-390 – a log injection vulnerability in the FortiClient Enterprise Management Server. This vulnerability has been assigned CVE-2023-47534 and a CVSS score of 7.7 (high).

• FG-IR-23-103 – a remote code execution vulnerability in the FortiManager product. This vulnerability has been designated CVE-2023-36554 with a CVSS score of 7.7 (high). Note that the vulnerable subsystem is not installed by default.

• FG-IR-23-013 – an information disclosure vulnerability in the FortiGuard SSL-VPN product. This vulnerability has been designated CVE-2024-23112 and given a CVSS score of 7.2 (high).

How to find FortiOS, FortiProxy or FortiClient operating systems

From the Asset Inventory, use the following query to locate assets running the FortiOS or FortiProxy operating systems, which may be vulnerable:

os:"FortiOS" OR os:"FortiProxy"

Additionally, from the Services Inventory, use the following query to locate potentially vulnerable systems:

html.title:="FortiClient Endpoint Management Server"

CVE-2024-21762 (February 2024)

On February 8th, 2024, Fortinet disclosed a serious vulnerability in their FortiOS operating system, used by multiple Fortinet products.

The issue, CVE-2024-21762, allowed attackers to execute arbitrary code on vulnerable devices. The vendor has indicated that this is a critical vulnerability. The vendor reports that there are indications that this vulnerability may be actively exploited in the wild. Upon successful exploitation of these vulnerabilities, attackers could execute arbitrary code on the vulnerable system.

Fortinet released an update to mitigate this issue and all users were urged to update immediately. Additionally, the vendor indicated that disabling the SSL-VPN functionality of the device would mitigate the issue.

How to find FortiOS devices

From the Asset Inventory, use the following query to locate assets running the FortiOS operating system which may potentially be vulnerable:

os:"FortiOS" AND tcp:443

CVE-2022-40684 (October 2022)

News surfaced in October 2022 of a critical authentication bypass vulnerability present in the web administration interface of some Fortinet products. Successful exploitation of this vulnerability (tracked as CVE-2022-40684) via crafted HTTP and HTTPS requests could provide remote attackers with admin-level command execution on vulnerable FortiOS devices including FortiGate firewalls, FortiProxy web proxies, and FortiSwitchManager assets.

With a CVSS critical score of 9.6, attackers running admin-level commands on compromised assets may have had the ability to persist presence, explore connected internal networks, and exfiltrate data. At the time Fortinet was aware of at least one exploit of this vulnerability in the wild, and Bleeping Computer offered a Shodan search showing more than 140k publicly accessible FortiGate devices potentially running vulnerable FortiOS. Additionally, security researchers with Horizon3.ai planned on publishing an exploit PoC. For admins wanting to check if a FortiOS/FortiProxy/FortiSwitchManager asset had been exploited, Fortinet provides an indicator of compromise (see the “Exploitation Status” section).

Fortinet called out the vulnerable FortiOS, FortiProxy, and FortiSwitchManager versions in their advisory and had made updates available for affected products. Admins were advised to ensure that affected models were updated to the latest version as soon as possible. If updates could not be completed in the near term, Fortinet provided some mitigation steps (see the “Workaround” section) that could be taken to secure vulnerable assets.

How to find FortiOS, FortiProxy, and FortiSwitchManager assets

From the Asset Inventory, runZero users entered the following pre-built query to locate FortiOS, FortiProxy, and FortiSwitchManager assets:

os:FortiOS or product:FortiProxy or product:FortiSwitchManager

Latest FortiManager vulnerability 

Fortinet has issued an advisory for its Fortinet FortiManager product. The vendor confirms that this vulnerability is being actively exploited in the wild.

This vulnerability has been designated CVE-2024-47575 and has been assigned a CVSS score of 9.8 (extremely critical).

Note that this vulnerability is the same one discussed in an earlier version of this blog post, prior to vendor confirmation.

What is the impact?

The vulnerability would allow remote code execution by an attacker with upon connection to a FortiManager instance. Attackers need to have a valid Fortinet device certificate, but this certificate can be obtained from an existing Fortinet device and reused.

Successful exploitation of this attack is reported to allow remote code execution, potentially leading to total compromise of the vulnerable system.

The vendor has released a list of indicators of compromise (IOCs); users are encouraged to use this list to determine if a system has been successfully attacked.

Are updates or workarounds available?

The vendor has released updates and mitigation strategies to address this issue, and the vendor advises users to update as quickly as possible. Mitigation strategies include disabling the affected service and denying registration to systems with unknown serial numbers.

How to find potentially vulnerable systems with runZero

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:FortiManager

Latest SolarWinds vulnerability (CVE-2024-28987)

According to the US Cybersecurity and Infrastructure Security Agency (CISA), a critical hardcoded password vulnerability within SolarWinds’ Web Help Desk software is actively being exploited and was added to their Known Exploited Vulnerability (KEV) catalog.

• CVE-2024-28987 is rated critical with CVSS score of 9.1 allowing for unauthorized access by a remote attacker.

What is the impact?

Are updates or workarounds available?

How to find potentially vulnerable systems with runZero

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_service.product:="SolarWinds:Web Help Desk:"

Latest Palo Alto Networks vulnerabilities

Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

• CVE-2024-9463 is rated critical with CVSS score of 9.9, is an OS command injection vulnerability and potentially allows for  and execution of OS commands as root.
• CVE-2024-9464 is rated critical with CVSS score of 9.3, is an OS command injection vulnerability and potentially allows for the execution of OS commands as root.
• CVE-2024-9465 is rated critical with CVSS score of 9.2, is a SQL injection vulnerability and potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
• CVE-2024-9466 is rated high with CVSS score of 8.2, and potentially allows for an authenticated user to read sensitive information including passwords and API keys.
• CVE-2024-9467 is rated high with CVSS score of 7.0, is an XSS vulnerability and potentially allows for execution of malicious JavaScript code that could result in session hijacking.

What is the impact?

If chained together through an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks, published a detailed analysis.

According to the vendor, there is no known malicious exploitation of vulnerable systems at this time.

Are updates or workarounds available?

According to Palo Alto Networks, “The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.” They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.

How to find potentially vulnerable PAN-OS systems with runZero

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

CVE-2024-3400

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software has a vulnerability that allows for remote command injection.

CVE-2024-3400 is rated critical with CVSS score of 9.8 and indicates an unauthenticated attacker can execute arbitrary code with root privileges on the firewall. The vendor indicates that there is evidence of limited exploitation in the wild.

watchTowr has posted a detailed analysis including the details needed for exploitation. This analysis covers two separate vulnerabilities; an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that leads to remote execution through the telemetry script. PAN has updated their guidance to state that “Disabling device telemetry is no longer an effective mitigation“.

What is the impact?

The following PAN-OS versions are affected by this vulnerability.

Palo Alto Networks indicates that PAN-OS 11.1, 11.0, and 10.2 versions with the configurations for both GlobalProtect gateway and device telemetry enabled.

Customers may verify this by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways) and verify whether device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).

Are updates or workarounds available?

Palo Alto Networks recommends that customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

It is also recommended that telemetry be disabled until devices can be upgraded to an unaffected version of PAN-OS.

How runZero users found potentially vulnerable PAN-OS systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:"PAN-OS"