Tenable®, the exposure management company, today announced that Tenable Cloud Security has been successfully assessed at the “PROTECTED” level under the Information Security Registered Assessors Program (IRAP).
An Australian Signals Directorate-endorsed IRAP Assessor has assessed the security controls implemented by Tenable to protect its Cloud-Native Application Protection Platform (CNAPP) against the Information Security Manual (ISM) controls at the PROTECTED level. This provides government entities with assurance that the platform’s underlying security measures were independently reviewed, helping them make informed, risk-based decisions when considering Tenable to support their own cloud security needs. The assessment empowers agencies to leverage Tenable Cloud Security to gain comprehensive visibility across their cloud infrastructure, enabling them to detect and remediate security exposures with greater speed and confidence.
“Cloud environments offer government agencies unparalleled agility and scalability, but they also introduce significant security complexities and risk exposure,” said Robert Huber, chief security officer, head of Research, and president of Public Sector at Tenable. “The IRAP assessment is a critical assurance mechanism, and completing this ‘PROTECTED’ assessment underscores our unwavering commitment to meeting the high standards of the Australian government.”
As agencies increasingly adopt multi-cloud strategies, they face challenges from siloed security tools and a shortage of cloud expertise. Tenable Cloud Security addresses these issues by providing a single, unified platform that embeds security throughout the entire cloud development lifecycle. This proactive approach helps organisations identify and fix vulnerabilities in code before they reach production, reducing the window of opportunity for attackers and enhancing threat visibility across the entire cloud footprint.
Tenable has also commented on Microsoft’s October 2025 Patch Tuesday release, the largest to date, in which Microsoft patched 167 common vulnerabilities and exposures (CVEs). Seven of these were rated critical, 158 were rated important, and two were rated moderate. Elevation of Privilege (EoP) vulnerabilities accounted for 47.9% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 17.4%.
“October is the largest Patch Tuesday release to date, with Microsoft surpassing the previous record of 157 CVEs set in January 2025. With two months remaining this year, we’ve already blown last year’s tally of 1,009 CVEs patched, as this month’s release brings us up to 1,021 CVEs patched. Please note that our counts omit CVEs that were patched prior to Patch Tuesday or that do not list Microsoft as the issuer,” said Satnam Narang, senior staff research engineer, Tenable.
“The two most notable vulnerabilities this month are in Agere Modem, a third-party modem driver that has been included in Windows operating systems for almost 20 years. The two flaws are CVE-2025-24990, which was exploited in the wild as a zero-day, and CVE-2025-24052, which was publicly disclosed prior to this Patch Tuesday release. Even if the modem is not in use, it remains vulnerable to exploitation, which could give an attacker administrator privileges. The fix for this flaw is telling: Microsoft is removing the driver, ltmdm64.sys, from Windows operating systems through the October cumulative update.
“CVE-2025-59230, a zero-day elevation of privilege vulnerability in Windows Remote Access Connection Manager (also known as RasMan), a service used to manage remote network connections through virtual private networks (VPNs) and dial-up networks, was also exploited in the wild. While RasMan is a frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022, this is the first time we’ve seen it exploited in the wild as a zero day.
“Microsoft Office users should also take note of CVE-2025-59227 and CVE-2025-59234, a pair of remote code execution bugs that take advantage of ‘Preview Pane,’ meaning that the target doesn’t even need to open the file for exploitation to occur. To execute these flaws, an attacker would social engineer a target into previewing an email with a malicious Microsoft Office document.”