Trust Site

Our 2023 pentest remediation report is available now on the Trust Site in the Documents section.

On October 19, 2023 Demandbase received a notice from Okta regarding their latest security incident. According to that notice, there was no impact to Demandbase. In addition, we have conducted our own investigation internally and did not find any evidence of impact or inappropriate access due to the Okta incident. We will remain vigilant and provide updates if necessary.

On Oct 16th, 2023, Demandbase became aware of a new software security concern from our threat intelligence sources that involves Progress WS_FTP Server Critical Vulnerabilities (CVE-2023-40044 & CVE-2023-42657). Demandbase has multiple security technologies that permit us to audit our endpoints. Using these technologies and reports, our team searched and did not find any evidence of WS_FTP or the presence of either CVE in our systems.

For more information on this topic, please refer to the advisories posted by NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-40044 and https://nvd.nist.gov/vuln/detail/CVE-2023-42657

On July 12th, 2023, Demandbase became aware of a new software 0-day security concern from our threat intelligence sources that involves Microsoft Windows and Office products. We promptly investigated to determine whether there was an impact to Demandbase systems and/or data.

Demandbase has multiple security technologies that permit us to audit our endpoints for known indicators of compromise that have been provided by Microsoft and our many security vendors. Using these technologies and reports, our team searched and did not find any evidence of Microsoft Windows or Office products being compromised within our environment. We have completed the mitigations provided by Microsoft and will continue to monitor this situation and provide further updates if necessary.

For more information on this topic, refer to the advisory posted at https://nvd.nist.gov/vuln/detail/CVE-2023-36884.

On June 5, 2023, Demandbase became aware of a new software 0-day security concern from its threat intelligence sources that involves MOVEit file transfer solution. We promptly investigated to determine whether there was an impact to Demandbase systems and/or data.

Demandbase has multiple security technologies that permit us to audit what applications are installed on our endpoints. Using these technologies, our team searched and did not find any evidence of MOVEit software installed or used within Demandbase. We continue to monitor this situation and will provide further updates if necessary.

For more information on this topic, refer to the advisory posted at https://nvd.nist.gov/vuln/detail/CVE-2023-34362.

On March 30, 2023, Demandbase became aware of a new software supply chain security concern from its threat intelligence sources that involves potential compromise of 3CX voice and video collaboration software installed on user workstations. We promptly investigated to determine whether there was an impact to Demandbase systems and/or data.

Demandbase has several security technologies that permit us to audit what applications are installed on our endpoints. Using these technologies, our team searched and did not find any evidence of 3CX software installed on our endpoints. We continue to monitor this situation and will provide further updates if necessary.

For more information on this topic, refer to the advisory posted by 3CX at https://www.3cx.com/blog/news/desktopapp-security-alert/.