August 2025 Threat Report: Fast-Moving, High-Risk Vulnerabilities

The August 2025 Threat Report underscores how quickly high-risk vulnerabilities can shift from disclosure to active exploitation. Citrix, Fortinet, N-able, and Trend Micro flaws were weaponized within days. Other critical flaws in highly targeted software, such as Microsoft Exchange, emerged. Mainstream enterprise applications, such as Docker Desktop, Git, and Zoom, were also exposed to new vulnerabilities this month. Let’s review some of the biggest cyber threats that emerged in August 2025.


Trio of High-Risk Citrix NetScaler CVEs: One Actively Exploited

Citrix alerted its customers to active exploitation of CVE-2025-7775 and published fixes for two additional high-risk CVEs alongside it. All three affect NetScaler ADC and NetScaler Gateway, but only in specific configurations (Gateway or AAA virtual servers, as detailed below). CVE-2025-7775 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Multiple national CERT alerts have been issued globally [1][2][3][4][5][6][7]. Users of affected products should patch with urgency; Citrix lists no configuration workaround, so remediation means upgrading to a fixed build.

  • CVE-2025-7775 (CVSS 9.8, EPSS ≥92nd pctl): A memory overflow [CWE-119] allows Remote Code Execution (RCE) or Denial of Service (DoS) when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  • CVE-2025-6543 (CVSS 9.8): A memory overflow [CWE-119] leads to unintended control flow and DoS when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  • CVE-2025-7776 (CVSS 8.8): A memory overflow [CWE-119] leads to unpredictable behavior and DoS when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) with a PC-over-IP (PCoIP) profile. PCoIP is a remote display protocol used for virtual desktop access.

Another high-risk flaw affecting NetScaler ADC and Gateway, dubbed “CitrixBleed 2”, emerged in June 2025 and was actively exploited in ransomware attacks soon after disclosure. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version detection test for these three new CVEs, and for CitrixBleed 2.
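Because all three Citrix CVEs are fixed by build number, the practical triage question is whether a given appliance’s build is at or above the first fixed build for its branch, and whether the box is actually running a Gateway or AAA virtual server. The following is an added example, not Greenbone’s detection test or Citrix’s code. It parses the banner printed by the NetScaler CLI command show version (format assumed from typical output, e.g. “NetScaler NS14.1: Build 47.46.nc, …”) and compares it against the fixed builds for CVE-2025-7775 and CVE-2025-7776 as published in Citrix’s August 2025 advisory. The build table is an assumption to verify against the current advisory before use; whether a build is FIPS/NDcPP and whether a Gateway/AAA vserver is configured are passed in explicitly, since neither can be read from the banner.

```python
import re
from typing import NamedTuple, Optional

# First fixed builds for CVE-2025-7775 / CVE-2025-7776 as published in Citrix's
# August 2025 NetScaler advisory. Assumption: verify these against the current
# advisory before relying on them. End-of-life branches (12.1 and 13.0 non-FIPS)
# have no fixed build and are deliberately absent.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),   # 14.1 before 14.1-47.48
    ("13.1", False): (59, 22),   # 13.1 before 13.1-59.22
    ("13.1", True):  (37, 241),  # 13.1-FIPS / NDcPP before 13.1-37.241
    ("12.1", True):  (55, 330),  # 12.1-FIPS / NDcPP before 12.1-55.330
}

# Matches the banner printed by `show version` on the NetScaler CLI, e.g.
# "NetScaler NS14.1: Build 47.46.nc, Date: Jun 9 2025, 15:15:06   (64-bit)"
BANNER_RE = re.compile(
    r"NS(?P<major>\d+)\.(?P<minor>\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)"
)


class NsVersion(NamedTuple):
    branch: str   # release branch, e.g. "14.1"
    build: int    # e.g. 47
    sub: int      # e.g. 46


def parse_show_version(banner: str) -> NsVersion:
    """Extract branch and build numbers from a `show version` banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not a NetScaler 'show version' banner")
    return NsVersion(f"{m['major']}.{m['minor']}", int(m["build"]), int(m["sub"]))


def is_fixed(v: NsVersion, fips: bool = False) -> Optional[bool]:
    """True if at or above the fixed build, False if below,
    None if the branch has no fixed build (end-of-life)."""
    fixed = FIXED_BUILDS.get((v.branch, fips))
    if fixed is None:
        return None
    return (v.build, v.sub) >= fixed


def assess(banner: str, fips: bool = False, gateway_or_aaa: bool = True) -> str:
    """Turn a banner plus the two facts that matter (FIPS build? Gateway or AAA
    vserver configured?) into an actionable verdict."""
    v = parse_show_version(banner)
    label = f"{v.branch}-{v.build}.{v.sub}"
    fixed = is_fixed(v, fips)
    if fixed is None:
        return f"{label}: unsupported branch, no fix available; migrate"
    if fixed:
        return f"{label}: fixed build"
    if not gateway_or_aaa:
        return f"{label}: unpatched but not in an affected configuration; schedule upgrade"
    return f"{label}: VULNERABLE to CVE-2025-7775, upgrade now"


if __name__ == "__main__":
    # Constructed sample banner, not output from a real device.
    print(assess("NetScaler NS14.1: Build 47.46.nc, Date: Jun 9 2025, 15:15:06   (64-bit)"))
```

Note that 14.1-47.46 was the fixed build for the June CitrixBleed 2 advisory, so an appliance patched in June still reads as vulnerable here; that is the intended result. A build on an end-of-life branch returns no verdict other than “migrate”, because no patch will ever arrive for it.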

Emergency Patch for Microsoft Exchange Hybrid Deployment

CVE-2025-53786 (CVSS 8.0) is a high-risk post-authentication privilege escalation flaw in Microsoft Exchange hybrid deployments. In a hybrid deployment, on-premises Exchange Server and Exchange Online are linked: the on-premises Active Directory (AD) domain is synchronized with Microsoft Entra ID (formerly Azure AD), and users, devices, and services are recognized by both. The weakness lies in the service principal that on-premises Exchange and Exchange Online have historically shared to trust each other. If exploited, CVE-2025-53786 allows an attacker with admin access to an on-premises Exchange Server to move laterally into Microsoft 365 Exchange Online [CWE-287] and potentially modify authentication processes for persistence [T1556.007].

Exploitation, including authentication bypass, lateral movement [TA0008], and data exfiltration [TA0010], was demonstrated at Black Hat 2025. Although no exploitation in the wild has been observed, Microsoft has assigned the status “Exploitation More Likely”. CISA has issued an Emergency Directive (ED 25-02) and warned that CVE-2025-53786 could result in total domain compromise across hybrid environments. Remediation is not a patch alone: Microsoft’s guidance is to install the April 2025 (or later) Exchange Server hotfix and then migrate the hybrid configuration to the dedicated Exchange hybrid app, which replaces the shared service principal. Numerous government CERT agencies have also issued alerts [1][2][3][4][5][6][7]. The OPENVAS ENTERPRISE FEED includes two remote version detection tests to identify vulnerable instances of Microsoft Exchange [8][9].

Max-Severity Flaw in Cisco Secure Firewall Management Center

CVE-2025-20265 (CVSS 10) is an RCE flaw in Cisco Secure Firewall Management Center (FMC) physical and virtual appliances that have RADIUS authentication enabled for the web-based management interface, for SSH management access, or both. The flaw is caused by improper handling of user input during the RADIUS authentication phase, which allows command injection downstream in the authentication process [CWE-74]. An unauthenticated remote attacker can inject arbitrary shell commands that are executed with high privileges.

Public exploit code or active attacks have not yet been observed. However, Cisco edge devices have historically been targeted by APT adversaries [1][2][3]. Given the edge placement of FMC deployments and the maximum CVSS score, CVE-2025-20265 warrants urgency. Cisco has published fixed software releases. Its advisory states that no workarounds exist but does offer a mitigation: disable RADIUS authentication and switch to another supported method (local accounts, external LDAP, or SAML single sign-on) until the fixed release can be installed. Greenbone’s OPENVAS ENTERPRISE FEED includes a version detection test to remotely identify unpatched FMC devices.

FortiSIEM Exploited and Other High-Risk CVEs in Fortinet Products

Fortinet products were affected by several high-risk vulnerabilities in August. In total, 14 CVEs were issued for Fortinet products, six of them rated CVSS High or Critical. Several national CERT advisories cover the three most critical CVEs from this group [1][2][3], while others address only the most severe, CVE-2025-25256 [4][5][6][7][8], which Fortinet has flagged as actively exploited. The OPENVAS ENTERPRISE FEED includes a version check and an active check to identify FortiSIEM devices vulnerable to CVE-2025-25256, and a family of vulnerability tests dedicated to Fortinet CVEs, including those mentioned below and others.

  • CVE-2025-25256 (CVSS 9.8, EPSS ≥95th pctl): Improper neutralization of special elements used in an OS command [CWE-78] allows an unauthenticated remote attacker to execute unauthorized commands via requests to the phMonitor service on TCP port 7900. Fortinet acknowledges active exploitation in the wild. A full technical description and proof-of-concept (PoC) exploit are available. FortiSIEM 5.4 and various sub-versions of FortiSIEM 6 and 7 are affected.
  • CVE-2024-26009 (CVSS 8.1): An authentication bypass using an alternate path or channel vulnerability [CWE-288] allows an unauthenticated attacker to take control of a managed device via malicious FortiGate to FortiManager Protocol (FGFM) requests. Exploitation requires a FortiGate device to be managed by FortiManager, and for the attacker to know the FortiManager’s serial number. Various versions of FortiOS, FortiPAM, and FortiSwitchManager are affected.
  • CVE-2025-52970 (CVSS 8.1): Improper handling of parameters [CWE-233] allows an unauthenticated remote attacker with possession of sensitive information for the target device and an existing user to log in as any user on the device via a specially crafted HTTP request. Various sub-versions of FortiWeb 7 are affected.

Two New N-Able CVEs Actively Exploited

Two new CVEs impacting N-able’s N‑central present a high risk to organizations using the software. Both new CVEs have been added to CISA’s KEV list and national CERT alerts were issued by NCSC.nl [1], the Canadian Cyber Centre [2], and South Korea’s K‑CERT [3]. N‑central is a Remote Monitoring and Management (RMM) platform widely used to monitor and manage networks and systems. Although exploiting either vulnerability requires authentication, credential theft [TA0006], password reuse [T1078], insider threats, and other possible attack trajectories elevate risk.

  • CVE-2025-8876 (CVSS 8.8, EPSS ≥95th pctl): Unsanitized input is injected into OS shell commands [CWE-78], allowing RCE with the N-central application’s privileges.
  • CVE‑2025‑8875 (CVSS 7.8, EPSS ≥93rd pctl): Insecure deserialization of untrusted data [CWE-502] may allow attackers to craft object “gadget” chains for arbitrary RCE or unauthorized application state changes.

Versions of N-central prior to 2025.3.1 are affected. One day after the CVEs were published, Shadowserver reported ~1,000 unpatched N‑central servers exposed on the internet. Two weeks later, most remain unpatched. The OPENVAS ENTERPRISE FEED can remotely detect vulnerable versions of N-central, allowing defenders to apply mitigations.

New Critical Trend Micro Apex One Flaw Under Attack

CVE-2025-54948 (CVSS 9.8, EPSS ≥94th pctl) and CVE-2025-54987 (CVSS 9.8, EPSS ≥63rd pctl) are unauthenticated RCE vulnerabilities in the on-premises Trend Micro Apex One Management Console. Both CVEs represent the same flaw, assigned separately for different CPU architectures. The culprit is a pre-authentication OS-command-injection flaw [CWE-78] reachable via malicious file upload. A compromised management console gives attackers direct control over an organization’s endpoint security infrastructure. Exploitation requires network access to the console (or physical access to the host), so internet-exposed consoles are at the highest risk; consoles reachable only from the internal network still offer attackers an opportunity for lateral movement [TA0008] once they have gained initial access [TA0001] to the victim’s network.

According to Trend Micro, active exploitation is underway and CISA has added CVE-2025-54948 to the KEV catalog, where it joins many other exploited Apex One flaws going back to 2021. National CERT advisories have been issued by government agencies globally [1][2][3][4][5]. Apex One (on‑prem) 2019 (14.0) version 14.0.0.14039 and earlier are affected. Consult the official advisory for mitigation instructions and a custom tool that disables the Remote Install Agent function. Greenbone’s OPENVAS ENTERPRISE FEED includes a local detection test to identify affected endpoints.

Git Repository Cloning Flaw Actively Exploited

CVE-2025-48384 (CVSS 8.0, EPSS ≥88th pctl), issued in early July 2025, has been added to CISA’s KEV and exploitation is considered trivial. The flaw is an arbitrary file write triggered when cloning a specially crafted repository containing submodules, typically via git clone --recursive <repo>, the option that automatically fetches submodules during a clone. The root cause is inconsistent handling of a trailing carriage return (CR) in configuration values: Git strips a trailing CR when reading a value but does not quote it when writing one, so a submodule path that ends in CR is written to the local config without it and is read back as a different path. The submodule is then checked out to an unintended location; if the repository also contains a symlink that points that altered path at the submodule’s hooks directory, and the submodule ships an executable post-checkout hook, the hook runs on the victim’s machine, resulting in RCE. Attackers must trick a victim into cloning a malicious Git repository to achieve exploitation.

A full technical description and exploits containing malicious .gitmodules files are already available online [1][2][3]. INCIBE-CERT has issued an alert [4] and CISA has added the CVE to its KEV list [5]. The flaw affects many versions of Git up to 2.50.0; it is fixed in 2.50.1 and in backported releases for the older maintained branches. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include local package detection tests for CVE-2025-48384.
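Upgrading Git is the fix, but CI pipelines and developer workstations that clone untrusted repositories can also screen a .gitmodules file before running git submodule update. The following is an added example, not code from the Git project or from any of the cited write-ups. It parses .gitmodules with the value exactly as written (a CR inside a quoted value survives the first read, which is the byte that later goes missing) and flags the CVE-2025-48384 pattern, along with two related hygiene problems: paths that escape the work tree or target .git, and custom update commands. The sample .gitmodules content is constructed for the example; the submodule names and URLs are not real.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .gitmodules (not from a real repository): the first entry is
# benign, the second carries a literal CR byte inside a quoted path value.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.invalid/lib.git\n'
    '[submodule "evil"]\n'
    '\tpath = "hooks\r"\n'
    '\turl = https://example.invalid/evil.git\n'
)

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')


def _value_as_written(raw: str) -> str:
    """Remove the quoting but keep every byte inside the quotes. Git's reader
    keeps a CR inside quotes on the first read; that is the byte that the
    unquoted rewrite in CVE-2025-48384 later loses."""
    raw = raw.rstrip(" \t")
    if raw.startswith('"'):
        end = raw.find('"', 1)
        return raw[1:end] if end != -1 else raw[1:]
    # Unquoted value: drop an inline comment, trim trailing whitespace.
    return raw.split("#", 1)[0].split(";", 1)[0].rstrip(" \t")


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .gitmodules into {submodule name: {key: value-as-written}}."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.split("\n"):
        if line.endswith("\r"):          # CRLF line ending: a terminator, not a value byte
            line = line[:-1]
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = modules.setdefault(sec["name"], {})
            continue
        kv = KEY_RE.match(line)
        if kv and current is not None:
            current[kv["key"].lower()] = _value_as_written(kv["value"])
    return modules


def audit_gitmodules(text: str) -> List[Tuple[str, str, str]]:
    """Return (submodule, key, problem) triples for entries a clone should refuse."""
    findings: List[Tuple[str, str, str]] = []
    for name, keys in parse_gitmodules(text).items():
        for key, value in keys.items():
            if "\r" in value or "\n" in value or "\x00" in value:
                findings.append((name, key, "control character inside value (CVE-2025-48384 pattern)"))
        path = keys.get("path", "")
        parts = path.replace("\\", "/").split("/")
        if path.startswith("/") or ".." in parts or parts[0].lower() == ".git":
            findings.append((name, "path", "path escapes the work tree or targets .git"))
        if keys.get("update", "").startswith("!"):
            findings.append((name, "update", "custom update command (!) in .gitmodules"))
    return findings


if __name__ == "__main__":
    for finding in audit_gitmodules(SAMPLE_GITMODULES):
        print(finding)
```

The control-character check is the one that matters for this CVE; the path and update checks are cheap additions for the same file (Git already ignores an update command that comes from .gitmodules rather than .git/config, but its presence in an untrusted repository is a signal worth surfacing). A CRLF-terminated file is deliberately not flagged, because a CR that is only a line terminator is stripped consistently on every read.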

Container Escape in Docker Desktop for Windows and macOS

CVE-2025-9074 (CVSS 9.3) is a container escape vulnerability in Docker Desktop for Windows and macOS, fixed in Docker Desktop 4.44.3. A malicious container can gain unauthorized access to the host because the Docker Engine API was reachable from inside any container, without authentication, over TCP at 192.168.65.7:2375 on Docker Desktop’s internal network. This path sidesteps the usual Unix socket permissions and is not blocked by Docker’s Enhanced Container Isolation (ECI), so a container can instruct the engine to start another container with the host file system mounted. On Windows, an attacker can mount the host’s system drive and overwrite system DLLs to gain full administrative control. On macOS, host file system access is more limited by OS-level safeguards. Linux installations are not affected.

PoCs indicate that exploitation is trivial — just a few lines of Python or a simple HTTP request can compromise a vulnerable instance of Docker Desktop. A detailed technical write-up, existence of at least one public exploit, and Docker’s widespread use elevate the risk posed by CVE-2025-9074. The OPENVAS ENTERPRISE FEED includes a version detection test for Windows installations.
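A behavioral check for this flaw is more reliable than a version string, because the exposed API is the vulnerability: if a container can get an answer from GET /version at 192.168.65.7:2375, the engine is reachable without authentication and the host is at risk. The following is an added example, not one of the public PoCs and not Docker’s code. It issues only a read-only /version request and never creates a container or mounts anything; the address is the one reported in the public write-up, and the sample reply used to illustrate the parser is constructed.

```python
import json
import socket
from typing import Optional, Tuple

# Address at which the public write-up found the Docker Desktop engine API
# exposed to containers; 2375 is Docker's conventional unauthenticated TCP port.
DOCKER_DESKTOP_API = ("192.168.65.7", 2375)


def http_get(host: str, port: int, path: str, timeout: float = 2.0) -> Tuple[int, bytes]:
    """Minimal HTTP/1.0 GET (1.0 so the server does not chunk the body)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body


def engine_version_from_body(status: int, body: bytes) -> Optional[dict]:
    """Interpret a GET /version reply: HTTP 200 with the engine's JSON means the
    API answered a request that carried no authentication at all."""
    if status != 200:
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if not isinstance(doc, dict) or "Version" not in doc or "ApiVersion" not in doc:
        return None
    return {"engine": doc["Version"], "api": doc["ApiVersion"], "os": doc.get("Os")}


def probe(host: str = DOCKER_DESKTOP_API[0], port: int = DOCKER_DESKTOP_API[1]) -> str:
    """Run from INSIDE a container on a Docker Desktop host. Only /version is
    requested; no containers are created and nothing is mounted."""
    try:
        status, body = http_get(host, port, "/version")
    except OSError as exc:  # connection refused, unreachable, or timeout
        return f"not reachable ({exc.__class__.__name__}): fixed, or not Docker Desktop"
    info = engine_version_from_body(status, body)
    if info is None:
        return f"reachable but unexpected reply (HTTP {status}); inspect manually"
    return f"VULNERABLE: unauthenticated engine API, Docker {info['engine']} (API {info['api']})"


if __name__ == "__main__":
    print(probe())
```

The engine version in the reply is the Linux engine inside Docker Desktop’s VM, not the Docker Desktop release, so the verdict rests on reachability alone: a patched 4.44.3 install refuses the connection, an older one answers. Run it from an unprivileged container with no volumes, since the point is to show that even such a container gets an answer.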

Critical Flaw in Zoom Client for Windows Allows Unauthenticated RCE

CVE-2025-49457 (CVSS 9.6) affects multiple Zoom products for Windows, including Zoom Workplace, VDI, Rooms, Rooms Controller, and the Meeting SDK, prior to version 6.3.10. The flaw is an untrusted search path vulnerability [CWE-426] caused by improper DLL path handling, commonly called DLL search-order hijacking or DLL side-loading. It arises when the Windows LoadLibrary() API is called with a bare file name rather than a fully qualified path: Windows then walks its default DLL search order (application directory, system directories, current directory, then PATH), and the first matching file is loaded and executed inside the calling process. If an attacker can place a DLL with the expected name in a directory that is searched before the legitimate copy, their code runs with the application’s privileges. This makes CVE-2025-49457 especially dangerous in combination with social engineering [T1566] or insider threats, which remain prevalent in 2025. Exploitation gives the attacker arbitrary code execution and privilege escalation, potentially to the Windows SYSTEM level.

Malaysia’s MyCERT [1] and Hong Kong’s CERT-HK [2] have issued advisories. The issue is patched in Zoom version 6.3.10 and later, and organizations should verify update status. Although many desktop applications, such as Zoom, support automatic updates, it’s still critical for defenders to verify patch status across their IT fleets. The OPENVAS ENTERPRISE FEED includes an active check to identify vulnerable Zoom applications.

Summary

The August 2025 Threat Report highlights new high-risk vulnerabilities across popular platforms. Defenders faced an intense month with new Citrix NetScaler flaws being actively exploited soon after CitrixBleed 2 was exposed, an emergency Microsoft Exchange patch, a maximum-severity Cisco Secure Firewall CVE, and emerging exploitation of Fortinet, N-able, and Trend Micro products. New Docker Desktop, Git, and Zoom vulnerabilities also add to this month’s list of threats. Greenbone’s OPENVAS SECURITY INTELLIGENCE reduces the burden on security teams by delivering fast and reliable detection and assurance on organization-wide patch levels.