September 2025 Threat Report: New Exploits, Active Campaigns, and Critical CVEs
In total, just over 4,500 CVEs were published in September, exposing defenders to new risk. For operational resilience, organizations need to scan their IT infrastructure to identify where hidden risk could impact their operations. A free trial of Greenbone’s OPENVAS BASIC allows defenders to scan their enterprise IT infrastructure to stay on top of emerging threats. This free trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, which offers industry-leading coverage of CVEs and other IT security vulnerabilities.
So far in September, our blog has covered three emerging cyber security events: SessionReaper, an unauthenticated RCE flaw in Adobe Commerce and Magento, CVSS 10 exposed in Fortra GoAnywhere MFT, and an ArcaneDoor espionage campaign actively exploiting a new vulnerability in Cisco ASA and FTD. In this edition of the monthly threat report, we will cover other high-risk threats from September 2025.
Emerging Threats to Linux Systems
Linux OS is the backbone of global IT infrastructure. As attackers increasingly target Linux environments, vulnerability scanning is essential for operational resilience and service continuity. Here are the top vulnerabilities to Linux disclosed in September 2025.
High-Severity Sudo Flaw is Now Actively Exploited
In July, the Greenbone Threat Report flagged an emerging threat: CVE-2025-32463 (CVSS 7.8) permits unauthorized privilege escalation [TA0004] to root by tricking the Linux sudo command (all releases ≥ 1.9.14 and before 1.9.17p1) into loading attacker-controlled shared libraries [T1129]. CVE-2025-32463 is now being actively exploited and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Canada’s Cyber Centre has issued a new CERT advisory, adding to the existing alerts [1][2][3]. Organizations cannot achieve high resilience while waiting for known vulnerabilities to be flagged as actively exploited. Greenbone added detection tests for CVE-2025-32463 to the OPENVAS ENTERPRISE FEED and COMMUNITY FEED immediately in July 2025, giving users advance detection and the opportunity to patch.
CVE-2025-38352 POSIX CPU TOCTOU Race in the Linux Kernel
CVE-2025-38352 (CVSS 7.4, EPSS ~70th pctl) is a time-of-check to time-of-use (TOCTOU) flaw [CWE-367] in the Linux kernel’s POSIX CPU timers. CVE-2025-38352 allows denial of service (DoS) [T1499] on affected systems and has been added to CISA’s KEV. While no public proof-of-concept (PoC) exploit is available, security researchers have published a detailed technical analysis.
The German BSI has issued two alerts for CVE-2025-38352: one for the Linux kernel [1] and one for Android [2]. Greenbone’s OPENVAS ENTERPRISE FEED and COMMUNITY FEED include patch-level checks for Linux distributions.
High-Severity Vulnerability in Linux UDisks Daemon
CVE-2025-8067 (CVSS 8.5) is a local, unauthenticated privilege escalation [TA0004] flaw in Red Hat Enterprise Linux’s (RHEL) UDisks daemon. The UDisks daemon is a system service for managing storage devices such as hard drives, SSDs, USB drives, optical media, and partitions. The root cause of CVE-2025-8067 is improper handling of negative integer indexes, which can trigger an out-of-bounds memory read [CWE-125]. Exploitation can result in DoS [T1499], or local privilege escalation [T1068] by mapping a loop device to a privileged local file [1].
There’s no indication of active exploitation, but PoC code has been published [2][3]. Germany’s BSI has issued a security advisory [4]. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include package patch-level checks for many Linux distributions. Patching is the only viable mitigation.
New ImageMagick CVEs Pose DoS and RCE Risks
CVE-2025-53014 (CVSS 9.8), CVE-2025-53019 (CVSS 7.5), and CVE-2025-53101 (CVSS 9.8) arise from improper processing of image filenames [CWE-66] in the ImageMagick packages for Linux. Exploitation could reportedly lead to DoS [T1499] and arbitrary code execution [T1203] in the case of CVE-2025-53101. Although these three CVEs aren’t known to be actively exploited in the wild, the German BSI has issued a CERT-Bund Advisory [WID-SEC-2025-1537]. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include detection checks across many Linux distributions.
Multiple High-Risk Security Issues in Cisco Products
CVE-2025-20352 and CVE-2025-20312 (both CVSS 7.7) capped off a tumultuous month for Cisco products. Both CVEs were published on September 24th, 2025. CVE-2025-20352 was discovered by Cisco while fulfilling a customer’s technical support case. The flaw was added to CISA KEV five days later and advisories have been issued by several national CERT agencies [1][2][3][4][5][6][7]. Both CVEs are in the Simple Network Management Protocol (SNMP) subsystem.
CVE-2025-20352 is due to a stack overflow [CWE-121] in the SNMP subsystem of affected products: IOS/IOS XE (all SNMP versions) and Meraki MS390/Catalyst 9300 running Meraki CS 17 or earlier. Exploitation allows authenticated DoS and potentially root-level RCE, depending on the credentials possessed by the attacker. DoS is possible with an SNMPv1/v2c read-only community string or valid SNMPv3 user credentials. To achieve root-level RCE, administrative (privilege 15) credentials for the device are required.
CVE-2025-20312 allows an authenticated remote attacker to cause a DoS. The flaw is caused by improper error handling that allows the system to enter into an infinite loop when parsing crafted SNMP requests [CWE-835]. Exploitation requires a valid SNMP community string with either read-write or read-only permissions. Affected systems are limited to IOS XE switches with both SNMP enabled and WRED for MPLS EXP configured.
No public exploits are available for either CVE. Users who cannot patch may mitigate the vulnerability by limiting SNMP access to trusted network entities and disabling the vulnerable Object Identifiers (OIDs). Cisco has published advisories for each CVE separately [8][9]. The OPENVAS ENTERPRISE FEED provides both authenticated and remote version detection tests for the actively exploited CVE-2025-20352 [10][11] and a remote version detection check for CVE-2025-20312 [12].
Twice-Patched Flaw in SolarWinds Help Desk Still Vulnerable
CVE-2025-26399 (CVSS 9.8) is an unauthenticated RCE vulnerability in SolarWinds Web Help Desk 12.8.7 and all prior versions. The CVE is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original CVE-2024-28986 was added to CISA’s KEV catalog shortly after its disclosure. While there are no confirmed reports of this latest bypass being exploited in the wild, security experts believe exploitation is likely. The root cause remains the same: flawed deserialization of untrusted data [CWE-502] in the product’s AjaxProxy component.
National CERT advisories have been issued by Canada’s CCCS, CERT-FR, and Spain’s INCIBE-CERT. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check, allowing security teams to identify affected instances. Given the critical severity and history of exploitation, applying the Web Help Desk 12.8.7 Hotfix 1 patch is strongly recommended.
Sitecore XM, XP, and XC Actively Exploited
CVE-2025-53690 (CVSS 9.0, EPSS ~95th pctl) is a deserialization vulnerability [CWE-502] affecting Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and some Managed Cloud instances. Unauthenticated attackers can craft malicious __VIEWSTATE payloads to achieve RCE with admin privileges. The vulnerability is under active attack and has been added to CISA’s KEV, joining other exploited Sitecore flaws. At least one Sitecore CVE is known to be leveraged in ransomware attacks.
Attackers are leveraging CVE-2025-53690 to deploy a novel reconnaissance malware dubbed “WEEPSTEEL”. The malware performs host and network discovery [TA0043], exfiltrates sensitive configuration files [TA0010], and escalates privileges [TA0004] by creating local Administrator accounts.
Techniques observed in the attacks include:
- Using Earthworm [1][2][3] for network tunneling [T1572]
- Using DWAgent [4][5] for command-and-control (C2) remote access [T1219]
- Using SharpHound [4][5] for Active Directory (AD) reconnaissance [T1106]
- Using GoTokenTheft to dump SYSTEM/SAM hives for credential harvesting [T1003]
- Exploiting Windows Remote Desktop Protocol (RDP) [T1021] with stolen credentials [T1078] to pivot laterally through the network [TA0008]
The OPENVAS ENTERPRISE FEED includes a remote banner version check for detecting affected Sitecore products. Sitecore’s official advisory strongly urges users to rotate machine keys, enable ViewState MAC, review IoCs, and audit for signs of compromise.
“Exploitation More Likely” for Nine CVEs in Microsoft’s September Patch Cycle
Microsoft’s September patch cycle addresses 97 flaws, nine of which are rated Critical, with the majority rated Important. Affected products include the Windows OS, SMB, NTFS, NTLM, Microsoft Office, Azure, SQL Server, Hyper-V, DirectX, and more. Microsoft flagged nine vulnerabilities with an “Exploitation More Likely” status:
- CVE-2025-55234 (CVSS 9.8): Improper authentication [CWE-287] in Windows’ SMB services could allow attackers to replay stolen credentials to gain privileged access under certain conditions. Customers who have not enabled SMB hardening measures are advised to assess their environment and apply either SMB Server signing or SMB Server Extended Protection for Authentication (EPA).
- CVE-2025-55319 (CVSS 9.8): A command injection flaw [CWE-77] in Agentic AI integrations for Visual Studio Code (version 1.0.0 before 1.104.0) allows RCE for an unauthorized attacker. Users should update to the most recent version of Visual Studio Code [1].
- CVE-2025-54110 (CVSS 8.8): A vulnerability in the Windows kernel involving an integer overflow / wraparound [CWE-190] can allow a local attacker to escape AppContainer Isolation. This can allow privilege escalation to the SYSTEM level and execution of arbitrary code [2].
- CVE-2025-54918 (CVSS 8.8): An authentication flaw [CWE-287] in NTLM allows an authenticated attacker to remotely escalate privileges to the SYSTEM level, enabling full control of a Windows host [3].
- CVE-2025-54916 (CVSS 7.8): A buffer handling bug [CWE-120] in the NTFS file system driver can be triggered by specially crafted input, leading to arbitrary code execution for an authenticated local attacker [4].
- CVE-2025-54098 (CVSS 7.8): Hyper-V virtualization implements improper access control [CWE-284] that permits a malicious guest VM to escape to the host or gain elevated privileges within the hypervisor [5].
- CVE-2025-54093 (CVSS 7.0): A TOCTOU race condition [CWE-367] in Windows TCP/IP could allow local attackers to gain elevated privileges via precise timing attacks [6].
- CVE-2025-53803 (CVSS 5.5): A vulnerability in the Windows kernel results in error messages that leak sensitive information [CWE-209] to a local authenticated attacker, including sensitive memory addresses within kernel space [7].
- CVE-2025-53804 (CVSS 5.5): An information-disclosure vulnerability [CWE-200] in the Windows kernel subsystem enables a local user to determine sensitive memory addresses within kernel space [8].
Organizations that do not attest patch levels across their IT infrastructure are at increased risk of harboring security gaps that attackers may exploit. Greenbone’s OPENVAS ENTERPRISE FEED frequently updates detection for the latest Microsoft vulnerabilities.
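The version-range checks behind the sudo (CVE-2025-32463), SolarWinds Web Help Desk (CVE-2025-26399) and Visual Studio Code (CVE-2025-55319) findings above all reduce to the same problem: turning a banner string into something comparable and testing it against the affected range the advisory states. The script below is an added illustration, not Greenbone’s detection code; the affected ranges are taken from this report, the banner lines are constructed, and the `pN` handling of sudo patch levels and the 12.8.7 Hotfix 1 caveat are the author’s assumptions.

```python
import re
from typing import Callable, Dict, List, Tuple

# Dotted numeric version with sudo's optional "pN" patch suffix (1.9.17p1 > 1.9.17).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:p(\d+))?$")
# Pulls the first version-looking token out of a banner such as "Sudo version 1.9.17p1".
_BANNER_RE = re.compile(r"\d+(?:\.\d+)+(?:p\d+)?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Comparable tuple: four numeric components (zero-padded) plus patch level (p0 if absent)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    parts.append(int(m.group(2) or 0))
    return tuple(parts)


V = parse_version

# Affected ranges exactly as stated in the report (lower bound inclusive, upper exclusive).
# WHD: "12.8.7 and all prior" is fixed by a hotfix, so a bare 12.8.7 banner cannot prove
# the hotfix is present; treat it as affected until confirmed (assumption: fail closed).
AFFECTED: Dict[str, Tuple[str, Callable[[Tuple[int, ...]], bool]]] = {
    "CVE-2025-32463": ("sudo", lambda v: V("1.9.14") <= v < V("1.9.17p1")),
    "CVE-2025-26399": ("SolarWinds Web Help Desk", lambda v: v <= V("12.8.7")),
    "CVE-2025-55319": ("Visual Studio Code", lambda v: V("1.0.0") <= v < V("1.104.0")),
}


def extract_version(banner: str) -> str:
    """Return the first version token in a banner, e.g. the first line of `sudo --version`."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("no version found in banner")
    return m.group(0)


def affected_cves(product: str, version_text: str) -> List[str]:
    """CVE IDs from this report whose affected range contains the given product version."""
    v = parse_version(version_text)
    return [cve for cve, (p, in_range) in AFFECTED.items() if p == product and in_range(v)]


if __name__ == "__main__":
    # Constructed sample banner, in the format `sudo --version` prints.
    banner = "Sudo version 1.9.17\nSudoers policy plugin version 1.9.17\n"
    print(extract_version(banner), affected_cves("sudo", extract_version(banner)))
```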
Summary
September 2025 underscored escalating cyber risks for many popular enterprise software platforms. Critical flaws in Fortra GoAnywhere MFT, Cisco ASA/FTD, and Sitecore were among thousands of new CVEs shaping the month’s threat landscape. Active cyber attack campaigns highlight the urgency of proactive vulnerability management. Regular scanning with Greenbone’s OPENVAS ENTERPRISE FEED enables defenders to detect and mitigate emerging risks before attackers exploit them. A free trial of Greenbone’s OPENVAS BASIC allows defenders to stay on top of emerging threats.

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.