In total, just over 4,500 CVEs were published in September, exposing defenders to new risk. For operational resilience, organizations need to scan their IT infrastructure to identify where hidden risk could impact their operations. A free trial of Greenbone’s OPENVAS BASIC allows defenders to scan their enterprise IT infrastructure to stay on top of emerging threats. This free trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, an industry-leading coverage for CVEs and other IT security vulnerabilities.

So far in September, our blog has covered three emerging cyber security events: SessionReaper, an unauthenticated RCE flaw in Adobe Commerce and Magento, CVSS 10 exposed in Fortra GoAnywhere MFT, and an ArcaneDoor espionage campaign actively exploiting a new vulnerability in Cisco ASA and FTD. In this edition of the monthly threat report, we will cover other high-risk threats from September 2025.

Emerging Threats to Linux Systems

Linux OS is the backbone of global IT infrastructure. As attackers increasingly target Linux environments, vulnerability scanning is essential for operational resilience and service continuity. Here are the top vulnerabilities to Linux disclosed in September 2025.

High-Severity Sudo Flaw is Now Actively Exploited

In July, the Greenbone Threat Report flagged an emerging threat: CVE-2025-32463 (CVSS 7.8) permits unauthorized privilege escalation [TA0004] to root by tricking the Linux sudo command (all releases ≥ 1.9.14 and before 1.9.17p1) into loading attacker-controlled shared libraries [T1129]. CVE-2025-32463 is now being actively exploited and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Canada’s Cyber Centre has issued a new CERT advisory, adding to the existing alerts [1][2][3]. Organizations cannot achieve high resilience while waiting for known vulnerabilities to be flagged as actively exploited. Greenbone added detection tests for CVE-2025-32463 to the OPENVAS ENTERPRISE FEED and COMMUNITY FEED immediately in July 2025, giving users advanced detection and the opportunity to patch.

CVE-2025-38352 POSIX CPU TOCTOU Race in the Linux Kernel
CVE-2025-38352 (CVSS 7.4, EPSS ~70th pctl) is a time-of-check to time-of-use (TOCTOU) flaw [CWE-367] in Linux kernel’s POSIX CPU timers. CVE-2025-38352 allows denial of service (DoS) [T1499] on affected systems and has been added to CISA’s KEV. While no public proof-of-concept (PoC) exploit is available, security researchers have published a detailed technical analysis.

The German BSI has issued two alerts for CVE-2025-38352: one for the Linux kernel [1] and one for Android [2]. Greenbone’s OPENVAS ENTERPRISE FEED and COMMUNITY FEED include patch-level checks for Linux distributions.

High-Severity Vulnerability in Linux UDisks Daemon
CVE-2025-8067 (CVSS 8.5) is a local, unauthenticated privilege escalation [TA0004] flaw in Red Hat Enterprise Linux’s (RHEL) UDisks daemon. The UDisks daemon is a system service for managing storage devices such as hard drives, SSDs, USB drives, optical media, and partitions. The root cause of CVE-2025-8067 is improper handling of negative integer indexes, which can trigger an out-of-bounds memory read [CWE-125]. Exploitation can result in DoS [T1499], or local privilege escalation [T1068] by mapping a loop device to a privileged local file [1].

There’s no indication of active exploitation, but PoC code has been published [2][3]. Germany’s BSI has issued a security advisory [4]. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include package patch-level checks for many Linux distributions. Patching is the only viable mitigation.

New ImageMagick CVEs Pose DoS and RCE Risks
CVE-2025-53014 (CVSS 9.8), CVE-2025-53019 (CVSS 7.5), and CVE-2025-53101 (CVSS 9.8) arise from improper processing of image filenames [CWE-66] in the ImageMagick packages for Linux. Exploitation could reportedly lead to DoS [T1499] and arbitrary code execution [T1203] in the case of CVE-2025-53101. Although these three CVEs aren’t known to be actively exploited in the wild, the German BSI has issued a CERT-Bund Advisory [WID-SEC-2025-1537]. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include detection checks across many Linux distributions.

Multiple High-Risk Security Issues in Cisco Products

CVE-2025-20352 and CVE-2025-20312 (both CVSS 7.7) capped off a tumultuous month for Cisco products. Both CVEs were published on September 24th, 2025. CVE-2025-20352 was discovered by Cisco while fulfilling a customer’s technical support case. The flaw was added to CISA KEV five days later and advisories have been issued by several national CERT agencies [1][2][3][4][5][6][7]. Both CVEs are in the Simple Network Management Protocol (SNMP).

CVE-2025-20352 is due to a stack overflow [CWE-121] in the SNMP subsystem of affected products: IOS/IOS XE (all SNMP versions) and Meraki MS390/Catalyst 9300 running Meraki CS 17 or earlier. Exploitation allows authenticated DoS and potentially root-level RCE, depending on the credentials possessed by the attacker. DoS is possible with an SNMPv1/v2c read-only community string or valid SNMPv3 user credentials. To achieve root-level RCE, administrative (privilege 15) credentials for the device are required.

CVE-2025-20312 allows an authenticated remote attacker to cause a DoS. The flaw is caused by improper error handling that allows the system to enter into an infinite loop when parsing crafted SNMP requests [CWE-835]. Exploitation requires a valid SNMP community string with either read-write or read-only permissions. Affected systems are limited to IOS XE switches with both SNMP enabled and WRED for MPLS EXP configured.

No public exploits are available for either CVE. Users who cannot patch may mitigate the vulnerability by limiting SNMP access to trusted network entities and disabling the vulnerable Object Identifiers (OIDs). Cisco has published advisories for each CVE separately [8][9];. The OPENVAS ENTERPRISE FEED provides both authenticated and remote version detection tests for the actively exploited CVE-2025-20352 [10][11] and a remote version detection check for CVE-2025-20312 [12].

Twice-Patched Flaw in SolarWinds Help Desk Still Vulnerable

CVE-2025-26399 (CVSS 9.8) is an unauthenticated RCE vulnerability in SolarWinds Web Help Desk 12.8.7 and all prior versions. The CVE is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original CVE-2024-28986 was added to CISA’s KEV catalog shortly after its disclosure. While there are no confirmed reports of this latest bypass being exploited in the wild, security experts believe exploitation is likely. The root cause remains the same: flawed deserialization of untrusted data [CWE-502] in the product’s AjaxProxy component.

National CERT advisories have been issued by Canada’s CCCS, CERT-FR, and Spain’s INCIBE-CERT. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check, allowing security teams to identify affected instances. Given the critical severity and history of exploitation, applying the Web Help Desk 12.8.7 Hotfix 1 patch is strongly recommended.

Sitecore XM, XP, and XC Actively Exploited

CVE-2025-53690 (CVSS 9.0, EPSS ~95th pctl) is a deserialization vulnerability [CWE-502] affecting Sitecore Experience Manager (XM), Experience Platform (XP),

Experience Commerce (XC), and some Managed Cloud instances. Unauthenticated attackers can craft malicious __VIEWSTATE payloads to achieve RCE with admin privileges. The vulnerability is under active attack and has been added to CISA’s KEV, joining other exploited SiteCore flaws. At least one Sitecore CVE is known to be leveraged in ransomware attacks.

Attackers are leveraging CVE-2025-53690 to deploy a novel reconnaissance malware dubbed “WEEPSTEEL”. The malware performs host and network discovery [TA0043], exfiltrates sensitive configuration files [TA0010], and escalates privileges [TA0004] by creating local Administrator accounts.

Techniques observed in the attacks include:

• Using Earthworm [1][2][3] for network tunneling [T1572]
• Using DWAgent [4][5] for command-and-control (C2) remote access [T1219]
• Using SharpHound [4][5] for Active Directory (AD) reconnaissance [T1106]
• Using GoTokenTheft to dump SYSTEM/SAM hives for credential harvesting [T1003]
• Exploiting Windows Remote Desktop Protocol (RDP) [T1021] with stolen credentials [T1078] to pivot laterally through the network [TA0008]

The OPENVAS ENTERPRISE FEED includes a remote banner version check for detecting affected Sitecore products. Sitecore’s official advisory strongly urges users to rotate machine keys, enable ViewState MAC, review IoCs, and audit for signs of compromise.

“Exploitation More Likely” for Nine CVEs in Microsoft’s September Patch Cycle

Microsoft’s September patch cycle addresses 97 flaws; 9 rated critical, with the majority rated Important. Affected products include the Windows OS, SMB, NTFS, and NTLM, Microsoft Office, Azure, SQL Server, Hyper-V, DirectX, and more. Microsoft flagged nine vulnerabilities with an “Exploitation More Likely” status:

• CVE-2025-55234
  (CVSS 9.8): Improper authentication [CWE-287] in Windows’ SMB services could allow attackers to replay stolen credentials to gain privileged access under certain conditions. Customers who have not enabled SMB hardening measures are advised to assess their environment and apply either SMB Server signing SMB Server Extended Protection for Authentication (EPA).
• CVE-2025-55319 (CVSS 9.8): A command injection flaw [CWE-77] in Agentic AI integrations for Visual Studio Code (version 1.0.0 before 1.104.0) allows RCE for an unauthorized attacker. Users should update to the most recent version of Visual Studio Code [1].
• CVE-2025-54110 (CVSS 8.8): A vulnerability in the Windows kernel involving an integer overflow / wraparound [CWE-190] can allow a local attacker to escape AppContainer Isolation. This can allow privilege escalation to the SYSTEM level and execution of arbitrary code [2].
• CVE-2025-54918 (CVSS 8.8): An authentication flaw [CWE-287] in NTLM allows an authenticated attacker to remotely escalate privileges to the SYSTEM level, enabling full control of a Windows host [3].
• CVE-2025-54916 (CVSS 7.8): A buffer handling bug [CWE-120] in the NTFS file system driver can be triggered by specially crafted input, leading to arbitrary code execution for an authenticated local attacker [4].
• CVE-2025-54098 (CVSS 7.8): Hyper-V virtualization implements improper access control [CWE-284] that permits a malicious guest VM to escape to the host or gain elevated privileges within the hypervisor [5].
• CVE-2025-54093 (CVSS 7.0): A TOCTOU race condition [CWE-367] in Windows TCP/IP could allow local attackers to gain elevated privileges via precise timing attacks [6].
• CVE-2025-53803 (CVSS 5.5): A vulnerability in the Windows kernel results in error messages that leak sensitive information [CWE-209] to a local authenticated attacker, including sensitive memory addresses within kernel space [7].
• CVE-2025-53804 (CVSS 5.5): An information-disclosure vulnerability [CWE-200] in the Windows kernel subsystem enables a local user to determine sensitive memory addresses within kernel space [8].

Organizations that do not attest patch levels across their IT infrastructure are at increased risk of harboring exploitable security gaps that attackers may exploit. Greenbone’s OPENVAS ENTERPRISE FEED frequently updates detection for the latest Microsoft vulnerabilities.

Summary

September 2025 underscored escalating cyber risks for many popular enterprise software platforms. Critical flaws in Fortra GoAnywhere MFT, Cisco ASA/FTD, and Sitecore were among thousands of new CVEs shaping the month’s threat landscape. Active cyber attack campaigns highlight the urgency of proactive vulnerability management. Regular scanning with Greenbone’s OPENVAS ENTERPRISE FEED enables defenders to detect and mitigate emerging risks before attackers exploit them. A free trial of Greenbone’s OPENVAS BASIC allows defenders to stay on top of emerging threats.

Cybersecurity has moved from boardroom buzzword to front-page reality in Italy this year. Walk into any conference room, attend any summit, or join any industry discussion, and you’ll hear the same urgent conversations: companies are under pressure from increasingly sophisticated cyber threats. However, there’s also something new happening – a wave of innovation and collaboration that’s finally matching the scale of the challenge.

From Abstract Risks to Real Solutions

The year started strong at ITASEC in February, where something refreshing emerged. Instead of the usual doom-and-gloom presentations about theoretical vulnerabilities, real solutions were finally taking center stage. Organizations shared practical strategies for balancing compliance requirements like NIS2 with the daily reality of cyberattacks.

The sessions on OPENVAS and enterprise solutions revealed a crucial shift: companies are moving beyond endless vulnerability spreadsheets toward actionable intelligence. The message was clear: staying informed isn’t enough anymore. Organizations need concrete guidance on their next steps in the future.

But beneath the optimism, a sobering truth emerged from every conversation: Italy remains one of Europe’s most targeted countries. Participants weren’t shy about asking the hard questions: Why do our defenses still lag behind the threats? What will it actually take to turn the tide?

AI: The Double-Edged Sword

March brought CyberSec 2025 in Milan, where artificial intelligence dominated every discussion. The atmosphere was electric, with equal parts of excitement and apprehension. Everyone agreed that AI could revolutionize security operations, making them faster and smarter. But there was a catch: AI also creates entirely new attack surfaces.

The concerns were legitimate. AI models can be manipulated or stolen if not properly secured. That’s why approaches like keeping solutions fully on-premise and updating AI models only through controlled feeds have become so critical. It’s about getting the benefits of automation and intelligence without sacrificing security integrity.

As Dirk Boeing, Security Engineer at Greenbone , emphasized in the interview: “AI isn’t just a buzzword for us – it’s a practical tool that, when used responsibly, helps organizations fight back against cyber attacks.”

The New Reality of Vulnerability Management

The Security Summit later in March highlighted another fundamental shift: the end of occasional scanning as an acceptable security practice. Today’s threat landscape demands continuous, robust monitoring. We saw organizations learning to prioritize critical vulnerabilities, streamline remediation processes, and even transform regulatory compliance from a burden into a competitive advantage.

What stood out was the growing recognition that enterprise solutions offer something community editions simply can’t match: stable feeds, accurate detection, and secure on-premise deployment that goes far beyond basic functionality.

The Numbers Don’t Lie

These conference insights take on new urgency when having a look at what’s actually happening in Italy. The first half of 2025 alone brought 1,549 cyber incidents – a staggering 53% increase compared to 2024. Even more concerning: 346 of these were classified as serious, confirmed-impact events, representing a 98% year-over-year increase.

The attacks aren’t discriminating. Critical sectors like public administration, healthcare, and energy have all been hit hard. Take the attack on April 2 on Mobilità di Marca (MOM), Treviso’s public transport company, which knocked out electronic ticketing services for days. It’s a perfect example of how digital infrastructure vulnerabilities can disrupt everyday life.

Smaller companies aren’t escaping either. April reports showed the telecommunications sector getting hammered by spear-phishing attacks, with numerous organizations suffering significant breaches.

What’s Next: Proactive Defense Is the Only Defense

Every expert at every conference has been saying the same thing: continuous monitoring and proactive vulnerability management aren’t just “nice-to-haves” anymore. They’re survival requirements. The escalating frequency and sophistication of attacks demand a fundamental shift from reactive firefighting to proactive defense strategies.

Mark Your Calendar: October Events You Can’t Miss

The conversation continues this October, with three major events putting Rome at the center of Italy’s cybersecurity evolution:

AFCEA TechNet Europe Rome 2025 (October 1 – 2) brings together defense experts, industry leaders, and technology innovators to explore emerging threats and cutting-edge solutions.

Cybertech Europe (October 21 – 22) offers the chance to connect with top cybersecurity minds, see live demonstrations, and dive deep into the challenges and solutions shaping Italy’s digital resilience.

Richmond Cyber Resilience Forum (October 28 – 30) is a meeting point between demand and supply of innovative solutions. Here, Italian companies meet industry experts to discover trends and strategies of cybersecurity.

OPENVAS S.r.l. will be at all three events, showcasing enterprise-grade vulnerability management solutions, sharing insights on AI-driven security, and demonstrating how organizations can transform compliance from a checkbox exercise into a proactive defense strategy.

The Path Forward

2025 is proving to be a pivotal year for Italian cybersecurity. The threats are real and growing, but so is our collective response. Each conference, each collaboration, and each new innovation brings us closer to transforming today’s challenges into tomorrow’s resilience.

The question isn’t whether you’ll face a cyberattack, it’s whether you’ll be ready when it happens. Don’t wait for the wake-up call. The time to strengthen your cyber defenses is now.

Ready to turn insights into action? Connect with us at the upcoming October events, or reach out today to learn how enterprise-grade vulnerability management can transform your organization’s security position.

After many years at the helm of Greenbone, our co-founder, Dr Jan-Oliver Wagner, is stepping down from active operational management. However, he will remain closely associated with the company as a consultant. We would like to thank Dr Wagner for his extraordinary commitment and all that he has achieved for Greenbone since its foundation.

 

 

The new CEO is Elmar Geese, who has been part of Greenbone’s management team since 2019. With this change in leadership, we are focusing on continuity and stability for our customers, employees and shareholders.

The August 2025 Threat Report underscores how quickly high-risk vulnerabilities can shift from disclosure to active exploitation. Citrix, Fortinet, N-able, and Trend Micro flaws were weaponized within days. Other critical flaws in highly targeted software, such as Microsoft Exchange, emerged. Mainstream enterprise applications, such as Docker Desktop, Git, and Zoom, were also exposed to new vulnerabilities this month. Let’s review some of the biggest cyber threats that emerged in August 2025.

Trio of High-Risk Citrix NetScaler CVEs: One Actively Exploited

Citrix alerted its customers to active exploitation of CVE-2025-7775 and two additional high-risk CVEs. The trio affect NetScaler ADC and NetScaler Gateway in various configurations. So far, only CVE-2025-7775 has been added to CISA’s Known Exploited Vulnerabilities (KEV). Multiple National CERT alerts have been issued globally [1][2][3][4][5][6][7]. Users of affected products should patch with urgency.

• CVE-2025-7775 (CVSS 9.8, EPSS ≥92nd pctl): A memory overflow [CWE-119] allows Remote Code Execution (RCE) or Denial of Service (DoS) when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
• CVE-2025-6543 (CVSS 9.8): A memory overflow [CWE-119] leads to unintended control flow and DoS when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
• CVE-2025-7776 (CVSS 8.8): A memory overflow [CWE-119] leads to unpredictable behavior and DoS when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) with a PC-over-IP (PCoIP) profile. PCoIP is a remote display protocol used for virtual desktop access.

Another high-risk flaw affecting NetScaler ADC and Gateway, dubbed “CitrixBleed 2”, just emerged in June 2025, and was actively exploited in ransomware attacks soon after disclosure. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version detection test for these three new CVEs, and for CitrixBleed 2.

Emergency Patch for Microsoft Exchange Hybrid Deployment

CVE-2025-53786 (CVSS 8.0) is a high-risk post-authentication privilege escalation flaw in Microsoft Exchange hybrid-joined configurations. In a hybrid deployment, an on-premises Active Directory (AD) domain is synchronized with a cloud-based Azure AD; devices and services are recognized by both. If exploited, CVE-2025-53786 allows an attacker with admin access to an on-premises Exchange Server to move laterally to Microsoft 365 Exchange Online [CWE-287] and potentially modify authentication processes for persistence [T1556.007].

Exploitation, including authentication bypass, lateral movement [TA0008], and data exfiltration [TA0010], was demonstrated at Black Hat 2025. Despite no observed exploitation in the wild, Microsoft has assigned a status of “Exploitation More Likely”. CISA has issued an Emergency Directive (ED 25-02) and warned that CVE-2025-53786 could result in total domain compromise across hybrid environments. Numerous government CERT agencies have also issued alerts [1][2][3][4][5][6][7]. The OPENVAS ENTERPRISE FEED includes two remote version detection tests to identify vulnerable instances of Microsoft Exchange [8][9].

Max-Severity Flaw in Cisco Secure Firewall Management Center

CVE-2025-20265 (CVSS 10) is an RCE flaw in Cisco Secure Firewall Management Center (FMC) physical and virtual appliances if configured with RADIUS for web-based authentication or for SSH for management access. The flaw is caused by improper input handling, which can result in command injection downstream in the authentication process [CWE-74]. Unauthenticated attackers may inject arbitrary shell commands and have them executed with elevated privileges.

Public exploit code or active attacks have not yet been observed. However, Cisco edge devices have historically been targeted by APT adversaries [1][2][3]. Considering the edge locality of FMC deployments and the maximum CVSS, CVE-2025-20265 warrants urgency. Cisco has published security patches, and contrastingly stated that no workarounds exist while also advising users that disabling RADIUS authentication is a temporary mitigation. Greenbone’s OPENVAS ENTERPRISE FEED includes a version detection test to remotely identify unpatched FMC devices.

FortiSIEM Exploited and Other High-Risk CVEs in Fortinet Products

Fortinet was the subject of several high-risk vulnerabilities in August. In total, 14 CVEs were issued for Fortinet products — six were rated CVSS High or Critical. Several national CERT advisories cover the three most critical CVEs from this group [1][2][3], while others address only the most severe — CVE-2025-25256 [4][5][6][7][8] — which has been flagged by Fortinet as actively exploited. The OPENVAS ENTERPRISE FEED includes a version check and active check to identify FortiSIEM devices vulnerable to CVE-2025-25256, and a family of vulnerability tests dedicated to Fortinet CVEs, including those mentioned below and others.

• CVE-2025-25256 (CVSS 9.8, EPSS ≥95th pctl): Improper neutralization of special elements used in an OS command [CWE-78] allows an unauthenticated remote attacker to execute unauthorized commands via requests to the phMonitor service on TCP port 7900. Fortinet acknowledges active exploitation in the wild. A full technical description and proof-of-concept (PoC) exploit are available. FortiSIEM 5.4 and various sub-versions of FortiSIEM 6 and 7 are affected.
• CVE-2024-26009 (CVSS 8.1): An authentication bypass using an alternate path or channel vulnerability [CWE-288] allows an unauthenticated attacker to take control of a managed device via malicious FortiGate to FortiManager Protocol (FGFM) requests. Exploitation requires a FortiGate device to be managed by FortiManager, and for the attacker to know the FortiManager’s serial number. Various versions of FortiOS, FortiPAM, and FortiSwitchManager are affected.
• CVE-2025-52970 (CVSS 8.1): Improper handling of parameters [CWE-233] allows an unauthenticated remote attacker with possession of sensitive information for the target device and an existing user to log in as any user on the device via a specially crafted HTTP request. Various sub-versions of FortiWeb 7 are affected.

Two New N-Able CVEs Actively Exploited

Two new CVEs impacting N-able’s N‑central present a high risk to organizations using the software. Both new CVEs have been added to CISA’s KEV list and national CERT alerts were issued by NCSC.nl [1], the Canadian Cyber Centre [2], and South Korea’s K‑CERT [3]. N‑central is a Remote Monitoring and Management (RMM) platform widely used to monitor and manage networks and systems. Although exploiting either vulnerability requires authentication, credential theft [TA0006], password reuse [T1078], insider threats, and other possible attack trajectories elevate risk.

• CVE-2025-8876 (CVSS 8.8, EPSS ≥95th pctl): Unsanitized input is injected into OS shell commands [CWE-78], allowing RCE with the N-central application’s privileges.
• CVE‑2025‑8875 (CVSS 7.8, EPSS ≥93rd pctl): Insecure deserialization of untrusted data [CWE-502] may allow attackers to craft object “gadget” chains for arbitrary RCE or unauthorized application state changes.

Versions of N-central prior to 2025.3.1 are affected. One day after the CVEs were published, Shadowserver reported ~1,000 unpatched N‑central servers exposed on the internet. Two weeks later, most remain unpatched. The OPENVAS ENTERPRISE FEED can remotely detect vulnerable versions of N-central, allowing defenders to apply mitigations.

New Critical Trend Micro Apex One Flaw Under Attack

CVE-2025-54948 (CVSS 9.8, EPSS ≥94th pctl) and CVE-2025-54987 (CVSS 9.8, EPSS ≥63rd pctl) are unauthenticated RCE vulnerabilities affecting on-premises Trend Micro Apex One Management Console. Both CVEs represent the same flaw, but for different CPU architectures. The culprit is a pre-authentication OS-command-injection flaw [CWE-78] via malicious file upload. A compromised device gives attackers direct access to an organization’s security infrastructure. Successful exploitation requires either remote or physical access, making internet-exposed instances particularly high-risk. However, local network instances may also offer attackers an opportunity for lateral movement [TA0008] after they gain initial access [TA0001] to a victim’s network.

According to Trend Micro, active exploitation is underway and CISA has added CVE-2025-54948 to the KEV catalog, where it joins many other exploited Apex One flaws going back to 2021. National CERT advisories have been issued by government agencies globally [1][2][3][4][5]. Apex One (on‑prem) 2019 (14.0) version 14.0.0.14039 and earlier are affected. Consult the official advisory for mitigation instructions and a custom tool that disables the Remote Install Agent function. Greenbone’s OPENVAS ENTERPRISE FEED includes a local detection test to identify affected endpoints.

Git Repository Cloning Flaw Actively Exploited

CVE-2025-48384 (CVSS 8.0, EPSS ≥88th pctl), issued in early July 2025, has been added to CISA’s KEV and exploitation is considered trivial. The flaw is described as an arbitrary file write when cloning a specially crafted repository containing sub-modules that use a ‘recursive’ flag — i.e. git clone –recursive <repo> — an option used to automatically fetch sub-modules when cloning a repository. The flaw is due to mishandling of trailing carriage return (CR) characters in configuration values, potentially resulting in RCE. Attackers must trick a victim into cloning a malicious Git repository to achieve exploitation.

A full technical description and exploits containing malicious .gitmodules files are already available online [1][2][3]. INCIBE-CERT has issued an alert [4] and CISA has added the CVE to its KEV list [5]. The flaw affects many versions of Git up to 2.50.0. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include local package detection tests for CVE-2025-48384.

Container Escape in Docker Desktop for Windows and macOS

CVE-2025-9074 (CVSS 9.3) is a container escape vulnerability in Docker Desktop for Windows and macOS. The flaw allows attackers to gain unauthorized access to a victim’s host system when running a malicious container. The Docker Engine API was found to be accessible without authentication via TCP/IP at 192.168.65.7:2375. This channel bypasses normal socket restrictions and renders Docker’s Enhanced Container Isolation (ECI) ineffective. On Windows, attackers can mount and overwrite system DLLs to gain full administrative control. On macOS, host file system access is more limited due to OS-level safeguards. Linux instances are not affected.

PoCs indicate that exploitation is trivial — just a few lines of Python or a simple HTTP request can compromise a vulnerable instance of Docker Desktop. A detailed technical write-up, existence of at least one public exploit, and Docker’s widespread use elevate the risk posed by CVE-2025-9074. The OPENVAS ENTERPRISE FEED includes a version detection test for Windows installations.

Critical Flaw in Zoom Client for Windows Allows Unauthenticated RCE

CVE-2025-49457 (CVSS 9.6) affects multiple Zoom products for Windows including Zoom Workplace, VDI, Rooms, Rooms Controller, and Meeting SDK prior to version 6.3.10. The flaw is caused by an untrusted search path vulnerability [CWE-426] due to improper DLL path handling. Known as “DLL side-loading“, this flaw happens when the Windows LoadLibrary() API function is called without specifying a fully qualified file path. In that case, Windows follows its default DLL search order. If attackers can place a file in a searched directory, it will be loaded and executed. Therefore, CVE-2025-49457 is especially dangerous in combination with social engineering [T1566], or insider threats, which continue to be prevalent in 2025. Exploitation provides privilege escalation to an attacker, potentially to the Windows SYSTEM level, and arbitrary code execution.

Malaysia’s MyCERT [1] and Hong Kong’s CERT-HK [2] have issued advisories. The issue is patched in Zoom version 6.3.10 and later, and organizations should verify update status. Although many desktop applications, such as Zoom, support automatic updates, it’s still critical for defenders to verify patch status across their IT fleets. The OPENVAS ENTERPRISE FEED includes an active check to identify vulnerable Zoom applications.

Summary

The August 2025 Threat Report highlights new high-risk vulnerabilities across popular platforms. Defenders faced an intense month with new Citrix NetScaler flaws being actively exploited soon after CitrixBleed 2 was exposed, an emergency Microsoft Exchange patch, a maximum-severity Cisco Secure Firewall CVE, and emerging exploitation of Fortinet, N-able, and Trend Micro products. New Docker Desktop, Git, and Zoom vulnerabilities also add to this month’s list of threats. Greenbone’s OPENVAS SECURITY INTELLIGENCE reduces the burden on security teams by delivering fast and reliable detection and assurance on organization-wide patch levels.

Starting August 2025, businesses and administrative bodies must implement initial provisions of the EU AI Act – a new era of responsibility in dealing with artificial intelligence begins. Since the AI Act not only demands technical adjustments, but a fundamental rethinking, AI will prospectively be evaluated in a more nuanced way, taking risk and use case into account. This is especially true for AI encroaching on sensitive areas of life or working with personally identifiable data.

For organizations, this means: They have to grapple intensively with the ecosystem surrounding their AI-systems, detect risks early, and address them deliberately. Transparency on underlying data, comprehensible models, and human supervision are no longer optional; they are mandatory. Simultaneously, the AI Act offers a valuable framework to build trust and, in the long run, use AI safely and responsibly. Vulnerability management and cybersecurity are not exempt from this.

AI Interview with Cybersecurity Experts

We have interviewed Kim Nguyen, Senior Vice President of Innovation at the German Federal Printing Office (Bundesdruckerei) and seasoned leader and face of their Trusted Services, on the topic of AI, regulation, and the impact on cybersecurity. Additionally, Greenbone CMO Elmar Geese gives a forecast on the future of vulnerability management.

Greenbone: Kim, the topic of AI is on everyone’s lips right now, especially at events like the recent Potsdam Conference on National Cybersecurity (Potsdamer Konferenz für Nationale Cybersecurity). And you are in the thick of the public discourse.

Nguyen: Yes, I can not deny that the topic of AI is very dear to my heart, as you can tell by looking at my publications and keynotes on the topic. But my approach is a bit different than that of others. It places emphasis on trust and has many different dimensions, one of which is benevolence. That means the well-being of individual users needs to be in focus at all times. Users assume the system operates in their best interest, not in pursuit of an unknown agenda.

Greenbone: What do you think, will cybersecurity as a whole become more secure with AI, or less?

Nguyen: Of course, artificial intelligence has long reached cybersecurity – as a risk and as a chance: On one hand, it increases the attack vector, as cyber-criminals can accelerate, automate, and aim their attacks better. On the other hand, it can help harden defenses, for example, by analysing real-time data from different security sources to automatically identify security incidents and react accordingly.

„A Cat-and-Mouse Game“

To keep up in this cat-and-mouse game between attackers and defenders, you have to rely on AI, especially for defense. Government regulation is crucial here, as without appropriate legislation and technical standards, no one could know what is permitted and trustworthy and what is not.

Moreover, lawmakers must continue to actively intervene in these highly dynamic technical developments to ensure legal certainty and clear guidance. Finding the right measures and simultaneously leaving slack to encourage innovation and allow AI to be an enabler is not easy, but immensely important.

Greenbone: What do you regard as the most important questions/regulations in the EU AI Act and regulations that organizations have to face? What else is coming our way? What are big institutions like the Federal Printing Office doing to prepare?

Nguyen: With the AI Act, organizations must classify their AI-systems in a risk-based manner and fulfill different requirements regarding transparency, data-quality, governance, and security, depending on the classification – especially regarding high-risk appliances.

However, it is not just about assuring compliance, but utilizing the regulatory framework as a strategic lever for trustworthy innovation and sustainable competitiveness. It is not sufficient to focus strictly on an appropriate AI model. Integration, training of the model, and educating users are just as important. Comprehensive security guidelines – so-called “guard rails” – must be set up to ensure the system does not undertake any unauthorized processes.

„Well-Practiced Processes Bring Replicability, Robustness and Transparency to the Foreground“

The Printing Office, as a federal technology company, has been active in the high-security sector for years. We enact well-attuned processes and structures to bring replicability, robustness, and transparency to the foreground and bring trust in different AI solutions to administrations. With the AI Competence Center, we support federal agencies and ministries in developing AI applications. We have built the platform PLAIN, which offers a shared infrastructure for data and AI-applications with the Federal Foreign Office, and we developed an AI-assistant, Assistant.iQ, that meets the administration’s requirements for data security, traceability, and flexibility.

Greenbone: Open Source is a minimum requirement for trust in software, IT, and cybersecurity – is that even possible for AI, and if so, to what degree?

Nguyen: Open Source is an important topic in AI, as it can provide the necessary trust by reviewing code and models. This requires results to be examinable and verifiable, which necessitates a community that actively cares and participates.

The Open Source approach of many projects is ambitious and admirable, but many projects do not get sufficiently maintained over time or come to a standstill all together. In any case, you have to look closely when it comes to the topic of Open Source and AI. In other words: Not all Open Source is created equal. When AI developers publish under an open-source license, that does not mean you get an open-source AI.

For a start, the numerical values, so-called weights of an AI model, are very important, as they determine how it processes input and makes decisions. Then you have to consider the training data – which is often not disclosed to customers and users. Only with them can one arrive at an assessment of how transparent, trustworthy, and reproducible an open source model really is. Only when the complete knowledge behind different models is freely available, viable ideas can be built upon that foundation and lead to innovation.

Greenbone: What is missing to enable the safe deployment of AI? What do we have to change?

Nguyen: Safe deployment of AI requires, in addition to technical excellence, an appropriate Mindset for development, governance, and responsibility. Concretely, we have to keep the principle of “Security by Design” in mind from the very start. What this means: Developers must always systematically examine what could go wrong and integrate those risks early on in the blueprint and architecture of the model.

Equally important is the transparency across the edges of AI-systems: Language models currently only function reliably within certain contexts – outside of their training domain, they may deliver plausible, but potentially erroneous results. Developers should therefore clearly communicate where their model works reliably and where it fails.

Mindset, Context, and Copyright

If we do not want to experience major trust and compliance issues, we must not neglect questions about copyright and training data. Then, you need clear test data, an appropriate evaluation infrastructure, and ongoing monitoring of bias and fairness.

A balanced combination of legal regulation, technical self-commitment, and fast reacting governance is the key to an AI allowing one to protect democratic values and take technological responsibility.

Greenbone: Do you believe the EU has a competitive advantage?

Nguyen: Yes, the EU has a real advantage in the global AI competition – and it is rooted in trust. Other regions primarily bet on speed and market dominance – and in doing so, as recently happened in the U.S., largely absolve tech giants of responsibility for societal risks. On the contrary, Europe establishes a downright exemplary model with the AI Act, relying on security, data protection, and a human-centered approach to development.

Precisely because AI is increasingly entering sensitive areas of life, protection of personal data and the enforcement of democratic values are becoming increasingly crucial. With its governance structure, the EU is building mandatory standards that many countries and organizations around the world look toward. This focus on values will pay off for Europe in the long run – specifically in the export of technology and the strengthening of societal trust in democracy and systems on-site.

Especially in the development of human-centered AI, Europe is a trailblazer. However, regulation must not become a hindrance to innovation: Trust and security must go hand in hand with readiness to invest, technological openness, and fast implementability. Europe can set standards – and build up a unique, competitive AI-identity.

Greenbone-CMO Elmar Geese on AI in Vulnerability Management

Greenbone: Mr. Geese, AI is on everyone’s lips – what changes does AI bring to vulnerability management?

Geese: I think AI is going to support us a lot, but it can never replace vulnerability management fully. Although AI can take care of time-intensive routine tasks like, for example, the evaluation of large quantities of data, finding patterns, and making suggestions for prioritization, security teams must stay in charge of final decisions and stay in control, especially in complex and critical cases where human understanding of context is invaluable.

The purposeful usage – with careful judgement and planning – in vulnerability management brings numerous advantages, without having to relinquish control completely. We are already using AI today to provide a better product to our customers, completely without relaying client data to big AI service providers. Our “trustworthy AI” works completely without the transfer and central collection of data.

Greenbone: What risks do you have to consider?

Geese: According to today’s state of technology, the use of AI in security-critical areas has several risks that need to be contained. Automation creates many chances, but also risks like flawed decision making, new attack vectors, or unintended system effects. An AI with “measured judgment” combines human and machine strengths, such that technological advantages like speed and scalability can be harnessed, without disempowering technical staff or taking security risks.

Greenbone and KI

Greenbone counts on the purposeful use of artificial intelligence to efficiently detect vulnerabilities in the IT-sector and support priorities. All the while, the security teams stay responsible and in control at all times, especially when it comes to sensitive and complex decisions. Data protection always takes top priority for us: Customer data will never be transferred to external AI companies.

Our approach combines the advantages of modern technology with human reasoning – for contemporary and responsible cybersecurity.

Contact us for further information.