On September 25, 2025, three new CVEs affecting Cisco networking products exploded onto the global cyber security landscape. Two of these were actively exploited as zero-days prior to their disclosure. Greenbone now includes detection tests for all three new high-risk CVEs in the OPENVAS ENTERPRISE FEED.


CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) affect the VPN web server of the Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) platforms. The VPN web server enables remote devices to access an internal network via SSL/TLS-based VPN. These two CVEs can be chained for full system takeover of unpatched devices. Furthermore, they are reportedly leveraged in ArcaneDoor espionage campaigns. Also, CVE-2025-20363 (CVSS 9.0), while not tagged as actively exploited, has been bundled into most national security advisories addressing the first two flaws. The latter affects an extended list of products: Cisco ASA and FTD, as well as Cisco IOS, IOS XE, and IOS XR under certain configurations.

Greenbone’s OPENVAS ENTERPRISE FEED includes detection checks for each new high-risk CVE [1][2][3][4][5][6][7][8][9]. You can start a free trial to scan your IT environment for these and other cybersecurity vulnerabilities. Below, we discuss aspects of this ongoing situation, including the attack campaign, a brief technical description of the three flaws, and mitigation guidance.

Campaigns Exploiting Cisco ASA 5500-X Devices

CVE-2025-20333 and CVE-2025-20362 were actively exploited as zero-days targeting Cisco ASA 5500-X series devices without Secure Boot. Chained, they give unauthenticated attackers full control of the breached device. Known campaigns leveraging these flaws have deployed RayInitiator and LINE VIPER to achieve persistence [TA0003], execute commands remotely [TA0011], and exfiltrate data [TA0010]. These attacks are attributed to the ArcaneDoor cyber-espionage campaign, which has targeted perimeter network devices since early 2024 and is considered highly sophisticated. Advanced techniques used in the attacks include:

  • Low-level ROMMON (ROM Monitor) tampering [004] and Pre-OS bootkit [T1542.003] for covert persistence between reboots
  • Command-line interface (CLI) interception [008]
  • Disabling system logging [001]
  • Network packet capture [T1040]
  • Bypassing AAA network-device authentication and authorization protocols [004]

No public PoC exploits are available, but CISA and Cisco have confirmed that CVE-2025-20333 and CVE-2025-20362 are already exploited in the wild [1][2]. While attacks leveraging CVE-2025-20363 have not been confirmed, the CVE is included in many national CERT advisories covering the first two CVEs [3][4][5][6][7][8][9][10]. Supplemental guidance includes malware analysis from the UK’s NCSC [11] and IoC hunt instructions from CISA [12].

Technical Analysis of New Critical-Risk Cisco CVEs

All three CVEs are caused by improper validation of user-supplied input in HTTPS requests [CWE-20]. When combined, CVE-2025-20333 and CVE-2025-20362 allow attackers to execute arbitrary code as root on the victim’s system: CVE-2025-20333 provides the RCE but requires valid VPN credentials, while CVE-2025-20362 supplies the authentication bypass. CVE-2025-20363 also allows unauthenticated access to restricted URLs, but across a wider scope of products, including Cisco ASA and FTD software as well as Cisco IOS, IOS XE, and IOS XR under certain configurations.

Here is a brief description of each vulnerability:

  • CVE-2025-20333 (CVSS 9.9): Crafted HTTPS requests to the VPN web server can lead to arbitrary RCE as root on the VPN web server for Cisco ASA and FTD devices. The flaw is classified as a Buffer Overflow [CWE-122] that requires valid VPN user credentials for exploitation.
  • CVE-2025-20362 (CVSS 6.5): Unauthenticated attackers achieve authentication bypass to reach restricted URL endpoints on the VPN web server for Cisco ASA and FTD devices. The flaw is due to missing authorization [CWE-862] for sensitive HTTP paths.
  • CVE-2025-20363 (CVSS 9.0): Unauthenticated RCE as root on the VPN web server of Cisco ASA and FTD devices. Low-privilege authenticated attackers may achieve RCE as root on Cisco IOS, Cisco IOS XE, and Cisco IOS XR software. The flaw is a heap-based buffer overflow [CWE-122] caused by improper validation of user-supplied input in HTTP requests.

Mitigation Instructions for Impacted Devices

CISA has issued an Emergency Directive for all federal agencies to immediately remediate the ongoing threat. Users of these products should immediately begin to identify, analyze, and mitigate affected products to protect their operations. For analysis, users should follow CISA’s Core Dump and Hunt Instructions and Cisco’s official Detection Guide.

If a breach is identified, compromised devices should be disconnected but not powered off, and Incident Response Plans (IRP) and eviction processes should be activated. Victims should notify the relevant regional authorities and submit their core dump(s) for analysis. Malware analysis for RayInitiator and LINE VIPER has been published by the UK’s NCSC [1]. Cisco’s official advisories can be consulted for more detailed information [2][3][4]. Platforms vulnerable to CVE-2025-20333 and CVE-2025-20362 include:

ASA hardware, ASA-Service Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300. Affected Cisco ASA software versions are:

  • 9.12 – all releases before 9.12.4.72
  • 9.14 – all releases before 9.14.4.28
  • 9.16 – all releases before 9.16.4.85
  • 9.17 – all releases before 9.17.1.45
  • 9.18 – all releases before 9.18.4.67
  • 9.19 – all releases before 9.19.1.42
  • 9.20 – all releases before 9.20.4.10
  • 9.22 – all releases before 9.22.2.14
  • 9.23 – all releases before 9.23.1.19

Cisco FTD appliances with software versions:

  • 7.0 – all releases before 7.0.8.1
  • 7.1 – all versions
  • 7.2 – all releases before 7.2.10.2
  • 7.3 – all versions
  • 7.4 – all releases before 7.4.2.4
  • 7.6 – all releases before 7.6.2.1
  • 7.7 – all releases before 7.7.10.1

CVE-2025-20363 affects the aforementioned ASA and FTD products, all releases of Cisco IOS and Cisco IOS XE with Remote Access SSL VPN enabled, and Cisco IOS XR Software versions 6.8 and 6.9 (32-bit on ASR 9001) with the HTTP server enabled. Cisco NX-OS Software, 64-bit IOS XR, IOS/IOS XE without SSL VPN enabled, and ASA/FTD without WebVPN/SSL VPN features configured are not affected.
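As an added example (not Greenbone’s own detection test), the following Python script turns the ASA and FTD fixed-release lists above into a local triage check: it parses a version string as printed by the device (the dotted form used above, or the `9.12(4)67` style that ASA’s `show version` output uses, which is an assumption about the input format), maps it to its release train, and reports whether it is below the fixed release. Trains the lists do not mention are reported as unknown rather than as safe.

```python
import re

# Fixed releases per ASA / FTD release train, taken from the lists above.
# None means every release of that train is listed as affected.
ASA_FIXED = {
    "9.12": "9.12.4.72", "9.14": "9.14.4.28", "9.16": "9.16.4.85",
    "9.17": "9.17.1.45", "9.18": "9.18.4.67", "9.19": "9.19.1.42",
    "9.20": "9.20.4.10", "9.22": "9.22.2.14", "9.23": "9.23.1.19",
}
FTD_FIXED = {
    "7.0": "7.0.8.1", "7.1": None, "7.2": "7.2.10.2", "7.3": None,
    "7.4": "7.4.2.4", "7.6": "7.6.2.1", "7.7": "7.7.10.1",
}
TABLES = {"asa": ASA_FIXED, "ftd": FTD_FIXED}

# A version token: digits separated by '.', '(' or ')', e.g. 9.12(4)67 or 7.4.2.4.
# Trailing text such as "(Build 12)" is not part of the token and is ignored.
VERSION_TOKEN = re.compile(r"\d+(?:[.()]\d+)+")


def parse_version(text: str) -> tuple:
    """Extract the first version token from `text` and return it as an int tuple.

    '9.12(4)67', '9.12.4.67' and 'Software Version 9.12(4)67' all give (9, 12, 4, 67).
    """
    match = VERSION_TOKEN.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in re.findall(r"\d+", match.group(0)))


def is_vulnerable(product: str, version: str):
    """Compare a device version against the fixed release of its train.

    Returns True when the release is below the fixed release (or the whole train
    is affected), False when it is at or above the fixed release, and None when
    the train is not in the table, i.e. consult the vendor advisory instead of
    assuming the device is safe.
    """
    table = TABLES[product.lower()]
    parts = parse_version(version)
    train = f"{parts[0]}.{parts[1]}"
    if train not in table:
        return None
    fixed = table[train]
    if fixed is None:
        return True  # every release of this train is affected
    # Tuple comparison handles interim numbers: (9, 12, 4, 67) < (9, 12, 4, 72).
    return parts < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample lines, not output captured from real devices.
    samples = [
        ("asa", "Cisco Adaptive Security Appliance Software Version 9.12(4)67"),
        ("asa", "9.16.4.90"),
        ("ftd", "7.1.0.3"),
        ("asa", "9.21.1.1"),
    ]
    for product, banner in samples:
        state = {True: "VULNERABLE", False: "patched", None: "train not listed"}
        print(f"{product.upper():3} {banner!r:70} -> {state[is_vulnerable(product, banner)]}")
```

Feed it the version line from each device’s own inventory; it does not replace the vendor’s detection guide, which also covers the configuration conditions described above.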

Summary

The coordinated disclosure of CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 has triggered a global security response. Combined, the CVEs have potential for full system compromise of Cisco ASA and FTD devices as well as devices using Cisco IOS, IOS XE, and IOS XR software with certain configurations. An ongoing ArcaneDoor espionage campaign has been identified leveraging CVE-2025-20333 and CVE-2025-20362 against legacy ASA 5500-X devices.

Security agencies, including CISA and national CERTs, have issued urgent mitigation guidance, stressing immediate patching, forensic investigation, and IRP activation. Greenbone has released detection checks for all three vulnerabilities in the OPENVAS ENTERPRISE FEED to help organizations rapidly identify and remediate exposure. Start a free trial today to scan your IT environment for these and other cybersecurity risks.

Cybersecurity has moved from boardroom buzzword to front-page reality in Italy this year. Walk into any conference room, attend any summit, or join any industry discussion, and you’ll hear the same urgent conversations: companies are under pressure from increasingly sophisticated cyber threats. However, there’s also something new happening: a wave of innovation and collaboration that’s finally matching the scale of the challenge.

From Abstract Risks to Real Solutions

The year started strong at ITASEC in February, where something refreshing emerged. Instead of the usual doom-and-gloom presentations about theoretical vulnerabilities, real solutions were finally taking center stage. Organizations shared practical strategies for balancing compliance requirements like NIS2 with the daily reality of cyberattacks.

The sessions on OPENVAS and enterprise solutions revealed a crucial shift: companies are moving beyond endless vulnerability spreadsheets toward actionable intelligence. The message was clear: staying informed isn’t enough anymore. Organizations need concrete guidance on their next steps.

But beneath the optimism, a sobering truth emerged from every conversation: Italy remains one of Europe’s most targeted countries. Participants weren’t shy about asking the hard questions: Why do our defenses still lag behind the threats? What will it actually take to turn the tide?

AI: The Double-Edged Sword

March brought CyberSec 2025 in Milan, where artificial intelligence dominated every discussion. The atmosphere was electric, with equal parts of excitement and apprehension. Everyone agreed that AI could revolutionize security operations, making them faster and smarter. But there was a catch: AI also creates entirely new attack surfaces.

The concerns were legitimate. AI models can be manipulated or stolen if not properly secured. That’s why approaches like keeping solutions fully on-premise and updating AI models only through controlled feeds have become so critical. It’s about getting the benefits of automation and intelligence without sacrificing security integrity.

As Dirk Boeing, Security Engineer at Greenbone, emphasized in the interview: “AI isn’t just a buzzword for us – it’s a practical tool that, when used responsibly, helps organizations fight back against cyber attacks.”

The New Reality of Vulnerability Management

The Security Summit later in March highlighted another fundamental shift: the end of occasional scanning as an acceptable security practice. Today’s threat landscape demands continuous, robust monitoring. We saw organizations learning to prioritize critical vulnerabilities, streamline remediation processes, and even transform regulatory compliance from a burden into a competitive advantage.

What stood out was the growing recognition that enterprise solutions offer something community editions simply can’t match: stable feeds, accurate detection, and secure on-premise deployment that goes far beyond basic functionality.

The Numbers Don’t Lie

These conference insights take on new urgency when looking at what’s actually happening in Italy. The first half of 2025 alone brought 1,549 cyber incidents, a staggering 53% increase compared to 2024. Even more concerning: 346 of these were classified as serious, confirmed-impact events, representing a 98% year-over-year increase.

The attacks aren’t discriminating. Critical sectors like public administration, healthcare, and energy have all been hit hard. Take the attack on April 2 on Mobilità di Marca (MOM), Treviso’s public transport company, which knocked out electronic ticketing services for days. It’s a perfect example of how digital infrastructure vulnerabilities can disrupt everyday life.

Smaller companies aren’t escaping either. April reports showed the telecommunications sector getting hammered by spear-phishing attacks, with numerous organizations suffering significant breaches.

What’s Next: Proactive Defense Is the Only Defense

Every expert at every conference has been saying the same thing: continuous monitoring and proactive vulnerability management aren’t just “nice-to-haves” anymore. They’re survival requirements. The escalating frequency and sophistication of attacks demand a fundamental shift from reactive firefighting to proactive defense strategies.

Mark Your Calendar: October Events You Can’t Miss

The conversation continues this October, with three major events putting Rome at the center of Italy’s cybersecurity evolution:

AFCEA TechNet Europe Rome 2025 (October 1 – 2) brings together defense experts, industry leaders, and technology innovators to explore emerging threats and cutting-edge solutions.

Cybertech Europe (October 21 – 22) offers the chance to connect with top cybersecurity minds, see live demonstrations, and dive deep into the challenges and solutions shaping Italy’s digital resilience.

Richmond Cyber Resilience Forum (October 28 – 30) is a meeting point between demand and supply of innovative solutions. Here, Italian companies meet industry experts to discover trends and strategies of cybersecurity.

OPENVAS S.r.l. will be at all three events, showcasing enterprise-grade vulnerability management solutions, sharing insights on AI-driven security, and demonstrating how organizations can transform compliance from a checkbox exercise into a proactive defense strategy.

The Path Forward

2025 is proving to be a pivotal year for Italian cybersecurity. The threats are real and growing, but so is our collective response. Each conference, each collaboration, and each new innovation brings us closer to transforming today’s challenges into tomorrow’s resilience.

The question isn’t whether you’ll face a cyberattack, it’s whether you’ll be ready when it happens. Don’t wait for the wake-up call. The time to strengthen your cyber defenses is now.

Ready to turn insights into action? Connect with us at the upcoming October events, or reach out today to learn how enterprise-grade vulnerability management can transform your organization’s security position.

CVE-2025-10035 (CVSS 10.0) is a new critical severity vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). This maximum-risk CVE could provide attackers with unauthenticated remote command execution (RCE). Greenbone can detect vulnerable systems and all users should patch with urgency. 


GoAnywhere MFT is a centralized Managed File Transfer (MFT) platform enabling file exchanges between business partners, customers, and within an organization. The application also provides auditing and compliance reporting.

The root cause of this CVE is a deserialization flaw [CWE-502] in Fortra GoAnywhere MFT’s License Servlet that allows attackers to forge a license response signature to inject and execute arbitrary commands [CWE-77]. Although in-the-wild exploitation has not been confirmed, Fortra GoAnywhere has been a hot target for ransomware attacks in the past. In 2023, CVE-2023-0669 (CVSS 7.2) was targeted by the Clop ransomware operator, resulting in multiple high-profile breaches. No public PoCs for CVE-2025-10035 are available yet, but a detailed technical analysis is. However, this technical analysis does not include a complete exploit chain; some exploit chain details remain unconfirmed.

CVE-2025-10035 has prompted national CERT alerts from Canada’s Canadian Centre for Cyber Security [1], the Netherlands’ NCSC-NL [2], and India’s CERT-In [3]. Also, Germany’s BSI assigned an alert [WID-SEC-2025-2090], and a CVSS Temporal score of 8.7, reflecting an unverified exploitation status (E:U), availability of official remediation (RL:O), and strong confidence in the report (RC:C).

A remote version check was swiftly added to Greenbone’s OPENVAS ENTERPRISE FEED, allowing defenders to identify vulnerable instances of Fortra GoAnywhere MFT.

Risk Assessment for CVE-2025-10035 in Fortra GoAnywhere

Going simply by the CVSS 10 rating, the risk posed by CVE-2025-10035 is extremely high if GoAnywhere’s Admin Console is exposed to the Internet. According to the analysis, attack complexity is considered low, no user interaction is required, and exploitation could result in complete system takeover.

However, public exposure is not a prerequisite for exploitation. Instances on a private network could also be exploited via so-called “malicious insider” threats or trusted third parties [T1199]. Verizon’s 2025 DBIR (Data Breach Investigations Report) identifies Privilege Misuse (described as nefarious schemes from insider threats) as the primary root cause of 8% of breaches studied from 2024. This is a surprising figure, which erodes the belief that only public-facing vulnerabilities pose a primary threat to cyber resilience.

Technical Analysis of CVE-2025-10035 in Fortra GoAnywhere

GoAnywhere’s License Servlet is used for activating the GoAnywhere MFT license bundle as part of the setup, renewal, and migration processes. The License Servlet involves Java deserialization of the encoded “SignedObject”. In the case of CVE-2025-10035, this deserialization process could reportedly lead to RCE.

Analysis from Watchtowr evidences a pre-authentication flaw that returns an auth token via the Unlicensed.xhtml page, even when an instance has already been licensed. A malformed HTTP GET request to the route such as /goanywhere/license/Unlicensed.xhtml/x? erroneously creates a valid license-request token and returns it encrypted within a bundled data object. This occurs because the error handler function, AdminErrorHandlerServlet, internally generates a valid license-request token, associates it with the unauthenticated session, and returns it to the user within the aforementioned serialized data object. This data bundle is encrypted with a hard-coded key, which can be decrypted offline to reveal the GUID auth token in plaintext.

Once the GUID token is recovered, unauthenticated attackers can use it to access the License Servlet endpoint POST /goanywhere/lic/accept/<GUID> … bundle=<payload> passing a malicious, serialized payload. However, the attack mechanism for deserializing the payload is yet unknown because the payload needs to be signed by Fortra’s own valid private key. Security researchers have pointed to potential mechanisms such as a stolen private key or the existence of malicious payload(s) having been mistakenly signed by Fortra’s private key.

Mitigating CVE-2025-10035 in Fortra GoAnywhere

Fortra has released a security advisory [FI-2025-012] with mitigation instructions for CVE-2025-10035. Full mitigation requires upgrading to a fixed release: either to 7.8.4 (latest) or 7.6.3 (Sustain). Temporary mitigation can be achieved by restricting Admin Console access.

Fortra also advises all users to hunt for Indicators of Compromise (IoC), namely stack traces in the logs that show an error in SignedObject.getObject. Presence of this string strongly suggests the instance has been exploited by attackers. Following best practices, affected parties may also want to provide status updates to customers and other third-party stakeholders.
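As an added example (not Fortra’s or Greenbone’s code), the following Python script performs the log hunt described above in a stack-trace-aware way: it groups log lines into records that start with a timestamp, and reports the record and exception line of every stack trace that contains a `SignedObject.getObject` frame. The log layout and the class names in the sample are constructed assumptions; adapt the timestamp pattern to the actual GoAnywhere log format.

```python
import re
import sys

# Constructed sample log excerpt, not real GoAnywhere output. The last ERROR
# record carries a stack trace through java.security.SignedObject.getObject,
# which is the frame the advisory names as the indicator of compromise.
SAMPLE_LOG = """\
2025-09-20 10:12:01,004 INFO  [http-1] License check completed
2025-09-20 10:15:44,118 ERROR [http-7] Failed to process request
java.lang.IllegalArgumentException: bad parameter
\tat com.example.app.RequestHandler.handle(Unknown Source)
2025-09-20 10:16:02,551 ERROR [http-9] Error parsing license response
java.lang.ClassCastException: unexpected object type
\tat java.security.SignedObject.getObject(Unknown Source)
\tat com.example.lic.LicenseHelper.verify(Unknown Source)
2025-09-20 10:16:03,000 INFO  [http-9] Request finished
"""

IOC_FRAME = "SignedObject.getObject"
# Assumed record header: "YYYY-MM-DD HH:MM:SS" at the start of a line.
HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def split_records(log_text: str) -> list:
    """Group lines into records; a record starts at each timestamped line and
    includes the exception and 'at ...' frame lines that follow it."""
    records = []
    for line in log_text.splitlines():
        if HEADER.match(line) or not records:
            records.append([line])
        else:
            records[-1].append(line)
    return records


def find_signedobject_errors(log_text: str) -> list:
    """Return (header line, exception line) for every record whose stack trace
    contains the SignedObject.getObject frame."""
    hits = []
    for record in split_records(log_text):
        frames = [l.strip() for l in record[1:] if l.lstrip().startswith("at ")]
        if any(IOC_FRAME in frame for frame in frames):
            # The exception line is the first continuation line that is not indented.
            exception = next((l for l in record[1:] if not l[:1].isspace()), "")
            hits.append((record[0], exception))
    return hits


def scan_file(path: str) -> list:
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_signedobject_errors(fh.read())


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_signedobject_errors(SAMPLE_LOG)
    for header, exception in hits:
        print(f"IoC hit: {header}\n         {exception}")
    print(f"{len(hits)} matching stack trace(s)")
```

A match is the signal Fortra describes; it tells you which requests to pull surrounding log context and session data for, and a clean result on rotated or truncated logs is not proof of absence.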

Summary

CVE-2025-10035 is a CVSS 10, maximum severity deserialization flaw in GoAnywhere MFT which may allow unauthenticated RCE. In 2023 attackers leveraged another CVE in GoAnywhere MFT for widespread exploitation, and national CERTs have issued alerts, signifying high risk. The OPENVAS ENTERPRISE FEED includes a version check to detect vulnerable instances in users’ infrastructure. End users should identify public-facing and locally deployed instances and patch with urgency.

Dr. Jan-Oliver Wagner

After many years at the helm of Greenbone, our co-founder, Dr Jan-Oliver Wagner, is stepping down from active operational management. However, he will remain closely associated with the company as a consultant. We would like to thank Dr Wagner for his extraordinary commitment and all that he has achieved for Greenbone since its foundation.



Elmar Geese

The new CEO is Elmar Geese, who has been part of Greenbone’s management team since 2019. With this change in leadership, we are focusing on continuity and stability for our customers, employees and shareholders.

CVE-2025-54236 (CVSS 9.1) is an account-takeover flaw that may result in unauthenticated remote code execution (RCE) under certain conditions. Dubbed “SessionReaper”, CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source web applications. The root cause is Improper Input Validation [CWE-20] in the REST API. Adobe’s official advisory describes the issue as a security feature bypass although no further explanation is provided.


The exploit chain for CVE-2025-54236 starts with a nested deserialization vulnerability [CWE-502] and results in a malicious session for a customer account. Security researchers from Sansec claim that Remote Code Execution (RCE) is possible when file-based session storage is used and that other attack chains may also exist, such as RCE via Redis or database session storage. Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236 via the Hackerone platform.

A full technical description, PoC, or full exploit kits are not yet publicly available. However, France’s CERT-FR has issued a public advisory for the vulnerability. Greenbone’s OPENVAS ENTERPRISE FEED already includes a remote banner check to identify vulnerable systems and verify patch status.

Risk Assessment for CVE-2025-54236 (aka “SessionReaper”)

Magento Open Source (released in 2008) and its commercial counterpart Adobe Commerce are widely used e-commerce platforms. As of 2024, they power on the order of 200,000 to 250,000 live/active stores, putting Magento among the leading global e-commerce platforms. This wide usage makes it an attractive target for attackers.

Previous vulnerabilities in Magento have been leveraged in mass exploitation attacks within hours [1][2][3][4] of their disclosure. In this case, Adobe’s patch was accidentally leaked publicly, giving attackers a head start on developing exploit code. If exploited, attackers could install malware [T1105] in an attempt to covertly maintain persistent access [TA0003] to the victim’s infrastructure. This could lead to future attacks, such as stealing payment card information to make fraudulent transactions [T1657], stealing other sensitive information [TA0010], conducting phishing [T1566] attacks against customers of the website, or deploying ransomware against the victim [T1486].

Mitigating CVE-2025-54236 (aka “SessionReaper”)

CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source across multiple versions, as well as the Custom Attributes Serializable module on all platforms and deployment methods [1]. However, Adobe’s own knowledge base seems to provide contradictory information, stating that the Custom Attributes Serializable module versions 0.1.0 – 0.4.0 are affected, but also advises upgrading the module to version 0.4.0 or higher.

Users are advised to install the hotfix patch provided by Adobe or update to the latest version immediately to protect their online business operations and customers. Users should also conduct a thorough assessment to determine whether their instance has already been compromised and if found, remove the infection. Adobe has also released a developer guide to help users adjust to any necessary changes in the web application’s REST API. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable systems.

Summary

CVE-2025-54236 poses a critical risk to Magento and Adobe Commerce users. For attackers, the flaw enables account takeover and potentially unauthenticated RCE on a victim’s infrastructure. Defenders should identify vulnerable systems and patch them immediately. Greenbone’s OPENVAS ENTERPRISE FEED can help to identify vulnerable web applications and verify remediation status. IT security teams should also audit their systems to detect potential breaches and remove infections if any indicators of compromise (IoC) are found.

The August 2025 Threat Report underscores how quickly high-risk vulnerabilities can shift from disclosure to active exploitation. Citrix, Fortinet, N-able, and Trend Micro flaws were weaponized within days. Other critical flaws in highly targeted software, such as Microsoft Exchange, emerged. Mainstream enterprise applications, such as Docker Desktop, Git, and Zoom, were also exposed to new vulnerabilities this month. Let’s review some of the biggest cyber threats that emerged in August 2025.


Trio of High-Risk Citrix NetScaler CVEs: One Actively Exploited

Citrix alerted its customers to active exploitation of CVE-2025-7775 and two additional high-risk CVEs. All three affect NetScaler ADC and NetScaler Gateway in various configurations. So far, only CVE-2025-7775 has been added to CISA’s Known Exploited Vulnerabilities (KEV). Multiple National CERT alerts have been issued globally [1][2][3][4][5][6][7]. Users of affected products should patch with urgency.

  • CVE-2025-7775 (CVSS 9.8, EPSS ≥92nd pctl): A memory overflow [CWE-119] allows Remote Code Execution (RCE) or Denial of Service (DoS) when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  • CVE-2025-6543 (CVSS 9.8): A memory overflow [CWE-119] leads to unintended control flow and DoS when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  • CVE-2025-7776 (CVSS 8.8): A memory overflow [CWE-119] leads to unpredictable behavior and DoS when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) with a PC-over-IP (PCoIP) profile. PCoIP is a remote display protocol used for virtual desktop access.

Another high-risk flaw affecting NetScaler ADC and Gateway, dubbed “CitrixBleed 2”, just emerged in June 2025, and was actively exploited in ransomware attacks soon after disclosure. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version detection test for these three new CVEs, and for CitrixBleed 2.

Emergency Patch for Microsoft Exchange Hybrid Deployment

CVE-2025-53786 (CVSS 8.0) is a high-risk post-authentication privilege escalation flaw in Microsoft Exchange hybrid-joined configurations. In a hybrid deployment, an on-premises Active Directory (AD) domain is synchronized with a cloud-based Azure AD; devices and services are recognized by both. If exploited, CVE-2025-53786 allows an attacker with admin access to an on-premises Exchange Server to move laterally to Microsoft 365 Exchange Online [CWE-287] and potentially modify authentication processes for persistence [T1556.007].

Exploitation, including authentication bypass, lateral movement [TA0008], and data exfiltration [TA0010], was demonstrated at Black Hat 2025. Despite no observed exploitation in the wild, Microsoft has assigned a status of “Exploitation More Likely”. CISA has issued an Emergency Directive (ED 25-02) and warned that CVE-2025-53786 could result in total domain compromise across hybrid environments. Numerous government CERT agencies have also issued alerts [1][2][3][4][5][6][7]. The OPENVAS ENTERPRISE FEED includes two remote version detection tests to identify vulnerable instances of Microsoft Exchange [8][9].

Max-Severity Flaw in Cisco Secure Firewall Management Center

CVE-2025-20265 (CVSS 10) is an RCE flaw in Cisco Secure Firewall Management Center (FMC) physical and virtual appliances if configured with RADIUS for web-based authentication or for SSH for management access. The flaw is caused by improper input handling, which can result in command injection downstream in the authentication process [CWE-74]. Unauthenticated attackers may inject arbitrary shell commands and have them executed with elevated privileges.

Public exploit code or active attacks have not yet been observed. However, Cisco edge devices have historically been targeted by APT adversaries [1][2][3]. Considering the edge locality of FMC deployments and the maximum CVSS, CVE-2025-20265 warrants urgency. Cisco has published security patches and, somewhat contradictorily, stated that no workarounds exist while also advising users that disabling RADIUS authentication is a temporary mitigation. Greenbone’s OPENVAS ENTERPRISE FEED includes a version detection test to remotely identify unpatched FMC devices.

FortiSIEM Exploited and Other High-Risk CVEs in Fortinet Products

Fortinet was the subject of several high-risk vulnerabilities in August. In total, 14 CVEs were issued for Fortinet products — six were rated CVSS High or Critical. Several national CERT advisories cover the three most critical CVEs from this group [1][2][3], while others address only the most severe — CVE-2025-25256 [4][5][6][7][8] — which has been flagged by Fortinet as actively exploited. The OPENVAS ENTERPRISE FEED includes a version check and active check to identify FortiSIEM devices vulnerable to CVE-2025-25256, and a family of vulnerability tests dedicated to Fortinet CVEs, including those mentioned below and others.

  • CVE-2025-25256 (CVSS 9.8, EPSS ≥95th pctl): Improper neutralization of special elements used in an OS command [CWE-78] allows an unauthenticated remote attacker to execute unauthorized commands via requests to the phMonitor service on TCP port 7900. Fortinet acknowledges active exploitation in the wild. A full technical description and proof-of-concept (PoC) exploit are available. FortiSIEM 5.4 and various sub-versions of FortiSIEM 6 and 7 are affected.
  • CVE-2024-26009 (CVSS 8.1): An authentication bypass using an alternate path or channel vulnerability [CWE-288] allows an unauthenticated attacker to take control of a managed device via malicious FortiGate to FortiManager Protocol (FGFM) requests. Exploitation requires a FortiGate device to be managed by FortiManager, and for the attacker to know the FortiManager’s serial number. Various versions of FortiOS, FortiPAM, and FortiSwitchManager are affected.
  • CVE-2025-52970 (CVSS 8.1): Improper handling of parameters [CWE-233] allows an unauthenticated remote attacker with possession of sensitive information for the target device and an existing user to log in as any user on the device via a specially crafted HTTP request. Various sub-versions of FortiWeb 7 are affected.

Two New N-Able CVEs Actively Exploited

Two new CVEs impacting N-able’s N‑central present a high risk to organizations using the software. Both new CVEs have been added to CISA’s KEV list and national CERT alerts were issued by NCSC.nl [1], the Canadian Cyber Centre [2], and South Korea’s K‑CERT [3]. N‑central is a Remote Monitoring and Management (RMM) platform widely used to monitor and manage networks and systems. Although exploiting either vulnerability requires authentication, credential theft [TA0006], password reuse [T1078], insider threats, and other possible attack trajectories elevate risk.

  • CVE-2025-8876 (CVSS 8.8, EPSS ≥95th pctl): Unsanitized input is injected into OS shell commands [CWE-78], allowing RCE with the N-central application’s privileges.
  • CVE‑2025‑8875 (CVSS 7.8, EPSS ≥93rd pctl): Insecure deserialization of untrusted data [CWE-502] may allow attackers to craft object “gadget” chains for arbitrary RCE or unauthorized application state changes.

Versions of N-central prior to 2025.3.1 are affected. One day after the CVEs were published, Shadowserver reported ~1,000 unpatched N‑central servers exposed on the internet. Two weeks later, most remain unpatched. The OPENVAS ENTERPRISE FEED can remotely detect vulnerable versions of N-central, allowing defenders to apply mitigations.

New Critical Trend Micro Apex One Flaw Under Attack

CVE-2025-54948 (CVSS 9.8, EPSS ≥94th pctl) and CVE-2025-54987 (CVSS 9.8, EPSS ≥63rd pctl) are unauthenticated RCE vulnerabilities affecting on-premises Trend Micro Apex One Management Console. Both CVEs represent the same flaw, but for different CPU architectures. The culprit is a pre-authentication OS-command-injection flaw [CWE-78] via malicious file upload. A compromised device gives attackers direct access to an organization’s security infrastructure. Successful exploitation requires either remote or physical access, making internet-exposed instances particularly high-risk. However, local network instances may also offer attackers an opportunity for lateral movement [TA0008] after they gain initial access [TA0001] to a victim’s network.

According to Trend Micro, active exploitation is underway and CISA has added CVE-2025-54948 to the KEV catalog, where it joins many other exploited Apex One flaws going back to 2021. National CERT advisories have been issued by government agencies globally [1][2][3][4][5]. Apex One (on‑prem) 2019 (14.0) version 14.0.0.14039 and earlier are affected. Consult the official advisory for mitigation instructions and a custom tool that disables the Remote Install Agent function. Greenbone’s OPENVAS ENTERPRISE FEED includes a local detection test to identify affected endpoints.

Git Repository Cloning Flaw Actively Exploited

CVE-2025-48384 (CVSS 8.0, EPSS ≥88th pctl), issued in early July 2025, has been added to CISA’s KEV and exploitation is considered trivial. The flaw is described as an arbitrary file write when cloning a specially crafted repository containing submodules with the ‘recursive’ option (i.e. git clone --recursive <repo>), which automatically fetches submodules while cloning a repository. The flaw is due to mishandling of trailing carriage return (CR) characters in configuration values, potentially resulting in RCE. Attackers must trick a victim into cloning a malicious Git repository to achieve exploitation.

A full technical description and exploits containing malicious .gitmodules files are already available online [1][2][3]. INCIBE-CERT has issued an alert [4] and CISA has added the CVE to its KEV list [5]. The flaw affects many versions of Git up to 2.50.0. The OPENVAS ENTERPRISE FEED and COMMUNITY FEED include local package detection tests for CVE-2025-48384.

Container Escape in Docker Desktop for Windows and macOS

CVE-2025-9074 (CVSS 9.3) is a container escape vulnerability in Docker Desktop for Windows and macOS. The flaw allows attackers to gain unauthorized access to a victim’s host system when running a malicious container. The Docker Engine API was found to be accessible without authentication via TCP/IP at 192.168.65.7:2375. This channel bypasses normal socket restrictions and renders Docker’s Enhanced Container Isolation (ECI) ineffective. On Windows, attackers can mount and overwrite system DLLs to gain full administrative control. On macOS, host file system access is more limited due to OS-level safeguards. Linux instances are not affected.

PoCs indicate that exploitation is trivial — just a few lines of Python or a simple HTTP request can compromise a vulnerable instance of Docker Desktop. A detailed technical write-up, existence of at least one public exploit, and Docker’s widespread use elevate the risk posed by CVE-2025-9074. The OPENVAS ENTERPRISE FEED includes a version detection test for Windows installations.

Critical Flaw in Zoom Client for Windows Allows Unauthenticated RCE

CVE-2025-49457 (CVSS 9.6) affects multiple Zoom products for Windows including Zoom Workplace, VDI, Rooms, Rooms Controller, and Meeting SDK prior to version 6.3.10. The flaw is caused by an untrusted search path vulnerability [CWE-426] due to improper DLL path handling. Known as “DLL side-loading”, this flaw happens when the Windows LoadLibrary() API function is called without specifying a fully qualified file path. In that case, Windows follows its default DLL search order, and if attackers can place a DLL with the expected name in one of the searched directories, it will be loaded and executed. Therefore, CVE-2025-49457 is especially dangerous in combination with social engineering [T1566] or insider threats, which continue to be prevalent in 2025. Exploitation provides privilege escalation to an attacker, potentially to the Windows SYSTEM level, and arbitrary code execution.

Malaysia’s MyCERT [1] and Hong Kong’s CERT-HK [2] have issued advisories. The issue is patched in Zoom version 6.3.10 and later, and organizations should verify update status. Although many desktop applications, such as Zoom, support automatic updates, it’s still critical for defenders to verify patch status across their IT fleets. The OPENVAS ENTERPRISE FEED includes an active check to identify vulnerable Zoom applications.

Summary

The August 2025 Threat Report highlights new high-risk vulnerabilities across popular platforms. Defenders faced an intense month with new Citrix NetScaler flaws being actively exploited soon after CitrixBleed 2 was exposed, an emergency Microsoft Exchange patch, a maximum-severity Cisco Secure Firewall CVE, and emerging exploitation of Fortinet, N-able, and Trend Micro products. New Docker Desktop, Git, and Zoom vulnerabilities also add to this month’s list of threats. Greenbone’s OPENVAS SECURITY INTELLIGENCE reduces the burden on security teams by delivering fast and reliable detection and assurance on organization-wide patch levels.

Utrecht will be the central meeting point for the cybersecurity community on September 10 – 11, 2025. OPENVAS B.V. will make its first appearance at Cybersec Netherlands, marking an important milestone in expanding our local presence after establishing the Benelux office and fostering direct connections with customers and partners. The area is one of Europe’s most innovative hubs for digitization and IT infrastructure. With our presence, we strengthen this spirit of innovation and support companies in the region as a partner with comprehensive expertise, practical solutions, and a clear understanding of local market requirements.


A Strong Signal for the Benelux Region

“Regulatory requirements such as NIS2 are making many organizations recognize the importance of a proactive IT security strategy. At the same time, they value direct, in-person discussions about our solutions. Cybersec Netherlands provides the perfect platform for this,” explains Maurice Godschalk, Account Director at OPENVAS B.V. With its Dutch subsidiary, Greenbone strengthens its European presence and helps local institutions identify vulnerabilities early and mitigate risks effectively.

Tackling Today’s Challenges

The number of unpatched vulnerabilities in digital infrastructures is growing, and cybercriminals are exploiting known weaknesses faster than ever with the help of new technologies. At the same time, the increasing complexity of IT environments makes it challenging for many organizations to maintain a complete overview of their systems. Professional vulnerability management is therefore essential – the cornerstone for building strong and lasting cyber resilience.

Visit Us in Utrecht!

At Cybersec Netherlands, experts share practical approaches for organizations to sustainably improve their cyber resilience. Interactive sessions, live demonstrations, and specialist presentations encourage collaboration between companies, authorities, and cybersecurity professionals – helping to foster a shared culture of security.

Come and experience OPENVAS B.V. live at booth 11.E069, where you can learn more about our scalable and efficient vulnerability management solutions. Our local team, led by Maurice Godschalk, looks forward to engaging in discussions and providing tailored advice and hands-on insights into our technology.

Cybersec Netherlands marks the start of an exciting autumn of events. Over the next few weeks, Greenbone and its subsidiaries will be participating in numerous leading conferences, all with the same clear objective: to help organizations around the world stay secure.

Starting August 2025, businesses and administrative bodies must implement the initial provisions of the EU AI Act, and a new era of responsibility in dealing with artificial intelligence begins. The AI Act demands not only technical adjustments but a fundamental rethink: AI will in future be evaluated in a more nuanced way, taking risk and use case into account. This is especially true for AI encroaching on sensitive areas of life or working with personally identifiable data.

For organizations, this means they have to grapple intensively with the ecosystem surrounding their AI systems, detect risks early, and address them deliberately. Transparency on underlying data, comprehensible models, and human supervision are no longer optional; they are mandatory. At the same time, the AI Act offers a valuable framework to build trust and, in the long run, use AI safely and responsibly. Vulnerability management and cybersecurity are not exempt from this.

AI Interview with Cybersecurity Experts

We have interviewed Kim Nguyen, Senior Vice President of Innovation at the German Federal Printing Office (Bundesdruckerei) and seasoned leader and face of their Trusted Services, on the topic of AI, regulation, and the impact on cybersecurity. Additionally, Greenbone CMO Elmar Geese gives a forecast on the future of vulnerability management.

Kim Nguyen, Senior Vice President for Innovation at the Bundesdruckerei

Greenbone: Kim, the topic of AI is on everyone’s lips right now, especially at events like the recent Potsdam Conference on National Cybersecurity (Potsdamer Konferenz für Nationale Cybersecurity). And you are in the thick of the public discourse.

Nguyen: Yes, I cannot deny that the topic of AI is very dear to my heart, as you can tell by looking at my publications and keynotes on the topic. But my approach is a bit different than that of others. It places emphasis on trust and has many different dimensions, one of which is benevolence. That means the well-being of individual users needs to be in focus at all times. Users assume the system operates in their best interest, not in pursuit of an unknown agenda.

Greenbone: What do you think, will cybersecurity as a whole become more secure with AI, or less?

Nguyen: Of course, artificial intelligence has long reached cybersecurity – as a risk and as a chance: On one hand, it increases the attack vector, as cyber-criminals can accelerate, automate, and aim their attacks better. On the other hand, it can help harden defenses, for example, by analysing real-time data from different security sources to automatically identify security incidents and react accordingly.

“A Cat-and-Mouse Game”

To keep up in this cat-and-mouse game between attackers and defenders, you have to rely on AI, especially for defense. Government regulation is crucial here, as without appropriate legislation and technical standards, no one could know what is permitted and trustworthy and what is not.

Moreover, lawmakers must continue to actively intervene in these highly dynamic technical developments to ensure legal certainty and clear guidance. Finding the right measures and simultaneously leaving slack to encourage innovation and allow AI to be an enabler is not easy, but immensely important.

Greenbone: What do you regard as the most important questions/regulations in the EU AI Act and regulations that organizations have to face? What else is coming our way? What are big institutions like the Federal Printing Office doing to prepare?

Nguyen: With the AI Act, organizations must classify their AI-systems in a risk-based manner and fulfill different requirements regarding transparency, data-quality, governance, and security, depending on the classification – especially regarding high-risk appliances.

However, it is not just about assuring compliance, but utilizing the regulatory framework as a strategic lever for trustworthy innovation and sustainable competitiveness. It is not sufficient to focus strictly on an appropriate AI model. Integration, training of the model, and educating users are just as important. Comprehensive security guidelines – so-called “guard rails” – must be set up to ensure the system does not undertake any unauthorized processes.

“Well-Practiced Processes Bring Replicability, Robustness and Transparency to the Foreground”

The Printing Office, as a federal technology company, has been active in the high-security sector for years. We enact well-attuned processes and structures to bring replicability, robustness, and transparency to the foreground and bring trust in different AI solutions to administrations. With the AI Competence Center, we support federal agencies and ministries in developing AI applications. We have built the platform PLAIN, which offers a shared infrastructure for data and AI-applications with the Federal Foreign Office, and we developed an AI-assistant, Assistant.iQ, that meets the administration’s requirements for data security, traceability, and flexibility.

Greenbone: Open Source is a minimum requirement for trust in software, IT, and cybersecurity – is that even possible for AI, and if so, to what degree?

Nguyen: Open Source is an important topic in AI, as it can provide the necessary trust by reviewing code and models. This requires results to be examinable and verifiable, which necessitates a community that actively cares and participates.

The Open Source approach of many projects is ambitious and admirable, but many projects do not get sufficiently maintained over time or come to a standstill altogether. In any case, you have to look closely when it comes to the topic of Open Source and AI. In other words: Not all Open Source is created equal. When AI developers publish under an open-source license, that does not mean you get an open-source AI.

For a start, the numerical values, the so-called weights of an AI model, are very important, as they determine how it processes input and makes decisions. Then you have to consider the training data, which is often not disclosed to customers and users. Only with them can one arrive at an assessment of how transparent, trustworthy, and reproducible an open source model really is. Only when the complete knowledge behind different models is freely available can viable ideas be built upon that foundation and lead to innovation.

Greenbone: What is missing to enable the safe deployment of AI? What do we have to change?

Nguyen: Safe deployment of AI requires, in addition to technical excellence, an appropriate mindset for development, governance, and responsibility. Concretely, we have to keep the principle of “Security by Design” in mind from the very start. What this means: Developers must always systematically examine what could go wrong and integrate those risks early on in the blueprint and architecture of the model.

Equally important is the transparency across the edges of AI-systems: Language models currently only function reliably within certain contexts – outside of their training domain, they may deliver plausible, but potentially erroneous results. Developers should therefore clearly communicate where their model works reliably and where it fails.

Mindset, Context, and Copyright

If we do not want to experience major trust and compliance issues, we must not neglect questions about copyright and training data. Then, you need clear test data, an appropriate evaluation infrastructure, and ongoing monitoring of bias and fairness.

A balanced combination of legal regulation, technical self-commitment, and fast-reacting governance is the key to an AI that allows one to protect democratic values and take technological responsibility.

Greenbone: Do you believe the EU has a competitive advantage?

Nguyen: Yes, the EU has a real advantage in the global AI competition – and it is rooted in trust. Other regions primarily bet on speed and market dominance – and in doing so, as recently happened in the U.S., largely absolve tech giants of responsibility for societal risks. On the contrary, Europe establishes a downright exemplary model with the AI Act, relying on security, data protection, and a human-centered approach to development.

Precisely because AI is increasingly entering sensitive areas of life, protection of personal data and the enforcement of democratic values are becoming increasingly crucial. With its governance structure, the EU is building mandatory standards that many countries and organizations around the world look toward. This focus on values will pay off for Europe in the long run – specifically in the export of technology and the strengthening of societal trust in democracy and systems on-site.

Especially in the development of human-centered AI, Europe is a trailblazer. However, regulation must not become a hindrance to innovation: Trust and security must go hand in hand with readiness to invest, technological openness, and fast implementability. Europe can set standards – and build up a unique, competitive AI-identity.

Greenbone CMO Elmar Geese on AI in Vulnerability Management

Greenbone: Mr. Geese, AI is on everyone’s lips – what changes does AI bring to vulnerability management?

Geese: I think AI is going to support us a lot, but it can never replace vulnerability management fully. Although AI can take care of time-intensive routine tasks like, for example, the evaluation of large quantities of data, finding patterns, and making suggestions for prioritization, security teams must stay in charge of final decisions and stay in control, especially in complex and critical cases where human understanding of context is invaluable.

The purposeful usage – with careful judgement and planning – in vulnerability management brings numerous advantages, without having to relinquish control completely. We are already using AI today to provide a better product to our customers, completely without relaying client data to big AI service providers. Our “trustworthy AI” works completely without the transfer and central collection of data.

Greenbone: What risks do you have to consider?

Geese: According to today’s state of technology, the use of AI in security-critical areas has several risks that need to be contained. Automation creates many chances, but also risks like flawed decision making, new attack vectors, or unintended system effects. An AI with “measured judgment” combines human and machine strengths, such that technological advantages like speed and scalability can be harnessed, without disempowering technical staff or taking security risks.

Greenbone and AI

Greenbone relies on the purposeful use of artificial intelligence to efficiently detect vulnerabilities in the IT sector and to support prioritization. All the while, security teams remain responsible and in control at all times, especially when it comes to sensitive and complex decisions. Data protection always takes top priority for us: customer data is never transferred to external AI companies.

Our approach combines the advantages of modern technology with human reasoning – for contemporary and responsible cybersecurity.

Contact us for further information.


On August 27, more than 20 security agencies published a Cybersecurity Advisory with the title “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System”.


Publishing authorities included:

  • United States National Security Agency (NSA)
  • United States Cybersecurity and Infrastructure Security Agency (CISA)
  • United States Federal Bureau of Investigation (FBI)
  • Germany Federal Intelligence Service (BND) – Bundesnachrichtendienst
  • Germany Federal Office for the Protection of the Constitution (BfV) – Bundesamt für Verfassungsschutz
  • Germany Federal Office for Information Security (BSI) – Bundesamt für Sicherheit in der Informationstechnik

plus many more.

This is bad news. The good news is that Greenbone customers using the OPENVAS products can detect all vulnerabilities exploited in this campaign:

  1. CVE-2024-21887 – Ivanti Connect Secure and Ivanti Policy Secure web-component command injection vulnerability, commonly chained after CVE-2023-46805 (authentication bypass).
  2. CVE-2024-3400 – Palo Alto Networks PAN-OS GlobalProtect arbitrary file creation leading to OS command injection. The CVE allows for unauthenticated remote code execution (RCE) on firewalls when GlobalProtect is enabled on specific versions/configurations.
  3. CVE-2023-20273 – Cisco Internetworking Operating System (IOS) XE software web management user interface flaw enabling post-authentication command injection/privilege escalation [T1068], commonly chained with CVE-2023-20198 for initial access to achieve code execution as root.
  4. CVE-2023-20198 – Cisco IOS XE web user interface authentication bypass vulnerability.
  5. CVE-2018-0171 – Cisco IOS and IOS XE smart install remote code execution vulnerability.

We strongly advise our customers to scan their systems and, if affected, to follow the vendor information on patches.

The July 2025 Threat Report takes a broad approach, covering some of the top cyber threats from the past month. The Microsoft SharePoint flaw titled “ToolShell” dominated the headlines; see our alert on ToolShell for a detailed analysis. Over 4,000 CVEs were published last month; almost 500 of them were rated Critical, with CVSS over 9.0. Managing this volume of risk is truly a battle of attrition for defenders. In response, Greenbone published almost 5,000 new detection tests. These detection tests allow defenders to find known software flaws in their environment, confirm patch levels, and prevent cyber attackers from gaining the upper hand.


Critical Cisco ISE Flaws Offer Unauthenticated RCE as Root and More

Cisco has confirmed active exploitation of Cisco Identity Services Engine (ISE) and Cisco ISE-PIC (Passive Identity Connector) versions 3.3 and 3.4. The highest severity CVEs are: CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282; all CVSS 10. CVE-2025-20281 and CVE-2025-20337 have been added to CISA KEV (catalog of known exploited vulnerabilities). Each flaw can be exploited to execute code with root privileges by submitting a malicious API request. Several national CERT agencies have issued alerts: EU-CERT, CSA Singapore, NHS UK, and NCSC Ireland. Cisco advises immediate patching; no workarounds are available. Version detection tests are included in the OPENVAS ENTERPRISE FEED [1][2][3].

Another critical severity CVE in Cisco Unified Communications Manager made waves in early July. CVE-2025-20309 (CVSS 10) allows remote root account access via static SSH credentials. Alerts were issued by Belgium’s CERT.be and NCSC Ireland, and the flaw was featured in AUSCERT’s Week in Review.

CrushFTP and WingFTP Servers Under Active Attack

High severity CVEs in CrushFTP and WingFTP were published and quickly added to CISA KEV, with global CERT advisories being issued [1][2][3]. FTP servers are often exposed to the public Internet, but instances within a local network could also offer hackers an opportunity for persistence and lateral movement [4]. Also, FTP servers often store sensitive data, which could represent a high risk of being ransomed.

  • CVE-2025-54309 (CVSS 9.8, EPSS ≥ 91st pctl): If the DMZ proxy feature is not used, CrushFTP is susceptible to an unprotected alternate channel vulnerability [CWE-420]. The software mishandles AS2 validation allowing remote HTTPS admin access. The OPENVAS ENTERPRISE FEED includes a remote banner detection test to identify vulnerable instances. Users should upgrade to CrushFTP 10.8.5_12 (or later) or 11.3.4_23 (or later).
  • CVE-2025-47812 (CVSS 10, EPSS ≥ 99th pctl): Unsanitized null-byte characters in the web-interface of WingFTP prior to version 7.4.4 allow remote execution of arbitrary Lua code with the privileges of the FTP service (root or SYSTEM by default). Greenbone includes an active check and version check to identify vulnerable instances. Users are urged to update to version 7.4.4 or later.

Node.js Patch Bypass Exposes Arbitrary File Access

CVE-2025-27210 (CVSS 7.5) is a bypass for CVE-2025-23084 (CVSS 5.6), a previously patched flaw in Node.js on Windows, published in January 2025. An estimated 4.8% of global web servers run Node.js, which also powers many on-premises and cloud-native applications. National CERT advisories have been released warning of high risk [1][2]. At least one proof-of-concept (PoC) has been published [3]. OPENVAS ENTERPRISE FEED and COMMUNITY FEED both include a version detection check.

The flaw, classified as path traversal [CWE-22], is due to built-in functions path.join() and path.normalize() not properly filtering Windows device names like CON, PRN, and AUX, which are reserved names for special system devices [4]. This can be exploited remotely to bypass path protections when user input is passed into these functions. Node.js versions 20.x prior to 20.19.4, as well as 22.x before 22.17.1 and 24.x before 24.4.1 are affected.

CVE-2025-37099: Total Remote Compromise for HPE Insight Remote Support

New vulnerabilities in HPE Insight Remote Support (IRS) pose an extreme risk of full system compromise within enterprise infrastructure. IRS is used in enterprise local network environments to automate hardware health checks, infrastructure monitoring, and support ticket generation.

CVE-2025-37099 (CVSS 9.8) permits unauthenticated remote code execution (RCE) at SYSTEM level due to improper input validation [CWE-20] in processAttachmentDataStream logic, allowing malicious payloads to be executed as code [CWE‑94][1]. This allows attackers to execute malware across managed systems. While not explicitly documented, SYSTEM-level access could also enable attackers to manipulate or delete monitoring logs to conceal activity. Since the affected service often communicates with devices like servers and iLO controllers, compromise may facilitate pivoting laterally within a network. [2]

Users should upgrade immediately to 7.15.0.646 or newer. The coordinated disclosure also included two additional CVEs, CVE-2025-37098 and CVE-2025-37097, both CVSS 7.5. The OPENVAS ENTERPRISE FEED includes a version detection test to identify vulnerable instances and verify patch level for compliance purposes.

Critical Patches for DELL CVEs with Elevated EPSS Scores

Cumulative patches for a large number of Dell Technologies products were released to address various component vulnerabilities. The Canadian Centre for Cyber Security (CSE) issued three alerts in July addressing these updates [1][2][3]. Here are some of the most critical CVEs from this batch, all of which can be detected with the OPENVAS ENTERPRISE FEED [1][2][3][4][5]:

  • CVE-2024-53677 (CVSS 9.8, EPSS 99th pctl): Dell Avamar Data Store and Avamar Virtual Edition have received updates to address a flaw in Apache Struts. No mitigations or workarounds are available. See the vendor’s advisory for affected product lists.
  • CVE-2025-24813 (CVSS 9.8, EPSS 99th pctl): Dell Secure Connect Gateway versions prior to 5.30.0.14 are affected by an Apache Tomcat flaw and other critical CVEs. Dell has classified this update as critical.
  • CVE-2004-0597 (CVSS 10, EPSS 99th pctl): Dell NetWorker is affected by critical buffer overflow flaws in libpng that allow remote attackers to execute arbitrary code via maliciously manipulated PNG images, among other vulnerabilities. See vendor advisories for more information [1][2][3][4].
  • CVE-2016-2842 (CVSS 9.8, EPSS ≥ 98th pctl): Dell Data Protection Advisor is affected by flaws in numerous components, including CVE-2016-2842 in OpenSSL, which does not properly verify memory allocation, allowing DoS or possibly RCE. See the vendor advisory for more information.
  • CVE-2025-30477 (CVSS 4.4): Dell PowerScale uses a risky cryptographic algorithm, potentially leading to information disclosure. In June 2025, PowerScale patched critical severity flaws. See vendor advisories for more information [1][2].

A Cumulative Summary of 2025 D-Link Flaws

OPENVAS ENTERPRISE FEED and COMMUNITY FEED currently include 27 vulnerability tests covering the majority of CVEs affecting D-Link products published so far in 2025. Given the importance of network edge security, users should pay particular attention to vulnerabilities in routers and other gateway devices. After the settlement of a U.S. regulatory action involving D‑Link and the Federal Trade Commission, in 2019 D‑Link agreed to implement a comprehensive security program. However, proponents for accountability may ask whether intervention should be more widespread. Ivanti products, for example, have been inundated with numerous high severity flaws in recent years [1][2][3][4][5], many leveraged in ransomware attacks.

Adobe Patches Critical Flaws for ColdFusion

Security updates for ColdFusion 2025, 2023, and 2021 address 13 new CVEs, including five critical-severity issues: XXE (CVE-2025-49535, CVSS 9.3), hard-coded credentials (CVE-2025-49551, CVSS 8.8), OS command injection, XML injection, and SSRF. In 2023, the ColdFusion flaw CVE-2023-26360 (CVSS 9.8) was used by threat actors to gain initial access to US federal civilian agencies.

OPENVAS ENTERPRISE FEED includes a remote version check to identify unpatched instances. Immediate patching to Update 3 (ColdFusion 2025), Update 15 (2023), or Update 21 (2021) is strongly recommended.

Splunk Enterprise Updates Critical Severity Components

Cumulative updates for Splunk Enterprise patch several third-party components, including golang, postgres, aws-sdk-java, idna, and others. Some of these were critical CVSS severity flaws, such as CVE-2024-45337 (CVSS 9.1) with an EPSS percentile of ≥ 97%, indicating a high likelihood of exploit activity. CERT-FR and the Canadian Centre for Cyber Security (CSE) have published alerts related to Splunk’s July advisories. Users can verify patch status with a version check in the OPENVAS ENTERPRISE FEED. The feed also includes vulnerability checks for previous Splunk security advisories and CVEs.

Oracle Patches Series of High Severity VirtualBox Flaws

Several CVEs published in mid-July 2025 affecting Oracle VM VirtualBox version 7.1.10 permit a high-privileged local attacker (with access to the host infrastructure or guest VM execution environment) to compromise VirtualBox, potentially escalating privileges or achieving full control of the hypervisor core component. CVE-2025-53024 (CVSS 8.2) is an integer overflow bug in the VMSVGA virtual device due to insufficient validation of user-supplied data, leading to memory corruption with potential for full hypervisor compromise. [1] OPENVAS ENTERPRISE FEED and COMMUNITY FEED include version detection tests for Windows, Linux, and macOS.

Post-Authentication Flaw Allows RCE in SonicWall SMA100

CVE-2025-40599 (CVSS 9.1) is an authenticated arbitrary file upload vulnerability in SonicWall SMA 100 series appliances. It allows a remote attacker with administrative privileges to gain arbitrary code execution and persistent access. The risk posed by this flaw is increased by weak or stolen credentials. The flaw affects models SMA 210, 410, and 500v, versions 10.2.1.15-81sv and earlier. As per the vendor advisory, no workaround is effective. OPENVAS ENTERPRISE FEED includes a remote version check to identify the affected devices.

New MySQL CVEs Allow Authenticated DoS Attacks

Amidst the abundance of vulnerabilities offering unauthorized RCE, it’s easy to overlook ones that merely cause Denial of Service (DoS). A swath of DoS vulnerabilities and related patches were issued for MySQL 8 and MySQL 9 in July [1]. Although the flaws require privileged access to exploit, Managed Service Providers (MSPs) may provide shared MySQL hosting for small-to-medium businesses (SMBs), government agencies, or non-profits that don’t want the overhead of managing their own database infrastructure. In this scenario, tenants are given access to separate databases on the same MySQL server instance, and an unpatched instance could allow one tenant to impact other organizations. These flaws also highlight the importance of strong passwords and of mitigating the threat from brute-force and password spraying attacks.

Remote version detection tests are available for all CVEs referenced below. These are included in both the OPENVAS ENTERPRISE FEED and COMMUNITY FEED. Tests cover both Linux and Windows MySQL installations.

CVE ID                    | Affected Versions                      | Impact           | Access Vector               | Patch Status
CVE-2025-50078 (CVSS 6.5) | 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 | DoS (hang/crash) | Remote authenticated access | Patched (July 2025)
CVE-2025-50082 (CVSS 6.5) | 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 | DoS (crash)      | Remote authenticated access | Patched (July 2025)
CVE-2025-50083 (CVSS 6.5) | 8.0.0–8.0.42, 8.4.0–8.4.5, 9.0.0–9.3.0 | DoS (crash)      | Remote authenticated access | Patched (July 2025)