A new maximum-severity zero-day vulnerability in Cisco AsyncOS was published in emergency fashion on Wednesday, December 17th. Cisco has indicated that the flaw, tracked as CVE-2025-20393, has been actively exploited in the wild by Chinese-nexus APT actors since late November 2025, and that it has been aware of the activity for at least a week prior to disclosure. Exploitation is limited to AsyncOS configurations with Spam Quarantine enabled and exposed to remote access. No patch is yet available from the vendor.

The OPENVAS ENTERPRISE FEED now includes remote version detection checks for CVE-2025-20393. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their IT systems infrastructure for emerging threats, including CVE-2025-20393.

Critical: Cisco CVE-2025-20393

CVE-2025-20393 (CVSS 10) is a critical vulnerability in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances if they are running Cisco AsyncOS and the Spam Quarantine feature [1][2] is both enabled and internet-accessible. Cisco’s official advisory and Talos blog post describe known exploit campaigns, but only contain sparse technical details about the vulnerability itself. CVE-2025-20393 has been classified as an improper input validation [CWE-20] flaw and reportedly allows attackers unauthenticated root-level remote code execution (RCE).

On December 17th, Cisco announced it had been aware of exploitation since December 10th, and that the attacks likely started in late November. Notably, when the EU’s Cyber Resilience Act (CRA) reporting obligations come into force in September 2026, known vulnerabilities and exploits must be reported to ENISA within 24 hours. Talos indicates the attacks are part of a cyberespionage campaign conducted by Chinese-nexus APT UAT-9686. However, no references to UAT-9686 exist on the internet prior to the exploitation of CVE-2025-20393.

CISA immediately added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) list. Germany’s BSI and Canada’s Centre for Cyber Security have issued emergency alerts [3][4]. No ransomware activity has been reported and PoC exploit code is not yet publicly available for CVE-2025-20393.

The Spam Quarantine feature acts as a mechanism for retaining spam messages rather than automatically deleting them. This allows administrators and end users to review suspected spam for false positives. Although the Spam Quarantine feature is not enabled by default on Cisco devices, the setup guides for SEG and SEWM include clear instructions for enabling it and configuring remote access [1][2]. Remote access to the Spam Quarantine feature allows administrators and end users to review and manage quarantined messages via a web interface, which is typically enabled on port 82 for HTTP and port 83 for HTTPS access.

Cisco Products Affected by CVE-2025-20393

According to the vendor advisory, all versions of Cisco AsyncOS are affected by CVE-2025-20393:

• Cisco Secure Email Gateway (SEG): Both physical appliances and virtual appliances are affected. The SEG was previously named the Cisco Email Security Appliance (ESA) [1].
• Cisco Secure Email and Web Manager (SEWM): Both physical appliances and virtual appliances are affected. The SEWM device was previously named the Content Security Management Appliance (SMA) [2].

CVE-2025-20393 is only exploitable when enabling the IP interface for remote browser access to the Spam Quarantine feature.

Mitigating Attacks Against CVE-2025-20393

No patch is currently available for CVE-2025-20393. Users who have enabled Spam Quarantine must either disable the service or implement workaround mitigation until a patch is released. These compensating measures may include:

• Ensuring the Spam Quarantine web interface is not exposed to the public internet.
• Restricting access with strict firewall and ACL rules to only authorised IP addresses.
• If compromise is suspected, Cisco indicates that a full rebuild of the appliance is the only effective way to remove the attacker’s persistent foothold. Rebuilding the affected appliance from a known good image is required, since malware may be persistent against configuration changes. If complete restoration of the appliance is not possible, Cisco recommends contacting TAC.

After breaching a device, attackers have deployed persistent backdoors [TA0003], established covert remote access [TA0011], and employed detection evasion techniques [TA0005]. Cisco’s reports claim CVE-2025-20393 is being used to deploy the AquaShell persistence malware, AquaTunnel and Chisel reverse tunnelling tools, and the AquaPurge log-clearing utility. However, these Aqua-branded malware families have not been publicly documented by security researchers prior to this campaign. Cisco has released Indicators of Compromise (IoC) related to the observed attacks.

Summary

On Wednesday, December 17th, Cisco made an emergency disclosure of CVE-2025-20393, a maximum-severity, actively exploited zero-day affecting Cisco Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances having Spam Quarantine both enabled and exposed. The flaw enables unauthenticated root-level RCE. Cisco Talos has attributed the observed exploitation to Chinese-nexus espionage activity.

With no patch available, immediate compensating mitigation is critical. Greenbone’s OPENVAS ENTERPRISE FEED has provided detection for CVE-2025-20393 within 24 hours of its public disclosure. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their IT infrastructure for emerging threats, including CVE-2025-20393. Once affected devices have been identified, mitigation primarily depends on either disabling the Spam Quarantine feature entirely or restricting access to its web interface until a patch becomes available.

On December 3rd 2025, a new maximum CVSS software flaw affecting React (aka ReactJS), exploded onto the cybersecurity landscape. Dubbed React2Shell, CVE-2025-55182 is already actively exploited. Users are urged to verify their exposure and patch immediately if affected. React is the most popular JavaScript library for building modern web-application user interfaces (UIs) implying that the global impact could be widespread. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats, such as React2Shell.

Critical: React2Shell

CVE-2025-55182 (CVSS 10.0) allows unauthenticated server-side remote code execution (RCE) in default configurations of React 19. The flaw exists in the React Server Components (RSC) “Flight” protocol. RSC is a framework and set of libraries that enable React 19 apps to pass application logic back to the server for processing rather than execution in the client browser. The Flight protocol is React’s serialization format for transporting RSC payloads.

React2Shell allows Flight payloads to be unsafely deserialized on the server [CWE-502], enabling unauthenticated shell command execution. Exploitation potentially offers attackers full compromise of the target, including remote control.
                       

The threat landscape is active and escalating. AWS was the first cloud vendor to attribute active exploitation. Since then, multiple IaaS vendors have reported active attacks. Reports have uncovered campaigns seeking to install remote access tools [T1219], proxy traffic relays [T1090], and botnet agents [T1583.004], and to leverage infected hosts for cryptocurrency mining [T1496]. GreyNoise has tracked hundreds of unique IP addresses attempting exploitation and The Shadowserver Foundation reports ~160,000 vulnerable instances globally.

The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) list, and numerous other national CERT alerts have been issued globally for CVE-2025-55182 [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17]. Several public PoC exploits are available [18][19][20], including one from Lachlan Davidson [21], the security researcher who identified and disclosed the React2Shell flaw. These public PoCs increase the risk of evolving attacks.

How Does React2Shell (CVE-2025-55182) Work?

JavaScript prototype pollution [CWE-1321] was found to be possible in React 19 because the deserialization logic did not sufficiently validate serialized object parameters. When RSC reconstructs JavaScript objects from Flight payloads, attacker-controlled special keys can misconfigure the prototype chain. This can cause runtime changes beyond the immediately reconstructed object. In the case of CVE-2025-55182, this includes calling native Node.js functions such as child_process.execSync to execute shell commands on the target server.

What Products Are Affected by React2Shell (CVE-2025-55182)?

According to official advisories from React [1][2], React2Shell impacts the react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack components of React versions 19.0, 19.1.0, 19.1.1, and 19.2.0. These components are enabled in the default configuration. React2Shell also impacts major frameworks that include React 19’s RSC, such as the very popular Next.js web framework.

React 19.0.0, released on December 5th 2024, was the first release to include non-experimental RSC functionality. This means that CVE-2025-55182 largely affects newer websites and organizations that diligently upgrade their web server infrastructure. Because RSC are enabled by default, all endpoints are potentially vulnerable, even if the Server Functions are not implemented.

According to the official react.dev blog post, other affected frameworks include:

• js (see vendor advisory)
• Vite RSC plugin (see vendor advisory)
• Parcel RSC plugin
• React Router RSC preview
• Expo app-building platform (see vendor advisory)
• RedwoodSDK
• Waku (see vendor advisory)

Mitigating React2Shell (CVE-2025-55182)

Website back-end developers should assess their infrastructure to determine whether React 19 is part of their web stack. To detect vulnerable instances, the OPENVAS ENTERPRISE FEED includes a remote version check for Vercel Next.js and an active check that sends an HTTP request to verify whether targets are vulnerable.

The strongest mitigation is to upgrade to a patched version of React in your release line. These are React 19.0.1, 19.1.2, or 19.2.1. Exploitation can also be mitigated via web-application firewall (WAF), and many cloud IaaS providers have published WAF rules for mitigation [1][2][3][4][5].

The patched versions of React and Next.js for each release line are:

• React 0.1
• React 1.2
• React 2.1
• Next.js 15.0.5
• Next.js 15.1.9
• Next.js 15.2.6
• Next.js 15.3.6
• Next.js 15.4.8
• Next.js 15.5.7
• Next.js 16.0.7

Users of Next.js 14.3.0-canary.77 or a later canary release should downgrade to the latest stable 14.x release. According to the official advisory from Next.js, Next.js 13.x, Next.js 14.x stable, Pages Router applications, and the Edge Runtime are not affected. Instructions for updating other affected third-party frameworks are available in React’s official advisory.

Summary

React2Shell (CVE-2025-55182) is a CVSS 10.0, unauthenticated RCE in the React 19 Server Components Flight protocol. The root cause is unsafe server-side deserialization in the Flight protocol. React2Shell also impacts major frameworks that include React 19’s RSC, such as the very popular Next.js web framework.

The vulnerability is considered actively exploited, with publicly available PoCs and a broad number of national CERT advisories globally. Defenders should conduct an exposure assessment and if possible implement WAF rules to temporarily mitigate exploitation, while planning urgent upgrades to patched versions of React 19, and other affected frameworks in use. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as React2Shell.

Was November 2025 a quiet month for cyber security? No, of course not. Fallout from the Oracle EBS ransomware campaigns, which began in October, was widespread; over 29 organizations have been claimed by the Cl0p syndicate alone, with over 100 victims in total. This included Envoy Air (an American Airlines subsidiary), Cox Enterprises, Logitech, Harvard University, The Washington Post, Allianz UK, Schneider Electric, Mazda, Canon, the UK’s National Health Service (NHS), University of the Witwatersrand, Dartmouth College, and others. A free trial of Greenbone’s OPENVAS BASIC offers defenders access to essential cyber security capabilities. Scan your IT environment with Greenbone’s OPENVAS ENTERPRISE FEED to enjoy industry-leading coverage today.

In this month’s threat report, we will review the latest emerging threats to enterprise cyber security in November 2025, including some of the most risky new software vulnerabilities. Data theft and extortion are also hot topics as ransomware attacks continue to increase in 2025. New regulations and civil legal precedents are also coming into play, increasing the potential financial costs to organizations that leak private data.

It’s Time to Talk About Data Theft Again

The May 2025 Threat Report: Hack, Rinse, Repeat reviewed how stolen data is enabling subsequent cyber attacks by providing context for targeted social engineering campaigns, and sensitive information about an organization’s IT infrastructure. Alternatively, stolen data may be used directly for payment card fraud or identity theft, negatively impacting individual victims.

Every day, multiple major data breaches are disclosed globally. The Identity Theft Resource Center (ITRC) tracked 1,732 publicly reported data compromises in the first half of 2025 (≈9.6 per day) in the U.S. alone. The ENISA Threat Landscape 2025 report, released in October, tracked 4,875 incidents in the EU from July 2024 to June 2025 (≈13.4 per day). CrowdStrike’s 2025 European Threat Landscape Report claims that 92% of EU-based ransomware victims were listed on a Data Leak Site (DLS) associated with encryption-based extortion and data theft extortion tactics, while 8% of victims were listed on DLS of ransomware gangs that solely rely on data theft.

So where is this all going? Firstly, new EU regulations are poised to impose punitive incentives on organizations to encourage stronger cyber security posture. DORA (the Digital Operational Resilience Act) demands that financial entities assess both their own cyber security posture and that of third-party ICT providers. The German Bundesrat has now effectively approved the NIS 2 Implementation Act, a law that imposes financial penalties and even personal liability on the managing directors and boards of EU covered entities. NIS 2 enforcement is expected in late 2025 to early 2026.

The individuals impacted by data breaches are also making their voices heard. Breach-related litigation hit record levels in 2024 (≈124 per month) and continued growing into 2025. In early 2025, Conduent Business Solutions announced the theft of Personal Health Information (PHI) belonging to more than 10.5 million Americans. In October 2025, victims were notified and ten class action lawsuits have since been filed. In November, a U.S. Fourth Circuit Court ruled that the public leak of driver’s license numbers online equates to “concrete” harm, further widening the risk for companies who leak data.

One way or another, the powers that be are imposing greater financial costs on organizations who fail to implement appropriate cyber security measures. As a fundamental IT security control, risk-based vulnerability management provides widespread benefits: reducing unauthorized initial access to critical IT assets, deflecting mass exploitation attacks, preventing Denial of Service (DoS) attacks, contributing to the mitigation of advanced social engineering attacks, and reducing the blast radius of a breach if one does occur.

Rogue Devices: Another Reason to Scan Your IT Infrastructure

Emerging software vulnerabilities are not the only reason to conduct continuous scans of your organization’s IT infrastructure. A recent criminal case involving Nordex, a Dutch wind farm operator, demonstrates how easily rogue devices can slip into production networks. According to the ruling, a company manager secretly connected three cryptocurrency mining rigs and two Helium network nodes to internal systems at two sites. The now convicted operator plugged miners into a substation router and hid the wireless hotspots inside wind turbines. The rogue devices were only discovered during Nordex’s recovery from a Conti-linked ransomware incident that took place in 2022.

Continuous infrastructure scanning matters: unauthorized hardware could indicate minor policy violations, but may also represent malicious insiders or external attackers who have gained unauthorized access. OPENVAS SCAN is equipped with discovery scan configurations to alert when new devices appear on a network or when critical systems are down.

DNS Risk from New BIND 9 Cache-Poisoning Flaw

CVE-2025-40778 and CVE-2025-40780 (both CVSS 8.6) are unauthenticated vulnerabilities in BIND 9 recursive resolvers that enable remote DNS cache poisoning and record forgery. A third flaw, CVE-2025-8677 (CVSS 7.5) allows Denial of Service via CPU-exhaustion. Cache-poisoning bugs target the way recursive resolvers cache answers in memory. If an attacker can poison a resolver with a malicious DNS record, users will be redirected to the malicious IP until the TTL expires.

BIND 9 is a widely deployed, open-source DNS server developed and maintained by the Internet Systems Consortium (ISC). It is especially common for on-prem and ISP/enterprise deployments. Although in-the-wild exploitation has not been reported, CVE-2025-40778 has a public proof-of-concept (PoC) available [1] and numerous national CERT alerts have been issued globally [2][3][4][5][6][7][8].

Greenbone provides detection checks for all three CVEs across multiple Linux distributions and hardware devices. Broadly speaking, many BIND 9 versions between 9.11 and 9.21, including some Supported Preview (S1) builds, are vulnerable. See ISC’s security advisories for specific affected product information [9][10][11].

2-Year-Old Linux Use-After-Free Flaw Now a Ransomware Threat

CVE-2024-1086 (CVSS 7.8, EPSS > 99th pctl), published in early 2024, is now being leveraged in ransomware attacks. The CVE has been on CISA’s KEV list since mid-2024 and was flagged for use in ransomware attacks in November 2025. CVE-2024-1086 is a use-after-free [CWE-416] flaw that enables a local attacker to escalate privileges to root and achieve kernel-level arbitrary code execution. The flaw resides in Linux kernel netfilter/nf_tables and affects kernels prior to v6.1.77. A public PoC has been available since March 2024 [1].

Greenbone’s OPENVAS ENTERPRISE FEED and COMMUNITY FEED have provided detection for CVE-2024-1086 across multiple Linux distributions since early 2024.

CVE-2025-12480: Gladinet Triofox Flaw Under Active Attack

CVE-2025-12480 (CVSS 9.1, EPSS >98th pctl) is an improper access control flaw [CWE-284] in Gladinet Triofox that allows unauthenticated remote code execution (RCE). The flaw is being actively exploited by the UNC6485 threat group. Although successful ransomware attacks are not yet reported, analysis shows that attackers are importing remote access tools [T1219] and scanning for lateral-movement opportunities [T1046]. A full technical analysis has been published by Google’s Mandiant, increasing the risk of expanding exploitation.

The attack chain works by providing a malicious GET request that specifies localhost in the Host header. The HTTP Host header is used for routing on the server side, but can be spoofed because it is not used for routing across the internet. CVE-2025-12480 may also be considered an Origin Validation Error [CWE-346] because Triofox automatically trusts requests to localhost without proper verification. This spoofing attack subsequently allows access to the AdminAccount.aspx route, sensitive installation scripts, and configuration pages. RCE is finally achieved by supplying Triofox’s antivirus engine with a path to attacker-generated scripts.

Italy’s national cyber agency, the ACN, and Taiwan’s TWCERT have issued alerts for CVE-2025-12480 [1][2]. Greenbone’s OPENVAS ENTERPRISE FEED includes both an active check and version check to identify vulnerable systems. Users should upgrade to Triofox version 16.7.10368.56560 or higher immediately. Mitigation may also be achieved by configuring a WAF to reject external requests that specify localhost in the Host header.

CVE-2025-61757: Unauthenticated RCE in Oracle Identity Manager

CVE-2025-61757 (CVSS 9.8, EPSS > 98th pctl), is a pre-authentication RCE flaw in Oracle Identity Manager (OIM) and Oracle Identity Governance (OIG). OIM is Oracle’s core provisioning and identity lifecycle engine, while OIG includes additional governance features such as access reviews, role/SoD controls, analytics, and more. CVE-2025-61757 is actively exploited, at least one public PoC exploit exists, and a detailed technical analysis is available.

Exploitation for initial access against internet-exposed OIM instances is considered trivial; an attacker can bypass authentication with a single HTTP request. By either adding ?WSDL to the URL or appending ;.wadl as a path parameter, the SecurityFilter skips authentication checks. Researchers used this unauthorized API access to abuse an endpoint designed to syntax check Groovy scripts by compiling them. Although the Groovy script itself isn’t executed (just compiled), code annotations within the script are executed at compile time, providing RCE.

Several national CERT alerts have been issued for CVE-2025-61757 globally [1][2][3][4]. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check to verify vulnerability to CVE-2025-61757 with a specially crafted HTTP request. Versions 12.2.1.4.0 and 14.1.2.1.0 of OIM and OIG are affected.

CentOS Web Panel (CWP) Under Active Attack for RCE

CVE-2025-48703 (CVSS 9.0, EPSS >98th pctl) is a pre-auth remote command injection vulnerability [CWE-78] in Control Web Panel / CentOS Web Panel (CWP). Exploitation requires knowledge of a valid non-root username. The flaw is caused by an authentication bypass in the file-manager changePerm endpoint combined with OS command injection via the unsanitized t_total chmod parameter. As a result, an attacker could spawn a reverse shell as a valid user. A full technical description and PoC was published by Fenrisk, who discovered and reported the flaw.

In November, CISA flagged CVE-2025-48703 as actively exploited and Taiwan’s TWCERT has issued an alert [1]. Given CWP’s widespread use and the large number of internet-exposed instances, CVE-2025-48703 poses a high-risk globally. Greenbone’s OPENVAS ENTERPRISE FEED includes an authenticated version detection check to identify vulnerable CWP servers, allowing users to take immediate action. All versions of CWP before 0.9.8.1205 are affected.

Unpatched Microsoft Office is Exposed to New Social Engineering Attacks

CVE-2025-60724 (CVSS 9.8) is a new critical GDI+ heap overflow flaw [CWE-122] affecting the graphics component of Microsoft Office and Windows. RCE can be triggered on a victim’s computer if an attacker convinces them to open a specially crafted document or metafile. Microsoft has patched the flaw with its November Patch Tuesday rollout. Vulmon lists two public PoC exploits, but both have since been taken down by GitHub.

Sophisticated social engineering attacks often convince users to open a malicious file, which seeks to exploit a local software flaw. For a better understanding of how cyber adversaries execute this tactic, read our recent blog post, Greenbone Helps Defend Against Advanced Social Engineering Attacks. Greenbone includes detection for CVE-2025-60724 and other CVEs disclosed in Microsoft’s monthly patch cycle.

PoC Exploit Published for New Flaws in N-Central

Horizon.ai has published PoC exploit code and a detailed technical analysis for a new attack chain exploiting CVE-2025-9316 and CVE-2025-11700 in N-Able’s N-Central. N-Central is a managing and monitoring (RMM) software used by large enterprises and managed service providers (MSPs) to easily manage fleets of IT infrastructure including configuration, patching, and reporting and analytics. N-Central sits in the “blast radius” category of software; compromise could easily lead to downstream third-party breaches.

Belgium’s CERT.be and Italy’s ACN have issued CERT alerts for the new CVEs [1][2]. Two other critical severity CVEs in N-Central were disclosed and quickly saw active exploitation in August this year; further evidence that attackers consider N-Central a high-value target. Here is a brief summary of the two new exploitable CVEs in N-Central and another new high-risk CVE for the product:

• CVE-2025-11366 (CVSS 8): An authentication bypass via path traversal [CWE-22]. The flaw was discovered and patched by the vendor, with very few details provided.
• CVE-2025-11700 (CVSS 5): An XML External Entities injection [CWE-611] leading to information disclosure
• CVE-2025-9316 (CVSS 6.9): Attackers can generate sessionIDs for unauthenticated users, leading to authentication bypass [CWE-1284].

The CVEs are fixed in N-Central 2025.4. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify all three CVEs referenced above, and an additional active check for CVE-2025-9316.

Summary

November 2025 was anything but quiet for cyber security. Ransomware campaigns targeting Oracle EBS flaws expanded to 100+ victims. Breach volumes keep rising and class action lawsuits on behalf of private victims are keeping pace. The EU’s DORA and NIS 2 are shifting into focus, increasing corporate and personal liability for management. On the vulnerability front, new actively exploited flaws in BIND 9, Linux, Triofox, N-Central, and more ensure that the ransomware war is far from its last act.

A free trial of Greenbone’s OPENVAS BASIC offers defenders access to essential cyber security capabilities. Scan your IT environment with Greenbone’s OPENVAS ENTERPRISE FEED to gain industry-leading coverage today.

Just over 4,100 new CVEs emerged in October 2025, representing new attack surfaces and placing pressure on defenders to identify and patch. For operational resilience, organizations need to scan their IT infrastructure often and prioritize mitigation efforts.

A free trial of Greenbone’s OPENVAS BASIC lets defenders scan their enterprise IT estate and stay on top of emerging threats. The trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, delivering industry-leading coverage for CVEs and other IT security vulnerabilities. This month’s threat report will cover some of the most critical new vulnerabilities being actively exploited, and emerging high-risk CVEs with widespread exposure.

Oracle EBS Exploited in Two Separate Ransomware Campaigns

CVE-2025-61882 (CVSS 9.8, EPSS ~99th pctl) is an unauthenticated remote code execution (RCE) flaw in Oracle E-Business Suite (EBS), actively exploited since at least August 9, 2025 [1][2]. The CVE is being used in mass exploitation campaigns for data-theft and extortion by the Cl0p ransomware [S0611] operator. Public PoC exploits appeared in early October and a detailed technical analysis is available.

Besides CVE-2025-61882, CVE-2025-61884 (CVSS 7.5, EPSS ~93rd pctl), a Server-Side Request Forgery (SSRF) flaw [CWE-918], also in Oracle EBS, was actively exploited in October 2025. CVE-2025-61884 was added to CISA KEV and has been used to deploy ransomware [T1486]. Attacks leveraging CVE-2025-61882 reportedly used data theft for extortion. However, attacks exploiting CVE-2025-61884 have used file encryption for ransom impact.

Both CVEs received alerts from numerous national CERT entities globally [3][4][5][6][7][8][9][10]. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and remote version check for CVE-2025-61882, and a remote version check for CVE-2025-61884 allowing defenders to identify vulnerable assets. According to Oracle’s official advisories [11][12], versions 12.2.3 to 12.2.14 of EBS are affected.

Smartbedded Meteobridge Now Actively Exploited Via CVE-2025-4008

CVE-2025-4008 (CVSS 8.8, ~97th pctl), published on May 13, 2025, is a remote unauthenticated command injection vulnerability [CWE-77] in Smartbedded Meteobridge, now actively exploited. The flaw resides in the template.cgi script of the Meteobridge web interface, which insecurely implements eval() calls. Exploitation allows attackers to execute arbitrary commands with root privileges on affected devices. Smartbedded Meteobridge is a gateway that connects personal weather stations to public networks. Shodan reveals roughly 70–130 devices exposed on the public internet.

A proof-of-concept (PoC) exploit and full technical write-up were published by ONEKEY, which discovered the flaw during firmware analysis. While the vendor’s official advisory claims that Internet exposure is a “precondition for exploiting any security vulnerability”, insider attacks can also present high risk to organizations. Greenbone is able to detect vulnerable instances of Smartbedded Meteobridge with an active check and remote version check. Users should upgrade to version 6.2 or later.

RediShell: A 13-Year-Old Lua Flaw Allows RCE in Redis

CVE-2025-49844 (CVSS 9.9, EPSS ~90th pctl) allows authenticated RCE on all unpatched Redis instances with Lua scripting enabled. The flaw, nicknamed RediShell, is caused by a use-after-free vulnerability [CWE-416] in the Lua garbage collector. Lua scripting is enabled by default, often with authentication disabled, increasing the risk of weak configuration.

Redis is prevalent in cloud environments and has been a hot target for cryptomining [T1496] and ransomware [T1486] leveraging P2PInfect, Redigo, HeadCrab, and Migo malware. A PoC exploit for CVE-2025-49844 confirms exploitability, along with two additional Lua engine flaws:

• CVE-2025-46817 (CVSS 9.8, EPSS ~96th pctl): an Integer Overflow [CWE-190] in the unpack()
• CVE-2025-46818 (CVSS 7.3, EPSS ~88th pctl): a code injection flaw [CWE-94] that allows an attacker to execute Lua scripts with the context of another user.

Multiple national security alerts have been issued for the CVEs [1][2][3][4][5][6]. OPENVAS ENTERPRISE FEED includes authenticated security checks to identify exposure across many Linux environments. Redis has issued a patch and additional mitigations can be found in the vendor’s official advisory.

Emergency Out-of-Band Patch for Windows Server Update Service and More Microsoft Risks Emerge

Microsoft’s October security update disclosed a total of 201 new CVEs. Two were flagged as “Exploitation Detected” and 14 as “Exploitation more likely”. In addition to these disclosures, an emergency alert was issued by CISA for CVE-2025-59287, affecting the Windows Server Update Service (WSUS). Here are brief descriptions of the most high-risk emerging threats to Microsoft products:

• CVE-2025-59287 (CVSS 9.8, EPSS ~70th pctl): A flaw in WSUS allows unauthorized RCE when untrusted data is deserialized [CWE-502]. Numerous national CERT alerts have been published, many referencing a public PoC exploit [1][2][3][4][5][6][7][8][9]. Microsoft’s official advisory also acknowledges a PoC exploit exists.
• CVE-2025-33073 (CVSS 8.8, EPSS ~97th pctl): A Windows SMB vulnerability allows an authorized attacker to remotely achieve privilege escalation [CWE-284] to SYSTEM level. The flaw was added to CISA KEV.
• CVE-2025-59230 (CVSS 7.8, EPSS ~95 pctl): An elevation of privilege vulnerability [CWE-284] in the Windows Remote Access Connection Manager has been added to CISA KEV.
• CVE-2025-24990 (CVSS 7.8, EPSS ~91st pctl): The end-of-life (EOL) third party Agere Modem driver in Microsoft Windows is now considered actively exploited. The flaw is due to an untrusted pointer dereference [CWE-822] which can lead to arbitrary code execution.
• CVE-2025-55315 (CVSS 9.9): A security feature bypass vulnerability in NET Core can lead to HTTP request smuggling [CWE-444]. An authenticated attacker could exploit the flaw to bypass front-end security controls, hijack user sessions, perform request-forgery attacks. A technical description is available increasing the risk. See the official security advisory for affected versions and patches.
• CVE-2025-59502 (CVSS 7.5, EPSS ~81 pctl): An unauthorized attacker can remotely induce uncontrolled resource consumption [CWE-400] in Windows Remote Procedure Call (RPC) resulting in Denial of Service (DoS). Microsoft classifies the CVE as “Exploitation More Likely”.
• CVE-2025-47827 (CVSS 4.6): Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature [CWE-324]. The flaw allows a malicious root filesystem to be mounted from an unverified SquashFS image. Even though the vulnerability arises in IGEL OS, the attack chain has implications for Windows/UEFI systems. Microsoft has flagged this flaw as actively exploited and a technical description with PoC exploit is available.

Greenbone provides robust detection for Microsoft’s recent security updates. The OPENVAS ENTERPRISE FEED includes detection for 156 (78%) of the 201 newly disclosed CVEs affecting Microsoft products.

Defenders Still “Living On the Edge”: Constant Flow of Perimeter Device Flaws

Greenbone’s June 2024 Threat Report first began tracking high-risk vulnerabilities in perimeter network devices. Since then, edge vulnerabilities have continued to surface without abate. In this section, we will review emerging threats to devices meant to protect internal networks from attacks.

F5 Hack: Multiple New Vulnerabilities in F5 Products Disclosed

In October 2025, F5 claimed a “highly sophisticated nation-state” adversary had long-term, persistent access to internal systems, indicating dwell time of at least 12 months. The attackers stole BIG-IP source code and internal vulnerability information. The data theft prompted an urgent publication of CVEs triaged in the F5 vulnerability pipeline.

In total, 44 new CVEs were published for F5 products in October 2025, several were subject of national CERT alerts [1][2][3][4][5][6][7][8][9][10]. Active exploitation has not been reported and no PoC exploits have been published. However, F5 vulnerabilities are often used in ransomware attacks. In response, Greenbone added new security tests for F5 devices, covering 32 (73%) of the 44 new CVEs.

Fresh CVEs in Ivanti Products for Defenders to Patch

Trend Micro’s Zero Day Initiative (ZDI) publicly disclosed 14 unpatched vulnerabilities in Ivanti Endpoint Manager (EPM) after months of unsuccessful coordination with Ivanti. According to reports, Ivanti requested six months to address the flaws. ZDI’s disclosure effectively exposed these flaws as “zero-day” vulnerabilities, meaning attackers could now exploit them before patches are available.

Greenbone is able to detect all of ZDI’s newly disclosed CVEs and Ivanti CVEs disclosed by other security researchers. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 17 Ivanti CVEs disclosed in October 2025.

Fortinet’s Products Exposed to 32 New CVEs in October

In total, 32 CVEs were published for Fortinet products in October 2025. However, only 17 of these are listed on the vendor’s official advisory page. Greenbone added checks for 21 of the 32 new CVEs, providing high detection coverage for defenders using Fortinet devices. Fortinet has 20 CVEs listed in CISA’s KEV catalog; 13 of these are associated with ransomware attacks indicating high risk for customers.

Critical Unauthenticated RCE in WatchGuard Fireware OS

CVE-2025-9242 (CVSS 9.3, EPSS ~90th pctl) affecting WatchGuard Fireware OS allows unauthenticated RCE. Fireware OS supports the vendor’s firewalls, VPN gateways, policy enforcement and intrusion prevention systems (IPS). Watchtowr security researchers have published a technical description and PoC exploit increasing the risk.

Several alerts have been issued from government agencies regarding CVE-2025-9242 [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote version check to identify affected appliances. Users should update to version 12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1 or later and review the vendor’s official advisory for more information.

CVE-2025-59978: Junos Space Flaw Lets Authenticated Attackers Inject Malicious Scripts

CVE-2025-59978 (CVSS 9.0) is a stored XSS flaw [CWE-79] in Juniper Networks’ Junos Space. Junos Space is a network‑management and orchestration that provides centralized management of Juniper’s routers, switches and security devices. The vulnerability lets a low-privileged authenticated attacker inject JavaScript <script> tags which execute with a viewing admin’s privileges. No active exploitation or public PoCs are yet known. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version check to identify vulnerable instances.  All Junos Space versions before 24.1R4 are affected. See the official security advisory for more information.

Local Privilege Escalation Flaw in VMware Exploited In-The-Wild

CVE-2025-41244 (CVSS 7.8), published in September 2025, is now flagged as actively exploited. Multiple sources have linked in-the-wild exploitation to UNC5174, a China-linked threat actor. The flaw is a local privilege escalation [CWE-284] when VMware Tools is managed by Aria Operations with SDMP enabled. Successful exploitation allows a local attacker to escalate privileges to root on the same VM. A technical analysis and PoC exploit are available increasing the risk.

The VMware platform has appeared on CISA KEV 26 times including this latest CVE; 8 of these entries indicate use in ransomware attacks. CERT advisories have been issued from various countries [1][2][3][4]. So far in 2025, a total of 40 CVEs have been issued across all VMware platforms. In response, Greenbone has added detection to both the OPENVAS ENTERPRISE FEED and COMMUNITY feed, covering  36 (90%) of VMware’s 2025 vulnerabilities.

To mitigate attacks, Windows users should update to VMware Tools 12.5.4 (Windows 32-bit: 12.4.9). Linux users should update to vendor-provided open-vm-tools. If you can’t patch immediately, disable SDMP and strictly limit guest access. Specific versions of VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure are affected. See the official advisory for more details.

Gladinet CentreStack Flaw Allows Machine Key Theft and RCE

CVE-2025-11371 (CVSS 9.8, EPSS 89th pctl) is an unauthenticated Local File Inclusion (LFI) flaw [CWE-552] that allows remote attackers to read arbitrary files, including the Web.config in Gladinet CentreStack and Triofox. In the wild attacks have been observed where the LFI flaw was exploited to retrieve the machine key from Web.config, then forge ASP.NET ViewState payloads. For RCE, attackers are exploiting another ViewState deserialization: CVE-2025-30406 (CVSS 9.8, EPSS ~99th pctl). A detailed technical description and attack chain analysis is publicly available.

Greenbone’s OPENVAS ENTERPRISE FEED has included detection tests for both CVEs described above since April 2025 [1][2]. CentreStack has published patches for users to prevent exploitation. According to Gladinet’s official advisory, users who can’t patch should disable the temp handler in UploadDownloadProxy’s Web.config to block the unauthenticated /storage/t.dn endpoint abused for LFI.

Zimbra Zero-Day Used to Target Brazilian Military

CVE-2025-27915 (CVSS 5.4, EPSS 97th pctl) is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Zimbra Collaboration Suite (ZCS). The flaw is caused by insufficient sanitization of HTML content contained in .ICS calendar files. As a result, attackers can launch phishing attacks with malicious .ICS calendar invites [T1566.001] to execute arbitrary JavaScript within a victim’s webmail session.

The CVE has been exploited in targeted attacks against the Brazilian military and added to CISA KEV. Belgium’s CERT.be has published a security advisory. ZCS is highly targeted by threat actors; CISA KEV contains 14 CVEs; five associated with ransomware attacks [T1486]. Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner check to identify vulnerable instances. The flaw affects ZCS versions 9.0, 10.0, and 10.1. Users should upgrade to the latest version and be especially cautious handling email attachments.

Critical Kentico Xperience Flaws are Actively Exploited

CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8) allow unauthenticated remote attackers to gain full administrative control of Kentico Xperience via an authentication bypass [CWE-288] flaw. Both CVEs are actively exploited. Exploitation enables attackers to manipulate or exfiltrate CMS data and deploy malicious payloads with administrative privileges.

A full technical description, and PoC exploits increase the risk of near future exploitation. Multiple national CERT advisories have been published for the new CVEs [1][2][3]. The OPENVAS ENTERPRISE FEED includes an active check for CVE-2025-2746 and an active check and remote version check for CVE-2025-2747. Versions through 13.0.172 and 13.0.178 are affected and the vendor has published hotfixes for mitigation.

New High-Severity Flaw in Zoho ManageEngine ADManager Plus

CVE-2025-10020 (CVSS 8.8, EPSS ~73rd pctl) is an authenticated command injection vulnerability [CWE-77] in the Custom Script component of ManageEngine ADManager Plus. The flaw allows attackers with low-privileged access to gain arbitrary RCE. ManageEngine is a widely used on-prem solution for system administrators, IT operations teams, and security engineers to monitor, automate, and secure IT infrastructures.

Despite no active exploitation, public technical description, or PoC exploit, ManageEngine has historically attracted attention from cyber adversaries. This makes CVE-2025-10020 high risk when combined with stolen credentials or insider attacks. The ManageEngine platform is listed on CISA KEV nine times; twice for ransomware attacks (CVE-2022-47966 and CVE-2021-40539). Updating to version 8024 is strongly recommended.

The OPENVAS ENTERPRISE FEED provides:

• A remote version check to detect servers vulnerable to CVE-2025-10020
• Detection tests for all Zoho vulnerabilities listed in CISA KEV including CVE-2022-47966 and CVE-2021-40539 used in ransomware attacks [T1486]
• Detection tests for >70% of CVEs affecting Zohocorp products from 2021 onward

Flowise Server Gives Attackers RCE and Access to Secrets

CVE-2025-61913 (CVSS 9.9) is a path traversal flaw [CWE-22] in Flowise that lets low-privileged, authenticated attackers read and write arbitrary files, potentially leading to RCE. Flowise is a drag & drop user interface and backend server for building customized large language model (LLM) applications.

CVE-2025-61913 stems from improper input validation of the file_path parameter in WriteFileTool and ReadFileTool. The flaw enables access to sensitive files such as /root/.flowise/encryption.key and /root/.flowise/database.sqlite in Docker, or /etc/passwd, /etc/shadow, and /root/.ssh/id_rsa in non-Docker setups. The vendor has published a full PoC exploit themselves, and at least one other PoC exploit exists [1]. However, in-the-wild exploitation has not been confirmed.

Several other new high-risk CVEs also impact Flowise Server:

• CVE-2025-26319 (CVSS 9.8): An unauthenticated arbitrary file upload vulnerability [CWE-22] in /api/v1/attachments. A complete technical description and PoC is available online increasing the risk.
• CVE-2025-61687 (CVSS 8.8): A file upload vulnerability [CWE-22] allows authenticated users to upload arbitrary files and persistently store malicious js web shells on the server, leading to RCE.
• CVE-2025-29192 (CVSS 6.1): Allows XSS [CWE-79] via FORM element and INPUT element when an admin views the chat log.
• CVE-2025-50538 (CVSS 6.1): Allows XSS [CWE-79] via IFRAME element when an admin views the chat log.

Germany’s BSI has issued WID-SEC alerts for all CVEs described above [2][3][4][5]. The OPENVAS ENTERPRISE FEED includes two remote version detection checks which address all aforementioned CVEs affecting Flowise [6][7][8]. Users should update to version 3.0.8 or later and disable ALLOW_BUILTIN_DEP during installation. See the vendor’s official advisory for more information.

CVE-2025-37729: Critical RCE Vulnerability in Elastic Cloud Enterprise

CVE-2025-37729 (CVSS 9.1) affecting Elastic Cloud Enterprise (ECE) allows RCE to authenticated attackers with admin privileges. Exploitation could allow exfiltration of sensitive data due to improper handling of Jinjava template expressions. The vulnerability poses a significant insider threat, particularly in hybrid and multi-cloud environments where ECE is deployed. Spain’s INCIBE CERT has issued a security alert. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances. According to the vendor’s official advisory, versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1 are affected.

Summary

The October 2025 Threat Report only scratches the surface of new software flaws emerging in the past month—and OPENVAS SECURITY INTELLIGENCE’s ability to detect them. October 2025 saw 4,100 new CVEs and novel cyber attack campaigns leveraging both fresh vulnerabilities and already known ones. This past month, high-impact flaws drove ransomware, data-theft, and operational downtime leading to attempts at corporate extortion and lost revenue. Greenbone’s OPENVAS BASIC free trial plus the OPENVAS ENTERPRISE FEED include detection modules for many emerging and legacy CVEs, helping security teams find, triage, and fix vulnerable IT assets.

Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; no CVE assignment, no acknowledgment from Fortinet. Security researchers recently noted that Fortinet seems to have silently patched the flaw without notifying users beforehand.

The issue finally hit the mainstream on November 13th, when watchTowr Labs posted a full proof-of-concept (PoC) exploit. One day later, the vulnerability was assigned an ID: CVE-2025-64446 (CVSS 9.8, EPSS 97th pctl) is now officially recognized as an actively exploited, critical severity issue in Fortinet FortiWeb. The flaw allows attackers to create rogue admin accounts and execute administrative actions.

Fortinet officially classifies CVE-2025-64446 as a Relative Path Traversal issue [CWE-23]. However, it should also be considered an Authentication Bypass Using an Alternate Path flaw [CWE-288], since URL manipulation allows attackers to access a legacy Common Gateway Interface (CGI) processor, which does not implement proper authentication. Users should consult Fortinet’s official advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw.

A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.

How the Exploit against CVE-2025-64446 Works

The exploit chain for CVE-2025-64446 combines two core design flaws in FortiWeb:

• A Relative Path Traversal vulnerability [CWE-23] allows unprotected URL routing between the management interface’s REST API and its CGI processor. This incorrect routing serves as an alternative path to bypass authentication.
• An Authentication Bypass Using an Alternate Path flaw [CWE-288] in the CGI processor does not perform proper authentication for data provided via a connecting client’s CGIINFO HTTP header.

watchTowr’s Python-based PoC demonstrates how attackers can circumvent FortiWeb’s intended API to  abuse the legacy CGI processor to create unauthorized admin accounts on the device. Here is how the exploit works:

1. Attackers can communicate with FortiWeb management port over HTTPS (port 443) with certificate validation disabled to avoid hang-ups with self-signed, outdated, or otherwise invalid certificates.
2. Unpatched FortiWeb appliances do not properly sanitize the URI before applying authorization rules. Unauthenticated users can achieve path traversal by starting their request URL with https://api/v2.0/… while also traversing via ../../../../../ to cgi-bin/fwbcgi.
3. Source code analysis revealed that FortiWeb’s legacy CGI backend includes a function named cgi_auth(), that blindly trusts any authorization claims provided in the CGIINFO header if the username matches any existing user; including the built-in admin user. This means an unauthenticated attacker can spoof the admin user to gain elevated permissions.
4. FortiWeb’s CGI processor then processes the rest of the request body with full administrative permissions.
5. The attacker can submit a malicious JSON object that instructs the system to create a new administrator account with an arbitrary, attacker-controlled username and password to take full control of the device.

How to Mitigate the Emerging Fortinet Vulnerability

FortiWeb users should consult Fortinet’s advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw. The vendor also officially recommends disabling HTTP and HTTPS for internet-facing interfaces until an upgrade can be performed. If a FortiWeb HTTP/HTTPS Management interface is only accessible from internal network endpoints, the risk is reduced.

Organizations running unpatched versions of FortiWeb should consider this a critical priority issue. The following versions of FortiWeb are affected:

• FortiWeb 8.0.0 through 8.0.1
• FortiWeb 7.6.0 through 7.6.4
• FortiWeb 7.4.0 through 7.4.9
• FortiWeb 7.2.0 through 7.2.11
• FortiWeb 7.0.0 through 7.0.11
• FortiWeb 6.4 through 6.4.3 (disclosed by watchTowr Labs [1])
• FortiWeb 6.3 through 6.3.23 (disclosed by watchTowr Labs)

It’s important to note that Fortinet’s list of affected products is less comprehensive than the one provided by third-party security researchers. The EU’s Cyber Resilience Act (CRA) comes into effect in late 2026, bringing a new measure of legal accountability to software vendors that issue untimely or inaccurate security information to their users. The CRA will require software vendors to report known vulnerabilities and known exploits to ENISA within 24 hours.

Greenbone’s OPENVAS ENTERPRISE FEED Has Got You Covered

Greenbone’s vulnerability test development team assessed this emerging FortiWeb flaw before it was published as a CVE. A version check [1] and active check [2] are now available in the  OPENVAS ENTERPRISE FEED. These detection tests include both version-based checks and active checks that interact with appliances over HTTP to detect vulnerability to the flaw. This dual-layer approach ensures that organizations can reliably identify vulnerable FortiWeb instances.

As new details emerge, Greenbone will refine and expand coverage to ensure that customers can identify affected instances. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.