So far, 2026 is off to a raucous start. The number of critical severity vulnerabilities impacting widely deployed software is staggering. Defenders need to scan widely and scan often to detect new threats in their infrastructure and prioritize mitigation efforts based on the potential impact to business operations, privacy regulations, and other compliance responsibilities. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.


This month, the World Economic Forum’s report Global Cybersecurity Outlook 2026 was released. The annual report surveys the top concerns of global cyber security and business leaders. This edition reported that 58% of surveyed executives perceive increased risk of exploitation via software vulnerabilities in 2026. Fraud, ransomware, and supply chain disruptions were ranked as the top impact concerns, while AI, phishing, and software vulnerabilities were considered the most concerning attack vectors. Respondents who considered their organizations to have high cyber resilience ranked exploitation of software vulnerabilities as the second most concerning threat, while medium and insufficient-resilience organizations ranked it third.

Figure 1: Evolving cyber risk concerns for CEOs and CISOs between 2025 and 2026. (Source: WEF Global Cybersecurity Outlook 2026)

Figure 2: Top cyber risk concerns by cyber resilience level. (Source: WEF Global Cybersecurity Outlook 2026)

The survey included 873 participants from 99 countries, including C-suite executives, academics, civil society, and public-sector cybersecurity leaders. With these sentiments for 2026 in mind, let’s review some of the most high-risk software vulnerabilities from January.

High Alert: Max-Severity HPE OneView Actively Exploited

CVE-2025-37164 (CVSS 9.8, EPSS ≥ 99th pctl) was published in mid-December 2025 and added to CISA’s Known Exploited Vulnerabilities (KEV) list in early 2026. The flaw allows an attacker to gain unauthenticated remote code execution (RCE) on HPE OneView prior to version 11.00 and HPE Synergy Composer appliances that expose OneView. CVE-2025-37164 is classified as a Code Injection flaw [CWE-94]. The root cause is a REST API endpoint: /rest/id-pools/executeCommand. Submitted commands are executed with high-level privileges but without authentication.

HPE OneView is a platform for centralized management of HPE data center infrastructure. Therefore, exploitation can provide attackers with control over network infrastructure, device firmware, and lifecycle management. Full technical details and several proof-of-concept (PoC) exploits exist [1][2][3], increasing the risk. Numerous national CERT alerts have been issued globally [4][5][6][7][8][9][10][11]. Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner detection for defenders to identify affected systems. Users should apply the security hotfix for HPE OneView versions 5.20 through 10.20 with urgency.

Critical Cisco Unified CM Flaw Actively Exploited

CVE-2026-20045 (CVSS 9.8, EPSS ≥ 75th pctl) is an unauthenticated RCE flaw affecting multiple Cisco products including Unified Communications Manager (CM), Unified CM Session Management Edition (SME), Unified CM IM & Presence Service, Cisco Unity Connection, and Webex Calling Dedicated Instance. The root cause is improper validation of user-supplied HTTP input [CWE-20] leading to code injection [CWE-94]. Successful exploitation grants user-level access followed by privilege escalation to root, resulting in full system takeover.

Cisco considers the flaw actively exploited, and it has been added to CISA KEV. Mass scanning activity has also been reported. No PoC exploit is publicly available, but Cisco networking devices are often targeted in high-profile hacks [1][2]. Multiple national CERT alerts have been issued globally [3][4][5][6][7][8][9][10][11].

Greenbone’s OPENVAS ENTERPRISE FEED includes separate vulnerability tests for Unified CM [12] and Unified CM IM&P [13]. No workarounds can mitigate this flaw. Users should upgrade to a fixed software release or apply a patch. See the vendor’s security advisory for more information.

Microsoft: Newly Exploited and Critical Out-of-Band Updates

Microsoft’s January 2026 patch release published 124 CVEs, eight classified as “Exploitation More Likely”. Two of the new CVEs were quickly tagged as actively exploited and added to CISA KEV [1][2]. Microsoft also released out-of-band (OOB) security patches for Windows 11 and Windows Server [3][4]. Greenbone’s OPENVAS ENTERPRISE FEED regularly publishes detection tests for CVEs in Microsoft’s monthly patch cycle and out-of-band security updates [5].

New high-risk CVEs affecting Microsoft products include:

  • CVE-2026-20805 (CVSS 5.5): A flaw in Microsoft Windows Desktop Window Manager that allows an authorized attacker to leak sensitive memory information [CWE-200]. The root cause is exposure of user-mode memory addresses via Advanced Local Procedure Call (ALPC). The flaw enables leakage of small but security-relevant memory fragments that can be chained with other vulnerabilities to bypass protections such as ASLR. Exploitation may allow full system compromise. CISA has added the flaw to its KEV list. However, no public PoC or ransomware activity has been reported. Microsoft distributed a fix for CVE-2026-20805 in its January 2026 cumulative updates.
  • CVE-2026-21509 (CVSS 7.8): An unauthorized local attacker can bypass Microsoft Office security features by exploiting reliance on untrusted inputs [CWE-807]. The flaw impacts Microsoft 365 and Microsoft Office 2016, 2019, and 2021. CISA has added the flaw to its KEV list but no public PoC is available. CVE-2026-21509 can be mitigated by installing the emergency patch or implementing registry-based controls [5][6].
  • CVE-2026-20952 and CVE-2026-20953 (both CVSS 8.4): Both flaws enable RCE via social engineering attacks leveraging trojanized Office documents. Exploitation does not require the target to open a malicious file; the flaw can be triggered via the Preview Pane. These CVEs are not reported as actively exploited and no public PoC exploits are yet available. Patches are available in Microsoft’s January 2026 cumulative updates.

Adobe ColdFusion Requires Critical Patches Amidst Active Attack Campaigns

Adobe has patched a critical RCE flaw in ColdFusion versions 2025 and 2023 introduced by dependency on Apache Tika’s CVE-2025-66516 (CVSS 9.8, EPSS ≥ 88th pctl). The flaw in Apache Tika was published in December 2025. Greenbone includes a remote banner check for affected ColdFusion products as well as detection for other enterprise software products affected by CVE-2025-66516. The OPENVAS ENTERPRISE FEED also includes detection for all ColdFusion CVEs published in Adobe’s December 2025 patch release. Greenbone’s ENTERPRISE FEED also includes detection for 10 ColdFusion CVEs included in a new exploitation campaign that occurred over the holidays [1][2][3][4][5][6][7][8][9][10][11]. The reported mass exploitation event targeted ColdFusion and other enterprise software applications.

CVE-2025-68645: Zimbra Collaboration Suite (ZCS) Actively Exploited Again

CVE-2025-68645 (CVSS 8.8, EPSS ≥ 96th pctl) impacting Zimbra Collaboration Suite (ZCS), published in late December 2025, is now considered actively exploited by CISA. The flaw allows unauthenticated remote attackers to perform local file inclusion against ZCS 10.0 and 10.1. The root cause is improper request parameter handling in the RestFilter servlet of the Webmail Classic UI. This allows arbitrary files to be uploaded into the WebRoot directory such as web shells, potentially resulting in arbitrary RCE.

CVE-2025-68645 is being used in targeted, reconnaissance-driven attack campaigns. A public PoC can be found via Google search, but seems to have been removed from GitHub. ZCS has an extensive history of exploitation, often in ransomware attacks.

Greenbone’s OPENVAS ENTERPRISE FEED included remote banner checks [1][2] prior to the disclosure of CVE-2025-68645, and now also includes an active check for affected ZCS installations. Known affected versions include Zimbra Collaboration Suite 10.0.0 through 10.0.17 and 10.1.0 through 10.1.12, with the issue resolved in versions 10.0.18 and 10.1.13, released in early November 2025. Users who have not patched should do so immediately.

Gogs Self-Hosted Git Server Targeted in Mass Exploitation Attacks

CVE-2025-8110 (CVSS 8.8, EPSS ≥ 96th pctl) is a path traversal flaw [CWE-22] that allows authenticated attackers to achieve RCE against the Gogs self-hosted Git service. The root cause is improper symbolic link handling in the PutContents file update API which can be leveraged to overwrite arbitrary files outside the targeted repository. CVE-2025-8110 is considered a bypass of CVE-2024-55947 (CVSS 8.8) and requires only low-level permissions to create a repository for exploitation. Gogs does not need to be internet-facing for exploitation. Malicious insiders with access to Gogs instances hosted on a local network also represent a significant threat.

CVE-2025-8110 is being actively exploited in automated mass exploitation campaigns and has a full technical description and public PoC exploit kit. Historically, Gogs has a very high rate of exploit development for published CVEs. CVE-2025-8110’s timeline for disclosure and mitigation includes 6 months of active exploitation while patches remained unavailable. Exploitation was first observed in mid-2025, and the vulnerability was responsibly disclosed to maintainers on July 17, 2025. The CVE was only later published on December 10th, 2025 while still unpatched. Inspection of Gogs releases indicates patches became available on January 23, 2026 in Gogs v0.13.4. The OPENVAS ENTERPRISE FEED has included remote banner detection for vulnerable instances since initial publication.

Fortinet Exploited Again: New FortiCloud SSO Admin Authentication Bypass

CVE-2026-24858 (CVSS 9.8) is a new actively exploited flaw affecting FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb when FortiCloud SSO is enabled. The flaw allows a FortiCloud-authenticated attacker to gain unauthorized administrative access to other tenants’ Fortinet devices. The root cause is an improper authentication flow [CWE-288] when FortiCloud SSO is used.

Early exploitation of CVE-2026-24858 was initially mistaken for a recurrence of the December 2025 FortiCloud SSO bypass vulnerabilities CVE-2025-59718 and CVE-2025-59719 (both CVSS 9.8) due to the similar attack patterns. CVE-2026-24858 has no publicly released proof-of-concept exploits, and has not been associated with ransomware attacks. However, attackers have been observed downloading full device configuration files [T1005] and creating persistent super_admin local accounts [T1136.001].

Numerous national CERT alerts have been issued globally [1][2][3][4][5][6][7][8][9][10]. The OPENVAS ENTERPRISE FEED includes detection for CVE-2026-24858 for many Fortinet products [11][12][13][14]. Updates are not yet available for all affected products. Users should seek updated guidance from Fortinet’s official advisory. According to the advisory, Fortinet has disabled FortiCloud SSO authentication from vulnerable devices to provide mitigation and posted indicators of compromise (IoC) observed in attacks.

New High-Risk CVEs in SolarWinds Web Help Desk (WHD)

Six new high-risk vulnerabilities affecting SolarWinds Web Help Desk (WHD) were disclosed in January 2026. WHD plays a significant role in IT service management and sensitive asset tracking globally. Previous exploitation of similar bugs indicates threat actors will target newly disclosed CVEs.

The newly disclosed CVEs affecting SolarWinds WHD are:

Active exploitation has not been reported, although Horizon3.ai has published the technical details for at least one potential attack chain. All versions of WHD prior to 2026.1 are impacted. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner version check covering all aforementioned vulnerabilities in SolarWinds WHD, plus separate active checks for CVE-2025-40551 and CVE-2025-40536 [1] and for CVE-2025-40537 [2]. Users should identify vulnerable instances in their IT infrastructure and upgrade to WHD 2026.1 as soon as possible.

CVE-2025-59470: Critical RCE Flaw in Veeam Restoration and Backups

Four new CVEs affecting Veeam Backup & Replication version 13 builds ≤ v13.0.1.180 were published in Veeam’s January security update. All four CVEs are rated critical. They are not yet reported as actively exploited, and no public PoC exploit exists at this time. Several national CERT advisories have been issued globally [1][2][3][4][5].

The CVEs are described below:

  • CVE-2025-55125 (CVSS 9.8): An attacker with the Backup or Tape Operator role can achieve RCE as root by creating a malicious backup configuration file. The root cause is a command injection flaw due to improper sanitization of user supplied input [CWE-77].
  • CVE-2025-59468 (CVSS 9.1): An attacker with the Backup Administrator role can perform RCE as the postgres user by sending a malicious password parameter. The root cause is a command injection flaw due to improper sanitization of user supplied input [CWE-77].
  • CVE-2025-59469 (CVSS 9.0): An attacker with the Backup or Tape Operator role can write files as root. Although classified as an exposure of a sensitive information flaw [CWE-200] by NIST, it actually allows privileged file write operations, potentially leading to full system takeover.
  • CVE-2025-59470 (CVSS 9.0): Authorized attackers can achieve RCE as the server’s postgres user. The root cause is a command injection flaw due to improper sanitization of user supplied input [CWE-77].

Veeam indicates that it serves 82% of Fortune 500 companies. As such, Veeam Backup & Replication is a high-value target for ransomware operators and has a documented history of exploitation by ransomware groups [7][8][9]. While exploitation requires Backup Operator or Tape Operator roles, these accounts are typically compromised via credential theft [TA0006] or by creating new privileged accounts [T1136] once an attacker gains admin-level control of the environment [6]. The OPENVAS ENTERPRISE FEED includes remote banner detection for all four new CVEs affecting Veeam Backup & Replication.

New Wireshark CVEs Can Trigger Denial-of-Service (DoS)

Multiple vulnerabilities affecting Wireshark’s protocol dissection logic can result in denial-of-service (DoS). The flaws affect various versions of Wireshark between 4.4.0 and 4.6.2. The new CVEs can be triggered by malformed network traffic.

  • CVE-2026-0959 (CVSS 6.5): IEEE 802.11 protocol dissector can crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allowing DoS.
  • CVE-2026-0960 (CVSS 5.5): HTTP3 protocol dissector can enter an infinite loop in Wireshark 4.6.0 to 4.6.2 allowing DoS.
  • CVE-2026-0961 (CVSS 6.5): A BLF file parser can crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allowing DoS.
  • CVE-2026-0962 (CVSS 6.5): The SOME/IP-SD protocol dissector can crash in Wireshark 4.6.0 to 4.6.2 and 4.4.0 to 4.4.12 allowing DoS.

Because tshark shares the same libwireshark dissection engine, these flaws also affect headless and CLI-based workflows, meaning automated processing of untrusted PCAP files or live captures can trigger DoS conditions. The Greenbone ENTERPRISE FEED includes local security checks for Windows, Linux, and macOS environments. Extended information can be found in the vendor’s advisory.

Summary

January 2026 makes it clear that exploiting software vulnerabilities remains a dominant and persistent cyber security risk for virtually all organizations globally. This month included multiple critical and actively exploited flaws affecting widely deployed enterprise software. Network management systems, collaboration tools, backup software, and security appliances remain prime targets for threat actors. Unauthenticated or low-privilege RCE can have severe downstream impacts such as ransomware or data theft resulting in fraud. Organizations should scan widely and scan often to maintain complete visibility of emerging threats within their infrastructure. Defenders seeking to detect and protect can try Greenbone’s flagship OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.

On January 13th, 2026, Fortinet publicly disclosed and patched CVE-2025-64155 (CVSS 9.8) affecting FortiSIEM along with five additional vulnerabilities across its product line [1][2][3][4][5]. In particular, CVE-2025-64155 represents high-risk exposure; immediately after its release, active exploitation was reported. The flaw was responsibly disclosed to Fortinet almost six months ago (August 2025), by Horizon3.ai. Greenbone includes a remote banner check for our enterprise customers that can detect the presence of CVE-2025-64155 in a network, as well as three other Fortinet vulnerabilities released in the same patch cycle [6][7][8].

A free two-week trial of OPENVAS BASIC, Greenbone’s entry-level virtual appliance, is available for interested parties to evaluate the OPENVAS ENTERPRISE FEED. Our full product line also includes high-performance physical and virtual appliances for corporate, education, and public sector customers.

CVE-2025-64155 (CVSS 9.8) is a new OS command injection flaw [CWE-78] that allows remote code execution (RCE) with root-level permissions on FortiSIEM endpoints. Unauthenticated arbitrary RCE with root permissions is the most dangerous combination of attributes a CVE could have. The combination allows sophisticated attackers to remotely take full control of an affected device to potentially install rootkit malware. Existing rootkits are known to have advanced evasion capabilities including Endpoint Detection and Response evasion [1][2][3], covert persistence mechanisms, log tampering, firmware manipulation, and secure boot bypass [4][5][6].

Honeypot exploitation has been reported by Defused, but no specific victims have been identified, and CVE-2025-64155 has not been added to CISA’s Known Exploited Vulnerabilities (KEV) database. However, Fortinet CVEs have been listed 23 times on CISA KEV; 13 are associated with ransomware attacks. A full technical description and proof-of-concept (PoC) exploit have been published by Horizon3.ai, the team that first discovered the flaw. Multiple government CERT agencies have issued alerts globally [7][8][9][10][11][12][13]. Fortinet users should review all recent PSIRT advisories issued by the vendor to evaluate their risk.

A Technical Description of CVE-2025-64155 in FortiSIEM

FortiSIEM devices use the phMonitor service for communication and data sharing over TCP/IP. phMonitor exposes multiple command handlers on TCP port 7900 that operate without authentication via the initEventHandler() function. Handler routing is determined by the parameters passed by the client. 

Exploitation of CVE-2025-64155 has been demonstrated by leveraging an argument injection flaw [CWE-88] in phMonitor to achieve arbitrary file write. An attacker can use this flaw for root-level RCE by overwriting non-root owned files that are executed by the /etc/cron.d/fsm-crontab file, FortiSIEM’s root-owned cron scheduler. Non-root RCE attack chains are also possible, such as writing a bash reverse-shell to the /opt/phoenix/bin/phLicenseTool file which is automatically executed periodically.

When specific parameters are passed to phMonitor, invoking the handleStorageRequest function, the user-controlled <cluster_url> parameter is passed to a shell script named elastic_test_url.sh. The shell script further appends the <cluster_url> parameter to the curl command and executes it. However, because the parameter is not properly sanitized, curl can be abused to trigger local file writes on the target FortiSIEM host. Horizon3.ai researchers have also pointed out that FortiSIEM’s lack of authentication for the phMonitor API has contributed to several maximum severity, exploitable CVEs in the past [1][2].

Mitigating CVE-2025-64155 in FortiSIEM Devices

Users should follow the update guidance provided in Fortinet’s official advisory for CVE-2025-64155. According to Fortinet, the flaw does not affect all node types. Only the Super and Worker nodes are impacted. For customers who cannot complete an update, Fortinet advises restricting access to the phMonitor port 7900. However, blocking access to port 7900 may cause services that depend on it to fail.

While Fortinet’s official hardening guide advises users that FortiSIEM should operate “in a protected network segment”, security researchers are well aware that sensitive services are often exposed to the internet despite the high risk. Even if a FortiSIEM device is not exposed publicly, vulnerable instances could be used for lateral movement and persistence within a target network. This threat applies if attackers already have a foothold, if malicious insiders are present, or if attackers gain unauthorized access to a user’s internal network in the future.

The affected FortiSIEM products and relevant mitigations are:

Affected Product   Version   Solution
FortiSIEM          Cloud     Not affected
FortiSIEM          7.5       Not affected
FortiSIEM          7.4       Upgrade to 7.4.1 or above
FortiSIEM          7.3       Upgrade to 7.3.5 or above
FortiSIEM          7.2       Upgrade to 7.2.7 or above
FortiSIEM          7.1       Upgrade to 7.1.9 or above
FortiSIEM          7.0       Migrate to fixed release
FortiSIEM          6.7       Migrate to fixed release

Summary

CVE-2025-64155 (CVSS 9.8) is a critical, unauthenticated, root-level remote code execution vulnerability in FortiSIEM that was disclosed and patched by Fortinet on January 13, 2026. Honeypot exploitation activity was observed almost immediately after disclosure, increasing risk for any exposed or reachable FortiSIEM deployments. Defenders should ensure that their FortiSIEM instances are not publicly accessible and that access controls are strictly enforced even on internal network segments.

A free two-week trial of OPENVAS BASIC, Greenbone’s entry-level virtual appliance is available for interested parties to evaluate the industry-leading coverage of the OPENVAS ENTERPRISE FEED. Our full product line-up also includes high-performance physical and virtual appliances for medium and large corporate, education, and public sector customers.

In 2025, Greenbone increased the total number of vulnerability tests in the OPENVAS ENTERPRISE FEED to over 227,000, adding almost 40,000 vulnerability checks. Since the first CVE was published in 1999, over 300,000 software vulnerabilities have been added to MITRE’s CVE repository. CVE disclosures continued to rocket upward, increasing roughly 21% compared to 2024. CISA added 245 CVEs to its Known Exploited Vulnerabilities (KEV); 24 of these are known ransomware vectors. Defenders seeking to detect and protect can try OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.


5,519 new CVEs were published in December 2025, setting a new all-time high for a single month. New critical severity vulnerabilities and emergency responses continued throughout the holiday season unabated. The Greenbone blog has already reported on two actively exploited CVSS 10 vulnerabilities that emerged in December: CVE-2025-55182 dubbed React2Shell and CVE-2025-20393 affecting Cisco AsyncOS Spam Quarantine. In the December 2025 Threat Report, we will round off the month’s most critical emerging threats to IT security.

Ransom Attacks against Hypervisors Spiked in Late 2025

Research from Huntress shows that hypervisors are trending upward as a prime ransomware target. According to their data, hypervisors played a role in 3% of malicious encryption attacks during the first half of 2025, increasing to 25% during the second half. They believe the increase was driven by the Akira ransomware APT, a group known to aggressively exploit software vulnerabilities.

To reduce risk to hypervisor infrastructure, defenders should plan and implement comprehensive security controls, including:

  • Regularly run vulnerability scans across hypervisor infrastructure and prioritize any discovered vulnerabilities for mitigation
  • Disable or restrict unnecessary hypervisors and VM instances
  • Never expose management interfaces directly to the internet
  • Limit access to hypervisor IP addresses and management consoles using firewall rules

MongoBleed Gifts an Emergency Holiday Patch

CVE-2025-14847 (CVSS 7.5, EPSS 98th pctl), affecting MongoDB, was published on December 19th, 2025. The flaw allows an unauthenticated remote attacker to access sensitive memory locations by sending malformed packets with length parameter inconsistency [CWE-130]. It has been nicknamed MongoBleed, following the informal convention for memory leak vulnerabilities such as HeartBleed [1][2], and CitrixBleed [3][4]. The flaw lies in MongoDB’s network transport-layer zlib compression process. When faced with a length mismatch, the zlib message compressor could return an allocated buffer length rather than the true decompressed length, allowing attackers to read uninitialized heap memory.
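The length-mismatch pattern described above, as an added illustration that is not MongoDB’s or Greenbone’s code: a constructed message format in which the header declares the uncompressed size and a toy run-length encoding stands in for zlib. The vulnerable decoder reports the declared size, so a caller forwarding that many bytes leaks the uninitialized tail of the heap buffer; the hardened decoder returns only the true size and rejects a mismatched header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a compressed wire message (not MongoDB's code): a header
 * declares the uncompressed length, then a run-length encoded payload follows as
 * (count, byte) pairs. The declared length is attacker-controlled. */
typedef struct {
    uint32_t declared_len;   /* claimed uncompressed size from the message header */
    const uint8_t *rle;      /* (count, byte) pairs */
    size_t rle_len;          /* number of bytes in rle (pairs, so even) */
} compressed_msg;

/* Expand the RLE pairs into out. Returns the number of bytes actually produced,
 * or -1 if the payload would overflow the output capacity. */
static long rle_expand(const uint8_t *rle, size_t rle_len, uint8_t *out, size_t cap) {
    size_t written = 0;
    for (size_t i = 0; i + 1 < rle_len; i += 2) {
        size_t run = rle[i];
        if (written + run > cap) return -1;
        memset(out + written, rle[i + 1], run);
        written += run;
    }
    return (long)written;
}

/* Vulnerable pattern (CWE-130): the buffer is sized from the header and the
 * header length is reported back as the message length, so a caller that
 * forwards *out for that many bytes sends the uninitialized tail to the client. */
long decompress_vulnerable(const compressed_msg *m, uint8_t **out) {
    uint8_t *buf = malloc(m->declared_len);      /* uninitialized heap memory */
    if (!buf) return -1;
    long produced = rle_expand(m->rle, m->rle_len, buf, m->declared_len);
    if (produced < 0) { free(buf); return -1; }
    *out = buf;
    return (long)m->declared_len;                /* BUG: should be `produced` */
}

/* Hardened pattern: only the true decompressed size is ever returned, a header
 * that disagrees with it is rejected as malformed, and the buffer is zeroed so
 * that even a later logic error cannot expose stale heap contents. */
long decompress_hardened(const compressed_msg *m, uint8_t **out) {
    uint8_t *buf = calloc(m->declared_len, 1);
    if (!buf) return -1;
    long produced = rle_expand(m->rle, m->rle_len, buf, m->declared_len);
    if (produced < 0 || (uint32_t)produced != m->declared_len) {
        free(buf);
        return -1;                               /* length mismatch: drop message */
    }
    *out = buf;
    return produced;
}

/* Constructed sample payload: expands to "AAABB" (5 bytes). */
static const uint8_t sample_rle[] = { 3, 'A', 2, 'B' };

/* Header over-declares the size, as a MongoBleed-style probe would. */
long sample_vulnerable_len(void) {
    compressed_msg m = { 64, sample_rle, sizeof sample_rle };
    uint8_t *out = NULL;
    long n = decompress_vulnerable(&m, &out);
    free(out);
    return n;                                    /* 64: 59 bytes of heap garbage would be forwarded */
}

/* Same over-declared header against the hardened decoder. */
long sample_hardened_mismatch(void) {
    compressed_msg m = { 64, sample_rle, sizeof sample_rle };
    uint8_t *out = NULL;
    return decompress_hardened(&m, &out);        /* -1: rejected */
}

/* Consistent header: hardened decoder accepts and returns the true size. */
long sample_hardened_consistent(void) {
    compressed_msg m = { 5, sample_rle, sizeof sample_rle };
    uint8_t *out = NULL;
    long n = decompress_hardened(&m, &out);
    int ok = (n == 5 && memcmp(out, "AAABB", 5) == 0);
    free(out);
    return ok ? n : -2;                          /* 5 */
}

int main(void) {
    printf("vulnerable reports %ld bytes for a 5-byte payload\n", sample_vulnerable_len());
    printf("hardened rejects the mismatch: %ld\n", sample_hardened_mismatch());
    printf("hardened accepts a consistent header: %ld\n", sample_hardened_consistent());
    return 0;
}
```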

One security researcher estimates over 200,000 instances are exposed on the public internet globally. The Shadowserver Foundation lists over 80,000. At least one proof-of-concept (PoC) exploit has been published for CVE-2025-14847 that can automatically hunt for secrets like DB passwords and cloud keys. The PoC demonstrates how an attacker can enumerate through heap memory to exfiltrate sensitive information. CVE-2025-14847 has been added to CISA’s KEV catalogue and numerous national CERT alerts have been issued globally [5][6][7][8][9][10][11][12][13]. No ransomware attacks leveraging MongoBleed have yet been reported.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote version detection checks for Windows and Linux instances of MongoDB Server [14][15], and an active check for both Windows and Linux [16]. The vendor’s official advisory includes a list of affected versions, and patches. Users should upgrade with urgency and inspect MongoDB servers for indicators of compromise (IoC).

CVSS 10 SmarterMail Flaw Allows Unauthenticated RCE

Update (January 27, 2026)

Both CVE-2025-52691 (CVSS 10), published in late December 2025, and CVE-2026-23760 (CVSS 9.3), a new flaw published on January 23rd, 2026, were added to CISA’s KEV list on January 26th, 2026, indicating active exploitation. Both flaws affect SmarterTools SmarterMail.

The newer flaw, CVE-2026-23760, is an authentication bypass vulnerability [CWE-288] that allows an unauthenticated attacker to reset the admin user’s password. As described below, CVE-2025-52691 has a full technical description. A full technical description for CVE-2026-23760 has also been published, increasing the risk.

The OPENVAS ENTERPRISE FEED includes vulnerability tests for both CVEs. A remote banner check for detecting CVE-2026-23760 was published on January 23rd, 2026 within 24 hours of the CVE’s publication and before it was added to CISA KEV.

Users should re-evaluate their risk, and consult SmarterMail’s official release notes, which indicate that users should upgrade to the patched Build 9518.

CVE-2025-52691 (CVSS 10) is a new unauthenticated remote code execution (RCE) vulnerability in SmarterTools SmarterMail affecting Build 9406 and earlier. The flaw is caused by an arbitrary file upload weakness [CWE-434] that lets attackers upload files to any location on the target server. These uploaded files can potentially serve as web shells or be executed as SYSTEM if placed in sensitive directories.

SmarterMail runs on the Windows/IIS/.NET stack and includes a web application with webmail and sync services over HTTPS. SmarterMail’s official documentation claims over 15 million users. Other sources attribute SmarterMail with less than 0.1% of all identifiable web applications. SmarterMail is often used in managed web hosting environments, which could increase the potential blast radius if exploited.

Singapore’s Cyber Security Agency (CSA) published CVE-2025-52691 and first alerted the public to its risk. Active exploitation in the wild or public PoC exploits have not been disclosed, but penligent.ai researchers have published technical descriptions of the attack chain [1][2]. Other national security agencies have also issued emergency cyber alerts [3][4].

The OPENVAS ENTERPRISE FEED includes a version detection check for CVE-2025-52691. The issue was patched in early October 2025 in Build 9413 of SmarterMail. Users are advised to upgrade to the newest version.

OSGeo GeoServer Actively Exploited via XXE Flaw

CVE-2025-58360 (CVSS 9.8, EPSS 99th pctl) is an unauthenticated XML External Entity (XXE) vulnerability [CWE-611] in OSGeo GeoServer. The flaw lets remote attackers read arbitrary files, trigger Server-Side Request Forgery (SSRF) [CWE-918], or cause Denial of Service (DoS). The root cause is a failure to properly sanitize XML data processed by the /geoserver/wms GetMap endpoint.

CVE-2025-58360 was added to CISA KEV on December 11th and multiple public PoC exploits exist [1][2][3]. Use in ransomware attacks or espionage has not been confirmed. The Shadowserver Foundation has tracked 2,451 exposed GeoServer instances; Shodan reports over 14,000, indicating significant global risk. Several national CERT agencies have published alerts for CVE-2025-58360 [4][5][6][7][8]. Previously, in 2024, CVE-2024-36401 (CVSS 9.8) in GeoServer was actively exploited and led to a confirmed breach of an unnamed U.S. federal agency. This indicates cyber adversaries are familiar with exploiting GeoServer infrastructure, which increases the risk.

The OPENVAS ENTERPRISE FEED includes a remote banner check to detect vulnerable GeoServer instances. CVE-2025-58360 affects the main OSGeo GeoServer application, docker.osgeo.org/geoserver containers, gs-web-app, and gs-wms Maven packages. Full affected product status is available in the vendor’s official advisory.

Living on the Edge: New Threats to Network Perimeters in December 2025

Our monthly Threat Report has been closely tracking software vulnerabilities impacting the network perimeter [1][2][3]. In December 2025, there was indeed another wave of new high-risk CVEs and active exploitation. Let’s cover some emerging risks to perimeter networks:

Multiple Fortinet Products Actively Exploited via Authentication Bypass

Published on December 9th, 2025, CVE-2025-59718 (CVSS 9.8, EPSS 90th pctl) and CVE-2025-59719 (CVSS 9.8) were added to CISA’s KEV list one week after being made public. CVE-2025-59718 affects Fortinet FortiOS, FortiProxy, and FortiSwitchManager, while CVE-2025-59719 only impacts FortiWeb. The new CVEs allow authentication bypass of FortiCloud SSO admin logins due to improper cryptographic signature verification [CWE-347] of SAML messages. According to the first report of active attacks, made by Arctic Wolf, FortiCloud SSO login may be enabled by default when registering devices via the FortiCare GUI.

At least one PoC exploit is publicly available [1]. The new CVEs triggered a widespread response from national CERT agencies globally [1][2][3][4][5][6][7][8][9][10][11][12]. Greenbone provides detection for both new critical severity CVEs. For a full list of affected products, see Fortinet’s official advisory.

Privilege Escalation Flaw in SonicWall SMA 1000 Appliances

CVE-2025-40602 (CVSS 6.6, EPSS 84th pctl) is a local privilege escalation flaw affecting the Appliance Management Console of SonicWall Secure Mobile Access (SMA) 1000 appliances. The vulnerability is caused by insufficient or missing authorization [CWE-862]. Exploitation can lead to root-level OS command execution. CVE-2025-40602 is now on CISA’s KEV list and being actively exploited in the wild for unauthenticated RCE when chained with CVE-2025-23006 (CVSS 9.8, EPSS 98th pctl), published in January 2025 and covered in our January 2025 Threat Report. However, CVE-2025-40602 can be exploited on its own with local account access.

No detailed attack tutorials or PoC exploits are publicly available for either CVE. This may indicate that ongoing attacks are conducted by nation-state threat actors or other APT groups. The OPENVAS ENTERPRISE FEED includes remote banner checks for both CVEs described above [1][2]. SMA 1000 Series appliances (6200, 6210, 7200, 7210, 8000v, 8200v) versions 12.4.3-03093 and prior and versions 12.5.x through 12.5.0-02002 are impacted.

CVE-2025-14733: WatchGuard VPNs Actively Exploited Again

CVE-2025-14733 (CVSS 9.8, EPSS 97th pctl) is an unauthenticated RCE flaw affecting WatchGuard Firebox mobile user VPNs and branch office VPNs with IKEv2 when configured with a dynamic gateway peer. The root cause is an out-of-bounds memory write in the iked IKEv2 daemon, which is responsible for managing VPN sessions. According to the vendor’s own threat report, attackers have exfiltrated configuration files and the user database from compromised VPN devices [TA0010].

The CVE has been added to CISA’s KEV database, but no proof-of-concept or detailed technical write-ups are available yet. The Shadowserver Foundation reports more than 100,000 affected devices exposed on the internet. A similar out-of-bounds write flaw in WatchGuard VPNs, CVE-2025-9242 (CVSS 9.8), has been exploited in the wild since September 2025.

Greenbone’s OPENVAS ENTERPRISE FEED includes remote checks for both CVEs referenced above [1][2], allowing defenders to quickly identify affected devices. See the vendor’s official advisory for more information including specific affected versions and configuration requirements for exploitation, mitigation steps, and indicators of compromise (IoC).

Array Networks AG Series VPNs Exploited for RCE

CVE-2025-66644 (CVSS 9.8, EPSS 86th pctl) is an unauthorized command injection flaw [CWE-78] in Array Networks ArrayOS AG Series VPNs with the DesktopDirect remote access feature enabled. According to a report published in early December 2025, CVE-2025-66644 has been actively exploited against entities in Japan since at least August. The attack chain has included installing PHP webshells [T1505.003] and creating rogue users [T1136] for persistence.

The CVE has been added to CISA’s KEV list. However, no public PoC exploit is available. Greenbone includes a remote banner check to detect vulnerable devices. For mitigation, the vendor instructs users to upgrade to ArrayOS version 9.4.5.9 or later.

Ivanti Patches New Vulnerabilities in Endpoint Manager (EPM)

Four new risky CVEs affecting Ivanti Endpoint Manager (EPM) were published and patched in December 2025. Active exploitation is not yet reported, and none of the flaws triggered high EPSS scores. Users should upgrade to Ivanti Endpoint Manager 2024 SU4 SR1 and ensure that EPM is not internet-facing. The OPENVAS ENTERPRISE FEED includes remote detection for all four new Ivanti vulnerabilities. See Ivanti’s official advisory for more information.

The four new CVEs are briefly described below.

  • CVE-2025-13659 (CVSS 8.8) allows unauthenticated arbitrary file write on the server, potentially leading to remote code execution, due to improper control of dynamically managed code resources [CWE-913].
  • CVE-2025-13662 (CVSS 7.8) enables unauthenticated code execution via improper signature verification in the patch management process [CWE-347].
  • CVE-2025-13661 (CVSS 8.0) is an authenticated path traversal flaw [CWE-22] enabling arbitrary file writes.
  • CVE-2025-10573 (CVSS 6.1) is a stored XSS flaw [CWE-79] enabling unauthenticated JavaScript execution in an admin session in Ivanti Endpoint Manager Core and remote consoles.

Update: New CVEs Add to Social Engineering Risks

Social engineering is a prominent attack chain used by adversaries. Using deceptive context to trick users into clicking on links and files [T1566] has proven to be a highly effective means for gaining unauthorized access and even RCE. Here are some emerging threats on the social engineering landscape that defenders should mitigate:

New High Risk 7-Zip Flaw Has Public PoC

CVE-2025-11001 (CVSS 7.8) is a path traversal flaw [CWE-22] in the 7-Zip application for Windows caused by insecure handling of Linux-style symbolic links in .zip files. A maliciously crafted .zip archive can potentially allow RCE by placing files into sensitive directories [T1574], or enable other attacks such as placing malware in visible locations on the victim’s system, hoping the user executes them [T1204.002]. On Windows, exploitation depends on the local user having the SeCreateSymbolicLinkPrivilege permission or other configurations such as Developer Mode, or running 7-Zip as admin.

CVE-2025-11001 has not been added to CISA’s KEV list, but the UK’s NHS has reported a public PoC exploit [1]. Multiple national CERT agencies have issued alerts globally [2][3][4][5][6][7][8]. CVE-2025-11002 is often cited alongside CVE-2025-11001, but officially remains in RESERVED status. CVE-2025-11001 was patched in 7-Zip version 25.00. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for the 7-Zip Windows application and other platforms that include vulnerable versions of 7-Zip.

CISA Adds New WinRAR Flaw to Actively Exploited List

CVE-2025-6218 (CVSS 7.8) is a directory traversal flaw [CWE-22] affecting WinRAR versions 7.11 and earlier. Similar to CVE-2025-11001 described above, attackers who trick a victim into opening a malicious archive file could write files into sensitive locations on the target system, potentially leading to a malware infection. In August 2025, another WinRAR flaw, CVE-2025-8088 (CVSS 8.8), was being exploited in espionage campaigns.

Multiple technical analyses of CVE-2025-6218 are available [1][2]. China’s 360 threat intel has attributed attacks to the APT-C-08 group (aka BITTER, Manlinghua, T-APT-17). The group is an Advanced Persistent Threat (APT) active since 2013, and is known to target government, energy, military, and defence-industrial entities in South Asia [3][4]. On December 9th, 2025, CISA added CVE-2025-6218 to its KEV list and numerous national CERT alerts have been issued, going back to the CVE’s time of initial disclosure [5][6][7][8][9][10][11].

The OPENVAS ENTERPRISE FEED includes an authenticated security check to detect the presence of vulnerable WinRAR applications on Windows endpoints. Users are advised to upgrade to the latest version of WinRAR for Windows.
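Both the 7-Zip and WinRAR items above describe the same archive-traversal class: an entry whose path, or whose symlink target, resolves outside the extraction directory. The following pre-extraction audit is an added example, not Greenbone feed code or either vendor's code; it uses Python's standard zipfile module (so it covers .zip, not RAR), and the sample archive it builds is constructed here with the three risky patterns (a "../" entry, a symlink pointing outside the root, and a file written through that symlink).

```python
import io
import posixpath
import stat
import zipfile

def _escapes(path: str) -> bool:
    """True if a path would resolve outside the extraction directory."""
    norm = posixpath.normpath(path)
    drive = len(path) > 1 and path[1] == ":"  # Windows drive-letter prefix
    return posixpath.isabs(path) or drive or norm == ".." or norm.startswith("../")

def audit_zip(data: bytes) -> list:
    """Return (entry_name, reason) findings for an in-memory .zip archive."""
    findings, symlinks = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if _escapes(name):
                findings.append((name, "entry path escapes extraction root"))
                continue
            # Unix mode bits sit in the high 16 bits of external_attr; a symlink
            # entry stores its link target as the entry content.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.join(posixpath.dirname(name), target)
                if _escapes(target) or _escapes(resolved):
                    findings.append((name, f"symlink target escapes root: {target}"))
                symlinks.add(posixpath.normpath(name))
                continue
            # A later entry under an earlier symlink is written through that link.
            parts = posixpath.normpath(name).split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in symlinks:
                    findings.append((name, f"written through symlink {prefix}"))
                    break
    return findings

def build_sample() -> bytes:
    """Constructed test archive: one benign file plus the three risky patterns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign")
        zf.writestr("../startup.cmd", "traversal entry")
        link = zipfile.ZipInfo("link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16  # flag entry as symlink
        zf.writestr(link, "../../")
        zf.writestr("link/payload.txt", "written through the link")
    return buf.getvalue()
```

Running audit_zip(build_sample()) reports the three risky entries and passes readme.txt; an archive with any finding should be rejected before it reaches an extractor.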

CVE-2025-66516: New Guidance for Critical Apache Tika Vulnerability

CVE-2025-66516 (CVSS 9.8) is a new maximum severity CVE affecting Apache Tika, an open-source content analysis and extraction toolkit. The application is commonly used within search, ETL and indexing pipelines, Data Loss Prevention (DLP) and compliance scanning, and in AI RAG systems to convert encoded documents (such as .pdf and .docx) into plaintext and metadata.

CVE-2025-66516 allows any attacker who can submit a maliciously crafted XFA-enabled PDF to the Apache Tika processor to trigger an XML External Entity injection [CWE-611]. Exploitation enables file disclosure, SSRF, and DoS due to unsafe external entity handling during XFA XML parsing.

CVE-2025-66516 is considered an extension of CVE-2025-54988 (CVSS 8.4), published in August 2025. CVE-2025-54988 didn’t correctly describe the affected components; users who upgraded the tika-parser-pdf-module but didn’t upgrade tika-core are still vulnerable. Patching requires upgrading the full dependency chain to a fixed version.

Although reports do not indicate active exploitation or ransomware use, a public PoC exploit is available. The vulnerability is high-risk due to Tika’s widespread use in automated document-processing pipelines. Belgium’s CERT.be and Korea’s KRCERT have issued alerts. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for CVE-2025-66516, including affected upstream enterprise SaaS products from Atlassian, Elastic, and more.
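Until the full Tika dependency chain is upgraded, a document-ingestion gate can quarantine the pattern described above: XFA XML inside a PDF that declares SYSTEM or PUBLIC entities. The check below is an added example, neither Tika's nor Greenbone's code; it inflates FlateDecode streams with the standard zlib module, and the minimal sample PDF and its placeholder entity URI are constructed here as assumptions.

```python
import re
import zlib

# Heuristics for the XFA XXE pattern: an external-entity DTD inside XFA XML.
_STREAM = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
_EXT_ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s*)?\S+\s+(?:SYSTEM|PUBLIC)\b[^>]*>", re.I)
_XFA_XML = re.compile(rb"<xdp:xdp\b|<template\b", re.I)

def _decode(dictionary: bytes, body: bytes) -> bytes:
    """Inflate FlateDecode streams; other filters are returned untouched."""
    if b"/FlateDecode" not in dictionary:
        return body
    try:
        # decompressobj tolerates a trailing byte clipped by the stream regex
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""

def scan_pdf_for_xfa_xxe(pdf: bytes) -> dict:
    """Flag a PDF whose XFA XML declares SYSTEM/PUBLIC (external) entities."""
    has_xfa = b"/XFA" in pdf
    entities = []
    for m in _STREAM.finditer(pdf):
        text = _decode(m.group(1), m.group(2))
        if has_xfa or _XFA_XML.search(text):
            entities += [e.group(0).decode("latin-1") for e in _EXT_ENTITY.finditer(text)]
    return {"xfa": has_xfa, "external_entities": entities, "suspicious": bool(entities)}

def build_sample_pdf() -> bytes:
    """Constructed minimal PDF whose XFA stream declares one external entity."""
    xml = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE xdp [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template>&ext;</template></xdp:xdp>')
    body = zlib.compress(xml)
    return (b"%PDF-1.7\n1 0 obj<</Type/Catalog/AcroForm 2 0 R>>endobj\n"
            b"2 0 obj<</XFA 3 0 R>>endobj\n"
            b"3 0 obj<</Length " + str(len(body)).encode() + b"/Filter/FlateDecode>>stream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")
```

This is a quarantine heuristic for the pipeline's intake, not a substitute for the upgrade: documents it flags should be held for review rather than passed to an unpatched parser.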

Summary

In December 2025, critical CVEs landed throughout the holidays, driving emergency patching and rapid triage for defenders. This report covers new actively exploited vulnerabilities, including MongoBleed, a SmarterMail unauthenticated RCE, OSGeo GeoServer, and trending attacks against edge devices such as those from Fortinet, SonicWall, WatchGuard, and more. Defenders seeking to harden their IT infrastructure can try OPENVAS BASIC for free, including a two-week free trial of the OPENVAS ENTERPRISE FEED.
