Just over 4,100 new CVEs emerged in October 2025, representing new attack surfaces and placing pressure on defenders to identify and patch. For operational resilience, organizations need to scan their IT infrastructure often and prioritize mitigation efforts.

A free trial of Greenbone’s OPENVAS BASIC lets defenders scan their enterprise IT estate and stay on top of emerging threats. The trial includes access to Greenbone’s OPENVAS ENTERPRISE FEED, delivering industry-leading coverage for CVEs and other IT security vulnerabilities. This month’s threat report will cover some of the most critical new vulnerabilities being actively exploited, and emerging high-risk CVEs with widespread exposure.

Oracle EBS Exploited in Two Separate Ransomware Campaigns

CVE-2025-61882 (CVSS 9.8, EPSS ~99th pctl) is an unauthenticated remote code execution (RCE) flaw in Oracle E-Business Suite (EBS), actively exploited since at least August 9, 2025 [1][2]. The CVE is being used in mass exploitation campaigns for data-theft and extortion by the Cl0p ransomware [S0611] operator. Public PoC exploits appeared in early October and a detailed technical analysis is available.

Besides CVE-2025-61882, CVE-2025-61884 (CVSS 7.5, EPSS ~93rd pctl), a Server-Side Request Forgery (SSRF) flaw [CWE-918], also in Oracle EBS, was actively exploited in October 2025. CVE-2025-61884 was added to CISA KEV and has been used to deploy ransomware [T1486]. Attacks leveraging CVE-2025-61882 reportedly used data theft for extortion. However, attacks exploiting CVE-2025-61884 have used file encryption for ransom impact.

Both CVEs received alerts from numerous national CERT entities globally [3][4][5][6][7][8][9][10]. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and remote version check for CVE-2025-61882, and a remote version check for CVE-2025-61884 allowing defenders to identify vulnerable assets. According to Oracle’s official advisories [11][12], versions 12.2.3 to 12.2.14 of EBS are affected.

Smartbedded Meteobridge Now Actively Exploited Via CVE-2025-4008

CVE-2025-4008 (CVSS 8.8, ~97th pctl), published on May 13, 2025, is a remote unauthenticated command injection vulnerability [CWE-77] in Smartbedded Meteobridge, now actively exploited. The flaw resides in the template.cgi script of the Meteobridge web interface, which insecurely implements eval() calls. Exploitation allows attackers to execute arbitrary commands with root privileges on affected devices. Smartbedded Meteobridge is a gateway that connects personal weather stations to public networks. Shodan reveals roughly 70–130 devices exposed on the public internet.

A proof-of-concept (PoC) exploit and full technical write-up were published by ONEKEY, which discovered the flaw during firmware analysis. While the vendor’s official advisory claims that Internet exposure is a “precondition for exploiting any security vulnerability”, insider attacks can also present high risk to organizations. Greenbone is able to detect vulnerable instances of Smartbedded Meteobridge with an active check and remote version check. Users should upgrade to version 6.2 or later.

RediShell: A 13-Year-Old Lua Flaw Allows RCE in Redis

CVE-2025-49844 (CVSS 9.9, EPSS ~90th pctl) allows authenticated RCE on all unpatched Redis instances with Lua scripting enabled. The flaw, nicknamed RediShell, is caused by a use-after-free vulnerability [CWE-416] in the Lua garbage collector. Lua scripting is enabled by default, often with authentication disabled, increasing the risk of weak configuration.

Redis is prevalent in cloud environments and has been a hot target for cryptomining [T1496] and ransomware [T1486] leveraging P2PInfect, Redigo, HeadCrab, and Migo malware. A PoC exploit for CVE-2025-49844 confirms exploitability, along with two additional Lua engine flaws:

• CVE-2025-46817 (CVSS 9.8, EPSS ~96th pctl): an Integer Overflow [CWE-190] in the unpack()
• CVE-2025-46818 (CVSS 7.3, EPSS ~88th pctl): a code injection flaw [CWE-94] that allows an attacker to execute Lua scripts with the context of another user.

Multiple national security alerts have been issued for the CVEs [1][2][3][4][5][6]. OPENVAS ENTERPRISE FEED includes authenticated security checks to identify exposure across many Linux environments. Redis has issued a patch and additional mitigations can be found in the vendor’s official advisory.

Emergency Out-of-Band Patch for Windows Server Update Service and More Microsoft Risks Emerge

Microsoft’s October security update disclosed a total of 201 new CVEs. Two were flagged as “Exploitation Detected” and 14 as “Exploitation more likely”. In addition to these disclosures, an emergency alert was issued by CISA for CVE-2025-59287, affecting the Windows Server Update Service (WSUS). Here are brief descriptions of the most high-risk emerging threats to Microsoft products:

• CVE-2025-59287 (CVSS 9.8, EPSS ~70th pctl): A flaw in WSUS allows unauthorized RCE when untrusted data is deserialized [CWE-502]. Numerous national CERT alerts have been published, many referencing a public PoC exploit [1][2][3][4][5][6][7][8][9]. Microsoft’s official advisory also acknowledges a PoC exploit exists.
• CVE-2025-33073 (CVSS 8.8, EPSS ~97th pctl): A Windows SMB vulnerability allows an authorized attacker to remotely achieve privilege escalation [CWE-284] to SYSTEM level. The flaw was added to CISA KEV.
• CVE-2025-59230 (CVSS 7.8, EPSS ~95 pctl): An elevation of privilege vulnerability [CWE-284] in the Windows Remote Access Connection Manager has been added to CISA KEV.
• CVE-2025-24990 (CVSS 7.8, EPSS ~91st pctl): The end-of-life (EOL) third party Agere Modem driver in Microsoft Windows is now considered actively exploited. The flaw is due to an untrusted pointer dereference [CWE-822] which can lead to arbitrary code execution.
• CVE-2025-55315 (CVSS 9.9): A security feature bypass vulnerability in NET Core can lead to HTTP request smuggling [CWE-444]. An authenticated attacker could exploit the flaw to bypass front-end security controls, hijack user sessions, perform request-forgery attacks. A technical description is available increasing the risk. See the official security advisory for affected versions and patches.
• CVE-2025-59502 (CVSS 7.5, EPSS ~81 pctl): An unauthorized attacker can remotely induce uncontrolled resource consumption [CWE-400] in Windows Remote Procedure Call (RPC) resulting in Denial of Service (DoS). Microsoft classifies the CVE as “Exploitation More Likely”.
• CVE-2025-47827 (CVSS 4.6): Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature [CWE-324]. The flaw allows a malicious root filesystem to be mounted from an unverified SquashFS image. Even though the vulnerability arises in IGEL OS, the attack chain has implications for Windows/UEFI systems. Microsoft has flagged this flaw as actively exploited and a technical description with PoC exploit is available.

Greenbone provides robust detection for Microsoft’s recent security updates. The OPENVAS ENTERPRISE FEED includes detection for 156 (78%) of the 201 newly disclosed CVEs affecting Microsoft products.

Defenders Still “Living On the Edge”: Constant Flow of Perimeter Device Flaws

Greenbone’s June 2024 Threat Report first began tracking high-risk vulnerabilities in perimeter network devices. Since then, edge vulnerabilities have continued to surface without abate. In this section, we will review emerging threats to devices meant to protect internal networks from attacks.

F5 Hack: Multiple New Vulnerabilities in F5 Products Disclosed

In October 2025, F5 claimed a “highly sophisticated nation-state” adversary had long-term, persistent access to internal systems, indicating dwell time of at least 12 months. The attackers stole BIG-IP source code and internal vulnerability information. The data theft prompted an urgent publication of CVEs triaged in the F5 vulnerability pipeline.

In total, 44 new CVEs were published for F5 products in October 2025, several were subject of national CERT alerts [1][2][3][4][5][6][7][8][9][10]. Active exploitation has not been reported and no PoC exploits have been published. However, F5 vulnerabilities are often used in ransomware attacks. In response, Greenbone added new security tests for F5 devices, covering 32 (73%) of the 44 new CVEs.

Fresh CVEs in Ivanti Products for Defenders to Patch

Trend Micro’s Zero Day Initiative (ZDI) publicly disclosed 14 unpatched vulnerabilities in Ivanti Endpoint Manager (EPM) after months of unsuccessful coordination with Ivanti. According to reports, Ivanti requested six months to address the flaws. ZDI’s disclosure effectively exposed these flaws as “zero-day” vulnerabilities, meaning attackers could now exploit them before patches are available.

Greenbone is able to detect all of ZDI’s newly disclosed CVEs and Ivanti CVEs disclosed by other security researchers. Greenbone’s OPENVAS ENTERPRISE FEED includes detection tests for all 17 Ivanti CVEs disclosed in October 2025.

Fortinet’s Products Exposed to 32 New CVEs in October

In total, 32 CVEs were published for Fortinet products in October 2025. However, only 17 of these are listed on the vendor’s official advisory page. Greenbone added checks for 21 of the 32 new CVEs, providing high detection coverage for defenders using Fortinet devices. Fortinet has 20 CVEs listed in CISA’s KEV catalog; 13 of these are associated with ransomware attacks indicating high risk for customers.

Critical Unauthenticated RCE in WatchGuard Fireware OS

CVE-2025-9242 (CVSS 9.3, EPSS ~90th pctl) affecting WatchGuard Fireware OS allows unauthenticated RCE. Fireware OS supports the vendor’s firewalls, VPN gateways, policy enforcement and intrusion prevention systems (IPS). Watchtowr security researchers have published a technical description and PoC exploit increasing the risk.

Several alerts have been issued from government agencies regarding CVE-2025-9242 [1][2][3]. The OPENVAS ENTERPRISE FEED includes a remote version check to identify affected appliances. Users should update to version 12.3.1_Update3, 12.5.13, 12.11.4, 2025.1.1 or later and review the vendor’s official advisory for more information.

CVE-2025-59978: Junos Space Flaw Lets Authenticated Attackers Inject Malicious Scripts

CVE-2025-59978 (CVSS 9.0) is a stored XSS flaw [CWE-79] in Juniper Networks’ Junos Space. Junos Space is a network‑management and orchestration that provides centralized management of Juniper’s routers, switches and security devices. The vulnerability lets a low-privileged authenticated attacker inject JavaScript <script> tags which execute with a viewing admin’s privileges. No active exploitation or public PoCs are yet known. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote version check to identify vulnerable instances.  All Junos Space versions before 24.1R4 are affected. See the official security advisory for more information.

Local Privilege Escalation Flaw in VMware Exploited In-The-Wild

CVE-2025-41244 (CVSS 7.8), published in September 2025, is now flagged as actively exploited. Multiple sources have linked in-the-wild exploitation to UNC5174, a China-linked threat actor. The flaw is a local privilege escalation [CWE-284] when VMware Tools is managed by Aria Operations with SDMP enabled. Successful exploitation allows a local attacker to escalate privileges to root on the same VM. A technical analysis and PoC exploit are available increasing the risk.

The VMware platform has appeared on CISA KEV 26 times including this latest CVE; 8 of these entries indicate use in ransomware attacks. CERT advisories have been issued from various countries [1][2][3][4]. So far in 2025, a total of 40 CVEs have been issued across all VMware platforms. In response, Greenbone has added detection to both the OPENVAS ENTERPRISE FEED and COMMUNITY feed, covering  36 (90%) of VMware’s 2025 vulnerabilities.

To mitigate attacks, Windows users should update to VMware Tools 12.5.4 (Windows 32-bit: 12.4.9). Linux users should update to vendor-provided open-vm-tools. If you can’t patch immediately, disable SDMP and strictly limit guest access. Specific versions of VMware Aria Operations, VMware Tools, VMware Cloud Foundation, VMware Telco Cloud Platform and VMware Telco Cloud Infrastructure are affected. See the official advisory for more details.

Gladinet CentreStack Flaw Allows Machine Key Theft and RCE

CVE-2025-11371 (CVSS 9.8, EPSS 89th pctl) is an unauthenticated Local File Inclusion (LFI) flaw [CWE-552] that allows remote attackers to read arbitrary files, including the Web.config in Gladinet CentreStack and Triofox. In the wild attacks have been observed where the LFI flaw was exploited to retrieve the machine key from Web.config, then forge ASP.NET ViewState payloads. For RCE, attackers are exploiting another ViewState deserialization: CVE-2025-30406 (CVSS 9.8, EPSS ~99th pctl). A detailed technical description and attack chain analysis is publicly available.

Greenbone’s OPENVAS ENTERPRISE FEED has included detection tests for both CVEs described above since April 2025 [1][2]. CentreStack has published patches for users to prevent exploitation. According to Gladinet’s official advisory, users who can’t patch should disable the temp handler in UploadDownloadProxy’s Web.config to block the unauthenticated /storage/t.dn endpoint abused for LFI.

Zimbra Zero-Day Used to Target Brazilian Military

CVE-2025-27915 (CVSS 5.4, EPSS 97th pctl) is a stored cross-site scripting (XSS) vulnerability [CWE-79] in Zimbra Collaboration Suite (ZCS). The flaw is caused by insufficient sanitization of HTML content contained in .ICS calendar files. As a result, attackers can launch phishing attacks with malicious .ICS calendar invites [T1566.001] to execute arbitrary JavaScript within a victim’s webmail session.

The CVE has been exploited in targeted attacks against the Brazilian military and added to CISA KEV. Belgium’s CERT.be has published a security advisory. ZCS is highly targeted by threat actors; CISA KEV contains 14 CVEs; five associated with ransomware attacks [T1486]. Greenbone’s OPENVAS ENTERPRISE FEED includes remote banner check to identify vulnerable instances. The flaw affects ZCS versions 9.0, 10.0, and 10.1. Users should upgrade to the latest version and be especially cautious handling email attachments.

Critical Kentico Xperience Flaws are Actively Exploited

CVE-2025-2746 and CVE-2025-2747 (both CVSS 9.8) allow unauthenticated remote attackers to gain full administrative control of Kentico Xperience via an authentication bypass [CWE-288] flaw. Both CVEs are actively exploited. Exploitation enables attackers to manipulate or exfiltrate CMS data and deploy malicious payloads with administrative privileges.

A full technical description, and PoC exploits increase the risk of near future exploitation. Multiple national CERT advisories have been published for the new CVEs [1][2][3]. The OPENVAS ENTERPRISE FEED includes an active check for CVE-2025-2746 and an active check and remote version check for CVE-2025-2747. Versions through 13.0.172 and 13.0.178 are affected and the vendor has published hotfixes for mitigation.

New High-Severity Flaw in Zoho ManageEngine ADManager Plus

CVE-2025-10020 (CVSS 8.8, EPSS ~73rd pctl) is an authenticated command injection vulnerability [CWE-77] in the Custom Script component of ManageEngine ADManager Plus. The flaw allows attackers with low-privileged access to gain arbitrary RCE. ManageEngine is a widely used on-prem solution for system administrators, IT operations teams, and security engineers to monitor, automate, and secure IT infrastructures.

Despite no active exploitation, public technical description, or PoC exploit, ManageEngine has historically attracted attention from cyber adversaries. This makes CVE-2025-10020 high risk when combined with stolen credentials or insider attacks. The ManageEngine platform is listed on CISA KEV nine times; twice for ransomware attacks (CVE-2022-47966 and CVE-2021-40539). Updating to version 8024 is strongly recommended.

The OPENVAS ENTERPRISE FEED provides:

• A remote version check to detect servers vulnerable to CVE-2025-10020
• Detection tests for all Zoho vulnerabilities listed in CISA KEV including CVE-2022-47966 and CVE-2021-40539 used in ransomware attacks [T1486]
• Detection tests for >70% of CVEs affecting Zohocorp products from 2021 onward

Flowise Server Gives Attackers RCE and Access to Secrets

CVE-2025-61913 (CVSS 9.9) is a path traversal flaw [CWE-22] in Flowise that lets low-privileged, authenticated attackers read and write arbitrary files, potentially leading to RCE. Flowise is a drag & drop user interface and backend server for building customized large language model (LLM) applications.

CVE-2025-61913 stems from improper input validation of the file_path parameter in WriteFileTool and ReadFileTool. The flaw enables access to sensitive files such as /root/.flowise/encryption.key and /root/.flowise/database.sqlite in Docker, or /etc/passwd, /etc/shadow, and /root/.ssh/id_rsa in non-Docker setups. The vendor has published a full PoC exploit themselves, and at least one other PoC exploit exists [1]. However, in-the-wild exploitation has not been confirmed.

Several other new high-risk CVEs also impact Flowise Server:

• CVE-2025-26319 (CVSS 9.8): An unauthenticated arbitrary file upload vulnerability [CWE-22] in /api/v1/attachments. A complete technical description and PoC is available online increasing the risk.
• CVE-2025-61687 (CVSS 8.8): A file upload vulnerability [CWE-22] allows authenticated users to upload arbitrary files and persistently store malicious js web shells on the server, leading to RCE.
• CVE-2025-29192 (CVSS 6.1): Allows XSS [CWE-79] via FORM element and INPUT element when an admin views the chat log.
• CVE-2025-50538 (CVSS 6.1): Allows XSS [CWE-79] via IFRAME element when an admin views the chat log.

Germany’s BSI has issued WID-SEC alerts for all CVEs described above [2][3][4][5]. The OPENVAS ENTERPRISE FEED includes two remote version detection checks which address all aforementioned CVEs affecting Flowise [6][7][8]. Users should update to version 3.0.8 or later and disable ALLOW_BUILTIN_DEP during installation. See the vendor’s official advisory for more information.

CVE-2025-37729: Critical RCE Vulnerability in Elastic Cloud Enterprise

CVE-2025-37729 (CVSS 9.1) affecting Elastic Cloud Enterprise (ECE) allows RCE to authenticated attackers with admin privileges. Exploitation could allow exfiltration of sensitive data due to improper handling of Jinjava template expressions. The vulnerability poses a significant insider threat, particularly in hybrid and multi-cloud environments where ECE is deployed. Spain’s INCIBE CERT has issued a security alert. Greenbone’s OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable instances. According to the vendor’s official advisory, versions 2.5.0 through 3.8.1 and 4.0.0 through 4.0.1 are affected.

Summary

The October 2025 Threat Report only scratches the surface of new software flaws emerging in the past month—and OPENVAS SECURITY INTELLIGENCE’s ability to detect them. October 2025 saw 4,100 new CVEs and novel cyber attack campaigns leveraging both fresh vulnerabilities and already known ones. This past month, high-impact flaws drove ransomware, data-theft, and operational downtime leading to attempts at corporate extortion and lost revenue. Greenbone’s OPENVAS BASIC free trial plus the OPENVAS ENTERPRISE FEED include detection modules for many emerging and legacy CVEs, helping security teams find, triage, and fix vulnerable IT assets.

Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; no CVE assignment, no acknowledgment from Fortinet. Security researchers recently noted that Fortinet seems to have silently patched the flaw without notifying users beforehand.

The issue finally hit the mainstream on November 13th, when watchTowr Labs posted a full proof-of-concept (PoC) exploit. One day later, the vulnerability was assigned an ID: CVE-2025-64446 (CVSS 9.8, EPSS 97th pctl) is now officially recognized as an actively exploited, critical severity issue in Fortinet FortiWeb. The flaw allows attackers to create rogue admin accounts and execute administrative actions.

Fortinet officially classifies CVE-2025-64446 as a Relative Path Traversal issue [CWE-23]. However, it should also be considered an Authentication Bypass Using an Alternate Path flaw [CWE-288], since URL manipulation allows attackers to access a legacy Common Gateway Interface (CGI) processor, which does not implement proper authentication. Users should consult Fortinet’s official advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw.

A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.

How the Exploit against CVE-2025-64446 Works

The exploit chain for CVE-2025-64446 combines two core design flaws in FortiWeb:

• A Relative Path Traversal vulnerability [CWE-23] allows unprotected URL routing between the management interface’s REST API and its CGI processor. This incorrect routing serves as an alternative path to bypass authentication.
• An Authentication Bypass Using an Alternate Path flaw [CWE-288] in the CGI processor does not perform proper authentication for data provided via a connecting client’s CGIINFO HTTP header.

watchTowr’s Python-based PoC demonstrates how attackers can circumvent FortiWeb’s intended API to  abuse the legacy CGI processor to create unauthorized admin accounts on the device. Here is how the exploit works:

1. Attackers can communicate with FortiWeb management port over HTTPS (port 443) with certificate validation disabled to avoid hang-ups with self-signed, outdated, or otherwise invalid certificates.
2. Unpatched FortiWeb appliances do not properly sanitize the URI before applying authorization rules. Unauthenticated users can achieve path traversal by starting their request URL with https://api/v2.0/… while also traversing via ../../../../../ to cgi-bin/fwbcgi.
3. Source code analysis revealed that FortiWeb’s legacy CGI backend includes a function named cgi_auth(), that blindly trusts any authorization claims provided in the CGIINFO header if the username matches any existing user; including the built-in admin user. This means an unauthenticated attacker can spoof the admin user to gain elevated permissions.
4. FortiWeb’s CGI processor then processes the rest of the request body with full administrative permissions.
5. The attacker can submit a malicious JSON object that instructs the system to create a new administrator account with an arbitrary, attacker-controlled username and password to take full control of the device.

How to Mitigate the Emerging Fortinet Vulnerability

FortiWeb users should consult Fortinet’s advisory, conduct an immediate assessment to determine their risk, and consider emergency mitigation for this flaw. The vendor also officially recommends disabling HTTP and HTTPS for internet-facing interfaces until an upgrade can be performed. If a FortiWeb HTTP/HTTPS Management interface is only accessible from internal network endpoints, the risk is reduced.

Organizations running unpatched versions of FortiWeb should consider this a critical priority issue. The following versions of FortiWeb are affected:

• FortiWeb 8.0.0 through 8.0.1
• FortiWeb 7.6.0 through 7.6.4
• FortiWeb 7.4.0 through 7.4.9
• FortiWeb 7.2.0 through 7.2.11
• FortiWeb 7.0.0 through 7.0.11
• FortiWeb 6.4 through 6.4.3 (disclosed by watchTowr Labs [1])
• FortiWeb 6.3 through 6.3.23 (disclosed by watchTowr Labs)

It’s important to note that Fortinet’s list of affected products is less comprehensive than the one provided by third-party security researchers. The EU’s Cyber Resilience Act (CRA) comes into effect in late 2026, bringing a new measure of legal accountability to software vendors that issue untimely or inaccurate security information to their users. The CRA will require software vendors to report known vulnerabilities and known exploits to ENISA within 24 hours.

Greenbone’s OPENVAS ENTERPRISE FEED Has Got You Covered

Greenbone’s vulnerability test development team assessed this emerging FortiWeb flaw before it was published as a CVE. A version check [1] and active check [2] are now available in the  OPENVAS ENTERPRISE FEED. These detection tests include both version-based checks and active checks that interact with appliances over HTTP to detect vulnerability to the flaw. This dual-layer approach ensures that organizations can reliably identify vulnerable FortiWeb instances.

As new details emerge, Greenbone will refine and expand coverage to ensure that customers can identify affected instances. A free trial of Greenbone’s OPENVAS BASIC is available for defenders to scan their enterprise IT infrastructure for emerging threats such as CVE-2025-64446 in Fortinet’s FortiWeb appliances.

On September 25, 2025, three new CVEs affecting Cisco networking products exploded onto the global cyber security landscape. Two of these were actively exploited as zero-days prior to their disclosure. Greenbone now includes detection tests for all three new high-risk CVEs in the OPENVAS ENTERPRISE FEED.

CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) affect the VPN web server of the Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) platforms. The VPN web server enables remote devices to access an internal network via SSL/TLS-based VPN. These two CVEs can be chained for full system takeover of unpatched devices. Furthermore, they are reportedly leveraged in ArcaneDoor espionage campaigns. Also, CVE-2025-20363 (CVSS 9.0), while not tagged as actively exploited, has been bundled into most national security advisories addressing the first two flaws. The latter affects an extended list of products: Cisco ASA and FTD, as well as Cisco IOS, IOS XE, and IOS XR under certain configurations.

Greenbone’s OPENVAS ENTERPRISE FEED includes detection checks for each new high-risk CVE [1][2][3][4][5][6][7][8][9]. You can start a free trial to scan your IT environment for these and other cybersecurity vulnerabilities. Below, we discuss aspects of this ongoing situation, including the attack campaign, a brief technical description of the three flaws, and mitigation guidance.

Campaigns Exploiting Cisco ASA 5500-X Devices

CVE-2025-20333 and CVE-2025-20362 were actively exploited as zero-days targeting Cisco ASA 5500-X series devices without Secure Boot. Chained, they give unauthenticated attackers full control of the breached device. Known campaigns leveraging these flaws have deployed RayInitiator and LINE VIPER to achieve persistence [TA0003], execute commands remotely [TA0011], and exfiltrate data [TA0010]. These attacks are attributed to the ArcaneDoor cyber-espionage campaign, which has targeted perimeter network devices since early 2024 and are considered highly sophisticated. Advanced techniques used in the attacks include:

• Low-level ROMMON (ROM Monitor) tampering [004] and Pre-OS bootkit [T1542.003] for covert persistence between reboots
• Command-line interface (CLI) interception [008]
• Disabling system logging [001]
• Network packet capture [T1040]
• Bypassing AAA network-device authentication and authorization protocols [004]

No public PoC exploits are available, but CISA and Cisco have confirmed that CVE-2025-20333 and CVE-2025-20362 are already exploited in-the-wild [1][2]. While attacks leveraging CVE-2025-20363 have not been confirmed, the CVE is included in many national CERT advisories covering the first two CVEs [3][4][5][6][7][8][9][10]. Supplemental guidance includes malware analysis from the UK’s NCSC [11] and IoC hunt instructions from CISA [12].

Technical Analysis of New Critical-Risk Cisco CVEs

All three CVEs are caused by improper validation of user-supplied input in HTTPS requests [CWE-20]. When combined, CVE-2025-20333 and CVE-2025-20362 allow attackers to execute arbitrary code as root on the victim’s system. CVE-2025-20333 is the culprit for allowing RCE, but requires valid VPN credentials. CVE-2025-20362 provides authentication bypass. CVE-2025-20363 also allows unauthenticated access to restricted URLs, but across a wider scope of products including: Cisco ASA and FTD software, as well as Cisco IOS, IOS XE, and IOS XR, under certain configurations.

Here is a brief description of each vulnerability:

• CVE-2025-20333 (CVSS 9.9): Crafted HTTPS requests to the VPN web server can lead to arbitrary RCE as root on the VPN web server for Cisco ASA and FTD devices. The flaw is classified as a Buffer Overflow [CWE-122] that requires valid VPN user credentials for exploitation.
• CVE-2025-20362 (CVSS 6.5): Unauthenticated attackers achieve authentication bypass to reach restricted URL endpoints on the VPN web server for Cisco ASA and FTD devices. The flaw is due to missing authorization [CWE-862] for sensitive HTTP paths.
• CVE-2025-20363 (CVSS 9.0): Unauthenticated RCE as root on the VPN web server of Cisco ASA and FTD devices. Low-privilege authenticated attackers may achieve RCE as root on Cisco IOS, Cisco IOS XE, and Cisco IOS XR software. The flaw is a heap-based buffer overflow [CWE-122] caused by improper validation of user-supplied input in HTTP requests.

Mitigation Instructions for Impacted Devices

CISA has issued an Emergency Directive for all federal agencies to immediately remediate the ongoing threat. Users of these products should immediately begin to identify, analyze, and mitigate affected products to protect their operations. For analysis, users should follow CISA’s Core Dump and Hunt Instructions and Cisco’s official Detection Guide.

If a breach is identified, compromised devices should be disconnected but not powered off, and Incident Response Plans (IRP) and eviction processes should be activated. Victims should notify the relevant regional authorities and submit their core dump(s) for analysis. Malware analysis for RayInitiator and LINE VIPER has been published from the UK’s NCSC [1]. Cisco’s official advisories can be consulted for more detailed information [2][3][4]. Platforms vulnerable to CVE-2025-20333 and CVE-2025-20362 include:

ASA hardware, ASA-Service Module (ASA-SM), ASA Virtual (ASAv), and ASA firmware on Firepower 2100/4100/9300. Affected Cisco ASA software versions are:

• 12 – < 9.12.4.72
• 14 – < 9.14.4.28
• 16 – < 9.16.4.85
• 17 – < 9.17.1.45
• 18 – < 9.18.4.67
• 19 – < 9.19.1.42
• 20 – < 9.20.4.10
• 22 – < 9.22.2.14
• 23 – < 9.23.1.19

Cisco FTD appliances with software versions:

• 0 – < 7.0.8.1
• 1 – all versions
• 2 – < 7.2.10.2
• 3 – all versions
• 4 – < 7.4.2.4
• 6 – < 7.6.2.1
• 7 – < 7.7.10.1

CVE-2025-20363 affects the aforementioned ASA and FTD products and all releases of Cisco IOS, Cisco IOS XE with Remote Access SSL VPN enabled and Cisco IOS XR Software versions 6.8 and 6.9 (32-bit on ASR 9001) with the HTTP server enabled. Cisco NX-OS Software, 64-bit IOS XR, IOS/IOS XE without SSL VPN enabled, and ASA/FTD without WebVPN/SSL VPN features configured are not affected.

Summary

The coordinated disclosure of CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363 has triggered a global security response. Combined, the CVEs have potential for full system compromise of Cisco ASA and FTD devices as well as devices using Cisco IOS, IOS XE, and IOS XR software with certain configurations. An ongoing ArcaneDoor espionage campaign has been identified leveraging CVE-2025-20333 and CVE-2025-20362 against legacy ASA 5500-X devices.

Security agencies, including CISA and national CERTs, have issued urgent mitigation guidance, stressing immediate patching, forensic investigation, and IRP activation. Greenbone has released detection checks for all three vulnerabilities in the OPENVAS ENTERPRISE FEED to help organizations rapidly identify and remediate exposure. Start a free trial today to scan your IT environment for these and other cybersecurity risks.

CVE-2025-10035 (CVSS 10.0) is a new critical severity vulnerability in Fortra GoAnywhere MFT (Managed File Transfer). This maximum-risk CVE could provide attackers with unauthenticated remote command execution (RCE). Greenbone can detect vulnerable systems and all users should patch with urgency. 

GoAnywhere MFT is a centralized Managed File Transfer (MFT) platform enabling file exchanges between business partners, customers, and within an organization. The application also provides auditing and compliance reporting.

The root cause of this CVE is a deserialization flaw [CWE-502] in Fortra GoAnywhere MFT’s License Servlet that allows attackers to forge a license response signature to inject and execute arbitrary commands [CWE-77]. Although in-the-wild exploitation has not been confirmed, Fortra GoAnywhere has been a hot target for ransomware attacks in the past. In 2023, CVE-2023-0669 (CVSS 7.2) was targeted by Clop ransomware operator, resulting in multiple high-profile breaches. No public PoCs for CVE-2025-10035 are available yet, but a detailed technical analysis is. However, this technical analysis does not include a complete exploit chain – some exploit chain details remain unconfirmed.

CVE-2025-10035 has prompted national CERT alerts from Canada’s Canadian Centre for Cyber Security [1], the Netherlands’ NCSC-NL [2], and India’s CERT-In [3]. Also, Germany’s BSI assigned an alert [WID-SEC-2025-2090], and a CVSS Temporal score of 8.7, reflecting an unverified exploitation status (E:U), availability of official remediation (RL:O), and strong confidence in the report (RC:C).

A remote version check was swiftly added to Greenbone’s OPENVAS ENTERPRISE FEED, allowing defenders to identify vulnerable instances of Fortra GoAnywhere MFT.

Risk Assessment for CVE-2025-10035 in Fortra GoAnywhere

Going simply by the CVSS 10 rating, the risk posed by CVE-2025-10035 is extremely high if GoAnywhere’s Admin Console is exposed to the Internet. According to the analysis, attack complexity is considered low, no user interaction is required, and exploitation could result in complete system takeover.

However, public exposure is not a prerequisite for exploitation. Instances on a private network could also be exploited via so-called “malicious insider” threats or trusted third-parties [T1199]. Verizon’s 2025 DBIR (Data Breach Investigations Report) identifies Privilege Misuse (described as nefarious schemes from insider threats) as the primary root cause of 8% of breaches studied from 2024. This is a surprising figure, which erodes the belief that only public-facing vulnerabilities pose a primary threat to cyber resilience.

Technical Analysis of CVE-2025-10035 in Fortra GoAnywhere

GoAnywhere’s License Servlet is used for activating the GoAnywhere MFT license bundle as part of the setup, renewal, and migration processes. The License Servlet involves Java deserialization of the encoded “SignedObject”. In the case of CVE-2025-10035, this deserialization process could reportedly lead to RCE.

Analysis from Watchtowr evidences a pre-authentication flaw that returns an auth token via the Unlicensed.xhtml page, even when an instance has already been licensed. A malformed HTTP GET request to the route such as /goanywhere/license/Unlicensed.xhtml/x? erroneously creates a valid license-request token and returns it encrypted within a bundled data object. This occurs because the error handler function, AdminErrorHandlerServlet, internally generates a valid license-request token, associates it with the unauthenticated session, and returns it to the user within the aforementioned serialized data object. This data bundle is encrypted with a hard-coded key, which can be decrypted offline to reveal the GUID auth token in plaintext.

Once the GUID token is recovered, unauthenticated attackers can use it to access the License Servlet endpoint POST /goanywhere/lic/accept/<GUID> … bundle=<payload> passing a malicious, serialized payload. However, the attack mechanism for deserializing the payload is yet unknown because the payload needs to be signed by Fortra’s own valid private key. Security researchers have pointed to potential mechanisms such as a stolen private key or the existence of malicious payload(s) having been mistakenly signed by Fortra’s private key.

Mitigating CVE-2025-10035 in Fortra GoAnywhere

Fortra has released a security advisory [FI-2025-012] with mitigation instructions for CVE-2025-10035. Full mitigation requires upgrading to a fixed release: either to 7.8.4 (latest) or 7.6.3 (Sustain). Temporary mitigation can be achieved by restricting Admin Console access.

Fortra also advises all users to hunt for Indicators of Compromise (IoC), namely stack trace logs indicating an error for the SignedObject.getObject. Presence of this string strongly suggests the instance has been exploited by attackers. Following best practices, affected parties may also want to provide status updates to customers and other third-party stakeholders.

Summary

CVE-2025-10035 is a CVSS 10, maximum severity deserialization flaw in GoAnywhere MFT which may allow unauthenticated RCE. In 2023 attackers leveraged another CVE in GoAnywhere MFT for widespread exploitation, and national CERTs have issued alerts, signifying high risk. The OPENVAS ENTERPRISE FEED includes a version check to detect vulnerable instances in their infrastructure. End users should identify public-facing and locally deployed instances and patch with urgency.

CVE-2025-54236 (CVSS 9.1) is an account-takeover flaw that may result in unauthenticated remote code execution (RCE) under certain conditions. Dubbed “SessionReaper”, CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source web applications. The root cause is Improper Input Validation [CWE-20] in the REST API. Adobe’s official advisory describes the issue as a security feature bypass although no further explanation is provided.

The exploit chain for CVE-2025-54236 starts with a nested deserialization vulnerability [CWE-502] and results in a malicious session for a customer account. Security researchers from Sansec claim that Remote Code Execution (RCE) is possible when file-based session storage is used and that other attack chains may also exist, such as RCE via Redis or database session storage. Blaklis is credited with the discovery and responsible disclosure of CVE-2025-54236 via the Hackerone platform.

A full technical description, PoC, or full exploit kits are not yet publicly available. However, France’s CERT-FR has issued a public advisory for the vulnerability. Greenbone’s OPENVAS ENTERPRISE FEED already includes a remote banner check to identify vulnerable systems and verify patch status.

Risk Assessment for CVE-2025-54236 (aka “SessionReaper”)

Magento Open Source (released in 2008) and its commercial counterpart Adobe Commerce are widely used e-commerce platforms. As of 2024, they power in the order of 200-250,000 live/active stores, putting Magento among the leading global e-commerce platforms. This wide usage makes it an attractive target for attackers.

Previous vulnerabilities in Magento have been leveraged in mass exploitation attacks within hours [1][2][3][4] of their disclosure. In this case, Adobe’s patch was accidentally leaked publicly, giving attackers a head start on developing exploit code. If exploited, attackers could install malware [T1105] in an attempt to covertly maintain persistent access [TA0003] to the victim’s infrastructure. This could lead to future attacks, such as stealing payment card information to make fraudulent transactions [T1657], stealing other sensitive information [TA0010], conducting phishing [T1566] attacks against customers of the website, or deploying ransomware against the victim [T1486].

Mitigating CVE-2025-54236 (aka “SessionReaper”)

CVE-2025-54236 affects Adobe Commerce, Adobe Commerce B2B, and Magento Open Source across multiple versions, as well as the Custom Attributes Serializable module on all platforms and deployment methods [1]. However, Adobe’s own knowledge base seems to provide contradictory information, stating that the Custom Attributes Serializable module versions 0.1.0 – 0.4.0 are affected, but also advises upgrading the module to version 0.4.0 or higher.

Users are advised to install the hotfix patch provided by Adobe or update to the latest version immediately to protect their online business operations and customers. Users should also conduct a thorough assessment to determine whether their instance has already been compromised and if found, remove the infection. Adobe has also released a developer guide to help users adjust to any necessary changes in the web application’s REST API. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify vulnerable systems.

Summary

CVE-2025-54236 poses a critical risk to Magento and Adobe Commerce users. For attackers, the flaw enables account takeover and potentially unauthenticated RCE on a victim’s infrastructure. Defenders should identify vulnerable systems and patch them immediately. Greenbone’s OPENVAS ENTERPRISE FEED can help to identify vulnerable web applications and verify remediation status. IT security teams should also audit their systems to detect potential breaches and remove infections if any indicators of compromise (IoC) are found.