September 2025 notable vulnerabilities and related headlines summary.
1. Google Chrome 0-Days Under Active Exploitation
Multiple high-severity zero-day vulnerabilities in Google Chrome's V8 engine (including CVE-2025-10585) were actively exploited to execute malicious code and access sensitive data. Chrome 142 and subsequent updates addressed 20 vulnerabilities, with rewards exceeding $100K paid to the researchers who reported them. These attacks continue to threaten both enterprise and consumer endpoints.
2. Critical Enterprise Software Exploited in the Wild
Zero-day and high-severity vulnerabilities in Fortra GoAnywhere MFT (CVE-2025-10035), VMware Tools/Aria, SAP NetWeaver, S/4HANA (CVE-2025-42957), Adobe Commerce/Magento, SolarWinds Web Help Desk (CVE-2025-26399), Sitecore (CVE-2025-53690), and Dassault Systèmes DELMIA Apriso were exploited for command injection, remote code execution, and privilege escalation. CISA added several of these to its Known Exploited Vulnerabilities (KEV) catalog.
3. Cisco ASA, FTD, and IOS/XE Zero-Days Targeted by Nation-State Actors
Critical Cisco firewall, VPN, and IOS vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20352) were actively exploited to deploy ransomware (RayInitiator, LINE VIPER) and other malware, and to conduct network reconnaissance. Over 2 million devices were potentially impacted, prompting emergency directives from CISA and global advisories.
4. Mobile & IoT Platforms Targeted by Zero-Click and RCE Flaws
Samsung Galaxy devices (CVE-2025-21043), Android (CVE-2025-48543, CVE-2025-38352), WhatsApp, TP-Link routers, OnePlus OxygenOS, and IoT devices were targeted with zero-click or remote code execution exploits. Nation-state and cybercriminal groups leveraged these flaws to infiltrate enterprise and consumer environments, often bypassing authentication or UEFI/ASLR protections.
5. Apple Patch Releases Mitigate Critical Threats
Apple addressed multiple zero-day vulnerabilities in ImageIO, Font Parser, and CarPlay, some actively exploited in spyware campaigns. Backports and emergency updates mitigated risks of remote code execution, memory corruption, and privilege escalation across macOS, iOS, and watchOS.
6. Ransomware Campaigns Exploiting Enterprise Vulnerabilities
Akira, HybridPetya, and RevengeHotels ransomware campaigns exploited SonicWall SSL VPNs, Ivanti EPMM, and improperly patched enterprise software. These campaigns bypassed multi-factor authentication and Secure Boot protections, and leveraged LLM-powered malware delivery to maximize infection and lateral movement.
7. Email Security Gateways & Collaboration Platforms Under Attack
Libraesva ESG and FreePBX servers were exploited via command injection and authentication bypass, while vulnerabilities in WhatsApp and Salesforce AI exposed sensitive data. Threat actors actively leveraged these platforms for espionage, data theft, and enterprise network compromise.
8. Critical Infrastructure & Telecom Networks Breached
Chinese state-sponsored actors and FSB-linked operatives exploited enterprise network gear, TP-Link routers, and telecommunications infrastructure to exfiltrate sensitive data and infiltrate U.S. federal and corporate networks. A $10M bounty was offered by the U.S. for actionable intelligence on the perpetrators.
9. Patch Urgency Highlighted Across Multiple Vendors
CISA, NCSC, and security advisories emphasized immediate patching for SAP, Sitecore, DELMIA Apriso, Chrome, VMware, Cisco, Fortra GoAnywhere, and Android vulnerabilities. Attackers were observed exploiting flaws prior to public patches, underscoring the need for proactive vulnerability management.
10. Open-Source and Developer Tools Remain Targeted
Chaos Mesh, Kubernetes clusters, Pandoc, GitLab, WordPress, and BentoML flaws were exploited for cluster takeover, SSRF, and credential theft. Attackers are increasingly leveraging automation and AI-powered tools (HexStrike-AI) to weaponize zero-days within minutes of discovery.
CVEs identified by CISA which were actively exploited by threat actors during November. These include:
1. Cisco
a) Cisco IOS & IOS XE SNMP Stack-Based Buffer Overflow Vulnerability (CVE-2025-20352) – Allows denial of service or remote code execution.
b) Cisco ASA & FTD Missing Authorization Vulnerability (CVE-2025-20362) – May allow chained attacks or privilege escalation through the VPN Web Server.
c) Cisco ASA & FTD Buffer Overflow Vulnerability (CVE-2025-20333) – Allows remote code execution on firewall and VPN systems.
2. Google
Google Chromium V8 Type Confusion Vulnerability (CVE-2025-10585) – Exploitable through the JavaScript and WebAssembly engine, potentially compromising systems.
3. Sudo / Linux
a) Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2025-32463) – Allows local attackers to leverage the sudo -R (--chroot) option to execute arbitrary commands.
b) Linux Kernel TOCTOU Race Condition Vulnerability (CVE-2025-38352) – High impact on confidentiality, integrity, and availability.
4. Libraesva
Libraesva Email Security Gateway Command Injection Vulnerability (CVE-2025-59689) – Enables command injection via compressed e-mail attachments.
5. Fortra
Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability (CVE-2025-10035) – Actors with a validly forged license response can deserialize arbitrary objects, leading to remote code execution.
6. Adminer
Adminer Server-Side Request Forgery (CVE-2021-21311) – Remote attackers can obtain potentially sensitive information.
7. Dassault Systèmes
DELMIA Apriso Deserialization Vulnerability (CVE-2025-5086) – Can lead to remote code execution.
8. Android
Android Runtime Use-After-Free Vulnerability (CVE-2025-48543) – Potentially allows Chrome sandbox escape and local privilege escalation.
9. Sitecore
Sitecore Deserialization of Untrusted Data Vulnerability (CVE-2025-53690) – Affects multiple Sitecore platforms, enabling remote code execution.
10. TP-Link
a) TP-Link TL-WR841N Authentication Bypass Vulnerability (CVE-2023-50224) – Allows disclosure of stored credentials via HTTP service spoofing.
b) TP-Link Archer C7 / TL-WR841N/ND OS Command Injection Vulnerability (CVE-2025-9377) – Exploitable via the Parental Control page; impacted products may be EoL or unsupported.
c) TP-Link TL-WA855RE Missing Authentication Vulnerability (CVE-2020-24363) – Unauthenticated attackers can trigger device reset and potentially compromise the router.
Two priority CVEs identified by CISA are also known to be leveraged in ransomware campaigns:
1. Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability (CVE-2025-10035)
2. Cisco ASA & FTD Buffer Overflow Vulnerability (CVE-2025-20333)
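The KEV list above and the two ransomware-linked priority CVEs are most useful when they are matched against an asset inventory and turned into a patch order. The script below is an added example written for this digest, not code from CISA or from the original page. Its record layout follows the field names of the public CISA KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse), but every record, date and asset in it is constructed for illustration using only CVE IDs named on this page; the feed contents are not real.

```python
"""
Prioritise KEV entries against an asset inventory.

Added example (not from the original digest). Field names mirror the public
CISA KEV JSON feed; all records, dates and assets below are CONSTRUCTED and
are not real feed contents.
"""
import json
from datetime import date

# Constructed KEV-shaped feed. CVE IDs are those named on the page; dates,
# product strings and ransomware flags are illustrative only.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
     "vulnerabilityName": "Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2025-09-29", "dueDate": "2025-10-20", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-20333", "vendorProject": "Cisco", "product": "ASA and FTD",
     "vulnerabilityName": "Cisco ASA and FTD Buffer Overflow Vulnerability",
     "dateAdded": "2025-09-25", "dueDate": "2025-09-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-20362", "vendorProject": "Cisco", "product": "ASA and FTD",
     "vulnerabilityName": "Cisco ASA and FTD Missing Authorization Vulnerability",
     "dateAdded": "2025-09-25", "dueDate": "2025-09-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-10585", "vendorProject": "Google", "product": "Chromium V8",
     "vulnerabilityName": "Google Chromium V8 Type Confusion Vulnerability",
     "dateAdded": "2025-09-23", "dueDate": "2025-10-14", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-50224", "vendorProject": "TP-Link", "product": "TL-WR841N",
     "vulnerabilityName": "TP-Link TL-WR841N Authentication Bypass Vulnerability",
     "dateAdded": "2025-09-03", "dueDate": "2025-09-24", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: hostname plus the vendor/product strings used
# in the feed. No TP-Link device is present, so that entry should not match.
INVENTORY = [
    {"asset": "mft-01", "vendorProject": "Fortra", "product": "GoAnywhere MFT"},
    {"asset": "fw-edge-01", "vendorProject": "Cisco", "product": "ASA and FTD"},
    {"asset": "ws-0042", "vendorProject": "Google", "product": "Chromium V8"},
]


def load_kev(feed_json: str) -> dict:
    """Parse a KEV-shaped JSON document into a dict keyed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def _norm(s: str) -> str:
    return s.strip().lower()


def match_inventory(kev: dict, inventory: list) -> list:
    """Return (asset, record) pairs whose vendor and product strings match."""
    hits = []
    for asset in inventory:
        for rec in kev.values():
            if (_norm(rec["vendorProject"]) == _norm(asset["vendorProject"])
                    and _norm(rec["product"]) == _norm(asset["product"])):
                hits.append((asset["asset"], rec))
    return hits


def prioritize(kev: dict, inventory: list, today_iso: str) -> list:
    """
    Build a patch order: ransomware-linked CVEs first, then entries already
    past their KEV due date, then the rest by earliest due date.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for asset, rec in match_inventory(kev, inventory):
        ransomware = rec.get("knownRansomwareCampaignUse") == "Known"
        overdue = today > date.fromisoformat(rec["dueDate"])
        findings.append({
            "asset": asset,
            "cve": rec["cveID"],
            "due": rec["dueDate"],
            "ransomware": ransomware,
            "overdue": overdue,
            "priority": "P1" if (ransomware or overdue) else "P2",
        })
    findings.sort(key=lambda f: (not f["ransomware"], not f["overdue"], f["due"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(load_kev(KEV_FEED_JSON), INVENTORY, "2025-09-30"):
        flags = ("ransomware " if f["ransomware"] else "") + ("overdue" if f["overdue"] else "")
        print(f"{f['priority']} {f['asset']:<11} {f['cve']:<15} due {f['due']} {flags}")
```

Matching on exact vendor/product strings is deliberately simple; the real feed's product names vary between entries, so a production version should map KEV records to inventory via CPE or a maintained alias table rather than string equality.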
Author: Hackerstorm.com
https://www.cisa.gov/news-events/news
https://www.ncsc.gov.uk/section/keep-up-to-date/reports-advisories
https://cert.europa.eu/publications/security-advisories/2024
https://cert.europa.eu/publications/threat-intelligence/cb24-03
https://www.jpcert.or.jp/english/at/2024.html
https://auscert.org.au/bulletins
https://www.csa.gov.sg/alerts-advisories/security-bulletins