Recent Discussions
FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)
On July 19, researchers at Eye Security identified active exploitation in Microsoft SharePoint Server. Originally, this exploitation was believed to have been linked to a pair of flaws (CVE-2025-49704, CVE-2025-49706) dubbed “ToolShell” that were disclosed at Pwn2Own Berlin and patched in Microsoft’s July 2025 Patch Tuesday release; however, Microsoft published its own blog post stating that the flaw was actually a zero-day.

CVE             Description                                                        CVSSv3
CVE-2025-53770  Microsoft SharePoint Server Remote Code Execution Vulnerability    9.8

Microsoft confirmed that CVE-2025-53770 is a “variant” of CVE-2025-49706. As of July 20 at 2PM PST, CVE-2025-53770 remains unpatched.

Update: Since we published our community and FAQ blog post, Microsoft has created an additional CVE and added in some preliminary patches for SharePoint Subscription Edition and SharePoint Server 2019.

CVE             Description                                            CVSSv3
CVE-2025-53771  Microsoft SharePoint Server Spoofing Vulnerability     6.3

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by snarang (Product Team), 2 months ago

CVE-2025-31324: Vulnerability in SAP NetWeaver Exploited in the Wild
CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver, has been generating a good deal of chatter in recent days. Media outlets report that it is being targeted by multiple ransomware groups and Chinese Advanced Persistent Threat (APT) groups. The unauthenticated file upload vulnerability affects the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files, which can be used by an attacker to achieve code execution. SAP has released patches to address CVE-2025-31324.

On April 25, the Tenable Research Response Team published a blog post about the vulnerability and provided guidance on how to identify affected systems using Tenable plugins. The blog post can be found here: https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild

Media outlets reporting on CVE-2025-31324 include Bleeping Computer, CyberScoop and Dark Reading.

On May 13, as part of the SAP Security Patch Day, SAP released a patch for CVE-2025-42999, a deserialization vulnerability affecting SAP NetWeaver. Onapsis identified and reported this flaw to SAP and noted this was an additional vector for exploitation that the April patch did not address. To ensure full remediation from these vulnerabilities, it’s imperative that both the April and May patches are applied to SAP NetWeaver hosts.

If you have questions or concerns about this vulnerability, please submit a comment below or contact your Tenable sales representative.

Posted by scaveza (Product Team), 4 months ago
Research Release Highlight - Changes to SMB Kerberos

Summary

Kerberos has been the default authentication mechanism for domain-connected Windows devices since Windows 2008. Tenable credentialed scans of Windows targets support an explicit Kerberos credential type. The explicit credential, which names the DC and domain name, frees the Nessus sensor from having to be connected to the Windows domain being scanned and allows the scanner to be hosted on Linux or macOS as well.

The nature of this explicit Kerberos credential type has widely led to the expectation that a Kerberos scan of Windows will never use NTLM. That is not true. Currently, Kerberos Windows scans fail over to using NTLM if Kerberos does not succeed. The Kerberos protocol depends on time synchronization, FQDN target specification and bi-directional DNS name resolution, but NTLM does not. Tenable fails over to NTLM to preserve scan continuity where Kerberos on the target or scanner may not be configured correctly. As each Windows credential is tried, if Kerberos fails, a second attempt will be made using NTLM.

Change

We are changing Windows scans so that a scan will try all Windows credentials first before trying them again using NTLM if the credential set contains at least one Kerberos credential. This change also extends our Kerberos coverage to include Windows Configuration Manager and Active Directory Service Interfaces (ADSI) scans.

Impact

In certain customer environments where a single service credential (username/password) is used across multiple domains, the current failover behavior causes NTLM to be used prematurely when it is possible that a subsequent Kerberos credential targeting a different domain might succeed. The change here favors Kerberos first and only fails over to NTLM after all credentials have been tried. Customers can also modify their SCCM (Windows Configuration Manager) credentials to include the domain controller's FQDN to allow those scans to use Kerberos.

The net effect of these changes will be reduced dependency on NTLM in Windows scans and should produce better results in some cases.

Target Release Date: 07/16/2025

Posted by IvanBelyna (Product Team), 3 months ago
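The credential-ordering change described in the SMB Kerberos post above, as an added example that is not Tenable scanner code: a toy scanner tries a credential set against a target in the current interleaved order (Kerberos, then an immediate NTLM retry, per credential) and in the new Kerberos-first order (a Kerberos pass over every credential before any NTLM attempt). The domains, host names and the shared service account are constructed for the example. Kerberos success is modelled only on the preconditions the post itself names (the credential names the target's own domain and the target is specified by FQDN); time skew and DNS are not modelled.

```python
"""Model of how a Windows credentialed scan picks Kerberos vs. NTLM.

Added example, not Tenable scanner code. Hosts, domains and the service
account below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    domain: str
    kdc: Optional[str] = None  # DC FQDN; set only for explicit Kerberos credentials

    @property
    def is_kerberos(self) -> bool:
        return self.kdc is not None


@dataclass(frozen=True)
class Target:
    host: str               # as given in the scan: FQDN or IP address
    domain: str             # domain the host is joined to
    valid_logins: frozenset  # (username, password) pairs the host accepts


def kerberos_succeeds(cred: Credential, target: Target) -> bool:
    """Kerberos needs a credential for the target's own domain, a password the KDC
    accepts, and an FQDN so the scanner can build a cifs/<fqdn> service principal name."""
    try:
        ipaddress.ip_address(target.host)
        return False        # IP-addressed target: no SPN can be built, Kerberos cannot work
    except ValueError:
        pass
    return (cred.is_kerberos
            and cred.domain.lower() == target.domain.lower()
            and (cred.username, cred.password) in target.valid_logins)


def ntlm_succeeds(cred: Credential, target: Target) -> bool:
    """NTLM only needs a username/password the host will validate; it ignores which
    domain or KDC the scanner named and whether the target is an FQDN or an IP."""
    return (cred.username, cred.password) in target.valid_logins


def authenticate_interleaved(creds, target):
    """Current behaviour: each credential is tried with Kerberos and, on failure,
    immediately retried with NTLM before the next credential is considered."""
    for cred in creds:
        if kerberos_succeeds(cred, target):
            return cred, "kerberos"
        if ntlm_succeeds(cred, target):
            return cred, "ntlm"
    return None


def authenticate_kerberos_first(creds, target):
    """New behaviour: if any credential is a Kerberos credential, run a Kerberos pass
    over all credentials first and only then an NTLM pass over all of them."""
    if not any(c.is_kerberos for c in creds):
        return authenticate_interleaved(creds, target)  # unchanged for NTLM-only sets
    for cred in creds:
        if kerberos_succeeds(cred, target):
            return cred, "kerberos"
    for cred in creds:
        if ntlm_succeeds(cred, target):
            return cred, "ntlm"
    return None


# Constructed scenario from the post's "Impact" section: one service account with the
# same password in two domains, and one explicit Kerberos credential per domain.
CREDS = (
    Credential("svc_scan", "Pa55w0rd!", "corp.example", kdc="dc1.corp.example"),
    Credential("svc_scan", "Pa55w0rd!", "eu.example", kdc="dc1.eu.example"),
)
LOGINS = frozenset({("svc_scan", "Pa55w0rd!")})
FS01_FQDN = Target("fs01.eu.example", "eu.example", LOGINS)   # scanned by FQDN
FS01_IP = Target("10.20.30.40", "eu.example", LOGINS)         # same host, scanned by IP

if __name__ == "__main__":
    for name, fn in (("interleaved", authenticate_interleaved),
                     ("kerberos-first", authenticate_kerberos_first)):
        for t in (FS01_FQDN, FS01_IP):
            cred, method = fn(CREDS, t)
            print(f"{name:15} {t.host:18} -> {method} via credential for {cred.domain}")
```

With the FQDN target, the interleaved order authenticates with NTLM using the corp.example credential, because that credential's Kerberos attempt fails on the domain mismatch and NTLM is tried before the eu.example credential is ever considered; the Kerberos-first order reaches the eu.example credential and authenticates with Kerberos. With the IP-addressed target both orders end up on NTLM, which is the FQDN dependency the post calls out.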
Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)

On June 10, Microsoft released its June 2025 Patch Tuesday release, which patched 65 CVEs with 9 rated as critical and 56 rated as important. This month’s updates include patches to address two zero-day vulnerabilities, with one being exploited in the wild.

CVE-2025-33053 is a remote code execution vulnerability in Web Distributed Authoring and Versioning (WebDAV). It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker could exploit this vulnerability through social engineering, by convincing a target to open a malicious URL or file. Successful exploitation would give the attacker the ability to execute code on the victim’s network. According to Microsoft, it was exploited in the wild as a zero-day. According to researchers at Check Point Research, CVE-2025-33053 was exploited by an APT group known as Stealth Falcon.

CVE-2025-33073 is an elevation of privilege vulnerability affecting the Windows Server Message Block (SMB) client. It was assigned a CVSSv3 score of 8.8 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to execute a crafted script to force a target device to connect to an attacker-controlled machine using SMB credentials. If successful, the attacker could elevate their privileges to SYSTEM.

This month’s update includes patches for: .NET and Visual Studio, App Control for Business (WDAC), Microsoft AutoUpdate (MAU), Microsoft Local Security Authority Server (lsasrv), Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office PowerPoint, Microsoft Office SharePoint, Microsoft Office Word, Nuance Digital Engagement Platform, Power Automate, Remote Desktop Client, Visual Studio, WebDAV, Windows Common Log File System Driver, Windows Cryptographic Services, Windows DHCP Server, Windows DWM Core Library, Windows Hello, Windows Installer, Windows KDC Proxy Service (KPSSVC), Windows Kernel, Windows Local Security Authority (LSA), Windows Local Security Authority Subsystem Service (LSASS), Windows Media, Windows Netlogon, Windows Recovery Driver, Windows Remote Access Connection Manager, Windows Remote Desktop Services, Windows Routing and Remote Access Service (RRAS), Windows SDK, Windows SMB, Windows Security App, Windows Shell, Windows Standards-Based Storage Management Service, Windows Storage Management Provider, Windows Storage Port Driver and Windows Win32K GRFX.

For more information, please visit our blog.

Posted by scaveza (Product Team), 4 months ago
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

On September 9, Microsoft released its September 2025 Patch Tuesday release, which patched 80 CVEs with eight rated as critical and 72 rated as important. While no vulnerabilities were exploited in the wild, there was one zero-day patch this month.

CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.

This month’s update includes patches for: Azure Arc, Azure Windows Virtual Machine Agent, Capability Access Management Service (camsvc), Graphics Kernel, Microsoft AutoUpdate (MAU), Microsoft Brokering File System, Microsoft Graphics Component, Microsoft High Performance Compute Pack (HPC), Microsoft Office, Microsoft Office Excel, Microsoft Office PowerPoint, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Office Word, Microsoft Virtual Hard Drive, Role: Windows Hyper-V, SQL Server, Windows Ancillary Function Driver for WinSock, Windows BitLocker, Windows Bluetooth Service, Windows Connected Devices Platform Service, Windows DWM, Windows Defender Firewall Service, Windows Imaging Component, Windows Internet Information Services, Windows Kernel, Windows Local Security Authority Subsystem Service (LSASS), Windows Management Services, Windows MapUrlToZone, Windows MultiPoint Services, Windows NTFS, Windows NTLM, Windows PowerShell, Windows Routing and Remote Access Service (RRAS), Windows SMB, Windows SMBv3 Client, Windows SPNEGO Extended Negotiation, Windows TCP/IP, Windows UI XAML Maps MapControlSettings, Windows UI XAML Phone DatePickerFlyout, Windows Win32K GRFX and Xbox.

For more information, please visit our blog.

Posted by scaveza (Product Team), 11 days ago

Microsoft’s August 2025 Patch Tuesday Addresses 107 CVEs (CVE-2025-53779)
On August 12, Microsoft released its August 2025 Patch Tuesday release, which addresses 107 CVEs with 13 rated critical, 91 rated as important, one rated as moderate and one rated as low. This month included a patch for one publicly disclosed zero-day, CVE-2025-53779.

CVE-2025-53779 is an elevation of privilege vulnerability in Windows Kerberos. It was assigned a CVSSv3 score of 7.2 and is rated moderate. An authenticated attacker with access to a user account with specific permissions in Active Directory (AD) and at least one domain controller in the domain running Windows Server 2025 could exploit this vulnerability to achieve full domain, and then forest, compromise in an AD environment. This vulnerability is dubbed BadSuccessor by Yuval Gordon, a security researcher at Akamai. It was disclosed on May 21. For more information on BadSuccessor, please review our FAQ blog, Frequently Asked Questions About BadSuccessor.

This month’s update includes patches for: Azure File Sync, Azure OpenAI, Azure Portal, Azure Stack, Azure Virtual Machines, Desktop Windows Manager, GitHub Copilot and Visual Studio, Graphics Kernel, Kernel Streaming WOW Thunk Service Driver, Kernel Transaction Manager, Microsoft 365 Copilot's Business Chat, Microsoft Brokering File System, Microsoft Dynamics 365 (on-premises), Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office Excel, Microsoft Office PowerPoint, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Office Word, Microsoft Teams, Remote Access Point-to-Point Protocol (PPP) EAP-TLS, Remote Desktop Server, Role: Windows Hyper-V, SQL Server, Storage Port Driver, Web Deploy, Windows Ancillary Function Driver for WinSock, Windows Cloud Files Mini Filter Driver, Windows Connected Devices Platform Service, Windows DirectX, Windows Distributed Transaction Coordinator, Windows File Explorer, Windows GDI+, Windows Installer, Windows Kerberos, Windows Kernel, Windows Local Security Authority Subsystem Service (LSASS), Windows Media, Windows Message Queuing, Windows NT OS Kernel, Windows NTFS, Windows NTLM, Windows PrintWorkflowUserSvc, Windows Push Notifications, Windows Remote Desktop Services, Windows Routing and Remote Access Service (RRAS), Windows SMB, Windows Security App, Windows StateRepository API, Windows Subsystem for Linux, Windows Win32K GRFX and Windows Win32K ICOMP.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 2 months ago
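The two preconditions the August 2025 post above names for BadSuccessor (CVE-2025-53779), a domain controller on Windows Server 2025 and an account holding particular AD permissions, can be audited before and after patching. The script below is an added example, not Tenable's or Akamai's code. The specific permission it looks for is the ability to create delegated Managed Service Account (dMSA) objects in an OU or container, which is the right the technique abuses; the schema class name msDS-DelegatedManagedServiceAccount is real, while the list of principals treated as expected is an assumption to tune per environment. It assumes the RSAT ActiveDirectory module and read access to directory ACLs, and it checks direct ACEs only (nested group membership is not resolved).

```powershell
# Added example, not Tenable's or Akamai's code. Audits the preconditions the post names
# for BadSuccessor (CVE-2025-53779): a Windows Server 2025 DC and a principal able to
# create dMSA objects in some OU or container. Assumes RSAT ActiveDirectory and ACL read access.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# 1. Is there a Windows Server 2025 domain controller? The dMSA feature needs one.
$dc2025 = Get-ADDomainController -Filter * | Where-Object { $_.OperatingSystem -like '*Server 2025*' }
if (-not $dc2025) {
    Write-Output 'No Windows Server 2025 domain controller found.'
} else {
    Write-Output ('Windows Server 2025 domain controllers: ' + ($dc2025.HostName -join ', '))
}

# 2. The dMSA object class only exists once a Server 2025 DC has extended the schema.
$dmsaClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) {
    Write-Output 'Schema has no msDS-DelegatedManagedServiceAccount class; dMSAs cannot be created here.'
    return
}
$dmsaGuid   = [guid]$dmsaClass.schemaIDGUID
$anyClass   = [guid]::Empty   # ObjectType of an ACE that applies to every child object class
$rightsType = [System.DirectoryServices.ActiveDirectoryRights]

# Principals expected to hold broad rights everywhere (assumption; adjust for your forest).
$expectedPrincipals = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

# 3. Walk the domain head, every OU and every container, and report ACEs that let some other
#    principal create child objects of any class or of the dMSA class specifically. GenericAll,
#    WriteDacl and WriteOwner are reported too, since each can be turned into CreateChild.
$scopes = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))'
foreach ($scope in $scopes) {
    $acl = Get-Acl -Path ('AD:\' + $scope.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expectedPrincipals | Where-Object { $who -like "*\$_" }) { continue }

        $r = $ace.ActiveDirectoryRights
        $createsDmsa = $r.HasFlag($rightsType::CreateChild) -and
                       ($ace.ObjectType -eq $anyClass -or $ace.ObjectType -eq $dmsaGuid)
        $broad = $r.HasFlag($rightsType::GenericAll) -or $r.HasFlag($rightsType::WriteDacl) -or $r.HasFlag($rightsType::WriteOwner)
        if ($createsDmsa -or $broad) {
            [pscustomobject]@{
                Container = $scope.DistinguishedName
                Principal = $who
                Rights    = $r.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
}
```

Each emitted object is a container where a non-default principal can create dMSA objects (or could grant itself that right). Those are the accounts the post's "user account with specific permissions" refers to; review whether each one needs the right, and treat any such ACE on a domain with a Server 2025 DC as exposure until the August update is applied.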
Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC). On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities, which are often abused for initial access to a victim’s network.

The CVEs from the CSA are as follows:

CVE             Description                                                                            CVSSv3  VPR
CVE-2024-21887  Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability         9.1     10
CVE-2023-46805  Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability    8.2     6.7
CVE-2024-3400   Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS         10      10
CVE-2023-20273  Cisco IOS XE Web UI Command Injection Vulnerability                                    7.2     8.4
CVE-2023-20198  Cisco IOS XE Web UI Elevation of Privilege Vulnerability                               10      9.9
CVE-2018-0171   Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability           9.8     9.2

In addition to the FAQ, the team performed an analysis of Tenable telemetry data and found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 22 days ago

CrushFTP Zero-Day Exploited (CVE-2025-54309)
On July 18, CrushFTP warned that a zero-day in its CrushFTP software was being exploited in the wild.

CVE             Description                                  CVSSv3
CVE-2025-54309  Unprotected Alternate Channel Vulnerability  9.0

According to CrushFTP, the vulnerability was first discovered as being exploited on July 18 at 9AM CST, though they caution that exploitation may have “been going on for longer.”

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by snarang (Product Team), 3 months ago

CVE-2025-7775: Citrix NetScaler ADC and Gateway Zero-Day RCE Vulnerability Exploited in the Wild
On August 26, Citrix published a security advisory for three vulnerabilities, including CVE-2025-7775, a zero-day vulnerability which has been exploited against its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances:

CVE            Description                                                                                                   CVSSv4
CVE-2025-7775  Citrix NetScaler ADC and Gateway Unauthenticated Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerability  9.2
CVE-2025-7776  Citrix NetScaler ADC and Gateway DoS Vulnerability                                                            8.8
CVE-2025-8424  Citrix NetScaler ADC and Gateway Improper Access Control Vulnerability                                        8.7

CVE-2025-7775 is an RCE vulnerability affecting NetScaler ADC and Gateway appliances. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code or cause a DoS condition on an affected device. According to the security advisory from Citrix, exploitation has been observed prior to the advisory and patches being made public.

Citrix’s NetScaler ADC and Gateway appliances have been a valuable target for attackers over the last several years. Due to the historical exploitation against NetScaler ADC and Gateway appliances, we strongly urge organizations to patch CVE-2025-7775 as soon as possible.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 25 days ago

FAQ on Microsoft Exchange Server Hybrid Deployment Vulnerability (CVE-2025-53786)
On August 6, Microsoft published a security advisory for a vulnerability in its Microsoft Exchange Server Hybrid Deployments.

CVE             Description                                                                       CVSSv3
CVE-2025-53786  Microsoft Exchange Server Elevation of Privilege Vulnerability (Hybrid Deployments)  8.0

The vulnerability was not exploited in the wild, but Microsoft assessed it as “Exploitation More Likely” according to its Exploitability Index. The flaw was discovered after investigating a non-security Hot Fix released on April 18. In addition to its advisory, Microsoft has issued an Emergency Directive, ED 25-02: Mitigate Microsoft Exchange Vulnerability, on August 7 that requires federal agencies to take immediate action by August 11 at 9AM EST.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.