Forum Widgets
Recent Discussions
FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)
On July 19, researchers at Eye Security identified active exploitation in Microsoft SharePoint Server. Originally, this exploitation was believed to have been linked to a pair of flaws (CVE-2025-49704, CVE-2025-49706) dubbed “ToolShell” that was disclosed at Pwn2Own Berlin and patched in Microsoft’s July 2025 Patch Tuesday release, Microsoft published its own blog post stating that the flaw was actually a zero-day. CVE Description CVSSv3 CVE-2025-53770 Microsoft SharePoint Server Remote Code Execution Vulnerability 9.8 Microsoft confirmed that CVE-2025-53770 is a “variant” of CVE-2025-49706. As of July 20 at 2PM PST, CVE-2025-53770 remains unpatched. Update: Since we published our community and FAQ blog post, Microsoft has created an additional CVE and added in some preliminary patches for SharePoint Subscription Edition and SharePoint Server 2019. CVE Description CVSSv3 CVE-2025-53771 Microsoft SharePoint Server Spoofing Vulnerability 6.3 For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
Frequently Asked Questions About The August 2025 F5 Security Incident
Starting August 9 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that they have not observed further unauthorized activity and believe they have successfully contained the breach. In response, Tenable’s Research Special Operations (RSO) team has compiled a blog to answer Frequently Asked Questions (FAQ) regarding the security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification. While there is no notice in these security advisories that any of the CVEs released on October 15 have been exploited, we strongly recommend applying all available patches. For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems
Tenable's Research Special Operations (RSO) team is investigating reports of breaches connected to Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. As of October 3, there have been no specific vulnerabilities (or CVEs) identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post: Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates. In the July 2025 Critical Patch Update (CPU), there were 165 unique CVEs patched, including nine associated with Oracle EBS: CVE Product CVSSv3 CVE-2025-30743 Oracle Lease and Finance Management 8.1 CVE-2025-30744 Oracle Mobile Field Service 8.1 CVE-2025-50105 Oracle Universal Work Queue 8.1 CVE-2025-50071 Oracle Applications Framework 6.4 CVE-2025-30746 Oracle iStore 6.1 CVE-2025-30745 Oracle MES for Process Manufacturing 6.1 CVE-2025-50107 Oracle Universal Work Queue 6.1 CVE-2025-30739 Oracle CRM Technical Foundation 5.5 CVE-2025-50090 Oracle Applications Framework 5.4 Cl0p has historically been linked to the exploitation of zero-day vulnerabilities including in managed file transfer platforms, such as Cleo, MOVEit, GoAnywhere and Accellion. If and when more definitive information becomes available, we will update this post and or publish more details on the Tenable Blog.Oracle E-Business Suite Zero-Day Exploited by Cl0p Ransomware Group (CVE-2025-61882)
On October 4, Oracle published a Security Alert Advisory for a zero-day in its E-Business Suite (EBS) solution: CVE Description CVSSv3 CVE-2025-61882 Oracle Concurrent Processing Remote Code Execution Vulnerability 9.8 This vulnerability was reportedly exploited in the wild by the Cl0p ransomware group. It followed earlier reports of extortion emails being sent to EBS customers by the Cl0p ransomware group. Initially, Oracle indicated that attacks used flaws in Oracle’s July 2025 CPU release. For more information about this zero-day vulnerability and associated vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.FAQ on Exploited Zero-Day Flaws in Cisco ASA and FTD Devices (CVE-2025-20333, CVE-2025-20362)
On September 25, Cisco published three advisories for three zero-day vulnerabilities in its Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software: CVE Description CVSSv3 Exploited CVE-2025-20333 Cisco ASA and FTD Software VPN Web Server Remote Code Execution Vulnerability (RCE) 9.9 Yes CVE-2025-20362 Cisco ASA and FTD Software VPN Web Server Unauthorized Access Vulnerability 6.5 Yes CVE-2025-20363 Cisco ASA and FTD Software, IOS Software, IOS XE Software, and IOS XR Software Web Services 9.0 No According to Cisco, two of the three zero-day vulnerabilities were exploited in the wild by the same threat actor behind 2024's ArcaneDoor campaign that also involved the exploitation of flaws in Cisco devices. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2025-31324: Vulnerability in SAP NetWeaver Exploited in the Wild
CVE-2025-31324, a zero day vulnerability in SAP NetWeaver, has been generating a good deal of chatter in recent days. Media outlets report that it is being targeted by multiple ransomware groups and Chinese Advanced Persistent Threat (APT) groups. The unauthenticated file upload vulnerability affects the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files which can be used by an attacker to achieve code execution. SAP has released patches to address CVE-2025-31324. On April 25, Tenable Research Response Team published a blog post about the vulnerability and provided guidance on how to identify affected systems using Tenable plugins. The blog post can be found here: https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild Media outlets reporting on CVE-2025-31324 include Bleeping Computer, CyberScoop and Dark Reading. On May 13, as part of the SAP Security Patch Day, SAP released a patch for CVE-2025-42999, a deserialization vulnerability affecting SAP NetWeaver. Onapsis identified and reported this flaw to SAP and noted this was an additional vector for exploitation that the April patch did not address. To ensure full remediation from these vulnerabilities, it’s imperative that both the April and May patches are applied to SAP NetWeaver hosts. If you have questions or concerns about this vulnerability, please submit a comment below or contact your Tenable sales representative.Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234) On September 9, Microsoft released its September 2025 Patch Tuesday release which patched 80 CVEs with eight rated as critical and 72 rated as important. While no vulnerabilities were exploited in the wild, there was one zero-day patch this month. CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers. This month’s update includes patches for: Azure Arc Azure Windows Virtual Machine Agent Capability Access Management Service (camsvc) Graphics Kernel Microsoft AutoUpdate (MAU) Microsoft Brokering File System Microsoft Graphics Component Microsoft High Performance Compute Pack (HPC) Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office SharePoint Microsoft Office Visio Microsoft Office Word Microsoft Virtual Hard Drive Role: Windows Hyper-V SQL Server Windows Ancillary Function Driver for WinSock Windows BitLocker Windows Bluetooth Service Windows Connected Devices Platform Service Windows DWM Windows Defender Firewall Service Windows Imaging Component Windows Internet Information Services Windows Kernel Windows Local Security Authority Subsystem Service (LSASS) Windows Management Services Windows MapUrlToZone Windows MultiPoint Services Windows NTFS Windows NTLM Windows PowerShell Windows Routing and Remote Access Service (RRAS) Windows SMB Windows SMBv3 Client Windows SPNEGO Extended Negotiation Windows TCP/IP Windows UI XAML Maps MapControlSettings Windows UI XAML Phone DatePickerFlyout Windows Win32K GRFX Xbox For more information, please visit our blog.
Research Release Highlight - Changes to SMB Kerberos
Research Release Highlight - Changes to SMB Kerberos Summary Kerberos has been the default authentication mechanism for domain connected Windows devices since Windows 2008. Tenable credentialed scans of Windows targets support an explicit Kerberos credential type. The explicit credential, which names the DC and domain name, frees the Nessus sensor from having to be connected to the Windows domain being scanned and allows the scanner to be hosted on Linux or MacOS as well. The nature of this explicit Kerberos credential type has widely led to the expectation that a Kerberos scan of Windows will never use NTLM. That is not true. Currently Kerberos Windows scans will fail over to using NTLM if Kerberos does not succeed. The Kerberos protocol depends on time synchronization, FQDN target specification and bi-directional DNS name resolution, but NTLM does not. Tenable fails over to NTLM to preserve scan continuity where Kerberos on the target or scanner may not be configured correctly. As each Windows credential is tried, if Kerberos fails, a second attempt will be made using NTLM. Change We are changing Windows scans so that a scan will try all Windows credentials first before trying them again using NTLM if the credential set contains at least one Kerberos credential. This change also extends our Kerberos coverage to include Windows Configuration Manager and Active Directory Service Interfaces (ADSI) scans. Impact In certain customer environments where a single service credential (username/password) is used across multiple domains the current failover behavior causes NTLM to be used prematurely when it is possible that a subsequent Kerberos credential targeting a different domain might succeed. The change here favors Kerberos first and only fails over to NTLM after all credentials have been tried. Customers can also modify their SCCM (Windows Configuration Manager) credentials to include the domain controller's FQDN to allow those scans to use Kerberos. The net effect of these changes will be reduced dependency on NTLM in Windows scans and should produce better results in some cases. Target Release Date 07/16/2025Microsoft’s October 2025 Patch Tuesday Addresses 167 CVEs (CVE-2025-24990, CVE-2025-59230)
Microsoft’s October 2025 Patch Tuesday Addresses 167 CVEs (CVE-2025-24990, CVE-2025-59230) On October 14, Microsoft released its October 2025 Patch Tuesday release which patched 167 CVEs with seven rated as critical, 158 rated important and two rated moderate. This release was the largest Patch Tuesday release to date. Included in this month's patches were three zero-day vulnerabilities, two of which were exploited in the wild. CVE-2025-24052 and CVE-2025-24990 are elevation of privilege vulnerabilities in the third party Agere Modem driver. Both CVEs were assigned CVSSv3 scores of 7.8 and rated as important. Microsoft reports that CVE-2025-24990 has been exploited in the wild and CVE-2025-24052 was disclosed prior to a patch being made available. Successful exploitation would allow an attacker to gain administrator privileges on an affected system. CVE-2025-59230 is an elevation of privilege vulnerability affecting Windows Remote Access Connection Manager. According to Microsoft, this vulnerability has been exploited in the wild. It was assigned a CVSSv3 score of 7.8 and is rated as important. Exploitation of this vulnerability involves improper access control in Windows Remote Access Connection Manager and could allow a local attacker to gain SYSTEM privileges. This month’s update includes patches for: .NET .NET, .NET Framework, Visual Studio Active Directory Federation Services Agere Windows Modem Driver ASP.NET Core Azure Connected Machine Agent Azure Entra ID Azure Local Azure Monitor Azure Monitor Agent Azure PlayFab Confidential Azure Container Instances Connected Devices Platform Service (Cdpsvc) Copilot Data Sharing Service Client Inbox COM Objects Internet Explorer JDBC Driver for SQL Server Microsoft Brokering File System Microsoft Configuration Manager Microsoft Defender for Linux Microsoft Exchange Server Microsoft Failover Cluster Virtual Driver Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office SharePoint Microsoft Office Visio Microsoft Office Word Microsoft PowerShell Microsoft Windows Microsoft Windows Search Component Microsoft Windows Speech Network Connection Status Indicator (NCSI) NtQueryInformation Token function (ntifs.h) Remote Desktop Client Software Protection Platform (SPP) Storport.sys Driver Virtual Secure Mode Visual Studio Windows Ancillary Function Driver for WinSock Windows Authentication Methods Windows BitLocker Windows Bluetooth Service Windows Cloud Files Mini Filter Driver Windows COM Windows Connected Devices Platform Service Windows Core Shell Windows Cryptographic Services Windows Device Association Broker service Windows Digital Media Windows DirectX Windows DWM Windows DWM Core Library Windows Error Reporting Windows ETL Channel Windows Failover Cluster Windows File Explorer Windows Health and Optimized Experiences Service Windows Hello Windows High Availability Services Windows Hyper-V Windows Kernel Windows Local Session Manager (LSM) Windows Management Services Windows MapUrlToZone Windows NDIS Windows NTFS Windows NTLM Windows PrintWorkflowUserSvc Windows Push Notification Core Windows Remote Access Connection Manager Windows Remote Desktop Windows Remote Desktop Protocol Windows Remote Desktop Services Windows Remote Procedure Call Windows Resilient File System (ReFS) Windows Resilient File System (ReFS) Deduplication Service Windows Routing and Remote Access Service (RRAS) Windows Server Update Service Windows SMB Client Windows SMB Server Windows SSDP Service Windows StateRepository API Windows Storage Management Provider Windows Taskbar Live Windows USB Video Driver Windows Virtualization-Based Security (VBS) Enclave Windows WLAN Auto Config Service Xbox XBox Gaming Services For more information, please visit our blog.
Zero Click Zero Day in Microsoft Support Diagnostic Tool...
Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild (CVE-2022-30190) On May 30, Microsoft released an advisory for a zero-day in the Microsoft Windows Support Diagnostic Tool (MSDT) that has been exploited in the wild and gained considerable researcher attention over the weekend. CVE-2022-30190 is a remote code execution vulnerability in MSDT that impacts several versions of Microsoft Office, including patched versions of Office 2019 and 2021. An attacker would craft a malicious document, Microsoft Word is common, and send it to their target via email. By exploiting this vulnerability, an attacker can execute commands with the permissions of the application used to open the malicious document. Researchers have found that this vulnerability can be exploited without user interaction. Microsoft has published a workaround and detection information, but no patches as of May 31. For more information, please visit our blog post.
