Recent Discussions
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

On September 9, Microsoft released its September 2025 Patch Tuesday release, which patched 80 CVEs, with eight rated as critical and 72 rated as important. While no vulnerabilities were exploited in the wild, there was one zero-day patch this month. CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.

This month’s update includes patches for:
- Azure Arc
- Azure Windows Virtual Machine Agent
- Capability Access Management Service (camsvc)
- Graphics Kernel
- Microsoft AutoUpdate (MAU)
- Microsoft Brokering File System
- Microsoft Graphics Component
- Microsoft High Performance Compute Pack (HPC)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Virtual Hard Drive
- Role: Windows Hyper-V
- SQL Server
- Windows Ancillary Function Driver for WinSock
- Windows BitLocker
- Windows Bluetooth Service
- Windows Connected Devices Platform Service
- Windows DWM
- Windows Defender Firewall Service
- Windows Imaging Component
- Windows Internet Information Services
- Windows Kernel
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Management Services
- Windows MapUrlToZone
- Windows MultiPoint Services
- Windows NTFS
- Windows NTLM
- Windows PowerShell
- Windows Routing and Remote Access Service (RRAS)
- Windows SMB
- Windows SMBv3 Client
- Windows SPNEGO Extended Negotiation
- Windows TCP/IP
- Windows UI XAML Maps MapControlSettings
- Windows UI XAML Phone DatePickerFlyout
- Windows Win32K GRFX
- Xbox

For more information, please visit our blog.

Posted by scaveza (Product Team), 11 days ago

Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC). On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities, which are often abused for initial access to a victim's network.

The CVEs from the CSA are as follows:

CVE             Description                                                                         CVSSv3  VPR
CVE-2024-21887  Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability      9.1     10
CVE-2023-46805  Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability  8.2     6.7
CVE-2024-3400   Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS      10      10
CVE-2023-20273  Cisco IOS XE Web UI Command Injection Vulnerability                                 7.2     8.4
CVE-2023-20198  Cisco IOS XE Web UI Elevation of Privilege Vulnerability                            10      9.9
CVE-2018-0171   Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability        9.8     9.2

In addition to the FAQ, the team performed an analysis of Tenable telemetry data and found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 22 days ago

CVE-2025-7775: Citrix NetScaler ADC and Gateway Zero-Day RCE Vulnerability Exploited in the Wild
On August 26, Citrix published a security advisory for three vulnerabilities, including CVE-2025-7775, a zero-day vulnerability which has been exploited against its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances:

CVE            Description                                                                                              CVSSv4
CVE-2025-7775  Citrix NetScaler ADC and Gateway Unauthenticated Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerability  9.2
CVE-2025-7776  Citrix NetScaler ADC and Gateway DoS Vulnerability                                                       8.8
CVE-2025-8424  Citrix NetScaler ADC and Gateway Improper Access Control Vulnerability                                   8.7

CVE-2025-7775 is an RCE vulnerability affecting NetScaler ADC and Gateway appliances. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code or cause a DoS condition on an affected device. According to the security advisory from Citrix, exploitation has been observed prior to the advisory and patches being made public. Citrix’s NetScaler ADC and Gateway appliances have been a valuable target for attackers over the last several years. Due to the historical exploitation against NetScaler ADC and Gateway appliances, we strongly urge organizations to patch CVE-2025-7775 as soon as possible. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 25 days ago

CVE-2025-25256: Proof of Concept Released for Fortinet FortiSIEM Command Injection Vulnerability
On August 12, Fortinet published a security advisory (FG-IR-25-152) for CVE-2025-25256, a critical command injection vulnerability affecting Fortinet FortiSIEM. According to the advisory, exploitation of this flaw does not “produce distinctive” indicators of compromise (IoCs). As such, it may be difficult to identify that a device has been compromised. At the time the advisory was published by Fortinet on August 12, they warned that “practical exploit code” had been found in the wild, though they did not provide a link to the exploit. Tenable Research has attempted to identify a functional proof-of-concept (PoC) for this flaw; however, we have not successfully located one as of the time this post was published. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 2 months ago

Microsoft’s August 2025 Patch Tuesday Addresses 107 CVEs (CVE-2025-53779)
On August 12, Microsoft released its August 2025 Patch Tuesday release, which addresses 107 CVEs, with 13 rated critical, 91 rated as important, one rated as moderate and one rated as low. This month included a patch for one publicly disclosed zero-day, CVE-2025-53779. This is an elevation of privilege vulnerability in Windows Kerberos. It was assigned a CVSSv3 score of 7.2 and is rated moderate. An authenticated attacker with access to a user account with specific permissions in Active Directory (AD) and at least one domain controller in the domain running Windows Server 2025 could exploit this vulnerability to achieve full domain and then forest compromise in an AD environment. This vulnerability is dubbed BadSuccessor by Yuval Gordon, a security researcher at Akamai. It was disclosed on May 21. For more information on BadSuccessor, please review our FAQ blog, Frequently Asked Questions About BadSuccessor.

This month’s update includes patches for:
- Azure File Sync
- Azure OpenAI
- Azure Portal
- Azure Stack
- Azure Virtual Machines
- Desktop Windows Manager
- GitHub Copilot and Visual Studio
- Graphics Kernel
- Kernel Streaming WOW Thunk Service Driver
- Kernel Transaction Manager
- Microsoft 365 Copilot's Business Chat
- Microsoft Brokering File System
- Microsoft Dynamics 365 (on-premises)
- Microsoft Edge for Android
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Teams
- Remote Access Point-to-Point Protocol (PPP) EAP-TLS
- Remote Desktop Server
- Role: Windows Hyper-V
- SQL Server
- Storage Port Driver
- Web Deploy
- Windows Ancillary Function Driver for WinSock
- Windows Cloud Files Mini Filter Driver
- Windows Connected Devices Platform Service
- Windows DirectX
- Windows Distributed Transaction Coordinator
- Windows File Explorer
- Windows GDI+
- Windows Installer
- Windows Kerberos
- Windows Kernel
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Media
- Windows Message Queuing
- Windows NT OS Kernel
- Windows NTFS
- Windows NTLM
- Windows PrintWorkflowUserSvc
- Windows Push Notifications
- Windows Remote Desktop Services
- Windows Routing and Remote Access Service (RRAS)
- Windows SMB
- Windows Security App
- Windows StateRepository API
- Windows Subsystem for Linux
- Windows Win32K GRFX
- Windows Win32K ICOMP

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 2 months ago

FAQ on Microsoft Exchange Server Hybrid Deployment Vulnerability (CVE-2025-53786)
On August 6, Microsoft published a security advisory for a vulnerability in its Microsoft Exchange Server Hybrid Deployments.

CVE             Description                                                                          CVSSv3
CVE-2025-53786  Microsoft Exchange Server Elevation of Privilege Vulnerability (Hybrid Deployments)  8.0

The vulnerability was not exploited in the wild, but Microsoft assessed it as “Exploitation More Likely” according to its Exploitability Index. The flaw was discovered after investigating a non-security Hot Fix released on April 18. In addition to its advisory, Microsoft has issued an Emergency Directive, ED 25-02: Mitigate Microsoft Exchange Vulnerability, on August 7 that requires federal agencies to take immediate action by August 11 at 9AM EST. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited
On August 5, Trend Micro released a security advisory for two critical flaws affecting on-prem versions of Apex One Management Console. According to the advisory, Trend Micro has observed active exploitation of the vulnerabilities.

CVE             Description                                                               CVSSv3
CVE-2025-54987  Trend Micro Apex One Management Console Command Injection Vulnerability  9.4
CVE-2025-54948  Trend Micro Apex One Management Console Command Injection Vulnerability  9.4

CVE-2025-54987 and CVE-2025-54948 are both command injection vulnerabilities affecting the management console of on-prem installations of Trend Micro Apex One. An unauthenticated attacker with network or physical access to a vulnerable machine can upload arbitrary files, allowing the attacker to execute commands and achieve code execution. While two CVEs were issued, the advisory notes that CVE-2025-54987 was issued for a different CPU architecture than CVE-2025-54948. As of August 6, Trend Micro’s security advisory for these vulnerabilities notes that a patch has not yet been released and is to be expected “around the middle of August 2025.” In the meantime, a short-term mitigation tool has been released. This tool can be used to protect against known exploits and disables “the ability for administrators to utilize the Remote Install Agent function to deploy agents.” For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by scaveza (Product Team), 2 months ago

CurXecute and MCPoison: Two Recently Disclosed Vulnerabilities in Cursor IDE
Over the past few days, researchers have disclosed two new vulnerabilities in Cursor, the AI-assisted code editor used by over a million users, including notable Fortune 500 companies.

CVE             Description                                                                                      CVSSv3
CVE-2025-54135  Cursor Arbitrary Code Execution Vulnerability (“CurXecute”)                                      8.5
CVE-2025-54136  Cursor Remote Code Execution via Unverified Configuration Modification Vulnerability (“MCPoison”)  7.2

Both vulnerabilities have the potential to be severe, but they are context dependent. The common thread shared between CurXecute and MCPoison is how Cursor handles interaction with MCP servers. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on SonicWall Gen 7 Firewall Ransomware Activity
On August 4, SonicWall issued a threat activity notice following reports of malicious activity by several vendors, including Arctic Wolf and Huntress. According to the researchers, they've observed a notable uptick in targeting of SonicWall Gen 7 firewalls with SSLVPN enabled. Based on their observations, it appears that attackers may be utilizing a possible zero-day vulnerability against these devices. So far, the attacks appear to be centered around deployment of the Akira ransomware. SonicWall is currently investigating these reports. No patches have been released and no CVE has been assigned as of yet. For more information about the possible zero-day vulnerability, including the future availability of patches and Tenable product coverage, please visit our blog.

FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)
On July 19, researchers at Eye Security identified active exploitation in Microsoft SharePoint Server. Originally, this exploitation was believed to have been linked to a pair of flaws (CVE-2025-49704, CVE-2025-49706) dubbed “ToolShell” that was disclosed at Pwn2Own Berlin and patched in Microsoft’s July 2025 Patch Tuesday release. Microsoft then published its own blog post stating that the flaw was actually a zero-day.

CVE             Description                                                 CVSSv3
CVE-2025-53770  Microsoft SharePoint Server Remote Code Execution Vulnerability  9.8

Microsoft confirmed that CVE-2025-53770 is a “variant” of CVE-2025-49706. As of July 20 at 2PM PST, CVE-2025-53770 remains unpatched.

Update: Since we published our community and FAQ blog post, Microsoft has created an additional CVE and added in some preliminary patches for SharePoint Subscription Edition and SharePoint Server 2019.

CVE             Description                                        CVSSv3
CVE-2025-53771  Microsoft SharePoint Server Spoofing Vulnerability  6.3

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Posted by snarang (Product Team), 2 months ago
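Because the post above describes exploitation of a flaw that was still unpatched at the time, the check a SharePoint administrator wants is a way to look for signs of compromise while waiting for the fix. The following PowerShell is an added example and is not code from the Tenable post, Eye Security or Microsoft. It checks for two indicators that Microsoft and Eye Security reported publicly for the ToolShell activity: POST requests to /_layouts/15/ToolPane.aspx carrying a Referer of /_layouts/SignOut.aspx, and a web shell dropped as spinstall0.aspx under the SharePoint TEMPLATE\LAYOUTS folder. The IIS log lines are constructed sample data, and the LAYOUTS paths are the default install locations assumed for the demo.

```powershell
# Added example (not part of the Tenable post): hunt for publicly reported ToolShell
# (CVE-2025-53770 / CVE-2025-49706) indicators on an on-premises SharePoint server.
# The two indicators checked come from Microsoft's and Eye Security's public reporting:
#   1. POST requests to /_layouts/15/ToolPane.aspx whose Referer is /_layouts/SignOut.aspx
#   2. A web shell written as spinstall0.aspx (and variants) under TEMPLATE\LAYOUTS
# Paths and the sample log lines below are assumptions constructed for the demo.

function ConvertFrom-IisW3CLog {
    # Parse W3C-format IIS log text into objects, taking the column order from the
    # "#Fields:" directive so the parser does not depend on one fixed logging layout.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$entry
    }
}

function Find-ToolShellRequests {
    # Return log entries matching the reported exploitation pattern (ToolPane.aspx POST
    # with a SignOut.aspx Referer) or any request for the reported web shell name.
    param([Parameter(Mandatory)][object[]]$Entries)
    $Entries | Where-Object {
        ($_.'cs-method' -eq 'POST' -and
         $_.'cs-uri-stem' -match '/_layouts/(15|16)/ToolPane\.aspx$' -and
         $_.'cs(Referer)' -match '/_layouts/(15/|16/)?SignOut\.aspx') -or
        $_.'cs-uri-stem' -match '/spinstall\d*\.aspx$'
    }
}

function Find-SuspiciousLayoutsFiles {
    # Look for the reported web shell file name (and close variants) in the default
    # SharePoint "16" (2016/2019/SE) and "15" (2013) LAYOUTS folders. Paths are assumed.
    param([string[]]$LayoutsPaths = @(
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"))
    foreach ($path in $LayoutsPaths) {
        if (Test-Path -LiteralPath $path) {
            Get-ChildItem -LiteralPath $path -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue
        }
    }
}

# Constructed sample log (not real traffic). The second and third data lines are the
# ones an analyst should expect to see flagged: the ToolPane POST from an external IP
# with the SignOut Referer, followed by a request for the dropped web shell.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0 https://sp.contoso.local/ 200
2025-07-19 10:01:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0 https://sp.contoso.local/_layouts/SignOut.aspx 200
2025-07-19 10:01:15 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200
'@ -split "`r?`n"

$entries = ConvertFrom-IisW3CLog -Lines $sampleLog
Find-ToolShellRequests -Entries $entries |
    Select-Object date, time, 'c-ip', 'cs-method', 'cs-uri-stem', 'cs(Referer)' |
    Format-Table -AutoSize

Find-SuspiciousLayoutsFiles | Select-Object FullName, LastWriteTime
```

On a real server, replace $sampleLog with the contents of the IIS logs for the SharePoint web applications (for example Get-Content over the *.log files under the W3SVC* folders in inetpub\logs\LogFiles); IIS writes the User-Agent with spaces replaced by '+', which is why splitting on whitespace is safe. Splitting on the "#Fields:" header matters because sites log different column sets. A clean result from these two checks does not prove the server is uncompromised: the post notes the flaw was unpatched when exploitation was found, and an attacker who deleted the web shell leaves only the request log entries, so anything flagged should be followed by a full investigation of the server and its farm.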