CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild
On October 6, Defused published an X post regarding an unknown exploit targeting Fortinet devices. Shortly after, several cyber security organizations began investigating and confirming that a new exploit appeared to have silently been fixed in some releases of Fortinet’s FortiWeb. This includes researchers at WatchTowr who were able to reproduce the vulnerability. Within hours of their publication, Fortinet released a security advisory acknowledging that CVE-2025-64446 has been exploited in the wild. CVE Description CVSSv3 CVE-2025-64446 Fortinet FortiWeb Path Traversal Vulnerability 9.1 CVE-2025-64446 is a relative path traversal vulnerability affecting Fortinet’s FortiWeb. An unauthenticated attacker could exploit this vulnerability to execute arbitrary commands on an affected device. According to the advisory and several reports released prior to the publication of the security advisory, this vulnerability has been exploited in the wild. Prior to the publication of the security advisory (FG-IR-25-910) from Fortinet, several research groups began testing the exploit to determine which versions were affected and which were patched. Although several new releases appeared to contain a fix based on testing of the exploit, confirmed patch information was not available until Fortinet published their security advisory. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s November 2025 Patch Tuesday Addresses 63 CVEs
Microsoft’s November 2025 Patch Tuesday Addresses 63 CVEs On November 11, Microsoft released its November 2025 Patch Tuesday release which patched 63 CVEs with five rated as critical and 58 rated as important. This month's update included one vulnerability that was exploited in the wild as a zero-day. Elevation of privilege (EoP) vulnerabilities accounted for 46% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.4%. CVE-2025-62215 is an elevation of privilege vulnerability in the Windows Kernel. It was assigned a CVSSv3 score of 7.0 and rated important. A local, authenticated attacker could exploit this vulnerability by winning a race condition in order to gain SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. This month’s update includes patches for: Azure Monitor Agent Customer Experience Improvement Program (CEIP) Dynamics 365 Field Service (online) GitHub Copilot and Visual Studio Code Host Process for Windows Tasks Microsoft Configuration Manager Microsoft Dynamics 365 (on-premises) Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Microsoft Office Word Microsoft Streaming Service Microsoft Wireless Provisioning System Multimedia Class Scheduler Service (MMCSS) Nuance PowerScribe OneDrive for Android Role: Windows Hyper-V SQL Server Storvsp.sys Driver Visual Studio Visual Studio Code CoPilot Chat Extension Windows Administrator Protection Windows Ancillary Function Driver for WinSock Windows Bluetooth RFCOM Protocol Driver Windows Broadcast DVR User Service Windows Client-Side Caching (CSC) Service Windows Common Log File System Driver Windows DirectX Windows Kerberos Windows Kernel Windows License Manager Windows OLE Windows Remote Desktop Windows Routing and Remote Access Service (RRAS) Windows Smart Card Windows Speech Windows Subsystem for Linux GUI Windows TDX.sys Windows WLAN Service For more information, please visit our blog.Oracle October 2025 Critical Patch Update Addresses 170 CVEs
On October 21, Oracle released its Oracle Critical Patch Update Advisory - October 2025, the fourth and final quarterly update of the year. This CPU contains fixes for 170 unique CVEs in 374 security updates across 29 Oracle product families. Out of the 374 security updates published this quarter, 10.7% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.3%, followed by high severity patches at 39.0%. This quarter, the Oracle TimesTen In-Memory Database product family contained the highest number of patches at 73, accounting for 19.5% of the total patches, followed by Oracle Spatial Studio at 64 patches, which accounted for 17.1% of the total patches. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Frequently Asked Questions About The August 2025 F5 Security Incident
Starting August 9 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that they have not observed further unauthorized activity and believe they have successfully contained the breach. In response, Tenable’s Research Special Operations (RSO) team has compiled a blog to answer Frequently Asked Questions (FAQ) regarding the security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification. While there is no notice in these security advisories that any of the CVEs released on October 15 have been exploited, we strongly recommend applying all available patches. For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s October 2025 Patch Tuesday Addresses 167 CVEs (CVE-2025-24990, CVE-2025-59230)
Microsoft’s October 2025 Patch Tuesday Addresses 167 CVEs (CVE-2025-24990, CVE-2025-59230) On October 14, Microsoft released its October 2025 Patch Tuesday release which patched 167 CVEs with seven rated as critical, 158 rated important and two rated moderate. This release was the largest Patch Tuesday release to date. Included in this month's patches were three zero-day vulnerabilities, two of which were exploited in the wild. CVE-2025-24052 and CVE-2025-24990 are elevation of privilege vulnerabilities in the third party Agere Modem driver. Both CVEs were assigned CVSSv3 scores of 7.8 and rated as important. Microsoft reports that CVE-2025-24990 has been exploited in the wild and CVE-2025-24052 was disclosed prior to a patch being made available. Successful exploitation would allow an attacker to gain administrator privileges on an affected system. CVE-2025-59230 is an elevation of privilege vulnerability affecting Windows Remote Access Connection Manager. According to Microsoft, this vulnerability has been exploited in the wild. It was assigned a CVSSv3 score of 7.8 and is rated as important. Exploitation of this vulnerability involves improper access control in Windows Remote Access Connection Manager and could allow a local attacker to gain SYSTEM privileges. This month’s update includes patches for: .NET .NET, .NET Framework, Visual Studio Active Directory Federation Services Agere Windows Modem Driver ASP.NET Core Azure Connected Machine Agent Azure Entra ID Azure Local Azure Monitor Azure Monitor Agent Azure PlayFab Confidential Azure Container Instances Connected Devices Platform Service (Cdpsvc) Copilot Data Sharing Service Client Inbox COM Objects Internet Explorer JDBC Driver for SQL Server Microsoft Brokering File System Microsoft Configuration Manager Microsoft Defender for Linux Microsoft Exchange Server Microsoft Failover Cluster Virtual Driver Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office SharePoint Microsoft Office Visio Microsoft Office Word Microsoft PowerShell Microsoft Windows Microsoft Windows Search Component Microsoft Windows Speech Network Connection Status Indicator (NCSI) NtQueryInformation Token function (ntifs.h) Remote Desktop Client Software Protection Platform (SPP) Storport.sys Driver Virtual Secure Mode Visual Studio Windows Ancillary Function Driver for WinSock Windows Authentication Methods Windows BitLocker Windows Bluetooth Service Windows Cloud Files Mini Filter Driver Windows COM Windows Connected Devices Platform Service Windows Core Shell Windows Cryptographic Services Windows Device Association Broker service Windows Digital Media Windows DirectX Windows DWM Windows DWM Core Library Windows Error Reporting Windows ETL Channel Windows Failover Cluster Windows File Explorer Windows Health and Optimized Experiences Service Windows Hello Windows High Availability Services Windows Hyper-V Windows Kernel Windows Local Session Manager (LSM) Windows Management Services Windows MapUrlToZone Windows NDIS Windows NTFS Windows NTLM Windows PrintWorkflowUserSvc Windows Push Notification Core Windows Remote Access Connection Manager Windows Remote Desktop Windows Remote Desktop Protocol Windows Remote Desktop Services Windows Remote Procedure Call Windows Resilient File System (ReFS) Windows Resilient File System (ReFS) Deduplication Service Windows Routing and Remote Access Service (RRAS) Windows Server Update Service Windows SMB Client Windows SMB Server Windows SSDP Service Windows StateRepository API Windows Storage Management Provider Windows Taskbar Live Windows USB Video Driver Windows Virtualization-Based Security (VBS) Enclave Windows WLAN Auto Config Service Xbox XBox Gaming Services For more information, please visit our blog.Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems
Tenable's Research Special Operations (RSO) team is investigating reports of breaches connected to Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. As of October 3, there have been no specific vulnerabilities (or CVEs) identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post: Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates. In the July 2025 Critical Patch Update (CPU), there were 165 unique CVEs patched, including nine associated with Oracle EBS: CVE Product CVSSv3 CVE-2025-30743 Oracle Lease and Finance Management 8.1 CVE-2025-30744 Oracle Mobile Field Service 8.1 CVE-2025-50105 Oracle Universal Work Queue 8.1 CVE-2025-50071 Oracle Applications Framework 6.4 CVE-2025-30746 Oracle iStore 6.1 CVE-2025-30745 Oracle MES for Process Manufacturing 6.1 CVE-2025-50107 Oracle Universal Work Queue 6.1 CVE-2025-30739 Oracle CRM Technical Foundation 5.5 CVE-2025-50090 Oracle Applications Framework 5.4 Cl0p has historically been linked to the exploitation of zero-day vulnerabilities including in managed file transfer platforms, such as Cleo, MOVEit, GoAnywhere and Accellion. If and when more definitive information becomes available, we will update this post and or publish more details on the Tenable Blog.FAQ on Exploited Zero-Day Flaws in Cisco ASA and FTD Devices (CVE-2025-20333, CVE-2025-20362)
On September 25, Cisco published three advisories for three zero-day vulnerabilities in its Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software: CVE Description CVSSv3 Exploited CVE-2025-20333 Cisco ASA and FTD Software VPN Web Server Remote Code Execution Vulnerability (RCE) 9.9 Yes CVE-2025-20362 Cisco ASA and FTD Software VPN Web Server Unauthorized Access Vulnerability 6.5 Yes CVE-2025-20363 Cisco ASA and FTD Software, IOS Software, IOS XE Software, and IOS XR Software Web Services 9.0 No According to Cisco, two of the three zero-day vulnerabilities were exploited in the wild by the same threat actor behind 2024's ArcaneDoor campaign that also involved the exploitation of flaws in Cisco devices. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234) On September 9, Microsoft released its September 2025 Patch Tuesday release which patched 80 CVEs with eight rated as critical and 72 rated as important. While no vulnerabilities were exploited in the wild, there was one zero-day patch this month. CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers. This month’s update includes patches for: Azure Arc Azure Windows Virtual Machine Agent Capability Access Management Service (camsvc) Graphics Kernel Microsoft AutoUpdate (MAU) Microsoft Brokering File System Microsoft Graphics Component Microsoft High Performance Compute Pack (HPC) Microsoft Office Microsoft Office Excel Microsoft Office PowerPoint Microsoft Office SharePoint Microsoft Office Visio Microsoft Office Word Microsoft Virtual Hard Drive Role: Windows Hyper-V SQL Server Windows Ancillary Function Driver for WinSock Windows BitLocker Windows Bluetooth Service Windows Connected Devices Platform Service Windows DWM Windows Defender Firewall Service Windows Imaging Component Windows Internet Information Services Windows Kernel Windows Local Security Authority Subsystem Service (LSASS) Windows Management Services Windows MapUrlToZone Windows MultiPoint Services Windows NTFS Windows NTLM Windows PowerShell Windows Routing and Remote Access Service (RRAS) Windows SMB Windows SMBv3 Client Windows SPNEGO Extended Negotiation Windows TCP/IP Windows UI XAML Maps MapControlSettings Windows UI XAML Phone DatePickerFlyout Windows Win32K GRFX Xbox For more information, please visit our blog.Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC). On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities which are often abused for initial access to a victims network. The CVEs from the CSA are as follows: CVE Description CVSSv3 VPR CVE-2024-21887 Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability 9.1 10 CVE-2023-46805 Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability 8.2 6.7 CVE-2024-3400 Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS 10 10 CVE-2023-20273 Cisco IOS XE Web UI Command Injection Vulnerability 7.2 8.4 CVE-2023-20198 Cisco IOS XE Web UI Elevation of Privilege Vulnerability 10 9.9 CVE-2018-0171 Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability 9.8 9.2 In addition to the FAQ, the team performed an analysis of Tenable telemetry data and found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2025-7775: Citrix NetScaler ADC and Gateway Zero-Day RCE Vulnerability Exploited in the Wild
On August 26, Citrix published a security advisory for three vulnerabilities, including CVE-2025-7775, a zero-day vulnerability which has been exploited against its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances: CVE Description CVSSv4 CVE-2025-7775 Citrix NetScaler ADC and Gateway Unauthenticated Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerability 9.2 CVE-2025-7776 Citrix NetScaler ADC and Gateway DoS Vulnerability 8.8 CVE-2025-8424 Citrix NetScaler ADC and Gateway Improper Access Control Vulnerability 8.7 CVE-2025-7775 is a RCE vulnerability affecting NetScaler ADC and Gateway appliances. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code or cause a DoS condition on an affected device. According to the security advisory from Citrix, exploitation has been observed prior to the advisory and patches being made public. Citrix’s NetScaler ADC and Gateway appliances have been a valuable target for attackers over the last several years. Due to the historical exploitation against NetScaler ADC and Gateway appliances, we strongly urge organizations to patch CVE-2025-7775 as soon as possible. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
