Tenable Vulnerability Management
6 Topics

FAQ on Microsoft Exchange Server Hybrid Deployment Vulnerability (CVE-2025-53786)
On August 6, Microsoft published a security advisory for a vulnerability in its Microsoft Exchange Server Hybrid Deployments.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-53786 | Microsoft Exchange Server Elevation of Privilege Vulnerability (Hybrid Deployments) | 8.0 |

The vulnerability was not exploited in the wild, but Microsoft assessed it as “Exploitation More Likely” according to its Exploitability Index. The flaw was discovered after investigating a non-security Hot Fix released on April 18. In addition to its advisory, Microsoft has issued an Emergency Directive, ED 25-02: Mitigate Microsoft Exchange Vulnerability on August 7 that requires federal agencies to take immediate action by August 11 at 9AM EST. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

CurXecute and MCPoison: Two Recently Disclosed Vulnerabilities in Cursor IDE
Over the past few days, researchers have disclosed two new vulnerabilities in Cursor, the AI-assisted code editor used by over a million users including notable Fortune 500 companies.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-54135 | Cursor Arbitrary Code Execution Vulnerability (“CurXecute”) | 8.5 |
| CVE-2025-54136 | Cursor Remote Code Execution via Unverified Configuration Modification Vulnerability (“MCPoison”) | 7.2 |

Both vulnerabilities have the potential to be severe, but they are context dependent. The common thread shared between CurXecute and MCPoison is how Cursor handles interaction with MCP servers. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on SonicWall Gen 7 Firewall Ransomware Activity
On August 4, SonicWall issued a threat activity notice following reports of malicious activity by several vendors including Arctic Wolf and Huntress. According to the researchers, they've observed a notable uptick in targeting of SonicWall Gen 7 firewalls with SSLVPN enabled. Based on their observations, it appears that attackers may be utilizing a possible zero-day vulnerability against these devices. So far, the attacks appear to be centered around deployment of the Akira ransomware. SonicWall is currently investigating these reports. No patches and no CVE have been assigned as of yet. For more information about the possible zero-day vulnerability, including the future availability of patches and Tenable product coverage, please visit our blog.

FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)
On July 19, researchers at Eye Security identified active exploitation in Microsoft SharePoint Server. Originally, this exploitation was believed to have been linked to a pair of flaws (CVE-2025-49704, CVE-2025-49706) dubbed “ToolShell” that was disclosed at Pwn2Own Berlin and patched in Microsoft’s July 2025 Patch Tuesday release. Microsoft published its own blog post stating that the flaw was actually a zero-day.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 9.8 |

Microsoft confirmed that CVE-2025-53770 is a “variant” of CVE-2025-49706. As of July 20 at 2PM PST, CVE-2025-53770 remains unpatched.

Update: Since we published our community and FAQ blog post, Microsoft has created an additional CVE and added in some preliminary patches for SharePoint Subscription Edition and SharePoint Server 2019.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-53771 | Microsoft SharePoint Server Spoofing Vulnerability | 6.3 |

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

CrushFTP Zero-Day Exploited (CVE-2025-54309)
On July 18, CrushFTP warned that a zero-day in its CrushFTP software was being exploited in the wild.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-54309 | Unprotected Alternate Channel Vulnerability | 9.0 |

According to CrushFTP, the vulnerability was first discovered as being exploited on July 18 at 9AM CST, though they caution that exploitation may have “been going on for longer.” For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on BadSuccessor
On May 21, researchers at Akamai published a blog post detailing a new privilege escalation vulnerability in Active Directory (AD) domains. Dubbed "BadSuccessor," the flaw affects AD domains with at least one Windows Server 2025 domain controller. The blog includes details about the flaw, as well as detection and mitigation guidance. As of June 2, Microsoft has not yet released patches nor assigned a CVE for BadSuccessor. However, in the Akamai blog, they quote Microsoft as saying they would “fix this issue in the future.” For more information, including details about BadSuccessor as well as Tenable product coverage, please visit our FAQ blog.