CVE-2025-64155: Exploit Code Released for Critical Fortinet FortiSIEM Vulnerability
On January 13, Fortinet published a security advisory (FG-IR-25-772) for CVE-2025-64155, a critical command injection vulnerability affecting Fortinet FortiSIEM. CVE Description CVSSv3 CVE-2025-64155 Fortinet FortiSIEM Command Injection Vulnerability 9.4 In coordination with the release of the advisory by Fortinet, researchers at Horizon3.ai published a technical writeup as well as a proof of concept for CVE-2025-64155. While there has been no reports of in-the-wild exploitation, we anticipate that attackers will quickly incorporate this exploit into their attacks. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
On January 13, Microsoft released its January 2026 Patch Tuesday release which patched 113 CVEs with eight rated as critical and 105 rated as important. This month's update included patches for two zero-days, one of which was exploited in the wild. CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and was rated as important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. This month’s update includes patches for: Azure Connected Machine Agent Azure Core shared client library for Python Capability Access Management Service (camsvc) Connected Devices Platform Service (Cdpsvc) Desktop Window Manager Dynamic Root of Trust for Measurement (DRTM) Graphics Kernel Host Process for Windows Tasks Inbox COM Objects Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Microsoft Office Word Printer Association Object SQL Server Tablet Windows User Interface (TWINUI) Subsystem Windows Admin Center Windows Ancillary Function Driver for WinSock Windows Client-Side Caching (CSC) Service Windows Clipboard Server Windows Cloud Files Mini Filter Driver Windows Common Log File System Driver Windows DWM Windows Deployment Services Windows Error Reporting Windows File Explorer Windows HTTP.sys Windows Hello Windows Hyper-V Windows Installer Windows Internet Connection Sharing (ICS) Windows Kerberos Windows Kernel Windows Kernel Memory Windows Kernel-Mode Drivers Windows LDAP - Lightweight Directory Access Protocol Windows Local Security Authority Subsystem Service (LSASS) Windows Local Session Manager (LSM) Windows Management Services Windows Media Windows NDIS Windows NTFS Windows NTLM Windows Remote Assistance Windows Remote Procedure Call Windows Remote Procedure Call Interface Definition Language (IDL) Windows Routing and Remote Access Service (RRAS) Windows SMB Server Windows Secure Boot Windows Server Update Service Windows Shell Windows TPM Windows Telephony Service Windows Virtualization-Based Security (VBS) Enclave Windows WalletService Windows Win32K - ICOMP For more information, please visit our blog.CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild
On December 19, MongoDB issued a security advisory to address a vulnerability affecting the zlib implementation of MongoDB. CVE Description CVSSv3 VPR CVE-2025-14847 MongoDB Uninitialized Memory Leak Vulnerability (“MongoBleed”) 7.5 8.0 *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on December 29 and reflects VPR at that time. CVE-2025-14847 is a memory leak vulnerability affecting MongoDB instances in which zlib compression is enabled. A flaw in how MongoDB implements zlib decompression could allow unauthenticated attackers to leak uninitialized memory, which can contain sensitive data including credentials, session tokens and API keys. This flaw was dubbed “MongoBleed” by Elastic Security researcher Joe Desimone, who published a proof-of-concept demonstrating the vulnerability. While exploitation does require zlib compression to be enabled and a vulnerable MongoDB version to be internet exposed, reports of in the wild exploitation have already begun. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.CVE-2025-40602: SonicWall Secure Mobile Access (SMA) 1000 Zero-Day Exploited
On December 17, SonicWall published a security advisory (SNWLID-2025-0019) for a newly disclosed vulnerability in its Secure Mobile Access (SMA) 1000 product, a remote access solution. CVE Description CVSSv3 CVE-2025-40602 SonicWall SMA 1000 Privilege Escalation Vulnerability 6.6 CVE-2025-40602 is a local privilege escalation vulnerability in the appliance management console (AMC) of the SonicWall SMA 1000 appliance. An authenticated, remote attacker could exploit this vulnerability to escalate privileges on an affected device. While on its own, this flaw would require authentication in order to exploit, the advisory from SonicWall states that CVE-2025-40602 has been exploited in a chained attack with CVE-2025-23006, a deserialization of untrusted data vulnerability patched in January. The combination of these two vulnerabilities would allow an unauthenticated attacker to execute arbitrary code with root privileges. According to SonicWall, “SonicWall Firewall products are not affected by this vulnerability.” For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft Patch Tuesday 2025 Year in Review
As the end of the year is approaching quickly, the Research Special Operations Team (RSO) has just published our third annual Patch Tuesday year in review. Over the course of 2025, Microsoft patched 1,130 CVEs throughout the year across a number of products. This was a 12% increase compared to 2024, when Microsoft patched 1,009 CVEs. While Microsoft has yet to surpass its 2020 count of 1,245 CVEs, the trend has continued in an upward direction. For more information, please visit our blog.Microsoft’s December 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-62221)
On December 9, Microsoft released its December 2025 Patch Tuesday release, the final Patch Tuesday update of the year. This month’s update addresses 56 CVEs with three rated as critical and 53 rated as important. This month's update included one vulnerability that was exploited in the wild as a zero-day as well as two vulnerabilities publicly disclosed prior to patches being made available. Elevation of privilege (EoP) vulnerabilities accounted for 50% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 33.9%. CVE-2025-62221 is an EoP vulnerability in the Windows Cloud Files Mini Filter Driver. It was assigned a CVSSv3 score of 7.8 and rated as important. A local, authenticated attacker could exploit this vulnerability to elevate to SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. The two zero-days which were publicly disclosed prior to patches being released are CVE-2025-64671 and CVE-2025-54100. CVE-2025-64671 is a RCE vulnerability in the GitHub Copilot Plugin for JetBrains Integrated Development Environments (IDEs). CVE-2025-54100 is a RCE vulnerability in Windows PowerShell. This month’s update includes patches for: Application Information Services Azure Monitor Agent Copilot Microsoft Brokering File System Microsoft Edge for iOS Microsoft Exchange Server Microsoft Graphics Component Microsoft Office Microsoft Office Access Microsoft Office Excel Microsoft Office Outlook Microsoft Office SharePoint Microsoft Office Word Storvsp.sys Driver Windows Camera Frame Server Monitor Windows Client-Side Caching (CSC) Service Windows Cloud Files Mini Filter Driver Windows Common Log File System Driver Windows DWM Core Library Windows Defender Firewall Service Windows DirectX Windows Hyper-V Windows Installer Windows Message Queuing Windows PowerShell Windows Projected File System Windows Projected File System Filter Driver Windows Remote Access Connection Manager Windows Resilient File System (ReFS) Windows Routing and Remote Access Service (RRAS) Windows Shell Windows Storage VSP Driver Windows Win32K - GRFX For more information, please visit our blog.CVE-2025-64446: Fortinet FortiWeb Zero-Day Path Traversal Vulnerability Exploited in the Wild
On October 6, Defused published an X post regarding an unknown exploit targeting Fortinet devices. Shortly after, several cyber security organizations began investigating and confirming that a new exploit appeared to have silently been fixed in some releases of Fortinet’s FortiWeb. This includes researchers at WatchTowr who were able to reproduce the vulnerability. Within hours of their publication, Fortinet released a security advisory acknowledging that CVE-2025-64446 has been exploited in the wild. CVE Description CVSSv3 CVE-2025-64446 Fortinet FortiWeb Path Traversal Vulnerability 9.1 CVE-2025-64446 is a relative path traversal vulnerability affecting Fortinet’s FortiWeb. An unauthenticated attacker could exploit this vulnerability to execute arbitrary commands on an affected device. According to the advisory and several reports released prior to the publication of the security advisory, this vulnerability has been exploited in the wild. Prior to the publication of the security advisory (FG-IR-25-910) from Fortinet, several research groups began testing the exploit to determine which versions were affected and which were patched. Although several new releases appeared to contain a fix based on testing of the exploit, confirmed patch information was not available until Fortinet published their security advisory. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.Microsoft’s November 2025 Patch Tuesday Addresses 63 CVEs
Microsoft’s November 2025 Patch Tuesday Addresses 63 CVEs On November 11, Microsoft released its November 2025 Patch Tuesday release which patched 63 CVEs with five rated as critical and 58 rated as important. This month's update included one vulnerability that was exploited in the wild as a zero-day. Elevation of privilege (EoP) vulnerabilities accounted for 46% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.4%. CVE-2025-62215 is an elevation of privilege vulnerability in the Windows Kernel. It was assigned a CVSSv3 score of 7.0 and rated important. A local, authenticated attacker could exploit this vulnerability by winning a race condition in order to gain SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day. This month’s update includes patches for: Azure Monitor Agent Customer Experience Improvement Program (CEIP) Dynamics 365 Field Service (online) GitHub Copilot and Visual Studio Code Host Process for Windows Tasks Microsoft Configuration Manager Microsoft Dynamics 365 (on-premises) Microsoft Graphics Component Microsoft Office Microsoft Office Excel Microsoft Office SharePoint Microsoft Office Word Microsoft Streaming Service Microsoft Wireless Provisioning System Multimedia Class Scheduler Service (MMCSS) Nuance PowerScribe OneDrive for Android Role: Windows Hyper-V SQL Server Storvsp.sys Driver Visual Studio Visual Studio Code CoPilot Chat Extension Windows Administrator Protection Windows Ancillary Function Driver for WinSock Windows Bluetooth RFCOM Protocol Driver Windows Broadcast DVR User Service Windows Client-Side Caching (CSC) Service Windows Common Log File System Driver Windows DirectX Windows Kerberos Windows Kernel Windows License Manager Windows OLE Windows Remote Desktop Windows Routing and Remote Access Service (RRAS) Windows Smart Card Windows Speech Windows Subsystem for Linux GUI Windows TDX.sys Windows WLAN Service For more information, please visit our blog.Oracle October 2025 Critical Patch Update Addresses 170 CVEs
On October 21, Oracle released its Oracle Critical Patch Update Advisory - October 2025, the fourth and final quarterly update of the year. This CPU contains fixes for 170 unique CVEs in 374 security updates across 29 Oracle product families. Out of the 374 security updates published this quarter, 10.7% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 46.3%, followed by high severity patches at 39.0%. This quarter, the Oracle TimesTen In-Memory Database product family contained the highest number of patches at 73, accounting for 19.5% of the total patches, followed by Oracle Spatial Studio at 64 patches, which accounted for 17.1% of the total patches. For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.Frequently Asked Questions About The August 2025 F5 Security Incident
Starting August 9 2025, F5 learned that a nation-state threat actor gained and maintained access to certain systems within their environment. This included access to F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 providing current details on the known impacts of the breach, including an acknowledgement that they have not observed further unauthorized activity and believe they have successfully contained the breach. In response, Tenable’s Research Special Operations (RSO) team has compiled a blog to answer Frequently Asked Questions (FAQ) regarding the security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification. While there is no notice in these security advisories that any of the CVEs released on October 15 have been exploited, we strongly recommend applying all available patches. For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
