cyber exposure alerts
CVE-2025-31324: Vulnerability in SAP NetWeaver Exploited in the Wild
CVE-2025-31324, a zero-day vulnerability in SAP NetWeaver, has been generating a good deal of chatter in recent days. Media outlets report that it is being targeted by multiple ransomware groups and Chinese Advanced Persistent Threat (APT) groups. The unauthenticated file upload vulnerability affects the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files which can be used by an attacker to achieve code execution. SAP has released patches to address CVE-2025-31324.

On April 25, Tenable Research Response Team published a blog post about the vulnerability and provided guidance on how to identify affected systems using Tenable plugins. The blog post can be found here: https://www.tenable.com/blog/cve-2025-31324-zero-day-vulnerability-in-sap-netweaver-exploited-in-the-wild

Media outlets reporting on CVE-2025-31324 include Bleeping Computer, CyberScoop and Dark Reading.

On May 13, as part of the SAP Security Patch Day, SAP released a patch for CVE-2025-42999, a deserialization vulnerability affecting SAP NetWeaver. Onapsis identified and reported this flaw to SAP and noted this was an additional vector for exploitation that the April patch did not address. To ensure full remediation from these vulnerabilities, it’s imperative that both the April and May patches are applied to SAP NetWeaver hosts.

If you have questions or concerns about this vulnerability, please submit a comment below or contact your Tenable sales representative.

Frequently Asked Questions About Chinese State-Sponsored Actors Compromising Global Networks
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC). On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities which are often abused for initial access to a victim's network.
The CVEs from the CSA are as follows:

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 10 |
| CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability | 8.2 | 6.7 |
| CVE-2024-3400 | Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS | 10 | 10 |
| CVE-2023-20273 | Cisco IOS XE Web UI Command Injection Vulnerability | 7.2 | 8.4 |
| CVE-2023-20198 | Cisco IOS XE Web UI Elevation of Privilege Vulnerability | 10 | 9.9 |
| CVE-2018-0171 | Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability | 9.8 | 9.2 |

In addition to the FAQ, the team performed an analysis of Tenable telemetry data and found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks.

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

CVE-2025-25256: Proof of Concept Released for Fortinet FortiSIEM Command Injection Vulnerability
On August 12, Fortinet published a security advisory (FG-IR-25-152) for CVE-2025-25256, a critical command injection vulnerability affecting Fortinet FortiSIEM. According to the advisory, exploitation of this flaw does not “produce distinctive” indicators of compromise (IoCs). As such, it may be difficult to identify that a device has been compromised.

At the time the advisory was published by Fortinet on August 12, they warned that “practical exploit code” had been found in the wild, though they did not provide a link to the exploit. Tenable Research has attempted to identify a functional proof-of-concept (PoC) for this flaw; however, we have not successfully located one as of the time this post was published.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on Exploited Zero-Day Flaws in Cisco ASA and FTD Devices (CVE-2025-20333, CVE-2025-20362)
On September 25, Cisco published three advisories for three zero-day vulnerabilities in its Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software:

| CVE | Description | CVSSv3 | Exploited |
| --- | --- | --- | --- |
| CVE-2025-20333 | Cisco ASA and FTD Software VPN Web Server Remote Code Execution Vulnerability (RCE) | 9.9 | Yes |
| CVE-2025-20362 | Cisco ASA and FTD Software VPN Web Server Unauthorized Access Vulnerability | 6.5 | Yes |
| CVE-2025-20363 | Cisco ASA and FTD Software, IOS Software, IOS XE Software, and IOS XR Software Web Services | 9.0 | No |

According to Cisco, two of the three zero-day vulnerabilities were exploited in the wild by the same threat actor behind 2024's ArcaneDoor campaign that also involved the exploitation of flaws in Cisco devices.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)
On September 9, Microsoft released its September 2025 Patch Tuesday release which patched 80 CVEs with eight rated as critical and 72 rated as important. While no vulnerabilities were exploited in the wild, there was one zero-day patch this month.

CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user's account. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.

This month’s update includes patches for:

- Azure Arc
- Azure Windows Virtual Machine Agent
- Capability Access Management Service (camsvc)
- Graphics Kernel
- Microsoft AutoUpdate (MAU)
- Microsoft Brokering File System
- Microsoft Graphics Component
- Microsoft High Performance Compute Pack (HPC)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Virtual Hard Drive
- Role: Windows Hyper-V
- SQL Server
- Windows Ancillary Function Driver for WinSock
- Windows BitLocker
- Windows Bluetooth Service
- Windows Connected Devices Platform Service
- Windows DWM
- Windows Defender Firewall Service
- Windows Imaging Component
- Windows Internet Information Services
- Windows Kernel
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Management Services
- Windows MapUrlToZone
- Windows MultiPoint Services
- Windows NTFS
- Windows NTLM
- Windows PowerShell
- Windows Routing and Remote Access Service (RRAS)
- Windows SMB
- Windows SMBv3 Client
- Windows SPNEGO Extended Negotiation
- Windows TCP/IP
- Windows UI XAML Maps MapControlSettings
- Windows UI XAML Phone DatePickerFlyout
- Windows Win32K GRFX
- Xbox

For more information, please visit our blog.

CrushFTP Zero-Day Exploited (CVE-2025-54309)
On July 18, CrushFTP warned that a zero-day in its CrushFTP software was being exploited in the wild.

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-54309 | Unprotected Alternate Channel Vulnerability | 9.0 |

According to CrushFTP, the vulnerability was first discovered as being exploited on July 18 at 9AM CST, though they caution that exploitation may have “been going on for longer.”

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.
CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild

On October 16, Cisco’s Talos published a blog post warning of a zero-day vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software that has been exploited in the wild by unknown threat actors. According to the security advisory, CVE-2023-20198 is a privilege escalation vulnerability affecting Cisco IOS XE software, receiving the highest possible CVSS score of 10. Successful exploitation of this vulnerability would allow an attacker to create a user account with full administrative privileges.

At this time, patches are not yet available to remediate this vulnerability. However, Cisco’s security advisory does provide mitigation guidance to apply immediately to prevent exploitation of affected devices.

For more information, please visit our blog.