Cyber Exposure Alerts

Frequently Asked Questions About The August 2025 F5 Security Incident
On August 9, 2025, F5 learned that a nation-state threat actor had gained and maintained access to certain systems within its environment, including F5’s BIG-IP product development systems and “engineering knowledge management platforms.” On October 15, F5 released knowledge base (KB) article K000154696 with current details on the known impacts of the breach, including an acknowledgement that it has not observed further unauthorized activity and believes it has successfully contained the breach. In response, Tenable’s Research Special Operations (RSO) team has compiled a blog post answering frequently asked questions (FAQ) about the security incident affecting F5. Alongside the disclosure of the security incident, F5 also released its October 2025 Quarterly Security Notification. While none of these security advisories indicate that any of the CVEs released on October 15 have been exploited, we strongly recommend applying all available patches. For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Investigating: Cl0p Reportedly Breached Oracle E-Business Suite (EBS) Systems
Tenable's Research Special Operations (RSO) team is investigating reports of breaches of Oracle E-Business Suite (EBS) systems by the Cl0p extortion group. As of October 3, no specific vulnerabilities (or CVEs) have been identified in connection with the attacks. However, Rob Duhart, Chief Security Officer at Oracle, published the following in a blog post:

“Oracle is aware that some Oracle E-Business Suite (EBS) customers have received extortion emails. Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update. Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.”

The July 2025 Critical Patch Update (CPU) patched 165 unique CVEs, including the following nine associated with Oracle EBS:

CVE              Product                                  CVSSv3
CVE-2025-30743   Oracle Lease and Finance Management      8.1
CVE-2025-30744   Oracle Mobile Field Service              8.1
CVE-2025-50105   Oracle Universal Work Queue              8.1
CVE-2025-50071   Oracle Applications Framework            6.4
CVE-2025-30746   Oracle iStore                            6.1
CVE-2025-30745   Oracle MES for Process Manufacturing     6.1
CVE-2025-50107   Oracle Universal Work Queue              6.1
CVE-2025-30739   Oracle CRM Technical Foundation          5.5
CVE-2025-50090   Oracle Applications Framework            5.4

Cl0p has historically been linked to the exploitation of zero-day vulnerabilities, including in managed file transfer platforms such as Cleo, MOVEit, GoAnywhere and Accellion. If and when more definitive information becomes available, we will update this post and/or publish more details on the Tenable Blog.

FAQ on SharePoint Zero-Day Vulnerability Exploitation (CVE-2025-53770)
On July 19, researchers at Eye Security identified active exploitation of Microsoft SharePoint Server. This exploitation was originally believed to be linked to a pair of flaws (CVE-2025-49704, CVE-2025-49706), dubbed “ToolShell,” that were disclosed at Pwn2Own Berlin and patched in Microsoft’s July 2025 Patch Tuesday release. Microsoft then published its own blog post stating that the flaw was actually a zero-day.

CVE              Description                                                        CVSSv3
CVE-2025-53770   Microsoft SharePoint Server Remote Code Execution Vulnerability    9.8

Microsoft confirmed that CVE-2025-53770 is a “variant” of CVE-2025-49706. As of July 20 at 2PM PST, CVE-2025-53770 remains unpatched.

Update: Since we published our community post and FAQ blog post, Microsoft has created an additional CVE and released preliminary patches for SharePoint Subscription Edition and SharePoint Server 2019.

CVE              Description                                          CVSSv3
CVE-2025-53771   Microsoft SharePoint Server Spoofing Vulnerability   6.3

For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

CVE-2025-14847 (MongoBleed): MongoDB Memory Leak Vulnerability Exploited in the Wild
On December 19, MongoDB issued a security advisory to address a vulnerability in MongoDB's zlib implementation.

CVE              Description                                                      CVSSv3   VPR
CVE-2025-14847   MongoDB Uninitialized Memory Leak Vulnerability (“MongoBleed”)   7.5      8.0

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on December 29 and reflects VPR at that time.

CVE-2025-14847 is a memory leak vulnerability affecting MongoDB instances on which zlib compression is enabled. A flaw in how MongoDB implements zlib decompression could allow unauthenticated attackers to leak uninitialized memory, which can contain sensitive data including credentials, session tokens and API keys. The flaw was dubbed “MongoBleed” by Elastic Security researcher Joe Desimone, who published a proof-of-concept demonstrating the vulnerability. While exploitation requires zlib compression to be enabled and a vulnerable MongoDB version to be exposed to the internet, reports of in-the-wild exploitation have already begun. For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

FAQ on Exploited Zero-Day Flaws in Cisco ASA and FTD Devices (CVE-2025-20333, CVE-2025-20362)
On September 25, Cisco published three advisories for three zero-day vulnerabilities in its Cisco Adaptive Security Appliance (ASA) Software and Firewall Threat Defense (FTD) Software:

CVE              Description                                                                                              CVSSv3   Exploited
CVE-2025-20333   Cisco ASA and FTD Software VPN Web Server Remote Code Execution Vulnerability (RCE)                     9.9      Yes
CVE-2025-20362   Cisco ASA and FTD Software VPN Web Server Unauthorized Access Vulnerability                              6.5      Yes
CVE-2025-20363   Cisco ASA and FTD Software, IOS Software, IOS XE Software, and IOS XR Software Web Services             9.0      No

According to Cisco, two of the three zero-day vulnerabilities were exploited in the wild by the same threat actor behind the 2024 ArcaneDoor campaign, which also involved the exploitation of flaws in Cisco devices. For more information about the vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.

Microsoft’s October 2025 Patch Tuesday Addresses 167 CVEs (CVE-2025-24990, CVE-2025-59230)

On October 14, Microsoft released its October 2025 Patch Tuesday release, which patched 167 CVEs: seven rated critical, 158 rated important and two rated moderate. This was the largest Patch Tuesday release to date. Included in this month's patches were three zero-day vulnerabilities, two of which were exploited in the wild.

CVE-2025-24052 and CVE-2025-24990 are elevation of privilege vulnerabilities in the third-party Agere Modem driver. Both CVEs were assigned CVSSv3 scores of 7.8 and rated important. Microsoft reports that CVE-2025-24990 has been exploited in the wild and that CVE-2025-24052 was disclosed before a patch was made available. Successful exploitation would allow an attacker to gain administrator privileges on an affected system.

CVE-2025-59230 is an elevation of privilege vulnerability affecting Windows Remote Access Connection Manager. According to Microsoft, this vulnerability has been exploited in the wild. It was assigned a CVSSv3 score of 7.8 and is rated important. The vulnerability stems from improper access control in Windows Remote Access Connection Manager and could allow a local attacker to gain SYSTEM privileges.

This month’s update includes patches for:
- .NET
- .NET, .NET Framework, Visual Studio
- Active Directory Federation Services
- Agere Windows Modem Driver
- ASP.NET Core
- Azure Connected Machine Agent
- Azure Entra ID
- Azure Local
- Azure Monitor
- Azure Monitor Agent
- Azure PlayFab
- Confidential Azure Container Instances
- Connected Devices Platform Service (Cdpsvc)
- Copilot
- Data Sharing Service Client
- Inbox COM Objects
- Internet Explorer
- JDBC Driver for SQL Server
- Microsoft Brokering File System
- Microsoft Configuration Manager
- Microsoft Defender for Linux
- Microsoft Exchange Server
- Microsoft Failover Cluster Virtual Driver
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft PowerShell
- Microsoft Windows
- Microsoft Windows Search Component
- Microsoft Windows Speech
- Network Connection Status Indicator (NCSI)
- NtQueryInformation Token function (ntifs.h)
- Remote Desktop Client
- Software Protection Platform (SPP)
- Storport.sys Driver
- Virtual Secure Mode
- Visual Studio
- Windows Ancillary Function Driver for WinSock
- Windows Authentication Methods
- Windows BitLocker
- Windows Bluetooth Service
- Windows Cloud Files Mini Filter Driver
- Windows COM
- Windows Connected Devices Platform Service
- Windows Core Shell
- Windows Cryptographic Services
- Windows Device Association Broker service
- Windows Digital Media
- Windows DirectX
- Windows DWM
- Windows DWM Core Library
- Windows Error Reporting
- Windows ETL Channel
- Windows Failover Cluster
- Windows File Explorer
- Windows Health and Optimized Experiences Service
- Windows Hello
- Windows High Availability Services
- Windows Hyper-V
- Windows Kernel
- Windows Local Session Manager (LSM)
- Windows Management Services
- Windows MapUrlToZone
- Windows NDIS
- Windows NTFS
- Windows NTLM
- Windows PrintWorkflowUserSvc
- Windows Push Notification Core
- Windows Remote Access Connection Manager
- Windows Remote Desktop
- Windows Remote Desktop Protocol
- Windows Remote Desktop Services
- Windows Remote Procedure Call
- Windows Resilient File System (ReFS)
- Windows Resilient File System (ReFS) Deduplication Service
- Windows Routing and Remote Access Service (RRAS)
- Windows Server Update Service
- Windows SMB Client
- Windows SMB Server
- Windows SSDP Service
- Windows StateRepository API
- Windows Storage Management Provider
- Windows Taskbar Live
- Windows USB Video Driver
- Windows Virtualization-Based Security (VBS) Enclave
- Windows WLAN Auto Config Service
- Xbox
- XBox Gaming Services

For more information, please visit our blog.

Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)
On January 13, Microsoft released its January 2026 Patch Tuesday release, which patched 113 CVEs: eight rated critical and 105 rated important. This month's update included patches for two zero-days, one of which was exploited in the wild.

CVE-2026-20805 is an information disclosure vulnerability affecting Desktop Window Manager. It was assigned a CVSSv3 score of 5.5 and rated important. Successful exploitation allows an authenticated attacker to access sensitive data. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.

This month’s update includes patches for:
- Azure Connected Machine Agent
- Azure Core shared client library for Python
- Capability Access Management Service (camsvc)
- Connected Devices Platform Service (Cdpsvc)
- Desktop Window Manager
- Dynamic Root of Trust for Measurement (DRTM)
- Graphics Kernel
- Host Process for Windows Tasks
- Inbox COM Objects
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Printer Association Object
- SQL Server
- Tablet Windows User Interface (TWINUI) Subsystem
- Windows Admin Center
- Windows Ancillary Function Driver for WinSock
- Windows Client-Side Caching (CSC) Service
- Windows Clipboard Server
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows DWM
- Windows Deployment Services
- Windows Error Reporting
- Windows File Explorer
- Windows HTTP.sys
- Windows Hello
- Windows Hyper-V
- Windows Installer
- Windows Internet Connection Sharing (ICS)
- Windows Kerberos
- Windows Kernel
- Windows Kernel Memory
- Windows Kernel-Mode Drivers
- Windows LDAP - Lightweight Directory Access Protocol
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Local Session Manager (LSM)
- Windows Management Services
- Windows Media
- Windows NDIS
- Windows NTFS
- Windows NTLM
- Windows Remote Assistance
- Windows Remote Procedure Call
- Windows Remote Procedure Call Interface Definition Language (IDL)
- Windows Routing and Remote Access Service (RRAS)
- Windows SMB Server
- Windows Secure Boot
- Windows Server Update Service
- Windows Shell
- Windows TPM
- Windows Telephony Service
- Windows Virtualization-Based Security (VBS) Enclave
- Windows WalletService
- Windows Win32K - ICOMP

For more information, please visit our blog.
Microsoft’s November 2025 Patch Tuesday Addresses 63 CVEs

On November 11, Microsoft released its November 2025 Patch Tuesday release, which patched 63 CVEs: five rated critical and 58 rated important. This month's update included one vulnerability that was exploited in the wild as a zero-day. Elevation of privilege (EoP) vulnerabilities accounted for 46% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 25.4%.

CVE-2025-62215 is an elevation of privilege vulnerability in the Windows Kernel. It was assigned a CVSSv3 score of 7.0 and rated important. A local, authenticated attacker could exploit this vulnerability by winning a race condition in order to gain SYSTEM privileges. According to Microsoft, this vulnerability was exploited in the wild as a zero-day.

This month’s update includes patches for:
- Azure Monitor Agent
- Customer Experience Improvement Program (CEIP)
- Dynamics 365 Field Service (online)
- GitHub Copilot and Visual Studio Code
- Host Process for Windows Tasks
- Microsoft Configuration Manager
- Microsoft Dynamics 365 (on-premises)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Streaming Service
- Microsoft Wireless Provisioning System
- Multimedia Class Scheduler Service (MMCSS)
- Nuance PowerScribe
- OneDrive for Android
- Role: Windows Hyper-V
- SQL Server
- Storvsp.sys Driver
- Visual Studio
- Visual Studio Code CoPilot Chat Extension
- Windows Administrator Protection
- Windows Ancillary Function Driver for WinSock
- Windows Bluetooth RFCOM Protocol Driver
- Windows Broadcast DVR User Service
- Windows Client-Side Caching (CSC) Service
- Windows Common Log File System Driver
- Windows DirectX
- Windows Kerberos
- Windows Kernel
- Windows License Manager
- Windows OLE
- Windows Remote Desktop
- Windows Routing and Remote Access Service (RRAS)
- Windows Smart Card
- Windows Speech
- Windows Subsystem for Linux GUI
- Windows TDX.sys
- Windows WLAN Service

For more information, please visit our blog.
Microsoft’s September 2025 Patch Tuesday Addresses 80 CVEs (CVE-2025-55234)

On September 9, Microsoft released its September 2025 Patch Tuesday release, which patched 80 CVEs: eight rated critical and 72 rated important. While no vulnerabilities were exploited in the wild, there was one zero-day patched this month.

CVE-2025-55234 is an elevation of privilege vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to those of the compromised user's account. CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues before enabling some of the hardening capabilities for SMB servers.

This month’s update includes patches for:
- Azure Arc
- Azure Windows Virtual Machine Agent
- Capability Access Management Service (camsvc)
- Graphics Kernel
- Microsoft AutoUpdate (MAU)
- Microsoft Brokering File System
- Microsoft Graphics Component
- Microsoft High Performance Compute Pack (HPC)
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Virtual Hard Drive
- Role: Windows Hyper-V
- SQL Server
- Windows Ancillary Function Driver for WinSock
- Windows BitLocker
- Windows Bluetooth Service
- Windows Connected Devices Platform Service
- Windows DWM
- Windows Defender Firewall Service
- Windows Imaging Component
- Windows Internet Information Services
- Windows Kernel
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Management Services
- Windows MapUrlToZone
- Windows MultiPoint Services
- Windows NTFS
- Windows NTLM
- Windows PowerShell
- Windows Routing and Remote Access Service (RRAS)
- Windows SMB
- Windows SMBv3 Client
- Windows SPNEGO Extended Negotiation
- Windows TCP/IP
- Windows UI XAML Maps MapControlSettings
- Windows UI XAML Phone DatePickerFlyout
- Windows Win32K GRFX
- Xbox

For more information, please visit our blog.

Microsoft Issues Out-of-Band Informational Advisory for Zero-Day in MSHTML (CVE-2021-40444)

UPDATE 09-14: Microsoft has published patches for this vulnerability as part of Patch Tuesday. For more information, please visit our blog.

On September 7, Microsoft published an out-of-band informational advisory for a critical zero-day vulnerability in its MSHTML rendering engine, also known as Trident. Identified as CVE-2021-40444, the flaw has reportedly been exploited in the wild in limited, targeted attacks. Microsoft says that attackers are exploiting this vulnerability using Microsoft Office documents that contain a malicious ActiveX control. Therefore, an attacker would need to use social engineering tactics to convince their target to open the malicious document. Successful exploitation would grant an attacker remote code execution. Microsoft notes that this would primarily impact Windows users that have more user rights, such as administrators. At this time, there are no patches available, hence the advisory is informational in nature. However, Microsoft has provided some mitigation instructions, which require disabling ActiveX controls on individual systems. To help customers, Tenable has released an audit script to verify whether or not these mitigations have been applied. When patches become available, we will update this post with more information.