Cyber Exposure Alerts

Cyber Exposure Alerts From Tenable

  • CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
    by Scott Caveza on June 27, 2025 at 5:11 pm

    Frequently asked questions about recent Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild, including CVE-2025-5777, known as CitrixBleed 2.

    Background

    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding CVE-2025-5777 and CVE-2025-6543, two Citrix NetScaler ADC and Gateway vulnerabilities that have reportedly been exploited in the wild.

    FAQ

    What vulnerabilities have been exploited?

    As of the publication of this blog on June 27, active exploitation has been reported for the following CVEs:

    CVE           | Description                                                                         | CVSSv4 | Severity
    CVE-2025-5777 | Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability (“CitrixBleed 2”) | 9.3    | Critical
    CVE-2025-6543 | Citrix NetScaler ADC and Gateway Denial of Service (DoS) Vulnerability              | 9.2    | Critical

    What is CVE-2025-5777 (CitrixBleed 2)?

    CVE-2025-5777 is an out-of-bounds read vulnerability affecting Citrix NetScaler ADC and Gateway. Successful exploitation of this vulnerability would allow an attacker to read memory on an affected device, giving the attacker access to sensitive data including session tokens. These session tokens can be used to bypass multi-factor authentication (MFA) and allow the attacker to take over an authenticated session.

    (Image source: Kevin Beaumont)

    Why is CVE-2025-5777 being called CitrixBleed 2?

    The moniker CitrixBleed 2 was given to CVE-2025-5777 by security researcher Kevin Beaumont, who observed that this vulnerability is very similar to CVE-2023-4966, also known as CitrixBleed. The original CitrixBleed was widely abused by both ransomware groups and other threat actors, including advanced persistent threat (APT) actors. Given the similarities and likelihood of exploitation, Beaumont warned that “organisations patch, unless they want to become the detection in the wild after a security incident.”

    When was CVE-2025-5777 first disclosed?

    CVE-2025-5777 was disclosed by Citrix in security bulletin CTX693420 on June 17. In the same security bulletin, Citrix also addressed CVE-2025-5349, an improper access control vulnerability affecting the NetScaler Management Interface.

    Was CVE-2025-5777 exploited as a zero-day?

    As of June 27, there is no indication that CVE-2025-5777 (CitrixBleed 2) was exploited as a zero-day. The initial security bulletin from Citrix did not contain any language about exploitation; however, on June 26, ReliaQuest released a blog post in which they note they have observed “indications of exploitation” and further state “ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments.” At the time this blog was published, Citrix had not updated their security bulletin to indicate active exploitation of CVE-2025-5777.

    What is CVE-2025-6543?

    CVE-2025-6543 is a DoS vulnerability resulting from a memory overflow issue. While there are similarities in the vulnerability descriptions from Citrix between CVE-2025-6543 and CVE-2025-5777, Citrix released a Cloud Software Group blog post clarifying that these two vulnerabilities are not related.

    When was CVE-2025-6543 first disclosed?

    CVE-2025-6543 was disclosed in security bulletin CTX694788 on June 25.

    Was CVE-2025-6543 exploited as a zero-day?

    Yes, CVE-2025-6543 was exploited in the wild as a zero-day. The initial security bulletin release indicated that exploitation had been observed, and Citrix confirmed in their supplementary blog post on June 26 that CVE-2025-6543 was exploited as a zero-day.

    Is there a proof-of-concept (PoC) available for these vulnerabilities?

    As of the release of this blog post on June 27, no PoC has been publicly released for either of these vulnerabilities.

    Are patches or mitigations available for CVE-2025-5777?

    Yes, Citrix released patches for the following NetScaler ADC and Gateway versions, which also address CVE-2025-5349 (not known to have been exploited):

    Affected Product                        | Affected Version     | Fixed Version
    NetScaler ADC and NetScaler Gateway     | Prior to 13.1-58.32  | 13.1-58.32 and later releases of 13.1
    NetScaler ADC and NetScaler Gateway     | Prior to 14.1-43.56  | 14.1-43.56 and later releases
    NetScaler ADC 12.1-FIPS                 | Prior to 12.1-55.328 | 12.1-55.328 and later releases of 12.1-FIPS
    NetScaler ADC 13.1-FIPS and 13.1-NDcPP  | Prior to 13.1-37.235 | 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP

    Versions 12.1 and 13.0 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

    In addition, Citrix recommends terminating all active ICA and PCoIP sessions after applying the updates, using the following commands:

        kill icaconnection -all
        kill pcoipConnection -all

    We strongly recommend reviewing security bulletin CTX693420 for the latest guidance, as additional instructions and recommendations may be updated in the future.

    Are patches or mitigations available for CVE-2025-6543?

    Yes, Citrix released patches for the following NetScaler ADC and Gateway versions:

    Affected Product                        | Affected Version     | Fixed Version
    NetScaler ADC and NetScaler Gateway     | Prior to 13.1-59.19  | 13.1-59.19 and later releases of 13.1
    NetScaler ADC and NetScaler Gateway     | Prior to 14.1-47.46  | 14.1-47.46 and later releases of 14.1
    NetScaler ADC 13.1-FIPS and NDcPP       | Prior to 13.1-37.236 | 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP

    Versions 12.1 and 13.0 of NetScaler ADC and Gateway are end of life (EOL) and will not receive security updates. Therefore, customers are strongly encouraged to upgrade to a fixed version listed above as soon as possible.

    Note that according to the security bulletin, “NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server” in order to be vulnerable to CVE-2025-6543.

    Are Indicators of Compromise (IoCs) available?

    According to the Citrix Cloud Software Group blog post, customers should contact Citrix customer support for updates on IoCs. We also recommend reviewing their blog post for further updates on both CVE-2025-5777 and CVE-2025-6543.

    Has Tenable released any product coverage for these vulnerabilities?

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

      • CVE-2025-5777
      • CVE-2025-6543

    These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Get more information

      • Citrix Security Bulletin CTX693420 (CVE-2025-5777, CVE-2025-5349)
      • Citrix Security Bulletin CTX694788 (CVE-2025-6543)
      • CitrixBleed 2: Electric Boogaloo CVE-2025–5777
      • ReliaQuest Blog: Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds
      • Tenable Blog: CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Information Disclosure Exploited in the Wild
      • Tenable Blog: Frequently Asked Questions for CitrixBleed (CVE-2023-4966)

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Frequently Asked Questions About Iranian Cyber Operations
    by Research Special Operations on June 27, 2025 at 7:00 am

    Tenable’s Research Special Operations team focuses on some frequently asked questions about Iranian cyber operations, including the tactics, techniques and procedures employed by Iran-based threat actors.

    Background

    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding Iranian cyber operations in the wake of the recent conflict and warnings from U.S. government agencies, including the Department of Homeland Security (DHS), about potential retaliatory attacks from cyber actors affiliated with the Iranian government as well as hacktivists.

    This FAQ provides a focused analysis of Iranian state-sponsored cyber threats, detailing the types of threats used by Advanced Persistent Threat (APT) groups, tactics, techniques and procedures (TTPs) mapped to the MITRE ATT&CK framework, and the specific vulnerabilities they consistently exploit. We also provide guidance about Tenable product coverage you can use to reduce your cyber exposure to these threats.

    FAQ

    Has there been an increase in threat activity related to Iran-based threat actors?

    While there have been ample warnings from U.S. government agencies about retaliatory attacks, we’re also seeing a slight increase in reported activity by threat actors. Reports have cited that threat actors have begun targeting U.S. finance, defense and energy sectors. While this activity has been limited to distributed denial-of-service (DDoS) attacks, there have also been recent reports of an increase in targeted phishing attacks.

    Which threat actors are believed to be Iran-based or linked to the Iranian government?

    In recent years, several Iran-based groups have been identified by security vendors and U.S. government agencies, including the Cybersecurity and Infrastructure Security Agency (CISA). In some alerts, threat activity has been linked to the Iranian Islamic Revolutionary Guard Corps (IRGC), while other APT groups and hacktivist groups have been identified as having ties to Iran. The table below outlines the groups and known activities linked to them. While this is not an exhaustive list of all known APTs and threat actors previously attributed to Iran, these groups have been recent subjects of CISA and other U.S. government alerts and have been featured in reports from multiple security vendors.

    Threat actor (aliases) | Activity
    HomeLand Justice | Carried out destructive attacks against the Government of Albania in 2022, utilizing ransomware and disk wiping malware.
    Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, Lemon Sandstorm, Br0k3r, xplfinder | Collaborates with ransomware groups in order to monetize access to victim networks. Known to exploit common and well-known vulnerabilities in internet-facing devices and critical infrastructure.
    CyberAv3ngers | Attacked and defaced OT devices, including Unitronics PLC devices commonly used in water and wastewater systems.
    APT35, CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, Yellow Garuda, Educated Manticore, APT42*, Agent Serpens, UNC788 | Social engineering campaigns targeting journalists and internet-facing applications. *APT42 is a subcluster of APT35 and also poses as journalists in order to harvest credentials. Some aliases overlap between these groups.
    APT34, OilRig, Helix Kitten, Hazel Sandstorm, Earth Simnavaz | Exploits internet-facing servers and uses supply chain attacks to target finance, energy, chemical, telecommunications and government sectors.
    MuddyWater, Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros | Uses remote monitoring and management tools to target telecom companies in the Middle East and North Africa, Europe and North America.
    Agrius, Pink Sandstorm | Targets Israeli companies with wiper malware disguised as ransomware.
    Imperial Kitten | An APT group that has targeted Israeli transportation/logistics and technology sectors.
    Banished Kitten, Dune | Known as “Faketivist” for its attempts to masquerade as hacktivist groups through its adoption of TTPs used by hacktivist groups.

    What are the vulnerabilities that have been targeted by Iranian threat actors?

    The following table contains a list of CVEs known to be exploited by Iran-based threat actors. This list of CVEs covers a wide range of commonly exploited vulnerabilities that have also been abused by a wide variety of threat actors beyond Iran-based APTs or state-sponsored actors.

    CVE | Description | CVSSv3 Score | VPR*
    CVE-2017-11774 | Microsoft Outlook Security Feature Bypass Vulnerability | 7.8 | 8.9
    CVE-2018-13379 | Fortinet FortiOS SSL VPN Web Portal Path Traversal Vulnerability [1] [2] [3] | 9.8 | 9.0
    CVE-2019-0604 | Microsoft SharePoint Remote Code Execution (RCE) Vulnerability [1] | 9.8 | 8.9
    CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure [1] [2] [3] [4] | 10.0 | 8.1
    CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal [1] [2] [3] [4] [5] [6] [7] [8] [9] | 9.8 | 8.9
    CVE-2019-5591 | Fortinet FortiOS Default Configuration [1] [2] | 6.5 | 6.6
    CVE-2020-12812 | Fortinet FortiOS Improper Authentication [1] [2] | 9.8 | 8.9
    CVE-2020-1472 | Windows Netlogon Elevation of Privilege (EoP) Vulnerability (Zerologon) [1] [2] [3] [4] [5] | 10 | 10
    CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) [1] [2] [3] | 6.6 | 6.6
    CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) [1] [2] [3] | 9.8 | 9.2
    CVE-2021-34523 | Microsoft Exchange Server EoP (Part of ProxyShell) [1] [2] [3] | 9.0 | 9.6
    CVE-2021-44228 | Apache Log4j RCE (Log4Shell) [1] [2] [3] [4] | 10 | 10
    CVE-2021-45046 | Apache Log4j2 Denial of Service (DoS) and RCE [1] [2] | 9.0 | 8.1
    CVE-2021-45105 | Apache Log4j2 DoS [1] [2] | 5.9 | 6.6
    CVE-2022-1388 | F5 Networks F5 BIG-IP Authentication Bypass Vulnerability [1] [2] [3] | 9.8 | 9.0
    CVE-2022-26134 | Atlassian Confluence Server and Data Center OGNL Injection [1] [2] | 9.8 | 9.6
    CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) [1] [2] [3] | 7.8 | 9.8
    CVE-2022-42475 | Fortinet FortiOS Heap-Based Buffer Overflow [1] [2] | 9.8 | 8.9
    CVE-2022-47966 | Zoho ManageEngine RCE [1] | 9.8 | 9.7
    CVE-2022-47986 | IBM Aspera Faspex RCE | 9.8 | 9.0
    CVE-2023-27350 | PaperCut NG Authentication Bypass | 9.8 | 9.0
    CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and NetScaler Gateway) Unauthenticated RCE Vulnerability [1] [2] | 9.8 | 9.0
    CVE-2023-38831 | RARLAB WinRAR Arbitrary Code Execution | 7.8 | 9.7
    CVE-2023-46805 | Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability [1] [2] | 8.2 | 6.7
    CVE-2023-6448 | Unitronics VisiLogic Default Administrative Password | 9.8 | 7.4
    CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability [1] [2] [3] | 9.1 | 9.8
    CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability [1] [2] | 8.6 | 7.1
    CVE-2024-30088 | Windows Kernel Elevation of Privilege Vulnerability [1] [2] | 7.0 | 9.6
    CVE-2024-3400 | Palo Alto PAN-OS Command Injection Vulnerability [1] [2] | 10.0 | 10.0

    *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 27 and reflects VPR at that time.

    Has Tenable released any product coverage for these vulnerabilities?

    The CVEs covered in this blog have product coverage from Tenable. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:

      • CVE-2017-11774
      • CVE-2018-13379
      • CVE-2019-0604
      • CVE-2019-11510
      • CVE-2019-19781
      • CVE-2019-5591
      • CVE-2020-12812
      • CVE-2020-1472
      • CVE-2021-31207
      • CVE-2021-34473
      • CVE-2021-34523
      • CVE-2021-44228
      • CVE-2021-45046
      • CVE-2021-45105
      • CVE-2022-1388
      • CVE-2022-26134
      • CVE-2022-30190
      • CVE-2022-42475
      • CVE-2022-47966
      • CVE-2022-47986
      • CVE-2023-27350
      • CVE-2023-3519
      • CVE-2023-38831
      • CVE-2023-46805
      • CVE-2023-6448
      • CVE-2024-21887
      • CVE-2024-24919
      • CVE-2024-30088
      • CVE-2024-3400

    These links will display all available plugins for the listed vulnerabilities, including upcoming plugins in our Plugins Pipeline. In addition to plugin coverage, the tables below highlight additional Tenable product coverage for the MITRE ATT&CK IDs that are known to be associated with Iran-based threat actors.

    Tenable attack path techniques

    MITRE ATT&CK ID | Description | Tenable attack path techniques
    T1003.001 | OS Credential Dumping: LSASS Memory | T1003.001_Windows
    T1012 | Query Registry | T1012_Windows
    T1021.001 | Remote Services: Remote Desktop Protocol | T1021.001_Windows
    T1047 | Windows Management Instrumentation | T1047_Windows
    T1053.005 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows
    T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows
    T1068 | Exploitation for Privilege Escalation | T1068_Windows
    T1069.002 | Permission Groups Discovery: Domain Groups | T1069.002_Windows
    T1069.003 | Permission Groups Discovery: Cloud Groups | T1069.003_Azure, T1069.003_AWS
    T1078.001 | Valid Accounts: Default Accounts | T1078.001_ICS
    T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows
    T1078.003 | Valid Accounts: Local Accounts | T1078.003_Windows
    T1078.004 | Valid Accounts: Cloud Accounts | T1078.004_Azure
    T1082 | System Information Discovery | T1082
    T1098 | Account Manipulation | T1098.001_Azure, T1098.001_AWS, T1098.003_Azure, T1098.004
    T1133 | External Remote Services | T1133_AWS, T1133_Azure, T1133_Windows
    T1190 | Exploit Public-Facing Application | T1190_Aws
    T1219 | Remote Access Software | T1219_Windows
    T1482 | Domain Trust Discovery | T1482_Windows
    T1484.002 | Domain or Tenant Policy Modification: Trust Modification | T1484.002_Azure
    T1499 | Endpoint Denial of Service | T1499.004
    T1555 | Credentials from Password Stores | T1555.004_Windows, T1555.006
    T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003_Windows

    Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

    MITRE ATT&CK ID | Description | Indicators
    T1003.001 | OS Credential Dumping: LSASS Memory | C-PROTECTED-USERS-GROUP-UNUSED, I-ProcessInjectionLsass
    T1068 | Exploitation for Privilege Escalation | I-SamNameImpersonation
    T1078 | Valid Accounts | C-AAD-PRIV-SYNC, C-AAD-SSO-PASSWORD, C-ADM-ACC-USAGE, C-ADMIN-RESTRICT-AUTH, C-ADMINCOUNT-ACCOUNT-PROPS, C-AUTH-SILO, C-BAD-SUCCESSOR, C-CLEARTEXT-PASSWORD, C-DANG-PRIMGROUPID, C-DANGEROUS-SENSITIVE-PRIVILEGES, C-DC-ACCESS-CONSISTENCY, C-DSHEURISTICS, C-EXCHANGE-MEMBERS, C-KERBEROS-CONFIG-ACCOUNT, C-KRBTGT-PASSWORD, C-MSA-COMPLIANCE, C-NATIVE-ADM-GROUP-MEMBERS, C-PASSWORD-DONT-EXPIRE, C-PASSWORD-HASHES-ANALYSIS, C-PASSWORD-NOT-REQUIRED, C-PASSWORD-POLICY, C-PKI-DANG-ACCESS, C-PRIV-ACCOUNTS-SPN, C-PROP-SET-SANITY, C-REVER-PWD-GPO, C-SERVICE-ACCOUNT, C-SLEEPING-ACCOUNTS, C-USER-PASSWORD, HIGH-NUMBER-OF-ADMINISTRATORS, MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT, MISSING-MFA-FOR-PRIVILEGED-ACCOUNT
    T1078.001 | Valid Accounts: Default Accounts | UNRESTRICTED-GUEST-ACCOUNTS, C-GUEST-ACCOUNT, GUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLE, GUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTS
    T1098 | Account Manipulation | C-AAD-CONNECT, C-ABNORMAL-ENTRIES-IN-SCHEMA, C-CREDENTIAL-ROAMING, C-DANG-PRIMGROUPID, C-DC-ACCESS-CONSISTENCY, C-EXCHANGE-PERMISSIONS, C-PROP-SET-SANITY, C-SDPROP-CONSISTENCY, C-SENSITIVE-CERTIFICATES-ON-USER, C-SHADOW-CREDENTIALS, CONDITIONAL-ACCESS-POLICY-DISABLES-CONTINUOUS-ACCESS-EVALUATION, ENTRA-SECURITY-DEFAULTS-NOT-ENABLED, LEGACY-AUTHENTICATION-NOT-BLOCKED, MFA-NOT-REQUIRED-FOR-A-PRIVILEGED-ROLE, MFA-NOT-REQUIRED-FOR-RISKY-SIGN-INS, MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT, MISSING-MFA-FOR-PRIVILEGED-ACCOUNT, SHOW-ADDITIONAL-CONTEXT-IN-MICROSOFT-AUTHENTICATOR-NOTIFICATIONS, USER-WITH-API-TOKEN
    T1110 | Brute Force | C-PASSWORD-HASHES-ANALYSIS, C-PASSWORD-POLICY, I-PasswordSpraying
    T1190 | Exploit Public-Facing Application | APPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATION
    T1589 | Gather Victim Identity Information | C-DSHEURISTICS, C-PRE-WIN2000-ACCESS-MEMBERS
    T1556 | Modify Authentication Process | C-AAD-PRIV-SYNC, C-SHADOW-CREDENTIALS
    T1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting | I-Kerberoasting, I-UnauthKerberoasting

    Tenable Web App Scanning

    MITRE ATT&CK ID | Description | Indicators
    T1190 | Exploit Public-Facing Application | T1190_WAS

    Tenable OT Security

    MITRE ATT&CK ID | Description | Indicators
    T0812 | Exploit Public-Facing Application | T0812_ICS

    What else should I do to remain secure?

    Cyber hygiene is even more critical in the face of heightened awareness than it is in normal times. Many of the attacks stemming from Iranian-sponsored threat actors mirror tactics used by other cyber actors, including exploiting software and devices that use weak authentication. Attacks have also targeted operational technology (OT) devices. To strengthen your cyber defenses, we recommend:

      • Using strong passwords and enforcing a strong password policy
      • Enabling multi-factor authentication (MFA)
      • Changing default passwords, especially on OT hardware
      • Patching vulnerabilities in assets exposed to the internet
      • Identifying and prioritizing your most valuable assets for remediation
      • Developing a remediation plan and continuing to test and improve it

    Get more information

      • Tenable Blog: Navigating a Heightened Cyber Threat Landscape: Military Conflict Increases Attack Risks
      • Tenable Blog: AA24-241A: Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
      • Tenable Blog: AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks
      • Department of Homeland Security National Terrorism Advisory System Bulletin – June 22, 2025

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Microsoft’s June 2025 Patch Tuesday Addresses 65 CVEs (CVE-2025-33053)
    by Research Special Operations on June 10, 2025 at 1:44 pm

    9 Critical | 56 Important | 0 Moderate | 0 Low

    Microsoft addresses 65 CVEs, including two zero-day vulnerabilities, with one being exploited in the wild.

    Microsoft addresses 65 CVEs in its June 2025 Patch Tuesday release, with nine rated critical and 56 rated as important. Our counts omit one vulnerability reported by CERT/CC.

    This month’s update includes patches for:

      • .NET and Visual Studio
      • App Control for Business (WDAC)
      • Microsoft AutoUpdate (MAU)
      • Microsoft Local Security Authority Server (lsasrv)
      • Microsoft Office
      • Microsoft Office Excel
      • Microsoft Office Outlook
      • Microsoft Office PowerPoint
      • Microsoft Office SharePoint
      • Microsoft Office Word
      • Nuance Digital Engagement Platform
      • Power Automate
      • Remote Desktop Client
      • Visual Studio
      • WebDAV
      • Windows Common Log File System Driver
      • Windows Cryptographic Services
      • Windows DHCP Server
      • Windows DWM Core Library
      • Windows Hello
      • Windows Installer
      • Windows KDC Proxy Service (KPSSVC)
      • Windows Kernel
      • Windows Local Security Authority (LSA)
      • Windows Local Security Authority Subsystem Service (LSASS)
      • Windows Media
      • Windows Netlogon
      • Windows Recovery Driver
      • Windows Remote Access Connection Manager
      • Windows Remote Desktop Services
      • Windows Routing and Remote Access Service (RRAS)
      • Windows SDK
      • Windows SMB
      • Windows Security App
      • Windows Shell
      • Windows Standards-Based Storage Management Service
      • Windows Storage Management Provider
      • Windows Storage Port Driver
      • Windows Win32K GRFX

    Remote code execution (RCE) vulnerabilities accounted for 38.5% of the vulnerabilities patched this month, followed by information disclosure vulnerabilities at 26.2%.

    Important: CVE-2025-33053 | Web Distributed Authoring and Versioning (WebDAV) Remote Code Execution Vulnerability

    CVE-2025-33053 is an RCE in Web Distributed Authoring and Versioning (WebDAV). It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker could exploit this vulnerability through social engineering, by convincing a target to open a malicious URL or file. Successful exploitation would give the attacker the ability to execute code on the victim’s network.

    According to Microsoft, it was exploited in the wild as a zero-day. It was reported by researchers at Check Point Research, who have released a blog post discussing the discovery of this zero-day. According to the researchers, CVE-2025-33053 was exploited by Stealth Falcon, an APT group that has been observed using zero-day exploits in espionage attacks.

    Important: CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability

    CVE-2025-33073 is an EoP vulnerability affecting the Windows Server Message Block (SMB) client. It was assigned a CVSSv3 score of 8.8 and was publicly disclosed prior to a patch being made available. According to Microsoft, successful exploitation requires an attacker to execute a crafted script to force a target device to connect to an attacker-controlled machine using SMB credentials. If successful, the attacker could elevate their privileges to SYSTEM.

    Critical: CVE-2025-33070 | Windows Netlogon Elevation of Privilege Vulnerability

    CVE-2025-33070 is an EoP vulnerability in Windows Netlogon. It was assigned a CVSSv3 score of 8.1 and is rated as critical. An attacker could exploit this vulnerability to gain domain administrator privileges. According to Microsoft, a successful attack requires the attacker to take additional actions in order to prepare a target for exploitation. Despite these requirements, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

    Critical: CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability

    CVE-2025-47162, CVE-2025-47164, CVE-2025-47167 and CVE-2025-47953 are RCE vulnerabilities affecting Microsoft Office. Each of these critical vulnerabilities was assigned a CVSSv3 score of 8.4, and all except CVE-2025-47953 were assessed as “Exploitation More Likely.” Microsoft notes that the Preview Pane is an attack vector for exploitation of these vulnerabilities.

    In addition, CVE-2025-47173, another RCE in Microsoft Office, was patched this month. It received a CVSSv3 score of 7.8, was rated as important and was assessed as “Exploitation Unlikely.” Unlike the other Office vulnerabilities, the Preview Pane is not an attack vector for CVE-2025-47173.

    Critical: CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

    CVE-2025-33071 is an RCE vulnerability affecting the Windows Kerberos Key Distribution Center (KDC) proxy service, an authentication mechanism used for KDC servers over HTTPS. It received a CVSSv3 score of 8.1 and is rated as critical. An unauthenticated attacker could exploit this vulnerability using a crafted application to exploit a cryptographic protocol vulnerability in order to execute arbitrary code. According to the advisory, this only impacts Windows Servers that have been “configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server.” While the advisory does mention that exploitation requires the attacker to win a race condition, this vulnerability was still assessed as “Exploitation More Likely.”

    Important: CVE-2025-32713 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

    CVE-2025-32713 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. CVE-2025-32713 was assessed as “Exploitation More Likely.” Successful exploitation would allow an attacker to elevate their privileges to SYSTEM.

    Prior to this month’s release, Microsoft had patched five other EoP vulnerabilities in the Windows CLFS driver in 2025, three of which were exploited as zero-days. These include CVE-2025-29824 from the April 2025 Patch Tuesday release and both CVE-2025-32701 and CVE-2025-32706, which were patched in the May 2025 Patch Tuesday release.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s June 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

      • Microsoft’s June 2025 Security Updates
      • Tenable plugins for Microsoft June 2025 Patch Tuesday Security Updates

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Frequently Asked Questions About BadSuccessor
    by Research Special Operations on June 2, 2025 at 1:55 pm

    Frequently asked questions about “BadSuccessor,” a zero-day privilege escalation vulnerability in Active Directory domains with at least one Windows Server 2025 domain controller.

    Background

    Tenable’s Research Special Operations (RSO) and Identity Content teams have compiled this blog to answer Frequently Asked Questions (FAQ) regarding a newly disclosed zero-day in Active Directory called BadSuccessor.

    FAQ

    What is BadSuccessor?

    BadSuccessor is the name of a zero-day privilege escalation vulnerability in Active Directory that was discovered and disclosed by Yuval Gordon, a security researcher at Akamai.

    According to Gordon, the flaw exists in delegated Managed Service Accounts (dMSAs), a service account type in Active Directory (AD) that was introduced in Windows Server 2025 to enable the migration of non-managed service accounts.

    What are the vulnerabilities associated with BadSuccessor?

    As of June 2, Microsoft had not assigned a CVE identifier for BadSuccessor. Microsoft is the CVE Numbering Authority (CNA) for its products. Since there are currently no patches available for BadSuccessor, no CVE has been assigned. If Microsoft does assign a CVE alongside patches for it, we will update this blog accordingly.

    How is BadSuccessor exploited?

    To exploit BadSuccessor, an attacker needs to be able to access a user account with specific permissions in AD, and at least one domain controller in the domain needs to be running Windows Server 2025.

    Based on Akamai’s research, even if an AD domain is not using dMSAs and does not operate at the 2025 functional level, all that is required is that a targeted user has either the permission to:

      • Create a new dMSA (msDS-DelegatedManagedServiceAccount object class) in any container or organizational unit (OU)
      • Abuse an existing dMSA by modifying its msDS-ManagedAccountPrecededByLink attribute

    When was BadSuccessor first disclosed?

    On May 21, Akamai published a blog post about BadSuccessor, which included a detailed overview of the flaw, as well as detection and mitigation guidance.

    How severe is BadSuccessor?

    BadSuccessor has the potential to be very severe, as exploitation could allow an attacker to achieve full domain, and then forest, compromise in an Active Directory environment. However, one mitigating factor is that it only affects domains with at least one Windows Server 2025 domain controller.

    How prevalent are AD domains with at least one Windows Server 2025 domain controller?

    Based on a subset of Tenable’s telemetry data, we found just 0.7% of AD domains have at least one Windows Server 2025 domain controller. This appears to be lower than other statistics we’ve seen reported.

    Was BadSuccessor exploited as a zero-day?

    As of June 2, there have been no indications that BadSuccessor has been exploited in the wild.

    Why is it called BadSuccessor?

    According to Gordon, the name “BadSuccessor” is tied to the fact that the user account (or dMSA) becomes the nefarious “successor” by inheriting the elevated privileges of another identity in the AD environment.

        “6/ We named this attack BadSuccessor, because that’s exactly what the dMSA becomes – the unintended heir to a high-privilege identity. A successor, with all the right keys.”
        — Yuval Gordon (@YuG0rd), May 21, 2025

    Is there a proof-of-concept (PoC) available for BadSuccessor?

    Yes, there are several proofs-of-concept (PoCs) for BadSuccessor available on GitHub, including a .NET implementation called SharpSuccessor. It is also available in NetExec, the successor to the infamous CrackMapExec hack tool. It was also added to BloodyAD, the Active Directory privilege escalation framework.

    Are patches or mitigations available for BadSuccessor?

    As of June 2, there were no patches available for BadSuccessor. However, in the Akamai blog post from May 21, Microsoft indicated they would “fix this issue in the future.” If and when a patch becomes available, we will update this section.

    Akamai’s blog post includes details on detecting BadSuccessor as well as mitigation suggestions.

    Has Tenable released any product coverage for these vulnerabilities?

    While Microsoft has not yet released patches for BadSuccessor, Tenable Identity Exposure customers can utilize our recently released (v3.95) Indicator of Exposure (IoE) for BadSuccessor.

    Once Microsoft assigns a CVE and releases patches, we will update this section with additional Tenable coverage.

    Get more information

      • BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.

    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
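    The two permissions the FAQ above names (creating a dMSA in a container, or writing msDS-ManagedAccountPrecededByLink on an existing dMSA) are the things a defender needs to inventory before a patch exists. The following audit script is an added example, not code from the Tenable post or from Akamai’s research; it assumes the ActiveDirectory RSAT module, domain read access, and that the principals listed in $expected are the only legitimate holders of those rights.

```powershell
# Added example (not from the Tenable post or Akamai's research): report every
# principal, other than the expected administrative groups, that effectively holds
#   1. CreateChild for msDS-DelegatedManagedServiceAccount on any OU/container, or
#   2. WriteProperty on msDS-ManagedAccountPrecededByLink of an existing dMSA.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$domainDN = $rootDse.defaultNamingContext
$rights   = [System.DirectoryServices.ActiveDirectoryRights]

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is the GUID object-specific ACEs use to refer to a class or attribute.
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if ($null -eq $obj) { return $null }
    return [guid]$obj.schemaIDGUID
}

$dmsaClassGuid = Get-SchemaGuid 'msDS-DelegatedManagedServiceAccount'
$linkAttrGuid  = Get-SchemaGuid 'msDS-ManagedAccountPrecededByLink'
if ($null -eq $dmsaClassGuid) {
    # The dMSA class only exists once the schema has been extended for Windows Server 2025.
    Write-Warning 'msDS-DelegatedManagedServiceAccount is not in the schema; this domain is not exposed.'
    return
}

# Assumption: these are the only principals that should hold the audited rights.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins")

function Test-Ace($ace, [guid]$targetGuid, $specificRight) {
    # Returns a short reason when the ACE effectively grants the targeted right, else $null.
    if ($ace.AccessControlType -ne 'Allow') { return $null }
    if ($expected -contains $ace.IdentityReference.Value) { return $null }
    $r = $ace.ActiveDirectoryRights
    # GenericAll is a combination of bits, so it must match exactly rather than by -band.
    if (($r -band $rights::GenericAll) -eq $rights::GenericAll) { return 'GenericAll' }
    if (($r -band $rights::WriteDacl)  -ne 0) { return 'WriteDacl (can grant itself the right)' }
    if (($r -band $rights::WriteOwner) -ne 0) { return 'WriteOwner (can take ownership, then grant the right)' }
    if (($r -band $specificRight) -ne 0) {
        # An empty ObjectType means the right applies to every child class / every attribute.
        if ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $targetGuid) { return "$specificRight" }
    }
    return $null
}

$findings = @()

# 1. Who can create dMSA objects in any OU or container (including the domain root)?
$containers = Get-ADObject -SearchBase $domainDN -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))'
foreach ($c in $containers) {
    $acl = Get-Acl -Path ("AD:\" + $c.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $why = Test-Ace $ace $dmsaClassGuid $rights::CreateChild
        if ($why) {
            $findings += [pscustomobject]@{ Check = 'CreateChild dMSA'; Object = $c.DistinguishedName; Principal = $ace.IdentityReference.Value; Via = $why }
        }
    }
}

# 2. Who can rewrite msDS-ManagedAccountPrecededByLink on an existing dMSA?
$dmsas = Get-ADObject -SearchBase $domainDN -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)'
foreach ($d in $dmsas) {
    $acl = Get-Acl -Path ("AD:\" + $d.DistinguishedName)
    foreach ($ace in $acl.Access) {
        $why = Test-Ace $ace $linkAttrGuid $rights::WriteProperty
        if ($why) {
            $findings += [pscustomobject]@{ Check = 'Write PrecededByLink'; Object = $d.DistinguishedName; Principal = $ace.IdentityReference.Value; Via = $why }
        }
    }
}

$findings | Sort-Object Check, Object, Principal | Format-Table -AutoSize
```

    Inherited ACEs are reported once per container they reach, so a single over-broad delegation near the domain root will show up many times; that repetition is itself the finding to review.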

  • CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
    by Russell Brown on May 14, 2025 at 11:20 am

    Fortinet has observed threat actors exploiting CVE-2025-32756, a critical zero-day arbitrary code execution vulnerability which affects multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera.

    Background

    On May 13th, Fortinet published a security advisory (FG-IR-25-254) for CVE-2025-32756, a critical arbitrary code execution vulnerability affecting multiple Fortinet products.

    CVE | Description | CVSSv3
    CVE-2025-32756 | An arbitrary code execution vulnerability in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera | 9.6

    Analysis

    CVE-2025-32756 is an arbitrary code execution vulnerability affecting multiple Fortinet products including FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera. A remote, unauthenticated attacker can send crafted HTTP requests to create a stack-based overflow condition that allows execution of arbitrary code. This vulnerability was discovered by the Fortinet Product Security Team, who observed threat activity involving a device running FortiVoice.

    According to Fortinet, the threat actor’s operations included scanning the network, erasing system crashlogs and enabling ‘fcgi debugging’, which is used to log authentication attempts, including SSH logins. The ‘fcgi debugging’ option is not enabled by default and the Fortinet advisory recommends reviewing the setting as one possible indicator of compromise (IoC).

    Historical Exploitation of Fortinet Devices

    Fortinet vulnerabilities have historically been common targets for cyber attackers, and CVE-2025-32756 is the eighteenth Fortinet vulnerability to be added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list.

    CVE | Description | Patched | Tenable Blog
    CVE-2024-55591 | Fortinet Authentication Bypass in FortiOS and FortiProxy | January 2025 | CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
    CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
    CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
    CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
    CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy

    Proof of concept

    At the time of writing, no proof-of-concept (PoC) has been published for CVE-2025-32756. When a PoC is released, we expect attackers will incorporate this vulnerability in their attacks, as Fortinet devices have been exploited by threat actors, including nation-state actors, in the past.

    Vendor response

    Fortinet has provided a list of IoCs based on their observations of CVE-2025-32756. We recommend reviewing the list of IoCs and the steps recommended by Fortinet to determine if your device may have been impacted.

    Solution

    The following table details the affected and fixed versions of Fortinet devices affected by CVE-2025-32756:

    Product | Affected Version | Fixed Version
    FortiCamera 2.1 | 2.1.0 through 2.1.3 | 2.1.4 or above
    FortiCamera 2.0 | 2.0 all versions | Migrate to a fixed release
    FortiCamera 1.1 | 1.1 all versions | Migrate to a fixed release
    FortiMail 7.6 | 7.6.0 through 7.6.2 | 7.6.3 or above
    FortiMail 7.4 | 7.4.0 through 7.4.4 | 7.4.5 or above
    FortiMail 7.2 | 7.2.0 through 7.2.7 | 7.2.8 or above
    FortiMail 7.0 | 7.0.0 through 7.0.8 | 7.0.9 or above
    FortiNDR 7.6 | 7.6.0 | 7.6.1 or above
    FortiNDR 7.4 | 7.4.0 through 7.4.7 | 7.4.8 or above
    FortiNDR 7.2 | 7.2.0 through 7.2.4 | 7.2.5 or above
    FortiNDR 7.1 | 7.1 all versions | Migrate to a fixed release
    FortiNDR 7.0 | 7.0.0 through 7.0.6 | 7.0.7 or above
    FortiNDR 1.5 | 1.5 all versions | Migrate to a fixed release
    FortiNDR 1.4 | 1.4 all versions | Migrate to a fixed release
    FortiNDR 1.3 | 1.3 all versions | Migrate to a fixed release
    FortiNDR 1.2 | 1.2 all versions | Migrate to a fixed release
    FortiNDR 1.1 | 1.1 all versions | Migrate to a fixed release
    FortiRecorder 7.2 | 7.2.0 through 7.2.3 | 7.2.4 or above
    FortiRecorder 7.0 | 7.0.0 through 7.0.5 | 7.0.6 or above
    FortiRecorder 6.4 | 6.4.0 through 6.4.5 | 6.4.6 or above
    FortiVoice 7.2 | 7.2.0 | 7.2.1 or above
    FortiVoice 7.0 | 7.0.0 through 7.0.6 | 7.0.7 or above
    FortiVoice 6.4 | 6.4.0 through 6.4.10 | 6.4.11 or above

    For users that are not able to immediately upgrade, Fortinet has provided a mitigation step: disabling the HTTP/HTTPS administrative interface. We recommend reviewing the Fortinet advisory for the latest information on workarounds and patched versions.

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-32756 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

    Get more information

    Fortinet FG-IR-25-254 Advisory
    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution
    by Ben Smith on May 13, 2025 at 5:40 pm

    A remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks.

    Background

    On May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) vulnerability and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).

    CVE | Description | CVSSv3
    CVE-2025-4427 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | 5.3
    CVE-2025-4428 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability | 7.2

    Analysis

    CVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API), which is normally only accessible to authenticated users.

    CVE-2025-4428 is an RCE vulnerability in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.

    An attacker could chain these two flaws together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software.

    Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases. Customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.

    Ivanti has credited CERT-EU with reporting these vulnerabilities.

    Proof of concept

    At the time this blog post was published, there was no public proof-of-concept available for CVE-2025-4427 or CVE-2025-4428.

    Solution

    The following table details the affected and fixed versions of Ivanti EPMM for both CVE-2025-4427 and CVE-2025-4428:

    Affected Version | Fixed Version
    11.12.0.4 and prior | 11.12.0.5
    12.3.0.1 and prior | 12.3.0.2
    12.4.0.1 and prior | 12.4.0.2
    12.5.0.0 and prior | 12.5.0.1

    Identifying affected systems

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-4427 and CVE-2025-4428 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti EPMM by using the following filters:

    Get more information

    Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)
    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Microsoft’s May 2025 Patch Tuesday Addresses 71 CVEs (CVE-2025-32701, CVE-2025-32706, CVE-2025-30400)
    by Tenable Security Response Team on May 13, 2025 at 3:11 pm

    5 Critical | 66 Important | 0 Moderate | 0 Low

    Microsoft addresses 71 CVEs including seven zero-days, five of which were exploited in the wild.

    Microsoft patched 71 CVEs in its May 2025 Patch Tuesday release, with five rated critical and 66 rated as important.

    This month’s update includes patches for:

    - .NET, Visual Studio, and Build Tools for Visual Studio
    - Active Directory Certificate Services (AD CS)
    - Azure
    - Azure Automation
    - Azure DevOps
    - Azure File Sync
    - Azure Storage Resource Provider
    - Microsoft Brokering File System
    - Microsoft Dataverse
    - Microsoft Defender for Endpoint
    - Microsoft Defender for Identity
    - Microsoft Edge (Chromium-based)
    - Microsoft Office
    - Microsoft Office Excel
    - Microsoft Office Outlook
    - Microsoft Office PowerPoint
    - Microsoft Office SharePoint
    - Microsoft PC Manager
    - Microsoft Power Apps
    - Microsoft Scripting Engine
    - Remote Desktop Gateway Service
    - Role: Windows Hyper-V
    - Universal Print Management Service
    - UrlMon
    - Visual Studio
    - Visual Studio Code
    - Web Threat Defense (WTD.sys)
    - Windows Ancillary Function Driver for WinSock
    - Windows Common Log File System Driver
    - Windows Deployment Services
    - Windows Drivers
    - Windows DWM
    - Windows File Server
    - Windows Fundamentals
    - Windows Hardware Lab Kit
    - Windows Installer
    - Windows Kernel
    - Windows LDAP – Lightweight Directory Access Protocol
    - Windows Media
    - Windows NTFS
    - Windows Remote Desktop
    - Windows Routing and Remote Access Service (RRAS)
    - Windows Secure Kernel Mode
    - Windows SMB
    - Windows Trusted Runtime Interface Driver
    - Windows Virtual Machine Bus
    - Windows Win32K – GRFX

    Remote code execution (RCE) vulnerabilities accounted for 39.4% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.4%.

    Important: CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 | Windows Common Log File System Driver Elevation of Privilege Vulnerabilities

    CVE-2025-30385, CVE-2025-32701 and CVE-2025-32706 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver. Each was assigned a CVSSv3 score of 7.8 and is rated as important. Both CVE-2025-32701 and CVE-2025-32706 were exploited in the wild as zero-days, while CVE-2025-30385 is assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

    Prior to this month’s release, Microsoft had patched two other EoP vulnerabilities in the Windows CLFS driver in 2025, including CVE-2025-29824, exploited as a zero-day vulnerability in the April 2025 Patch Tuesday release. In 2024, there were eight CLFS vulnerabilities patched, including one zero-day vulnerability in the CLFS driver that was exploited (CVE-2024-49138) and patched in the December 2024 Patch Tuesday release. Windows CLFS continues to be a popular attack vector and has been exploited by ransomware gangs.

    Important: CVE-2025-30400 | Microsoft DWM Core Library Elevation of Privilege Vulnerability

    CVE-2025-30400 is an EoP vulnerability in the Windows Desktop Window Manager (DWM) Core Library. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft notes that it was exploited as a zero-day. Successful exploitation would allow an attacker to elevate their privileges by exploiting a use-after-free flaw.

    This is the seventh EoP vulnerability in DWM Core Library patched this year. Eight DWM vulnerabilities were patched in 2024, including one zero-day vulnerability that was actively exploited (CVE-2024-30051) and patched in the May 2024 Patch Tuesday release.

    Important: CVE-2025-30397 | Scripting Engine Memory Corruption Vulnerability

    CVE-2025-30397 is a memory corruption vulnerability in Microsoft Scripting Engine that can be exploited to achieve arbitrary code execution on a target machine. It was assigned a CVSSv3 score of 7.5 and is rated as important. The attack complexity is rated as high, and Microsoft notes the target must first be running Microsoft Edge in Internet Explorer mode. Successful exploitation requires the user to click on a crafted URL. This vulnerability was reportedly exploited in the wild as a zero-day.

    Important: CVE-2025-26685 | Microsoft Defender for Identity Spoofing Vulnerability

    CVE-2025-26685 is a spoofing vulnerability in Microsoft Defender for Identity. It was assigned a CVSSv3 score of 6.5 and is rated as important. This vulnerability allows an unauthenticated attacker with Local Area Network (LAN) access to perform a spoofing attack. According to Microsoft, this vulnerability was disclosed prior to patches being made available.

    Important: CVE-2025-32709 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

    CVE-2025-32709 is an EoP vulnerability in the Windows Ancillary Function Driver for WinSock. It was assigned a CVSSv3 score of 7.8 and is rated as important. An authenticated attacker can leverage this vulnerability to elevate their privileges to administrator by exploiting a use-after-free condition. Microsoft notes that this vulnerability was exploited in the wild as a zero-day, the second to be exploited in 2025, preceded by CVE-2025-21418, which was addressed in February’s Patch Tuesday release.

    Important: CVE-2025-32702 | Visual Studio Remote Code Execution Vulnerability

    CVE-2025-32702 is an RCE vulnerability in Visual Studio. It was assigned a CVSSv3 score of 7.8 and is rated as important. Microsoft notes that the attack vector for this vulnerability is local, and that an unauthenticated attacker could exploit this flaw in order to execute code. This is the third RCE vulnerability in Visual Studio that was patched in 2025.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s May 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    Microsoft’s May 2025 Security Updates
    Tenable plugins for Microsoft May 2025 Patch Tuesday Security Updates
    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
    by Satnam Narang on April 25, 2025 at 3:58 pm

    Timely vulnerability remediation is an ongoing challenge for organizations as they struggle to prioritize the exposures that represent the greatest risk to their operations. Existing scoring systems are invaluable but can lack context. Here’s how Tenable’s Vulnerability Watch classification system can help.

    Background

    Over the past six years working in Tenable’s research organization, I’ve watched known vulnerabilities and zero-day flaws plague organizations in the immediate aftermath of disclosure or even years afterwards. Following each blog post or threat report we’ve published, I kept coming back to the same question: Why are so many organizations struggling to remediate vulnerabilities in a timely manner?

    As someone who followed the evolution of COVID-19 variants throughout the beginning of the pandemic, I saw that the World Health Organization (WHO) began to label new variants under a classification system as the virus began to mutate. This classification system was designed to help prioritization efforts for monitoring and research. It included accessible labels like variants of interest and variants of concern to help communicate urgency and focus global attention.

    I began to wonder: What if we borrowed from the same type of classification system used by the WHO and applied it to vulnerability intelligence? Numeric-based systems like the Common Vulnerability Scoring System (CVSS) and Exploit Prediction Scoring System (EPSS) provide mechanisms for prioritization based on scoring. However, they don’t always provide enough context to help decision makers. So, what if we used simple, clear and status-based terminology to communicate risks surrounding vulnerabilities in order to guide action?

    This led us to develop Vulnerability Watch, a classification system for vulnerabilities inspired by the WHO’s classification of COVID-19 variants. Vulnerability Watch is a small but important part of Tenable’s Vulnerability Intelligence offering that was launched in 2024. Now, in addition to being available in product, Vulnerability Watch classifications can be found on the Tenable CVE page, as well as within individual CVE pages for select vulnerabilities that have been classified under the Vulnerability Watch.

    In this blog, we discuss some of the challenges organizations face when it comes to vulnerability prioritization and remediation and how a classification system like Vulnerability Watch can help.

    If everything is important, nothing is important

    CVSS is the most widely used metric when assigning a severity score for Common Vulnerabilities and Exposures (CVEs). CVSS scores are assigned by a vendor and/or an authority like the National Institute of Standards and Technology (NIST). Each CVE score is based on various metrics, from exploitability to impact, with a corresponding severity level tied to these scores. Severity levels include low, medium, high and critical.

    When looking at repositories such as the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, we can make observations about severity and vulnerability risk. In 2024, CISA added a total of 186 CVEs to the KEV.

    Source: Tenable Research

    Four in ten (40%) of these 186 CVEs were rated as critical. The remaining 60% was made up of high severity vulnerabilities (46.2%) and medium severity vulnerabilities (13.4%). This underscores that severity alone is not enough when it comes to making decisions around vulnerability prioritization.

    Remediation rates underscore a need for more clarity

    While the KEV serves as a valuable resource for security practitioners, we still see many organizations not patching these critical flaws in a timely manner. Despite the severity and inclusion on the KEV, our research has found an overall trend of poor remediation rates.

    This trend was highlighted as part of a collaboration with Verizon on the 2025 Data Breach Investigations Report (DBIR). Tenable Research analyzed over 160 million data points and evaluated the remediation rates for a list of 17 CVEs in edge devices highlighted in the DBIR. Of the 17 CVEs, over half (52.9%) were non-critical flaws (CVSS scores below 9.0).

    We also analyzed average remediation rates for these CVEs across various industry sectors. Through this analysis, we found many industries faced challenges with remediating many of these flaws. For instance, CVE-2024-21762 and CVE-2024-23113, a pair of critical Fortinet flaws, had very long remediation times, averaging between 172 days and 260 days. Even CVE-2024-3400, a critical vulnerability in Palo Alto Networks PAN-OS assigned the maximum CVSS score of 10.0, saw most industries average over 100 days to remediate the flaw.

    There are a variety of reasons why organizations may struggle with remediation, including organizational silos, operational downtime required to patch systems, and difficulty determining how to prioritize vulnerabilities based on the risk they represent. While existing scoring systems provide invaluable guidance, we believe additional context is needed in order to improve remediation times.

    A semantic layer for vulnerability intelligence

    Our Vulnerability Watch classifications are not a replacement for CVSS, EPSS or any other scoring metric. Those still serve a distinct purpose in vulnerability prioritization. We also recognize that cybersecurity teams are often inundated by a deluge of alerts, and it can be difficult at times to separate the signal from the noise. These Vulnerability Watch classifications offer a semantic layer to help translate risk into terminology that is easier to understand for the various stakeholders in remediation efforts.

    Tenable’s Vulnerability Watch classifications

    Vulnerability Watch includes the following classifications: vulnerability being monitored, vulnerability of interest and vulnerability of concern. The following are short descriptions of each classification.

    Vulnerability Being Monitored

    A vulnerability being monitored (VBM) is a vulnerability that has the potential to impact customers of a particular software or hardware and is being actively tracked and researched by Tenable Research. VBMs may quickly evolve into Vulnerabilities of Interest (VOIs) or Vulnerabilities of Concern (VOCs) if a proof-of-concept (PoC) or exploitation is discovered, or if additional intelligence indicates that special attention should be given to this vulnerability. VBMs are actively monitored and elevated to VOI/VOC status should Tenable’s Vulnerability Intelligence justify an escalation of vulnerability status.

    A few recent examples of VBMs include CVE-2024-48887, an unverified password change vulnerability in FortiSwitch, and CVE-2025-23120, a remote code execution flaw in Veeam Backup and Replication.

    Vulnerability of Interest

    A vulnerability of interest (VOI) is a vulnerability that meets the criteria of a VBM, but for which additional intelligence indicates that the risk of impact to customers is elevated or demonstrated, through the publication of a PoC or details that could be used to craft a PoC, along with initial reports of exploitation.

    A few recent examples of VOIs include CVE-2025-22457, which was exploited by a China-nexus threat actor known as UNC5221, and CVE-2025-32433, a remote code execution flaw in Erlang/OTP SSH.

    Vulnerability of Concern

    A vulnerability of concern (VOC) is a vulnerability that meets the criteria of a VOI, but for which active, widespread exploitation is imminent or ongoing. For VOCs, the ease of exploitation combined with the severity of the issue may lead us to believe that widespread exploitation is imminent, if it has not already begun. Maintainers of software or devices vulnerable to VOCs can expect to see exploitation attempts and probing for vulnerable assets.

    A few recent examples of VOCs include a pair of ConnectWise ScreenConnect vulnerabilities (CVE-2024-1709, CVE-2024-1708) and Citrix Bleed (CVE-2023-4966).

    The classifications are also flexible: a CVE can be reclassified from VBM to VOI, from VOI to VOC, or even from VOC back to VOI as risk context evolves.

    Conclusion

    We know there’s no single panacea for the challenges of vulnerability prioritization and remediation. These challenges require a multi-pronged approach. Backed by Tenable Research experts, our Vulnerability Watch classifications can help demystify some of the complexities introduced by CVSS and EPSS and provide stakeholders a simpler, more intuitive way to assess and prioritize risks posed by emerging threats, which can contribute to faster responses and remediation.

    Our Vulnerability Watch classifications can now be found on our CVE page.

    Get more information

    Tenable Vulnerability Intelligence and Exposure Response
    Turning Data into Action: Intelligence-Driven Vulnerability Management
    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild
    by Scott Caveza on April 25, 2025 at 12:00 pm

    SAP has released an out-of-band patch to address CVE-2025-31324, a critical zero-day vulnerability in SAP NetWeaver that has been exploited by threat actors. Organizations are strongly encouraged to apply patches as soon as possible.

    Update May 21: The blog has been updated to include additional information including CVE-2025-42999, the availability of PoC code and updates on active exploitation. View Change Log

    Background

    On April 22, ReliaQuest published details of their investigation of exploit activity in SAP NetWeaver servers. Initially it was unclear whether their discovery was a new vulnerability or the abuse of CVE-2017-9844, a vulnerability that could lead to a denial-of-service (DoS) condition or arbitrary code execution. ReliaQuest reported their findings to SAP and on April 24, SAP disclosed CVE-2025-31324, a critical missing authorization check vulnerability with the highest severity CVSS score of 10.0.

    On May 13, SAP released an additional update for a newly reported CVE affecting SAP NetWeaver servers as part of its May 2025 SAP Security Patch Day.

    CVE | Description | CVSSv3 | VPR*
    CVE-2025-31324 | SAP NetWeaver Unauthenticated File Upload Vulnerability | 10.0 | 9.4
    CVE-2025-42999 | SAP NetWeaver Deserialization of Untrusted Data Vulnerability | 9.1 | 9.2

    *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was updated on May 21 and reflects VPR at that time.

    Analysis

    CVE-2025-31324 is an unauthenticated file upload vulnerability affecting the Metadata Uploader component of SAP NetWeaver Visual Composer. Successful exploitation could allow an unauthenticated attacker to upload malicious files, which can then be used to achieve code execution. The flaw is the result of missing authorization checks on the “/developmentserver/metadatauploader” endpoint. According to ReliaQuest, this vulnerability has been exploited in the wild as a zero-day by threat actors who have abused the flaw to upload malicious web shells to affected hosts. These web shells were used to deploy malware and establish communications with command and control (C2) servers.

    CVE-2025-42999 is a deserialization vulnerability affecting the SAP NetWeaver Visual Composer development server. An authenticated attacker could exploit this vulnerability to achieve code execution on affected hosts. The vulnerability was identified by researchers at Onapsis, who were able to reconstruct attack payloads during their investigation of CVE-2025-31324. They reported CVE-2025-42999 to SAP and the vulnerability was patched during the May 2025 SAP Security Patch Day release. According to Onapsis, this vulnerability remained an underlying issue for exploitation and was not addressed in the update for CVE-2025-31324.

    Exploitation in the wild has continued to increase

    Based on several reports released since this blog was first published, several advanced persistent threat (APT) groups and ransomware groups have been observed actively exploiting CVE-2025-31324.

    Proof of concept

    At the time this blog was first published, no proof-of-concept (PoC) code had been published for CVE-2025-31324. However, shortly after this blog was posted, several scanning tools and PoCs were released on GitHub.

    Solution

    SAP has released patches for affected versions of SAP NetWeaver. At this time, SAP security note #3594142 is not publicly accessible, so we are unable to provide a list of affected and patched versions. It is important to note that these patches were released after SAP’s April 2025 Security Patch Day, published on April 8. So even if those patches were applied, you will still need to apply the out-of-band patches released for CVE-2025-31324.

    In addition, SAP released security note #3604119 on May 13 to address CVE-2025-42999. To be fully protected from these vulnerabilities, we recommend that you apply both updates and refer to the SAP security notes for further information.

    Identifying affected systems

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2025-31324 and CVE-2025-42999 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running SAP NetWeaver by using the following filters:

    Get more information

    ReliaQuest Blog: ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver
    SAP Security Patch Day – April 2025
    SAP Security Patch Day – May 2025
    Onapsis Blog: SAP NetWeaver Flaw Lets Threat Actors Take Full Control: CVE-2025-31324 and CVE-2025-42999 Explained

    Change Log

    Update May 21: The blog has been updated to include additional information including CVE-2025-42999, the availability of PoC code and updates on active exploitation.

    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
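    The SAP entry above names the endpoint whose missing authorization check is abused, “/developmentserver/metadatauploader”, and notes that attackers used it to upload web shells. One defensive use of that detail is to hunt for requests to the endpoint in web access logs. The following is an added example, not Tenable’s, SAP’s or ReliaQuest’s code: it parses a few constructed log lines in Apache combined-log style (real SAP NetWeaver HTTP access logs use their own layout, so the regex is an assumption to adapt), flags every request whose path targets the endpoint regardless of case or query string, labels POSTs as upload attempts and anything else as probes, and tallies source addresses for triage.

```python
"""Flag web requests to the SAP NetWeaver metadata uploader endpoint.

Added example; not Tenable's, SAP's or ReliaQuest's code. The endpoint path
comes from the advisory text. The log lines are constructed in Apache
combined-log style; real NetWeaver HTTP access logs use their own layout
(assumption of this example), so adapt LINE_RE to your log source.
"""
import re
from collections import Counter

# Path named in the advisory as lacking an authorization check.
ENDPOINT = "/developmentserver/metadatauploader"

# Apache combined-log fields we need: client IP, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Apr/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Apr/2025:10:02:44 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [24/Apr/2025:10:03:01 +0000] "GET /irj/portal/logout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Apr/2025:10:05:00 +0000] "GET /DevelopmentServer/MetadataUploader HTTP/1.1" 404 0 "-" "curl/8.4"
"""


def find_uploader_requests(log_text):
    """Return one finding per request whose path targets ENDPOINT.

    Matching is case-insensitive and ignores the query string. A POST is
    labelled an upload attempt; any other method is a probe. Hits are kept
    regardless of status code: a 404 still shows someone looking for the
    endpoint, and a 200 on a POST warrants immediate triage of the host.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith(ENDPOINT):
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": m.group("status"),
            "kind": "upload attempt" if m.group("method") == "POST" else "probe",
        })
    return findings


def sources(findings):
    """Count findings per source address, for blocking or further hunting."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_uploader_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} -> {h["kind"]} (HTTP {h["status"]})')
    print(sources(hits))
```

    A POST that returned 200 to this path on an unpatched system is the case to escalate first, since the entry describes exactly that upload as the way web shells were placed; a probe with a 404 still tells you the host is being looked at.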

  • CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
    by Scott Caveza, Ben Smith on April 18, 2025 at 11:22 am

    Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices.

    Background

    On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the Openwall vulnerability mailing list. Additionally, an official advisory was posted to the GitHub project for Erlang/OTP crediting the researchers for their disclosure.

    CVE | Description | CVSSv3 | VPR*
    CVE-2025-32433 | Erlang/OTP SSH Remote Code Execution Vulnerability | 10.0 | 10

    *Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 18 and reflects VPR at that time.

    Analysis

    CVE-2025-32433 is a remote code execution (RCE) vulnerability affecting the Erlang/OTP SSH server. The vulnerability exists due to a flaw in the SSH protocol message handling which could allow an unauthenticated attacker to execute arbitrary code. According to the advisory, all users running Erlang/OTP SSH servers are impacted, and you should assume impact if your application utilizes the Erlang/OTP SSH library. This vulnerability received the maximum CVSSv3 score of 10.0 and, when the SSH daemon is running as root, allows an attacker to completely compromise an affected device.

    At the time this blog was published, no known exploitation had been observed; however, given the ease of exploitation and critical severity, we anticipate attacks will occur soon.

    Proof of concept

    On April 17, researchers at Platform Security released a public proof-of-concept (PoC) exploit for CVE-2025-32433. The writeup notes that the PoC was generated with the help of ChatGPT and Cursor, and that it was fairly simple to do so using those AI tools.

    The PoC initiates an SSH protocol negotiation as a normal client would. But, before authenticating the user, the client sends an unexpected message with an arbitrary command. The vulnerable server will process these messages and execute the commands. A patched server will disconnect immediately upon seeing these messages prior to authentication.

    An additional PoC has been released, and the Horizon3 Attack Team posted on X (formerly Twitter) that they had developed a PoC but have chosen not to release it as of writing.

        “Just finished reproducing CVE-2025-32433 and putting together a quick PoC exploit — surprisingly easy. Wouldn’t be shocked if public PoCs start dropping soon. If you’re tracking this, now’s the time to take action. #Erlang #SSH pic.twitter.com/hBqJMfFHMN”
        — Horizon3 Attack Team (@Horizon3Attack) April 17, 2025

    Solution

    Erlang/OTP has released patches to address this vulnerability.

    Affected Versions | Fixed Versions
    OTP-27.3.2 and below | OTP-27.3.3
    OTP-26.2.5.10 and below | OTP-26.2.5.11
    OTP-25.3.2.19 and below | OTP-25.3.2.20

    If immediate patching cannot be performed, restricting access via a firewall or disabling the SSH server are mitigation steps provided by Erlang/OTP. However, we strongly recommend upgrading as soon as possible to fully remediate this vulnerability.

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-32433 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify hosts running Erlang/OTP SSH Server.

    Get more information

    Openwall mailing list announcement for CVE-2025-32433
    Advisory for CVE-2025-32433
    Join Tenable’s Security Response Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
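    Both the Ivanti EPMM entry and the Erlang/OTP entry above end in an affected-versus-fixed version table, and the practical question for a defender is the same in each case: given the version string an asset reports, is it at or above the fixed release for its branch? The following is an added example, not Tenable’s, Ivanti’s or Erlang/OTP’s code, that answers that for both tables at once. The fixed versions are copied from the two tables; the product keys, the notion of “branch depth” (how many leading components identify a release branch: 12.3 for EPMM, OTP-26 for Erlang) and the inventory rows are constructed for this example. A version whose branch does not appear in a table is reported as “not listed” rather than assumed safe, since the advisory says nothing about it.

```python
"""Version-table check for the Ivanti EPMM and Erlang/OTP SSH advisories.

Added example; not Tenable's, Ivanti's or Erlang/OTP's code. The fixed
versions are copied from the two advisory tables; product keys, branch
depths and inventory rows are constructed for this example.
"""
import re

# Fixed versions per release branch, from the Ivanti EPMM table
# ("11.12.0.4 and prior" -> fixed in 11.12.0.5, and so on).
IVANTI_EPMM_FIXED = ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"]

# Fixed versions per release branch, from the Erlang/OTP table
# ("OTP-27.3.2 and below" -> fixed in OTP-27.3.3, and so on).
ERLANG_OTP_FIXED = ["OTP-27.3.3", "OTP-26.2.5.11", "OTP-25.3.2.20"]

# Leading components that identify a release branch in each table: Ivanti
# lists branches such as 12.3 (two components), Erlang/OTP lists OTP-25/26/27
# (one component). The product keys are an assumption of this example.
PRODUCTS = {
    "ivanti_epmm": (IVANTI_EPMM_FIXED, 2),
    "erlang_otp": (ERLANG_OTP_FIXED, 1),
}


def parse_version(text):
    """'12.3.0.1' or 'OTP-26.2.5.10' -> (12, 3, 0, 1) / (26, 2, 5, 10)."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def assess(installed, fixed_versions, branch_depth):
    """Return 'vulnerable', 'fixed' or 'not listed' for one installed version.

    Tuple comparison handles differing lengths: (26, 2, 5) sorts before
    (26, 2, 5, 11), so OTP-26.2.5 is correctly treated as below the fix.
    """
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fx = parse_version(fixed)
        if inst[:branch_depth] == fx[:branch_depth]:
            return "vulnerable" if inst < fx else "fixed"
    # Branch absent from the advisory table (e.g. an older or newer major):
    # the table says nothing about it, so escalate rather than assume safe.
    return "not listed"


def assess_inventory(inventory):
    """inventory: iterable of (hostname, product_key, version_string).
    Returns {hostname: status}."""
    results = {}
    for host, product, version in inventory:
        fixed, depth = PRODUCTS[product]
        results[host] = assess(version, fixed, depth)
    return results


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = [
    ("epmm-01", "ivanti_epmm", "12.4.0.1"),
    ("epmm-02", "ivanti_epmm", "11.12.0.5"),
    ("otp-node-a", "erlang_otp", "OTP-25.3.2.19"),
    ("otp-node-b", "erlang_otp", "OTP-27.3.3"),
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

    Feeding this the version strings from an asset inventory export gives a first cut of which hosts still need the update; the “not listed” bucket is where a human checks the vendor advisory for branches the table did not cover.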
