Cyber Exposure Alerts

8Critical72Important0Moderate0LowMicrosoft addresses 80 CVEs, including eight flaws rated critical with one publicly disclosed.Microsoft addresses 80 CVEs in its September 2025 Patch Tuesday release, with eight rated critical, and 72 rated important. Our counts omitted one vulnerability reported by VulnCheck.This month’s update includes patches for:Azure ArcAzure Windows Virtual Machine AgentCapability Access Management Service (camsvc)Graphics KernelMicrosoft AutoUpdate (MAU)Microsoft Brokering File SystemMicrosoft Graphics ComponentMicrosoft High Performance Compute Pack (HPC)Microsoft OfficeMicrosoft Office ExcelMicrosoft Office PowerPointMicrosoft Office SharePointMicrosoft Office VisioMicrosoft Office WordMicrosoft Virtual Hard DriveRole: Windows Hyper-VSQL ServerWindows Ancillary Function Driver for WinSockWindows BitLockerWindows Bluetooth ServiceWindows Connected Devices Platform ServiceWindows DWMWindows Defender Firewall ServiceWindows Imaging ComponentWindows Internet Information ServicesWindows KernelWindows Local Security Authority Subsystem Service (LSASS)Windows Management ServicesWindows MapUrlToZoneWindows MultiPoint ServicesWindows NTFSWindows NTLMWindows PowerShellWindows Routing and Remote Access Service (RRAS)Windows SMBWindows SMBv3 ClientWindows SPNEGO Extended NegotiationWindows TCP/IPWindows UI XAML Maps MapControlSettingsWindows UI XAML Phone DatePickerFlyoutWindows Win32K GRFXXboxElevation of Privilege (EoP) vulnerabilities accounted for 47.5% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 27.5%.ImportantCVE-2025-55234 | Windows SMB Elevation of Privilege VulnerabilityCVE-2025-55234 is an EoP vulnerability affecting Windows Server Message Block (SMB). It was assigned a CVSSv3 score of 8.8 and rated as important. Successful exploitation would allow an unauthenticated attacker to elevate their privileges to that of the compromised user’s account. According to Microsoft, this vulnerability was publicly disclosed prior to a patch being made available.CVE-2025-55234 appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers.CVE-2025-55234 is the fifth Windows SMB vulnerability patched in 2025 and the third Windows SMB EoP disclosed this year. In the June 2025 Patch Tuesday release, Microsoft patched CVE-2025-33073, another publicly disclosed Windows SMB EoP vulnerability. A day after the June 2025 Patch Tuesday release, researchers from RedTeam Pentesting GmbH, one of many researchers credited with reporting the flaw to Microsoft, released a blog post detailing the vulnerability, including proof-of-concept details.CriticalCVE-2025-54918 | Windows NTLM Elevation of Privilege VulnerabilityCVE-2025-54918 is an EoP vulnerability in Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated critical. It was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM.This is the second month in a row that a critical NTLM EoP vulnerability was patched and the third in 2025. In the August 2025 Patch Tuesday release, Microsoft patched CVE-2025-53778, and CVE-2025-21311 in the January 2025 Patch Tuesday release.ImportantCVE-2025-54916 | Windows NTFS Remote Code Execution VulnerabilityCVE-2025-54916 is a RCE in Microsoft Windows New Technology File System (NTFS). It was assigned a CVSSv3 score of 7.8 and is rated important and assessed as “Exploitation More Likely.” An attacker that successfully exploits this flaw would gain RCE on the targeted system. According to the advisory, any authenticated attacker could leverage this vulnerability.Since 2022, the bulk of NTFS vulnerabilities patched across Patch Tuesday have been EoP or Information Disclosure vulnerabilities. However, this is the second NTFS RCE vulnerability since 2022 and the second in 2025. The first, CVE-2025-24993, patched in the March 2025 Patch Tuesday release, was exploited in the wild as a zero-day.CriticalCVE-2025-54910 | Microsoft Office Remote Code Execution VulnerabilityCVE-2025-54910 is a RCE in Microsoft Office. It was assigned a CVSSv3 score of 8.4 and is rated critical and assessed as “Exploitation Less Likely.” An attacker could exploit this vulnerability by convincing a target to open a specially crafted Office document. Additionally, the advisory notes that exploitation is possible through Microsoft Outlook’s Preview Pane. Successful exploitation would grant the attacker RCE privileges on the target system. For users of Microsoft Office LTSC for Mac 2021 and 2024, the advisory states that updates are not yet available, but will be released soon.ImportantCVE-2025-54897 | Microsoft SharePoint Remote Code Execution VulnerabilityCVE-2025-54897 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important and assessed as “Exploitation Less Likely.” In order to exploit this flaw, an attacker would need to be authenticated as any user and privileged accounts, such as admin or other elevated privileges are not necessary to exploit this flaw. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.CriticalCVE-2025-55224 | Windows Hyper-V Remote Code Execution VulnerabilityCVE-2025-55224 is a RCE in Windows Hyper-V. It was assigned a CVSSv3 score of 7.8, rated as critical and assessed as “Exploitation Less Likely.” According to the advisory, an attacker who is able to win a race condition could traverse from the guest hosts security boundary in order to execute arbitrary code on the Hyper-V host machine. While the attack complexity for this vulnerability is high, the impact would be significant for an attacker who is able to successfully exploit this vulnerability.ImportantCVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 | Windows Hyper-V Elevation of Privilege VulnerabilitiesCVE-2025-54091, CVE-2025-54092, CVE-2025-54098, CVE-2025-54115 are EoP vulnerabilities in Windows Hyper-V, Microsoft’s virtualization product. CVE-2025-54091, CVE-2025-54092, CVE-2025-54098 were assigned a CVSSv3 score of 7.8 while CVE-2025-54115 was assigned a CVSSv3 score of 7.0. CVE-2025-54098 was assessed as “Exploitation More Likely” while the remaining three flaws were assessed as “Exploitation Less Likely.”A local, authenticated attacker could exploit these vulnerabilities to elevate to SYSTEM privileges, though in order to exploit CVE-2025-54115, an attacker would first need to win a race condition, which is what contributed to its lower CVSS score.Tenable SolutionsA list of all the plugins released for Microsoft’s September 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s September 2025 Security UpdatesTenable plugins for Microsoft September 2025 Patch Tuesday Security UpdatesJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.202X Patch Tuesday release.

An analysis of Tenable telemetry data shows that the vulnerabilities being exploited by Chinese state-sponsored actors remain unremediated on a considerable number of devices, posing major risk to the organizations that have yet to successfully address these flaws.BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding state-sponsored threat actor activity associated with the People’s Republic of China (PRC).On August 27, the National Security Agency (NSA) published a joint cybersecurity advisory (CSA) authored and co-authored by a number of security agencies from the United States, Australia, Canada, New Zealand, United Kingdom, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain. This CSA provides guidance on PRC state-sponsored threat actor activity and provides tactics, techniques and procedures (TTPs) utilized by these advanced persistent threat (APT) actors. These malicious actors have routinely targeted critical infrastructure, including telecommunications providers, but have also been observed attacking government, transportation, military and lodging entities. While the CSA provides some vulnerabilities exploited by these actors, it’s clear that this is not an exhaustive list and organizations need to continue to be vigilant in addressing known and exploitable vulnerabilities which are often abused for initial access to a victims network.FAQIs this activity associated with Salt Typhoon?The CSA states that the associated activity “partially overlaps” with Salt Typhoon (also known as OPERATOR PANDA, RedMike, UNC5807, GhostEmperor and more), however, it does not specifically attribute this activity to any one threat actor.We published a blog post in January 2025 about Salt Typhoon, analyzing the vulnerabilities used by this threat actor. The overlap between the CVEs confirmed to be used by Salt Typhoon and this CSA includes a pair of Ivanti Connect and Policy Secure vulnerabilities, CVE-2023-46805 and CVE-2024-21887, which are used as part of an exploit chain.As the threat activity discussed in the recent CSA is more generally attributed to PRC state-sponsored actors, we recommend reviewing the blogs we have published on Volt Typhoon and the top 20 CVEs exploited by PRC state-sponsored actors. These blogs include CVEs known to be used by PRC actors, notably including Fortinet firewalls, Microsoft Exchange server and other applications and devices that are referenced in the CSA.What are the vulnerabilities known to have been exploited in these attacks?According to the CSA, the Chinese state-sponsored threat actors are having “considerable success exploiting publicly known common vulnerabilities and exposures (CVEs)” with the following CVEs being listed as used by these threat actors to gain initial access:CVEDescriptionCVSSv3VPRCVE-2024-21887Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability9.110CVE-2023-46805Ivanti Connect Secure and Ivanti Policy Secure Authentication Bypass Vulnerability8.26.7CVE-2024-3400Command Injection Vulnerability in the GlobalProtect Gateway feature of PAN-OS1010CVE-2023-20273Cisco IOS XE Web UI Command Injection Vulnerability7.28.4CVE-2023-20198Cisco IOS XE Web UI Elevation of Privilege Vulnerability109.9CVE-2018-0171Cisco IOS and IOS XE Smart Install Remote Code Execution (RCE) Vulnerability9.89.2*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 29 and reflects VPR at that time.Are there proofs-of-concept (PoCs) available for/these vulnerabilities?Yes, all of the vulnerabilities referenced in the CSA have PoCs available.Are patches or mitigations available for these CVEs?Yes, each of the vendors for these products has released patches and, in many cases, mitigation guidance that may be used if immediate patching is not feasible. However, given that these vulnerabilities have been exploited in the wild, many of them over several years, full remediation of these vulnerabilities should be completed as soon as possible.CVEAffected ProductVendor AdvisoryCVE-2024-21887 and CVE-2023-46805Ivanti Connect Secure and Ivanti Policy SecureAdvisoryCVE-2024-3400Palo Alto PAN-OSAdvisoryCVE-2023-20273 and CVE-2023-20198Cisco IOS XEAdvisoryCisco Talos BlogCVE-2018-0171Cisco IOS and IOS XEAdvisoryHow many devices remain vulnerable to these six CVEs?From an analysis of Tenable telemetry data, we found that a significant number of devices remain unremediated and pose a major risk to the organizations that have yet to successfully patch. As noted in the CSA, these “APT actors may target edge devices regardless of who owns a particular device.” Even in cases where an impacted entity is not a target of interest, these actors may still use compromised devices to conduct additional attacks on targeted networks.In our analysis, we found that Cisco devices had surprisingly significant counts of unpatched devices. For CVE-2023-20273 and CVE-2023-20198, 40% of devices remain unmitigated, while 58% of devices scanned remain vulnerable to CVE-2018-0171.In stark contrast, only around 14% of devices have yet to remediate CVE-2024-21887 and CVE-2023-46805. For Palo Alto devices, only around 3% of devices have yet been patched for CVE-2024-3400.Given the mixed remediation rates amongst these six CVEs, it’s imperative that organizations quickly mitigate these threats and ensure their devices are fully up to date. As the CSA notes, these threat actors are not reliant on zero-day vulnerabilities, but rather continue to target known and exploitable vulnerabilities on edge devices in order to gain initial access to their victims’ networks.Have any of these CVEs been classified under Tenable’s Vulnerability Watch?Yes, we have classified several of the CVEs referenced in this CSA under our Vulnerability Watch:CVEVulnerability Watch StatesFirst EstablishedLast EstablishedCVE-2024-21887Vulnerability of Concern2024-01-102024-08-28CVE-2023-46805Vulnerability of Concern2024-01-102025-02-05CVE-2024-3400Vulnerability of Interest, Vulnerability of Concern2024-04-122024-08-28CVE-2018-0171Vulnerability of Interest2025-08-212025-08-27CVE-2023-20273 and CVE-2023-20198 were not classified prior to the publication of this CSA, as we began our Vulnerability Watch classifications at the start of 2024. We have been publishing Cyber Exposure Alert content since late 2018, and published a blog post for CVE-2023-20198 and CVE-2023-20273 on the same day the advisory was released. We recently added CVE-2018-0171 following an FBI alert.As a result of this CSA, we have classified all six CVEs as Vulnerabilities Being Monitored. For more information about Vulnerability Watch, please visit our blog, Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help.Have any of these CVEs been added to the CISA KEV?Yes, each of these CVEs has been featured in the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog.CVEDate AddedRemediation Due DateCVE-2024-218871/10/20241/22/2024CVE-2023-468051/10/20241/22/2024CVE-2024-34004/12/20244/19/2024CVE-2023-2027310/23/202310/27/2023CVE-2023-2019810/16/202310/20/2023CVE-2018-017111/3/20215/3/2022Has Tenable released any product coverage for these vulnerabilities?Yes, plugin coverage is available for each of these CVEs. A list of Tenable plugins for these vulnerabilities can be found on their individual CVE pages:CVE-2024-21887CVE-2023-46805CVE-2024-3400CVE-2023-20273CVE-2023-20198CVE-2018-0171This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.In addition to these CVEs, we also recommend scanning with plugin ID 105161 to identify if Cisco Smart Install is enabled on any Cisco devices in your network. As noted in the CSA, disabling the Cisco Smart Install feature is highly recommended. In an update to the security advisory for CVE-2018-0171 on August 20, 2025, Cisco noted that they are ”aware of continued exploitation activity of the vulnerability that is described in this advisory and strongly recommends that customers assess their systems and upgrade to a fixed software release as soon as possible.”Tenable Attack Path Analysis techniquesThe following are a list of associated Tenable Attack Path Analysis techniques for the TTPs discussed in the CSA:MITRE ATT&CK IDDescriptionTenable Attack Path techniquesT1040Network SniffingT1040_WindowsT1068Exploitation for Privilege EscalationT1068_WindowsT1082System Information DiscoveryT1082T1098.004Account ManipulationT1098.004T1190Exploit Public-Facing ApplicationT1190_AwsT1190_WAST1048.003Exfiltration over Alternative ProtocolT1048.003_WindowsT1059.006Command and Scripting Interpreter: Python”T1059.006_WindowsTenable Identity Exposure Indicators of Exposure and Indicators of AttackThe following are a list of Indicators of Exposure and Indicators of Attack for Tenable Identity Exposure:MITRE ATT&CK IDDescriptionIndicatorsT1003OS Credential DumpingC-ADM-ACC-USAGEC-ADMIN-RESTRICT-AUTHT1021Remote ServicesC-LAPS-UNSECURE-CONFIGC-AAD-PRIV-SYNCC-USERS-REVER-PWDST1068Exploitation for Privilege EscalationI-SamNameImpersonationT1190Exploit Public-Facing ApplicationAPPLICATION-ALLOWING-MULTI-TENANT-AUTHENTICATIONABILITY-OF-STANDARD-ACCOUNTS-TO-REGISTER-APPLICATIONSC-EXCHANGE-VERSIONT1199Trusted RelationshipC-DANGEROUS-TRUST-RELATIONSHIPC-ACCOUNTS-DANG-SID-HISTORYT1556Modify Authentication ProcessC-SHADOW-CREDENTIALST1595Active ScanningC-GUEST-ACCOUNTGUEST-ACCOUNTS-WITH-EQUAL-ACCESS-TO-NORMAL-ACCOUNTSUNRESTRICTED-GUEST-ACCOUNTSGUEST-ACCOUNT-WITH-A-PRIVILEGED-ROLEAdditional MITRE ATT&CK ResourcesMITRE ATT&CK IDDescriptionProductT1190Exploit Public-Facing ApplicationTenable Web App ScanningT1595Active ScanningTenable Attack Surface ManagementGet more informationJoint CSA: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage SystemTenable blog: Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored ActorTenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure GatewaysTenable Blog: CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the WildTenable Blog: CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the WildTenable Blog: Proof of Concept (and Patch) for Critical Cisco IOS Vulnerability: CVE-2018-0171Tenable Blog: Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored ActorsTenable Blog: Top 20 CVEs Exploited by People’s Republic of China State-Sponsored Actors (AA22-279A)Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Citrix has released patches to address a zero-day remote code execution vulnerability in NetScaler ADC and NetScaler Gateway that has been exploited. Organizations are urged to patch immediately.BackgroundOn August 26, Citrix published a security advisory for three vulnerabilities, including CVE-2025-7775, a zero-day vulnerability which has been exploited against its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances:CVEDescriptionCVSSv4CVE-2025-7775Citrix NetScaler ADC and Gateway Unauthenticated Remote Code Execution (RCE) and Denial of Service (DoS) Vulnerability9.2CVE-2025-7776Citrix NetScaler ADC and Gateway DoS Vulnerability8.8CVE-2025-8424Citrix NetScaler ADC and Gateway Improper Access Control Vulnerability8.7AnalysisCVE-2025-7775 is a RCE vulnerability affecting NetScaler ADC and Gateway appliances. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code or cause a DoS condition on an affected device. According to the security advisory from Citrix, exploitation has been observed prior to the advisory and patches being made public.While Citrix only confirmed exploitation of CVE-2025-7775, two additional vulnerabilities were patched as part of the same security advisory.CVE-2025-7776 is a DoS vulnerability affecting NetScaler ADC and Gateway appliances. An authenticated attacker can trigger a memory overflow vulnerability in order to cause a DoS condition on an affected device. Devices that have been configured as a Gateway with a bounded PCoIP Profile are affected by this vulnerability.CVE-2025-8424 is an improper access control vulnerability affecting NetScaler ADC and Gateway appliances. While no privileges are required to exploit this vulnerability, an attacker would need access to “NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access” in order to take advantage of this flaw.ADC and Gateway Historically Targeted by AttackersCitrix’s NetScaler ADC and Gateway appliances have been a valuable target for attackers over the last several years. Vulnerabilities including CVE-2022-27518 and CVE-2019-19781 have been favored by attackers. This includes attacks from Chinese state-sponsored threat actors, Iranian-based threat actors, Russian state-sponsored threat groups as well as ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.More recently, Citrix NetScaler ADC and Gateway have been targeted by vulnerabilities known as CitrixBleed and CitrixBleed 2. CVE-2023-4966, known as CitrixBleed, was first disclosed in October 2023 after it was discovered as being exploited as a zero-day. Attacks continued to ramp up and the flaw was widely exploited by multiple ransomware groups and additional threat actors. CVE-2025-5777, known as CitrixBleed 2, was disclosed in June of this year. Multiple security researchers and outlets reported that CitrixBleed 2 was also exploited as a zero-day.Due to the historical exploitation against NetScaler ADC and Gateway appliances, we strongly urge organizations to patch CVE-2025-7775 as soon as possible.Proof of conceptAt the time this blog post was published, no public proof-of-concept (PoC) had been identified for any of these vulnerabilities. However, given the historical exploitation of Citrix NetScaler ADC and Gateway and the reported usage of CVE-2025-7775 as a zero-day, we anticipate that exploit code may become available soon.SolutionCitrix has released patches for these vulnerabilities as outlined in the table below:Affected ProductAffected VersionFixed VersionNetScaler ADC and NetScaler Gateway13.1 before 13.1-59.2213.1-59.22 and later releases of 13.1NetScaler ADC and NetScaler Gateway14.1 before 14.1-47.4814.1-47.48 and later releasesNetScaler ADCADC 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP13.1-37.241-FIPS and NDcPP and later releasesNetScaler ADC12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP12.1-55.330-FIPS and NDcPP and later releasesNote: NetScaler ADC and NetScaler Gateway version 12.1 and 13.0 are End Of Life (EOL). Customers are recommended to upgrade their appliances to a supported version that addresses these vulnerabilities.Identifying affected systemsA list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, customers can utilize Tenable Attack Surface Management to identify public facing NetScaler ADC and Gateway assets by using the following subscription: Get more informationNetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424Tenable Blog: Frequently Asked Questions for CitrixBleed (CVE-2023-4966)Tenable Blog: CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler ExploitationJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Exploit code is reportedly available for a critical command injection vulnerability affecting Fortinet FortiSIEM devices.BackgroundOn August 12, Fortinet published a security advisory (FG-IR-25-152) for CVE-2025-25256, a critical command injection vulnerability affecting Fortinet FortiSIEM.CVEDescriptionCVSSv3CVE-2025-25256Fortinet FortiSIEM Command Injection Vulnerability9.8AnalysisCVE-2025-25256 is a critical operating system (OS) command injection vulnerability affecting Fortinet FortiSIEM. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests.According to the advisory, exploitation of this flaw does not “produce distinctive” indicators of compromise (IoCs). As such, it may be difficult to identify that a device has been compromised.Historical Exploitation of Fortinet DevicesFortinet vulnerabilities have historically been common targets for cyber attackers, with 20 CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.CVEDescriptionPatchedTenable BlogCVE-2025-32756Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution VulnerabilityMay 2025CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the WildCVE-2024-55591Fortinet Authentication Bypass in FortiOS and FortiProxyJanuary 2025CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the WildCVE-2024-21762Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpndFebruary 2024CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN VulnerabilityCVE-2023-27997FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityJune 2023CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)CVE-2022-42475FortiOS and FortiProxy Heap-Based Buffer Overflow VulnerabilityDecember 2022CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNsAA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475CVE-2022-40684FortiOS and FortiProxy Authentication Bypass VulnerabilityOctober 2022CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxyProof of conceptAt the time the advisory was published by Fortinet on August 12, they warned that “practical exploit code” had been found in the wild, though they did not provide a link to the exploit. Tenable Research has attempted to identify a functional proof-of-concept (PoC) for this flaw, however, we have not successfully located one as of the time this blog was published.SolutionThe following table details the affected and fixed versions of Fortinet devices for CVE-2025-25256:Product VersionAffected RangeFixed VersionFortiSIEM 5.4All Versions of 5.4Migrate to a fixed releaseFortiSIEM 6.1All Versions of 6.1Migrate to a fixed releaseFortiSIEM 6.2All Versions of 6.2Migrate to a fixed releaseFortiSIEM 6.3All Versions of 6.3Migrate to a fixed releaseFortiSIEM 6.4All Versions of 6.4Migrate to a fixed releaseFortiSIEM 6.5All Versions of 6.5Migrate to a fixed releaseFortiSIEM 6.6All Versions of 6.6Migrate to a fixed releaseFortiSIEM 6.76.7.0 through 6.7.96.7.10 or aboveFortiSIEM 7.07.0.0 through 7.0.37.0.4 or aboveFortiSIEM 7.17.1.0 through 7.1.77.1.8 or aboveFortiSIEM 7.27.2.0 through 7.2.57.2.6 or aboveFortiSIEM 7.37.3.0 through 7.3.17.3.2 or aboveFortiSIEM 7.4Not AffectedNot ApplicableFortinet’s security advisory advises if immediate patching is not able to be performed, they recommend limiting access to the phMonitor port of 7900. We strongly recommend reviewing the advisory for updates as well as the latest on mitigation or indicators of compromise (IoCs).Identifying affected systemsA list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-25256 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:Get more informationFortinet FG-IR-25-152 Security AdvisoryJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

13Critical91Important2Moderate1LowMicrosoft addresses 107 CVEs, including one zero-day vulnerability that was publicly disclosed.Microsoft patched 107 CVEs in its August 2025 Patch Tuesday release, with 13 rated critical, 91 rated as important, one rated as moderate and one rated as low.This month’s update includes patches for:Azure File SyncAzure OpenAIAzure PortalAzure StackAzure Virtual MachinesDesktop Windows ManagerGitHub Copilot and Visual StudioGraphics KernelKernel Streaming WOW Thunk Service DriverKernel Transaction ManagerMicrosoft 365 Copilot’s Business ChatMicrosoft Brokering File SystemMicrosoft Dynamics 365 (on-premises)Microsoft Edge for AndroidMicrosoft Exchange ServerMicrosoft Graphics ComponentMicrosoft OfficeMicrosoft Office ExcelMicrosoft Office PowerPointMicrosoft Office SharePointMicrosoft Office VisioMicrosoft Office WordMicrosoft TeamsRemote Access Point-to-Point Protocol (PPP) EAP-TLSRemote Desktop ServerRole: Windows Hyper-VSQL ServerStorage Port DriverWeb DeployWindows Ancillary Function Driver for WinSockWindows Cloud Files Mini Filter DriverWindows Connected Devices Platform ServiceWindows DirectXWindows Distributed Transaction CoordinatorWindows File ExplorerWindows GDI+Windows InstallerWindows KerberosWindows KernelWindows Local Security Authority Subsystem Service (LSASS)Windows MediaWindows Message QueuingWindows NT OS KernelWindows NTFSWindows NTLMWindows PrintWorkflowUserSvcWindows Push NotificationsWindows Remote Desktop ServicesWindows Routing and Remote Access Service (RRAS)Windows SMBWindows Security AppWindows StateRepository APIWindows Subsystem for LinuxWindows Win32K GRFXWindows Win32K ICOMPElevation of privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 32.7%.ModerateCVE-2025-53779 | Windows Kerberos Elevation of Privilege VulnerabilityCVE-2025-53779 is an EoP vulnerability in Windows Kerberos. It was assigned a CVSSv3 score of 7.2 and is rated moderate. An authenticated attacker with access to a user account with specific permissions in active directory (AD) and at least one domain controller in the domain running Windows Server 2025 could exploit this vulnerability to achieve full domain, and then forest compromise in an AD environment.This is a patch for a zero-day vulnerability dubbed BadSuccessor by Yuval Gordon, a security researcher at Akamai. It was disclosed on May 21. For more information on BadSuccessor, please review our FAQ blog, Frequently Asked Questions About BadSuccessor.ImportantCVE-2025-49712 | Microsoft SharePoint Remote Code Execution VulnerabilityCVE-2025-49712 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.This RCE follows on the heels of the ToolShell vulnerabilities that were disclosed in the July 2025 Patch Tuesday release and exploited in the wild as zero-days.CriticalCVE-2025-53778 | Windows NTLM Elevation of Privilege VulnerabilityCVE-2025-53778 is an EoP vulnerability affecting Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated as critical. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM. This flaw was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.This marks the second critical EoP affecting Windows NTLM in 2025, following CVE-2025-21311 which was patched in the January 2025 Patch Tuesday release.CriticalCVE-2025-50177, CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145 | Microsoft Message Queuing (MSMQ) Remote Code Execution VulnerabilityCVE-2025-50177, CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). While three of these four CVEs (CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145) were assigned CVSSv3 scores of 8.8 and rated as important, CVE-2025-50177 was assigned a CVSSv3 score of 8.1 and rated as critical. Similarly, CVE-2025-50177 was assessed as “Exploitation More Likely,” while the other three were assessed as “Exploitation Less Likely.”In order to exploit these CVEs, an attacker would need to send a crafted MSMQ packet to a vulnerable server in order to achieve code execution.Tenable SolutionsA list of all the plugins released for Microsoft’s August 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.Get more informationMicrosoft’s August 2025 Security UpdatesTenable plugins for Microsoft August 2025 Patch Tuesday Security UpdatesJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Frequently asked questions about CVE-2025-53786, an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.FAQWhat is CVE-2025-53786CVE-2025-53786 is an elevation of privilege (EoP) vulnerability affecting hybrid deployments of Microsoft Exchange Server. An attacker with administrator privileges to an on-premises Exchange Server can escalate their privileges within a connected cloud environment. This flaw exists due to Exchange Server and Exchange Online sharing “the same service principal in hybrid configurations.”When was CVE-2025-53786 first disclosed?Microsoft first disclosed CVE-2025-53786 on August 6. According to the security advisory, Microsoft identified the vulnerability after further investigation of a non-security Hot Fix released on April 18 alongside an announcement on Exchange Server Security Changes for Hybrid Deployments.Was this exploited as a zero-day?As of August 7, no known exploitation has been observed by Microsoft. However, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.What makes CVE-2025-53786 so serious?While exploitation of this EoP vulnerability requires an attacker to have administrative access to an on-prem Exchange Server, successful exploitation would impact a victims Exchange Online cloud environment. This vulnerability exists because Exchange Server and Exchange Online share the same service principal. According to Microsoft, a successful attack would not leave an “easily detectable and auditable trace.”The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert for CVE-2025-53786 on August 6, stressing that “if not addressed, could impact the identity integrity of an organization’s Exchange Online service.”CISA followed up with Emergency Directive ED 25-02: Mitigate Microsoft Exchange Vulnerability on August 7, directing federal agencies to take immediate action by 9:00 AM ET on Monday August 11 to address the flaw.Is there a proof-of-concept (PoC) available for this vulnerability?At the time this blog was published on August 7, no PoC had been identified for CVE-2025-53786.Are patches or mitigations available for CVE-2025-53786?Microsoft released a Hot Fix on April 18 that improved the security of Exchange hybrid deployments that mitigates this issue. In order to be fully protected, it is recommended that the Hot Fix or a later release is applied. In addition, Microsoft recommends applying the configuration recommendations in the article Deploy dedicated Exchange hybrid app.Additionally, Microsoft recommends that customers who previously configured Exchange hybrid or OAuth authentication for Exchange Server to Exchange Online and no longer use it to ensure you have “reset the service principal’s keyCredentials.”We recommend reviewing Microsoft’s security advisory for CVE-2025-53786 for the latest recommendations from Microsoft.Has Tenable released any product coverage for these vulnerabilities?A list of Tenable plugins for these vulnerabilities can be found on the individual CVE page for CVE-2025-53786 as they’re released.This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Get more informationMicrosoft Security Advisory for CVE-2025-53786Microsoft Article: Deploy dedicated Exchange hybrid appMicrosoft Blog: Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptionsCISA Alert: Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange DeploymentsJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Trend Micro releases a temporary mitigation tool to reduce exposure to two unpatched zero-day command injection vulnerabilities which have been exploited.BackgroundOn August 5, Trend Micro released a security advisory for two critical flaws affecting on-prem versions of Apex One Management Console. According to the advisory, Trend Micro has observed active exploitation of the vulnerabilities.CVEDescriptionCVSSv3CVE-2025-54987Trend Micro Apex One Management Console Command Injection Vulnerability9.4CVE-2025-54948Trend Micro Apex One Management Console Command Injection Vulnerability9.4According to Trend Micro, these two CVEs are the same, however CVE-2025-54987 was issued for a different CPU architecture.AnalysisCVE-2025-54987 and CVE-2025-54948 are both command injection vulnerabilities affecting the management console of on-prem installations of Trend Micro Apex One. An unauthenticated attacker with network or physical access to a vulnerable machine can upload arbitrary files, allowing the attacker to execute commands and achieve code execution. While two CVEs were issued, the advisory notes that CVE-2025-54987 was issued for a different CPU architecture than CVE-2025-54948.Trend Micro Apex One™ as a Service and Trend Vision One Endpoint Security – Standard Endpoint Protection have been mitigated to these vulnerabilities as of July 31 and are not impacted by them. At this time, only on-prem installations of Apex One are affected.Historical exploitation of Apex OneApex One has been targeted by threat actors in the past, including zero-day exploitation of flaws affecting on-prem installations. CVE-2020-8467 and CVE-2020-8468 were addressed in March 2020 after in the wild exploitation was discovered, followed by CVE-2022-40139 in September 2022. As of the time this blog was published on August 6, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists nine vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).Vendor responseAs of the time this blog was published on August 6, Trend Micro’s security advisory for these vulnerabilities notes that a patch has not yet been released and is to be expected “around the middle of August 2025.” We will update the blog with further updates and solution steps once patches are released.In the meantime, a short-term mitigation tool has been released. This tool can be used to protect against known exploits and disables “the ability for administrators to utilize the Remote Install Agent function to deploy agents.”While successful exploitation requires an attacker to either have physical access or network access to the management interface, Trend Micro suggests that customers who have publicly exposed the management console’s IP address also consider additional mitigation factors to restrict access to the management console.Identifying affected systemsA list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-54987 and CVE-2025-54948 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Get more informationTrend Micro Security Advisory: ITW CRITICAL SECURITY BULLETIN: Trend Micro Apex One™ (On-Premise) Management Console Command Injection RCE VulnerabilitiesJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Researchers have disclosed two vulnerabilities in Cursor, the popular AI-assisted code editor, that impact its handling of model context protocol (MCP) servers, which could be used to gain code execution on vulnerable systems.BackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding two recently disclosed vulnerabilities in Cursor IDE.FAQWhat is Cursor?Cursor is an AI-assisted integrated development environment (IDE), or AI code editor, developed by Anysphere. It was first released in March 2023.Who uses Cursor?In January 2025, Cursor had over 1 million users, according to a Bloomberg report. The company states that Cursor is used by over half of the Fortune 500, naming NVIDIA, Uber and Adobe among its customers.What is CurXecute and MCPoison?CurXecute and MCPoison are the names given to two separate vulnerabilities in Cursor.What are the vulnerabilities associated with CurXecute and MCPoison?The following are the CVEs assigned for both CurXecute and MCPoison:CVEDescriptionCVSSv3CVE-2025-54135Cursor Arbitrary Code Execution Vulnerability (“CurXecute”)8.5CVE-2025-54136Cursor Remote Code Execution via Unverified Configuration Modification Vulnerability (“MCPoison”)7.2When were these vulnerabilities first disclosed?CurXecute (CVE-2025-54135) was disclosed on August 1 by researchers at AIM Security while MCPoison (CVE-2025-54136) was disclosed on August 5 by researchers at Check Point Research.Were any of these vulnerabilities exploited as a zero-day?No, these vulnerabilities were disclosed to Cursor by the respective researchers through coordinated disclosure on July 7 (CurXecute) and July 16 (MCPoison).Are there any proofs-of-concept (PoCs) available for CurXecute and MCPoison?Yes, the researchers have published PoC details on their respective blog posts, explaining how attackers could potentially exploit these flaws.How severe are CurXecute and MCPoison?Both vulnerabilities have the potential to be severe, but it is context dependent. The common thread between the two flaws is how Cursor handles interaction with MCP servers.For a primer on MCP, read the blog Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications. Additionally, Tenable Research has published investigations into MCP security, including MCP prompt injection and our discovery of a critical flaw in Anthropic MCP Inspector.In the example outlined by AIM Security for CurXecute, an attacker could leverage prompt injection by targeting an MCP connected to a Slack instance, sending a crafted message that would be processed by the Slack MCP Server and read by Cursor to modify the underlying global mcp.json configuration settings even before the user has a chance to reject the suggested edits by AI. Crucially, Cursor would execute the command added to the modified MCP configuration immediately.In the example outlined by Check Point Research for MCPoison, the flaw stems from the approval of an MCP server that contains a project-specific configuration (mcp.json). Once this MCP server has been approved by the target, any changes to the underlying configuration are considered trusted because it is bound by the MCP name not its contents. This would allow an attacker to modify the configuration to include malicious commands that would be executed silently and without requiring re-approval.AI-assisted code editors help with the development of software but they introduce a new layer of risk. Whether through enabling MCP servers that could be vulnerable to prompt injection (CurXecute) or leveraging a seemingly harmless open-source project that is then compromised by a malicious contributor (MCPoison).Are patches or mitigations available for CurXecute and MCPoison?Yes, Cursor has released updated versions of its IDE to address both CurXecute and MCPoison.CVEAffected ProductAffected VersionsFixed VersionCVE-2025-54135Cursor1.21 and below1.3.9CVE-2025-54136Cursor1.2.4 and below1.3Has Tenable released any product coverage for these vulnerabilities?A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:CVE-2025-54135CVE-2025-54136This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Customers can also use our MCP Server Detected plugin to identify MCP server usage.Get more informationWhen Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑StartMCPoison Cursor IDE: Persistent Code Execution via MCP Trust BypassJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

An increase in ransomware activity tied to SonicWall Gen 7 Firewalls has been observed, possibly linked to the exploitation of a zero-day vulnerability in its SSL VPN.Update August 7: The blog has been updated with the latest updates from SonicWall, noting that there has not been a new zero-day vulnerability identified.View Change LogBackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an increase in ransomware activity targeting SonicWall Gen 7 Firewalls.FAQWhat is the ransomware activity being observed against SonicWall Gen 7 Firewalls?Reports from researchers at Arctic Wolf and Huntress have noted an observable increase in attacks targeting SonicWall firewalls, specifically the Gen 7 (or seventh generation) firewalls. Both Arctic Wolf and Huntress assess that the ransomware activity is linked to the Akira ransomware.When was this ransomware activity against SonicWall firewalls first observed?Arctic Wolf observed an increase in activity at the end of July 2025, while Huntress has been responding to incidents in the first few days of August 2025.What does this have to do with SonicWall’s SSL VPN and a zero-day vulnerability?The ransomware activity has been observed on Gen 7 firewalls with SSL VPN enabled.Researchers have noted that even if multifactor authentication is enabled, attackers have been able to compromise accounts on these devices. In some instances, the SonicWall devices are fully patched. These factors give credence to the likelihood that a zero-day vulnerability in these devices is being exploited.In an update on August 6, SonicWall clarified that the recent activity “is not connected to a zero-day vulnerability.” Instead, many the incidents they have investigated have been in devices that have migrated from Gen 6 to Gen 7 firewalls, where local user accounts were not reset as outlined in security advisory SNWLID-2024-0015. This advisory addresses CVE-2024-40766, an improper access control vulnerability which has been observed to have been exploited in the wild.What are the vulnerabilities associated with this ransomware activity?As of August 5, SonicWall has not yet assigned any CVEs for the ransomware activity. On August 6, SonicWall updated their threat activity notice indicating that threat activity is related to CVE-2024-40766.Are there any other threat actors involved in this ransomware activity?Right now, we are only aware of reports that the Akira ransomware has been leveraged in these attacks. We will update this blog post if or when additional ransomware activity, along with any other malicious activity, is observed.Are patches or mitigations available for this ransomware activity?SonicWall has published a threat activity notice on its website as it investigates the reports of malicious activity. The current guidance as of August 6 instructs customers using SonicWall Gen 7 firewalls who have imported configurations from Gen 6 to review the following guidance:Update firmware to version 7.3.0 which has “enhanced protections against brute force attacks and additional MFA controls.”Reset all local user account passwords. This is especially important in cases where accounts with SSLVPN access were migrated from Gen 6 to Gen 7.Enforce multifactor authentication (MFA) for SSLVPNAudit accounts and identify unused or inactive accountsUse strong and unique passwords for user accountsEnable Botnet Protection and Geo-IP Filtering. I thought that MFA was bypassed by the attackers, so why is that listed as a mitigation?MFA is part of standard security guidance to thwart against common attack vectors, e.g. brute-force, credential stuffing or stolen credentials.Has Tenable released any product coverage?While no new CVE has been announced, the updated guidance as of August 6 is that observed threat activity is related to CVE-2024-40766. Tenable product coverage for CVE-2024-40766 can be found here. Tenable customers can also utilize our SonicWall SonicOS detection plugin to identify Gen 7 devices on their networks.Additionally, Tenable Attack Surface Management customers can identify external-facing SonicWall assets with SSL VPN enabled by leveraging the built-in subscription labeled SonicWall SSL-VPN v1. Change LogUpdate August 7: The blog has been updated with the latest updates from SonicWall, noting that there has not been a new zero-day vulnerability identified.Get more informationGen 7 SonicWall Firewalls – SSLVPN Recent Threat ActivityArctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPNHuntress Threat Advisory: Active Exploitation of SonicWall VPNsJoin Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution.Update July 25: The blog has been updated to include a report that Storm-2603 is exploiting the ToolShell vulnerabilities to deploy the Warlock ransomware.View Change LogBackgroundTenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day SharePoint Server vulnerability that has been exploited in the wild.FAQWhen was the SharePoint exploitation first disclosed?On July 19, reports emerged that Microsoft SharePoint Servers around the world were under active exploitation. Researchers at Eye Security published a blog post detailing their identification of an “active, large-scale exploitation” that was initially linked to a pair of vulnerabilities in SharePoint dubbed ToolShell.What are the vulnerabilities associated with ToolShell?ToolShell was the name given to a pair of vulnerabilities used as part of an exploit chain in SharePoint Server disclosed at Pwn2Own Berlin by security researcher Dinh Ho Anh Khoa of Viettel Cyber Security.CVEDescriptionCVSSv3CVE-2025-49706Microsoft SharePoint Server Spoofing Vulnerability6.3CVE-2025-49704Microsoft SharePoint Remote Code Execution Vulnerability8.8 The SharePoint patch for Pwn2Own Berlin has been released – patch ASAPThe exploit need only one request💣I’d name this bug ToolShell – ZDI did say the endpoint is ToolPane after all😅https://t.co/I5Lwzj0aOx#CVE_2025_49706 #CVE_2025_49704 #SharePoint #Pwn2Own pic.twitter.com/HqGvV61Plw— Khoa Dinh (@_l0gg) July 10, 2025Was ToolShell actually used in these attacks?Yes, Microsoft confirmed on July 22 that they observed exploit attempts using the ToolShell vulnerabilities. However, Microsoft also published a blog post on July 19 that included a new CVE identifier for a zero-day vulnerability used in the attacks detailed by Eye Security.CVEDescriptionCVSSv3CVE-2025-53770Microsoft SharePoint Server Remote Code Execution Vulnerability9.8According to Microsoft, CVE-2025-53770 is a “variant” of one of the ToolShell vulnerabilities, CVE-2025-49706.Following the publication of our FAQ blog on July 20, Microsoft updated its blog post, creating an additional CVE:CVEDescriptionCVSSv3CVE-2025-53771Microsoft SharePoint Server Spoofing Vulnerability6.3Microsoft says that both CVE-2025-53770 and CVE-2025-53771 were created to provide “more robust protections” than CVE-2025-49704 and CVE-2025-49706.How severe is the exploitation of CVE-2025-53770?Successful exploitation of CVE-2025-53770 could grant an attacker the ability to obtain MachineKey configuration details from a vulnerable SharePoint Server to create specially crafted requests that could enable unauthenticated remote code execution.How widespread are the attacks exploiting CVE-2025-53770?A post from The Shadowserver Foundation on X confirmed that at least 9,300 SharePoint servers were publicly accessible as of July 20. However, it is important to note that not all 9,300 servers are considered vulnerable.Alert: SharePoint CVE-2025-53770 incidents! In collaboration with @eyesecurity & @watchtowrcyber we are notifying compromised parties. Read: https://t.co/j1rxtN32iq~9300 Sharepoint IPs seen exposed daily (just population, no vulnerability assessment): https://t.co/rCFGTrhiDT pic.twitter.com/QEx2sJ3K4X— The Shadowserver Foundation (@Shadowserver) July 20, 2025Has CVE-2025-53771 been exploited in the wild?As of July 20, Microsoft’s advisory for CVE-2025-53771 does not include any references to exploitation. If that changes, we will update this blog.Which threat actors are exploiting CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770?On July 22, Microsoft published a blog post confirming that as early as July 7, they observed exploit attempts of CVE-2025-49706 and CVE-2025-49704 by two Chinese state actors called Linen Typhoon and Violet Typhoon as well as a China-based actor called Storm-2603.As part of an update to its blog post on in-the-wild exploitation, Microsoft says that Storm-2603 has been observed exploiting the ToolShell vulnerabilities to deploy the Warlock ransomware.Is there a proof-of-concept (PoC) available for these vulnerabilities?Yes, we are aware that proof-of-concept (PoC) exploits for CVE-2025-53770, including repositories that include exploit code, are now available. However, it is important to note that attackers create fake PoCs for trending vulnerabilities and host them on development platforms in order to steal information.When this blog was published on July 20, there were no PoCs for CVE-2025-53770. However, we knew CVE-2025-53770 was a variant of CVE-2025-49706, one of the CVEs in the ToolShell chain. Researchers at CODE WHITE GmbH were able to reproduce the chain and disclosed this confirmation on X (formerly Twitter) on July 14.We have reproduced “ToolShell”, the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it’s really just one request! Kudos to @mwulftange pic.twitter.com/sPHVVBal3K— CODE WHITE GmbH (@codewhitesec) July 14, 2025Additionally, security researcher Soroush Dalili was able to work alongside Google’s Gemini to help identify the Microsoft SharePoint authentication bypass (CVE-2025-49706).I originally had Gemini expecting a 200 OK instead of a 401, but after dropping a server-side breakpoint so it could use a timeout as the auth signal, it cracked the bypass! 🥈 AI + human teamwork for the win! 🎉Next: finding the right parameters & deserialization in… https://t.co/uFwK8ANJvz pic.twitter.com/MM916K69um— Soroush Dalili (@irsdl) July 18, 2025Are patches or mitigations available for CVE-2025-53770 and CVE-2025-53771?On July 20, Microsoft released patches for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019 that address both CVE-2025-53770 and CVE-2025-53771. On July 21, Microsoft released patches for Microsoft SharePoint Server 2016.The ToolShell exploit chain was patched as part of Microsoft’s July 2025 Patch Tuesday.Microsoft’s blog post provides mitigation instructions that include configuring AMSI integration in SharePoint Servers that do not have it enabled by default, as well as utilizing Defender Antivirus on all SharePoint servers.Are there any indicators of compromise for exploitation of CVE-2025-53770?Yes, there are several indicators of compromise (IoCs) that have been included in the blog post published by Eye Security, including several known IP addresses and user agent strings.One key indicator of compromise is the creation of a file, spinstall0.aspx, on vulnerable SharePoint Servers. This file is being used to obtain the MachineKey configuration details. Microsoft also provided additional file names including spinstall.aspx, spinstall1.aspx, and spinstall2.aspx as well as other indicators.Has Tenable classified these vulnerabilities under Vulnerability Watch?Yes, our RSO team have classified all the vulnerabilities associated with these attacks as follows:CVEVulnerability Watch ClassificationDate AddedCVE-2025-53770Vulnerability of ConcernJuly 20CVE-2025-53771Vulnerability Being MonitoredJuly 21CVE-2025-49704Vulnerability of ConcernJuly 22CVE-2025-49706Vulnerability of ConcernJuly 22Because CVE-2025-53771 has not been confirmed as exploited in the wild and is considered “Exploitation Less Likely,” we have flagged it as a Vulnerability Being Monitored.For more information about our Vulnerability Watch classifications, please visit our blog, Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help.Has Tenable released any product coverage for these vulnerabilities?When this blog was published on July 20, there were no patches available for CVE-2025-53770. However, Microsoft has since released patches for SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016 that address CVE-2025-53770 and CVE-2025-53771. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:CVE-2025-53770CVE-2025-53771The ToolShell vulnerabilities (CVE-2025-49704, CVE-2025-49706) were patched as part of Microsoft’s July Patch Tuesday release. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:CVE-2025-49704CVE-2025-49706This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, Tenable Attack Surface Management customers can identify external-facing assets by leveraging the built-in subscription labeled Microsoft Sharepoint Server – v1.Get more informationMicrosoft: Customer guidance for SharePoint vulnerability CVE-2025-53770Eye Security Blog: ToolShell Mass Exploitation (CVE-2025-53770)Change LogUpdate July 25: The blog has been updated to include a report that Storm-2603 is exploiting the ToolShell vulnerabilities to deploy the Warlock ransomware.Update July 22: The blog has been updated to include confirmation of exploitation of the original ToolShell vulnerabilities by Chinese threat actors as well as clarification on Tenable’s Vulnerability Watch classifications.Update July 21: The blog has been updated to note that Microsoft released patches for SharePoint Server 2016 and confirmation of public proof-of-concept exploits for CVE-2025-53770.Update July 20: The blog has been updated to include an additional CVE (CVE-2025-53771) as well as preliminary coverage details for SharePoint Subscription Edition and SharePoint Server 2019.Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.