Cyber Exposure Alerts

Cyber Exposure Alerts From Tenable

  • CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
    by Scott Caveza on August 13, 2025 at 1:46 pm

    Exploit code is reportedly available for a critical command injection vulnerability affecting Fortinet FortiSIEM devices.

    Background

    On August 12, Fortinet published a security advisory (FG-IR-25-152) for CVE-2025-25256, a critical command injection vulnerability affecting Fortinet FortiSIEM.

    CVE | Description | CVSSv3
    CVE-2025-25256 | Fortinet FortiSIEM Command Injection Vulnerability | 9.8

    Analysis

    CVE-2025-25256 is a critical operating system (OS) command injection vulnerability affecting Fortinet FortiSIEM. A remote, unauthenticated attacker can exploit this flaw to execute arbitrary code using specially crafted requests.

    According to the advisory, exploitation of this flaw does not “produce distinctive” indicators of compromise (IoCs). As such, it may be difficult to identify that a device has been compromised.

    Historical Exploitation of Fortinet Devices

    Fortinet vulnerabilities have historically been common targets for cyber attackers, with 20 CVEs currently on the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) list. The following table outlines some of the most impactful Fortinet vulnerabilities in recent years.

    CVE | Description | Patched | Tenable Blog
    CVE-2025-32756 | Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera Arbitrary Code Execution Vulnerability | May 2025 | CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
    CVE-2024-55591 | Fortinet Authentication Bypass in FortiOS and FortiProxy | January 2025 | CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
    CVE-2024-21762 | Fortinet FortiOS Out-of-bound Write Vulnerability in sslvpnd | February 2024 | CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
    CVE-2023-27997 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | June 2023 | CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
    CVE-2022-42475 | FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability | December 2022 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs; AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
    CVE-2022-40684 | FortiOS and FortiProxy Authentication Bypass Vulnerability | October 2022 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy

    Proof of concept

    At the time the advisory was published by Fortinet on August 12, they warned that “practical exploit code” had been found in the wild, though they did not provide a link to the exploit. Tenable Research has attempted to identify a functional proof-of-concept (PoC) for this flaw; however, we have not successfully located one as of the time this blog was published.

    Solution

    The following table details the affected and fixed versions of Fortinet devices for CVE-2025-25256:

    Product Version | Affected Range | Fixed Version
    FortiSIEM 5.4 | All Versions of 5.4 | Migrate to a fixed release
    FortiSIEM 6.1 | All Versions of 6.1 | Migrate to a fixed release
    FortiSIEM 6.2 | All Versions of 6.2 | Migrate to a fixed release
    FortiSIEM 6.3 | All Versions of 6.3 | Migrate to a fixed release
    FortiSIEM 6.4 | All Versions of 6.4 | Migrate to a fixed release
    FortiSIEM 6.5 | All Versions of 6.5 | Migrate to a fixed release
    FortiSIEM 6.6 | All Versions of 6.6 | Migrate to a fixed release
    FortiSIEM 6.7 | 6.7.0 through 6.7.9 | 6.7.10 or above
    FortiSIEM 7.0 | 7.0.0 through 7.0.3 | 7.0.4 or above
    FortiSIEM 7.1 | 7.1.0 through 7.1.7 | 7.1.8 or above
    FortiSIEM 7.2 | 7.2.0 through 7.2.5 | 7.2.6 or above
    FortiSIEM 7.3 | 7.3.0 through 7.3.1 | 7.3.2 or above
    FortiSIEM 7.4 | Not Affected | Not Applicable

    Fortinet’s security advisory recommends that, if immediate patching cannot be performed, access to the phMonitor port (7900) be limited. We strongly recommend reviewing the advisory for updates as well as the latest on mitigation or indicators of compromise (IoCs).

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-25256 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Fortinet devices by using the following subscription:

    Get more information

    - Fortinet FG-IR-25-152 Security Advisory
    - Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    - Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Microsoft’s August 2025 Patch Tuesday Addresses 107 CVEs (CVE-2025-53779)
    by Research Special Operations on August 12, 2025 at 1:59 pm

    13 Critical | 91 Important | 2 Moderate | 1 Low

    Microsoft addresses 107 CVEs, including one zero-day vulnerability that was publicly disclosed.

    Microsoft patched 107 CVEs in its August 2025 Patch Tuesday release, with 13 rated critical, 91 rated as important, one rated as moderate and one rated as low.

    This month’s update includes patches for:

    - Azure File Sync
    - Azure OpenAI
    - Azure Portal
    - Azure Stack
    - Azure Virtual Machines
    - Desktop Windows Manager
    - GitHub Copilot and Visual Studio
    - Graphics Kernel
    - Kernel Streaming WOW Thunk Service Driver
    - Kernel Transaction Manager
    - Microsoft 365 Copilot’s Business Chat
    - Microsoft Brokering File System
    - Microsoft Dynamics 365 (on-premises)
    - Microsoft Edge for Android
    - Microsoft Exchange Server
    - Microsoft Graphics Component
    - Microsoft Office
    - Microsoft Office Excel
    - Microsoft Office PowerPoint
    - Microsoft Office SharePoint
    - Microsoft Office Visio
    - Microsoft Office Word
    - Microsoft Teams
    - Remote Access Point-to-Point Protocol (PPP) EAP-TLS
    - Remote Desktop Server
    - Role: Windows Hyper-V
    - SQL Server
    - Storage Port Driver
    - Web Deploy
    - Windows Ancillary Function Driver for WinSock
    - Windows Cloud Files Mini Filter Driver
    - Windows Connected Devices Platform Service
    - Windows DirectX
    - Windows Distributed Transaction Coordinator
    - Windows File Explorer
    - Windows GDI+
    - Windows Installer
    - Windows Kerberos
    - Windows Kernel
    - Windows Local Security Authority Subsystem Service (LSASS)
    - Windows Media
    - Windows Message Queuing
    - Windows NT OS Kernel
    - Windows NTFS
    - Windows NTLM
    - Windows PrintWorkflowUserSvc
    - Windows Push Notifications
    - Windows Remote Desktop Services
    - Windows Routing and Remote Access Service (RRAS)
    - Windows SMB
    - Windows Security App
    - Windows StateRepository API
    - Windows Subsystem for Linux
    - Windows Win32K GRFX
    - Windows Win32K ICOMP

    Elevation of privilege (EoP) vulnerabilities accounted for 39.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 32.7%.

    Moderate

    CVE-2025-53779 | Windows Kerberos Elevation of Privilege Vulnerability

    CVE-2025-53779 is an EoP vulnerability in Windows Kerberos. It was assigned a CVSSv3 score of 7.2 and is rated moderate. An authenticated attacker with access to a user account with specific permissions in Active Directory (AD) and at least one domain controller in the domain running Windows Server 2025 could exploit this vulnerability to achieve full domain, and then forest, compromise in an AD environment.

    This is a patch for a zero-day vulnerability dubbed BadSuccessor by Yuval Gordon, a security researcher at Akamai. It was disclosed on May 21. For more information on BadSuccessor, please review our FAQ blog, Frequently Asked Questions About BadSuccessor.

    Important

    CVE-2025-49712 | Microsoft SharePoint Remote Code Execution Vulnerability

    CVE-2025-49712 is an RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 8.8 and is rated important. An attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could either write arbitrary code or use code injection to execute code on a vulnerable SharePoint Server to gain RCE.

    This RCE follows on the heels of the ToolShell vulnerabilities that were disclosed in the July 2025 Patch Tuesday release and exploited in the wild as zero-days.

    Critical

    CVE-2025-53778 | Windows NTLM Elevation of Privilege Vulnerability

    CVE-2025-53778 is an EoP vulnerability affecting Windows New Technology LAN Manager (NTLM). It was assigned a CVSSv3 score of 8.8 and is rated as critical. According to the advisory, successful exploitation would allow an attacker to elevate their privileges to SYSTEM. This flaw was assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

    This marks the second critical EoP affecting Windows NTLM in 2025, following CVE-2025-21311, which was patched in the January 2025 Patch Tuesday release.

    Critical

    CVE-2025-50177, CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

    CVE-2025-50177, CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). While three of these four CVEs (CVE-2025-53143, CVE-2025-53144 and CVE-2025-53145) were assigned CVSSv3 scores of 8.8 and rated as important, CVE-2025-50177 was assigned a CVSSv3 score of 8.1 and rated as critical. Similarly, CVE-2025-50177 was assessed as “Exploitation More Likely,” while the other three were assessed as “Exploitation Less Likely.”

    In order to exploit these CVEs, an attacker would need to send a crafted MSMQ packet to a vulnerable server in order to achieve code execution.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s August 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    - Microsoft’s August 2025 Security Updates
    - Tenable plugins for Microsoft August 2025 Patch Tuesday Security Updates
    - Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    - Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-53786: Frequently Asked Questions About Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
    by Scott Caveza on August 7, 2025 at 4:06 pm

    Frequently asked questions about CVE-2025-53786, an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.

    Background

    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an elevation of privilege vulnerability affecting Microsoft Exchange Server Hybrid Deployments.

    FAQ

    What is CVE-2025-53786?

    CVE-2025-53786 is an elevation of privilege (EoP) vulnerability affecting hybrid deployments of Microsoft Exchange Server. An attacker with administrator privileges to an on-premises Exchange Server can escalate their privileges within a connected cloud environment. This flaw exists due to Exchange Server and Exchange Online sharing “the same service principal in hybrid configurations.”

    When was CVE-2025-53786 first disclosed?

    Microsoft first disclosed CVE-2025-53786 on August 6. According to the security advisory, Microsoft identified the vulnerability after further investigation of a non-security Hot Fix released on April 18 alongside an announcement on Exchange Server Security Changes for Hybrid Deployments.

    Was this exploited as a zero-day?

    As of August 7, no known exploitation has been observed by Microsoft. However, Microsoft has assessed this vulnerability as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

    What makes CVE-2025-53786 so serious?

    While exploitation of this EoP vulnerability requires an attacker to have administrative access to an on-prem Exchange Server, successful exploitation would impact a victim’s Exchange Online cloud environment. This vulnerability exists because Exchange Server and Exchange Online share the same service principal. According to Microsoft, a successful attack would not leave an “easily detectable and auditable trace.”

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert for CVE-2025-53786 on August 6, stressing that the flaw, “if not addressed, could impact the identity integrity of an organization’s Exchange Online service.”

    CISA followed up with Emergency Directive ED 25-02: Mitigate Microsoft Exchange Vulnerability on August 7, directing federal agencies to take immediate action by 9:00 AM ET on Monday August 11 to address the flaw.

    Is there a proof-of-concept (PoC) available for this vulnerability?

    At the time this blog was published on August 7, no PoC had been identified for CVE-2025-53786.

    Are patches or mitigations available for CVE-2025-53786?

    Microsoft released a Hot Fix on April 18 that improved the security of Exchange hybrid deployments and mitigates this issue. In order to be fully protected, it is recommended that the Hot Fix or a later release is applied. In addition, Microsoft recommends applying the configuration recommendations in the article Deploy dedicated Exchange hybrid app.

    Additionally, Microsoft recommends that customers who previously configured Exchange hybrid or OAuth authentication for Exchange Server to Exchange Online, and no longer use it, ensure they have “reset the service principal’s keyCredentials.”

    We recommend reviewing Microsoft’s security advisory for CVE-2025-53786 for the latest recommendations from Microsoft.

    Has Tenable released any product coverage for these vulnerabilities?

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE page for CVE-2025-53786 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Get more information

    - Microsoft Security Advisory for CVE-2025-53786
    - Microsoft Article: Deploy dedicated Exchange hybrid app
    - Microsoft Blog: Dedicated Hybrid App: temporary enforcements, new HCW and possible hybrid functionality disruptions
    - CISA Alert: Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
    - Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    - Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-54987, CVE-2025-54948: Trend Micro Apex One Command Injection Zero-Days Exploited In The Wild
    by Scott Caveza on August 6, 2025 at 2:44 pm

    Trend Micro releases a temporary mitigation tool to reduce exposure to two unpatched zero-day command injection vulnerabilities which have been exploited.

    Background

    On August 5, Trend Micro released a security advisory for two critical flaws affecting on-prem versions of Apex One Management Console. According to the advisory, Trend Micro has observed active exploitation of the vulnerabilities.

    CVE | Description | CVSSv3
    CVE-2025-54987 | Trend Micro Apex One Management Console Command Injection Vulnerability | 9.4
    CVE-2025-54948 | Trend Micro Apex One Management Console Command Injection Vulnerability | 9.4

    According to Trend Micro, these two CVEs describe the same flaw; however, CVE-2025-54987 was issued for a different CPU architecture.

    Analysis

    CVE-2025-54987 and CVE-2025-54948 are both command injection vulnerabilities affecting the management console of on-prem installations of Trend Micro Apex One. An unauthenticated attacker with network or physical access to a vulnerable machine can upload arbitrary files, allowing the attacker to execute commands and achieve code execution. While two CVEs were issued, the advisory notes that CVE-2025-54987 was issued for a different CPU architecture than CVE-2025-54948.

    Trend Micro Apex One™ as a Service and Trend Vision One Endpoint Security – Standard Endpoint Protection have been mitigated against these vulnerabilities as of July 31 and are not impacted by them. At this time, only on-prem installations of Apex One are affected.

    Historical exploitation of Apex One

    Apex One has been targeted by threat actors in the past, including zero-day exploitation of flaws affecting on-prem installations. CVE-2020-8467 and CVE-2020-8468 were addressed in March 2020 after in-the-wild exploitation was discovered, followed by CVE-2022-40139 in September 2022. As of the time this blog was published on August 6, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) lists nine vulnerabilities in Apex One in its Catalog of Known Exploited Vulnerabilities (KEV).

    Vendor response

    As of the time this blog was published on August 6, Trend Micro’s security advisory for these vulnerabilities notes that a patch has not yet been released and is to be expected “around the middle of August 2025.” We will update the blog with further updates and solution steps once patches are released.

    In the meantime, a short-term mitigation tool has been released. This tool can be used to protect against known exploits and disables “the ability for administrators to utilize the Remote Install Agent function to deploy agents.”

    While successful exploitation requires an attacker to either have physical access or network access to the management interface, Trend Micro suggests that customers who have publicly exposed the management console’s IP address also consider additional mitigation factors to restrict access to the management console.

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-54987 and CVE-2025-54948 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

    Get more information

    - Trend Micro Security Advisory: ITW CRITICAL SECURITY BULLETIN: Trend Micro Apex One™ (On-Premise) Management Console Command Injection RCE Vulnerabilities
    - Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    - Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison)
    by Satnam Narang on August 5, 2025 at 10:44 pm

    Researchers have disclosed two vulnerabilities in Cursor, the popular AI-assisted code editor, that impact its handling of model context protocol (MCP) servers, which could be used to gain code execution on vulnerable systems.

    Background

    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding two recently disclosed vulnerabilities in Cursor IDE.

    FAQ

    What is Cursor?

    Cursor is an AI-assisted integrated development environment (IDE), or AI code editor, developed by Anysphere. It was first released in March 2023.

    Who uses Cursor?

    In January 2025, Cursor had over 1 million users, according to a Bloomberg report. The company states that Cursor is used by over half of the Fortune 500, naming NVIDIA, Uber and Adobe among its customers.

    What are CurXecute and MCPoison?

    CurXecute and MCPoison are the names given to two separate vulnerabilities in Cursor.

    What are the vulnerabilities associated with CurXecute and MCPoison?

    The following are the CVEs assigned for both CurXecute and MCPoison:

    CVE | Description | CVSSv3
    CVE-2025-54135 | Cursor Arbitrary Code Execution Vulnerability (“CurXecute”) | 8.5
    CVE-2025-54136 | Cursor Remote Code Execution via Unverified Configuration Modification Vulnerability (“MCPoison”) | 7.2

    When were these vulnerabilities first disclosed?

    CurXecute (CVE-2025-54135) was disclosed on August 1 by researchers at AIM Security, while MCPoison (CVE-2025-54136) was disclosed on August 5 by researchers at Check Point Research.

    Were any of these vulnerabilities exploited as a zero-day?

    No, these vulnerabilities were disclosed to Cursor by the respective researchers through coordinated disclosure on July 7 (CurXecute) and July 16 (MCPoison).

    Are there any proofs-of-concept (PoCs) available for CurXecute and MCPoison?

    Yes, the researchers have published PoC details on their respective blog posts, explaining how attackers could potentially exploit these flaws.

    How severe are CurXecute and MCPoison?

    Both vulnerabilities have the potential to be severe, but it is context dependent. The common thread between the two flaws is how Cursor handles interaction with MCP servers.

    For a primer on MCP, read the blog Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications. Additionally, Tenable Research has published investigations into MCP security, including MCP prompt injection and our discovery of a critical flaw in Anthropic MCP Inspector.

    In the example outlined by AIM Security for CurXecute, an attacker could leverage prompt injection by targeting an MCP connected to a Slack instance, sending a crafted message that would be processed by the Slack MCP Server and read by Cursor to modify the underlying global mcp.json configuration settings even before the user has a chance to reject the suggested edits by AI. Crucially, Cursor would execute the command added to the modified MCP configuration immediately.

    In the example outlined by Check Point Research for MCPoison, the flaw stems from the approval of an MCP server that contains a project-specific configuration (mcp.json). Once this MCP server has been approved by the target, any changes to the underlying configuration are considered trusted because approval is bound to the MCP name, not its contents. This would allow an attacker to modify the configuration to include malicious commands that would be executed silently and without requiring re-approval.

    AI-assisted code editors help with the development of software, but they introduce a new layer of risk, whether through enabling MCP servers that could be vulnerable to prompt injection (CurXecute) or through leveraging a seemingly harmless open-source project that is then compromised by a malicious contributor (MCPoison).

    Are patches or mitigations available for CurXecute and MCPoison?

    Yes, Cursor has released updated versions of its IDE to address both CurXecute and MCPoison.

    CVE | Affected Product | Affected Versions | Fixed Version
    CVE-2025-54135 | Cursor | 1.21 and below | 1.3.9
    CVE-2025-54136 | Cursor | 1.2.4 and below | 1.3

    Has Tenable released any product coverage for these vulnerabilities?

    A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

    - CVE-2025-54135
    - CVE-2025-54136

    This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline. Customers can also use our MCP Server Detected plugin to identify MCP server usage.

    Get more information

    - When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑Start
    - MCPoison Cursor IDE: Persistent Code Execution via MCP Trust Bypass
    - Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    - Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Frequently Asked Questions About SonicWall Gen 7 Firewall Ransomware Activity
    by Satnam Narang on August 5, 2025 at 6:06 pm

    An increase in ransomware activity tied to SonicWall Gen 7 Firewalls has been observed, possibly linked to the exploitation of a zero-day vulnerability in its SSL VPN.

    Update August 7: The blog has been updated with the latest updates from SonicWall, noting that there has not been a new zero-day vulnerability identified.

    Background

    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding an increase in ransomware activity targeting SonicWall Gen 7 Firewalls.

    FAQ

    What is the ransomware activity being observed against SonicWall Gen 7 Firewalls?

    Reports from researchers at Arctic Wolf and Huntress have noted an observable increase in attacks targeting SonicWall firewalls, specifically the Gen 7 (or seventh generation) firewalls. Both Arctic Wolf and Huntress assess that the ransomware activity is linked to the Akira ransomware.

    When was this ransomware activity against SonicWall firewalls first observed?

    Arctic Wolf observed an increase in activity at the end of July 2025, while Huntress has been responding to incidents in the first few days of August 2025.

    What does this have to do with SonicWall’s SSL VPN and a zero-day vulnerability?

    The ransomware activity has been observed on Gen 7 firewalls with SSL VPN enabled. Researchers have noted that even if multifactor authentication is enabled, attackers have been able to compromise accounts on these devices. In some instances, the SonicWall devices are fully patched. These factors give credence to the likelihood that a zero-day vulnerability in these devices is being exploited.

    In an update on August 6, SonicWall clarified that the recent activity “is not connected to a zero-day vulnerability.” Instead, many of the incidents they have investigated have been in devices that have migrated from Gen 6 to Gen 7 firewalls, where local user accounts were not reset as outlined in security advisory SNWLID-2024-0015. This advisory addresses CVE-2024-40766, an improper access control vulnerability which has been observed to have been exploited in the wild.

    What are the vulnerabilities associated with this ransomware activity?

    As of August 5, SonicWall has not yet assigned any CVEs for the ransomware activity. On August 6, SonicWall updated their threat activity notice indicating that threat activity is related to CVE-2024-40766.

    Are there any other threat actors involved in this ransomware activity?

    Right now, we are only aware of reports that the Akira ransomware has been leveraged in these attacks. We will update this blog post if or when additional ransomware activity, along with any other malicious activity, is observed.

    Are patches or mitigations available for this ransomware activity?

    SonicWall has published a threat activity notice on its website as it investigates the reports of malicious activity. The current guidance as of August 6 instructs customers using SonicWall Gen 7 firewalls who have imported configurations from Gen 6 to review the following guidance:

    - Update firmware to version 7.3.0, which has “enhanced protections against brute force attacks and additional MFA controls.”
    - Reset all local user account passwords. This is especially important in cases where accounts with SSLVPN access were migrated from Gen 6 to Gen 7.
    - Enforce multifactor authentication (MFA) for SSLVPN.
    - Audit accounts and identify unused or inactive accounts.
    - Use strong and unique passwords for user accounts.
    - Enable Botnet Protection and Geo-IP Filtering.

    I thought that MFA was bypassed by the attackers, so why is that listed as a mitigation?

    MFA is part of standard security guidance to thwart common attack vectors, e.g. brute-force, credential stuffing or stolen credentials.

    Has Tenable released any product coverage?

    While no new CVE has been announced, the updated guidance as of August 6 is that observed threat activity is related to CVE-2024-40766. Tenable product coverage for CVE-2024-40766 can be found here. Tenable customers can also utilize our SonicWall SonicOS detection plugin to identify Gen 7 devices on their networks.

    Additionally, Tenable Attack Surface Management customers can identify external-facing SonicWall assets with SSL VPN enabled by leveraging the built-in subscription labeled SonicWall SSL-VPN v1.

    Change Log

    Update August 7: The blog has been updated with the latest updates from SonicWall, noting that there has not been a new zero-day vulnerability identified.

    Get more information

    - Gen 7 SonicWall Firewalls – SSLVPN Recent Threat Activity
    - Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN
    - Huntress Threat Advisory: Active Exploitation of SonicWall VPNs
    - Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    - Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • CVE-2025-53770: Frequently Asked Questions About Zero-Day SharePoint Vulnerability Exploitation
    by Satnam Narang on July 20, 2025 at 4:45 pm

    Successful exploitation of CVE-2025-53770 could expose MachineKey configuration details from a vulnerable SharePoint Server, ultimately enabling unauthenticated remote code execution.

    Update July 25: The blog has been updated to include a report that Storm-2603 is exploiting the ToolShell vulnerabilities to deploy the Warlock ransomware.

    Background

    Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day SharePoint Server vulnerability that has been exploited in the wild.

    FAQ

    When was the SharePoint exploitation first disclosed?

    On July 19, reports emerged that Microsoft SharePoint Servers around the world were under active exploitation. Researchers at Eye Security published a blog post detailing their identification of an “active, large-scale exploitation” that was initially linked to a pair of vulnerabilities in SharePoint dubbed ToolShell.

    What are the vulnerabilities associated with ToolShell?

    ToolShell was the name given to a pair of vulnerabilities used as part of an exploit chain in SharePoint Server disclosed at Pwn2Own Berlin by security researcher Dinh Ho Anh Khoa of Viettel Cyber Security.

    CVE | Description | CVSSv3
    CVE-2025-49706 | Microsoft SharePoint Server Spoofing Vulnerability | 6.3
    CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability | 8.8

    “The SharePoint patch for Pwn2Own Berlin has been released – patch ASAP. The exploit need only one request💣 I’d name this bug ToolShell – ZDI did say the endpoint is ToolPane after all😅 https://t.co/I5Lwzj0aOx #CVE_2025_49706 #CVE_2025_49704 #SharePoint #Pwn2Own pic.twitter.com/HqGvV61Plw” — Khoa Dinh (@_l0gg) July 10, 2025

    Was ToolShell actually used in these attacks?

    Yes, Microsoft confirmed on July 22 that they observed exploit attempts using the ToolShell vulnerabilities. However, Microsoft also published a blog post on July 19 that included a new CVE identifier for a zero-day vulnerability used in the attacks detailed by Eye Security.

    CVE | Description | CVSSv3
    CVE-2025-53770 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 9.8

    According to Microsoft, CVE-2025-53770 is a “variant” of one of the ToolShell vulnerabilities, CVE-2025-49706.

    Following the publication of our FAQ blog on July 20, Microsoft updated its blog post, creating an additional CVE:

    CVE | Description | CVSSv3
    CVE-2025-53771 | Microsoft SharePoint Server Spoofing Vulnerability | 6.3

    Microsoft says that both CVE-2025-53770 and CVE-2025-53771 were created to provide “more robust protections” than CVE-2025-49704 and CVE-2025-49706.

    How severe is the exploitation of CVE-2025-53770?

    Successful exploitation of CVE-2025-53770 could grant an attacker the ability to obtain MachineKey configuration details from a vulnerable SharePoint Server to create specially crafted requests that could enable unauthenticated remote code execution.

    How widespread are the attacks exploiting CVE-2025-53770?

    A post from The Shadowserver Foundation on X confirmed that at least 9,300 SharePoint servers were publicly accessible as of July 20. However, it is important to note that not all 9,300 servers are considered vulnerable.

    “Alert: SharePoint CVE-2025-53770 incidents! In collaboration with @eyesecurity & @watchtowrcyber we are notifying compromised parties. Read: https://t.co/j1rxtN32iq ~9300 Sharepoint IPs seen exposed daily (just population, no vulnerability assessment): https://t.co/rCFGTrhiDT pic.twitter.com/QEx2sJ3K4X” — The Shadowserver Foundation (@Shadowserver) July 20, 2025

    Has CVE-2025-53771 been exploited in the wild?

    As of July 20, Microsoft’s advisory for CVE-2025-53771 does not include any references to exploitation. If that changes, we will update this blog.

    Which threat actors are exploiting CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770?

    On July 22, Microsoft published a blog post confirming that as early as July 7, they observed exploit attempts of CVE-2025-49706 and CVE-2025-49704 by two Chinese state actors called Linen Typhoon and Violet Typhoon as well as a China-based actor called Storm-2603.

    As part of an update to its blog post on in-the-wild exploitation, Microsoft says that Storm-2603 has been observed exploiting the ToolShell vulnerabilities to deploy the Warlock ransomware.

    Is there a proof-of-concept (PoC) available for these vulnerabilities?

    Yes, we are aware that proof-of-concept (PoC) exploits for CVE-2025-53770, including repositories that include exploit code, are now available. However, it is important to note that attackers create fake PoCs for trending vulnerabilities and host them on development platforms in order to steal information.

    When this blog was published on July 20, there were no PoCs for CVE-2025-53770. However, we knew CVE-2025-53770 was a variant of CVE-2025-49706, one of the CVEs in the ToolShell chain. Researchers at CODE WHITE GmbH were able to reproduce the chain and disclosed this confirmation on X (formerly Twitter) on July 14.

    “We have reproduced “ToolShell”, the unauthenticated exploit chain for CVE-2025-49706 + CVE-2025-49704 used by @_l0gg to pop SharePoint at #Pwn2Own Berlin 2025, it’s really just one request! Kudos to @mwulftange pic.twitter.com/sPHVVBal3K” — CODE WHITE GmbH (@codewhitesec) July 14, 2025

    Additionally, security researcher Soroush Dalili was able to work alongside Google’s Gemini to help identify the Microsoft SharePoint authentication bypass (CVE-2025-49706).

    “I originally had Gemini expecting a 200 OK instead of a 401, but after dropping a server-side breakpoint so it could use a timeout as the auth signal, it cracked the bypass! 🥈 AI + human teamwork for the win! 🎉 Next: finding the right parameters & deserialization in… https://t.co/uFwK8ANJvz pic.twitter.com/MM916K69um” — Soroush Dalili (@irsdl) July 18, 2025

    Are patches or mitigations available for CVE-2025-53770 and CVE-2025-53771?

    On July 20, Microsoft released patches for Microsoft SharePoint Server Subscription Edition and Microsoft SharePoint Server 2019 that address both CVE-2025-53770 and CVE-2025-53771. On July 21, Microsoft released patches for Microsoft SharePoint Server 2016. The ToolShell exploit chain was patched as part of Microsoft’s July 2025 Patch Tuesday.

    Microsoft’s blog post provides mitigation instructions that include configuring AMSI integration in SharePoint Servers that do not have it enabled by default, as well as utilizing Defender Antivirus on all SharePoint servers.

    Are there any indicators of compromise for exploitation of CVE-2025-53770?

    Yes, there are several indicators of compromise (IoCs) that have been included in the blog post published by Eye Security, including several known IP addresses and user agent strings.

    One key indicator of compromise is the creation of a file, spinstall0.aspx, on vulnerable SharePoint Servers. This file is being used to obtain the MachineKey configuration details. Microsoft also provided additional file names including spinstall.aspx, spinstall1.aspx, and spinstall2.aspx as well as other indicators.

    Has Tenable classified these vulnerabilities under Vulnerability Watch?

    Yes, our RSO team has classified all the vulnerabilities associated with these attacks as follows:

    CVE | Vulnerability Watch Classification | Date Added
    CVE-2025-53770 | Vulnerability of Concern | July 20
    CVE-2025-53771 | Vulnerability Being Monitored | July 21
    CVE-2025-49704 | Vulnerability of Concern | July 22
    CVE-2025-49706 | Vulnerability of Concern | July 22

    Because CVE-2025-53771 has not been confirmed as exploited in the wild and is considered “Exploitation Less Likely,” we have flagged it as a Vulnerability Being Monitored.

    For more information about our Vulnerability Watch classifications, please visit our blog, Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help.

    Has Tenable released any product coverage for these vulnerabilities?

    When this blog was published on July 20, there were no patches available for CVE-2025-53770. However, Microsoft has since released patches for SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016 that address CVE-2025-53770 and CVE-2025-53771. A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

    - CVE-2025-53770
    - CVE-2025-53771

    The ToolShell vulnerabilities (CVE-2025-49704, CVE-2025-49706) were patched as part of Microsoft’s July Patch Tuesday release.
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:CVE-2025-49704CVE-2025-49706This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.Additionally, Tenable Attack Surface Management customers can identify external-facing assets by leveraging the built-in subscription labeled Microsoft Sharepoint Server – v1.Get more informationMicrosoft: Customer guidance for SharePoint vulnerability CVE-2025-53770Eye Security Blog: ToolShell Mass Exploitation (CVE-2025-53770)Change LogUpdate July 25: The blog has been updated to include a report that Storm-2603 is exploiting the ToolShell vulnerabilities to deploy the Warlock ransomware.Update July 22: The blog has been updated to include confirmation of exploitation of the original ToolShell vulnerabilities by Chinese threat actors as well as clarification on Tenable’s Vulnerability Watch classifications.Update July 21: The blog has been updated to note that Microsoft released patches for SharePoint Server 2016 and confirmation of public proof-of-concept exploits for CVE-2025-53770.Update July 20: The blog has been updated to include an additional CVE (CVE-2025-53771) as well as preliminary coverage details for SharePoint Subscription Edition and SharePoint Server 2019.Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
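    A defender-side check for the spinstall*.aspx file-name indicators mentioned in the IoC section of the post above. This is an added example, not code from Tenable, Microsoft or Eye Security; the scan root is an assumption (the post does not say where the file is dropped, so point it at the SharePoint web root or whichever directory you want checked), and the sample tree the script builds for a dry run is constructed.

```python
# Added example (not Tenable's, Microsoft's or Eye Security's code): scan a
# directory tree for the file names the IoC section lists. The scan root is
# an assumption; point it at the SharePoint web root or any directory to check.
import hashlib
import os
import sys
import tempfile
from datetime import datetime, timezone

TOOLSHELL_IOC_NAMES = frozenset({  # names the post reports as ToolShell IoCs
    "spinstall0.aspx", "spinstall.aspx", "spinstall1.aspx", "spinstall2.aspx",
})


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_ioc_files(root, names=TOOLSHELL_IOC_NAMES):
    """Walk `root`; return one record per file whose name matches an IoC name.

    Matching is case-insensitive because NTFS and IIS paths are. Each record
    keeps path, size, mtime (UTC) and SHA-256 so the finding is preserved for
    incident response before anyone touches or removes the file.
    """
    wanted = {n.lower() for n in names}
    findings = []
    for dirpath, _subdirs, filenames in os.walk(root):
        for fname in filenames:
            if fname.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fname)
            st = os.stat(full)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            findings.append({"path": full, "size": st.st_size,
                             "mtime_utc": mtime.isoformat(),
                             "sha256": sha256_of(full)})
    return sorted(findings, key=lambda r: r["path"])


def build_constructed_tree():
    """Create a throwaway directory of constructed sample files for a dry run."""
    base = tempfile.mkdtemp(prefix="toolshell_demo_")
    os.makedirs(os.path.join(base, "sub"))
    samples = {
        "default.aspx": b"benign page",                # must not be reported
        "spinstall0.aspx": b"constructed sample",      # exact IoC name
        os.path.join("sub", "SPINSTALL1.ASPX"): b"x",  # nested, different case
    }
    for rel, data in samples.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_tree()
    for rec in scan_for_ioc_files(root):
        print(rec)
```

    Run it with the directory to inspect as the only argument; with no argument it scans the constructed sample tree, reporting the two IoC-named files and ignoring default.aspx.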

  • CVE-2025-54309: CrushFTP Zero-Day Vulnerability Exploited In The Wild
    by Satnam Narang on July 18, 2025 at 8:46 pm

    A critical zero-day flaw in CrushFTP that can grant attackers administrator access was discovered on July 18 and is under active exploitation.

    Background

    On July 18, CrushFTP published an update to its CrushWiki detailing the discovery and exploitation of a zero-day in its CrushFTP software:

    CVE | Description | CVSSv3
    CVE-2025-54309 | CrushFTP Unprotected Alternate Channel Vulnerability | 9.0

    Tenable’s Research Special Operations (RSO) team is monitoring for any further developments surrounding CVE-2025-54309. We have classified it as a Vulnerability of Interest (VOI).

    Analysis

    CVE-2025-54309 is an unprotected alternate channel vulnerability in CrushFTP. The vulnerability exists because of a mishandling of validation in Applicability Statement 2 (AS2), a protocol for transporting critical data. A remote, unauthenticated attacker could exploit this vulnerability to obtain administrative access through CrushFTP.

    Zero-day exploitation detected on July 18, 2025

    According to CrushFTP, CVE-2025-54309 was first discovered as being exploited as a zero-day by unknown threat actors on July 18 at 9AM CST. However, they caution that exploitation may have “been going on for longer.”

    CrushFTP says attackers reviewed recent patch to uncover zero-day

    In addition to confirming exploitation of this flaw, CrushFTP says that attackers appear to have discovered it by reverse engineering its code to find a bug that is fixed in the latest versions of its software.

    Historical exploitation of CrushFTP

    Since 2024, there have been two vulnerabilities exploited in the wild against CrushFTP. CVE-2024-4040, a sandbox escape flaw in CrushFTP’s virtual file system (VFS) sandbox, was exploited against multiple U.S. entities. In May 2025, CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP, first identified as CVE-2025-2825 and subsequently rejected, was exploited in the wild after it was publicly disclosed.

    Proof of concept

    At the time this blog post was published, there was no proof-of-concept (PoC) for CVE-2025-54309.

    Solution

    The following are the affected and fixed versions of CrushFTP:

    Affected Versions | Fixed Versions
    10.8.4 and below | 10.8.5
    11.3.4_22 and below | 11.3.4_23

    Additionally, CrushFTP included some indicators of compromise (IOCs) and mitigation techniques in its Crush11Wiki update on July 18. As a reminder, CrushFTP will stop supporting CrushFTP v10 in March 2026.

    Identifying affected systems

    A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-54309 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

    Get more information

    CrushFTP Crush11Wiki: Compromise July 2025 – CVE-2025-54309

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Oracle July 2025 Critical Patch Update Addresses 165 CVEs
    by Research Special Operations on July 15, 2025 at 4:59 pm

    Oracle addresses 165 CVEs in its third quarterly update of 2025 with 309 patches, including nine critical updates.

    Background

    On July 15, Oracle released its Critical Patch Update (CPU) for July 2025, the third quarterly update of the year. This CPU contains fixes for 165 unique CVEs in 309 security updates across 28 Oracle product families. Out of the 309 security updates published this quarter, 2.9% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 46.6%, followed by medium severity patches at 43.7%.

    This quarter’s update includes nine critical patches across five CVEs.

    Severity | Issues Patched | CVEs
    Critical | 9 | 5
    High | 144 | 59
    Medium | 135 | 91
    Low | 21 | 10
    Total | 309 | 165

    Analysis

    This quarter, the Oracle REST Data Services product family contained the highest number of patches at 84, accounting for 27.2% of the total patches, followed by Oracle Hospitality Applications at 40 patches, which accounted for 12.9% of the total patches.

    A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

    Oracle Product Family | Number of Patches | Remote Exploit without Auth
    Oracle REST Data Services | 84 | 50
    Oracle Hospitality Applications | 40 | 3
    Oracle Communications | 36 | 22
    Oracle NoSQL Database | 29 | 1
    Oracle Communications Applications | 18 | 13
    Oracle Analytics | 11 | 10
    Oracle Insurance Applications | 11 | 8
    Oracle TimesTen In-Memory Database | 9 | 3
    Oracle JD Edwards | 8 | 8
    Oracle Hyperion | 7 | 3
    Oracle PeopleSoft | 7 | 0
    Oracle Database Server | 6 | 0
    Oracle Java SE | 6 | 5
    Oracle MySQL | 6 | 5
    Oracle Blockchain Platform | 5 | 2
    Oracle Construction and Engineering | 5 | 2
    Oracle Financial Services Applications | 4 | 1
    Oracle E-Business Suite | 3 | 2
    Oracle Fusion Middleware | 3 | 2
    Oracle Spatial Studio | 2 | 0
    Oracle HealthCare Applications | 2 | 0
    Oracle Application Express | 1 | 0
    Oracle Autonomous Health Framework | 1 | 1
    Oracle Essbase | 1 | 1
    Oracle GoldenGate | 1 | 1
    Oracle Graph Server and Client | 1 | 1
    Oracle Commerce | 1 | 0
    Oracle Enterprise Manager | 1 | 1

    Solution

    Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the July 2025 advisory for full details.

    Identifying affected systems

    A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

    Get more information

    Oracle Critical Patch Update Advisory – July 2025
    Oracle July 2025 Critical Patch Update Risk Matrices
    Oracle Advisory to CVE Map

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

  • Microsoft’s July 2025 Patch Tuesday Addresses 128 CVEs (CVE-2025-49719)
    by Research Special Operations on July 8, 2025 at 1:47 pm

    12 Critical | 115 Important | 1 Moderate | 0 Low

    Microsoft addresses 128 CVEs, including one zero-day vulnerability that was publicly disclosed.

    Microsoft addresses 128 CVEs in its July 2025 Patch Tuesday release, with 12 rated critical, 115 rated important and one rated moderate. Our counts omit nine vulnerabilities reported by AMD and MITRE.

    This month’s update includes patches for:

    - Azure Monitor Agent
    - Capability Access Management Service (camsvc)
    - HID class driver
    - Kernel Streaming WOW Thunk Service Driver
    - Microsoft Brokering File System
    - Microsoft Graphics Component
    - Microsoft Input Method Editor (IME)
    - Microsoft Intune
    - Microsoft MPEG-2 Video Extension
    - Microsoft Office
    - Microsoft Office Excel
    - Microsoft Office PowerPoint
    - Microsoft Office SharePoint
    - Microsoft Office Word
    - Microsoft PC Manager
    - Microsoft Teams
    - Microsoft Windows QoS scheduler
    - Microsoft Windows Search Component
    - Office Developer Platform
    - Remote Desktop Client
    - Role: Windows Hyper-V
    - SQL Server
    - Service Fabric
    - Storage Port Driver
    - Universal Print Management Service
    - Virtual Hard Disk (VHDX)
    - Visual Studio
    - Visual Studio Code Python extension
    - Windows Ancillary Function Driver for WinSock
    - Windows AppX Deployment Service
    - Windows BitLocker
    - Windows Connected Devices Platform Service
    - Windows Cred SSProvider Protocol
    - Windows Cryptographic Services
    - Windows Event Tracing
    - Windows Fast FAT Driver
    - Windows GDI
    - Windows Imaging Component
    - Windows KDC Proxy Service (KPSSVC)
    - Windows Kerberos
    - Windows Kernel
    - Windows MBT Transport driver
    - Windows Media
    - Windows NTFS
    - Windows Netlogon
    - Windows Notification
    - Windows Performance Recorder
    - Windows Print Spooler Components
    - Windows Remote Desktop Licensing Service
    - Windows Routing and Remote Access Service (RRAS)
    - Windows SMB
    - Windows SPNEGO Extended Negotiation
    - Windows SSDP Service
    - Windows Secure Kernel Mode
    - Windows Shell
    - Windows SmartScreen
    - Windows StateRepository API
    - Windows Storage VSP Driver
    - Windows TCP/IP
    - Windows TDX.sys
    - Windows Universal Plug and Play (UPnP) Device Host
    - Windows Update Service
    - Windows User-Mode Driver Framework Host
    - Windows Virtualization-Based Security (VBS) Enclave
    - Windows Visual Basic Scripting
    - Windows Win32K GRFX
    - Windows Win32K ICOMP
    - Workspace Broker

    Elevation of Privilege (EoP) vulnerabilities accounted for 41.4% of the vulnerabilities patched this month, followed by Remote Code Execution (RCE) vulnerabilities at 31.3%.

    Important — CVE-2025-49719 | Microsoft SQL Server Information Disclosure Vulnerability

    CVE-2025-49719 is a zero-day information disclosure vulnerability in Microsoft SQL Server. It was assigned a CVSSv3 score of 7.5 and is rated important. An unauthenticated attacker could exploit this vulnerability to obtain uninitialized memory. It is assessed as “Exploitation Less Likely” according to Microsoft’s Exploitability Index.

    According to Microsoft, this vulnerability was publicly disclosed prior to patches being available. Users of SQL Server are advised to update to the latest version, which includes driver fixes. If users are running their own applications or software from another vendor that uses SQL Server, it is advised to update to Microsoft OLE DB Driver for SQL Server version 18 or 19. However, it is important to ensure compatibility before updating. For more information on general distribution release (GDR) or cumulative update (CU) versions, please refer to the advisory.

    Critical — CVE-2025-47981 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability

    CVE-2025-47981 is an RCE vulnerability in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. It was assigned a CVSSv3 score of 9.8 and is rated critical. It is assessed as “Exploitation More Likely.” An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted message to a vulnerable server. Successful exploitation could grant an attacker RCE privileges. Microsoft states that this vulnerability only affects Windows 10 machines running version 1607 and above because of a specific group policy object (GPO) enabled by default in these versions, “Network security: Allow PKU2U authentication requests to this computer to use online identities.”

    This is only the third vulnerability in SPNEGO NEGOEX since 2022, but it is the second in 2025, as CVE-2025-21295 was addressed in the January 2025 Patch Tuesday release. Both CVE-2025-47981 and CVE-2025-21295 were disclosed by security researcher Yuki Chen.

    Critical — CVE-2025-49701 and CVE-2025-49704 | Microsoft SharePoint Remote Code Execution Vulnerability

    CVE-2025-49701 and CVE-2025-49704 are RCE vulnerabilities in Microsoft SharePoint. They were both assigned a CVSSv3 score of 8.8; CVE-2025-49704 was rated as critical while CVE-2025-49701 was rated as important. To exploit these flaws, an attacker would need to be authenticated with Site Owner privileges at minimum. Once authenticated, an attacker could write arbitrary code to a vulnerable SharePoint Server to gain RCE.

    So far in 2025, there have been 16 vulnerabilities disclosed in Microsoft SharePoint, including CVE-2025-49706, a spoofing flaw that was disclosed alongside CVE-2025-49701 and CVE-2025-49704. There were 20 SharePoint vulnerabilities in 2024, 25 in 2023, and 20 in 2022.

    Critical — CVE-2025-49735 | Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

    CVE-2025-49735 is an RCE vulnerability affecting the Windows Kerberos Key Distribution Center (KDC) proxy service, an authentication mechanism used for KDC servers over HTTPS. It was assigned a CVSSv3 score of 8.1 and rated critical. An unauthenticated attacker could exploit this vulnerability utilizing a crafted application to exploit a cryptographic protocol vulnerability in order to execute arbitrary code.

    According to the advisory, this only impacts Windows Servers that have been “configured as a [MS-KKDCP]: Kerberos Key Distribution Center (KDC) Proxy Protocol server.” While the advisory does mention that exploitation requires the attacker to win a race condition, this vulnerability was still assessed as “Exploitation More Likely.”

    This is the second month in a row that Microsoft has patched a KDC Proxy Service (KPSSVC) RCE vulnerability, as it was preceded by CVE-2025-33071 in the June Patch Tuesday release. Both flaws are credited to security researcher “ʌ!ɔ⊥ojv” with Kunlun Lab.

    Important — CVE-2025-49724 | Windows Connected Devices Platform Service Remote Code Execution Vulnerability

    CVE-2025-49724 is an RCE vulnerability in the Windows Connected Devices Platform Service. It was assigned a CVSSv3 score of 8.8 and is rated important. An unauthenticated, remote attacker could exploit this vulnerability by sending specially crafted data packets to a system with the “Nearby Sharing” feature enabled. Microsoft’s advisory notes that the “Nearby Sharing” feature is not enabled by default.

    This is the third vulnerability in the Windows Connected Devices Platform Service since 2022. Earlier this year, Microsoft patched CVE-2025-21207, a denial of service flaw in the service. In 2022, Microsoft patched CVE-2022-30212, an information disclosure flaw, as part of its July 2022 Patch Tuesday release.

    Tenable Solutions

    A list of all the plugins released for Microsoft’s July 2025 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

    For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

    Get more information

    Microsoft’s July 2025 Security Updates
    Tenable plugins for Microsoft July 2025 Patch Tuesday Security Updates

    Join Tenable’s Research Special Operations (RSO) Team on the Tenable Community.
    Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
