26 Sep 2025
Week in review
Greetings,
Cisco is warning customers to urgently patch two critical zero-day vulnerabilities affecting the VPN web server of its Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software. Both flaws, which the company confirmed have been exploited in the wild, pose serious risks to affected networks.
The first, tracked as CVE-2025-20333 with a CVSS score of 9.9, could allow an attacker with valid VPN credentials to execute arbitrary code as root by sending crafted HTTP requests. The second, CVE-2025-20362, with a CVSS score of 6.5, could enable unauthenticated attackers to access restricted URL endpoints. Cisco noted that attackers appear to be chaining the two vulnerabilities to bypass authentication and run malicious code on vulnerable devices.
The company credited international partners, including the ACSC, CISA and the UK’s NCSC, for assisting with the investigation. In response, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 25-03, requiring federal agencies to immediately identify, analyse and mitigate potential compromises. Both flaws have also been added to CISA’s Known Exploited Vulnerabilities catalogue, with a 24-hour deadline for applying mitigations.
CISA warned that the campaign, linked to the advanced threat cluster ArcaneDoor, is ongoing and widespread. Attackers are said to be leveraging these zero-day flaws to gain unauthenticated remote code execution on ASA devices, even manipulating read-only memory to persist through reboots and upgrades. Customers are strongly urged to apply patches without delay to defend against ongoing exploitation.
Fortra warns of max severity flaw in GoAnywhere MFT’s License Servlet
Date: 2025-09-19
Author: Bleeping Computer
Fortra has released security updates to patch a maximum severity vulnerability in GoAnywhere MFT's License Servlet that can be exploited in command injection attacks.
GoAnywhere MFT is a web-based managed file transfer tool that helps organizations securely transfer files and maintain audit logs of who accesses the shared files.
Tracked as CVE-2025-10035, this security flaw is caused by a deserialization of untrusted data weakness and can be exploited remotely in low-complexity attacks that don't require user interaction. While Fortra stated that the vulnerability was discovered over the weekend, it didn't specify who reported it or whether the flaw has been exploited in attacks.
Cisco warns of IOS zero-day vulnerability exploited in attacks
Date: 2025-09-24
Author: Bleeping Computer
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.6759/]
Cisco has released security updates to address a high-severity zero-day vulnerability in Cisco IOS and IOS XE Software that is currently being exploited in attacks.
Tracked as CVE-2025-20352, the flaw is due to a stack-based buffer overflow weakness found in the Simple Network Management Protocol (SNMP) subsystem of vulnerable IOS and IOS XE software, impacting all devices with SNMP enabled.
Authenticated, remote attackers with low privileges can exploit this vulnerability to trigger denial-of-service (DoS) conditions on unpatched devices. High-privileged attackers, on the other hand, can gain complete control of systems running vulnerable Cisco IOS XE software by executing code as the root user.
Microsoft Entra ID flaw allowed hijacking any company's tenant
Date: 2025-09-21
Author: Bleeping Computer
A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.
The fatal mix included undocumented tokens called “actor tokens” and a vulnerability in the Azure AD Graph API (CVE-2025-55241) that allowed the tokens to work with any organization’s Entra ID environment.
SolarWinds releases third patch to fix Web Help Desk RCE bug
Date: 2025-09-23
Author: Bleeping Computer
[AUSCERT has contacted potentially affected members about this vulnerability where possible]
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication.
Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
SolarWinds WHD is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance.
Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials
Date: 2025-09-24
Author: The Hacker News
Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS).
The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to compromise a target system by injecting a specially crafted HTML iframe element.
ESB-2025.6802 – Red Hat JBoss Enterprise Application Platform 7: CVSS (Max): 8.8
Red Hat has released important patches for Red Hat JBoss EAP 7.1 on RHEL 7 to fix multiple vulnerabilities, one of which has been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog.
ESB-2025.6809 – Tenable Security Center: CVSS (Max): 8.8
Tenable addresses PostgreSQL vulnerabilities in Security Center 6.5.1 and 6.6.0. The patch update mitigates risks of data exposure, denial of service, and other security weaknesses in the affected versions.
ESB-2025.6814 – Cisco Products: CVSS (Max): 9.9
Cisco has confirmed two critical zero-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) are actively being exploited in its ASA/FTD VPN web server appliances.
ESB-2025.6820 – GitLab Community Edition and Enterprise Edition: CVSS (Max): 7.5*
GitLab issued patch releases 18.4.1, 18.3.3 and 18.2.7, bringing a number of security and bug fixes and urging all self-managed installations to upgrade immediately.
Stay safe, stay patched and have a good weekend!
The AUSCERT team