Security Advisory: A critical vulnerability has been found in WatchGuard Firebox appliances that allows remote unauthenticated attackers to execute arbitrary code through an out-of-bounds write in the IKEv2 VPN process.
OEM: WatchGuard
Severity: Critical
CVSS Score: 9.3
CVEs: CVE-2025-9242
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
The vulnerability, tracked as CVE-2025-9242, affects multiple Fireware OS versions. Users and administrators are strongly advised to upgrade to the latest patched versions of Fireware OS immediately to stay protected.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Out-of-Bounds Write Vulnerability in IKEv2 Process | CVE-2025-9242 | WatchGuard Firebox appliances (Fireware OS) | Critical | See the Recommendations table below
Malicious actors could exploit an out-of-bounds write vulnerability in the iked process of WatchGuard Fireware OS.
Remote unauthenticated attackers can send crafted IKE_SA_INIT and IKE_SA_AUTH packets to trigger a stack-based buffer overflow in the ike2_ProcessPayload_CERT function, which copies payload data into a 520-byte stack buffer without proper bounds checking.
This affects VPN setups using IKEv2 or dynamic gateway peers, and the exposure can persist even after those configurations are deleted if any VPN with a static gateway peer is still active, because iked keeps listening on UDP port 500.
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-9242 | WatchGuard Firebox appliances with Fireware OS 11.10.2-11.12.4_Update1, 12.0-12.11.3, 2025.1 | Insufficient bounds checking in IKEv2 negotiations allows oversized identification payloads to cause a buffer overflow, enabling control-flow hijacking and ROP chains for code execution | Arbitrary Code Execution, System Compromise, Data Exfiltration, Ransomware Deployment, Pivoting to Internal Networks
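As an added illustration (example code written for this advisory, not WatchGuard's iked source, which is not shown here), the Python below parses IKEv2 generic payload headers and contrasts an unchecked copy of CERT payload data into a fixed 520-byte buffer with the length check that such a buffer requires. The 520-byte size is taken from the advisory; the payload layout follows RFC 7296 and the sample messages are constructed.

```python
import struct

# IKEv2 wire constants (RFC 7296): 28-byte IKE header, 4-byte generic payload header.
IKE_HEADER_LEN = 28
PAYLOAD_HDR_LEN = 4
NEXT_PAYLOAD_NONE = 0
PAYLOAD_CERT = 37            # Certificate payload type number
EXCHANGE_IKE_AUTH = 35
CERT_BUF_SIZE = 520          # fixed stack buffer size named in the advisory (assumed layout)


class PayloadTooLarge(ValueError):
    """Raised by the hardened handler when a CERT payload would not fit the buffer."""


def parse_payloads(msg: bytes):
    """Walk the payload chain after the IKE header, yielding (payload_type, payload_data).

    Length fields are validated against the datagram so a truncated or lying payload
    header cannot make the parser read past the end of the message.
    """
    if len(msg) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    next_type = msg[16]                      # Next Payload field of the IKE header
    offset = IKE_HEADER_LEN
    while next_type != NEXT_PAYLOAD_NONE:
        if offset + PAYLOAD_HDR_LEN > len(msg):
            raise ValueError("truncated payload header")
        nxt, _flags, plen = struct.unpack("!BBH", msg[offset:offset + PAYLOAD_HDR_LEN])
        if plen < PAYLOAD_HDR_LEN or offset + plen > len(msg):
            raise ValueError("payload length %d does not fit the message" % plen)
        yield next_type, msg[offset + PAYLOAD_HDR_LEN:offset + plen]
        next_type, offset = nxt, offset + plen


def copy_cert_unchecked(data: bytes) -> bytes:
    """The flawed pattern: copy as many bytes as the peer declared into a fixed buffer.

    In C this write runs past the 520-byte stack buffer; Python's bytearray simply
    grows, so the returned length shows how far the copy overran the buffer.
    """
    buf = bytearray(CERT_BUF_SIZE)
    buf[:len(data)] = data
    return bytes(buf)


def copy_cert_checked(data: bytes) -> bytes:
    """Hardened form: reject any CERT payload larger than the buffer before copying."""
    if len(data) > CERT_BUF_SIZE:
        raise PayloadTooLarge("CERT payload of %d bytes exceeds %d-byte buffer"
                              % (len(data), CERT_BUF_SIZE))
    buf = bytearray(CERT_BUF_SIZE)
    buf[:len(data)] = data
    return bytes(buf)


def process_message(msg: bytes, checked: bool = True):
    """Dispatch each payload; returns [(payload_type, bytes_handled)] for inspection."""
    handled = []
    for ptype, data in parse_payloads(msg):
        if ptype == PAYLOAD_CERT:
            copied = copy_cert_checked(data) if checked else copy_cert_unchecked(data)
            handled.append((ptype, len(copied)))
        else:
            handled.append((ptype, len(data)))
    return handled


def rejects_oversized_cert(msg: bytes) -> bool:
    """True when the hardened handler refuses the message because of an oversized CERT."""
    try:
        process_message(msg, checked=True)
    except PayloadTooLarge:
        return True
    return False


def build_message(payloads) -> bytes:
    """Construct an IKE_AUTH-style message carrying the given [(type, data)] chain.

    Constructed test input only: SPIs are dummies and no encryption is applied.
    """
    body = b""
    for i, (ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NEXT_PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HDR_LEN + len(data)) + data
    first = payloads[0][0] if payloads else NEXT_PAYLOAD_NONE
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x20,
                         EXCHANGE_IKE_AUTH, 0x08, 1, IKE_HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    # Constructed samples: a 100-byte CERT fits the buffer, a 600-byte CERT does not.
    print(process_message(build_message([(PAYLOAD_CERT, b"A" * 100)])))
    print(process_message(build_message([(PAYLOAD_CERT, b"A" * 600)]), checked=False))
    print(rejects_oversized_cert(build_message([(PAYLOAD_CERT, b"A" * 600)])))
```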
Recommendations:
Update to the resolved version for your branch from the table below.
Vulnerable Version | Resolved Version
2025.1 | 2025.1.1
12.x | 12.11.4
12.5.x (T15 & T35 models) | 12.5.13
12.3.1 (FIPS-certified release) | 12.3.1_Update3 (B722811)
11.x | End of Life
Additional recommendations:
- Disable unnecessary IKEv2 VPN configurations and restrict access to trusted networks only.
- Monitor logs for anomalous traffic.
- Implement network segmentation to limit lateral movement, and regularly audit VPN setups.
Conclusion: This critical vulnerability in WatchGuard Firebox appliances could allow remote attackers to achieve code execution and compromise perimeter defenses.
Although no exploitation in the wild has been observed, its unauthenticated nature and the detailed public analysis make it a significant security risk requiring immediate action. Upgrading to the fixed version and applying the recommended mitigations are strongly advised to ensure organizational security.
Summary: TP-Link's October 2025 security updates fix four vulnerabilities in its Omada Gateway devices, including multiple models commonly used in business networks.
The vulnerabilities allow attackers to execute remote commands, even without authentication, potentially compromising systems. Some vulnerabilities also let authenticated users inject commands or gain root access, which could lead to traffic interception, configuration changes or malware installation. Security teams are advised to update firmware immediately, review network configurations and change passwords to reduce the risk of exploitation.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score
OS Command Injection Vulnerability | CVE-2025-6542 | TP-Link Omada Gateways | Critical | 9.3
Command Injection Vulnerability | CVE-2025-7850 | TP-Link Omada Gateways | Critical | 9.3
Technical Summary:
TP-Link Omada Gateways allow attackers to run arbitrary commands. In the most critical case, CVE-2025-6542, a remote attacker can take full control of the device without authenticating to the web interface. Another flaw allows logged-in users to inject commands and gain root access. The issues show the risks of exposed management portals. TP-Link recommends updating firmware, limiting network access and monitoring systems for any signs of attack.
Vulnerability Details: Command injection exploitable after admin authentication on the web portal
Impact: System Compromise, Root-Level Control
Additional Vulnerabilities:
The following high-severity vulnerabilities were also addressed in the October 2025 TP-Link security updates for Omada Gateways:
Vulnerability Name | CVE ID | Affected Component | Severity
Authenticated Arbitrary OS Command Execution in Omada Gateways | CVE-2025-6541 | TP-Link Omada Gateways | High
Root Shell Access Under Restricted Conditions in Omada Gateways | CVE-2025-7851 | TP-Link Omada Gateways | High
Remediation:
Install the October 2025 firmware updates immediately via the TP-Link support portal to mitigate the risk. The table below lists the affected and fixed firmware versions for each model.
Model | Affected Versions | Fixed Version
ER8411 | < 1.3.3 Build 20251013 Rel.44647 | >= 1.3.3 Build 20251013 Rel.44647
ER7412-M2 | < 1.1.0 Build 20251015 Rel.63594 | >= 1.1.0 Build 20251015 Rel.63594
ER707-M2 | < 1.3.1 Build 20251009 Rel.67687 | >= 1.3.1 Build 20251009 Rel.67687
ER7206 | < 2.2.2 Build 20250724 Rel.11109 | >= 2.2.2 Build 20250724 Rel.11109
ER605 | < 2.3.1 Build 20251015 Rel.78291 | >= 2.3.1 Build 20251015 Rel.78291
ER706W | < 1.2.1 Build 20250821 Rel.80909 | >= 1.2.1 Build 20250821 Rel.80909
ER706W-4G | < 1.2.1 Build 20250821 Rel.82492 | >= 1.2.1 Build 20250821 Rel.82492
ER7212PC | < 2.1.3 Build 20251016 Rel.82571 | >= 2.1.3 Build 20251016 Rel.82571
G36 | < 1.1.4 Build 20251015 Rel.84206 | >= 1.1.4 Build 20251015 Rel.84206
G611 | < 1.2.2 Build 20251017 Rel.45512 | >= 1.2.2 Build 20251017 Rel.45512
FR365 | < 1.1.10 Build 20250626 Rel.81746 | >= 1.1.10 Build 20250626 Rel.81746
FR205 | < 1.0.3 Build 20251016 Rel.61376 | >= 1.0.3 Build 20251016 Rel.61376
FR307-M2 | < 1.2.5 Build 20251015 Rel.76743 | >= 1.2.5 Build 20251015 Rel.76743
Additional recommendations:
- Restrict network access to the management interface and allow trusted networks only.
- Apply least-privilege principles and conduct regular security audits of network devices.
- Disable remote management if it is not required, and segment networks to limit lateral movement.
Conclusion: No active exploitation has been observed, but organizations must prioritize firmware updates to prevent data breaches, malware and intrusions. Security teams should deploy updates immediately, enhance monitoring and implement mitigations to safeguard critical infrastructure.
Recall when Qantas, Australia's flagship airline, confirmed a cyberattack exposing data from its frequent flyer program and customer accounts. The affected data amounted to up to 6 million records, a staggering number. Exploits are malicious programs designed to take advantage of bugs or vulnerabilities in unpatched software or operating systems to gain unauthorised access. When left unpatched, these weak points act as open doors for cybercriminals.
Kaspersky research shows that the share of exploits targeting critical vulnerabilities in operating systems reached 64% in Q2 2025 (up from 48% in Q1 2025), with third-party apps (29%) and browsers (7%) following.
Unpatched Systems and Software Expose Businesses to Cyber Threats
The breach originated from a third-party customer service platform, proving that even indirect systems can expose millions of records. It looked like a clear case of unpatched software, although Qantas denied that any of its service platforms was vulnerable and said there was no sign the platform had been compromised.
Similarly, 1.5 billion records across 760 global companies were exposed to a data breach when Salesforce was hit; the hacking group claimed to have breached Salesforce through compromised integrations with third-party tools such as Drift and SalesLoft, stealing huge amounts of CRM data. The recent Salesloft Drift cyberattack may also have compromised some Google Workspace accounts.
The cases above are all about software vulnerabilities left unpatched. The latest data from cybersecurity and privacy company Kaspersky reveals that existing vulnerabilities in business networks continue to leave Malaysian enterprises exposed to cyberattacks.
Globally, in Q2 2025, the most common exploits targeted vulnerable Microsoft Office products with unpatched security flaws, according to Kaspersky's findings. Its solutions detected the most exploits on the Windows platform for the following vulnerabilities:
- CVE-2018-0802: Remote code execution vulnerability in the Equation Editor component
- CVE-2017-11882: Another remote code execution vulnerability in Equation Editor
- CVE-2017-0199: Vulnerability in Microsoft Office and WordPad allowing attackers to gain control of the system
The report also revealed that the top 10 most exploited vulnerabilities included both new zero-day flaws and older unpatched issues that organisations continue to overlook. A zero-day vulnerability is a software flaw discovered by attackers before the vendor is aware of it. As no patch exists at the time, zero-day attacks often succeed.
Key findings from Kaspersky reports to secure your unpatched systems
- Increased Exploitation: In the first half of 2025, more Windows and Linux users encountered vulnerability exploits compared to the previous year.
- Targeted Vulnerabilities: Common exploits in Q2 2025 targeted Microsoft Office products with unpatched security flaws, such as those in the Equation Editor (CVE-2018-0802 and CVE-2017-11882).
- End of Support: The end of free support for Windows 10 means millions of users will no longer receive critical security patches, leaving their systems vulnerable to new threats.
- High volume of attacks: Kaspersky solutions blocked over 700,000 exploits targeting Indian organizations in the first half of 2025, averaging more than 4,000 per day.
“Attackers increasingly use methods to escalate privileges and exploit weaknesses in digital systems. As the number of vulnerabilities continues to grow, it is very important to constantly prioritize patching known vulnerabilities and use software that can mitigate post-exploitation actions. CISOs should counter the consequences of exploitation by searching for and neutralizing command and control implants that can be used by attackers on a compromised system,” says Alexander Kolesnikov, a security expert at Kaspersky.
What Can Businesses Do to Remain Secure from Cyber Threats When Systems Are Unpatched?
Legacy systems and applications lack ongoing vendor support, leaving remote code execution vulnerabilities open to exploitation. These attacks enable full system control with little user interaction.
How to Fix:
Apply host-based intrusion prevention and virtual patching, and replace or containerize legacy apps. It is important to isolate critical workloads in secure enclaves, because legacy systems are prone to every kind of cyber threat and intrusion.
Further recommendations:
- Conduct 24/7 monitoring of your infrastructure, focusing on perimeter defenses and using tools that can detect and block malicious software.
- Use solutions for vulnerability assessment and patch management.
- Prioritize defense strategies and threat detection for threats such as phishing emails and web threats.
- Deploy comprehensive cybersecurity solutions that include incident response, employee training, and access to updated threat intelligence.
Overview: LinkPro rootkit targets GNU/Linux systems. LinkPro is a newly discovered Linux rootkit that leverages eBPF (extended Berkeley Packet Filter) technology to stealthily hide its presence on infected systems. The rootkit was uncovered by the Synacktiv CSIRT during an investigation of a compromised AWS infrastructure, where it was evading detection on Linux systems.
This threat was deployed in an AWS environment after attackers exploited a vulnerable Jenkins server to distribute a malicious Docker image containing a Rust downloader that fetched a memory-resident vShell backdoor. The rootkit's use of eBPF, a legitimate kernel feature, makes detection challenging because it operates at a low level within the Linux kernel.
By leveraging eBPF, the LinkPro backdoor evades detection by hiding its processes and network activity, and it can be activated remotely via a "magic packet".
Source: www.synacktiv.com
Issue Details: The attack, originating from a vulnerable Jenkins server, deployed a malicious Docker image across AWS EKS clusters, enabling credential theft and lateral movement. This highlights the misuse of eBPF for advanced persistent threats (APTs) in cloud environments.
The LinkPro rootkit targets GNU/Linux systems, exploiting eBPF kernel capabilities to achieve stealth and remote activation.
It embeds multiple ELF modules, including two eBPF programs that hook into critical kernel system calls like getdents and sys_bpf to hide files, processes, and its own presence from detection tools.
If kernel support for these hooks is unavailable, LinkPro falls back to user-space concealment by loading a malicious shared library via /etc/ld.so.preload. This sophisticated rootkit deploys an advanced network packet filtering mechanism, activating only upon receiving a specific “magic packet” (a TCP SYN with a window size of 54321), allowing the attacker to control the system covertly.
LinkPro masquerades as the legitimate systemd-resolved service for persistence and uses encrypted channels such as HTTP, DNS tunneling, and raw TCP/UDP for command and control. Its design enables attackers to execute arbitrary commands, perform file operations, and establish proxy tunnels, making it a highly adaptable and stealthy tool for persistent intrusions targeting cloud-native Linux systems.
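As an added detection example (written for this write-up, not Synacktiv's or the malware's code), the Python below decodes raw IPv4/TCP headers and flags the activation signature described above, a TCP SYN with window size 54321, and lists any libraries registered in /etc/ld.so.preload, the user-space fallback mentioned above. The packets are constructed inline; requiring the ACK flag to be clear and the placeholder library path are assumptions.

```python
import struct
from typing import List, Optional, Tuple

MAGIC_WINDOW = 54321        # TCP window size reported as the LinkPro activation trigger
TCP_SYN = 0x02
TCP_ACK = 0x10
IP_PROTO_TCP = 6

TcpInfo = Tuple[str, str, int, int, int, int]   # src, dst, sport, dport, flags, window


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpInfo]:
    """Decode the IPv4 and TCP headers of a raw packet; None if it is not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != IP_PROTO_TCP or len(frame) < ihl + 20:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", frame[ihl:ihl + 16])
    return src, dst, sport, dport, off_flags & 0x01FF, window


def is_magic_packet(frame: bytes) -> bool:
    """True for an initial SYN (SYN set, ACK clear) whose window field equals the magic value.

    Requiring ACK to be clear is an assumption made here so ordinary SYN-ACK replies that
    happen to advertise the same window are not reported.
    """
    info = parse_ipv4_tcp(frame)
    if info is None:
        return False
    flags, window = info[4], info[5]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and window == MAGIC_WINDOW


def scan_frames(frames: List[bytes]) -> List[Tuple[str, str, int]]:
    """Return (src, dst, dport) for every frame carrying the activation signature."""
    alerts = []
    for frame in frames:
        if is_magic_packet(frame):
            src, dst, _sport, dport, _flags, _window = parse_ipv4_tcp(frame)
            alerts.append((src, dst, dport))
    return alerts


def preload_libraries(ld_so_preload_text: str) -> List[str]:
    """List library paths in /etc/ld.so.preload content; on a clean host this is normally empty."""
    libs = []
    for line in ld_so_preload_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            libs.extend(line.split())
    return libs


def build_frame(src: str, dst: str, sport: int, dport: int, flags: int, window: int) -> bytes:
    """Construct a minimal IPv4+TCP frame for testing (checksums deliberately left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IP_PROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed sample traffic: an ordinary SSH SYN, the magic SYN, and a SYN-ACK with the same window.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40000, 22, TCP_SYN, 65535),
    build_frame("203.0.113.7", "10.0.0.9", 51234, 443, TCP_SYN, MAGIC_WINDOW),
    build_frame("10.0.0.9", "203.0.113.7", 443, 51234, TCP_SYN | TCP_ACK, MAGIC_WINDOW),
]

if __name__ == "__main__":
    print(scan_frames(SAMPLE_FRAMES))
    # Constructed /etc/ld.so.preload content with a placeholder library path.
    print(preload_libraries("# constructed example\n/tmp/example-hook.so\n"))
```

Feeding real captures to scan_frames requires stripping the link-layer header first; the parser expects the IPv4 header at offset 0.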
Attack Flow
IOCs
IOC Type | Indicator | Description
Network | /api/client/file/download?Path=… | URL used to download tools/payloads onto the compromised host.
- Patch the vulnerable Jenkins server (CVE-2024-23897) to prevent initial access.
- Restrict public exposure of CI/CD tools and enforce strict network segmentation.
- Monitor for suspicious Docker container deployments and unexpected host filesystem mounts.
- Watch for unusual or unauthorized eBPF program activity using kernel auditing tools.
- Regularly update Linux kernels and apply available security patches.
Conclusion: The LinkPro rootkit is an advanced Linux malware that uses eBPF at the kernel level to stay hidden and persist on systems.
It spreads through Jenkins vulnerabilities, container escapes and remote activation, highlighting the vigilance organizations must maintain to continuously monitor and secure their environments.
To protect against it, companies should focus on timely patching and on monitoring for suspicious activity.
If you are planning to trade digital assets online, think twice: there is a good chance you will fall into a scammer's lap, as fake trading platforms exploit retail traders seeking quick gains amid volatile crypto and stock markets.
According to sources, around 1,400 illegal online trading domains and websites operating out of Eastern Europe and Germany were taken down, marking one of the largest coordinated crackdowns on cyber-trading fraud in the region. The operation, named "Operation Heracles", took 1,406 active illegal domains offline in cooperation with the European police authority Europol and Bulgarian law enforcement authorities. German investigators and the banking watchdog BaFin decided to shut down these websites after the cyber-trading fraud came to light.
Modus Operandi of the Scammers
First, users were lured with promises of good returns through sophisticated online ads and social media campaigns before being connected to brokers working from call centers abroad. The shuttered websites displayed huge returns and exciting offers and convinced victims to invest substantial sums, often promising high returns through forex, crypto, or stock trading.
The scammers operated fake trading platforms without a licence from BaFin and used call centers to encourage victims to invest money in the scheme.
The scammers posed as an international agency but deliberately targeted the German market and people residing in Germany. Since the affected websites were redirected on October 3, authorities have recorded around 866,000 hits on the seized pages, showing the scale of the issue.
The sites' users were directed to brokers operating from overseas call centers, who then persuaded them to invest large amounts of funds. Many victims realized only after months that their money had never actually been invested, authorities said.
“The perpetrators are getting more professional,” said Birgit Rodolphe from BaFin. They use artificial intelligence to mass-produce illegal sites and trap investors into handing over money.
The operation follows the closure of 800 illegal domains in June this year. Since then, there have been around 20 million attempts to access the sites that have been blocked.
The Alarming Rise of Online Cyber-fraud
The digital world offers incredible opportunities to earn within a short time, but scammers lurk everywhere harbouring sinister plans, a reminder of the stark dangers.
This incident serves as a crucial warning to anyone considering online investments.
Here are a few important guidelines to protect yourself from similar trading fraud:
- Unrealistic promises of high returns are a sure sign of a scam. All legitimate investments carry some degree of risk.
- Be extremely wary of unexpected calls, messages, or emails from individuals or groups promoting investment opportunities.
- Scammers use tactics that create a sense of urgency, urging you to invest quickly and discouraging you from reading whole documents or contracts.
- Always verify the legitimacy of any trading application or website: check whether it holds regulatory licences and watch for any sign of unprofessionalism.
- Be alert to requests for transfers to personal accounts. Legitimate investment firms will never ask you to transfer money into personal bank accounts; all transactions should go through official, regulated channels.
- Fraudsters often impersonate famous financial institutions or advisors, so it is important to always cross-reference their claims.
- Report the issue to the police as soon as possible. You will need a crime number from the police to help you work with your bank and other organizations.
Approaches to dealing with cybercrime-related financial loss
How you can try and get your money back very much depends on how the money was stolen. Here we are going to focus on four different approaches:
1) Authorised payments (where you were tricked into making a payment),
2) Unauthorised payments (where the criminal actually carried out the payment using your accounts),
3) ID fraud (where you have been impersonated with a financial organisation) and
4) Card fraud (where the money was transferred by a credit or debit card payment).
Seminar Titled ‘Impact of Cyber Attacks on Maritime Sector and its Effects on National Security and International Relations’
The event in Delhi, organized by the Indian Navy, addresses cyber threats in the maritime domain, how those threats bear on national security, and their impact.
The event is organized at a time when geopolitics is evolving; the seminar aims to deepen understanding of cyber threats in the maritime domain and to foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.
Cyber threats are evolving and looming over the maritime sector as the maritime industry steps into the world of cyber risk. That risk is vast, ranging from ransomware capable of shutting down port operations to GPS attacks that halt the steering of vessels, as hackers get more creative.
Any cyber threat to the maritime sector also involves national security; the sector is not an isolated target of cyber criminals. Maritime security involves trade, global logistics, oil and gas, and defence, which are major reasons to map maritime cyber threats to national security.
With the aim of deepening understanding of cyber threats in the maritime domain, the Indian Navy is organizing the seminar.
The seminar, titled ‘Impact of Cyber Attacks on Maritime Sector and Its Effects on National Security and International Relations’, aims to foster collaboration among key stakeholders to enhance cybersecurity and strengthen the national cybersecurity posture.
Jitin Prasada, Minister of State in the IT Ministry, will deliver the keynote address during the inaugural session. The seminar will feature panel discussions, each led by distinguished experts from the ministries and organizations.
The seminar aims to advance Hon’ble PM’s vision of MAHASAGAR (Mutual and Holistic Advancement for Security and Growth Across the Regions) by reinforcing a safe, secure cyberspace, and echoes the call for ‘Aatmanirbhar Bharat’ through indigenous, secure-by-design digital systems and robust public-private partnership.
Aligned with Maritime India Vision 2030 and the Amrit Kaal Vision 2047, the seminar positions cybersecurity as a core enabler of port-led growth, smart logistics, offshore energy security, and mission critical naval operations.
Participating organizations include the Ministry of Ports, Shipping and Waterways, the Ministry of Petroleum and Natural Gas (MoPNG), the National Security Council Secretariat (NSCS), the Gas Authority of India Limited (GAIL), the Directorate General of Hydrocarbons (DGH), the Indian Computer Emergency Response Team (CERT-In), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the National Maritime Foundation (NMF), as well as leaders from private organisations.
The topics for panel discussions are ‘Global Cyber Threats to Maritime Infrastructure,’ ‘Civil and Military Partnership,’ and ‘Maritime Sector as Critical Information Infrastructure’.
Summary: Fortinet has disclosed and patched multiple critical security vulnerabilities impacting several of its core products, including FortiPAM, FortiSwitch Manager and FortiOS platforms.
The vulnerabilities encompass issues such as improper privilege escalation, heap-based buffer overflow, weak authentication, improper certificate validation, denial-of-service risk, and race condition flaws in authentication modules.
Among the high-severity issues are a weak authentication mechanism vulnerability (CVE-2025-49201) in FortiPAM and FortiSwitch Manager, and a heap overflow flaw (CVE-2025-57740) in the SSL VPN RDP bookmark functionality.
These vulnerabilities pose significant risks to enterprise environments, potentially allowing attackers to bypass authentication controls or execute arbitrary code within targeted systems. Users and administrators are urged to update to the patched versions.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Weak Authentication Mechanism | CVE-2025-49201 | FortiPAM, FortiSwitch Manager | High | FortiPAM 1.5.1, 1.4.3 or later / FortiSwitch Manager 7.2.5 or later
Multiple critical and medium-severity vulnerabilities have been identified across several Fortinet products, including FortiOS, FortiPAM, FortiProxy, FortiAnalyzer, and FortiSwitchManager.
Other vulnerabilities could allow attackers to escalate privileges, execute unauthorized code, or bypass authentication, threatening system integrity and confidentiality.
Additional flaws may enable unauthenticated users to disrupt services, intercept network traffic, or exploit race conditions to gain improper access within centralized management and authentication platforms. Fortinet has released security updates; deploy the patches quickly to ensure resilience against exploitation and to protect enterprise assets.
CVE ID | Component Affected | Vulnerability Details | Impact
CVE-2025-49201 | FortiPAM, FortiSwitch Manager | This flaw enables remote attackers to bypass authentication by sending specially crafted HTTP requests, allowing unauthorized code or command execution within privileged access management and switch management interfaces. | -
CVE-2025-57740 | SSL VPN RDP bookmark feature | This heap-based buffer overflow in the SSL VPN RDP bookmark feature can be triggered by authenticated users through crafted bookmark data, resulting in memory corruption and possible code execution in the VPN context. | Remote Code Execution / System Compromise
CVE-2025-58325 | FortiOS | A CLI command functionality bypass allows attackers to execute restricted administrative commands through improper input validation, potentially escalating privileges or modifying critical system parameters. | Privilege Escalation / Remote Code Execution
CVE-2025-57741 | FortiProxy | This heap overflow vulnerability in FortiProxy's SSL VPN RDP bookmarks can result in memory corruption, giving attackers a pathway to execute arbitrary code remotely during VPN session initialization. | Remote Code Execution / Service Compromise
Additionally, multiple vulnerabilities have been disclosed that enable remote authentication bypass and include other issues with significant impact potential.
Vulnerability Name | CVE ID | Affected Component | Severity
FGFM protocol allows unauthenticated reset of the connection | - | - | -
Insufficient Session Expiration in SSLVPN using SAML authentication | CVE-2025-25252 | FortiOS | Medium
Missing authentication check in OFTP service | CVE-2025-53845 | FortiAnalyzer | Medium
Race condition in FortiCloud SSO SAML authentication | CVE-2025-54973 | FortiAnalyzer | Medium
Stack-based buffer overflow in FortiToken import feature | CVE-2025-46718 | FortiOS, FortiProxy | Medium
Recommendations
Update Fortinet products to the following fixed versions as soon as possible, and check the current fixed versions on the Fortinet website:
- FortiPAM: Upgrade to version 1.5.1 or later, or 1.4.3 or later
- FortiSwitch Manager: Upgrade to version 7.2.5 or higher
- FortiOS: Upgrade to versions 7.6.6+, 7.4.9+, 7.2.11+ or 7.0.16+ depending on the release series
- FortiProxy: Upgrade to 7.6.3+ or 7.4.9+ (or the latest version)
- FortiAnalyzer: Upgrade to 7.6.3+, 7.4.7+, 7.2.11+ or 7.0.14+ (or the latest version)
Patches are available and should be applied immediately. For environments where immediate patching is not feasible, you can also follow the recommendations below:
- Enable multi-factor authentication (MFA) to reduce the risk of unauthorized access
- Restrict network access to management interfaces to trusted personnel only
- Monitor logs for unusual brute-force attempts or anomalous login activity
- Apply the principle of least privilege to limit access to VPN and management services
- Use firewalls with strict allow-listing to block external attack vectors to vulnerable services
Conclusion: The recent Fortinet advisories underscore the critical importance of timely vulnerability management, particularly for products controlling privileged access and remote connectivity.
The flaws in authentication and memory management can jeopardize the security posture of enterprise environments.
Organizations should urgently apply patches, monitor for suspicious login and session activity, and implement proactive security measures to reduce exploitation risks. Proactive response and regular updates are essential to maintaining robust security against evolving threats targeting critical infrastructure.
Summary: Microsoft's October 2025 Patch Tuesday fixes 175 security vulnerabilities across Windows, Office, Azure, .NET and other products. It includes patches for six zero-day vulnerabilities: three that have been exploited and three that were publicly known.
Microsoft advises immediate deployment of the updates and removal of the affected drivers, while assessing legacy fax hardware for compatibility issues introduced by the driver removal in this month's update.
The October 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services.
OEM: Microsoft
Severity: Critical
Date of Announcement: 2025-10-14
No. of Patches: 175
Actively Exploited: Yes
Exploited in Wild: Yes
Advisory Version: 1.0
Overview
Major fixes address serious remote code execution issues in Office and WSUS, along with privilege escalation vulnerabilities in Windows and Azure. The update also removes the Agere Modem driver, which could affect older fax devices. Users and administrators are urged to apply the update immediately to stay protected.
CVE counts for Microsoft and non-Microsoft products:
- 175 Microsoft CVEs addressed
- 21 non-Microsoft CVEs addressed (republished)
Breakdown of October 2025 Vulnerabilities
- 80 Elevation of Privilege (EoP)
- 31 Remote Code Execution (RCE)
- 28 Information Disclosure
- 11 Denial of Service (DoS)
- 11 Security Feature Bypass
- 12 Spoofing
- 2 Tampering
Source: Microsoft
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score
Windows Agere Modem Driver Elevation of Privilege Vulnerability | CVE-2025-24990 | Windows 10, 11, Server 2016-2022 | High | 7.8
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | CVE-2025-59230 | Windows 10, 11, Server 2016-2022 | High | 7.8
Secure Boot Bypass Vulnerability in IGEL OS | CVE-2025-47827 | IGEL OS | Medium | 4.6
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability | CVE-2025-59287 | Windows Server | Critical | 9.8
Microsoft Office Remote Code Execution Vulnerability | CVE-2025-59234 | Microsoft Office | High | 7.8
Microsoft Excel Remote Code Execution Vulnerability | CVE-2025-59236 | Microsoft Excel (2016-2021) | High | 8.4
Technical Summary
The October 2025 Patch Tuesday security updates address remote code execution, privilege escalation and information disclosure vulnerabilities in core Windows components, Office applications and Azure cloud services.
Three zero-days are actively exploited, including CVE-2025-24990 in the Agere Modem driver, where attackers can abuse the third-party component to gain administrative privileges without the modem hardware being active, leading to local system compromise.
Additionally, CVE-2025-59230 exposes improper access controls in Windows Remote Access Connection Manager, enabling an authorized local attacker to escalate to SYSTEM privileges with moderate effort.
CVE ID | System Affected | Vulnerability Details | Impact
CVE-2025-24990 | Windows Agere Modem Driver | Third-party driver abused for admin privileges; removed in the updates, which may break fax modem hardware | Privilege Escalation
CVE-2025-59230 | Windows Remote Access Connection Manager | Improper access control allows local attackers to gain SYSTEM privileges | Privilege Escalation
- CVE-2016-9535: LibTIFF Heap Buffer Overflow – RCE via malformed TIFF files in image processing. (Critical)
- CVE-2025-59291 & CVE-2025-59292: Azure Container Instances/Compute Gallery EoP – External file path control for local privilege escalation. (Critical)
Key Affected Products and Services
- Windows Core and Security Components: Updates for Windows Kernel, NTFS, BitLocker, NTLM, SMB, WinSock, PrintWorkflowUserSvc and Remote Desktop Services, with several vulnerabilities rated CVSS 7.8 or higher.
- Microsoft Office Suite: Patches for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, particularly via malicious file execution.
- Azure and Cloud Services: Fixes for Azure Entra ID, Monitor Agent, Connected Machine Agent, PlayFab and Confidential Container Instances.
- Virtualization and Hyper-V: Vulnerabilities in Hyper-V and Virtual Secure Mode, including privilege escalation and DoS risks.
- Developer and Management Tools: Updates for PowerShell, Visual Studio and Configuration Manager addressing local privilege escalation.
- Communication and File Services: Patches for SMB, WSUS, and Connected Devices Platform with critical RCE and lateral movement risks.
- Browsers and Web Technologies: Microsoft Edge (Chromium-based) updates, including republished Chrome CVEs.
Remediation:
Install the October 2025 security updates immediately to mitigate risks.
Additional recommendations:
- Use EDR tools to monitor for indicators such as Office crashes or suspicious log entries.
- Disable unused services to prevent remote access or other exploitation.
- Apply least-privilege access in Office and Azure environments.
- Segment networks to reduce lateral movement.
Conclusion: Critical RCE flaws in Office and WSUS, along with privilege escalation bugs, pose significant risks of ransomware, data theft and lateral movement. Administrators, users and security teams should deploy patches immediately, enhance monitoring and apply mitigations to reduce exposure.
Summary : Security Advisory: Ivanti has publicly disclosed 13 vulnerabilities affecting its Endpoint Manager (EPM) 2024 and earlier releases. These include two high-severity issues, one enabling remote code execution (RCE) and the other privilege escalation, alongside eleven medium-severity SQL injection flaws. Successful exploitation could lead to privilege escalation or remote code execution.
OEM: Ivanti
Severity: High
CVSS Score: 8.8
CVEs: CVE-2025-11622, CVE-2025-9713 and eleven SQL injection CVEs
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
These vulnerabilities are a serious concern for enterprise environments, as they could permit attackers to gain unauthorized access, execute arbitrary code, or extract sensitive database information from vulnerable EPM servers.
Administrators are urged to update to the fixed versions as soon as they are released and to apply the interim mitigations below to prevent exploitation.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Insecure Deserialization | CVE-2025-11622 | Ivanti Endpoint Manager 2024 SU3 SR1 and prior | High | 2024 SU4
Path Traversal – Remote Code Execution | CVE-2025-9713 | Ivanti Endpoint Manager 2024 SU3 SR1 and prior | High | 2024 SU4
Technical Summary
Two high-severity vulnerabilities in Ivanti Endpoint Manager significantly increase the risk to affected systems. The first is an insecure deserialization flaw that may allow a local authenticated attacker to elevate privileges and gain unauthorized access to sensitive functions or data.
The second is a path traversal flaw that can lead to remote code execution when triggered by a remote unauthenticated attacker, provided a user performs the required interaction. In addition, multiple SQL injection flaws have been identified across various components of the application. These could be exploited by remote authenticated users to retrieve unauthorized information from the backend database, potentially exposing sensitive data.
These vulnerabilities underscore the importance of secure coding practices, strict validation of user-supplied input, and timely patching to minimize risk and protect system assets.
CVE ID | Component Affected | Vulnerability Details | Impact
CVE-2025-11622 | Ivanti Endpoint Manager | Allows a local authenticated attacker to escalate privileges on the EPM Core server by abusing its deserialization routines. | Privilege Escalation / Remote Code Execution
CVE-2025-9713 | Ivanti Endpoint Manager | Allows a remote unauthenticated attacker to achieve remote code execution; user interaction is required to trigger the malicious file import or configuration action. | Remote Code Execution / System Compromise
Ivanti has additionally released eleven CVEs for SQL injection vulnerabilities that permit remote authenticated attackers to read arbitrary data from the database.
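The path traversal class described for CVE-2025-9713 (insufficient validation of a filename supplied to an import action) is worth seeing in code. The following is an added example for this advisory, not Ivanti's code and not a reproduction of the actual flaw: it places the vulnerable join-the-name-as-given pattern beside a hardened resolver that rejects separators and traversal, allowlists the extension, and confirms the realpath-resolved target is still under the import directory. The import directory, the candidate filenames and the `.xml` allowlist are assumptions constructed for the demo.

```python
"""Filename validation for a file-import handler: vulnerable vs hardened.

Added example for this advisory; it is not Ivanti's code and does not
reproduce CVE-2025-9713. It illustrates the flaw class the advisory describes
(path traversal through insufficient filename validation on an import
action). The import directory, filenames and the .xml allowlist are
assumptions constructed for the demo.
"""
import os

IMPORT_DIR = "/srv/epm/imports"          # assumed import location
ALLOWED_EXTENSIONS = (".xml",)           # assumed allowlist of importable types


def resolve_unsafe(import_dir, filename):
    """Vulnerable pattern: the client-supplied name is joined as-is.
    '../' segments walk out of import_dir, and an absolute name makes
    os.path.join discard import_dir entirely."""
    return os.path.join(import_dir, filename)


def resolve_safe(import_dir, filename):
    """Hardened pattern. Returns the resolved path, or None if rejected.

    1. Reject anything that is not a bare file name (either separator,
       empty, '.' or '..').
    2. Allowlist the extension.
    3. Resolve symlinks with realpath and confirm the result is still under
       import_dir, so a symlink planted inside the directory cannot redirect
       the write elsewhere.
    """
    if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
        return None
    if not filename.lower().endswith(ALLOWED_EXTENSIONS):
        return None
    root = os.path.realpath(import_dir)
    target = os.path.realpath(os.path.join(root, filename))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def check_filenames(filenames, import_dir=IMPORT_DIR):
    """Map each candidate to (unsafe_result, safe_result) for comparison.
    The unsafe result is normalized so the traversal outcome is visible."""
    return {
        name: (os.path.normpath(resolve_unsafe(import_dir, name)), resolve_safe(import_dir, name))
        for name in filenames
    }


# Constructed candidates: one legitimate upload and several traversal attempts.
CANDIDATES = [
    "policy.xml",
    "../../../etc/passwd",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
    "agent.exe",
    "..",
]

if __name__ == "__main__":
    for name, (unsafe, safe) in check_filenames(CANDIDATES).items():
        print(f"{name!r:32} unsafe -> {unsafe:32} safe -> {safe}")
```

Two details matter in practice. The backslash is rejected explicitly because on a POSIX host `os.path.basename` treats it as an ordinary character, so a name that is harmless on Linux becomes a traversal once the same code runs on Windows. And the `commonpath` check is done on realpath-resolved paths, which is what catches a symlink inside the import directory pointing at a sensitive location; a plain string-prefix test on the unresolved path would not.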
Update Ivanti Endpoint Manager to the following versions once they are available:
2024 SU4 for the high-severity vulnerabilities (targeted release November 12, 2025)
2024 SU5 for the SQL injection vulnerabilities (scheduled Q1 2026)
The patches are still under development; until they ship, the following mitigations reduce exposure:
Run Ivanti EPM 2024 SU3 SR1, which reduces the risk associated with the insecure deserialization vulnerability.
Limit access to the EPM Core server to local administrators only.
Use a firewall with a strict allowlisting configuration to block remote access to the Core server.
Do not import untrusted configuration files into the EPM Core server.
Remove the reporting database user from the EPM configuration to mitigate the SQL injection vulnerabilities. Note that this disables reporting functionality, because the reporting database user is required to run reports.
Conclusion: These vulnerabilities pose a significant threat to organizations relying on Ivanti Endpoint Manager for enterprise device management, potentially enabling privilege escalation, remote code execution, and unauthorized data access. Enterprises are strongly urged to implement Ivanti’s recommended mitigations without delay to reduce immediate risk. Additionally, organizations should prepare for the timely deployment of the upcoming security updates as they become available. Proactive action is essential to maintaining the security and integrity of endpoint management infrastructure.
Summary : Security Advisory: Elastic has disclosed a vulnerability in Elastic Cloud Enterprise (ECE) that allows attackers with admin access to steal sensitive data or execute arbitrary commands through Jinjava template injection. The flaw affects ECE versions from 2.5.0 up to and including 3.8.1, and versions 4.0.0 through 4.0.1.
OEM: Elastic (Elastic Cloud Enterprise, ECE)
Severity: Critical
CVSS Score: 9.1
CVEs: CVE-2025-37729
POC Available: No
Actively Exploited: No
Exploited in Wild: No
Advisory Version: 1.0
Overview
The vulnerability, tracked as CVE-2025-37729, affects ECE versions from 2.5.0 up to and including 3.8.1, and versions from 4.0.0 up to and including 4.0.1. Users and administrators are strongly advised to upgrade to a fixed version of ECE immediately to stay protected.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version
Improper Neutralization of Special Elements Vulnerability | CVE-2025-37729 | Elastic Cloud Enterprise | Critical | v3.8.2 & v4.0.2
Technical Summary
Improper neutralization of special elements in strings that are evaluated as Jinjava variables allows a specially crafted string to issue commands.
Malicious actors could exploit this improper neutralization of special characters in the Jinjava template engine used by ECE.
Attackers with admin-level access to the ECE admin console, on deployments with the Logging+Metrics feature enabled, can inject malicious Jinjava expressions through specially crafted payloads. This can allow them to exfiltrate sensitive data or execute arbitrary commands on the system.
Vulnerability Details: Improper sanitization of user-supplied input in Jinjava templates allows admin users to inject malicious expressions, enabling code execution and data exfiltration.
Impact: Sensitive Data Leakage, Arbitrary Command Execution, Potential Full System Compromise
Recommendations:
Upgrade Elastic Cloud Enterprise to v3.8.2 or v4.0.2, or a later release.
Here are some recommendations below
Restrict admin access to the ECE admin console to trusted accounts only.
Monitor the request logs for malicious payloads using the query “payload.name : int3rpr3t3r or payload.name : forPath”.
Implement strict access controls and regularly audit admin privileges.
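The query above is easy to run in the stack itself, but the same logic is often needed offline against exported request logs. The following is an added example for this advisory, not Elastic's tooling and not code from the original page: it implements the quoted detection (`payload.name` containing `int3rpr3t3r` or `forPath`) over newline-delimited JSON, and goes one step beyond the advisory by also flagging Jinjava expression delimiters (`{{` or `{%`) in any string nested inside the payload. The record layout and the sample log lines are constructed for illustration; the delimiter heuristic should be tuned before use, since legitimate templated values will trip it.

```python
"""Hunt for Jinjava template-injection attempts in ECE request logs.

Added example for this advisory; it is not Elastic's tooling and not code
from the original page. It implements the detection logic of the query the
advisory quotes (payload.name : int3rpr3t3r or payload.name : forPath) over
JSON request-log lines, and goes one step further by flagging Jinjava
expression delimiters ({{ or {%) in any string inside the payload. The
record layout and the sample lines are constructed for illustration.
"""
import json
import re

# Names from the advisory's query. Substring match is deliberate: Jinjava's
# interpreter variable carries extra underscores around int3rpr3t3r.
INDICATOR_NAMES = ("int3rpr3t3r", "forPath")

# Heuristic beyond the advisory: Jinjava expression/statement openers.
TEMPLATE_DELIMITERS = re.compile(r"\{\{|\{%")


def iter_strings(obj):
    """Yield every string value nested anywhere inside a parsed JSON object."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def classify(record):
    """Return 'advisory-indicator', 'template-syntax' or None for one record."""
    payload = record.get("payload")
    if not isinstance(payload, dict):
        return None
    name = str(payload.get("name", ""))
    if any(indicator in name for indicator in INDICATOR_NAMES):
        return "advisory-indicator"
    if any(TEMPLATE_DELIMITERS.search(s) for s in iter_strings(payload)):
        return "template-syntax"
    return None


def scan(lines):
    """Parse newline-delimited JSON and return (line_no, user, verdict) hits.
    Lines that are not valid JSON are skipped rather than aborting the hunt."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(record)
        if verdict:
            hits.append((line_no, record.get("user", "?"), verdict))
    return hits


# Constructed request-log lines (not real ECE telemetry).
SAMPLE_LOG = [
    '{"user":"admin","path":"/api/v1/deployments","payload":{"name":"logging-and-metrics","value":"enabled"}}',
    '{"user":"admin","path":"/api/v1/deployments","payload":{"name":"____int3rpr3t3r____","value":"x"}}',
    '{"user":"ops","path":"/api/v1/deployments","payload":{"name":"forPath","value":"/tmp"}}',
    '{"user":"admin","path":"/api/v1/deployments","payload":{"name":"cluster-name","tags":["{{ 7 * 7 }}"]}}',
    'not a json line at all',
    '{"user":"auditor","path":"/api/v1/users","payload":{"name":"report","value":"plain text"}}',
]

if __name__ == "__main__":
    for line_no, user, verdict in scan(SAMPLE_LOG):
        print(f"line {line_no}: user={user} verdict={verdict}")
```

Because exploitation requires an admin account, the `user` column of a hit is the pivot: an advisory-indicator hit tells you which admin credential to treat as compromised, which is the audit the access-control recommendation above is aimed at.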
Conclusion: This is a critical vulnerability in Elastic Cloud Enterprise that could allow attackers to exfiltrate data and execute arbitrary commands.
Although exploitation requires administrative access, its high impact makes it a major security risk that needs immediate action. Organizations are strongly advised to upgrade to a fixed version and apply the recommended actions to stay secure.