Infosec

Security Advisory

Microsoft Patch Tuesday has 86 Fixes, 2-0Day Vulnerabilities

September 2025 Patch Tuesday update, addressing 86 security issues in products like Microsoft Windows, Microsoft Office etc.

This includes two publicly known zero-day bugs in the Windows SMB Server and another in Newtonsoft.Json. Here are the CVE addressed for Microsoft & non-Microsoft.

Organizations are strongly encouraged to prioritize patching of systems tied to network services, virtualization and productivity tools to mitigate risks of exploitation. 

OEM Microsoft 
Severity Critical 
Date of Announcement 2025-09-09 
No. of Patches 86 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Here are the CVE addressed for Microsoft & non-Microsoft 

  • 81 Microsoft CVEs addressed 
  • 5 non-Microsoft CVEs addressed 

Breakdown of September 2025 Vulnerabilities 

  • 41 Elevation of Privilege (EoP) 
  • 22 Remote Code Execution (RCE) 
  • 16 Information Disclosure 
  • 4 Denial of Service (DoS) 
  • 2 Security Feature Bypass 
  • 1 Spoofing  
Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Windows SMB Elevation of Privilege Vulnerability  CVE-2025-55234 Windows Server, Windows 10, 11  High 8.8 
Improper Handling of Exceptional Conditions in Newtonsoft.Json CVE-2024-21907 Microsoft SQL Server High 7.5 

Technical Summary 

September 2025 Patch Tuesday includes security updates addressing denial-of-service and privilege escalation vulnerabilities in commonly used libraries and services.

One of the publicly disclosed zero-day CVE-2024-21907 affects the popular .NET library Newtonsoft.Json, where deserialization of crafted JSON can lead to application crashes.

Additionally, CVE-2025-55234 highlights a potential for relay attacks in SMB Server configurations that lack hardening measures such as signing and Extended Protection for Authentication (EPA). Microsoft advises assessing current SMB deployments using new audit capabilities introduced in this month’s updates. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-55234 Microsoft SMB Server Lack of hardening (signing & EPA) in SMB Server can allow attackers to perform relay attacks, potentially resulting in elevation of privilege. Privilege Escalation 
CVE-2024-21907 Newtonsoft.Json < 13.0.1 Improper handling of crafted input to JsonConvert.DeserializeObject may trigger a StackOverflowException, leading to a denial-of-service condition. Denial of Service 

Source: Microsoft and NVD 

In addition to the publicly disclosed zero day vulnerability, several other Critical & High severity issues were addressed 

  • CVE202555232: Microsoft High Performance Compute Pack (HPC), deserialization of untrusted data vulnerability enabling unauthorized remote code execution over a network interface. 
  • CVE202554918: Windows NTLM, improper authentication vulnerability that enables elevation of privilege over a network, with potential for lateral movement across enterprise systems. 
  • CVE202554110: Windows Kernel, integer overflow vulnerability allowing local privilege escalation through exploitation of kernel memory operations. 
  • CVE202554098: Windows Hyper-V, improper access control flaw permitting local privilege escalation from guest to host in virtualized environments. 
  • CVE202554916: Windows NTFS, stack-based buffer overflow vulnerability enabling local attackers to execute arbitrary code with elevated privileges. 

Key Affected Products and Services 

The September 2025 security updates address critical and important vulnerabilities across a broad range of Microsoft products and services: 

  • Windows Core and Security Components 

Includes updates for Windows Kernel, NTFS, TCP/IP, Defender Firewall, LSASS, BitLocker, NTLM, Win32K, and RRAS (Routing and Remote Access Service), with several vulnerabilities rated CVSS 8.8 or higher. 

  • Microsoft Office Suite 

Patches released for Excel, Word, PowerPoint, Visio, and SharePoint addressing RCE and information disclosure issues, especially through Preview Pane vectors. 

  • Azure and Cloud Services 

Fixes affect Azure Virtual Machine Agent, Azure Arc, and High-Performance Compute Pack (HPC). 

  • Virtualization and Hyper-V 

Multiple vulnerabilities in Hyper‑V and Virtual Hard Drive components, including privilege escalation and denial-of-service risks. 

  • Developer and Management Tools 

Patches applied to PowerShell, AutoZone, Windows Management Services and Capability Access Management, addressing local privilege escalation. 

  • Communication & File Services 

Updates cover SMB, SMBv3, MSMQ and Connected Devices Platform, with critical RCE and lateral movement vectors in enterprise environments. 

  • Browsers and Web Technologies 

Microsoft Edge (Chromium-based) updates, along with republished Chrome CVEs for continued coverage of known browser threats. 

Remediation: 

Apply Patches Promptly: Install the September 2025 security updates immediately to mitigate risks. 

Conclusion: 
Microsoft’s September 2025 Patch Tuesday addresses 86 vulnerabilities, including several critical and high rated issues across Windows, Office, Hyper-V and Azure components etc.

Notably, multiple flaws affect Windows Routing and Remote Access Service (RRAS), SQL Server, and Microsoft High Performance Compute Pack (HPC), with potential for remote code execution (RCE) and privilege escalation.

Microsoft fixed an elevation of privileges flaw in SMB Server that is exploited through relay attacks.

“SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks,” explains Microsoft.

References

Security Advisory

Vulnerability in Spring Cloud Gateway Server WebFlux Discovered; Target of Ease by Attackers

Security Advisory: CVE-2025-41243, A critical vulnerability has been disclosed in Spring Cloud Gateway Server WebFlux. This vulnerability allows attackers to modify sensitive Spring Environment properties under specific configurations.

Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-41243 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The vulnerability has been assigned the maximum CVSS score of 10.0. It arises when actuator endpoints are exposed without proper security controls, potentially allowing attackers to compromise application behavior. Organizations and users of affected versions are strongly urged to upgrade to the fixed releases. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Spring Expression Language Property Modification  CVE-2025-41243  Spring Cloud Gateway WebFlux  Critical   v4.3.1,  
v4.2.5, v4.1.11, v3.1.11  

Technical Summary 

CVE-2025-41243 is a critical vulnerability occurs when the Spring Boot actuator is included as a dependency and the gateway actuator endpoint is explicitly exposed via the “management.endpoints.web.exposure.include=gateway” configuration.

In such cases, if actuator endpoints are unsecured or exposed to public networks, an attacker could exploit them to modify Spring Environment properties at runtime. This could cause unauthorized access, configuration tampering, and potential application compromise. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-41243    4.3.0 – 4.3.x 4.2.0 – 4.2.x 4.1.0 – 4.1.x 4.0.0 – 4.0.x 3.1.0 – 3.1.x Older, unsupported versions   Improperly secured actuator endpoints in Spring Cloud Gateway WebFlux allow unauthorized modification of Spring Environment properties. Unauthorized access potential privilege escalation 

Remediation – 

Upgrade Immediately patch to fixed versions: 

Affected Version Range Upgrade To 
4.3.x 4.3.1 
4.2.x 4.2.5 
4.1.x and 4.0.x 4.1.11 
3.1.x 3.1.11 
Unsupported versions Migrate to a supported release 

If you are unable to upgrade right now, here are the recommendations below 

  • Remove gateway from the “management.endpoints.web.exposure.include” property or secure the actuator endpoints. 
  • Secure actuator endpoints with proper authentication and access controls. 
  • Regularly audit and harden application configuration files. 
  • Monitor application and network logs for suspicious activity or unauthorized access attempts. 
  • Implement firewall rules or reverse proxies to restrict access to sensitive endpoints. 
  • Ensure all systems follow patch management and update policies. 

Conclusion 
CVE-2025-41243 is a critical vulnerability affecting Spring Cloud Gateway WebFlux, allowing remote attackers to modify environment properties when actuator endpoints are misconfigured and exposed.

While no active exploitation has been observed in the wild, vulnerability poses a high risk to application integrity and security due to its CVSS score of 10.0 and ease of exploitation in exposed systems.

Organizations are strongly advised to upgrade to the fixed versions, secure actuator endpoints, and follow best practices to reduce attack surface and prevent future exploitation. 

References 

Blogs

Adversarial Prompt Engineering can bypass Robust Safety Mechanisms; GPT-5 Jailbreak reveal’s the bypass Security strategy

OpenAI’s Advance AI system revealed Critical Vulnerabilities as attack vectors like storytelling and echo chamber module being used by GPT-5.

The breakthrough demonstrates how adversarial prompt engineering can bypass even the most robust safety mechanisms, This raised serious concerns about enterprise deployment readiness and the effectiveness of current AI alignment strategies discovered in august.

What is to Jailbreak in GPT-5

GPT-5 Jailbroken, in two parts by researchers who bypassed safety protocol using echo chamber and storytelling attacks.

As Storytelling attacks are highly effective and traditional methods. This kind of attacks requires additional security before deployment.

When researchers of NeuralTrust reported, the echo chamber attack leverages GPT-5’s enhanced reasoning capabilities against itself by creating recursive validation loops that gradually remove all safety protocols.

So the researchers’ employed a technique called contextual anchoring, where malicious prompts are embedded within seemingly legitimate conversation threads that establish false consensus.

The interesting part is the latest attack aimed at GPT-5, researchers found that it’s possible to infect harmful procedural content by framing it in the context of a story by feeding as input to the AI system.

Using a set of keywords and creating sentences using those words and subsequently expanding on those themes.

The attack modelled in form of a “persuasion” loop within a conversational context, while slowly-but-steadily taking the model on a path that minimizes refusal triggers and allows the “story” to move forward without issuing explicit malicious prompts.

These jailbreaks can be executed with nearly identical prompts across platforms, allowing attackers to bypass built-in content moderation and security protocols. Result is generating illicit or dangerous content.

Enterprise environment exposed to risk

If a malicious user deliberately inputs a crafted prompt into a customer service chatbot that instructs the LLM to ignore safety rules, query confidential databases. This could trigger more actions like emailing internal content.

Similarly in the context of GPT -5, what happened the attackers constructed elaborate fictional frameworks that gradually introduce prohibited elements while maintaining plausible deniability. 

The outcome as per researchers is storytelling attacks can achieve 95% success rates against unprotected GPT-5 instances, compared to traditional jailbreaking methods that achieve only 30-40% effectiveness. 

Once successfully exploited both echo chamber and storytelling attack vectors demonstrates that unless enterprises are ready with their baseline safety measures, deploying any kind of enterprise-grade applications is useless.

Enterprises who are ready to implement a comprehensive AI security strategy, that include prompt hardening, real-time monitoring and automated threat detection systems before production deployment will be better secured.

Sources: Researchers Uncover GPT-5 Jailbreak and Zero-Click AI Agent Attacks Exposing Cloud and IoT Systems

Security Advisory

Critical WhatsApp Zero-Day Vulnerability Allows Remote Code Execution  

Summary 

OEM WhatsApp 
Severity Medium 
CVSS Score 5.4 
CVEs CVE-2025-55177 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A security vulnerability recently discovered in WhatsApp’s linked device feature that allows users to access WhatsApp across multiple devices, such as phones and computers.

CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog, highlighting its significance. The flaw allows attackers to send crafted messages that forced WhatsApp to load malicious content from a rogue website without any user interaction. WhatsApp and Apple already patched the issue and users are urged to update their apps immediately to stay protected.

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
WhatsApp Incorrect Authorization Vulnerability  CVE-2025-55177 WhatsApp  Medium 2.25.21.73 and later. 
 
WB iOS 2.25.21.78 and later.  
WhatsApp Desktop for Mac 2.25.21.78 and later. 

Technical Summary 

The vulnerability was due to incomplete authorization of synchronization messages in WhatsApp’s linked device feature. This flaw allowed an attacker to send crafted sync messages that could trick WhatsApp into processing content from an arbitrary URL, even if the message came from an untrusted source.

This could result in WhatsApp loading and executing malicious content on the target device without any user interaction. The impact of the attack was significantly increased when combined with a separate Apple OS vulnerability (CVE-2025-43300), making it suitable for sophisticated, targeted exploitation.

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-55177 WhatsApp for iOS (v2.22.25.2 to v2.25.21.72) 
 WhatsApp Business for iOS (v2.22.25.2 to v2.25.21.77) 
 WhatsApp Desktop for Mac (v2.22.25.2 to v2.25.21.77		Incomplete authorization in the linked device sync feature allowed attackers to send crafted sync messages that caused WhatsApp to load content from an arbitrary URL without user interaction. This could be used to execute malicious code on the device. Remote code execution,.  Potential full device compromise.  

Remediation

Update the WhatsApp in iOS and mac devices to the latest version 

  • WhatsApp for iOS: Update to v2.25.21.73 or latest version 
  • WhatsApp Business for iOS: Update to v2.25.21.78 or latest version  
  • WhatsApp Desktop for Mac: Update to v2.25.21.78 or latest version 

Conclusion: 
The WhatsApp vulnerability highlights the growing risks of zero-click attacks, where devices can be compromised without any user interaction. This flaw has been exploited in targeted attacks and poses a serious threat to user security and privacy. It is important for all users to keep their apps and operating systems up to date and follow trusted security recommendations

References

Security Advisory

Chrome Update Released, Fixes RCE & Multiple Vulnerabilities

Summary 

OEM Google Chrome 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-9864, CVE-2025-9865, CVE-2025-9866, CVE-2025-9867 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Several security vulnerabilities were recently identified in Chromium-based browsers, affecting components such as the V8 JavaScript engine, Toolbar, Extensions and Downloads. The high severity vulnerability, use-after-free issue, could allow attackers to execute arbitrary code.

Additional medium-severity bugs were found in the Toolbar, Extensions, and Downloads components. The Chrome team has started rolling out Chrome 140 to the stable channel, and users are urged to update their browsers to stay protected. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Use-after-free vulnerability in V8  CVE-2025-9864 Chrome  High  v140.0.7339.80/81 
​Inappropriate implementation vulnerability in Toolbar  CVE-2025-9865 Chrome  Medium  v140.0.7339.80/81 
Inappropriate implementation vulnerability in Extensions  CVE-2025-9866 Chrome  Medium  v140.0.7339.80/81 
Inappropriate implementation vulnerability in Downloads  CVE-2025-9867 Chrome  Medium  v140.0.7339.80/81 

Technical Summary 

Multiple vulnerabilities were addressed in Google Chrome prior to version 140.0.7339.80. The most critical, CVE-2025-9864, is a use-after-free issue in the V8 JavaScript engine that allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Other medium-severity issues include a Toolbar vulnerability on Android that could be exploited via specific user gestures to spoof domains, a security gap in Extensions allowing attackers to bypass content security policies, and a Downloads flaw on Android that enabled UI spoofing through manipulated web pages.

These could allow attackers to misuse Chrome’s features or gain higher system privileges.  

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-9864  Chrome v139 and prior Use-after-free in V8 engine could allow attackers to execute arbitrary code via malicious webpage  Remote Code Execution 
 CVE-2025-9865  Chrome v139 and prior Improper handling Chrome’s Toolbar component could allow attackers misuse browser functions or gain privilege access  Domain Spoofing / UI Spoofing
 CVE-2025-9866  Chrome v139 and prior Inappropriate implementation in Chrome’s Extensions system, could allow attackers misuse or bypass content security policy  Content Security Policy Bypass
 CVE-2025-9867  Chrome v139 and prior Improper validation in Chrome’s Downloads could allow attackers to perform UI spoofing via crafted HTML   UI Spoofing 

Remediation

References

  • https://gbhackers.com/chrome-140-release/

Security Advisory

Fake Govt & Banking Apps Spreading Android Droppers Evolved as Malware

Security Advisory:  

Cybersecurity researchers have discovered a major shift in how Android malware is being delivered. Dropper apps, which were earlier used mainly to distribute banking trojans.

The Malware’s being used to deliver simpler threats like SMS stealers and basic spyware as official government or banking apps, primarily targeting users in India, Southeast Asia, and some parts of Europe. 

ThreatFabric researchers warn of a shift in Android malware: dropper apps now deliver not just banking trojans, but also SMS stealers and spyware, mainly in Asia.

Vulnerability Details 

The recent surge in Android dropper apps introduces a critical security vulnerability affecting mobile users globally. These droppers are impersonating as banking apps, government services, or trading platforms,, bypass Google Play

Pilot Program by initially requesting minimal permissions to avoid detection, making them appear as legitimate applications.

Once installed, they fetch malicious payloads like spyware, SMS stealers, cryptocurrency miners, and banking trojans from remote servers. Attackers also exploit malvertising campaigns on social media to spread fake apps widely. This evolving tactic enables cybercriminals to switch payloads dynamically, making traditional security measures less effective and increasing the risk of data theft and device compromise. 

Source: cybersecuritynews 

Attack Flow 

Step Description 
1. Craft Attackers create malicious dropper apps disguised as government schemes, banking apps, or trading tools. These apps are designed to look harmless and request only minimal permissions initially. 
2. Send The droppers are distributed through third-party APK sites, malicious ads (e.g., Facebook), or fake update prompts, bypassing initial detection. 
3. Trigger The victim downloads and installs the dropper app, often believing it’s legitimate due to its official-looking design and branding. 
4. Execution When the user clicks “Update” or interacts with the app, the dropper fetches the real malicious payload (spyware, SMS stealer, or banking trojan) from a remote server. 
5. Exploit The installed malware requests high-risk permissions, such as SMS access or notification access, allowing attackers to steal data, track activities, or control the device remotely. 

Proof-of-Concept 

Once the user interacts, the dropper initiates an HTTPS request to a remote server 

Source: cybersecurity news 

Why It’s Effective 

Dynamic Payload Delivery – Attackers hide the real malicious file inside a harmless-looking dropper app. The payload is only downloaded after user interaction, making it harder to detect. 

Permission Evasion – Droppers initially request minimal or safe permissions and only ask for high-risk permissions (like SMS or accessibility access) after installation, bypassing Google Play Protest’sProtects initial scans. 

Fake Update Screens – Many droppers display legitimate looking “Update Required” prompts to trick users into downloading malware, increasing their success rate. 

Recommendations: 

Download Apps Safely  

  • Install apps only from trusted sources like Google Play Store, Apple store etc. 
  • Avoid third-party APKs, unknown links, or apps promoted through social media ads. 

Check Permissions Carefully  

  • Do not grant unnecessary permissions like SMS, notifications, or accessibility dependent on the app services. 
  • Always review requested permissions before installing or updating an app. 

Keep Devices Secure  

  • Enable Google Play Protect and keep your Android security patches up to date. 
  • Use a reliable mobile security solution for real-time malware detection. 

Stay Alert and Aware  

  • Be aware of fake update prompts; apps, and malicious sites. 
  • Stay updated on the latest tactics used by Android malware 

Conclusion: 

  • Android droppers are evolving fast, making them more flexible and harder to detect, increasing risks for both individuals and organizations.
  • Droppers started as tools for advanced banking malware, but now they’re used to install all kinds of harmful apps and sneak past local security.  
  • It is always recommended to stay vigilant, keep your phone and software updated from the original source  and avoid unverified apps installation to minimize the risk of infection. 

References

Blogs

Azure AD configuration file for ASP.NET Core apps credentials leaked by Cybercriminals

A critical flaw in AzureD supported cyber criminals to get access to the digital keys in Azure cloud environment and discovered by Resecurity researchers .

The action enabled unauthorized token requests against Microsoft’s OAuth 2.0 endpoints and giving adversaries a direct path to Microsoft Graph and Microsoft 365 data.

A small critical cloud misconfiguration can give access to cyber attackers to infiltrate and this happened to Azure D when their Cloud native application configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD).

Cloud application are not merely hosted in the cloud instead they are built to thrive in a cloud environment, providing unprecedented scalability, resilience and flexibility making them game changer.

Recently the publicly accessible configuration file for ASP.NET Core applications has been leaking credentials for Azure ActiveDirectory (AD). This potentially led attackers to authenticate directly via Microsoft’s OAuth 2.0 endpoints and infiltrate Azure cloud environments.

This issue cannot be overlooked by enterprise as the discovery by Resecurity’s HUNTER team exposed Azure AD credentials  ClientId and ClientSecret — exposed in an Application Settings (appsettings.json) file on the public Internet.

Once the credentials lands up in hackers domain any malicious activates can be conducted and compromise an organization’s Azure-based cloud deployment simultaneously retrieve sensitive data from SharePoint or Exchange Online etc. Further abuse of Graph API for privilege escalation or persistence; and the deployment of malicious applications under the organization’s tenant.

Exploiting AzureD Flaw The attack flow

To exploit the flaw, an attacker can first use the leaked ClientId and ClientSecret to authenticate against Azure AD using the Client Credentials from OAuth2 flow to acquire an access token.

Once this is acquired, the attacker then can send a GET request to the Microsoft Graph API to enumerate users within the tenant.

This allows them to collect usernames and emails; build a list for password spraying or phishing; and/or identify naming conventions and internal accounts, according to the post.

Cyber attacker also can query the Microsoft Graph API to copy OAuth2 to take permission grants within the tenant, revealing which applications have been authorized for further permissions, they hold.

Once acquired token allows an attacker to use group information to identify privilege clusters and business-critical teams.

Protecting Enterprise from getting Azure secrets exposed.

Enterprise failing to practice regular scanning, penetration tests, or code reviews, exposed cloud files can remain unnoticed until attackers discover them and exploit them, according to the post.

Further for better security posture enterprise can restricting file access; removing secrets from code and configuration files; rotating exposed credentials immediately; enforcing least privilege principles and setting up monitoring and alerts on credential use, according to the post.

Importance of automation in cloud native application

Implement continuous integration and continuous deployment (CI/CD) pipelines to automate building, deploying, and testing cloud native applications. Manage and provision cloud infrastructure using code, allowing for version control and repeatability. 

Several benefits of following best practices when developing cloud native apps, like increased scalability, fewer occurrences of critical failures, and high efficiency

Enterprises having product based focus will go for cloud-first approach and ask questions on how to go about cloud computing etc.

What could have happened or will happen if not looked into Azure Active Directory (Azure AD) flaw?

Azure Active Directory (Azure AD) termed as high impact in terms of vulnerability.

Once authenticated, attackers can:

  • Retrieve sensitive SharePoint, OneDrive, or Exchange Online data via Graph API calls.
  • Enumerate users, groups, and roles, mapping out the tenant’s privilege model.
  • Abuse permission grants to escalate privileges or install malicious service principals.
  • Deploy rogue applications under the compromised tenant, creating persistence and backdoors.

Enterprises must perform compliance checks to ensure that application designed meets industry standards and regulatory requirements. Once robust auditing and reporting mechanisms is on track that changes any access to sensitive data. 

Source: JSON Config File Leaks Azure AD Credentials

Critical Flaw in Azure AD Lets Attackers Steal Credentials and Install Malicious Apps

Cybersecurity News

ENISA to operate the EU Cybersecurity Reserve with EUR 36 million

ENISA to operate the EU Cybersecurity Reserve with EUR 36 million

Continue Reading
Security Advisory

Multiple Critical Vulnerabilities in Citrix NetScaler ADC/Gateway 

Security Advisory: Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway One Actively Exploited in Wild .

Citrix credited Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partnerfor and Francois Hammerli for discovering and reporting the vulnerabilities.

Severity Critical 
CVSS Score 9.2 
CVEs CVE-2025-7775, CVE-2025-7776, CVE-2025-8424 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 
A critical zero-day vulnerability, tracked as CVE-2025-7775, puts over 28,200 Citrix instances at risk worldwide.

This flaw allows attackers to run malicious code on affected systems without authentication. The issue is actively being exploited in the wild and immediate action is needed to secure systems.  Another two flaws were fixed in the latest updates.  

Vulnerability Name CVE ID Product Affected Severity 
Memory overflow vulnerability leading to RCE CVE-2025-7775 NetScaler ADC & Gateway 9.2 
Memory overflow vulnerability leading to unpredictable behavior CVE-2025-7776 NetScaler ADC & Gateway 8.8 
Improper access control on the NetScaler Management Interface CVE-2025-8424 NetScaler ADC & Gateway 8.7 

Technical Summary 

The NetScaler ADC and NetScaler Gateway appliances are affected by multiple critical vulnerabilities that pose significant risks ranging from Remote Code Execution (RCE) and Denial of Service (DoS) to improper access control.

These include memory overflow flaws in configurations such as VPN virtual servers, load balancing virtual servers using IPv6 or DBS IPv6 services, and misconfigurations involving PCoIP profiles. Additionally, the management interface is exposed due to weak access control mechanisms, which could allow unauthorized administrative access if attackers reach key management IP addresses like NSIP or SNIP. CISA has added one vulnerability (CVE-2025-7775) to its Known Exploited Vulnerabilities (KEV) Catalog and strongly urges organizations to apply patches immediately to prevent active exploitation. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-7775  NetScaler ADC & Gateway  A critical memory overflow vulnerability in NetScaler ADC and Gateway that can lead to Remote Code Execution or DoS when configured as a Gateway (e.g., VPN, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, or LB virtual server using IPv6 or DBS IPv6 services including CR virtual servers of type HDX. Remote Code Execution or DoS  
CVE-2025-7776  NetScaler ADC & Gateway A memory overflow vulnerability under analysis, currently known to cause unpredictable system behavior and potential DoS when a PCoIP Profile is bound to a Gateway-configured NetScaler instance (VPN, ICA Proxy, CVPN, RDP Proxy), Erroneous behavior and DoS 
CVE-2025-8424 NetScaler ADC & Gateway An improper access control vulnerability on the NetScaler Management Interface, allowing unauthorized access when attackers can reach management IPs (NSIP, Cluster Management IP, local GSLB Site IP, or SNIP with Management Access), affecting NetScaler ADC and Gateway appliances. Unauthorized access 

Recommendations 

NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.  

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases 
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1 
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP 
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP 

Here are some other recommendations below 

  • Monitor systems for unusual activity or unauthorized changes. 
  • Limit access to Citrix instances from untrusted networks. 
  • Use firewalls to block suspicious traffic targeting Citrix instances. 

Conclusion: 

Combined with additional high-severity vulnerabilities the overall threat landscape demands immediate attention. Organizations are strongly urged to apply the latest patches, restrict access to management interfaces and closely monitor for signs of compromise. Delayed action could result in significant operational and security impacts. 

The active exploitation of CVE-2025-7775 highlights a critical security threat affecting multiple NetScaler ADC and Gateway instances globally. This zero-day confirmed exploitation in the wild poses a severe risk of Remote Code Execution and service disruption.

References

  

Security Advisory

Docker Desktop Vulnerability Allows Full Host Compromise via Exposed API 

A critical vulnerability has been discovered in Docker Desktop for Windows, macOS and Linux distributions.

The vulnerability allows malicious containers to gain full access to the host system by misusing an exposed Docker Engine API endpoint.

Docker Desktop

Docker a must to have in modern enterprise infrastructure, as a strong foundation pillar that powers cloud-native applications including CI/CD pipelines and microservices at massive scale. Any vulnerabilities in Docker images and runtimes are particularly dangerous as they can open the door to severe supply-chain attacks, container escapes, data leaks, and even full host compromise. 

OEM Docker 
Severity Critical 
CVSS Score 9.3 
CVEs CVE-2025-9074 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

The vulnerability, considered as CVE-2025-9074, which affects Docker Desktop versions prior to 4.44.3. This exploitation requires no special configuration and can be triggered with minimal interaction. Docker has addressed this issue in version 4.44.3, administrator or user are suggested to upgrade to the latest version. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Docker Engine API Exposure / Container Escape  CVE-2025-9074 Docker Desktop 
(Windows, macOS, Linux) 		 Critical  v4.44.3 

Technical Summary 

The vulnerability comes from Docker Desktop’s internal API endpoint (http://192.168.65.7:2375) being accessible from any container running locally. The endpoint with lack of authentication allows privileged API commands such as creating new containers, mounting host directories, and controlling images. 

On Windows with WSL, this becomes riskier because attackers could mount your C: drive with the same rights, giving them full access to the machine. With the safety settings like Enhanced Container Isolation (ECI) or disabling TCP exposure, don’t fully block this problem. 

CVE ID System Affected  Vulnerability Details Impact 
 CVE-2025-9074  v4.25 before v4.44.3  An internal HTTP API is automatically open to containers on the default network. This could allow us to run powerful commands – creating containers, managing images or accessing the host system  Full host compromise, including file system and resource access 

Remediation

  • Upgrade to Docker Desktop version 4.44.3 or later across all supported platforms. 

Recommendations: 

Here are some recommendations below  

  • Don’t depend only on container isolation, treat development tools as part of the security perimeter. 
  • Use network segmentation and zero-trust controls to protect container workloads. 
  • Monitor container traffic for unauthorized API access attempts. 
  • Apply strict IAM rules and give users only the permissions they really need on Docker hosts. 

Conclusion: 
CVE-2025-9074 is a critical container escape vulnerability exposing host systems to complete compromise. While no active exploitation has been reported, the weakness is easy to exploit. Immediate patching and environment hardening are strongly recommended for all Docker Desktop users. 

References: 

Scroll to top