
SecureIT - Top Vulnerabilities - October 2025
Hot Topic
In October 2025, two major cloud-service disruptions made headlines. An AWS outage on October 20 disrupted global apps and services after DNS and load-balancer failures in the US-East-1 region. Nine days later, Microsoft Azure suffered a major outage caused by a configuration change in Azure Front Door that affected productivity tools, gaming platforms, and airlines. The takeaway is clear: downtime hurts revenue, damages trust, and strains incident-response budgets. As cloud dependence deepens, organizations need stronger processes, procedures, and technologies to reduce the impact of failures.
To strengthen resilience against outages, organizations should revisit their business continuity (BCP), disaster recovery (DR), and high-availability (HA) strategies. For customer-facing systems, best practices design for redundancy across multiple regions. Critical services such as DNS, authentication, and payment processing should have failover paths tested under real-world conditions. For employee-facing tools like collaboration suites or identity platforms, consider offline access options and predefined fallback workflows to keep essential operations running.
While planning for internal failures of AWS, Microsoft, and Google clouds may be unrealistic, every organization should still build and regularly test emergency procedures. Practicing response and recovery ensures teams can act quickly and confidently when the unexpected happens.
Significant Vulnerabilities
Microsoft Windows Server Update Services
CVE-2025-59287
What happened
A flaw in WSUS lets a remote attacker run code on the server without logging in. The bug comes from unsafe object parsing in the WSUS web services. Microsoft shipped an out-of-band fix after active exploitation.
Impact
Attackers who exploit this vulnerability can take control of the WSUS host. They may distribute malicious updates, move laterally through the network, or deploy ransomware. Exploitation can interrupt patch distribution and delay system updates across the environment.
Who is at risk
Any Windows Server with the WSUS role exposed to the network. Internet-exposed WSUS is at high risk.
What to do
Update Windows Server to the current release that includes the out-of-band WSUS fix. Restrict access to the WSUS web services and remove any direct internet exposure. Monitor IIS logs for unusual requests to WSUS endpoints and hunt for new admin users and scheduled tasks.
Sources: Microsoft Security Response Center advisory; CISA advisory on the out-of-band update and active exploitation.
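One way to carry out the "monitor IIS logs for unusual requests to WSUS endpoints" step above, as an added example that is not Microsoft's or the newsletter's own tooling. It parses IIS W3C extended log lines and flags requests to WSUS web service paths from source addresses outside an internal allow-list; the WSUS path list, the allowed networks, and the sample log lines are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# WSUS web service paths under IIS (assumed list for this example; adjust to your site).
WSUS_PATHS = ("/clientwebservice/", "/simpleauthwebservice/", "/reportingwebservice/",
              "/serversyncwebservice/", "/apiremoting30/")
# Networks that should be reaching WSUS (assumption: internal ranges only).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in IIS W3C extended format; 203.0.113.77 is a documentation address.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-24 09:12:01 10.0.0.5 POST /ClientWebService/client.asmx - 8530 - 10.0.4.21 Windows-Update-Agent 200
2025-10-24 09:12:03 10.0.0.5 GET /Content/ab/cafe.cab - 8530 - 10.0.4.22 Windows-Update-Agent 200
2025-10-24 09:13:40 10.0.0.5 POST /ApiRemoting30/WebService.asmx - 8530 - 203.0.113.77 python-requests/2.31 200
2025-10-24 09:13:41 10.0.0.5 POST /ApiRemoting30/WebService.asmx - 8530 - 203.0.113.77 python-requests/2.31 500
2025-10-24 09:14:10 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 10.0.4.23 Windows-Update-Agent 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_allowed(ip):
    """True when the client address falls inside one of the approved networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def find_external_wsus_requests(text):
    """Return (hits, per-source counts) for WSUS service requests from outside the allow-list."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower().startswith(WSUS_PATHS) and not is_allowed(rec["c-ip"]):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], rec["sc-status"], rec["cs(User-Agent)"]))
    return hits, Counter(ip for ip, *_ in hits)

if __name__ == "__main__":
    hits, by_ip = find_external_wsus_requests(SAMPLE_LOG)
    for hit in hits:
        print("external WSUS request:", hit)
    print("request count per external source:", dict(by_ip))
```

Run it against the real files under the IIS log directory of the WSUS site; any hit from a non-internal source is evidence the web services are reachable from where they should not be.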
Cisco Secure Firewall ASA and FTD
CVE-2025-20333 CVE-2025-20362
What happened
Flaws in the VPN web server allow code execution and device takeover. One issue needs valid VPN credentials. Chaining makes control of the appliance possible.
Impact
VPN access fails for staff and customers. Policy changes go unlogged. Attackers pivot into internal networks. Incident response and device rebuilds delay projects.
Who is at risk
Organizations running Cisco ASA or FTD with VPN web access. Internet-facing gateways are prime targets.
What to do
Update to the latest fixed Cisco ASA and FTD releases. Limit portal access to known IP ranges and enforce MFA on all VPN users. Audit for disabled logging, unexpected reboots, and unknown admin accounts.
Sources: Cisco security advisory (sec.cloudapps.cisco.com); CISA Emergency Directive ED 25-03.
Adobe Commerce and Magento Open Source
CVE-2025-54236
What happened
A defect in the Commerce REST API lets attackers bypass checks and hijack customer sessions. Attacks are active at scale, and Adobe is aware that CVE-2025-54236 is being exploited in the wild.
Impact
Customer accounts are taken over. Fraud and chargebacks rise. Web shells may be dropped to keep access. Stores go offline for cleanup.
Who is at risk
Any Adobe Commerce or Magento store not on the current fixed release. Internet-exposed admin panels raise the risk.
What to do
Update to the current fixed release from Adobe. Rotate all API keys and session secrets. Review web root for unknown PHP files and monitor web logs for abnormal REST API calls.
Sources: Adobe APSB25-88 (Adobe Help Center); SecurityWeek coverage of active exploitation.
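A baseline-diff hunt for the "review web root for unknown PHP files" step above, as an added example that is not Adobe's or the newsletter's own tooling. It hashes every PHP file under a web root and reports files that are absent from, or differ from, a manifest taken from a known-good copy of the release; the demo constructs both states in a temporary directory, and the file names and contents are placeholders.

```python
import hashlib
import os
import tempfile

PHP_SUFFIXES = (".php", ".phtml")

def hash_php_files(root):
    """Map each PHP file (path relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def diff_against_baseline(baseline, current):
    """Files present now but missing from the baseline, and files whose hash changed."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"new": new, "changed": changed}

def demo():
    """Constructed web root: snapshot a baseline, then simulate an unknown file and an edit."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pub", "media"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require __DIR__ . '/app/bootstrap.php';\n")
        baseline = hash_php_files(root)  # in practice: built offline from the release package
        # Post-incident state: a PHP file appears under an upload path, and index.php is altered.
        with open(os.path.join(root, "pub", "media", "cache.php"), "w") as fh:
            fh.write("<?php // constructed placeholder for an unexpected file\n")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// constructed placeholder for an injected line\n")
        return diff_against_baseline(baseline, hash_php_files(root))

if __name__ == "__main__":
    print(demo())
```

Build the baseline from the vendor release package or a clean deployment artifact, never from the live host after the incident, or a planted file would be baked into the manifest.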
Oracle E-Business Suite
CVE-2025-61884
What happened
A flaw in Oracle Configurator lets an external attacker make internal requests and reach protected services. CISA confirms real world abuse and data theft.
Impact
Order data, pricing, and customer files can be accessed. Extortion and downtime follow. Finance and supply processes stall while teams contain and restore.
Who is at risk
Oracle E-Business Suite 12.2.3 through 12.2.14. Internet-facing EBS or weak egress controls increase the risk.
What to do
Apply Oracle’s security alert fix and the latest Critical Patch Update (CPU). Block outbound EBS traffic except to approved services. Review access logs for unusual external requests and perform a database audit for mass export activity.
Sources: Oracle Security Alert for CVE-2025-61884; SecurityWeek confirmation of exploitation and targeting.
Broadcom VMware Aria Operations and VMware Tools
CVE-2025-41244
What happened
A local privilege escalation flaw allows a low-privilege user inside a VM to become root when VMware Tools is managed by Aria with service discovery enabled. Researchers report zero-day exploitation since 2024.
Impact
Attackers escalate inside virtual machines. Backups and monitoring agents are disabled. Lateral movement to other workloads follows.
Who is at risk
vSphere environments running affected VMware Tools and the Aria Operations Service Discovery Management Pack. Shared-tenant and VDI fleets are especially sensitive.
What to do
Update VMware Tools and Aria Operations to the fixed builds. Limit service discovery features to the minimum set and restrict Tools operations. Monitor for suspicious file writes in temp directories and review hypervisor and guest logs for privilege escalation signs.
Sources: Broadcom advisory (Support Portal); SecurityWeek analysis of zero-day exploitation.
XWiki Platform
CVE-2025-24893
What happened
A flaw in the SolrSearch macro allows unauthenticated users to send crafted requests and execute code on the server. Attackers have used this vulnerability to deploy cryptocurrency miners and maintain persistent access.
Impact
Compromised wiki servers expose stored data, suffer performance degradation, and experience service interruptions during remediation.
Who is at risk
Any XWiki instance not updated to a patched version. Wikis exposed to the internet with guest access are most at risk.
What to do
Upgrade to the fixed XWiki versions listed in the vendor advisory. Disable or restrict the vulnerable macro for untrusted users. Review access logs for suspicious SolrSearch requests and remove any malicious or unauthorized pages.
Sources: XWiki vendor security advisory (GitHub); SecurityWeek report on active exploitation.
Dassault Systèmes DELMIA Apriso
CVE-2025-6204 CVE-2025-6205
What happened
Two vulnerabilities in DELMIA Apriso allow code injection and privilege escalation. CISA added both CVEs to its Known Exploited Vulnerabilities catalog after observing active attacks.
Impact
Attackers can alter manufacturing execution data and workflows, disrupting production and delaying orders. Prolonged downtime can trigger contractual penalties or missed SLAs.
Who is at risk
Organizations running DELMIA Apriso versions from 2020 through 2025. Internet-facing systems or networks with weak segmentation face elevated risk.
What to do
Apply the vendor’s fixes for both vulnerabilities. Restrict access to Apriso services and enforce least privilege for service accounts. Review logs for unauthorized administrative activity and scan servers for unexpected startup changes.
Sources: Dassault Systèmes advisories; BleepingComputer coverage of exploitation and KEV listing.
Rapid7 Velociraptor
CVE-2025-6264
What happened
Default permissions allow users with investigator-level access to execute commands on endpoints through a vulnerable artifact. Threat actors, including ransomware groups, have exploited this flaw in active intrusions.
Impact
Compromised Velociraptor instances enable attackers to control security tooling, reconfigure or wipe endpoints, and disrupt visibility during incidents.
Who is at risk
Organizations running Velociraptor versions prior to the fixed release, particularly those granting broad investigator permissions. Environments where the tool can reach many endpoints are more exposed.
What to do
Upgrade Velociraptor to the fixed version and review role-based permissions. Restrict artifact execution to administrators only. Audit logs for Admin.Client.UpdateClientConfig activity and rotate all API keys.
Sources: Velociraptor vendor advisory (docs.velociraptor.app); CISA KEV listing and alert (GovDelivery).
What to prioritize this week
- Patch WSUS and confirm the out-of-band fix is installed. Review WSUS and IIS logs for suspicious activity.
- Update Cisco ASA and FTD. Check for disabled logging and unknown admin accounts before returning devices to service.
- Update Adobe Commerce or Magento. Search the web root for unknown PHP files and remove any web shell.
- Patch AEM Forms on JEE. Restrict admin consoles and hunt for new OSGi bundles or unexpected JSP files.
- Apply Oracle E-Business Suite fixes. Block unnecessary egress and review logs for unusual external requests.
- Update VMware Tools and Aria Operations. Limit service discovery and review guest logs for privilege escalation.
- Upgrade XWiki to fixed versions. Disable guest access to risky macros and review SolrSearch request logs.
- Update Velociraptor and narrow investigator roles. Review artifact execution logs and rotate credentials.