
Top Vulnerabilities - August 2025
Why This Matters for Business Leaders
Cyber threats aren’t waiting for IT teams to catch up; attackers exploit vulnerabilities the moment they’re made public. In August alone, we saw real-world attacks targeting software used daily in both SMBs and enterprise environments.
If your organization runs remote access systems, developer tools, mobile devices, or communication platforms, you need to see this. This isn’t just IT’s problem; these are business risks tied directly to uptime, trust, and cost.
At SecureIT, we help companies stay ahead of these threats with continuous vulnerability scanning, prioritized patching support, and rapid response when something slips through. The incidents below show exactly why that matters.
Citrix NetScaler ADC and Gateway - CVE-2025-7775
What happened
Attackers are breaking into Citrix NetScaler appliances by exploiting a flaw that lets them overload memory and run their own code (memory overflow). Citrix confirmed that the bug is being used in real-world attacks.
Impact
If your NetScaler is exposed, an attacker could hijack your remote access portal. That means they can steal employee logins, intercept sensitive data, or shut down access altogether. Imagine your staff unable to connect on Monday morning, customers locked out of services, and your helpdesk flooded with complaints. For some businesses, this could mean days of downtime, lost revenue, and trust damage that lingers far longer than the outage itself.
Who is at risk
Any organization using NetScaler as a Gateway or AAA virtual server, especially if the system is directly exposed to the internet.
What to do
Update to a supported fixed version right away. Do not expose the management interface publicly. Before putting the appliance back into production, inspect it for compromise. Citrix provides tooling in NetScaler Console that helps with detection and guides the update process.
Docker Desktop for Windows and macOS - CVE-2025-9074
What happened
A weakness in Docker Desktop made it possible for a malicious container to bypass safeguards and talk directly to the Docker Engine API without permission (unauthenticated API access). That means code running inside a container could control the entire host machine.
Impact
Picture this: a developer downloads an innocent-looking container image for testing. Once started, the container launches hidden processes on the laptop, steals SSH keys, and quietly uploads source code. If this happens on a build server, an attacker could poison releases before they are shipped. Beyond stolen data, the bigger risk is silent manipulation of software supply chains.
Who is at risk
Any team using Docker Desktop on Windows or macOS, especially where developers run untrusted or third-party containers.
What to do
Upgrade Docker Desktop to version 4.44.3 or newer. Review recent builds for containers you did not expect. In CI pipelines, limit what containers are allowed to do by restricting privileges and network access.
Sources: Docker advisory and independent analysis.
Microsoft Windows Kerberos - CVE-2025-53779
What happened
A flaw in Windows Kerberos lets a regular authenticated user abuse certain account attributes to climb up to full domain administrator (privilege escalation).
Impact
Think of an attacker starting as a normal employee with limited access. By exploiting this flaw, they could take over your Active Directory, reset passwords, read confidential files, and shut down key services. This is the type of breach that can paralyze a company for days and trigger regulatory investigations.
Who is at risk
Any business running Active Directory, with domain controllers and member servers in scope.
What to do
Install the August 2025 Microsoft security updates, starting with domain controllers. Review permissions on sensitive Kerberos attributes and strip away unnecessary write access.
Sources: Microsoft Security Response Center, NVD, independent coverage of Patch Tuesday.
Apple iOS, iPadOS, macOS - CVE-2025-43300
What happened
Apple devices contained a flaw in the image-handling library where a booby-trapped image could run code on the device (out-of-bounds write in ImageIO). Apple confirmed that attackers have already used this against targeted individuals.
Impact
An executive receives a single picture message, opens it without suspicion, and their device is instantly compromised. From there, attackers can read private emails, listen through microphones, or access corporate apps. The financial and reputational damage of exposed communications can be severe.
Who is at risk
All iPhone, iPad, and Mac users, especially staff in leadership, legal, or other roles involving sensitive communication.
What to do
Update devices to the latest patched versions: iOS 18.6.2, iPadOS 18.6.2 or 17.7.10, macOS Sequoia 15.6.1, Sonoma 14.7.8, or Ventura 13.7.8. Treat any suspicious device as untrusted until it is wiped and re-enrolled.
Sources: Apple security advisories and industry reporting on active exploitation.
WhatsApp on iOS and macOS - CVE-2025-55177
What happened
WhatsApp did not fully check linked device sync messages, allowing a crafted message to trigger actions on a victim device (incomplete authorization). This flaw was abused as a zero-click exploit in combination with Apple’s ImageIO bug.
Impact
Without clicking anything, a user’s WhatsApp account could be hijacked. Private conversations, contact lists, and files sent through the app may be exposed. Imagine the consequences if this happens to a journalist, a legal advisor, or your own leadership team. Sensitive business discussions could leak directly to an attacker.
Who is at risk
Apple users of WhatsApp, with heightened risk for high-profile or regulated users.
What to do
Update WhatsApp to the latest versions: iOS 2.25.21.73, Business iOS 2.25.21.78, or Mac 2.25.21.78. Ensure Apple devices themselves are also patched. If a user received a Meta threat notification, reset the device before restoring.
Sources: WhatsApp security advisory and independent reporting.
Git - CVE-2025-48384
What happened
Git misinterprets special characters in submodule settings. Cloning a malicious repository could make Git run arbitrary code (submodule configuration confusion).
Impact
A developer clones a new open-source project. Hidden inside is code that runs during clone, installing backdoors on their laptop and poisoning builds. The result: stolen source code, altered binaries, or compromised pipelines. For companies shipping software, this is a direct supply-chain threat.
Who is at risk
Anyone cloning repositories from third-party sources, including developer laptops and CI/CD systems.
What to do
Upgrade Git to the patched series immediately. If upgrading is delayed, avoid recursive submodule clones from untrusted sources and disable hooks globally. Note that CISA placed this issue on the Known Exploited Vulnerabilities list with a mandatory deadline for federal agencies.
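As an added example (not Git's own code or anything from the advisory), this script reviews a repository's .gitmodules before anyone runs a recursive submodule update. It flags submodule settings that carry control characters (the "special characters" the advisory refers to) or paths that point outside the checkout or into .git; the .gitmodules content below is constructed, and the parsing is a strict subset of the file format.

```python
"""Flag risky .gitmodules entries before `git submodule update --init`."""
import posixpath
import re

# Constructed sample: "evil" has a trailing carriage return in its path,
# "escape" points outside the checkout. Neither is real project data.
SAMPLE_GITMODULES = (
    '[submodule "libfoo"]\n'
    "\tpath = vendor/libfoo\n"
    "\turl = https://example.invalid/libfoo.git\n"
    '[submodule "evil"]\n'
    "\tpath = vendor/evil\r\n"
    "\turl = https://example.invalid/evil.git\n"
    '[submodule "escape"]\n'
    "\tpath = ../outside\n"
    "\turl = https://example.invalid/escape.git\n"
)

CONTROL = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF, TAB, NUL, ...
SECTION = re.compile(r'^\[submodule "([^"]*)"\]')
SETTING = re.compile(r"^\s*(path|url)\s*=\s*(.*)$")


def suspicious_submodules(text):
    """Return (submodule name, key, reason) tuples worth a manual look."""
    findings = []
    name = None
    for line in text.split("\n"):  # split on LF only so a stray CR survives
        sec = SECTION.match(line)
        if sec:
            name = sec.group(1)
            if CONTROL.search(name):
                findings.append((name, "name", "control character"))
            continue
        kv = SETTING.match(line)
        if not kv or name is None:
            continue
        key, value = kv.groups()
        if CONTROL.search(value):
            findings.append((name, key, "control character"))
            value = CONTROL.sub("", value)  # keep checking the visible part
        if key == "path":
            parts = posixpath.normpath(value).split("/")
            if value.startswith("/") or parts[0] == "..":
                findings.append((name, key, "escapes the checkout"))
            if ".git" in parts:
                findings.append((name, key, "targets .git metadata"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_submodules(SAMPLE_GITMODULES):
        print("%s: %s (%s)" % finding)
```

Run it against a freshly cloned (non-recursive) repository's .gitmodules and only initialize submodules when it reports nothing.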
Sources: Git release advisories, CISA KEV listing.
Fortinet FortiSIEM - CVE-2025-25256
What happened
The monitoring service inside FortiSIEM contained a flaw that allowed outsiders to send malicious commands to the system (command injection). A working exploit is already public.
Impact
If compromised, attackers could take full control of your monitoring platform. That means they can erase traces of their activity, harvest credentials, and pivot deeper into your environment. The very system meant to give visibility into your infrastructure becomes a weapon against you.
Who is at risk
Any organization running FortiSIEM where the service is reachable from the internet or untrusted networks.
What to do
Upgrade to a fixed version of FortiSIEM. Restrict network access so management interfaces are never exposed to untrusted traffic. Monitor logs for suspicious command-line activity.
Sources: Fortinet PSIRT advisory, independent security research.
FreePBX - Actively exploited zero-day
What happened
Attackers found a way into FreePBX when the administrator panel is open to the internet and the Endpoint module is installed. Exploitation has been active since late August.
Impact
Phone systems can be hijacked to place fraudulent calls, rack up charges, and disrupt communications. Picture waking up to find your phone system down, customers unable to reach you, and a five-figure telecom bill from fraudulent calls routed overseas.
Who is at risk
FreePBX 16 and 17 deployments with exposed admin panels.
What to do
Remove public access to the admin panel. Apply the emergency module update provided by Sangoma. If you suspect compromise, restore from backups taken before the attacks started and rotate all SIP and system credentials.
Sources: Sangoma advisory and industry coverage.
WinRAR for Windows - CVE-2025-8088
What happened
A flaw in WinRAR allowed crafted archives to place malicious files in startup folders (path traversal). When the computer restarts, the attacker’s code runs automatically. ESET linked this to attacks by the RomCom group.
Impact
Employees may receive a file that looks like a harmless report or contract. Once opened, it silently installs malware that steals credentials and spreads. This could result in financial fraud, ransomware deployment, or data exfiltration. A single careless extraction could bring down an entire office network.
Who is at risk
Any Windows system running WinRAR or RAR, especially where staff routinely handle external archives.
What to do
Manually update to WinRAR 7.13. Train staff not to open archives from unknown senders. Block RAR files at email gateways where possible, and audit endpoints for unexpected startup entries.
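As an added example (not WinRAR's or ESET's code), this is the kind of check a mail gateway or endpoint script can run over an archive's member listing before anything is extracted: it refuses names that would leave the extraction folder, name an absolute location, use alternate data stream syntax, or land in a Startup folder. The member names below are constructed; in practice they would come from the archive tool's listing output.

```python
"""Classify archive member names before extraction."""
import ntpath
import re

STARTUP = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)

# Constructed listing: the first two extract safely, the rest should be
# refused. None of these come from a real sample.
SAMPLE_ENTRIES = [
    "Q3_report.pdf",
    "images\\chart.png",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs"
    "\\Startup\\report.lnk",
    "C:\\Users\\Public\\Documents\\notes.txt",
    "notes.txt:hidden",
    "Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.lnk",
]


def classify_entry(name):
    """Return None for a safe relative name, otherwise a short reason."""
    if any(ord(c) < 0x20 for c in name):
        return "control character in name"
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith(("\\", "/")):
        return "absolute path"
    if ":" in rest:  # a colon inside a Windows file name is an ADS reference
        return "alternate data stream syntax"
    parts = ntpath.normpath(rest).split("\\")
    if ".." in parts:  # still escapes after normalization
        return "path traversal"
    if STARTUP.search(rest):
        return "writes to a Startup folder"
    return None


def scan_listing(entries):
    """Map each flagged member name to the reason it should not be extracted."""
    return {name: reason for name in entries
            if (reason := classify_entry(name)) is not None}


if __name__ == "__main__":
    for name, reason in scan_listing(SAMPLE_ENTRIES).items():
        print("REFUSE %-70s %s" % (name, reason))
```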
Sources: ESET research, Ars Technica and The Hacker News coverage.
Final Priorities for Businesses
- Patch Citrix NetScaler immediately and verify appliances for compromise.
- Update Docker Desktop across developer fleets and CI systems.
- Apply Microsoft August updates to all domain controllers.
- Roll out Apple and WhatsApp updates, prioritizing executives and sensitive users.
- Upgrade Git everywhere, especially in build environments.
- Upgrade and lock down FortiSIEM.
- Secure FreePBX panels and apply fixes.
- Move WinRAR to 7.13 and search for persistence from old archives.
Get Help Before These Become Incidents
SecureIT provides hands-on support for:
- Vulnerability scanning and patch prioritization
- Threat monitoring and alerting via our 24/7 SOC
- Executive reporting to align business and security goals
If your team doesn’t have the time, people, or tools to stay ahead of these updates, we can step in. Whether it’s a monthly scan, a one-off audit, or ongoing managed detection, we make security practical, not theoretical.
Contact us today to book a readiness check, or ask us to validate your exposure to any of the CVEs above.