Exposures, Exposed! Weekly Round-up October 13 – October 19, 2025
Fall is here, bringing with it the cozy glow of fireplaces and the familiar taste of pumpkin spice, well, just about everything. But as the holiday season approaches, so does the most active time for cyber attackers. And they're already in full swing. This week on Exposures, Exposed!, Senior Researcher Eli Guy shares the most important exposures you need to be aware of—before your organization gets hit.
CISA Orders Federal Patch Deployment for F5 Breach
CISA issued an emergency directive mandating that all civilian agencies identify and patch F5 devices after a nation-state actor breached F5 systems, gaining access to BIG-IP development platforms. The attacker exfiltrated source code and information about undisclosed vulnerabilities.
Agencies must inventory all affected F5 hardware and software, isolate management interfaces exposed to the internet, and apply patches by October 22. Devices beyond support must be disconnected. Agencies should report their F5 deployments by October 29. Organizations outside government that use F5 systems may adopt the same safeguards to reduce risk.
Eli Guy Says:
“This breach materially increases the exploitability of the BIG-IP attack surface. With vendor source and proof-of-concepts, an attacker can craft reliable RCE chains targeting the control plane: think malformed TMUI requests that trigger vulnerable parsing routines, abuse of unsigned or weakly signed iControl REST modules, or targeted manipulation of the TCL/Perl interpreter used on box startup. Practically, expect high-fidelity scanning for management plane endpoints followed by fingerprinting of installed iControl extensions and SSL/TLS certificate profiles; exploit scripts will probe for RPC endpoints and non-standard admin ports. Detection should focus on anomalous POSTs to management endpoints, sudden module uploads, new unsigned binaries under /config or /shared, and unexpected outbound HTTPS to code-hosting domains. After patching, perform binary and config integrity checks and rotate any private keys/certs stored on devices — attackers with source code can craft payloads that mimic legitimate module behavior, so behavioral baselines are essential.”
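As an added example (not code from the post, nor from F5), the detection Eli Guy describes above can be run over management-interface access logs: it flags POSTs to iControl REST (/mgmt/) or TMUI (/tmui/) paths from sources outside a known-admin baseline, and any hit on package-upload endpoints regardless of source. The log lines, addresses and upload-path markers below are constructed for illustration.

```python
import re

# Constructed sample lines in the combined format the BIG-IP management
# httpd writes; addresses, users and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Oct/2025:09:01:10 +0000] "GET /mgmt/tm/sys/version HTTP/1.1" 200 812
10.0.0.5 - admin [14/Oct/2025:09:02:15 +0000] "POST /mgmt/tm/ltm/pool HTTP/1.1" 200 311
203.0.113.77 - - [14/Oct/2025:02:14:03 +0000] "POST /mgmt/shared/file-transfer/uploads/x.rpm HTTP/1.1" 200 5242880
203.0.113.77 - - [14/Oct/2025:02:14:09 +0000] "POST /mgmt/shared/iapp/package-management-tasks HTTP/1.1" 202 140
198.51.100.9 - - [14/Oct/2025:02:20:40 +0000] "POST /tmui/login.jsp HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Management-plane prefixes on BIG-IP: iControl REST under /mgmt/, TMUI under /tmui/.
MGMT_PREFIXES = ("/mgmt/", "/tmui/")
# Path fragments of endpoints that accept package/module uploads (assumed set for this example).
UPLOAD_MARKERS = ("/file-transfer/uploads", "/package-management-tasks")


def detect_mgmt_anomalies(log_text, baseline_sources):
    """Return (source, path, reason) for every POST to a management endpoint
    that comes from a source outside the baseline or hits an upload endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than fail the whole scan
        src, method, path = m["src"], m["method"], m["path"]
        if method != "POST" or not path.startswith(MGMT_PREFIXES):
            continue
        reasons = []
        if src not in baseline_sources:
            reasons.append("non-baseline source")
        if any(marker in path for marker in UPLOAD_MARKERS):
            reasons.append("package/module upload endpoint")
        if reasons:
            findings.append((src, path, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for finding in detect_mgmt_anomalies(SAMPLE_LOG, {"10.0.0.5"}):
        print(*finding, sep=" | ")
```

The baseline set should come from your own change records; an upload-endpoint hit from a baseline admin host is still worth a ticket, which is why that reason is reported independently.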
The Takeaway: Organizations using F5 appliances must immediately:
Failure to act now risks long-term compromise via weaponized vendor code.
Attackers Exploit Cisco SNMP Flaw to Install Rootkits
Trend Research reported an operation that used the Cisco SNMP vulnerability CVE-2025-20352 to achieve remote code execution on network devices. The attackers implanted Linux rootkits to maintain persistence, create universal passwords, and insert hooks into IOSd memory. The campaign primarily affected Cisco 9400, 9300, and phased-out 3750G switches. Investigators also found limited use of a modified Telnet exploit derived from CVE-2017-3881 that enabled memory access.
Trend Research confirmed that compromised devices could bypass access controls, disable logging, and conceal configuration changes. The attackers used spoofed IPs and MAC addresses and leveraged UDP controllers to manage infected systems. Cisco collaborated with Trend to assess impact and assist in forensic review.
Eli Guy Says:
“Rootkits in the switch control plane are extremely stealthy because they operate in the same process space that handles management and forwarding logic. The SNMP vector here typically leverages malformed SNMP PDUs that trigger parser overflows or object handler misrouting, allowing an exploit to inject a small loader into RAM. From there, attackers patch in an ELF-like payload or CLR equivalent and patch dispatch tables so the implant intercepts syslog writes and suppresses events. You'll see artifacts like altered MIB responses, odd CRC differences on SNMP replies, and discrepancies between running-config and startup-config hashes. Real mitigation requires reimaging from a trusted firmware image and rotating NVRAM credentials; for detection, enable packet captures on management VLANs and baseline SNMP MIB queries so you can spot crafted OID sequences or repeated walk operations from unusual sources.”
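One way to surface the config discrepancies Eli Guy mentions above, added here as an example rather than taken from the post or from Trend or Cisco: normalize away the volatile header lines IOS rewrites on every show or copy, hash the result for a baseline store kept off the device, and diff the observed config against a trusted golden copy to list exactly which lines appeared or disappeared (a removed logging host or an extra privilege-15 user, for instance). The sample configs and the volatile-prefix list are constructed for this example.

```python
import difflib
import hashlib

# Header/timestamp lines IOS rewrites on every show or copy; these are not drift.
VOLATILE_PREFIXES = ("! Last configuration change", "! NVRAM config last updated",
                     "Building configuration", "Current configuration :", "ntp clock-period")

def normalize(config_text):
    """Drop blank and volatile lines so two identical configs hash identically."""
    lines = (line.rstrip() for line in config_text.splitlines())
    return [s for s in lines if s and not s.startswith(VOLATILE_PREFIXES)]

def config_fingerprint(config_text):
    """SHA-256 of the normalized config, for an out-of-band baseline store."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def config_drift(baseline_text, observed_text):
    """Return (added, removed) lines in the observed config relative to the baseline."""
    added, removed = [], []
    diff = difflib.unified_diff(normalize(baseline_text), normalize(observed_text),
                                lineterm="", n=0)
    for d in diff:
        if d.startswith(("--- ", "+++ ", "@@")):
            continue  # hunk headers carry no config content
        if d[0] == "+":
            added.append(d[1:])
        elif d[0] == "-":
            removed.append(d[1:])
    return added, removed

# Constructed sample configs: a trusted golden copy versus what the switch reports now.
BASELINE = """\
! Last configuration change at 08:00:00 UTC Mon Oct 6 2025
hostname core-sw1
username netops privilege 15 secret 9 $9$constructed.hash
logging host 10.0.0.50
line vty 0 4
 transport input ssh
"""
OBSERVED = """\
! Last configuration change at 02:11:09 UTC Tue Oct 14 2025
hostname core-sw1
username netops privilege 15 secret 9 $9$constructed.hash
username svc-backup privilege 15 secret 9 $9$constructed.hash2
line vty 0 4
 transport input ssh telnet
"""
```

Because an implant in IOSd can lie to the on-box CLI, pull the observed copy out-of-band (for example via a TFTP/SCP copy from a collector) and keep the golden copy and its fingerprint off the device.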
The Takeaway: Defenders should:
Microsoft Patches Two Actively Exploited Windows Zero-Days
Microsoft released updates addressing 183 security flaws in October 2025. Among them are two zero-day vulnerabilities under active exploitation: CVE-2025-24990 in the Agere modem driver and CVE-2025-59230 in Remote Access Connection Manager. Both allow privilege escalation.
Microsoft said it plans to remove the legacy driver rather than patch it. The company did not disclose specific details of how the exploits operate or their scale. The updates also cover elevated privilege, remote code execution, information disclosure, spoofing, denial of service, and security bypass flaws.
Security teams should review their patch status, prioritize applying the latest updates, and monitor system logs for suspicious privilege escalation attempts.
Eli Guy Says:
“Driver and service level privilege escalations are potent because they operate at the kernel or service boundary. The Agere driver exploit likely abuses IOCTL handlers to corrupt kernel memory or escalate token privileges; the RasMan issue can be weaponized through malformed RPC calls triggering elevation via impersonation tokens. From a technical hunting perspective, look for unexpected device object creations, new IOCTL patterns, and kernel stack traces in memory dumps that reference vendor driver symbols. EDR should alert on unsigned driver loads, service binary replacements, or direct calls to NtSetInformationProcess and other token-manipulation syscalls. Removing legacy drivers and locking down service binaries, combined with driver load policy enforcement and kernel anomaly monitoring, will blunt these exploitations.”
The Takeaway: Security teams must:
SAP Issues Patch for Multiple Critical Flaws
SAP deployed new security updates covering 16 notes. Among them, it fixed CVE-2025-42944, an insecure deserialization flaw in NetWeaver AS Java, rated CVSS 10.0. It also patched CVE-2025-42937, a directory traversal bug in Print Service that permitted file overwrite, and CVE-2025-42910, an unrestricted file upload flaw in SRM.
SAP added JVM-wide filtering via jdk.serialFilter to block unsafe class deserialization. It updated a previous note to align with new hardening steps. The other patched defects span denial of service and security misconfiguration risks in other SAP modules.
Eli Guy Says:
“Deserialization RCE in Java app servers can be exploited by sending crafted serialized objects that invoke gadget chains leading to arbitrary class loading and code execution. In SAP’s ecosystem that often translates to ABAP bridge invocation or JCo calls that execute system commands as the application user. Directory traversal and upload flaws give an attacker a direct mechanism to write servlet/JAR artifacts into the webapp context, enabling remote code execution without chaining additional vulnerabilities. Tactically, look for suspicious multipart uploads that create .jar or .class files, odd classloader errors in catalina/jetty logs, and new endpoints serving unexpected content types. Harden by enabling jdk.serialFilter, blocking upload types at the WAF, and instrumenting Java application server logs for suspicious class instantiation patterns.”
The Takeaway: Defend SAP by:
SAP compromises are high-impact—treat them with enterprise urgency.
Oracle Warns of New E-Business Suite Vulnerability
Oracle issued a security alert for the vulnerability CVE-2025-61884 in its E-Business Suite. The flaw affects the Runtime UI component of Oracle Configurator and allows remote unauthenticated attackers to access sensitive configuration data over HTTP.
Affected versions include 12.2.3 through 12.2.14. Oracle rated the vulnerability with a base score of 7.5. The vendor urged customers to apply the patch or mitigation promptly. The alert notes that unsupported versions may also be vulnerable.
Security teams should check whether their Oracle EBS deployments include the Configurator module, confirm patch installation across all environments, and restrict HTTP access from external networks when possible.
Eli Guy Says:
“Exposed configuration endpoints are reconnaissance multipliers. Configuration metadata exposes object model IDs, role mappings, and sometimes secrets or connection strings if misconfigured. Attackers use that to craft tailored SQL/PLSQL or API calls and to identify service accounts with excessive privileges. In logs you’ll see repeated enumerations of configurator resource IDs, and in some cases leaked JSON payloads with structural definitions. Mitigate by enforcing authentication at the web tier, applying strict WAF rules to block public access to config URIs, and running offline audits of exported metadata to find unexpected disclosures.”
The Takeaway: Protect EBS by:
Configuration visibility leads to targeted attacks—deny reconnaissance routes.
Adobe AEM Exploit Added to CISA KEV
CISA added a critical vulnerability in Adobe Experience Manager to its Known Exploited Vulnerabilities catalog after finding signs of active attacks. The vulnerability CVE-2025-54253 allows unauthenticated remote code execution through a misconfiguration in the /adminui/debug servlet.
Affected versions include AEM Forms on JEE up to 6.5.23.0. Adobe released fixes in version 6.5.0-0108, which also addresses a related flaw, CVE-2025-54254, rated 8.6. Agencies must apply patches by November 5, 2025, and isolate any exposed admin interfaces. Organizations outside federal circles should assess their AEM installations as well.
Eli Guy Says:
“Debug servlets often expose expression evaluators or diagnostic commands; attackers feed them crafted expressions to escape sandboxed contexts and execute OS commands. In AEM’s case, exploit chains frequently corrupt the Sling request pipeline or drop JSP/servlets into the author instance. Indicators include POST requests with payloads containing OGNL-like or script expression syntax, increases in requests that trigger stack traces containing org.apache.sling or com.adobe.granite classes, and new writable files under /crx-quickstart/install or /apps. Block these endpoints at the perimeter and scan for JSPs and newly modified bundle JARs as immediate cleanup actions.”
The Takeaway: Lock down AEM by:
Veeam Patches Critical Backup Infrastructure Threats
Veeam released Patch 12.3.2.4165 to address three serious security flaws in Backup & Replication and Agent components. Among them are CVE-2025-48983 and CVE-2025-48984, both rated critical (CVSS 9.9) and affecting domain-joined backup servers. A privilege elevation flaw also impacts Veeam Agent for Windows and allows SYSTEM escalation from maliciously crafted restore operations.
These updates apply to Veeam Backup & Replication versions up to 12.3.2.3617 and Agent for Windows up to 6.3.2.1205. Veeam highlights that unsupported versions may remain at risk.
Teams should verify their Veeam installations, deploy the patch across all relevant systems, and restrict domain-joined exposure where feasible.
Eli Guy Says:
“Backup servers run with high privileges and often have broad network access to storage and host snapshots; RCE here is catastrophic. The mount service RCE can be exploited by an authenticated user to run arbitrary code in the backup server context, and crafted restore payloads can escalate via agent behavior to SYSTEM. Look for abnormal restore tasks creating executable files, unexpected child processes launched by backup services, and suspicious SMB or NFS operations writing into unexpected paths. Harden by moving backup servers onto isolated subnets, enforcing allow-lists for which hosts can initiate restores, and storing catalog exports offline and encrypted to prevent attacker tampering.”
The Takeaway: Keep backup resilience strong:
Closing Thoughts
That’s all for this week’s roundup. Stay vigilant, patch promptly, and remember: the best time to harden your environment was yesterday; the second‑best time is now.