Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from August that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2025-7775
CVE-2025-7775 describes a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway when configured in several modes, including Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, and load balancing virtual servers bound with IPv6 services or DBS IPv6 servers, as well as CR virtual servers of type HDX. The vulnerability arises from improper memory handling that can be triggered remotely, allowing an attacker to achieve remote code execution or denial of service depending on the exploitation path. With network-based access, an attacker could craft malicious packets targeting exposed NetScaler services, leading either to the execution of arbitrary code on the device or the crash and disruption of critical VPN and proxy services.
This flaw is particularly dangerous in enterprise and cloud environments where NetScaler appliances serve as critical access gateways, since exploitation could result in full compromise of infrastructure, service outages, and lateral movement into internal networks. The vulnerability has been assigned a CVSS v3 base score of 9.8, with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its low attack complexity, lack of required privileges, and ability to compromise confidentiality, integrity, and availability. Under CVSS v4, the score remains severe at 9.2, further underscoring the risk in production environments. Public reporting confirms that this issue has already been exploited as a zero-day, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and multiple security researchers tracking widespread attacks. Reports indicate that over 28,000 NetScaler appliances remained exposed to the flaw at the time of disclosure, amplifying the urgency for remediation.
Citrix addressed CVE-2025-7775 in emergency updates released on August 26, 2025, as part of a security bulletin that also included two additional NetScaler vulnerabilities. Organizations running affected versions of NetScaler ADC and Gateway should immediately apply the patches provided by Citrix, or implement compensating controls such as disabling IPv6 bindings and restricting external exposure of management and gateway interfaces until patching is complete. Exploitation of this flaw can grant attackers direct access to internal systems by hijacking critical VPN or load balancing infrastructure, making rapid patching and hardening of NetScaler environments an operational priority. More detailed guidance and official mitigation steps are available from Citrix’s advisory and the CISA KEV catalog.
CVE-2025-53771
CVE-2025-53771 describes a medium-severity improper authentication vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to perform spoofing attacks over a network. The flaw stems from insufficient validation within SharePoint’s authentication mechanisms, which permits a malicious actor to manipulate requests and impersonate legitimate users or services. By exploiting this weakness, an attacker could craft specially designed network requests to trick SharePoint into granting them access under a falsified identity, undermining the trust model of the platform. This can allow further exploitation when chained with other vulnerabilities, particularly in the ToolShell exploit chain where spoofing was used to bypass protections and gain entry into sensitive administrative interfaces.
The vulnerability poses a significant risk in enterprise environments because SharePoint often serves as a central hub for collaboration, document storage, and workflow automation. Spoofing attacks targeting SharePoint can compromise the confidentiality of business-critical data and may facilitate privilege escalation or lateral movement if an attacker manages to impersonate privileged users. While this issue requires network access, the attack complexity is low and no user interaction is necessary, meaning it can be reliably executed once the attacker identifies a vulnerable system. The vulnerability has been assigned a CVSS v3 base score of 6.5 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, highlighting the impacts to confidentiality and integrity but not availability. Under CVSS v2 scoring, the base score is listed at 7.5 due to differences in weighting methodology.
Microsoft patched CVE-2025-53771 in July 2025 as part of updates addressing the ToolShell exploit chain, which included several interlinked SharePoint flaws. The vulnerability is actively monitored in security advisories and was quickly added to exploitation watchlists because of its role in enabling bypasses of earlier mitigations. Organizations running affected SharePoint environments should apply Microsoft’s July 2025 security updates without delay and ensure that their SharePoint instances are not directly exposed to the internet. CISA and Microsoft advisories emphasize the importance of restricting external access, applying network segmentation, and enabling strict authentication controls to reduce the impact of any spoofing attempts. Since this flaw fits into broader exploit chains, especially those demonstrated during Pwn2Own and later expanded by attackers in the wild, administrators should consider it a priority to patch and monitor for signs of exploitation.
CVE-2025-54948
CVE-2025-54948 is a critical command injection vulnerability affecting the Trend Micro Apex One on-premises management console. The flaw allows a pre-authenticated remote attacker to upload malicious code and execute arbitrary commands on affected systems. Since this vulnerability does not require prior authentication, exploitation is trivial once an attacker can reach the exposed management console, making it particularly dangerous for organizations that have not restricted external access. Exploitation can lead to full compromise of the endpoint security platform, granting adversaries administrative control over large fleets of protected systems.
Trend Micro confirmed that this vulnerability, alongside CVE-2025-54987, was exploited in the wild as zero-days in August 2025. Reports indicated active targeting of enterprises, with attackers leveraging the flaw to gain persistence, disable defenses, and deploy secondary payloads. Security researchers and CISA flagged the issue as part of the Known Exploited Vulnerabilities (KEV) catalog, further underscoring its active use in attacks. Temporary mitigation tools were released by Trend Micro to limit exposure until full security patches could be applied, but these mitigations should be treated only as stopgaps.
The vulnerability has been assigned a CVSS v3 base score of 9.8 (vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical nature across confidentiality, integrity, and availability. Under CVSS v2, the vulnerability carries a base score of 10. The EPSS probability sits at 0.18488, indicating a significant likelihood of widespread exploitation.
Organizations using Apex One should immediately apply Trend Micro’s latest patches or, at minimum, deploy the mitigation tools provided while restricting console access to trusted networks. Network monitoring for suspicious uploads, reviewing Apex One administrative activity logs, and implementing compensating controls such as firewall rules and intrusion prevention signatures are recommended until systems are fully remediated. Given its exploitation in the wild, unpatched instances remain high-value targets and should be prioritized for immediate remediation.
CVE-2025-8088
CVE-2025-8088 is a high-severity path traversal vulnerability in the Windows version of WinRAR that enables attackers to execute arbitrary code by crafting malicious archive files. Discovered by security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, the flaw was confirmed to be exploited in the wild before disclosure, which led to its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog.
The attack vector relies on specially crafted archive files that bypass WinRAR’s intended directory restrictions. When a user extracts such a file, the embedded payload can overwrite critical files or be executed outside the intended extraction path. Because WinRAR is widely used to handle compressed files, especially in enterprise environments where email attachments and downloads are common, this flaw presents a strong opportunity for attackers to distribute malware, gain persistence, or escalate access within targeted networks. Social engineering campaigns could easily weaponize the vulnerability by disguising malicious archives as legitimate content, tricking users into extraction.
The vulnerability has been rated as critical under CVSS v2 with a score of 10, while CVSS v3 assigned it a high score of 8.8 (vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Under the updated CVSS v4 framework, it carries a score of 8.4, with the primary risk centered on confidentiality, integrity, and availability impacts through unauthorized code execution. EPSS data places its exploitation probability at 0.05624, underscoring that active use has been observed and further exploitation is likely.
Organizations should prioritize mitigation by ensuring they are running patched versions of WinRAR and restricting the use of outdated builds. Since exploitation requires users to interact with malicious archives, endpoint detection and monitoring of suspicious archive extraction behavior should also be employed. Where possible, implementing application control, disabling automatic script execution, and limiting the use of WinRAR in high-risk environments can reduce exposure. Security advisories also suggest deploying Windows Software Restriction Policies (SRP) or Image File Execution Options (IFEO) to mitigate exploitation attempts until full remediation is in place.
CVE-2025-21479
CVE-2025-21479 describes a high-severity memory corruption vulnerability affecting Qualcomm GPU micronodes, where unauthorized command execution during the processing of a specific sequence of GPU instructions can lead to code execution. This flaw allows an attacker to trigger memory corruption by exploiting improperly validated GPU command streams, potentially resulting in arbitrary command execution within the GPU environment. Since GPUs are heavily leveraged for both graphics rendering and compute workloads, exploitation could allow an attacker to interfere with trusted processes, inject malicious operations, or escalate their control over the device.
The attack vector is local in nature, as exploitation requires the attacker to execute crafted GPU command sequences on a vulnerable system. This can occur through malicious applications distributed via app stores or sideloaded APKs on Android devices. Once executed, the malicious commands can corrupt GPU memory structures, allowing an attacker to achieve code execution in the context of GPU processes, which can then be leveraged for persistence or to escape into higher-privilege components of the operating system. Reports have confirmed that this vulnerability has been actively exploited in the wild, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the likelihood of targeted attacks against Android and other Qualcomm-powered devices.
The vulnerability carries a CVSS v3 base score of 8.6 (vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its high impact across confidentiality, integrity, and availability once triggered. Under CVSS v2, it is rated 7.2, with exploitation requiring local access but relatively low complexity. EPSS data places the probability of exploitation at 0.12787, reinforcing the fact that attackers are already using it against exposed devices.
Google addressed the flaw in the August 2025 Android security bulletin, patching affected devices through firmware updates. Qualcomm also issued fixes for impacted Adreno GPU drivers and urged OEMs to push updates to their devices as quickly as possible. Organizations and end-users are strongly encouraged to apply the latest Android security updates immediately, as devices running outdated GPU firmware remain at significant risk. Mitigations such as restricting the installation of untrusted apps and monitoring for abnormal GPU behavior should be applied until patches are fully deployed.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
