Security vulnerabilities are a routine part of managing any organization’s security posture, and promptly patching or remediating newly disclosed vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from September that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups follow.
CVE-2025-20352
CVE-2025-20352 describes a high-severity stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software. The flaw arises from improper handling of SNMP packets, which makes the SNMP process vulnerable to memory corruption when it processes a crafted request. Exploitation requires an attacker to have access to an SNMPv2c community string or SNMPv3 credentials, but the impact varies based on the attacker’s privilege level. A remote attacker with only low-privileged SNMP access can send specially crafted packets that trigger a denial-of-service condition by forcing the affected device to reload, disrupting availability. More critically, a remote attacker with high-privileged credentials, such as administrative or privilege 15 rights, can exploit the same flaw to execute arbitrary code with root privileges on the underlying IOS XE device, granting them complete control. The attack vector is network-based and does not require user interaction, which broadens the exposure for organizations with SNMP enabled over IPv4 or IPv6 on internet-facing Cisco devices. Since this vulnerability affects all versions of SNMP on IOS and IOS XE, any unpatched system configured with SNMP is at risk.
This vulnerability has been assigned a CVSS v3 base score of 7.7 with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, reflecting its high impact on availability and potential for privilege escalation when combined with high-level credentials. Cisco acknowledged that exploits were already active in the wild at the time of disclosure in September 2025, with millions of routers and switches potentially exposed. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to apply Cisco’s security updates immediately, as successful exploitation could either cripple network availability through repeated reboots or allow takeover of critical infrastructure systems. Cisco’s advisory provides the patched releases and mitigations, and organizations running IOS or IOS XE should prioritize updates without delay to reduce the risk of both denial-of-service and full system compromise.
CVE-2025-10035
CVE-2025-10035 is a critical deserialization vulnerability discovered in the License Servlet of Fortra’s GoAnywhere Managed File Transfer (MFT). The issue arises from the way the application handles license validation responses. An attacker who can forge a valid license response signature is able to feed the servlet with arbitrary, attacker-controlled objects. This unsafe deserialization pathway can be exploited to achieve command injection on the affected system, granting the attacker the ability to execute arbitrary code. Because the attack is carried out over the network and does not require prior authentication, it poses an especially high risk to exposed GoAnywhere MFT deployments.
The attack vector centers on the forged license response. By manipulating the serialized data contained within the response, the adversary can cause the server to interpret crafted objects as trusted inputs. Once deserialized, these malicious objects enable execution of arbitrary commands with the privileges available to the GoAnywhere MFT process. Since GoAnywhere is often deployed as a mission-critical platform for secure file transfers across enterprise and government environments, the consequences of successful exploitation extend far beyond the compromise of a single server. Attackers could use this flaw to gain persistence, steal sensitive data in transit, or pivot deeper into corporate networks.
This vulnerability has been assigned the maximum CVSS v3 base score of 10.0 with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, reflecting its low complexity, lack of prerequisites, and full impact on confidentiality, integrity, and availability. The CVSS v2 base score is also rated at 10.0, underscoring the severity of the flaw. Published on September 19, 2025, the issue was quickly classified as a vulnerability of interest by Tenable and has an Exploit Prediction Scoring System (EPSS) score of 0.00231; EPSS estimates the probability that a vulnerability will be exploited in the wild over the following 30 days, so this figure should be read alongside the reported exploitation rather than as a measure of it. Given the history of GoAnywhere being targeted in high-profile attacks, organizations running vulnerable versions should immediately apply the latest vendor patches or mitigations. More details and technical analysis are provided in the advisory and exploit breakdown published by WatchTowr Labs, which highlighted real-world exploitation scenarios for this bug.
CVE-2025-10585
CVE-2025-10585 is a high-severity vulnerability in Google Chrome’s V8 JavaScript engine. The flaw stems from a type confusion issue, which occurs when V8 misinterprets the type of an object during execution. In this case, the vulnerability allowed a crafted HTML page to trigger heap corruption, potentially leading to remote code execution. Google rated the issue as “High” under Chromium’s severity scale, but its real-world risk is elevated by the fact that it was exploited as a zero-day in active attacks before being patched.
The vulnerability was fixed in Chrome version 140.0.7339.185, released in mid-September 2025. This release was pushed as an emergency update after reports of in-the-wild exploitation. The attack surface is broad since exploitation requires nothing more than convincing a victim to visit a malicious or compromised webpage. Attackers were observed using this flaw as part of targeted campaigns, and it was quickly added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, mandating patching across federal civilian agencies.
From a scoring standpoint, the flaw carries a CVSS v3 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting its network accessibility, low attack complexity, and high potential impact across confidentiality, integrity, and availability. CVSS v2 rated it even higher, with a critical score of 10. Given Chrome’s dominance as a browser, this vulnerability represents a significant target for threat actors—especially those relying on drive-by-download or watering hole campaigns.
Security researchers have pointed out that this was the sixth actively exploited Chrome zero-day patched by Google in 2025, underscoring the sustained targeting of browser vulnerabilities. Organizations are strongly advised to verify their endpoints are running Chrome 140.0.7339.185 or later and to ensure automatic updates are enabled. Since this flaw affects V8, other Chromium-based browsers like Microsoft Edge and Brave may also require updates to stay protected.
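The version check recommended above is easy to get wrong in inventory scripts, because Chrome builds are four-field dotted strings and a plain string comparison orders them incorrectly. The following is an added example, not code from the article or from Google: it parses dotted version strings field by field, compares each installed build against the fixed release 140.0.7339.185 named in the text, and lists the hosts that still need the update. The hostnames and installed versions are constructed sample data, and the `is_patched` helper works unchanged for any other product whose fixed release is a dotted version string.

```python
"""Added example (not from the original article): verify that installed
Chrome builds are at or above the fixed release 140.0.7339.185 named in
the text, and list the hosts that still need the update.

Dotted versions must be compared field by field as integers; a plain
string comparison gets it wrong ("140.0.7339.99" sorts after
"140.0.7339.185" lexicographically). The inventory below is constructed
sample data, not real hosts."""

CHROME_FIXED = "140.0.7339.185"  # fixed release named in the article


def version_tuple(version: str) -> tuple:
    """Parse a dotted version such as '140.0.7339.185' into a tuple of ints.

    A trailing non-numeric suffix on a field (e.g. '54-beta') is dropped,
    and missing fields are padded with 0 so '140.0' equals '140.0.0.0'.
    """
    fields = []
    for part in version.strip().split("."):
        digits = ""
        for ch in part:
            if ch.isdigit():
                digits += ch
            else:
                break
        fields.append(int(digits) if digits else 0)
    while len(fields) < 4:
        fields.append(0)
    return tuple(fields)


def is_patched(installed: str, fixed: str = CHROME_FIXED) -> bool:
    """True when the installed version is at or above the fixed release."""
    return version_tuple(installed) >= version_tuple(fixed)


def unpatched_hosts(inventory: dict) -> list:
    """Return sorted hostnames whose build predates the fixed release.

    `inventory` maps hostname -> installed Chrome version string.
    """
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "ws-01": "140.0.7339.185",  # exactly the fixed build
    "ws-02": "140.0.7339.207",  # later build on the same branch
    "ws-03": "140.0.7339.99",   # lexicographically "larger", but older
    "ws-04": "139.0.7258.154",  # previous major release
    "ws-05": "141.0.7390.54",   # newer major release
}

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} is below {CHROME_FIXED}")
```

In this sample, `ws-03` is the host a naive string comparison would wrongly report as patched; the integer comparison catches it along with `ws-04`.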
CVE-2025-53691
CVE-2025-53691 describes a high-severity deserialization of untrusted data vulnerability in Sitecore’s Experience Manager (XM) and Experience Platform (XP). The flaw exists in multiple supported versions—XM from 9.0 through 9.3 and 10.0 through 10.4, as well as XP across the same ranges. An attacker with limited privileges over the network could exploit the deserialization process to execute arbitrary code on the affected server, escalating their access and potentially taking full control of the Sitecore environment.
The risk posed by this vulnerability is significant given how widely Sitecore is used for enterprise content management and digital experience delivery. Exploitation could enable attackers to manipulate business-critical data, compromise sensitive information, and pivot to additional systems integrated with the platform. Researchers at WatchTowr Labs demonstrated how cache poisoning could be used as an entry point to trigger the deserialization pathway, chaining it into remote code execution. This highlights not only the technical severity of the bug but also how attackers can pair it with creative attack vectors to achieve a deeper compromise.
According to the National Vulnerability Database (NVD), CVE-2025-53691 carries a CVSS v3 base score of 8.8 (vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), placing it firmly in the high-risk category. The older CVSS v2 rating is even higher at 9.0, with an attack vector requiring only network access and low complexity. The Exploit Prediction Scoring System (EPSS) score currently sits at 0.0028, a low estimated probability of exploitation in the near term. While public exploit availability has not yet been confirmed, advisories and research articles emphasize the urgency of applying the vendor patches. Sitecore has published security guidance in its knowledge base (KB1003667), urging customers to upgrade to patched versions to prevent compromise.
CVE-2025-4428
CVE-2025-4428 is a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) up to version 12.5.0.0. The flaw lies in the API component, where crafted API requests allow an authenticated attacker to execute arbitrary code remotely. Because exploitation requires only valid credentials with limited privileges, the barrier to entry is low for any attacker who has obtained an account. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming its use in real-world intrusions.
Reports from CISA and several security researchers show that this vulnerability has been actively leveraged by advanced persistent threat (APT) groups, including China-linked operators such as UNC5221. Attackers chained CVE-2025-4428 with other Ivanti flaws like CVE-2025-4427 in multi-step compromises of government agencies and enterprises across the U.S. and Europe. Once exploited, adversaries deployed custom malware kits—referred to in analysis reports as BadSuccessor—to maintain persistence, exfiltrate data, and facilitate further lateral movement. The vulnerability has proven to be especially dangerous when combined with Ivanti’s role in managing mobile and endpoint access for large organizations, giving attackers deep footholds into sensitive infrastructure.
From a risk perspective, the vulnerability carries a CVSS v3 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and an EPSS rating of 0.37092, which is notably high, indicating a substantial likelihood of exploitation. The scope of the impact spans confidentiality, integrity, and availability—meaning successful attacks can lead to full compromise of affected systems. For defenders, mitigations require upgrading to patched versions of EPMM and reviewing all API-related access logs for indicators of suspicious behavior. Given the consistent exploitation of Ivanti flaws across 2023–2025, organizations running Ivanti EPMM should treat this as a priority patching issue and also consider applying compensating controls like strict API request monitoring and additional authentication layers where possible.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
