Security vulnerabilities are a constant in running any organization’s security program. Promptly patching or otherwise remediating newly disclosed vulnerabilities is critical to reducing the externally exposed attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from October that should be patched or mitigated immediately if present in your environment. Detailed writeups below:
CVE-2025-59287
CVE-2025-59287 is a critical deserialization vulnerability in Microsoft’s Windows Server Update Services (WSUS) that allows an unauthenticated, remote attacker to execute arbitrary code over the network. The flaw lies in the way WSUS processes serialized input received through its web services from update clients and administrative tools. When crafted data reaches the vulnerable component, WSUS deserializes it without sufficient validation, allowing the attacker to inject and execute arbitrary code in the context of the WSUS service. Because that service runs as SYSTEM, successful exploitation yields full control of the underlying Windows Server.
This vulnerability is particularly dangerous in enterprise and government environments where WSUS acts as the central patch management hub. By compromising the update service itself, an attacker could distribute malicious payloads masquerading as legitimate Microsoft updates, undermining the integrity of the entire patching process. The attack requires no authentication or user interaction, making it a prime candidate for mass remote exploitation. Once in control of a WSUS server, adversaries could use it as a stepping stone to deploy malware to every connected endpoint, modify update metadata, or disrupt update delivery altogether.
The vulnerability carries a CVSS v3 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its low attack complexity and severe impact on confidentiality, integrity, and availability. It was published on October 14, 2025, as part of that month’s Patch Tuesday release; because the original fix was incomplete, Microsoft issued an out-of-band update on October 23, and the record was updated again on October 28, 2025, after Microsoft confirmed active exploitation in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) catalog on October 24, urging immediate remediation. Proof-of-concept exploit code is publicly available, including in the repository maintained by Hawktrace, so exploitation is likely to spread quickly beyond targeted attacks.
Organizations using WSUS should apply the October 23 out-of-band update immediately; the original October 14 update alone does not close the hole. Only servers with the WSUS Server Role installed are exposed, so the first step is to inventory which hosts actually carry that role. Where patching is temporarily unfeasible, Microsoft’s documented mitigations are to disable the WSUS Server Role or to block inbound traffic to TCP ports 8530 and 8531 on the host firewall, which also removes the server from any internet-facing exposure. For monitoring, focus on the WSUS process tree rather than on the wire: publicly reported exploitation chains spawned cmd.exe and powershell.exe from the WSUS worker processes, which does not happen in normal operation. Given WSUS’s role in distributing software updates, exploitation could enable a supply-chain style compromise of every endpoint that trusts the server.
CVE-2025-61882
CVE-2025-61882 is a critical vulnerability in Oracle E-Business Suite’s Concurrent Processing product, specifically within the BI Publisher Integration component. Versions 12.2.3 through 12.2.14 are affected. The flaw can be exploited remotely without authentication over HTTP, allowing an attacker to fully compromise Oracle Concurrent Processing. Because this component controls job scheduling and report generation, successful exploitation can lead to total system takeover, giving attackers the ability to read or alter sensitive enterprise data.
This vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its low attack complexity and severe impact across confidentiality, integrity, and availability. It was first published on October 5, 2025, when Oracle issued an out-of-cycle Security Alert, and the record was updated on October 27, 2025, after evidence of active exploitation surfaced. Google Mandiant attributes a large data-theft and extortion campaign against unpatched E-Business Suite customers to the Cl0p-linked actor, with exploitation believed to have begun as early as August 2025, well before a patch existed. Oracle subsequently issued a separate alert for CVE-2025-61884, another unauthenticated, remotely exploitable flaw in E-Business Suite. Because the vulnerable code path runs inside Concurrent Processing, a successful request gives the attacker control over the concurrent manager and its report workflows, which sit directly on top of the core ERP database.
The Exploit Prediction Scoring System (EPSS) lists this vulnerability with a probability of 0.80291, indicating a high likelihood of exploitation. Given the centrality of Oracle E-Business Suite in enterprise operations—handling ERP, HR, and financial data—successful attacks could have significant operational and financial consequences.
Organizations should apply Oracle’s Security Alert patch immediately; note that Oracle lists the October 2023 Critical Patch Update as a prerequisite, so systems that have fallen behind on quarterly CPUs must be brought current first. External network access to E-Business Suite, and in particular to its administrative and BI Publisher functions, should be tightly restricted. Logging and alerting should cover unusual BI Publisher activity and concurrent requests that were not submitted through normal channels.
CVE-2025-41244
CVE-2025-41244 is a high-severity local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools (including open-vm-tools on Linux guests). The issue arises when a virtual machine running VMware Tools is monitored by Aria Operations with the Service Discovery Management Pack (SDMP) feature enabled. In that configuration the service discovery component, which runs as root inside the guest, locates running services using an overly broad path match and executes the binaries it finds; according to NVISO’s public analysis of the flaw, a local, non-administrative user can place a binary with a matching name in a world-writable location such as /tmp and have it executed as root on the same virtual machine.
This flaw is particularly concerning in enterprise environments where SDMP is widely enabled for monitoring and telemetry collection across many virtual machines. Because exploitation requires only local access, it is a natural post-compromise step within a larger intrusion: any foothold as an unprivileged user on a monitored guest becomes root. Once elevated, an attacker could modify system configurations, install persistent malware, or pivot to adjacent hosts within the virtual infrastructure.
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting the complete system takeover available once local access is gained. While exploitation requires an initial foothold, the attack complexity is low and the resulting control is total. NVISO, which discovered and reported the flaw, observed in-the-wild exploitation dating back to mid-October 2024, and reports from multiple outlets, including The Hacker News and SecurityWeek, attribute that activity to the Chinese state-linked threat actor UNC5174 in targeted attacks against organizations in North America and Europe.
CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities (KEV) catalog on October 31, 2025, urging all organizations using VMware Aria Operations to apply the available patches or disable SDMP until updates are deployed. Broadcom, which now owns VMware, faced criticism for not disclosing active exploitation in its advisory despite the flaw having been exploited for roughly a year before the fix, delaying defensive action for many enterprises.
Administrators should verify both sides of the deployment: the Aria Operations version and the VMware Tools or open-vm-tools build on every monitored guest. Broadcom shipped fixes for Aria Operations and VMware Tools, and Linux distributions carry the corresponding open-vm-tools fix, so guest agents must be updated fleet-wide rather than only the management server. Prioritize high-value systems, enable logging that captures privilege escalation events and anomalous Aria Operations activity, and isolate management VMs from general workloads to limit lateral movement following a successful exploit.
CVE-2025-6205
CVE-2025-6205 is a critical missing authorization vulnerability affecting Dassault Systèmes’ DELMIA Apriso manufacturing execution platform from Release 2020 through Release 2025. The flaw allows a remote attacker to gain privileged access to the application without prior authentication. An attacker can therefore take administrative control of the system, manipulate production processes, access sensitive manufacturing data, or disrupt connected industrial operations.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on October 28, 2025, alongside the related Apriso code-injection flaw CVE-2025-6204, after evidence of active exploitation against manufacturing and industrial automation organizations. The two are reported to have been chained, with CVE-2025-6205 supplying privileged access and CVE-2025-6204 turning that access into code execution on the Apriso server. Because the weakness is a missing authorization check, exploitation requires no user interaction and is triggered directly over the network via HTTP requests.
With a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), the vulnerability poses a severe threat to data confidentiality and system integrity. The A:N rating describes the flaw’s direct technical impact, not attacker intent: an attacker holding administrative access to a manufacturing execution system can still halt or corrupt production through the legitimate functions that access exposes. An EPSS likelihood of 0.42044 indicates sustained attacker interest.
SecurityWeek and The Hacker News have covered the exploitation activity. The primary concern for defenders is DELMIA Apriso’s integration with ERP and supply chain systems: a compromised instance is both a pivot point into the wider enterprise network and a source of manufacturing intellectual property for exfiltration.
Organizations using affected versions should immediately apply the latest vendor patches or follow CISA’s mitigation guidance if immediate patching is not feasible. Network segmentation between operational technology (OT) and IT systems, alongside close monitoring of HTTP traffic targeting Apriso management interfaces, can help reduce exposure. Unusual administrative activity, particularly involving configuration or workflow changes, may indicate ongoing compromise attempts.
CVE-2025-24893
CVE-2025-24893 is a critical remote code execution vulnerability in XWiki Platform, an open-source enterprise wiki and application development framework. The flaw lies in the Main.SolrSearchMacros page behind the search feature: the user-supplied search string was rendered as XWiki wiki syntax when the RSS feed was generated, so wiki macros embedded in that string, including the {{groovy}} script macro, were executed server-side. An unauthenticated attacker can therefore execute arbitrary Groovy code on the affected instance by sending a single crafted HTTP request to the /xwiki/bin/get/Main/SolrSearch endpoint.
The vulnerability impacts every XWiki installation whose guest users can reach the SolrSearch page, which is the default configuration, and gives the attacker control over the confidentiality, integrity, and availability of the entire instance. No prior access or complex technique is required: the Groovy code travels in the request’s query string. The public proof of concept simply prints an arithmetic result; if the RSS response contains the string “Hello from search text:42”, the instance has executed attacker-supplied code and is vulnerable.
This issue affects XWiki versions prior to 15.10.11, 16.4.1, and 16.5.0RC1. The fix changes the rawResponse macro in Main.SolrSearchMacros so that the feed is emitted with a content type of application/xml instead of being rendered as wiki syntax, which stops macros in the search string from being interpreted.
The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates near-total compromise potential with low attack complexity and no authentication required. Its Exploit Prediction Scoring System (EPSS) rating of 0.94117 is among the highest in the catalog, signifying widespread attacker interest and active exploitation.
CISA added CVE-2025-24893 to the Known Exploited Vulnerabilities (KEV) catalog on October 31, 2025, following reports of real-world exploitation. Threat intelligence sources, including The Hacker News and Security Affairs, revealed that attackers have hijacked vulnerable XWiki servers to deploy cryptocurrency mining malware and establish persistent backdoors. Since the flaw is reachable without authentication, compromised XWiki instances can also be leveraged for lateral movement across networks or for hosting malicious payloads disguised as legitimate documentation pages.
Administrators should update to a patched version immediately or, as an interim measure, apply the upstream workaround of editing Main.SolrSearchMacros (SolrSearchMacros.xml) to match the fixed rawResponse macro, and restrict anonymous access to /xwiki/bin/get/Main/SolrSearch. For detection, review web server access logs for requests to that endpoint whose query string carries wiki macro syntax (the {{groovy}} marker in particular), and investigate unexplained CPU load or unexpected child processes of the XWiki Java process, both consistent with the cryptomining payloads reported so far.
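The log review described above, as an added example written for this page rather than code from XWiki or from the original article: it parses web server access logs in the Apache/nginx "combined" format (an assumption), URL-decodes each query parameter up to two times so double-encoded payloads are not missed, and flags any request to the SolrSearch endpoint whose parameters contain a wiki script-macro opener. The public proof of concept puts the payload in a parameter named text, but every parameter is inspected so the name does not matter; the macro list goes beyond {{groovy}} to the other XWiki script macros, and the path check also accepts a wiki deployed at / rather than /xwiki, both generalisations added here. The sample log lines are constructed.

```python
"""Hunt web-server access logs for CVE-2025-24893 probes against XWiki's SolrSearch endpoint.

Assumptions of this example (not taken from the original article): logs are in the Apache/nginx
"combined" format, and the search string arrives in the query string (the public proof of concept
uses a parameter named text; every parameter is inspected so the name does not matter).
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: only the client IP, timestamp, request target and status are extracted.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Wiki-syntax macro openers that a legitimate search term never contains. {{groovy is the macro the
# reported exploitation used; the remaining script macros are a generalisation added by this example.
SCRIPT_MACROS = ("{{groovy", "{{async", "{{velocity", "{{python", "{{script")


def fully_decode(value, rounds=2):
    """Undo up to `rounds` layers of URL encoding (parse_qsl already removed one), so that a
    double-encoded payload such as %257B%257Bgroovy still resolves to {{groovy."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_solrsearch_path(path):
    """/xwiki is the default context path; an instance deployed at / serves /bin/get/Main/SolrSearch."""
    return path.lower().endswith("/bin/get/main/solrsearch")


def find_macros(target):
    """Return the script-macro openers present in any query parameter of a SolrSearch request target."""
    parts = urlsplit(target)
    if not is_solrsearch_path(parts.path):
        return []
    found = []
    for _, raw_value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(raw_value).lower()
        for marker in SCRIPT_MACROS:
            if marker in decoded and marker not in found:
                found.append(marker)
    return found


def scan_log(log_text):
    """Return one hit per request that reaches SolrSearch with wiki script-macro syntax in its query."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        macros = find_macros(match["target"])
        if macros:
            hits.append({"ip": match["ip"], "ts": match["ts"],
                         "status": int(match["status"]), "macros": macros})
    return hits


# Constructed sample log: one benign search, a single-encoded and a double-encoded groovy probe, a
# groovy marker against an unrelated page (not flagged), and a velocity probe on a root-deployed wiki.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2025:09:12:01 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=deployment+guide HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [31/Oct/2025:09:12:44 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22probe%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 912 "-" "python-requests/2.32"
198.51.100.23 - - [31/Oct/2025:09:13:02 +0000] "GET /xwiki/bin/get/Main/SolrSearch?media=rss&text=%257B%257Bgroovy%257D%257Dprintln%25281%2529%257B%257B%252Fgroovy%257D%257D HTTP/1.1" 200 915 "-" "curl/8.5.0"
192.0.2.44 - - [31/Oct/2025:09:14:10 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?text=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.80 - - [31/Oct/2025:09:15:30 +0000] "GET /bin/get/Main/SolrSearch?text=%7B%7Bvelocity%7D%7D%24services.query HTTP/1.1" 200 901 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} macros={','.join(hit['macros'])}")
```

Run against the sample, the script reports three hits (the two groovy probes and the velocity probe) and ignores both the benign search and the groovy marker sent to a page other than SolrSearch. A 200 status on a flagged request does not by itself prove success, since the vulnerable page also returns 200 for harmless searches; the response body, or the "Hello from search text:42" style marker described above, is what confirms execution. Feed real logs in with scan_log(open(path).read()).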
How Can Netizen Help?
Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service” offering, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

