CVE Updates (September 22 – 28, 2025)

Vuln Recap Editor, September 29, 2025

Here are the CVE updates for the week of September 22nd through the 28th.

🔴 Critical Severity Vulnerabilities

Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Buffer Overflow Vulnerability (CISA KEV) | CVE-2025-20333

Description:
A vulnerability in the VPN web server of Cisco ASA and Cisco FTD allows an authenticated remote attacker to execute arbitrary code. The flaw exists because the server does not properly validate user input in HTTP(S) requests. An attacker with valid VPN credentials can therefore send crafted requests that trigger code execution as root, which may result in complete device compromise.

Potential Impacts:

  • Remote Code Execution (RCE): Attackers with VPN credentials can run arbitrary commands as root.
  • Full Device Compromise: Successful exploitation results in full control of the firewall or threat defense appliance.
  • Persistence & Lateral Movement: Attackers could use the compromised device as a foothold to move across the protected network.
  • Data Exposure & Manipulation: Sensitive VPN and firewall configurations, credentials, and network traffic may be stolen or altered.
  • Service Disruption: Exploitation may also crash services or disrupt VPN and firewall operations.

Mitigation Recommendations:

  • Apply Cisco Patches: Upgrade to the latest fixed release as advised by Cisco.
  • Restrict VPN Access: Enforce MFA and limit VPN access to trusted users.
  • Network Segmentation: Isolate VPN web server interfaces from untrusted networks.
  • Input Validation Controls: Deploy WAFs or reverse proxies with strict sanitization in front of the VPN web server.
  • Monitor & Detect: Enable logging of VPN web activity and watch for anomalies.
  • Incident Response: If compromise is suspected, rebuild from trusted images, rotate secrets, and audit persistence mechanisms.

SSRF via Open Proxy in cors-anywhere Deployments | CVE-2020-36851

Description:
Deployments of cors-anywhere configured as open proxies are vulnerable to SSRF. Because they forward arbitrary requests and headers, attackers without authentication can abuse them. For example, they can encode the target resource in the request URL to reach internal services and metadata endpoints. Since many deployments also forward unsafe methods like PUT, the attack surface extends to IMDSv2 workflows and internal APIs.

Potential Impacts:

  • Cloud Credential Theft: Attackers can retrieve sensitive data, such as instance role credentials.
  • Unauthorized Access: Internal APIs and services not meant for public exposure become reachable.
  • Remote Code Execution / Privilege Escalation: If backend systems expose management endpoints, attackers may escalate privileges.
  • Data Exfiltration: Internal resources and data may be leaked through proxied requests.
  • Full Cloud Resource Compromise: With stolen role credentials, adversaries could gain complete control of cloud infrastructure.

Mitigation Recommendations:

  • Restrict Access: Require authentication or limit use of cors-anywhere to trusted origins.
  • Whitelist Targets: Explicitly allow only safe domains and block internal IP ranges.
  • Harden Proxy Behavior: Disable unsafe methods such as PUT and DELETE.
  • Apply Cloud Provider Protections: For example, enforce IMDSv2 tokens in AWS.
  • Network-Level Security: Deploy firewalls or WAFs to filter outbound requests.
  • Replace with Safer Tools: Finally, consider alternatives that support CORS securely.
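The "Restrict Access", "Whitelist Targets" and "Harden Proxy Behavior" recommendations above combined into one forwarding policy, as an added example written for this recap (it is not cors-anywhere's own code). The allow-listed hostnames are constructed; the blocked ranges are the standard loopback, RFC 1918, CGNAT, link-local and multicast blocks.

```javascript
// Added example, not cors-anywhere's own code: a forwarding policy for a CORS
// proxy that enforces a method allowlist, a host allowlist and a block on
// internal/metadata address ranges. Hostnames in ALLOWED_HOSTS are constructed.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.org']);
const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata.google.internal', 'metadata']);
// Ranges a proxy must never reach: "this" network, RFC 1918, CGNAT, loopback,
// link-local (which contains the 169.254.169.254 IMDS address) and multicast.
const BLOCKED_CIDRS = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 4],
];

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit integer, else null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True when the numeric address falls inside any blocked CIDR.
function isBlockedAddress(ip) {
  return BLOCKED_CIDRS.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0; // bits is 1..32 in the table
    return ((ip & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
  });
}

// Decide whether a proxied request may be forwarded. Only literal hosts are
// checked here: a deployment must also run isBlockedAddress() over every
// resolved A record before connecting, or a public allow-listed name could be
// rebound to an internal address (DNS rebinding).
function evaluateProxyRequest(method, targetUrl) {
  if (!ALLOWED_METHODS.has(method.toUpperCase())) return { allow: false, reason: 'method not permitted' };
  let url;
  try { url = new URL(targetUrl); } catch { return { allow: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { allow: false, reason: 'scheme not permitted' };
  const host = url.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  if (BLOCKED_HOSTNAMES.has(host) || host.includes(':')) return { allow: false, reason: 'local or IPv6 literal target' };
  const ip = parseIPv4(host);
  if (ip !== null && isBlockedAddress(ip)) return { allow: false, reason: 'internal address' };
  if (!ALLOWED_HOSTS.has(host)) return { allow: false, reason: 'host not in allowlist' };
  return { allow: true, reason: 'ok' };
}
```

Log every denied request with its reason: a burst of "internal address" denials is a useful detection signal that the proxy is being probed.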

Remote Code Execution in Cisco Firewall and IOS/IOS XE/IOS XR Web Services | CVE-2025-20363

Description:
A vulnerability in Cisco ASA, FTD, IOS, IOS XE, and IOS XR web services allows attackers to execute arbitrary code. In ASA and FTD, unauthenticated attackers can exploit the flaw. In IOS, IOS XE, and IOS XR, attackers with low-level privileges can also abuse it. By sending crafted HTTP requests and bypassing built-in mitigations, they can execute code as root, leading to full device compromise.

Potential Impacts:

  • Remote Code Execution (RCE): Attackers may run arbitrary commands as root.
  • Complete Device Compromise: Full control of firewalls, routers, or appliances could be obtained.
  • Denial of Service (DoS): Exploitation may crash or destabilize devices, disrupting critical services.
  • Information Disclosure: Sensitive configs, credentials, and system details may be revealed.
  • Lateral Movement: Moreover, attackers may use compromised devices to pivot across the network.
  • Network Manipulation: They could alter routing or firewall rules to intercept or redirect traffic.

Mitigation Recommendations:

  • Apply Vendor Patches: Upgrade affected systems to Cisco’s fixed versions.
  • Restrict Web Service Access: Limit HTTP/HTTPS management to trusted IPs or disable if not required.
  • Use Strong Authentication: Enforce MFA and RBAC for management logins.
  • Network Segmentation: Isolate management interfaces using VLANs or firewalls.
  • Monitor & Alert: Continuously log HTTP(S) access and alert on suspicious activity.
  • Temporary Workarounds: If no patch is available, disable web services and use CLI/SSH.
  • Post-Incident Response: If compromise is suspected, rotate credentials, rebuild from trusted firmware, and audit configs.

Code Injection in Gardener Extensions for Cloud Providers | CVE-2025-59823

Description:
Gardener Extensions for AWS (before 1.64.0), Azure (before 1.55.0), OpenStack (before 1.49.0), and GCP (before 1.46.0) contain a code injection flaw. Attackers with administrative access on a Gardener project can exploit this to compromise the seed cluster. Since the seed cluster manages shoot clusters, exploitation may cascade into broader infrastructure compromise.

Potential Impacts:

  • Seed Cluster Compromise: Attackers could gain full control of the seed cluster.
  • Remote Code Execution (RCE): Malicious code may run in the context of the seed cluster.
  • Data Breach: Consequently, sensitive Kubernetes secrets and workloads may be exposed.
  • Service Disruption: Provisioning and lifecycle management of shoot clusters may fail.
  • Lateral Movement: Moreover, attackers may pivot into tenant clusters and other environments.

Mitigation Recommendations:

  • Upgrade Immediately: Move to fixed versions: AWS 1.64.0, Azure 1.55.0, OpenStack 1.49.0, GCP 1.46.0.
  • Restrict Admin Privileges: Enforce least privilege and limit project-level admin rights.
  • Harden Access: Use strong authentication, RBAC, and segmentation for seed clusters.
  • Audit Terraformer Usage: Review whether Terraformer is enabled and disable it if it is not needed.
  • Monitor Activity: Continuously log provisioning activity and flag anomalies.
  • Post-Incident Response: If compromise is detected, rotate secrets, rebuild seed clusters, and conduct audits.

🟠 High Severity Vulnerabilities

Google Chromium V8 Type Confusion Vulnerability (CISA KEV) | CVE-2025-10585: A flaw in the V8 JavaScript engine in Google Chrome before 140.0.7339.185 allows remote attackers to corrupt memory through crafted HTML. Consequently, heap corruption may lead to remote code execution.

Buffer Overflow in Wavlink M86X3A_V240730 | CVE-2025-55847: A flaw in /cgi-bin/ExportAllSettings.cgi caused by improper validation of the Cookie header allows a buffer overflow. Remote attackers can therefore execute code or trigger a DoS.

Improper Access Control in Syrotech SY-GPON-2010-WADONT FTP Service | CVE-2025-10957: Default credentials and weak access controls allow attackers to connect via FTP without authentication. As a result, they gain unauthorized access to sensitive files.

🟡 Medium Severity Vulnerabilities

Cisco ASA and FTD Missing Authorization Vulnerability (CISA KEV) | CVE-2025-20362: Cisco VPN web servers allow unauthenticated attackers to access restricted endpoints. This occurs because of improper input validation. By sending crafted requests, attackers can bypass access controls.

Cross-Site Scripting (XSS) in IBM Storage TS4500 Library | CVE-2025-36239: Versions 1.11.0.0 and 2.11.0.0 allow XSS via injected JavaScript in the Web UI. Consequently, attackers may alter functionality or steal user credentials.

Cross-Site Scripting (XSS) in Changsha iView Editor | CVE-2025-10949: Versions up to 1.1.1 allow unsanitized Markdown input to execute JavaScript in victims’ browsers. Since no vendor fix exists, the risk remains.

Information Disclosure in Dell PowerScale OneFS | CVE-2025-36601: Versions 9.5.0.0 through 9.11.0.0 expose sensitive information to unauthenticated users. Consequently, attackers may leverage leaked details for further attacks.
