Welcome to another edition of VulnCheck’s monthly research highlights. This past month saw in-the-wild exploitation of plenty of new vulnerabilities, including several that alarmed global incident response teams. A good chunk of new Known Exploited Vulnerabilities (KEVs) come from VulnCheck Canaries, which are live, vulnerable production systems that identify real-world exploitation firsthand. Finally, VulnCheck’s CNA team hit a major milestone that has long-term benefits for the security community. Want more? Read VulnCheck’s October Research Highlights here.
Latest Emerging Threats
The top story among late-October emerging threats is likely CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) caused by deserialization of untrusted data. The vulnerability was patched in an out-of-band update on October 23 after its original Patch Tuesday fix was, apparently, incomplete. Proof-of-concept exploit code has been available since October 17, and a variety of firms have reported ongoing exploitation in the wild. VulnCheck researchers spotted between 2,500 and 6,000 WSUS servers exposed to the public internet.
Other vulnerabilities VulnCheck’s research team is watching include:
- CVE-2025-11371: Gladinet CentreStack and TrioFox unauthenticated local file inclusion, exploited since October 9
- CVE-2025-54236: Adobe Commerce and Magento improper input validation, exploited since October 21
- CVE-2025-49844: Redis use-after-free, PoC available; our research team assesses this vulnerability is unlikely to be used at scale, but exploit code availability increases the chances of seeing exploit attempts in the wild
New VulnCheck KEVs
The VulnCheck team added 95 new vulnerabilities to VulnCheck KEV in October 2025, the vast majority of which (80 CVEs) were not yet on CISA KEV as the month ended. CISA added 31 CVEs to CISA KEV in October, 21 of which had been previously incorporated into VulnCheck KEV (e.g., Adobe Experience Manager CVE-2025-54253, which was added to VulnCheck KEV in August).

Following the mid-October rollout of VulnCheck Canaries, canary-observed exploit activity resulted in 25 new VulnCheck KEVs, 22 of which had no prior publicly reported exploitation evidence. As of November 3, VulnCheck Canary Intelligence includes in-the-wild detections of more than 220 CVEs, just over half of which (113) are on CISA KEV. More than 40 of the CVEs observed in the wild are known to be exploited by ransomware groups. Read more Canary stats here.
Want alerts about known exploited vulnerabilities earlier in the exploit lifecycle? VulnCheck KEV is free!
VulnCheck-Observed Canary Exploitation
In February 2025, VulnCheck’s Initial Access Intelligence team shipped an exploit for a code injection flaw in XWiki, an open-source alternative to enterprise knowledge-sharing platforms like Atlassian Confluence. At the time, the team wrote about CVE-2025-24893: “We expect this to be exploited in the wild in the future due to ease of exploitation and number of targets online.”

As expected, CVE-2025-24893 was added to VulnCheck KEV in Q1 of this year, and that was that — or not, as it turns out. A few weeks ago, VulnCheck Canaries began detecting a two-stage attack originating from Vietnam that dropped a coinminer on victim systems. FOFA still shows more than 6,000 XWiki installations on the public internet. CVE-2025-24893 was added to CISA KEV on October 30, 2025. Read more about XWiki exploitation, including payload analysis and IOCs, from VulnCheck CTO Jacob Baines.
VulnCheck Canaries also unearthed exploitation of another notable issue in October: An unauthenticated command injection vulnerability in call center software ICTBroadcast, tracked as CVE-2025-2611. The vulnerability, which had no prior evidence of exploitation in the wild, was leveraged in a two-phase attack that attempted to establish a reverse shell on victim systems. VulnCheck Canaries are still detecting regular exploit attempts for CVE-2025-2611, which at time of writing is not yet on CISA KEV. Details and IOCs are here.
Other notable CVEs VulnCheck Canaries have observed in the wild since mid-October:
- CVE-2024-6235: Citrix NetScaler Console sensitive information disclosure
- CVE-2023-34124: SonicWall GMS and Analytics Web Services authentication bypass
- CVE-2024-23917: JetBrains TeamCity authentication bypass
- CVE-2024-20419: Cisco Smart Software Manager unverified password change
VulnCheck CNA: CVEs for the CVE Gods
As a high-volume research CNA (CVE Numbering Authority), VulnCheck assigned 162 new CVEs in October for vulnerabilities lacking CVE identifiers, including 13 vulnerabilities with exploitation evidence.

VulnCheck CNA assigns CVEs for vulnerabilities discovered across a variety of audit and exploit research projects. October’s breakdown:
- Nagios vulnerability audit: 97 CVEs
- Reported to VulnCheck by security researchers: 42 CVEs
- Detected by VulnCheck Canaries: 10 CVEs
- Other exploitation research: 13 CVEs
VulnCheck has roughly a dozen coordinated vulnerability disclosure (CVD) projects in flight at any given time for vulnerabilities reported to us by third-party researchers. Our team has disclosed a number of neat finds from the research community over the past month, including:
- 8 mixed severity issues, including several critical vulnerabilities, in Ilevia EVE X1 Server 4.7.18.0.eden discovered by Gjoko Krstic of Zero Science Lab
- 18 separate high- and medium-severity issues in IPFire < 2.29 discovered by Alex Williams of Pellera Technologies (e.g., CVE-2025-34311)
- CVE-2025-34226: OpenPLC Runtime input validation vulnerability leading to persistent DoS discovered by Eyodav (Mike G.A.)
Have a vulnerability you’re looking to disclose? Report it to VulnCheck and we’ll handle disclosure coordination and CVE assignment on your behalf!
About VulnCheck
The VulnCheck research team is always on the lookout for new attack vectors and fresh vulnerability intelligence. For more research like this, see State of Exploitation: A Look Into 1H 2025 Vulnerability Exploitation and Threat Activity, VulnCheck Research Highlights: October 2025, and Still Up, Still Evil: A Look at Attacker Infrastructure Longevity.
