Welcome to VulnCheck’s NEW monthly research round-up! Our vulnerability intelligence, initial access intelligence, and CVE Numbering Authority (CNA) teams collectively evaluate and produce thousands of pieces of vulnerability and exploit intelligence a month. In the background, we’re also enhancing VulnCheck’s core products and shipping new features for community resources like go-exploit, our open-source exploit framework.
Staying on top of new vulnerabilities and threats is a Sisyphean task with increasingly high costs to teams and organizations. VulnCheck is committed to empowering the broader security community with best-in-class vulnerability and exploit data that’s well-vetted, machine-readable, and integration-ready out of the box. For more about us, visit vulncheck.com.
The Stuff You Couldn’t Miss: Recent Emerging Threats
It’s easy for vulnerability news cycles to over-focus on zero-day flaws, but the past six weeks or so have seen some real bangers. If you’re a vulnerability responder who’s attuned to big swaths of enterprise software, you have our sympathy and respect for the last month and a half.
Recent Zero-Day Vulnerabilities
Behold — a whole lot of classic initial access and extortion targets in one table, all exploited as zero-day and disclosed between the end of August and first few days of October. These weren’t the only 0days that hit the scene in September, but they were arguably the most impactful at scale.
| Vulnerability | Impact | CVSS-B | Threat Actors | Public PoC |
|---|---|---|---|---|
| CVE-2025-7775: Citrix NetScaler memory overflow | RCE | 9.2 | Unattributed | No |
| CVE-2025-20352: Cisco IOS and IOS XE stack-based buffer overflow | RCE | 7.7 | Unattributed | No |
| CVE-2025-20333: Cisco ASA and FTD classic buffer overflow | RCE | 9.9 | UAT4356 (ArcaneDoor) | Partial |
| CVE-2025-20362: Cisco ASA and FTD missing authorization | Auth bypass | 6.5 | UAT4356 (ArcaneDoor) | Yes |
| CVE-2025-10035: Fortra GoAnywhere MFT command injection | RCE | 10 | Storm-1175 | Partial |
| CVE-2025-61882: Oracle E-Business Suite remote code execution | RCE | 9.8 | Graceful Spider, Cl0p | Yes |
The top four vulnerabilities in the table above are thus far only known to be exploited in a limited fashion by adversaries. The last two are a different story. Exact details are still murky on CVE-2025-10035, a CVSS-10 vulnerability in Fortra’s GoAnywhere MFT file transfer software; VulnCheck and two other research teams came to similar conclusions upon analyzing it: exploitation didn’t appear to be possible without access to a private key. Initially, VulnCheck’s research team thought it was possible that a weird internal developer bug of some sort had accidentally been disclosed with a max-severity score (it happens!); then reports of zero-day exploitation started surfacing from sources who weren’t the vendor — one of which included ransomware deployment.
Finally, as September came to a close, Oracle customers began reporting extortion emails claiming to be from Cl0p (or Clop), a financially motivated threat group well-known for using complex exploit chains to access and exfiltrate large volumes of data from victim systems. Cl0p confirmed their involvement in a campaign they implied made use of one or more zero-day vulnerabilities; then, in a groan-inducing turn that many enterprise organizations probably wish they could have ignored, a rival threat group released the full exploit that Cl0p appears to have deployed in a large-scale attack dating back at least two months. The exploit leverages CVE-2025-61882, a net-new zero-day vulnerability in Oracle E-Business Suite (EBS) that comprises at least four or five different weaknesses rather than being a single issue. Mass exploitation is now being reported.
All of the CVEs above are on VulnCheck’s Known Exploited Vulnerabilities (KEV) list.
Notable VulnCheck KEV Additions
Speaking of KEV! VulnCheck KEV added 54 vulnerabilities in September 2025 after evidence of exploitation was published for the first time. Roughly 78% of these (42 CVEs) weren’t yet on CISA KEV as of October 2, 2025. We also incorporated an additional 47 CVEs into VulnCheck KEV based on historical evidence we discovered while researching older exploits and data sources.
CISA added 16 CVEs to CISA KEV in September. Of these, 11 were added to VulnCheck KEV at least a day ahead of CISA KEV inclusion. Want alerts about known exploited vulnerabilities earlier in the exploit lifecycle? VulnCheck KEV is free and open to the security community.
While September was a busy month for emerging threats, read on for a few of our favorite recent KEV stories.
TP-Link CVE-2023-50224 and CVE-2025-9377: After discussing TP-Link security over lunch with Tom Lawrence, VulnCheck researcher Patrick Garrity started looking at old TP-Link advisories. In the process, he stumbled across historical exploitation evidence that tied two TP-Link vulnerabilities to the 7777 botnet — one of which (CVE-2023-50224) we added to VulnCheck KEV on August 21. The other vulnerability had no CVE when VulnCheck reviewed the evidence, but was assigned CVE-2025-9377 several days later. TP-Link updated their advisory, and both CVEs were added to CISA KEV on September 3. It’s unclear if that was a lucky coincidence or if VulnCheck’s KEV addition triggered new CISA and vendor awareness of vulnerabilities that were previously overlooked. Ed: Patrick’s bet is on the latter!
Sitecore CVE-2025-53690: On the surface, this is a deserialization vulnerability in Sitecore XM, XP, XC, and Managed Cloud deployments. Under the covers, it turns out that old (2017) Sitecore docs included a sample machine key for learning purposes, some Sitecore customers chose to use that key in production, and threat actors found out and exploited it. Mandiant has a write-up noting that despite the wildly insecure customer configuration choice, the unattributed threat actors had “deep understanding” of the compromised product.
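The Sitecore case comes down to a static ASP.NET `<machineKey>` copied from public documentation into production. As an added example (not VulnCheck’s, Sitecore’s, or Mandiant’s code), the audit below parses a `web.config` and flags a `machineKey` whose `validationKey` or `decryptionKey` matches a list of known-published sample keys; the key values in `KNOWN_SAMPLE_KEYS` and the sample config are constructed placeholders, not the real documented key.

```python
"""Audit an ASP.NET web.config for a <machineKey> that reuses a published
sample key. Added example; key values below are constructed placeholders."""
import xml.etree.ElementTree as ET

# Constructed placeholders standing in for keys lifted from public docs.
# A real deployment would populate this from the keys its vendor has published.
KNOWN_SAMPLE_KEYS = {
    "0123456789ABCDEF" * 8,   # placeholder validationKey (128 hex chars)
    "FEDCBA9876543210" * 4,   # placeholder decryptionKey (64 hex chars)
}


def audit_machine_key(config_xml):
    """Return a list of findings for <system.web><machineKey>; empty if clean.

    config_xml is the web.config content as str or bytes (pass bytes if the
    file carries an XML encoding declaration).
    """
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return findings  # no static key: ASP.NET auto-generates per machine
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue  # auto-generated keys are not shared with anyone
        if value.upper() in KNOWN_SAMPLE_KEYS:
            # Anyone holding this key can sign/encrypt ViewState as the server.
            findings.append(f"{attr} matches a published sample key")
    return findings


# Constructed sample config that reuses the placeholder "documentation" keys.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{v}" decryptionKey="{d}" validation="HMACSHA256" />
  </system.web>
</configuration>""".format(v="0123456789ABCDEF" * 8, d="FEDCBA9876543210" * 4)

if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against each site’s `web.config`; any finding means the key must be regenerated and every ViewState-bearing session treated as potentially forged.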
Other notable additions include Cisco Small Business router CVE-2022-20705 and Shenzhen Aitemi M300 CVE-2025-34152, both of which had botnet activity observed in recent weeks and have exploits available for VulnCheck initial access intelligence customers.
Initial access intelligence and go-exploit highlights
VulnCheck’s Initial Access Intelligence team creates exploits, detections, queries, and more for vulnerabilities that can be used as initial access vectors. The team covered 25+ new CVEs over the past month, most of which include PCAPs, network rules, and ASM search engine queries for initial access customers.
In addition to signature and PCAP coverage for recent threats like Cisco ASA and Oracle EBS, our research team snuck in some interesting post-auth exploits in September. Those include:
- Original post-auth exploits for N-able N-central CVE-2025-8875 and CVE-2025-8876, both of which were added to CISA KEV as zero-days in August but had virtually no other information available. N-central is a remote monitoring and management (RMM) platform, a technology category that attackers are fond of abusing. Nearly two months post-disclosure, both FOFA and ZoomEye still show a few thousand internet-exposed instances of N-central, mostly in North America.
- A weaponized exploit for CVE-2025-58443 in FOG open-source cloning and inventory management software, which has a small internet footprint but is more often used internally for labs and other shared systems. The team’s exploit allows for unauthenticated database recovery and password hash access; the “shared system” deployment pattern also means that theoretically, there’s potential for wormability. CVE-2025-58443 isn't known to be exploited in the wild yet, but proof-of-concept exploit code is publicly available.
Other more traditional initial access exploit coverage was also released in September for FreePBX, Burk Technology ARC Solo ICS devices, generative AI platform Flowise, LibreNMS, and a quartet of Fortinet FortiSIEM command injection vulnerabilities, to name just a few. Customers interested in the Cisco ASA and ASDM ecosystem might also be interested in a recent exploit the team added for Cisco ASDM CVE-2021-1585, a well-known RCE vulnerability still present in the latest version of the ASDM launcher.
Want to follow along with initial access exploits and vulnerabilities? Check out the team’s weekly threat-oriented release notes or learn more here.
VulnCheck CNA: Issuing CVEs to Surface Hidden Risk
As one of the CVE world’s major research CNAs, VulnCheck assigned 60 new CVEs in September for vulnerabilities that were either reported to us by third-party researchers or discovered in our team’s analysis of exploited, weaponized, or otherwise-public vulnerabilities without CVE identifiers.
Of those 60 new CVE assignments:
- 55 came through external security researchers who engaged VulnCheck CNA’s “Report a Vulnerability” service that conducts coordinated vulnerability disclosure (CVD) outreach with vendors on behalf of researchers.
- 15 were issues with public exploit code but no known CVE identifier (some of these also came from external researcher observations, hence the overlap).
- Two vulnerabilities (CVE-2022-4980 and CVE-2024-13990) had exploitation evidence from 2022 and 2024, respectively — but did not have CVEs.
VulnCheck has dozens of coordinated vulnerability disclosure (CVD) projects in flight at any given time for vulnerabilities reported to us by community researchers. Recent community research disclosures reported through VulnCheck CNA have included multiple vulnerabilities in Netgate pfSense (via Alex Williams of Pellera Technologies) and a slew of Vasion Print (formerly PrinterLogic) CVEs as a result of a beast-mode research report by Pierre Barre. You can see all VulnCheck vulnerability advisories here.
Have a vulnerability you’re looking to disclose? Report it to VulnCheck and we’ll handle disclosure coordination on your behalf! You get the credit, we do the software supplier outreach. Huge thanks to the research community for their help and input on vendor coordination and timely CVE assignment!
About VulnCheck
The VulnCheck research team is always on the lookout for new attack vectors and notable attacker behavior. For more research like this, see State of Exploitation: A Look Into 1H 2025 Vulnerability Exploitation and Threat Activity and Still Up, Still Evil: A Look at Attacker Infrastructure Longevity.
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.