Vulnerability Review – June 2025
This blog recaps the most critical vulnerabilities disclosed between 01 June and 25 June 2025 that are most likely to impact software used by managed service providers (MSPs). Not every MSP uses the software discussed here, but Blackpoint’s APG has labeled it priority software because of the number of MSPs and organizations that depend on it.
Key Findings
- There were more than 4,300 vulnerabilities disclosed between 01 June and 26 June 2025, with more than 2,300 of them scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
- Several of these have been actively exploited, and 19 were added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, which indicates reliable reports of active exploitation.
- Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.
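As an added example (not part of the original review), the following Python cross-references the CVEs discussed in this review against a CISA KEV feed, lists which were added in a date window, and orders the matches by CISA remediation due date. The feed text is constructed here in the shape of CISA’s known_exploited_vulnerabilities.json; its two entries and their dateAdded/dueDate values are assumptions for illustration and should be checked against the live catalog.

```python
"""Cross-reference this review's CVEs against a CISA KEV feed (added example)."""
import json
from datetime import date
from typing import Dict, List

# CVEs named in this review (Veeam, HPE StoreOnce, Citrix, Tenable, GitLab, Cisco, Roundcube).
WATCHLIST = [
    "CVE-2025-23121", "CVE-2025-24286", "CVE-2025-24287",
    "CVE-2025-37089", "CVE-2025-37090", "CVE-2025-37091", "CVE-2025-37092",
    "CVE-2025-37093", "CVE-2025-37094", "CVE-2025-37095", "CVE-2025-37096",
    "CVE-2025-5777", "CVE-2025-6543",
    "CVE-2025-36631", "CVE-2025-36632", "CVE-2025-36633",
    "CVE-2025-4278", "CVE-2025-2254", "CVE-2025-5121",
    "CVE-2025-20129",
    "CVE-2025-49113",
]

# Constructed stand-in for CISA's known_exploited_vulnerabilities.json (same field names).
# The dateAdded/dueDate values are assumptions for illustration; confirm against the live feed.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-49113",
            "vendorProject": "Roundcube",
            "product": "Webmail",
            "vulnerabilityName": "Roundcube Webmail Deserialization Vulnerability",
            "dateAdded": "2025-06-02",
            "dueDate": "2025-06-23",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2025-6543",
            "vendorProject": "Citrix",
            "product": "NetScaler ADC and Gateway",
            "vulnerabilityName": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",
            "dateAdded": "2025-06-30",
            "dueDate": "2025-07-21",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})


def load_kev(feed_text: str) -> Dict[str, dict]:
    """Index a KEV feed by CVE ID."""
    return {e["cveID"]: e for e in json.loads(feed_text)["vulnerabilities"]}


def added_between(kev: Dict[str, dict], start: date, end: date) -> List[str]:
    """CVE IDs whose dateAdded falls in [start, end] (inclusive)."""
    return sorted(
        cve for cve, e in kev.items()
        if start <= date.fromisoformat(e["dateAdded"]) <= end
    )


def triage(kev: Dict[str, dict], watchlist: List[str], today: date) -> List[dict]:
    """Watchlist CVEs that are in KEV, most urgent first.

    A negative daysUntilDue means CISA's remediation due date has already passed;
    ties are broken so that entries tied to known ransomware use come first.
    """
    rows = []
    for cve in watchlist:
        e = kev.get(cve)
        if e is None:
            continue
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": cve,
            "dateAdded": e["dateAdded"],
            "dueDate": e["dueDate"],
            "daysUntilDue": (due - today).days,
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
        })
    rows.sort(key=lambda r: (r["daysUntilDue"], not r["ransomware"]))
    return rows


def not_in_kev(kev: Dict[str, dict], watchlist: List[str]) -> List[str]:
    """Watchlist CVEs with no KEV entry: no CISA record, which is not proof of non-exploitation."""
    return [cve for cve in watchlist if cve not in kev]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_FEED)
    print("added 01-26 June:", added_between(kev, date(2025, 6, 1), date(2025, 6, 26)))
    for row in triage(kev, WATCHLIST, date(2025, 6, 30)):
        print(row)
    print("not in KEV:", len(not_in_kev(kev, WATCHLIST)))
```

To run this against the real catalog, replace SAMPLE_KEV_FEED with the downloaded JSON; absence from KEV only means CISA has no confirmed exploitation record, so the CVEs the triage leaves out still need patching on their own severity.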
Vulnerabilities
Backup and Disaster Recovery (BDR) Solutions
Backup and Disaster Recovery (BDR) solutions are critical business software for MSPs: they ensure business continuity, support regulatory compliance, and serve as a last line of defense during incidents such as ransomware attacks. BDR platforms often centralize data across multiple clients, making them an attractive target for threat actors. A successful attack on a BDR solution could allow threat actors to delete or encrypt backups, exfiltrate sensitive client data, move laterally through the network, or launch devastating supply chain attacks.
Veeam Backup & Replication (VBR)
Veeam released an advisory warning of three vulnerabilities affecting Veeam Backup & Replication (VBR) and Veeam Agent for Microsoft Windows, including one critical flaw that could lead to remote code execution (RCE).
- CVE-2025-23121 (CVSS 9.9): A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. It reportedly only affects domain-joined backup servers, which is one more reason Veeam recommends keeping the backup server off the production domain.
- CVE-2025-24286 (CVSS 7.2): A vulnerability allowing an authenticated user with the Backup Operator role to modify backup jobs in a way that leads to arbitrary code execution.
- CVE-2025-24287 (CVSS 6.1): A vulnerability in Veeam Agent for Microsoft Windows allowing local system users to modify directory contents, leading to arbitrary code execution on the local system with elevated permissions.
Veeam’s products are used by more than 500,000 organizations worldwide, which gives threat actors a large attack surface. The ransomware groups Akira, Fog, and Frag have all been reported to target VBR instances over the previous 12 months.
HPE StoreOnce
HPE issued a security bulletin to warn about eight vulnerabilities impacting StoreOnce, its disk-based backup and deduplication solution.
- CVE-2025-37089: Remote Code Execution
- CVE-2025-37090: Server-Side Request Forgery
- CVE-2025-37091: Remote Code Execution
- CVE-2025-37092: Remote Code Execution
- CVE-2025-37093: Authentication Bypass
- CVE-2025-37094: Directory Traversal Arbitrary File Deletion
- CVE-2025-37095: Directory Traversal Information Disclosure
- CVE-2025-37096: Remote Code Execution
Chained together, these vulnerabilities could let an attacker bypass authentication and then execute arbitrary code, read or delete files on the appliance, and access or manipulate backup data. StoreOnce also integrates with backup software such as HPE Data Protector, Veeam, Commvault, and Veritas NetBackup, so a compromised appliance sits directly on the backup path of those products.
Network Edge Devices
Network edge devices – firewalls, routers, VPN gateways, etc. – are the critical gatekeepers between internal networks and the internet. These devices manage and filter traffic, enforce security policies, and often provide remote access, which makes them high-value targets for threat actors. Because edge devices operate with elevated privileges and are typically exposed to the internet, they are frequently compromised through vulnerabilities, exposed management interfaces, or misconfigurations.
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway
Citrix released an advisory warning of a critical vulnerability impacting NetScaler ADC and NetScaler Gateway.
CVE-2025-5777 (CVSS 9.3) is an insufficient input validation vulnerability that leads to a memory overread, widely referred to as “CitrixBleed 2”.
On June 17, 2025, the vulnerability was reported to impact the “NetScaler Management Interface”; however, on June 23, 2025, Citrix updated the advisory to remove this portion of the description. The vulnerability allows an unauthenticated attacker to read memory from a NetScaler configured as a Gateway or AAA virtual server, which is a common configuration in larger organizations.
Additionally, Citrix released a second advisory warning of another vulnerability impacting NetScaler ADC and Gateway, CVE-2025-6543 (CVSS 9.2). This is a memory overflow vulnerability that could result in unintended control flow and denial of service, and Citrix reported that exploitation on unmitigated appliances had been observed.
Vulnerability Management and Scanning
Vulnerability management and scanning tools are essential for organizations, including MSPs, because they provide visibility into client asset exposures, prioritize patching, and enable organizations to meet compliance requirements. Threat actors that successfully target this type of software can identify vulnerable systems, evade detection, steal credentials, and manipulate scan data.
Tenable Nessus
Tenable released an advisory warning of three high-severity vulnerabilities impacting the Tenable Nessus Agent that could be exploited by a local, low-privileged user to perform file operations and execute code with elevated privileges.
- CVE-2025-36631 (CVSS 8.4): An improper privilege management vulnerability that could allow a threat actor with low-privileged access to overwrite local system files.
- CVE-2025-36632 (CVSS 7.8): An arbitrary code execution vulnerability that could allow a threat actor to execute arbitrary code with SYSTEM privileges.
- CVE-2025-36633 (CVSS 8.8): An improper privilege management vulnerability that could allow a threat actor with low privileges to delete critical system files, causing instability or system failure, or to elevate their privileges.
Software Development/Code Repositories
Software development/code repositories are the environments developers use to create and maintain code and software. These products are considered priority software because they hold a business’s proprietary source code, configuration, and often credentials. Threat actors that successfully target this type of software can access highly sensitive data, harvest credentials, delete existing code, and contaminate code that is then delivered downstream as part of a supply chain attack.
GitLab Community Edition (CE)/Enterprise Edition (EE)
GitLab released updates for multiple high-severity vulnerabilities that could enable threat actors to take over accounts and inject malicious jobs into future pipelines. Three of the highest severity vulnerabilities include:
- CVE-2025-4278 is a HTML injection vulnerability that impacts GitLab CE/EE and could allow a successful threat actor to achieve account takeover by injecting code into the search page.
- CVE-2025-2254 is a cross-site scripting issue impacting GitLab CE/EE and could allow an attacker to act in the context of a legitimate user by injecting a malicious script into the snippet viewer.
- CVE-2025-5121 is a missing authorization issue impacting GitLab Ultimate EE that could allow an attacker with authenticated access to a GitLab instance with a GitLab Ultimate license applied (paid customer or trial) to inject a malicious CI/CD job into all future CI/CD pipelines of any project.
These vulnerabilities were patched in GitLab Community Edition (CE) and Enterprise Edition (EE) versions 18.0.2, 17.11.4, and 17.10.8; instances on older minor lines did not receive a backport and need to move to one of those releases.
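As an added example (not GitLab’s own code), the following Python decides whether a GitLab instance is on or above the fixed releases named above, including the case of an older minor line that never received a backport, which is treated as unpatched. The sample inventory and the sample API response are constructed; GET /api/v4/version is a real GitLab REST endpoint that returns the version string and requires an authenticated token.

```python
"""Decide whether a GitLab instance is on a patched release (added example, not GitLab code)."""
import json
import re
from typing import Dict, Tuple

# Fixed releases for the June 2025 advisories, as stated above.
FIXED_VERSIONS = ("18.0.2", "17.11.4", "17.10.8")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse MAJOR.MINOR.PATCH; edition suffixes such as '-ee' / '-ce' are ignored."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_patched(version: str, fixed=FIXED_VERSIONS) -> bool:
    """True if `version` includes the fixes.

    A version on a fixed minor line (17.10.x, 17.11.x, 18.0.x) is patched once it reaches
    that line's fixed patch level. A line newer than the newest fixed release (18.1+) is
    patched. Anything else (17.9 and older lines) received no backport and is treated as
    unpatched, which is the conservative answer for lines outside GitLab's backport window.
    """
    v = parse_version(version)
    fixed_parsed = sorted(parse_version(f) for f in fixed)
    for f in fixed_parsed:
        if v[:2] == f[:2]:
            return v[2] >= f[2]
    return v >= fixed_parsed[-1]


def check_version_response(body: str) -> Tuple[str, bool]:
    """Evaluate the JSON body returned by GET /api/v4/version (needs an authenticated token)."""
    version = json.loads(body)["version"]
    return version, is_patched(version)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map instance name -> patched? for an MSP-style inventory of client GitLab versions."""
    return {name: is_patched(ver) for name, ver in inventory.items()}


# Constructed sample data: a fake client inventory and a fake /api/v4/version response.
SAMPLE_INVENTORY = {
    "client-a": "18.0.2-ee",
    "client-b": "17.11.3-ee",
    "client-c": "17.10.8-ce",
    "client-d": "17.9.9-ce",
    "client-e": "18.1.0-ee",
}
SAMPLE_VERSION_RESPONSE = '{"version": "17.11.3-ee", "revision": "abcdef012345"}'


if __name__ == "__main__":
    for name, ok in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:10s} {SAMPLE_INVENTORY[name]:12s} {'patched' if ok else 'UNPATCHED'}")
    print(check_version_response(SAMPLE_VERSION_RESPONSE))
```

The version check only tells you the code is fixed; for CVE-2025-5121 in particular, also review recently modified CI/CD configuration and any instance-level or group-level CI/CD settings for jobs you do not recognize, since a malicious job injected before patching is not removed by the upgrade.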
Collaboration and Communication Tools
Collaboration and communication tools are essential for MSPs to manage their internal operations, coordinate with clients, and streamline service delivery. These tools often store sensitive conversations, documentation, credentials, and product data. A successful attack on a collaboration or communication tool could allow a threat actor to intercept communications, harvest sensitive data, hijack projects, or impersonate MSP staff to conduct phishing attacks.
Cisco Customer Collaboration Platform (CCP)
Cisco released patches for a vulnerability impacting the Customer Collaboration Platform (CCP). CVE-2025-20129 is an information disclosure vulnerability that could allow an unauthenticated, remote attacker to persuade users into disclosing sensitive information.
The vulnerability is reportedly due to improper sanitization of HTTP requests sent to the web-based chat interface. A successful exploit could allow the attacker to redirect chat traffic to a server under their control.
Roundcube Webmail
Roundcube released patches for CVE-2025-49113, a vulnerability present in roughly ten years of Roundcube Webmail releases; it is fixed in versions 1.6.11 and 1.5.10.
CVE-2025-49113 is a post-authentication RCE vulnerability caused by PHP object deserialization. Successful exploitation allows an authenticated threat actor to run arbitrary commands on the mail server, and CISA added the vulnerability to its KEV catalog in June 2025.
Roundcube Webmail is widely used in both the public and private sectors. Its open-source, customizable nature makes it a popular webmail solution, and it is often bundled by hosting providers.
Blackpoint’s APG Analysis
Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors, including both nation-state and financially motivated threat actors over the next 12 months.
DATE PUBLISHEDJune 30, 2025
AUTHORBlackpoint Cyber