Vulnerability Review – October 2025
This blog is a recap of the most critical vulnerabilities disclosed between 01 October and 31 October 2025 that most likely impact software utilized by managed service providers (MSPs). While not all MSPs use the software discussed in this blog, Blackpoint’s APG has labeled it priority software based on the number of MSPs and organizations that rely on it.
Key Findings
- There were more than 4,200 vulnerabilities disclosed between 01 October and 31 October 2025, with more than 1,700 vulnerabilities being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
- Several have been actively exploited, and 31 were added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog during the month, indicating reliable reports of active exploitation.
- Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.
Vulnerabilities
Network Edge Devices
Network edge devices – firewalls, routers, VPN gateways, etc. – are the critical gatekeepers between internal networks and the internet. They manage and filter traffic, enforce security policies, and often provide remote access, which makes them high-value targets for threat actors. Because edge devices operate with elevated privileges and are typically exposed to the internet, they are frequently attacked through unpatched vulnerabilities, unnecessarily exposed services, or misconfigurations.
Fortinet FortiOS
On October 14, 2025, Fortinet disclosed a FortiOS vulnerability, CVE-2025-58325 (CVSS 6.7), that allows a privileged local user to bypass restricted command line interface (CLI) commands and execute arbitrary system actions. It affects FortiOS 7.6, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, 7.0.0 through 7.0.15, and all 6.4 versions.
This is not a “mass-exploitable” vulnerability: it requires existing admin-level access. Its value to an attacker is as a post-compromise step, turning a restricted administrative account into full control of the device, with the ability to alter network policies or establish persistence.
Backup and Disaster Recovery
Backup and Disaster Recovery (BDR) solutions are critical business software for MSPs: they ensure business continuity, support regulatory compliance, and serve as a last line of defense during incidents such as ransomware attacks. BDR platforms often centralize data across multiple clients, making them an attractive target for threat actors. A successful attack on a BDR solution could allow threat actors to delete or encrypt backups, exfiltrate sensitive client data, move laterally through the network, or launch supply chain attacks against downstream clients.
Veeam Backup & Replication
On October 14, 2025, Veeam announced patches for three vulnerabilities, including two that were scored as critical severity.
- CVE-2025-48983 (CVSS 9.9): Remote code execution (RCE) vulnerability in Veeam Backup & Replication version 12 (all builds up to 12.3.2.3617) that could allow an authenticated domain user to execute arbitrary code on backup infrastructure hosts.
- CVE-2025-48984 (CVSS 9.9): RCE vulnerability in Veeam Backup & Replication version 12 (all builds up to 12.3.2.3617) that could allow an authenticated domain user to execute arbitrary code on the backup server. Both require only a domain account, so domain-joined backup servers are the exposed population; Veeam’s long-standing guidance to keep the backup server out of the production domain limits who can meet that precondition.
The third vulnerability, CVE-2025-48982 (CVSS 7.3), impacts Veeam Agent for Microsoft Windows and allows local privilege escalation if a system administrator is tricked into restoring a malicious file. It impacts Veeam Agent for Microsoft Windows 6.3.2.1205 and all earlier version 6 builds.
Patch Management
Patch management solutions are high-value targets because they typically have privileged access to every managed endpoint and the authority to deploy code system-wide. A threat actor who compromises one can weaponize that trust channel to push malicious updates, disable security tooling, or move laterally across entire customer environments, turning a simple foothold into an organization-wide compromise.
Microsoft Windows Server Update Service (WSUS)
On October 23, 2025, Microsoft released out-of-band security updates to address a critical-severity Windows Server Update Services (WSUS) vulnerability that the October 14 Patch Tuesday release had not fully fixed.
- CVE-2025-59287 (CVSS 9.8) is a remote code execution (RCE) vulnerability in WSUS. Microsoft first addressed it in October Patch Tuesday; the out-of-band update supersedes that fix. CISA added the CVE to the KEV Catalog on October 24, 2025, after exploitation was observed in the wild.
The out-of-band update applies to Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2 Edition (Server Core installation), and 2025. Only servers with the WSUS Server Role enabled are affected. Microsoft’s interim workarounds are to disable the role or to block inbound TCP 8530 and 8531 at the host firewall; either stops clients from receiving updates through that server until it is patched.
The vulnerability is due to unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint. The encrypted cookie data is decrypted with AES-128-CBC and then handed to BinaryFormatter without type validation, so a crafted object graph is reconstructed and runs with SYSTEM privileges.
A remote, unauthenticated attacker therefore only needs to send a crafted request to an exposed WSUS server to trigger the deserialization.
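The flaw class above (rebuilding an object graph from attacker-controlled bytes with no restriction on which types the stream may name) is easiest to see in code. The following is an added Python analogue written for this review, not WSUS or Microsoft code: pickle stands in for BinaryFormatter, the AuthCookie class and both payloads are constructed, and the allow-listing Unpickler plays the role a SerializationBinder-style type check plays in .NET. Encryption is left out on purpose; as the WSUS case shows, decrypting the blob first does not make its contents trustworthy.

```python
"""Unsafe deserialization vs. type-restricted deserialization (Python analogue).

Illustrates the flaw class behind CVE-2025-59287: a service that accepts a
serialized object from the network and reconstructs it without checking
which types the stream is allowed to instantiate. Python's pickle is used
as a stand-in for .NET BinaryFormatter; the AuthCookie class and the two
payloads are constructed for this example and are not WSUS structures.
"""
import io
import os
import pickle
import sys
from dataclasses import dataclass


@dataclass
class AuthCookie:
    """Stand-in for the object the service legitimately expects to receive."""
    client_id: str
    expires: int


class Gadget:
    """Attacker-supplied object. __reduce__ tells the unpickler to call an
    arbitrary callable while loading; os.getcwd is a harmless stand-in for
    whatever an attacker would really invoke."""
    def __reduce__(self):
        return (os.getcwd, ())


def unsafe_loads(blob: bytes):
    """Vulnerable pattern: trusts every type named in the stream."""
    return pickle.loads(blob)


# Allow-list keyed on (module, qualified name): only the cookie type may be built.
ALLOWED_TYPES = {(AuthCookie.__module__, AuthCookie.__qualname__)}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: reject any type not on the allow-list *before* it is
    resolved, so no constructor or reducer of a foreign type ever runs."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return getattr(sys.modules[module], name)
        raise pickle.UnpicklingError(f"forbidden type in stream: {module}.{name}")


def safe_loads(blob: bytes) -> AuthCookie:
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, AuthCookie):  # second check on the finished object
        raise pickle.UnpicklingError(f"unexpected object type {type(obj).__name__}")
    return obj


def legit_payload() -> bytes:
    return pickle.dumps(AuthCookie(client_id="WS-01", expires=1_760_000_000), protocol=4)


def malicious_payload() -> bytes:
    return pickle.dumps(Gadget(), protocol=4)


def demo() -> dict:
    """Runs both loaders against both payloads and reports what happened."""
    results = {}
    results["unsafe_legit"] = isinstance(unsafe_loads(legit_payload()), AuthCookie)
    # The vulnerable loader executes the gadget: the "object" it hands back is
    # the return value of os.getcwd(), proof that attacker-chosen code ran.
    results["unsafe_gadget_ran"] = unsafe_loads(malicious_payload()) == os.getcwd()
    results["safe_legit"] = isinstance(safe_loads(legit_payload()), AuthCookie)
    try:
        safe_loads(malicious_payload())
        results["safe_blocked_gadget"] = False
    except pickle.UnpicklingError:
        results["safe_blocked_gadget"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:20s} {outcome}")
```

Running the script shows the vulnerable loader returning the result of os.getcwd() in place of a cookie, meaning attacker-chosen code ran during load, while the restricted loader rejects the same bytes before the type is resolved. The allow-list has to sit in type resolution; an isinstance check after loading is too late on its own, because by then every constructor and reducer in the stream has already executed.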
Enterprise Software
Enterprise software solutions are essential to business operations and are frequently targeted because of the level of access they hold and because compromising them lets a threat actor deploy malware, gain persistence, and move laterally through the compromised environment.
SAP NetWeaver
On October 14, 2025, SAP released their patch day updates and provided patches for 13 vulnerabilities, including a maximum severity vulnerability impacting SAP NetWeaver AS Java.
- CVE-2025-42944 (CVSS 10.0) is an insecure deserialization vulnerability in the RMI-P4 module of SAP NetWeaver AS Java that could allow an unauthenticated attacker to execute arbitrary operating system commands.
- SAP first addressed this vulnerability in its September 2025 patch day; the October update adds further safeguards against deserialization attacks on the same component.
- SAP also patched two other critical-severity vulnerabilities:
- CVE-2025-42937 (CVSS 9.8): Directory traversal vulnerability in SAP Print Service that could allow an unauthenticated attacker to traverse to the parent directory and overwrite system files.
- CVE-2025-42910 (CVSS 9.0): Unrestricted file upload vulnerability in SAP Supplier Relationship Management that could allow an attacker to upload arbitrary files.
File Sharing
File sharing software enables organizations to store files on a server and transfer them to a workstation, another user, or another server. MSPs frequently use it to provide secure remote access, collaboration, and data mobility across client environments. Threat actors target it because it concentrates access to sensitive information, can offer a path to elevate privileges, harvest credentials, and move laterally, and can be used to exfiltrate data for sale or extortion.
The best-known campaigns against this class of software have been run by the Clop ransomware operation, which has repeatedly exploited zero-day vulnerabilities in managed file transfer (MFT) products, including Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and Cleo, since at least 2020.
Gladinet CentreStack and TrioFox
On October 9, 2025, a zero-day vulnerability was reported in Gladinet CentreStack and TrioFox products, impacting all versions prior to 16.7.10368.56560.
- CVE-2025-11371 (CVSS 6.1) is an unauthenticated local file inclusion (LFI) vulnerability. It was added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog on November 4, 2025.
Gladinet released a patch on October 14, 2025. The CVSS score understates the practical impact: the LFI lets an attacker read Web.config and extract its secrets, such as the machineKey and stored credentials. With the machineKey, an attacker can forge a ViewState payload that carries a valid MAC, so it passes the integrity check that normally keeps untrusted ViewState from reaching deserialization.
That leaked key re-opens the previously disclosed ViewState deserialization vulnerability, CVE-2025-30406 (CVSS 9.0), whose fix depended on the machineKey no longer being known to attackers; chained, the two give a threat actor remote code execution.
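What an attacker gains from reading Web.config, and what a defender has to do about it, can be made concrete with a small audit. The script below is an added example written for this review, not Gladinet code, and it parses a constructed Web.config with placeholder keys and credentials rather than a real CentreStack or TrioFox configuration. It flags the two things the chain above depends on, a static machineKey and stored credentials, and pairs each with the follow-up action: after patching, rotate any secret an unauthenticated file read could have exposed, because patching the LFI does not un-leak a key that was already read.

```python
"""Audit an ASP.NET Web.config for the secrets a file-read bug would expose.

Added example (not Gladinet code): parses a constructed Web.config and
reports a static <machineKey>, weak ViewState MAC settings, and credentials
embedded in connection strings, each paired with the remediation action.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling an ASP.NET application config. The keys and
# the password are placeholders generated for this example, not real secrets.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Main"
         connectionString="Server=db01;Database=app;User Id=svc_app;Password=Pl4ceh0lder!;" />
  </connectionStrings>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="{vk}"
                decryptionKey="{dk}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
""".format(vk="0123456789ABCDEF" * 8, dk="FEDCBA9876543210" * 4)

# Same layout with the settings a hardened single-server deployment would use.
CLEAN_WEB_CONFIG = """<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

_PASSWORD = re.compile(r"(?i)\b(password|pwd)\s*=")
_USER = re.compile(r"(?i)\b(user id|uid|user)\s*=\s*([^;]+)")


def _local(tag: str) -> str:
    """Strip any XML namespace so element matching is stable."""
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text: str) -> dict:
    """Return findings and recommended actions for one Web.config."""
    root = ET.fromstring(xml_text)
    findings = {
        "machine_key_static": False,
        "machine_key_validation": None,
        "viewstate_mac_disabled": False,
        "exposed_credentials": [],   # (connection name, user) pairs
        "actions": [],
    }
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "machineKey":
            vk = el.get("validationKey", "AutoGenerate")
            dk = el.get("decryptionKey", "AutoGenerate")
            # Anything other than AutoGenerate* is a fixed key that an attacker
            # who read this file now holds and can use to forge ViewState.
            static = not (vk.startswith("AutoGenerate") and dk.startswith("AutoGenerate"))
            findings["machine_key_static"] = static
            # Assumed default for .NET 4.5+ targets when the attribute is absent.
            validation = el.get("validation", "HMACSHA256")
            findings["machine_key_validation"] = validation
            if static:
                findings["actions"].append(
                    "rotate machineKey: a static key is recoverable by anyone who read this file")
            if validation.upper() in {"MD5", "SHA1"}:
                findings["actions"].append(f"move ViewState validation from {validation} to HMACSHA256")
        elif tag == "pages" and el.get("enableViewStateMac", "true").lower() == "false":
            findings["viewstate_mac_disabled"] = True
            findings["actions"].append(
                "enableViewStateMac=false: any client can submit arbitrary ViewState; re-enable it")
        elif tag == "add" and el.get("connectionString"):
            cs = el.get("connectionString")
            if _PASSWORD.search(cs):
                user = _USER.search(cs)
                name = el.get("name", "?")
                findings["exposed_credentials"].append((name, user.group(2).strip() if user else "?"))
                findings["actions"].append(f"rotate the database credential used by connection '{name}'")
    return findings


def demo() -> dict:
    return {"sample": audit_web_config(SAMPLE_WEB_CONFIG),
            "clean": audit_web_config(CLEAN_WEB_CONFIG)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"== {label} ==")
        for action in findings["actions"] or ["no action required"]:
            print(f"  - {action}")
```

Run against the sample config the audit reports three actions (rotate the machineKey, move validation off SHA1, rotate the database credential); against the clean config it reports none. On a real host the same script would be pointed at the application's Web.config after patching, and every item it lists should be treated as already exposed if the server was reachable while vulnerable.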
Blackpoint’s APG Analysis
Blackpoint’s SOC continuously monitors for and responds to lateral movement and remote execution within customer environments, and Blackpoint has detections in place for the behaviors associated with the vulnerabilities detailed in this blog.
These vulnerabilities are attractive to threat actors of all types because of the level of access they grant, the ubiquity of the affected software and devices, and the impact successful exploitation can have. Financially motivated groups, nation-state actors, and initial access brokers are likely to use them to gain initial access, persistence, and defense evasion, with the intent of deploying malware, stealing sensitive information, or selling access to other threat groups.
Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations, and that multiple types of threat actors, both nation-state and financially motivated, will do so.
References
• Fortinet Advisory
• Veeam Advisory
• Microsoft Advisory
• SAP Advisory
• CentreStack Release Page
• KEV Catalog