Vulnerability Review – September 2025
This blog is a recap of the most critical vulnerabilities disclosed between 01 September and 30 September 2025 that most likely impact software utilized by managed service providers (MSPs). While not all MSPs use the software discussed in this blog, the software has been labeled as priority software by Blackpoint’s APG due to the overall number of MSPs and organizations that use it.
Key Findings
- There were more than 4,000 vulnerabilities disclosed between 01 September and 30 September 2025, with more than 1,600 vulnerabilities being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
- There are several that have been actively exploited and 16 that have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) Catalog, indicating reliable reports of active exploitation.
- Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.
Vulnerabilities
Network Edge Devices
Network edge devices – firewalls, routers, VPN gateways, etc. – are the critical gatekeepers between internal networks and the internet. These devices manage and filter traffic, enforce security policies, and often provide remote access capabilities, making them high-value targets for threat actors. Because edge devices often operate with elevated privileges and are typically exposed to the internet, they are frequently targeted via vulnerabilities, exposed services, or misconfigurations.
Cisco ASA & FTD
Cisco released patches for two zero-day vulnerabilities this month impacting the Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software.
- CVE-2025-20333 (CVSS 9.9) is a remote code execution vulnerability in the WebVPN component that allows remote attackers to execute arbitrary code in the context of privileged firewall processes.
- CVE-2025-20362 (CVSS 6.5) is an unauthorized access vulnerability in the WebVPN component that allows remote attackers to access restricted URL endpoints or functions without proper authentication.
Successful exploitation of these vulnerabilities allows attackers to gain control of perimeter firewalls or virtual private network (VPN) gateways. Once compromised, an attacker could intercept or redirect network traffic, manipulate VPN sessions, and establish persistence on the environment.
Threat actors could then conduct a multitude of activities including deploying malware, moving laterally, stealing credentials, and exfiltrating data. Additionally, threat actors could exploit these vulnerabilities to bypass authentication controls, granting them access to restricted functions and enabling further malicious activity.
These vulnerabilities were added to the U.S. CISA KEV Catalog on September 26, 2025. Additionally, the U.S. CISA released an Emergency Directive to patch these vulnerabilities.
WatchGuard Firebox iked
WatchGuard released patches for a critical vulnerability impacting WatchGuard Fireware OS 11.10.2 up to and including 11.12.4_Update1, 12.0 up to and including 12.11.3, and 2025.1. The vulnerability, CVE-2025-9242 (CVSS 9.3), is an out-of-bounds vulnerability in the iked service.
The vulnerability impacts both the Mobile User VPN with IKEv2 and the Branch Office VPN using IKEv2 when configured with a dynamic gateway peer. Additionally, the advisory states that if the Firebox was previously configured with the mobile user VPN with IKEv2 or a branch office VPN using IKEv2 to a dynamic gateway peer, and both of those configurations have since been deleted, that Firebox may still be vulnerable if a branch office VPN to a static gateway peer is still configured.
A threat actor could exploit this by sending crafted network traffic to the affected iked service to trigger memory corruption and execute code on the device without prior authentication. Successful exploitation can give a threat actor full control of the appliance allowing persistence, traffic interception, lateral movement, and the ability to use the device as a pivot point for wider compromise.
Browsers
Browsers, such as Google Chrome, Microsoft Edge, and Mozilla Firefox/ESR, are often attractive targets for threat actors because they run with user-level privileges, sit at the intersection of user interaction and the internet, and present a large attack surface. Targeting browsers can allow threat actors to access and steal browser-stored credentials, execute code on the system, and escape browser-based protections and sandboxing to reach the operating system.
Google Chrome
Google released updates for Chrome to address three vulnerabilities, including one that could allow threat actors to compromise user systems and one zero-day.
- CVE-2025-10200 (CVSS 8.8): Use-After-Free Vulnerability impacting Chrome’s ServiceWorker component. ServiceWorkers are background scripts that enable web applications to function offline and handle network requests.
- CVE-2025-10201 (CVSS 8.8): Inappropriate Implementation Vulnerability impacting Chrome’s Mojo inter-process communication system. Mojo facilitates secure communication between different Chrome processes.
- CVE-2025-10585 (CVSS 9.8): Type Confusion Vulnerability impacting the V8 JavaScript and WebAssembly engine that allowed an attacker to potentially exploit heap corruption via a crafted HTML page.
A threat actor could exploit CVE-2025-10200 to cause heap corruption, execute arbitrary code, or compromise the user’s browser and system. A threat actor could exploit CVE-2025-10201 to bypass site isolation security mechanisms, execute arbitrary code, gain unauthorized access to browser-based systems, and compromise user data. A threat actor could also chain these vulnerabilities together to break out of the sandbox, steal cookies and session tokens, hijack active logins, gain persistence, and more.
CVE-2025-10585 was added to the U.S. CISA KEV Catalog on September 23, 2025.
Enterprise Software
Enterprise software solutions are essential to business operations and are frequently targeted by threat actors due to the level of access they grant, the ability to deploy malware, the ability to gain persistence on a network, and the ability to move laterally through a compromised environment.
SAP NetWeaver
SAP released patches for three critical-severity vulnerabilities impacting NetWeaver: CVE-2025-42944, CVE-2025-42922, and CVE-2025-42958.
- CVE-2025-42944 (CVSS 10): Insecure Deserialization Vulnerability impacting NetWeaver, ServerCore 7.50 that could allow an unauthenticated threat actor to achieve arbitrary OS command execution by sending a malicious Java object through the RMI-P4 module to an open port.
- CVE-2025-42922 (CVSS 9.9): Insecure File Operations Vulnerability impacting NetWeaver AS Java, J2EE-APPS 7.50 that could allow a threat actor with non-administrative authenticated access to upload arbitrary files, potentially allowing full system compromise.
- CVE-2025-42958 (CVSS 9.1): Missing Authentication Vulnerability impacting NetWeaver that could allow unauthorized high-privileged users to read, modify, or delete sensitive data and access administrative functionality.
SAP NetWeaver has historically been an attractive target for threat actors due to the level of access that can be achieved and the ability to conduct a destructive cyberattack.
Workflow Automation Tools
Workflow automation tools are critical for streamlining business processes by connecting applications, orchestrating tasks, and automating data flows across systems. These tools are often deeply integrated and maintain elevated permissions within an organization’s environment, making them attractive targets for threat actors. Threat actors target these platforms to hijack automated workflows, deploy malware at scale, exfiltrate sensitive data, and move laterally through the connected systems. Compromising these tools provides attackers with a powerful foothold to disrupt operations or abuse trusted automation channels.
Fortra GoAnywhere MFT
Fortra released an advisory warning of a critical vulnerability, CVE-2025-10035, impacting the License Servlet of GoAnywhere MFT.
CVE-2025-10035 (CVSS 10) is a deserialization vulnerability impacting all GoAnywhere MFT versions up to 7.8.3. Successful exploitation of this vulnerability could allow threat actors to conduct remote, unauthenticated command execution if the Admin Console is internet accessible.
Attackers who can reach the Admin Console are able to exploit this vulnerability by sending crafted license responses that trigger the unsafe deserialization routine. This would then allow them to run arbitrary code on the server enabling a complete compromise of the managed file transfer environment. Due to GoAnywhere systems often handling sensitive data, successful exploitation could lead to significant data exfiltration.
Beyond data theft, threat actors could deploy malware, including ransomware, pivot to other areas of the network, and disrupt business operations. This vulnerability was added to the U.S. CISA KEV Catalog on September 29, 2025.
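Both the WatchGuard Fireware advisory above (three inclusive version ranges, one of them ending in an "_Update1" build) and the GoAnywhere MFT advisory ("all versions up to 7.8.3") are most useful to an MSP as an inventory sweep: which of the devices and servers we manage fall inside an affected range? The following Python is an added example written for this post, not code from Blackpoint, WatchGuard, or Fortra. It encodes the version ranges exactly as stated in the text; the ordering of an "_UpdateN" suffix after its bare release, the lower bound of "0" for GoAnywhere, and the sample inventory are all assumptions constructed for the example.

```python
import re

# Affected version ranges, inclusive at both ends, as stated in the advisories
# summarised in this post. The lower bound "0" for GoAnywhere stands in for
# "all versions up to 7.8.3" (constructed; the advisory gives no lower bound).
AFFECTED = {
    "fireware": [
        ("11.10.2", "11.12.4_Update1"),
        ("12.0", "12.11.3"),
        ("2025.1", "2025.1"),
    ],
    "goanywhere": [
        ("0", "7.8.3"),
    ],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:_Update(\d+))?")


def version_key(version: str) -> tuple:
    """Turn a version string into a tuple that sorts correctly.

    '11.12.4' -> (11, 12, 4, 0, 0) and '11.12.4_Update1' -> (11, 12, 4, 0, 1).
    Numeric parts are padded to four places so '12.0' and '12.0.0.0' compare
    equal. An _UpdateN suffix is assumed to sort after the bare release; that
    is an assumption about WatchGuard's numbering, not stated in the advisory.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many components in version: {version!r}")
    parts += [0] * (4 - len(parts))
    update = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (update,)


def is_affected(product: str, version: str) -> bool:
    """True if `version` of `product` falls inside any affected range."""
    key = version_key(version)
    return any(
        version_key(low) <= key <= version_key(high)
        for low, high in AFFECTED[product]
    )


def triage(inventory):
    """Return the (hostname, product, version) entries that need patching."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "fireware", "12.11.3"),
    ("fw-branch-02", "fireware", "12.11.4"),
    ("fw-legacy-01", "fireware", "11.12.4_Update1"),
    ("fw-hq-01", "fireware", "2025.1"),
    ("mft-prod-01", "goanywhere", "7.8.3"),
    ("mft-prod-02", "goanywhere", "7.8.4"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is in an affected range")
```

A version match is a necessary but not sufficient test for the Firebox case: as the advisory notes, a device whose IKEv2 mobile-user or dynamic-peer branch office VPN configuration has since been deleted may still be vulnerable if a branch office VPN to a static gateway peer remains, so the version sweep should be paired with a review of each device's current and historical VPN configuration rather than treated as the final word.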
Blackpoint’s APG Analysis
Blackpoint’s SOC consistently monitors and responds to lateral movement and remote execution within our customers’ environments. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed within this blog.
These vulnerabilities are attractive targets for threat actors of all types due to the level of access granted, the ubiquity of the impacted software and devices, and the impact successful exploitation can have. Financially motivated threat actors, nation-state actors, and initial access brokers are likely to target these vulnerabilities to gain initial access, persistence, and defense evasion with the intent of deploying malware, stealing sensitive information, or selling access to additional threat groups.
Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors, including both nation-state and financially motivated threat actors over the next 12 months.