Week of 2025-10-12

Posted on 2025-10-18 by skip

Urgent Alert: Critical Vulnerabilities Demand Immediate Action

The cybersecurity landscape is buzzing with critical threats, including multiple maximum-severity flaws (CVSS 10.0) and actively exploited zero-days across major platforms. Security professionals must prioritize patching and securing infrastructure immediately.

Here is a concise overview of the key vulnerabilities dominating recent reports:

Maximum Severity Flaws (CVSS 10.0)

Two distinct issues have recently received the highest possible severity rating, indicating ease of exploitation and devastating impact:

  1. Adobe Experience Manager (AEM) RCE (CVE-2025-54253): This flaw is a maximum-severity misconfiguration bug that results in arbitrary code execution and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
    • Mechanism: The vulnerability stems from the dangerously exposed /adminui/debug servlet, which evaluates user-supplied OGNL expressions as Java code without requiring authentication or input validation.
    • Impact: Arbitrary code execution. Federal Civilian Executive Branch agencies are advised to apply fixes by November 5, 2025.
  2. Redis Shell RCE (CVE-2025-49844): This remote code execution vulnerability affects all Redis server versions and has a CVSS score of 10.0.
    • Root Cause: The flaw is a 13-year-old use-after-free memory corruption bug in the Lua interpreter.
    • Exposure Risk: Approximately 330,000 Redis instances are publicly exposed, with about 60,000 of those requiring no authentication whatsoever, creating an extremely dangerous scenario.

Actively Exploited Windows Zero-Days

Microsoft’s October 2025 Patch Tuesday addressed 172 flaws, including six zero-day vulnerabilities. Several of these were confirmed to be under active exploitation.

  1. Agere Modem Driver EoP (CVE-2025-24990): This Elevation of Privilege (EoP) vulnerability (CVSS 7.8) is particularly dangerous because the underlying driver is legacy code installed by default on every version of Windows, up to and including Windows Server 2025, regardless of whether the associated hardware is in use. A local attacker can elevate privileges to administrator.
  2. Remote Access Connection Manager EoP (CVE-2025-59230): This EoP flaw (CVSS 7.8) in Windows Remote Access Connection Manager (RasMan) was exploited to gain SYSTEM privileges.
  3. IGEL OS Secure Boot Bypass (CVE-2025-47827): This vulnerability (CVSS 4.6) involves a Secure Boot bypass in IGEL OS before version 11. Its exploitation allows threat actors to deploy a kernel-level rootkit, potentially leading to credential capture and tampering with Virtual Desktops.

Other notable critical Microsoft issues fixed include an RCE bug in Windows Server Update Service (CVE-2025-59287, CVSS 9.8) and a privilege escalation flaw in Microsoft Graphics Component (CVE-2025-49708, CVSS 9.9) that can lead to a full Virtual Machine (VM) escape.

Infrastructure Targeting: Cisco Rootkits

Threat actors operating under the name ‘Operation Zero Disco’ exploited a recently patched Remote Code Execution vulnerability in older Cisco networking devices (CVE-2025-20352).

  • Attack Summary: The flaw affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE. Hackers leveraged this issue to deploy a Linux rootkit on targeted devices (such as the Cisco 9400, 9300, and legacy 3750G series) to gain persistent access.
  • Rootkit Capabilities: The deployed rootkit includes a UDP controller with functions to disable logging, bypass AAA and VTY ACLs, and enable/disable a universal access password.

Windows 10 End-of-Life: A Security Liability

Finally, note that Windows 10 reached its official end of support on October 14, 2025.

  • The Risk: Without free security patches, continuing to use Windows 10 instantly transforms the system from a reliable workhorse into a serious security liability.
  • Mitigation: Users must upgrade to Windows 11 or enroll in the Extended Security Updates (ESU) program for Critical and Important security updates (at a cost, currently available to consumers until October 2026).