Critical RADIUS Authentication Flaw in Cisco Secure Firewall Management Center

A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and ConnectWise ScreenConnect flaw. The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement with UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high.

A critical security flaw in the Sudo command-line utility for Linux and Unix-like operating systems, identified as CVE-2025-32463, is being actively exploited. This vulnerability affects Sudo versions 1.9.14 through 1.9.17 and allows local attackers to run arbitrary commands as root, even if they are not listed in the sudoers file. The flaw was disclosed in July 2025 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog on September 30, 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised Federal Civilian Executive Branch (FCEB) agencies to apply necessary mitigations by October 20, 2025, to secure their networks. The vulnerability was disclosed by Stratascale researcher Rich Mirch in July 2025. The flaw affects sudo versions 1.9.14 through 1.9.17 and has received a critical severity score of 9.3 out of 10. A proof-of-concept exploit for the CVE-2025-32463 flaw was released on July 4, 2025, and additional exploits have circulated publicly since July 1, 2025.

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat. Nearly 50,000 Cisco ASA and FTD appliances are vulnerable to actively exploited flaws. The vulnerabilities CVE-2025-20333 and CVE-2025-20362 enable arbitrary code execution and access to restricted URL endpoints. The Shadowserver Foundation discovered over 48,800 internet-exposed ASA and FTD instances still vulnerable to the flaws. The majority of vulnerable devices are located in the United States, followed by the United Kingdom, Japan, Germany, Russia, Canada, and Denmark. The Shadowserver Foundation's data is as of September 29, indicating a lack of response to the ongoing exploitation activity. Greynoise had warned on September 4 about suspicious scans targeting Cisco ASA devices, indicating upcoming undocumented flaws. CISA's emergency directive gave 24 hours to FCEB agencies to identify and upgrade vulnerable Cisco ASA and FTD instances. CISA advised that ASA devices reaching their end of support should be disconnected from federal networks by the end of September. The U.K. NCSC reported that the hackers deployed Line Viper shellcode loader malware and RayInitiator GRUB bootkit.

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.

Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, exploit flaws in the cryptographic signature verification process. The vulnerabilities affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC system and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.