Rapid7 has conducted an internal investigation and is not impacted by this incident. As part of our due diligence, we are also monitoring the situation with our third-party vendors.  

All known detections have been implemented across the Rapid7 portfolio, and threat hunts across our MDR customer base are being rolled out proactively.  Further details are provided below, and this publication will be updated as new information becomes available. 

Scope and investigation

F5 commissioned independent assessments by IOActive and NCC Group. Both parties confirmed no tampering in build pipelines or release artifacts had occurred.

Connection to BRICKSTORM

Public reporting has linked the F5 breach with the BRICKSTORM malware family, based on customer communications from F5. Mandiant’s BRICKSTORM report links the adversary to campaigns targeting software and cloud vendors to harvest source code and credentials for downstream supply-chain exploitation. 

CISA and NCSC actions

Following coordinated disclosure, CISA issued Emergency Directive 26-01 instructing federal agencies to audit and patch affected F5 systems, while the UK NCSC confirmed compromise of F5 development infrastructure and is advising UK operators to validate firmware and signatures.

Patch cycle and clarification

F5 emphasized that its October 2025 quarterly patches — released the same day as the SEC filing — are unrelated to the breach, and part of its regular maintenance cadence. However F5 is strongly advising customers to apply the patches, which remediate 44 newly disclosed vulnerabilities, as soon as possible. This is due to the context of the breach, whereby the threat actor was able to learn sensitive information on previously undisclosed vulnerabilities, which may give the attacker a tactical advantage in terms of leveraging these vulnerabilities.

Rapid7 InsightVM and Nexpose customers will have coverage for all the vulnerabilities affecting BIG-IP (all modules), BIG-IP APM, BIG-IP AFM, BIG-IP ASM and BIG-IP PEM in the October 16, 2025 content release.

The Rapid7 Labs perspective

The Rapid7 Labs research team assesses that, while there is no evidence of active exploitation of undisclosed F5 vulnerabilities, the compromise of internal development systems represents a long-tail risk.

Adversaries with access to proprietary source code or vulnerability research may attempt to identify latent weaknesses in future operations.

Rapid7 Labs continues to track the BRICKSTORM cluster and any follow-on exploitation of network-edge technologies derived from this intrusion. We will update customers as new intelligence emerges and share it through Intelligence Hub. 

What you should do now

Organizations using F5 technologies should take immediate, prioritized action to validate the integrity of their environments and reduce potential exposure stemming from this incident.

1. Identify and assess your footprint

• Inventory all deployed F5 assets — including hardware appliances, software instances, and virtualized deployments.

• Determine whether any of these systems provide remote management access or administrative interfaces that are reachable from the public internet.

2. Restrict management exposure and validate configurations

• F5 management interfaces should never be internet-facing. If external exposure is detected, assume potential compromise and conduct a focused assessment of logs, configurations, and credentials.

• Implement F5’s published hardening guidance and align configurations with vendor best practices for access control, authentication, and telemetry.

3. Apply updates and replace unsupported systems

• Immediately install the latest F5 security updates released in October 2025.

• Retire or replace any F5 products that have reached end-of-support, as these devices will not receive future security fixes.

4. Enhance monitoring and detection coverage

• Conduct continuous monitoring and proactive threat hunting for anomalous activity related to management logins, credential use, and system modifications.

5. Report and coordinate if compromise is suspected

• If indicators of compromise or unauthorized access are detected, contact F5’s Security Incident Response Team (SIRT) for coordinated remediation.

• Engage your national cybersecurity authority or incident response partner where applicable.

How Rapid7 is supporting customers

At present there are no known exploited CVEs associated with the disclosure. Rapid7 has implemented honeypot sensors to detect if exploitation of affected F5 products does begin. In addition, we are undertaking the following measures for our customers.

Vulnerability management

Vulnerability Management (InsightVM and Nexpose) customers that run F5 BIG-IP models will be able to assess exposure to the vulnerabilities affecting BIG-IP (all modules), BIG-IP APM, BIG-IP AFM, BIG-IP ASM and BIG-IP PEM, with vulnerability checks available in the October 16 content release.

MDR and IDR customers

Rapid7 has proactively updated our threat detection capabilities in response to this threat. Our Threat Intelligence and MDR teams have launched targeted hunts for IOCs related to BRICKSTORM and are continuously refining our detection rules to identify these attacks early.

• Suspicious Process - BRICKSTORM targets U.S. Tech and Legal sectors with Stealthy Espionage

• Suspicious Network Connection - BRICKSTORM targets U.S. Tech and Legal sectors with Stealthy Espionage

The Rapid7 MDR team has completed all threat hunts utilizing the available indicators of compromise (IOCs) and did not find any indications of customer exposure. Threat hunting will continue in an effort to identify new activity.

Intelligence Hub

Customers leveraging Rapid7’s Intelligence Hub can track the latest developments surrounding the F5 breach and associated indicators.

Updates

• Oct 17, 20925: Updated the Vulnerability management section to confirm that VM checks were successfully shipped on Oct 16.

TPM 2.0: zero-day information disclosure

When the Trusted Computing Group (TCG) consortium’s TPM 2.0 reference implementation contains a flaw, under normal circumstances that flaw is likely to be replicated in the downstream implementation by each manufacturer. That is the case with CVE-2025-2884, an information disclosure vulnerability which Microsoft is treating as a zero day despite the curious circumstance that Microsoft is a founder member of TCG, and thus presumably privy to the discovery before its publication. Windows 11 and newer versions of Windows Server receive patches. In place of patches, admins for older Windows products such as Windows 10 and Server 2019 receive another implicit reminder that Microsoft would strongly prefer that everyone upgrade.

Remote Access Connection Manager: zero-day EoP

Local elevation of privilege (EoP) is always attractive to an attacker, since even if it doesn’t get them where they need to be, it can provide an important link in the chain. Microsoft is already aware of exploitation in the wild for CVE-2025-59230, a vulnerability in the Windows Remote Access Connection Manager. With no user interaction required, this will go straight into an attacker’s standard toolkit. There’s very little information in the advisory itself, but someone out there knows exactly how to exploit this vulnerability. Credit where credit is due: Microsoft detected the exploitation, and now we have patches for all supported versions of Windows.

Agere fax modem driver: pair of zero-day EoP

Are you a doctor, a lawyer, or a hipster? If so, you might be one of the holdouts who still feels the need to connect a fax machine to a computer, and you should brace yourself for some bad news, then some good news, and then some more bad news. For starters, Microsoft has published two zero-day vulnerabilities in the Agere Modem driver: CVE-2025-24052, which is publicly disclosed, and CVE-2025-24990, which has already been exploited in the wild. The vulnerable driver ships with every version of Windows, up to and including Server 2025. Maybe your fax modem uses a different chipset, and so you don’t need the Agere driver? Perhaps you’ve simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator. The good news is that Microsoft is patching both of these vulnerabilities today. The sting in the tail is that they’re fixing the glitch by removing the vulnerable driver altogether, so if you are still using a fax modem with an Agere chipset, no fax for you!

IGEL OS: UEFI zero-day

If you don’t run thin clients targeting Windows environments, you might be unaware of the existence of IGEL OS, but today’s publication of the advisory for CVE-2025-47827 — which is a zero-day vulnerability — may put it on the radar a little more widely. Successful exploitation abuses overly lax cryptographic verification of root filesystem, and allows bypass of Secure Boot. Microsoft is aware of exploitation in the wild, and is offering patches for the usual array of Windows products.

The advisory doesn’t explain what the Windows patches are protecting against when the flaw is in IGEL OS itself. However, the write-up by the original discoverer contains a significant amount of interesting backstory, and we can infer that the Windows patches will include additions to the UEFI revocation list, theoretically rendering a specific asset immune to this attack.

AMD: zero-day information disclosure

Every so often, a processor vulnerability gets some attention. When they are included in a set of Patch Tuesday vulns, processor vulnerabilities tend to march to the beat of their own drummer, since Microsoft likely has very little control over how or when these are announced. AMD published CVE-2025-0033 yesterday, and Microsoft has responded with their own advisory today. The flaw affects only fairly recent AMD EPYC processors, which are more likely to be found in a cloud data centre than they are in a metal box underneath your desk.

This is technically a zero-day vulnerability, since Microsoft is acknowledging that at least some products are affected, and there’s no patch yet. Specifically, Microsoft acknowledges that patches are needed for several variants of Azure Confidential Compute VM, and that they are working towards providing those patches. There isn’t anything much to do here yet from a Windows administration perspective, since AMD’s advisory understandably addresses only the underlying hardware, and Microsoft hasn’t said anything yet about any possible impact on Windows itself.

Windows Server Update Service: critical pre-auth RCE

The Windows Server Update Service (WSUS) provides admins with some very handy features. You can download updates from Microsoft once, and then redistribute them locally. It also allows scheduling of deployments to minimize impact on business activities, as well as centralized monitoring of updates. What’s not to love, right? Answer: CVE-2025-59287, a critical RCE which allows an attacker to execute code remotely. Although Microsoft isn’t currently claiming knowledge of disclosure or exploitation in the wild, they do consider exploitation more likely. Although the advisory doesn’t explicitly mark this one out as a pre-authentication RCE, the CVSS v3 base score of 9.8 tells an alarming story: a network attack vector, no privileges required, and low attack complexity. Patches are available for all versions of Windows Server. Taking all that into account, along with the Acknowledgements section of the advisory, a good time to apply these patches is right meow.

Microsoft lifecycle update

Today marks the end of an era, sort of. As Rapid7 has previously noted, today marks the end of support for non-LTSC versions of Windows 10. Of course, there’s a lot of nuance here. First, let’s address Windows 10 Long Term Support Channel (LTSC) installations, which are Microsoft’s way of providing risk-averse enterprise customers with the same exact OS almost indefinitely. An LTSC installation never has to worry about huge feature updates, but instead receives only security patches.

All versions of Windows 10 LTSC will continue to receive security updates for quite some time, with the exception of Windows 10 Enterprise LTSC 2015, which is now too old even for Microsoft to support. Still, that’s been an extra eight-and-a-half years of security updates vs. the equivalent non-LTSC version of Windows 10. When you’re relying on Windows 10 for the safe operation of an MRI scanner or a critical industrial control system at a steel plant, stability is key. A frank discussion of whether or not Windows is the optimal choice in these scenarios is beyond the scope of this analysis. Regular LTSC runs until 2027, whereas IoT Enterprise LTSC 2021 is scheduled to limp onwards all the way until January 2032.

It’s likely that Microsoft’s Extended Security Update (ESU) offering will be much more widely discussed in the coming weeks than is typical. Via the ESU program, Microsoft offers further security updates for software which has moved past the end of support. It is generally a paid “cash for updates” service, although consumers in the European Union can take advantage of Microsoft’s offer of one free year of ESU for Windows 10 Home or Professional. It may well be a coincidence that Microsoft has extended this generous offer only to consumers in a large jurisdiction with strong consumer rights. Users without spare cash or an EU home address can consider syncing their PC settings to OneDrive — make sure to enable multi-factor authentication on your Microsoft account if you do this — or spending 1000 Microsoft Rewards points, if you know what those are and have some to spare.

Microsoft, of course, has been pushing us all to upgrade to Windows 11 for a long time, but this leaves some people out in the cold. Windows 10 users without the cash to upgrade to Windows 11-compatible PC hardware or the IT situational awareness to realize that they are now at increased risk of compromise will now drift further and further away from a solid security stance. Not for the first time, the most vulnerable users with the fewest resources will end up in the most precarious situation.

Also receiving their final guaranteed patches today: Office 2016 and Office 2019. Another significant change: both Exchange 2016 and Exchange 2019 are now entirely replaced by Exchange Server Subscription Edition. A huge amount of lifecycle change today, and one which Microsoft has been building towards for many years now. The full impact may not become clear for a while, especially the retirement of Windows 10.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

Developer Tools vulnerabilities

Developer Tools ESU Windows vulnerabilities

ESU Windows vulnerabilities

Mariner Open Source Software vulnerabilities

Microsoft Office vulnerabilities

Open Source Software vulnerabilities

SQL Server vulnerabilities

Server Software vulnerabilities

System Center vulnerabilities

Windows vulnerabilities

Update history

• 2025-10-20: added Summary Tables.

SQL Server: zero-day DoS

What happens if you ask SQL Server to deserialize a JSON object with thousands of levels of nested objects? If you guessed denial of service, then you are good at guessing, because that’s what CVE-2024-21907 describes. As zero-day vulnerabilities go, it doesn’t seem particularly terrifying, since presumably the worst an attacker can do is knock down a service, which can then be picked up again. Of course, that’s all relative, since some SQL Server instances are doing very important work: think hospitals, airports, and other critical infrastructure. Taking a step back: if an unauthenticated attacker can send arbitrary queries directly into your SQL Server instances, then that’s already a broader security architecture issue.

Perhaps the most interesting thing about CVE-2024-21907 is its long and convoluted history. The underlying defect is not in SQL Server, but in Newtonsoft.Json, which is the de facto standard for handling JSON in .NET applications, including SQL Server and many other products. Versions of Newtonsoft.Json prior to 13.0.1 are vulnerable, and this isn’t new information; CVE-2024-21907 was originally made public on 2024-01-03 with some help from VulnCheck, so Microsoft is playing catch-up here. The underlying defect has been public knowledge for way longer than that, however, since Aleph Security first flagged it up way back in 2018 without attaching a CVE number. It remains unclear why Microsoft chose to address this now, but better late than never.

SMB server: zero-day(?) EoP

How’s your SMB server configuration? Is it fully hardened, with SMB server signing and Extended Protection for Authentication enabled? If not, then CVE-2025-55234 set out clearly why you should be worrying about SMB Server relay attacks, where an attacker pretends to be a legitimate server using ARP spoofing, DNS poisoning, or some other suitable trickery. Any pen testers or threat actors reading this will no doubt be thinking of the popular OSS tool Responder, which streamlines exactly this sort of attack. Options for attackers include credential relaying (which is mitigated by SMB signing), as well as offline cracking of the hash to reveal the password.

The key takeaway from the CVE-2025-55234 advisory, other than the explanation of the well-known attack surface around SMB authentication, is that this is one of those times where simply patching isn’t enough; in fact, the patches provide administrators with more auditing options to determine whether their SMB Server is interacting with clients that won’t support the recommended hardening options. Other Microsoft server products (e.g. Exchange) offer a similar tough choice: lock out less capable clients, or leave your server in a state which permits relay attacks. None of the attack techniques covered are new, so this isn’t really a zero-day vulnerability, except inasmuch as it was published today, and describes an attack which is already publicly disclosed.

Azure Networking: critical EoP

It’s not every day that we see a perfect(?) 10.0 CVSS v3 base score, but CVE-2025-54914 is one such rare beast, thanks to the seldom-seen scope change described by the CVSS v3 vector. However, that’s all we get; the aggressively minimalist advisory fails to explain the nature of the vulnerability in any way at all. Mercifully, the advisory does pour a little oil on its own troubled waters by clarifying that this is a cloud service vulnerability, Microsoft has already fixed it, and there is no action to be taken by users of the service. Other reasons to consider not panicking: the Acknowledgements section lists only Microsoft researchers, so we can hope that no one else knows enough to do any damage. For anyone wondering which cloud service was impacted, the answer is Azure Networking, which is probably only important if your cloud assets ever need to communicate with anything at all.

Azure HPC: critical RCE

Azure High Performance Computer (HPC) admins should pay close attention to CVE-2025-55232, a critical unauthenticated RCE exploitable over the network. The advisory sets out the pre-requisites for the actual patch, and also hints that appropriate firewall rules should be in place, especially for TCP port 5999. The advisory doesn’t describe exactly what those firewall rules should look like or what they’re protecting, but port 5999 is the default port for the HpcScheduler, which orchestrates HPC jobs, resource management, and cluster communication.

Microsoft lifecycle update

There are no significant changes to Microsoft product lifecycles this month. A few Azure services move into retirement towards the end of September: Azure Basic Load Balancer, Azure Database for MariaDB, Azure HPC Cache, Azure Remote Rendering, Azure Service Map, Azure SQL Edge, Azure Unmanaged Disks, and Azure vFXT. As Rapid7 noted previously, there will be a number of significant changes in October, including the categorical end of support for non-LTSC versions of Windows 10.

Summary charts

⠀

⠀

Update history

• 2025-09-10: corrected link to Microsoft Security Update Guide and a small typo in a product name.

Summary tables

Apps vulnerabilities

Azure vulnerabilities

Browser vulnerabilities

ESU Windows vulnerabilities

ESU Windows Microsoft Office vulnerabilities

Mariner vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

Open Source Software vulnerabilities

At time of writing, Microsoft has published patches for these OSS vulnerabilities, but without providing an accompanying advisory for most of them.

SQL Server vulnerabilities

Windows vulnerabilities

While performing continuous red teaming exercises through Rapid7’s Vector Command service, Rapid7 discovered a total of four vulnerabilities in Securden Unified PAM. Three vulnerabilities were identified that allow an attacker to bypass authentication and view stored passwords or execute system commands on the server. The fourth identified vulnerability allows a malicious actor to access Securden’s gateway portal with low privileges, which could potentially be leveraged to exploit other customers running Securden Unified PAM. 

Securden effectively coordinated with Rapid7 and quickly provided a patch to remediate all four vulnerabilities.

Product description

Securden Unified PAM can generally be described as an all-purpose server for access control. It can store, manage, and log access to credentials, as well as log when users request admin privileges. Remote access connections such as RDP and SSH can be initialized from the web application. Videos of these sessions can be recorded and saved for administrators’ review. User accounts can be integrated from Active Directory and can be managed to only have access to specific sets of credentials. For more information, visit Securden’s site.

All of this functionality related to access control makes it a prime target for malicious actors. 

Impact

The first vulnerability, CVE-2025-53118, allows an attacker to bypass authentication protections to read saved credentials through access to application backup endpoints. The second vulnerability, CVE-2025-53120, allows an attacker to upload a file to any directory with any filename without authentication due to path traversal. The third vulnerability, CVE-2025-53119, allows an attacker to upload a file of any file type and any file content as a result of a lack of sufficient filetype validations. The last vulnerability, CVE-2025-6737, allows an attacker to authenticate to Securden’s gateway server with low-level permissions using shared credentials across installations.

Based on testing, exploitation of CVE-2025-53119 and CVE-2025-53120 was not viable on version 9.0.1, but was viable on version 11.1.x. While an attacker can leverage any of the disclosed vulnerabilities to achieve unauthenticated remote code execution (RCE), an attack performed from an authenticated context would not require the authentication bypass to gain code execution capabilities.

Credit

These issues were discovered by Aaron Herndon, Principal Security Consultant, and Marcus Chang, Security Consultant, both of Rapid7. They are being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Vendor statement

The following statement has been provided by Securden CEO, Bala Venkatramani.

"These vulnerabilities have been addressed in version 11.4.4 of Securden Unified PAM. At Securden, customer security is our top priority. We actively collaborate with esteemed researchers like Rapid7 to swiftly identify and remediate vulnerabilities. We appreciate the efforts of the security researchers at Rapid7 for their responsible disclosure and professionalism throughout the process. We have already sent advisories to all our customers individually.”

CVE-2025-53118: Authentication Bypass

Browsing to /thirdparty-access within the application will redirect the user to / and assign a securdensession cookie value. This cookie can be used when requesting the /get_csrf_token URL to obtain a CSRF token and securdenpost cookie, which are used for POST requests. While the cookie has not yet been authorized through a valid login, Rapid7 identified several API endpoints within the application that do not check for authorization, and instead only the presence of the securdensession cookie, securdenpost cookie, and a CSRF token generated from the /thirdparty-access request.

Note: POST requests sent by the application typically have an X-Requested-With header. However, if this header is present during authentication bypass requests, the server will respond with an error. Successful exploitation requires removing this header.

While reviewing API endpoints which are vulnerable to the authentication bypass, Rapid7 determined the /configure_schedule request to have the highest impact, allowing unauthenticated users to perform the encrypted password backup functionality with their own specified password and location to drop the file. The encrypted password backup can only be performed if a superadmin account is present. In the case of a superadmin account not being present, an attacker could still leverage the endpoint to repeatedly perform full database backups and steal active session cookies to authenticate as logged in users.

/thirdparty-access

Rapid7 navigated to /thirdparty-access and obtained a securdensession cookie:

/get_csrf_token

Using the securdensession cookie, Rapid7 browsed to /get_csrf_token and obtained a CSRF token and securdenpost cookie.

Exploiting the backup features

Rapid7 then obtained the application server’s next start time for its scheduled tasks, using the authentication bypass to query /get_date_picker_format:

A request was then sent to /configure_schedule with the SCHEDULE_ENCRYPTED_HTML_BACKUP type, next task start date, a passphrase, and a location to write the backup file to. An attacker can choose to host an SMB share and have the file dropped there, or place it in the Unified PAM’s /static/ webroot folder, allowing unauthenticated download of the file via the application’s web server. This request required the obtained CSRF token along with the securdenpost and securdensession cookies.

Note: The written filename is not controlled by the attacker, nor is it a static name. However, as it is based on the date of the backup, the name can be guessed via brute forcing to download it from the web server.

After waiting for the task to start, we see an SMB connection from PAM, writing the backup file to Rapid7’s SMB share.

Note: This SMB connection could also be leveraged in a pass-back and NTLMv2 relay attack, as well as offline NTLMv2 hash cracking of the service account running the Unified PAM application. 

The backup file can be decrypted using the password defined by the attacker, revealing a full backup of all passwords stored in the Unified PAM:

Database backups when the “superadmin” is not enabled

When the superadmin user is not enabled, the application won’t create the encrypted password file. Still, it is possible to extract a backup of the entire Unified PAM application’s database. This database stores the credentials in an encrypted format, which cannot be decrypted unless the attacker has a key file on the application server. Instead, an attacker can extract active session tokens (cookies) from the database and impersonate user sessions, which can then be used to extract passwords through normal application workflows.

To backup the entire database instead of the encrypted passwords file, because of the superadmin user not being enabled, the /configure_schedule request can also be sent with DATABASE_BACKUP as the schedule_type and the backup_location can once again be set to PAM’s static folder or an external share. 

The backup file will have a predictable filename: Securden-<version>_postgresql_db_backup_<day>_<Month>_<year>_<hour>_<minute>_<second>.zip. By sending brute-force requests to the /static/ folder, the attacker can reliably guess the last two <second> digits of the file name and access the backup file.

While passwords and other sensitive information is encrypted in the backup file, Django session cookies are not. The exploit can be automated to run a backup every five minutes; when a user signs in, their cookie can be found in the database. 

If the timing is right and the cookie is still valid, it can be used to login as the user.

CVE-2025-53119 / CVE-2025-53120: Unauthenticated Unrestricted File Upload and Path Traversal In File Upload

• CVE-2025-53119 - The /accountapp/upload_web_recordings_from_api_server request allows for unrestricted file upload without authentication. Attackers can upload any file with any filetype to the server’s web recordings directory.

• CVE-2025-53120 - Arbitrary files can be overwritten with path traversal characters in the file_name and relative_path parameters of the /accountapp/upload_web_recordings_from_api_server request . 

These can be leveraged for remote code execution in multiple ways. As an example, in the screenshot below, the postgresBackup.bat file was overwritten with a malicious PowerShell command that would send a reverse shell to the attacker. The file was overwritten by editing the file_name and relative_path parameters to point to the postgresBackup.bat file. In this request, the exact value of the relative_path parameter is arbitrary. It only needs to traverse one directory back with .../<arbitrary_string>. The postgresBackup.bat batch script is present by default and runs whenever a database backup occurs.

By exploiting the authentication bypass mentioned previously, CVE-2025-53118, a database backup can be triggered:

On backup, the application server runs the batch script containing the PowerShell reverse shell, and the attacker can run privileged OS commands on the PAM server:

CVE-2025-6737: Shared SSH Key and Cloud Infrastructure

While reviewing application logs produced by Securden’s Unified PAM (version 11.2.5), Rapid7 discovered an entry indicating that the application server had established a reverse SSH tunnel to a remote server, using a key placed on disk, exposing the login page for Rapid7’s local Unified PAM used for testing:

At first, Rapid7 investigated the IP, as it was foreign, and reviewing additional logs within “reversetunnelcreator.log” revealed an IP address that was hosted in South Korea:

Additionally, Rapid7 discovered that the SSH key tunnel-user-key.pem was deleted from disk after the tunnel was established. Using PowerShell, Rapid7 wrote a small loop to monitor file write events for the key and copy it, and then restarted the Securden service, noticing that SSH log entries aligned with service and server restart times:

Rapid7 executed the SSH command which their Unified PAM server utilized, connecting to 18.217.245.55’s SSH service on port 443. Without context into the functionality, Rapid7 originally thought this may have been an update server deployed by Securden to push down new packages. 

To check if the server was exposing the admin panel for Rapid7’s local PAM server used for testing, Rapid7 ran a netstat command, discovering several other tunnels and connections from various IP addresses:

Realizing that this server was Securden’s infrastructure with shared connections between multiple software deployments, Rapid7 exited the host. Rapid7 then reviewed the Unified PAM application’s functionality, focusing in on what created the SSH tunnel and where it was being used. Rapid7 discovered that it was a part of the Vendor Access Portal, which allows customers to expose a vendor login page on the internet to their internally-hosted Unified PAM instance. However, while testing with different deployed instances and vendor names, Rapid7 observed that the key generation process, username, and host IP address SSHed into and used to establish this tunnel were the same across installations.

Remediation

To remediate the issues described in this disclosure, customers should update Securden Unified PAM to version 11.4.4 or higher. Securden has declined to publish a public advisory on these issues. More details about Securden Unified PAM can be found here.

Rapid7 customers

Nexpose and InsightVM customers can assess their exposure to CVE-2025-53118, CVE-2025-53119, CVE-2025-53120, and CVE-2025-6737 with unauthenticated/remote checks made available in the August 25 content release.

Disclosure timeline

• May 2025: First three vulnerabilities (CVE-2025-53118, CVE-2025-53119, CVE-2025-53120) discovered by Marcus Chang, Vendor Portal vulnerabilities (CVE-2025-6737) discovered by Aaron Herndon, both of Rapid7.

• May 22, 2025: Initial email to Securden asking for confirmation of a point of contact to send vulnerability information.

• May 22, 2025: Securden confirmed the point of contact.

• May 22, 2025: Vulnerability details provided to Securden.

• May 30, 2025: Securden sent patch intended to remediate the issues.

• June 3, 2025: Rapid7 tested the patch and confirmed all vulnerabilities were remediated.

• June 5, 2025: Aaron Herndon reported further vulnerabilities with the Vendor Portal functionality.

• June 6, 2025: Securden provided another patch intended to remediate newly identified vulnerabilities.

• June 9, 2025: Rapid7 tested the patch provided on June 6 and confirmed vulnerabilities discovered on June 5 were remediated.

• June 26, 2025: Securden provided a general timeframe for public disclosure.

• July 29, 2025: Securden provided a specific public disclosure date.

• July 29, 2025: Rapid7 requested a different public disclosure date.

• July 29, 2025: Rapid7 informed Securden of the assigned CVE IDs.

• August 5, 2025: Securden provided a specific public disclosure date.

• August 21, 2025: Rapid7 requested specific vulnerable version numbers.

• August 21, 2025: Securden provided specific vulnerable version numbers.

• August 22, 2025: Securden provided Vendor Statement.

• August 25, 2025: Public disclosure via publication of this blog post.

What's changing?

InsightVM is being upgraded to use a newer version of Nmap, moving from version 7.92 to 7.95, bringing significant improvements to how UDP ports are assessed. Our testing has revealed that the new version of Nmap is much more precise in identifying ambiguous ports, resulting in a significant decrease in ports being definitively marked as closed and a corresponding increase in ports being correctly identified as open|filtered.

This industry-wide improvement highlighted that our existing method for handling the ambiguous open|filtered state during unauthenticated SNMPv1 and SNMPv2 fingerprinting could report false positives to customers. With the new UDP port detection in Nmap, the frequency of these false positives would likely increase, so we have updated our fingerprinting process to be more reliable.

Increasing reliability and reducing false positives

For unauthenticated scans, our platform will now adopt a more direct approach to identifying SNMP services. This change is designed to deliver more accurate results and reduce the noise from potential false positives. 

Authenticated scans that use valid SNMP credentials are not affected by this change. Also, due to the nature of the protocol, this update does not affect SNMPv3 scanning.

What this means for your scans

With this new, more accurate behavior, reliable fingerprinting of SNMPv1 and v2 services will be achieved under the following conditions:

1. An unauthenticated scan against an SNMP asset that is using one of the common, default community strings that our scanner checks for.

2. An authenticated scan against any SNMP asset where you have provided valid credentials.

A key benefit of this change is a reduction in false positives, particularly for certain types of SNMPv1 and SNMPv2 servers. 

Which SNMPv1 and SNMPv2 servers will see this change?

This change is unlikely to affect most Linux SNMPv1 and SNMPv2 servers, as they typically respond with an authentication error to incorrect community strings, allowing our scanner to confirm the service is running. 

The native SNMP service on Windows is designed to silently drop packets when a non-default community string is used. Our previous method may have incorrectly flagged these open|filtered ports as a running service. With the new logic, our scanner will no longer attempt to fingerprint SNMP in these ambiguous cases, significantly improving accuracy for these assets. This also applies to other network devices that adopt a similar "silent drop" security posture.

Our recommendations

For the most accurate and reliable fingerprinting of your SNMPv1 and v2 servers, we strongly recommend configuring your scans with credentials. Authenticated scanning is a security best practice that provides the most detailed and accurate information about the services running on your assets.

We are confident that this enhancement will improve the quality of your scan data and help you focus on what matters most.

You can check out Rapid7’s Vulnerability Management solution, InsightVM, in greater detail here.

Kerberos: zero-day EoP

What do attackers want in a Windows context? Domain admin! When do they want it? Now! Today’s lone zero-day vulnerability might be just what they need to break through the final layers of protection and swipe the crown jewels. CVE-2025-53779 is an elevation of privilege (EoP) vulnerability in the Windows implementation of Kerberos, which is enabled via abuse of dMSA configuration. The advisory FAQ provides more clues as to the nature of the attack than many comparable Microsoft advisories, but misses a golden opportunity for clarity, since it never sets out what it means by dMSA, leaving us scouring for contextual clues. Ultimately, we can determine from context that today’s hot topic is the Delegated Managed Service Account, rather than the Defender Microservices Architecture or some other piece of Microsoft paraphernalia with matching initials. Microsoft’s motivation is unimpeachable: the dMSA supports automated rotation of credentials for service accounts, and is specifically designed to prevent credential harvesting using Kerberoasting. Indeed, CISA has described Kerberoasting as one of the most time-efficient ways to elevate privileges and move laterally throughout an organization’s network.

The good news here is that successful exploitation of CVE-2025-53779 requires an attacker to have pre-existing control of two attributes of the hopefully well protected dMSA: msds-groupMSAMembership, which determines which users may use credentials for the managed service account, and msds-ManagedAccountPrecededByLink, which contains a list of users on whose behalf the dMSA can act. However, abuse of CVE-2025-53779 is certainly plausible as the final link of a multi-exploit chain which stretches from no access to total pwnage. Finally, it’s important to note that Microsoft is only publishing patches for Windows Server 2025, and that’s because msds-ManagedAccountPrecededByLink was first implemented in Server 2025. Migrating to newer operating systems sooner rather than later remains good advice, but so is remediation of zero-day vulnerabilities which could give an attacker total control of your estate.

Windows Graphics: critical RCE

The publication of any pre-authentication RCE in Windows will naturally spark discussion. Of course, not all pre-auth RCEs are created equal, and while CVE-2025-50165 has a hefty CVSSv3 base score of 9.8, and is certainly a cause for concern, it is not the worst of the worst, since it presumably isn’t wormable. Despite that, a degree of alarm is amply justified, since the advisory FAQ mentions — twice! — that user interaction isn’t required. Exploitation is via a malicious JPEG file, which could be delivered within an Office document or other means; perhaps even visiting a website would be sufficient, or receiving an email within Outlook, although the advisory doesn’t explicitly confirm or deny these other possible attack routes. The malformed JPEG tricks the Windows Graphics Component into code execution via an untrusted pointer dereference. The context of execution isn’t specified, so in the standard spirit of caution, we’ll assume SYSTEM. This is hardly a new class of problem: we can cast our minds back a dozen years, for instance, and consider the broadly similar MS13-096. However, the specific flaw underlying CVE-2025-50165 is presumably a recent introduction, since only Windows 11 24H2 and Server 2025 receive patches. Patch this one sooner rather than later, since it could provide a skilled attacker with a valuable foothold from which to launch further attacks, including perhaps even today’s CVE-2025-53779.

Windows GDI+: critical RCE

The Windows GDI+ (Graphics Device Interface Plus) is at the center of how almost all two-dimensional graphics are rendered on Windows assets. CVE-2025-53766 is a critical RCE in how GDI+ interprets metafiles, which are often used to store vector graphics. An attacker can achieve code execution via buffer overflow without privileges or user interaction. As with today’s CVE-2025-50165, it’s unlikely that this vulnerability could be wormable, but the most alarming path to exploitation involved simply uploading a malicious metafile to a Windows machine running unspecified web services. There is no mention of SharePoint, Exchange, Office, or other non-Windows products in the Security Updates section of the advisory, but that still leaves an essentially limitless potential attack surface; for example, anyone running a custom ASP.NET application offering file uploads could find themselves vulnerable to an attacker wielding a dodgy WMF file. On the bright side, the Preview Pane is not a vector in this case. A patch is available for Server 2008, but not Server 2012, a curious and possibly concerning pattern that we see from time to time with RCEs which affect the full historic range of Windows products.

DirectX graphics kernel: critical RCE

Today is certainly a good day for fans of critical RCE vulnerabilities which target weaknesses in how Windows interprets graphics. Exploitation of CVE-2025-50176, a flaw in the DirectX graphics kernel, could lead to execution in a kernel context. Microsoft considers exploitation more likely, which may be why the advisory doesn’t provide a great deal of information about the means of exploitation, beyond a terse statement that type confusion is involved. Type confusion is where the kernel receives a pointer which it expects to be for one type of object, but is in fact for another, which is a bit like asking someone to read out loud from a restaurant menu, but then handing them their secret diary and hoping they won’t notice the difference. Most people will not be fooled, but under the right circumstances, anything is possible.

Microsoft lifecycle update

There are no significant changes to Microsoft product lifecycles this month. However, October will bring a flurry of changes, including the categorical end of support for non-LTSC versions of Windows 10.

Summary charts

Summary tables

Apps vulnerabilities

Azure vulnerabilities