Latest Citrix NetScaler vulnerability #

Citrix published Security Bulletin CTX694788 that documented a vulnerability that impacts customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization and Auditing (AAA) virtual server are affected by a memory overflow vulnerability. This vulnerability has been designated CVE-2025-6543 and has been rated critical with a CVSS score of 9.2.

There is evidence that this vulnerability is being actively exploited in the wild.

The following versions are affected

• NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
• NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

What is the impact? #

Successful exploitation of this vulnerability could allow an adversary to make unintended changes to control flow, potentially allowing remote code execution (RCE) or causing denial-of-service (DoS).

Are updates or workarounds available? #

Citrix recommends upgrading affected systems to one of the following versions as soon as possible:

• NetScaler ADC and NetScaler Gateway to version 14.1-47.46 and later releases
• NetScaler ADC and NetScaler Gateway to version 13.1-59.19 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP to version 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) and no longer supported. It is recommended to upgrade to one of the currently supported versions that address the vulnerabilities.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:="Citrix Netscaler Gateway" OR os:="Citrix ADC"

June 2025: (CVE-2025-5777, CVE-2025-5349) #

Citrix published Security Bulletin CTX693420 that documented two vulnerabilities that impact customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). There is evidence that one of the vulnerabilities, designated by CVE-2025-5777, is being actively exploited in the wild.

• NetScaler configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization and Auditing (AAA) virtual server are at risk of an insufficient input validation vulnerability leading to memory out-of-bounds read in the NetScaler Management Interface which could allow access to secret values, bypass of protection mechanism, DoS or other unexpected results. This vulnerability has been designated CVE-2025-5777 and has been rated critical with a CVSS score of 9.3.
• An attacker with access to the NetScaler appliance IP (NSIP) address, Cluster Management IP (CLIP) address or local Global Server Load Balancing (GSLB) Site IP (GSLBIP) address could utilize an improper access control vulnerability to gain access the the NetScaler Management Interface and its management functions. This vulnerability has been designated CVE-2025-5349 and has been rated high with a CVSS score of 8.7.

The following versions are affected

• NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
• NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235-FIPS and NDcPP
• NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS

What is the impact? #

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information, potentially disrupt system operations and cause a denial-of-service, or gain control over the NetScaler Management Interface and its management functions potentially leading to system compromise.

Are updates or workarounds available? #

Citrix recommends upgrading affected systems to one of the following versions as soon as possible:

• NetScaler ADC and NetScaler Gateway to version 14.1-43.56 and later releases
• NetScaler ADC and NetScaler Gateway to version 13.1-58.32 and later releases of 13.1
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP to version 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
• NetScaler ADC 12.1-FIPS to version 12.1-55.328 and later releases of 12.1-FIPS

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) and no longer supported. It is recommended to upgrade to one of the currently supported versions that address the vulnerabilities.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:="Citrix Netscaler Gateway" OR os:="Citrix ADC"

February 2025: (CVE-2024-12284) #

Citrix issued a security bulletin for the on-premise NetScaler Console (formerly NetScaler ADM) and NetScaler Agent products. CVE-2024-12284 is rated high with a CVSS score of 8.8, which could lead to privilege escalation.

What is the impact? #

For customers running an on-premise installation of NetScaler Console with NetScaler Console Agents deployed, an authenticated remote attacker could “execute commands without additional authorization”. NetScaler emphasized that an attacker must be authenticated, which limits the potential impact. 

Are updates or workarounds available? #

Citrix recommends upgrading to one of the following versions as soon as possible:

• NetScaler Console 14.1-38.53 and later releases
• NetScaler Console 13.1-56.18 and later releases of 13.1
• NetScaler Agent 14.1-38.53 and later releases
• NetScaler Agent 13.1-56.18 and later releases of 13.1

How do I find potentially vulnerable systems with runZero? #

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

_asset.protocol:http AND protocol:http AND html.title:="NetScaler Console"

June 2024: (CVE-2023-6548, CVE-2023-6549) #

In January Citrix published Security Bulletin CTX584986 that documented two vulnerabilities that impact NetScaler ADCs and Gateways. The most severe of these, CVE-2023-6549, was discovered and documented by BishopFox.

CVE-2023-6549 is rated high with a CVSS score of 8.2. This vulnerability is an unauthenticated out-of-bounds memory read which could be exploited to collect information from the appliance’s process memory, including HTTP request bodies. While serious, this is not thought to be a bad as the Citrix Bleed vulnerability due to the new vulnerability being less likely to leak high risk data.

CVE-2023-6548 is rated medium with a CVSS score of 5.5. This vulnerability is a code injection flaw that allows remote code injection by an authenticated attacker (with low privileged) with access to a management interface on one of the NSIP, CLIP or SNIP interfaces.

What is the impact? #

The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication. CVE-2023-6549 is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker. CVE-2023-6548 could be used by an attacker with credentials to execute code.

Are updates or workarounds available? #

Citrix recommends limiting access to management interfaces as well as upgrading to one of the following versions:

• NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
• NetScaler ADC and NetScaler Gateway  13.1-51.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS 
• NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS 
• NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP

Warning: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to one supported version that addresses the vulnerabilities.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:netscaler OR product:"citrix adc"

July 2023: (CVE-2023-3519) #

In July, 2023, Citrix alerted customers to three vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Surfaced by researchers at Resillion, these vulnerabilities included a critical flaw currently being exploited in the wild to give attackers unauthenticated remote code execution on vulnerable NetScaler targets (CVE-2023-3519). Compromised organizations included a critical infrastructure entity in the U.S., where attackers gained access the previous month and successfully exfiltrated Active Directory data. And at the time of publication, there appear to be over 5,000 public-facing vulnerable NetScaler targets.

What was the impact? #

The three reported vulnerabilities affecting NetScaler ADC and Gateway products were of various types, and each include different preconditions required for exploitation:

• Unauthenticated remote code execution (CVE-2023-3519; CVSS score 9.8 – “critical”)
  • Successful exploitation required the NetScaler target be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or “authentication, authorization, and auditing” (AAA) virtual server.
• Reflected cross-site scripting (XSS) (CVE-2023-3466; CVSS score 8.3 – “high”)
  • Successful exploitation required the victim to be on the same network as the vulnerable NetScaler target when the victim loaded a malicious link (planted by the attacker) in their web browser.
• Privilege escalation to root administrator (nsroot) (CVE-2023-3467; CVSS score 8.0 – “high”)
  • Successful exploitation required an attacker having achieved command-line access on a vulnerable NetScaler target.

U.S.-based CISA reported attackers exploiting CVE-2023-3519 to install webshells used in further network exploration and data exfiltration, causing CVE-2023-3519 to be added to CISA’s Known Exploited Vulnerabilities Catalog. Other common attacker goals, like establishing persistence, lateral movement, and malware deployment, were all potential outcomes following successful exploitation.

Citrix made patched firmware updates available. Admins were advised to update older firmware on vulnerable NetScaler devices as soon as possible.

CISA also made additional information available around indicators of compromise and mitigations.

How to find potentially vulnerable NetScaler instances with runZero #

From the Asset inventory, they used the following prebuilt query to locate NetScaler instances on their network:

hw:netscaler or os:netscaler

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are running updated firmware versions.

The following query could also be used in on the Software and Services inventory pages to locate NetScaler software:

product:netscaler

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are updated versions.

Latest Wing FTP Server vulnerabilities #

Multiple vulnerabilities were disclosed in certain versions of Wing FTP Server. There is evidence that one of the vulnerabilities, designated by CVE-2025-47812, is being actively exploited in the wild.

• The web interface authentication process improperly neutralizes a NULL byte appended to the username. This vulnerability would allow a remote authenticated adversary, or an unauthenticated adversary through use of an anonymous FTP account if one is enabled, to inject arbitrary Lua code into the user session file. The Lua code would be executed whenever the session file is loaded, for example upon request to any of the authenticated portions of the web interface. This would allow remote code execution with the privileges the service (root or SYSTEM by default). This vulnerability has been designated CVE-2025-47812 and has been rated critical with a CVSS score of 10.0.
• The loginok.html endpoint does not correctly validate the UID session cookie. When provided a cookie value that exceeds the operating system’s maximum path size, it results in an error message that discloses the full local installation path of the application. An authenticated adversary may exploit the vulnerability to obtain the local installation path, which may aid in exploiting CVE-2025-47812. This vulnerability has been designated CVE-2025-47813 and has been rated medium with a CVSS score of 4.3.
• The downloadpass.html endpoint does not properly validate and sanitize the URL parameter, allowing injection of an arbitrary link. Successful exploitation by an adversary may result in cleartext password disclosure to the injected link by convincing a victim to navigate to a specially crafted URL, enter their password and submit the form. This vulnerability has been designated CVE-2025-27889 and has been rated low with a CVSS score of 3.4.

The following versions are affected

• Wing FTP Server versions prior to 7.4.4

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.

Are any updates or workarounds available? #

Users are encouraged to update Wing FTP Server to version 7.4.4 or later as quickly as possible.

How to find Wing FTP Server installations with runZero #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=WFTPServer AND product:"Wing FTP Server"

As a follow-up to our recent post on the crucial role of attack surface visibility in M&A, we wanted to demonstrate how to apply runZero in an M&A transaction with a real-world example.

But first — not a hypothetical scenario, but a real runZero customer story. A conglomerate initially planned to use the runZero Platform to assess risk in M&A transactions. Upon completing a deal, they would scan the new subsidiary’s environment to better understand infrastructure risks. This allowed them to quickly identify issues, prioritize critical assets, and address vulnerabilities. Over time, this approach evolved into a full-scale asset discovery and exposure management service, now deployed across all subsidiaries to ensure continuous risk analysis and attack surface visibility.

Now let’s go through a scenario about two fictional companies, RZ Corporation, who is in the process of acquiring ACME Corp.

Example Scenario: RZ Corporation’s Acquisition of ACME Corp #

As in most cases, Legal teams from both organizations have agreed on terms as part of the M&A discussions and as part of those, important considerations has been put in place.

To illustrate the challenges of M&A security due diligence, let’s consider a scenario where RZ Corporation is in the process of acquiring ACME Corp. As is common in such transactions, legal teams from both organizations have negotiated and agreed upon the terms of the acquisition. Alongside these discussions, key considerations have been established to ensure a smooth transition:

ACME Corporation has given RZ Corporation the right to:

• Perform internal and external attack surface discovery to inventory all network connected assets;

• Perform an API integration with no more than three pre-selected solutions (CrowdStrike, Tenable and Wiz);

• Provide access to the data to only a select number of RZ Corp security personnel as part of the security due diligence;

One of the first things to do prior to deploying runZero is agreeing on how the data will be organized, especially with data access requirements in place. There has to be data segregation between the M&A environment and any other tenants. The concept of runZero Organization and Project becomes very important.

Phase 1: Data Organization #

An organization in runZero refers to a distinct entity, which could be a business, a specific department within an organization, or even one of your customers. All actions, tasks, Explorers, scans, and other objects within runZero are associated with a specific organization and are kept separate from one another to ensure proper isolation.

In a similar manner, Projects function as a specialized form of organization, designed for temporary use. While Projects behave like organizations, they offer the added benefit of supporting up to five times the number of project assets as the total number of licensed live assets. For instance, if your runZero license covers 1,000 assets, you can manage up to 5,000 project assets. This feature is particularly valuable when dealing with mergers and acquisitions (M&A) environments, where the asset count may be unknown. The ability to scale up by 5x provides greater flexibility, helping to avoid concerns about exceeding license limits while effectively segregating different environments.

RZ Corporation creates a runZero Project for “ACME Corp” where they will populate all of the attack surface details and is completely separated from RZ Corporation’s attack surface.

An additional critical aspect of segregating M&A data is enforcing a strict need-to-know access policy, ensuring that only a limited number of individuals can access sensitive information. This step is vital for due diligence, as it guarantees that confidential data is shared solely with those who need it to carry out their responsibilities. By limiting access in this way, risks are minimized, and the integrity of the transaction is better protected.

Each runZero Project is equipped with its own role-based access control configuration, allowing not only the separation of data into distinct entities but also the enforcement of specific access permissions. Below is an example of a user, illustrating which Organizations or Projects they have access to and the roles they are permitted to perform within each.

Once the data organization is in place, the next step is to start discovering ACME Corporation. We will be leveraging two out of the three solution approaches, Active scanner and API integration as per the agreement.

Phase 2: Internal, External and Cloud Attack Surface discovery #

We will begin by deploying the runZero active scanner, known as “Explorer,” at ACME Corp. There are multiple deployment options for the Explorer, including shipping a pre-configured Raspberry Pi with the Explorer installed or providing the Explorer binaries to ACME Corp for installation on a system, such as a laptop, server, or desktop. This approach eliminates the need for hardware shipments or the installation of agents on every asset, streamlining the data collection process.

runZero leverages an Explorer to perform the active scanning technology, proprietary unauthenticated active scanner. The Explorer can be installed on a VM server, laptop, desktop or even Raspberry Pi.

Ensuring the right Project is selected called “ACME Corp” and depending on the preferred OS and architecture. In our case we’ll pick a Red Hat Enterprise Linux (RHEL) virtual machine that ACME Corp has allocated for the M&A project and provided the required network access.

For air-gapped networks or environments where an offline data collection is required, runZero offers a command-line tool, CLI scanner, that can be used to discover those assets.

This ensures that regardless of the type of networks, runZero can provide visibility to the attack surface of the M&A organization.

Once the Explorer is deployed, the next step will be managed from the runZero Console to kick-off the network scans. We will start with the internal attack surface and will scan the full RFC1918 to discover all of the assets that exist at ACME Corp. We can also do targeted scans of certain networks that were provided by the M&A organization. Here is a screenshot showing the RFC1918 scan:

After scanning the internal attack surface, RZ Corporation will enhance the runZero active scanner data by integrating with existing security solutions. This integration will involve importing data from CrowdStrike and Tenable through the CrowdStrike Falcon and Tenable Nessus APIs. These integrations will enrich the asset inventory and provide valuable insights into vulnerabilities and software. An additional benefit of the integration is the ability to identify endpoints lacking an EDR agent and/or Vulnerability Management agent/scanner, further strengthening the organization’s security posture.

Next will be discovering ACME Corp’s external attack surface by leveraging runZero’s Hosted Explorer that can scan all of the external IP ranges as well as all of the public IP addresses that were found by the internal scan.

From the scan configuration page below:

• Choose US – New York as the Hosted zone (this is a runZero-hosted Explorer in the cloud).

• In the Discovery scope, enter the following data:

  • public:all: This will scan all the public IPs found with the internal network scanned with runZero.

  • asn4:12345: Enter all ASNs in this format to target all IP addresses registered to this ASN. Note the digit 4 after ASN in the notation.

  • domain:acme.org: Add all domains that you are targeting. runZero will add all subdomains connected to these domains.

Finally we will be covering the Cloud attack surface to complement the full ACME Corp environment and complete the visibility portion. We will leverage the API integration with AWS to pull in all of the cloud assets that exist in all of the accounts that belong at ACME Corp.

Once the integration is complete and the cloud asset inventory is established, we will proceed with a comprehensive external discovery of all publicly facing cloud assets. Using runZero, RZ Corporation can create a custom discovery scope that includes all AWS assets configured with a public IP range, as demonstrated in the query result below. This approach ensures a thorough assessment of external exposure across the organization’s cloud infrastructure.

source:aws and has_public:t

You can quickly kick-off an external scan task with all of the public IP ranges returned from the query above by selecting all of the resulting assets and clicking “Scan”.

Phase 3: Post-discovery review #

Dashboards & Outliers #

runZero’s goal is to empower security teams to fully manage the risk lifecycle: finding, prioritizing, and remediating all classes of exposures across internal and external attack surfaces, all in one place. As a single source of truth for exposure management across all of your M&A organizations.

Having the ability to highlight key post-discovery exposures and findings are critical to assess and understand the risk of ACME Corp

Typically one of the first available resources that our customers leverage for due diligence are Dashboards. They provide a customizable, visual view into your attack surface and can be created to serve different use cases such as compliance, vulnerability remediation, or asset visibility.

The Risk Management Dashboard is your centralized hub for taking action on risks, delivering actionable, data-driven insights with advanced findings widgets and customizable visualizations. As a cornerstone of runZero’s holistic exposure management, it provides comprehensive visibility and actionable context to help your team minimize exploitability windows, optimize resources, and reduce operational risks.

A wide range of visualization widgets is available to display operational information, trends, insights, goals, sources, and the most and least observed data. Additionally, you can create custom widgets based on specific queries to surface the exact data you need, which can be displayed as either a trend line or a latest count.

The Risk Management dashboard streamlines the entire risk management and remediation lifecycle by organizing exposures by type, mapping them to affected assets and services, applying context-driven criticality, and enabling tracking over time.

Let’s drill down a bit further into the Dashboard data. While exploring the available dashboard widgets, we focused on the Operating Systems and Type widgets, which provide a side-by-side comparison of the most and least observed OS/Type instances.

In the OS breakdown, we identified a few Hikvision cameras, which are listed as prohibited vendors for RZ Corporation due to NDA Section 889, as well as some legacy operating systems, such as Microsoft Windows CE.

As for the Type breakdown, nothing alarming jumped at first, but might require a bit more analysis, specially with the likes of Camera and DVR, making sure that those types of devices are being monitored by the ACME Corp security team or at least aware of it.

The breakdown of least seen and most seen dashboard widgets for the different datapoints (there are also breakdowns for Products, Protocols, MAC vendors to name a few) are very good at finding Outliers or anomalies in the network that are typically unmanaged or missed by security teams. Helping pinpoint what should be investigated first by the due diligence team.

runZero also offers the ability to create custom widgets, enabling users to track key metrics across their attack surface. Customers often configure different dashboards tailored to the specific aspects of the attack surface that are most relevant to their needs, such as Incident Response, Attack Surface Management, or M&A activities. runZero delivers the visibility and insights necessary to ensure that any security program or use case effectively covers the entire attack surface.

Reports #

Some of the out-of-the-box reports that are leveraged during due diligence are the External Asset Report and the Organization Overview Report.

The External assets report provides a point in time overview of your external assets. It shows all external facing assets and services in the organization.

The Organization Overview report offers a snapshot of the entire organization at a specific point in time, including details on the types of assets discovered and, optionally, information on each asset, such as screenshots. This report is valuable for internal stakeholders, providing an at-a-glance understanding of the attack surface’s state at any given moment. It can also be scheduled for regular distribution (weekly, monthly, quarterly, etc.) to key stakeholders who need to review the report.

Inventory and Queries #

One of the unique propositions that runZero offers is the full depth and breadth of your total attack surface. The platform delivers superior visibility across IT, OT, IoT across on-prem, external, remote and cloud environments ensuring you have a complete understanding of your assets and their risk. runZero’s advanced fingerprinting goes deeper to uncover critical insights into services, connections, ownership, hygiene and more, building detailed profiles of each asset leveraging a library of almost 1,000 attributes. This unparalleled level of detail provides the insights you need to clearly understand what’s in your environment, identify vulnerabilities, expose risks, and act quickly to secure your networks.

Here we are showing an asset details page scanned by a runZero Explorer and not found in other security platforms we integrated with. As you can see, the level of details collected by the unauthenticated active scanner is second to none, providing insight into OS, Type, Hardware as well as additional information.

The following asset has been scanned by the runZero Explorer but also found in ACME Corp current tools (CrowdStrike/Tenable Nessus/AWS). runZero doesn’t only show the Explorer collect details but also cross references the datapoints from the 3rd party integration so at any time, users can view the CrowdStrike attributes, or Tenable Nessus attributes straight from the runZero Console without having to jump between 3 to 4 different consoles.

The screenshots above only show a section of the asset details page, more information is available such as what vulnerabilities are impacting that asset, what software is installed and what services/protocols/ports are exposed on the network.

Due to runZero’s unique ability to combine safe active scanning, passive discovery and API integrations, RZ Corporation is able to understand blind spots, or assets that are missing critical security controls. Examples are what compute endpoints are missing the Crowdstrike agent that should have it.

The below query surfaces unmanaged endpoints that were not managed by Crowdstrike that runZero’s Explorer found in ACME Corp’s network.

source:runzero AND NOT source:Crowdstrike (type:server or type:desktop or type:laptop or type:mobile)

From the runZero console the results of the query shows you the list of assets that match:

Another exposure that RZ Corporation were keen to uncover were whether there are any risky or mis-configured assets such as potential bridges. Essentially assets bridging public and private networks but also running any remote management protocols such as RDP with an end-of-life operating system.

has_public:t and has_private:t and has_os_eol:t and protocol:rdp

The same query can be used in conjunction with runZero’s Network Bridges report that represents the resulting assets in a topology format. Please refer to this blog post that speaks to how runZero finds unmanaged devices for more details.

Latest Phoenix Contact vulnerabilities #

In July 2025, Phoenix Contact disclosed vulnerabilities in certain models and versions of their AC charging controller and Programmable Logic Controller (PLC) firmware.

July 2025: AC charging controller vulnerabilities #

Nine vulnerabilities have been disclosed, across two advisories VDE-2025-019 and VDE-2025-014, in certain models and versions of Phoenix Contact CHARX SEC-3XXX series AC charging controller firmware.

• An unauthenticated remote adversary can alter the device configuration in a way to achieve remote code execution as the root user with specific configurations. This vulnerability has been designated CVE-2025-25270 and has been rated critical with a CVSS score of 9.8.
• An unauthenticated adjacent adversary can modify device configuration by sending specific requests to an API endpoint resulting in read and write access due to missing authentication. This vulnerability has been designated CVE-2025-25268 and has been rated high with a CVSS score of 8.8.
• An unauthenticated adjacent adversary can configure a new OCPP backend due to insecure defaults for the configuration interface. This vulnerability has been designated CVE-2025-25271 and has been rated high with a CVSS score of 8.8.
• An unauthenticated local adversary can inject a command that is subsequently executed as the root user, leading to a privilege escalation. This vulnerability has been designated CVE-2025-25269 and has been rated high with a CVSS score of 8.4.
• An unauthenticated remote adversary can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for only EichrechtAgents and potential denial-of-service (DoS) for these stations. This vulnerability has been designated CVE-2025-24003 and has been rated high with a CVSS score of 8.2.
• A local adversary with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. This vulnerability has been designated CVE-2025-24005 and has been rated high with a CVSS score of 7.8.
• A low-privileged local adversary can leverage insecure permissions via SSH on the affected devices to escalate privileges to root. This vulnerability has been designated CVE-2025-24006 and has been rated high with a CVSS score of 7.8.
• An unauthenticated remote adversary can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service (DoS) for the stations until they are restarted by the watchdog service. This vulnerability has been designated CVE-2025-24002 and has been rated medium with a CVSS score of 5.3.
• An adversary with physical access to the device can send a message to the device via the USB-C configuration interface which triggers an unsecure copy to a buffer resulting in loss of integrity and a temporary denial-of-service (DoS) for the stations until they are restarted by the watchdog service. This vulnerability has been designated CVE-2025-24004 and has been rated medium with a CVSS score of 5.3.

The following models and versions are affected

• CHARX SEC-3000 firmware versions before 1.7.3
• CHARX SEC-3050 firmware versions before 1.7.3
• CHARX SEC-3100 firmware versions before 1.7.3
• CHARX SEC-3150 firmware versions before 1.7.3
• CHARX SEC-3000 firmware versions through 1.6.5
• CHARX SEC-3050 firmware versions through 1.6.5
• CHARX SEC-3100 firmware versions through 1.6.5
• CHARX SEC-3150 firmware versions through 1.6.5

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable device, potentially leading to complete system compromise.

Are any updates or workarounds available? #

Phoenix Contact has released updates to fix most of these issues. Users are encouraged to update to the latest firmware version 1.7.3 as quickly as possible, which fixes all but three vulnerabilities (CVE-2025-24002, CVE-2025-24003 and CVE-2025-24004) related to the German Calibration Law (Eichrecht) functionality in firmware versions through 1.6.5. There is no vendor planned fix for these three issues.

• CHARX SEC-3000 upgrade to firmware version 1.7.3 or later
• CHARX SEC-3050 upgrade to firmware version 1.7.3 or later
• CHARX SEC-3100 upgrade to firmware version 1.7.3 or later
• CHARX SEC-3150 upgrade to firmware version 1.7.3 or later

How to find affected Phoenix Contact AC charging controllers with runZero #

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Phoenix Contact CHARX SEC-3000" OR hw:="Phoenix Contact CHARX SEC-3050" OR hw:="Phoenix Contact CHARX SEC-3100" OR hw:="Phoenix Contact CHARX SEC-3150"

July 2025: Programmable Logic Controller vulnerabilities #

Four vulnerabilities have been disclosed in certain models and versions of Phoenix Contact Programmable Logic Controller (PLC) PLCnext firmware.

• A low-privileged remote adversary is able to trigger the watchdog service to reboot the device due to incorrect default permissions of a config file. The vulnerability may be used to perform denial-of-service (DoS) attacks against the device or to gain unauthorized access by triggering the vulnerabilities identified below. This vulnerability has been designated CVE-2025-41665 and has been rated medium with a CVSS score of 6.5.
• A low-privileged remote adversary with file access is able to replace a critical file used by the watchdog service. Once the watchdog service has been initialized the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41666 and has been rated high with a CVSS score of 8.8.
• A low-privileged remote adversary with file access is able to replace a critical file used by the arp-preinit script. Through replacing the critical file the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41667 and has been rated high with a CVSS score of 8.8.
• A low-privileged remote adversary with file access is able to replace a critical file or directory used by the security-profile service. Through replacing the critical file or directory the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41668 and has been rated high with a CVSS score of 8.8.
• In addition, multiple vulnerabilities exist in Linux components within the device firmware. Please refer to VDE-2025-053 for the extensive list.

The following models and versions are affected:

• AXC F 1152 firmware versions before 2025.0.2
• AXC F 2152 firmware versions before 2025.0.2
• AXC F 3152 firmware versions before 2025.0.2
• BPC 9102S firmware versions before 2025.0.2
• RFC 4072S firmware versions before 2025.0.2

What is the impact? #

Successful exploitation of CVE-2025-41665 would allow an adversary to perform denial-of-service (DoS) attacks against the device, but in combination with CVE-2025-41666, CVE-2025-41667 or CVE-2025-41668 an adversary may gain full control over the device.

Are any updates or workarounds available? #

Phoenix Contact has released updates to fix these issues. Users are encouraged to update to the latest firmware version as quickly as possible.

• AXC F 1152 upgrade to firmware version 2025.0.2 or later
• AXC F 2152 upgrade to firmware version 2025.0.2 or later
• AXC F 3152 upgrade to firmware version 2025.0.2 or later
• BPC 9102S upgrade to firmware version 2025.0.2 or later
• RFC 4072S upgrade to firmware version 2025.0.2 or later

How to find affected Phoenix Contact PLC devices with runZero #

From the Asset Inventory, use the following query to locate potentially impacted assets:

hw:="Phoenix Contact AXC F 1152" OR hw:="Phoenix Contact AXC F 2152" OR hw:="Phoenix Contact AXC F 3152" OR hw:="Phoenix Contact BPC 9102S" OR hw:="Phoenix Contact RFC 4072S"

Latest Microsoft SQL Server vulnerabilities #

Microsoft has disclosed three vulnerabilities in certain versions of Microsoft SQL Server:

• SQL Server is affected by a heap-based buffer overflow vulnerability that may allow an authorized adversary to escape the SQL server context and remotely execute code on the target host. Successful exploitation of the vulnerability requires the adversary to prepare the target environment prior to executing a specially crafted query. This vulnerability has been designated CVE-2025-49717 and has been rated high with a CVSS score of 8.5.
• SQL Server is affected by an information disclosure vulnerability due its use of an uninitialized resource. Successful exploitation may allow an unauthorized adversary to remotely inspect heap memory from a privileged process running on the target host. This vulnerability has been designated CVE-2025-49718 and has been rated high with a CVSS score of 7.5.
• SQL Server is affected by an information disclosure vulnerability due to improper input validation. Successful exploitation may allow an unauthorized adversary to remotely inspect uninitialized memory on the target host. This vulnerability has been designated CVE-2025-49719 and has been rated high with a CVSS score of 7.5.

It may be possible that the information returned via CVE-2025-49718 and CVE-2025-49719 could aid in the successful exploitation of CVE-2025-49717, as these vulnerabilities may be useful for disclosing sensitive authentication information or for manipulating heap memory to be more amenable to exploitation.

The following versions are affected by CVE-2025-49717 and CVE-2025-49718

• Microsoft SQL Server 2019 (GDR) versions 15.x prior to 15.0.2135.5
• Microsoft SQL Server 2019 (CU 32) versions 15.x prior to 15.0.4435.7
• Microsoft SQL Server 2022 (GDR) versions 16.x prior to 16.0.4200.1
• Microsoft SQL Server 2022 (CU 19) versions 16.x prior to 16.0.1140.6

The following versions are affected by CVE-2025-49719

• Microsoft SQL Server 2016 for Service Pack 2 (GDR) versions 13.x prior to 13.0.6460.7
• Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack versions 13.x prior to 13.0.7055.9
• Microsoft SQL Server 2017 (GDR) versions 14.x prior to 14.0.2075.8
• Microsoft SQL Server 2017 (CU 31) versions 14.x prior to 14.0.3495.9
• Microsoft SQL Server 2019 (GDR) versions 15.x prior to 15.0.2135.5
• Microsoft SQL Server 2019 (CU 32) versions 15.x prior to 15.0.4435.7
• Microsoft SQL Server 2022 (GDR) versions 16.x prior to 16.0.4200.1
• Microsoft SQL Server 2022 (CU 19) versions 16.x prior to 16.0.1140.6

What is the impact? #

Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise, or leak sensitive information.

Are any updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible.

• Microsoft SQL Server 2016 for Service Pack 2 (GDR) upgrade to version 13.0.6460.7 or later
• Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack upgrade to version 13.0.7055.9 or later
• Microsoft SQL Server 2017 (GDR) upgrade to version 14.0.2075.8 or later
• Microsoft SQL Server 2017 (CU 31) upgrade to version 14.0.3495.9 or later
• Microsoft SQL Server 2019 (GDR) upgrade to version 15.0.2135.5 or later
• Microsoft SQL Server 2019 (CU 32) upgrade to version 15.0.4435.7 or later
• Microsoft SQL Server 2022 (GDR) upgrade to version 16.0.4200.1 or later
• Microsoft SQL Server 2022 (CU 19) upgrade to version 16.0.1140.6 or later

If the SQL Server version is not represented above then it is no longer supported. It is advised users upgrade their software to the latest Service Pack or SQL Server product in order to apply current and future security updates.

How do I find Microsoft SQL Server installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted assets:

vendor:=Microsoft AND (product:="SQL Server"  OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.7055.9) OR (version:>=14.0.0 AND version:<14.0.3495.9) OR (version:>=15.0.0 AND version:<15.0.4435.7) OR (version:>=16.0.0 AND version:<16.0.4200.1))

Mergers and acquisitions (M&A) are accelerating across industries, with companies racing to gain market share, adopt new technologies, and outpace competitors. Global M&A value nearly doubled in a decade, rising from $2.4T in 2010 to over $5T in 2021.

But with compressed timelines and rising stakes, security teams face mounting pressure to move fast — often with incomplete information. Cybersecurity is no longer just a checkpoint in M&A. It’s a critical component. Hidden vulnerabilities, unknown assets, and compliance gaps can derail even the most strategic deals. 80% of organizations said that previously unknown or undisclosed cybersecurity risks were uncovered during the integration process. That’s too late. 

In this post, we explore how security teams can facilitate a successful M&A — and how runZero can help.

Align Your Stakeholders #

Security due diligence isn’t the responsibility of one team. It’s a collaborative effort across business, legal, and technical functions, all of whom bring different lenses to the risks that could be inherited. Here are the key stakeholders, and the roles they play:

Key stakeholders include:

• Information Security Teams evaluate the target’s cybersecurity posture, uncover vulnerabilities, review incident history, and assess exposure.

• Legal and Compliance ensure alignment with data privacy regulations (e.g., GDPR, HIPAA, CCPA) and identify areas of potential legal risk.

• CIO & CISO lead the technical and security evaluation of the target and align security findings with integration planning.

• Chief Risk Officer & General Counsel oversee broader risk management, regulatory exposure, and reputational impact.

These teams must work together — quickly and decisively — to understand the full scope of the target’s cyber risk. But to do that, they need one thing above all: visibility.

How to Navigate the Visibility Challenge #

Modern M&A deals move fast, and traditional security tools can’t keep up. Compressed timelines and limited documentation often leave security teams with an incomplete view of the target’s environment — especially across nontraditional assets like IoT, OT, remote devices, and cloud infrastructure.

The visibility gap is real:

Sources: Forward Network Insights, Forescout, Fortinet, Business Wire, Myriad360.

Legacy solutions typically focus on managed IT assets and overlook everything else. Many rely on siloed tools that don’t integrate, leaving teams to manually stitch together fragmented data. They struggle to detect remote endpoints and unmanaged devices, OT and IoT assets, air-gapped environments and external facing infrastructure.

The result? Blind spots, missed vulnerabilities, and costly surprises post-acquisition.

M&A activity instantly expands an organization’s attack surface, increasing exposure to:

• Outdated and unpatched systems
• Misconfigured infrastructure
• Devices that may already be compromised
• Compliance failures and unknown risks
• Shadow IT and unmanaged technology

And once the acquisition is finalized, these risks become your responsibility. Without proactive, full-spectrum discovery, organizations may face:

• Data breaches
• Operational disruptions
• Regulatory penalties
• Delayed IT integration and inflated post-deal costs

In today’s high-pressure environment, the lack of visibility makes it even harder to identify these threats in time to act. To fully assess risk and protect your investment, security teams need real-time, unified visibility across every environment — without agents, credentials, or installed software.

The runZero Advantage #

runZero is a Total Attack Surface and Exposure Management solution built for speed, depth, and coverage, delivering the visibility needed to support M&A cyber due diligence across all environments.

With runZero, security teams get:

• Active scanning: Proprietary scanning identifies assets in both online and air-gapped networks. These scans are designed to be safe and non-intrusive, ensuring minimal impact on network performance and device operations.
  • Hosted Explorer: For discovering internet-facing assets.
  • CLI Scanner: Ideal for disconnected environments — no runZero Console required.

• Passive discovery: Captures network traffic to identify devices without actively probing them.
• Third-party API integrations: Pulls data from EDR, MDM, network management systems, and vulnerability tools to enrich asset context.
• Advanced fingerprinting: Uncovers OS, services, misconfigurations, and security posture—without credentials.

This multifaceted approach uncovers hidden risks, eliminates blind spots, and empowers security teams to:

• Accurately identify assets before the deal closes
• Prioritize real risks over noisy vulnerabilities
• Avoid costly surprises post-acquisition
• Work faster and smarter across legal, compliance, and risk teams