Three vulnerabilities have been disclosed in certain versions of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote adversary to execute commands on the underlying operating system as the root user. There is evidence that these vulnerabilities are being actively exploited in the wild.
Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20281 and has been rated critical with a CVSS score of 9.8.
Cisco ISE and Cisco ISE-PIC are at risk of an improper privilege management vulnerability in an internal API due to a lack of file validation checks to prevent uploaded files from being stored in privileged directories on an affected system. This could allow an unauthenticated, remote adversary to upload arbitrary files to an affected device and then execute those files on the underlying operating system as the root user. Successful exploitation could allow the adversary to store malicious files on an affected system and then execute arbitrary code or obtain root privileges on an affected device. This vulnerability has been designated CVE-2025-20282 and has been rated critical with a CVSS score of 10.0.
Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20337 and has been rated critical with a CVSS score of 10.0.
The following versions are affected:
Cisco ISE or ISE-PIC release 3.3 prior to version 3.3 Patch 7
Cisco ISE or ISE-PIC release 3.4 prior to version 3.4 Patch 2
Cisco has released updates in the form of patches for releases 3.3 and 3.4. Users should update to the latest version of the affected software.
Cisco ISE or ISE-PIC release 3.3 to version 3.3 Patch 7 and later releases
Cisco ISE or ISE-PIC release 3.4 to version 3.4 Patch 2 and later releases
Since the initial (version 1.0) advisory publication, Cisco released an improved fix for release 3.3 and recommends upgrading as follows:
Release 3.3 Patch 6 should be upgraded to Release 3.3 Patch 7
Hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should be upgraded to Release 3.3 Patch 7 or Release 3.4 Patch 2
How do I find Cisco ISE installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted installations:
vendor:="Cisco" AND product:="Identity Services Engine"
A vulnerability has been disclosed in certain cloud-deployed versions of Cisco Identity Services Engine (ISE) in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability exists due to improper credential generation in cloud platform deployments resulting in shared credentials across deployments based on release and cloud platform.
It is important to note that Cisco ISE is affected by this vulnerability when the Primary Administration node is deployed in the cloud. An on-premises Primary Administration node is not affected.
The following platforms and versions are affected:
AWS Cisco ISE 3.1, 3.2, 3.3 and 3.4
Azure Cisco ISE 3.2, 3.3 and 3.4
OCI Cisco ISE 3.2, 3.3 and 3.4
This vulnerability has been designated CVE-2025-20286 and has a CVSS score of 9.9 (critical).
Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network, without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SharePoint Server deserializes untrusted data without sufficiently ensuring that the resulting data will be valid resulting in a remote code execution (RCE) vulnerability. The vulnerability allows an unauthenticated adversary to remotely execute code on the vulnerable server. This vulnerability has been designated CVE-2025-53770 and has been rated critical with a CVSS score of 9.8. This vulnerability is a variant of a remote code execution vulnerability designated CVE-2025-49704 that was patched earlier this month. There is evidence that this vulnerability is being actively exploited in the wild.
SharePoint Server improperly limits a pathname to a restricted directory allowing path traversal in Microsoft Office SharePoint resulting in a spoofing vulnerability. The vulnerability allows an authorized adversary to perform spoofing over a network. This vulnerability has been designated CVE-2025-53771 and has been rated medium with a CVSS score of 6.3. This vulnerability is a variant of a spoofing vulnerability designated CVE-2025-49706 that was patched earlier this month.
The following versions are affected:
Microsoft SharePoint Enterprise Server 2016 versions currently unknown
Microsoft SharePoint Server 2019 versions currently unknown
Microsoft SharePoint Server Subscription Edition versions 16.0.0 prior to 16.0.18526.20508
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
As of 7/20/2025 security updates are available for Microsoft SharePoint Server Subscription Edition. A patch is currently unavailable for other affected versions, but Microsoft is actively working on a security update.
Mitigate attacks against on-premises SharePoint Server environments by configuring the Windows Antimalware Scan Interface (AMSI) integration in SharePoint and deploying Defender AV on all SharePoint servers. This should stop an unauthenticated adversary from successfully exploiting the vulnerability.
Rotate SharePoint Server ASP.NET machine keys.
Upgrade affected systems to the new versions when a patch is available.
How do I find Microsoft SharePoint Server installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:="Microsoft" AND product:="SharePoint Server%"
German Cybersecurity Specialist Appointed as Primary Distributor for runZero to Drive Expansion in the DACH-Region
London, United Kingdom – July 24, 2025 – runZero, a leader in exposure management, today announced a strategic partnership with Aqaio, a German value-added distributor specializing in advanced IT security solutions. As runZero’s primary channel partner in Germany, Aqaio will spearhead regional growth efforts by delivering runZero’s expanded exposure management platform to organizations navigating today’s increasingly complex cyber threat landscape.
This alliance represents a significant milestone in runZero’s wider EMEA growth strategy. Leveraging Aqaio’s deep market expertise and established channel network, runZero can now accelerate its European expansion while offering localized support tailored to the specific needs of German organizations.
Partnership highlights include:
Localized Expertise: Aqaio brings in-depth knowledge of the German cybersecurity market, enabling specialized customer engagement and faster time-to-value.
Expanded Channel Reach: A top-tier network of resellers and systems integrators gain access to runZero’s powerful exposure management platform, enabling them to offer comprehensive proactive cyber defense to their end customers.
Streamlined Distribution and Support: Aqaio will facilitate seamless implementation via dedicated consulting, logistics, and certified training services for partners and end users.
“This partnership with runZero is a strategic win for our channel ecosystem,” said Richard Hellmeier, CEO at Aqaio. “They are no longer selling just another product — they’re delivering a vital capability. runZero’s technology is fast to deploy, easy to integrate, and solves a foundational security challenge. It aligns perfectly with our mission to deliver holistic and forward-looking solutions to the market.”
“In today’s rapidly shifting threat landscape, partnerships like this are essential to delivering resilient, scalable cybersecurity,” said Joe Taborek, Chief Revenue Officer at runZero. “Aqaio’s proven expertise and reach across the German market empower us to extend access to the runZero Platform and strengthen cyber readiness from the ground up. Together, we’re helping build a safer, smarter digital future.”
About Aqaio
Aqaio partners with resellers, system integrators, and OEMs. We focus on new technological developments, which we supplement and expand with complementary solutions from market and technology leaders in the IT security field. We also provide 2nd level support and training for our partners and their end-customers. The product portfolio consists of high-end IT products that complement each other and can be combined to create integrated solutions. Additionally, Aqaio offers services such as consulting, marketing support, logistics, training, and technical support. For more information, visit: https://aqaio.com/
Broadcom has disclosed four vulnerabilities in certain versions of VMware ESXi, Workstation, Fusion, and Tools that, when combined, allow an adversary who already has privileged access (administrator or root) in a VM’s guest OS or has compromised a VM’s guest OS or services and gained privileged access to escape into the hypervisor and execute arbitrary code on the vulnerable system.
VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability due to an out-of-bounds write in the VMXNET3 virtual network adapter. An adversary with local administrative privileges on a virtual machine with the VMXNET3 virtual network adapter may exploit the vulnerability and execute arbitrary code on the host. Non-VMXNET3 virtual adapters are not affected by the vulnerability. This vulnerability has been designated CVE-2025-41236 and has been rated critical with a CVSS score of 9.3.
VMware ESXi, Workstation, and Fusion contain an integer-underflow vulnerability due to an out-of-bounds write in the VMCI (Virtual Machine Communication Interface). An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and execute arbitrary code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the Workstation or Fusion host machine. This vulnerability has been designated CVE-2025-41237 and has been rated critical with a CVSS score of 9.3.
VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out-of-bounds write. An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and execute arbitrary code as the virtual machine’s VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and is exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the Workstation or Fusion host machine. This vulnerability has been designated CVE-2025-41238 and has been rated critical with a CVSS score of 9.3.
VMware ESXi, Workstation, Fusion, and VMware Tools contain an information disclosure vulnerability due to the use of uninitialised memory in vSockets. An adversary with local administrative privileges on a virtual machine may exploit the vulnerability and leak memory from processes communicating with vSockets. This vulnerability has been designated CVE-2025-41239 and has been rated high with a CVSS score of 7.1.
The following versions are affected:
VMware ESXi versions 7.0 prior to 7.0.3 build-24784741
VMware ESXi versions 8.0 prior to 8.0.2 build-24789317
VMware ESXi versions 8.0 prior to 8.0.3 build-24784735
VMware Workstation version 17.x prior to 17.6.4
VMware Fusion version 13.x prior to 13.6.4
VMware Tools on Windows version 11.x.x or 12.x.x prior to 12.5.3
VMware Tools on Windows version 13.x.x prior to 13.0.1.0
Successful exploitation of these vulnerabilities would allow an adversary with privileged access in a VM’s guest OS to escape into the hypervisor and execute arbitrary code on the vulnerable system, potentially leading to complete system compromise.
VMware has released updates for supported versions of the impacted products to address these vulnerabilities. All users are urged to update as quickly as possible.
From the Asset Inventory, use the following query to locate assets running vulnerable versions of VMware ESXi:
os:"vmware esxi" AND ((os_version:>7 AND os_version:<"7.0.3 build-24784741") OR (os_version:>8 AND (os_version:<"8.0.2 build-24789317" OR os_version:<"8.0.3 build-24784735")))
Vulnerable versions of Workstation and Fusion can be found in the Software inventory using the following query:
vendor:vmware AND ((product:Workstation AND version:<17.6.4) OR (product:Fusion AND version:<13.6.4))
All versions of Workstation and Fusion can be found in the Software inventory using the following query:
vendor:vmware AND (product:Workstation OR product:Fusion)
March 2025: (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) #
On March 4th, 2025, Broadcom disclosed several vulnerabilities in all versions of its VMware ESXi, Workstation, and Fusion products. They also indicated that these are known to be exploited in the wild. Public information indicates that these vulnerabilities are potentially being leveraged by ransomware groups.
CVE-2025-22224 is rated critical with a CVSSv3 base score of 9.3. Successful exploitation of this vulnerability would allow a local administrative user in a guest virtual machine to execute arbitrary code as the guest virtual machine’s VMX process on a vulnerable host system. Impacts VMware ESXi and Workstation.
CVE-2025-22225 is rated important with a CVSSv3 base score of 8.2. Successful exploitation of this vulnerability would allow a malicious actor with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox. Impacts VMware ESXi.
CVE-2025-22226 is rated important with a CVSSv3 base score of 7.1. Successful exploitation of this vulnerability would allow a local administrative user in a guest virtual machine to leak memory from the VMX process on a vulnerable host system. Impacts VMware ESXi, Workstation, and Fusion.
Upon successful exploitation of these vulnerabilities, an attacker with administrative rights in a guest virtual machine would be able to perform a VM Escape and execute code on the hypervisor host.
VMware has released updates for supported versions of the impacted products to address these vulnerabilities. All users are urged to update as quickly as possible. Users of unsupported versions should review the download portals for their product to see if Broadcom has made patches available. They have reportedly done so for VMware ESXi 6.5 and 6.7. That said, Broadcom strongly encourages all customers using vSphere 6.5 and 6.7 to update to vSphere 8.
From the Asset Inventory, use the following query to locate assets running vulnerable versions of VMware ESXi:
os:"vmware esxi" AND (os_version:<6 OR (os_version:>6 AND os_version:<"6.7.0 build-24514018") OR (os_version:>7 AND os_version:<"7.0.3 build-24585291") OR (os_version:>8 AND os_version:<"8.0.2") OR (os_version:>"8.0.2" AND os_version:<"8.0.2 build-24585300") OR (os_version:>"8.0.3" AND os_version:<"8.0.3 build-24585383"))
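The version-range conditions in this query and in the July 2025 ESXi query above encode the same rule: a host is exposed when its release line is older than the fixed release, or when it is on the fixed release but below the first fixed build. The following Python is an added example written for this page (it is not runZero or Broadcom code): it parses os_version strings of the form "X.Y.Z build-N", compares release and build numerically against the fixed builds listed in the two advisories, and classifies a constructed sample inventory. The hostnames and the build numbers not taken from the advisories are made up for the demo.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

Release = Tuple[int, int, int]


class EsxiVersion(NamedTuple):
    release: Release          # (major, minor, update), e.g. (7, 0, 3)
    build: Optional[int]      # build number, or None if the banner omitted it


# Matches the os_version form used in the inventory queries: "8.0.3 build-24784735".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+build-(\d+))?\s*$")


def parse_esxi_version(text: str) -> EsxiVersion:
    """Parse 'X.Y.Z [build-N]' into numeric parts so builds compare as integers."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ESXi version string: {text!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    build = int(m.group(4)) if m.group(4) else None
    return EsxiVersion(release, build)


# First fixed build per release line, taken from the two advisories on this page.
FIXED_BUILDS_JULY_2025: Dict[Release, int] = {
    (7, 0, 3): 24784741,
    (8, 0, 2): 24789317,
    (8, 0, 3): 24784735,
}
FIXED_BUILDS_MARCH_2025: Dict[Release, int] = {
    (6, 7, 0): 24514018,
    (7, 0, 3): 24585291,
    (8, 0, 2): 24585300,
    (8, 0, 3): 24585383,
}


def classify_esxi(text: str, fixed: Dict[Release, int] = FIXED_BUILDS_JULY_2025) -> str:
    """Classify one host's version string against a fixed-build table.

    'vulnerable'           release older than the fixed release line, or same
                           release with a build below the fixed build
    'patched'              same release, build at or above the fixed build
    'unknown-build'        release matches but no build number was reported
    'newer-than-advisory'  release newer than any line the advisory lists
    'unsupported-release'  major version absent from the table (e.g. 6.x in July 2025)
    """
    v = parse_esxi_version(text)
    same_major = sorted(rel for rel in fixed if rel[0] == v.release[0])
    if not same_major:
        return "unsupported-release"
    if v.release not in fixed:
        return "vulnerable" if v.release < same_major[-1] else "newer-than-advisory"
    if v.build is None:
        return "unknown-build"
    return "patched" if v.build >= fixed[v.release] else "vulnerable"


# Constructed sample inventory: hostnames and the builds not listed in the
# advisories are made up for this demo.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("esx-01", "7.0.3 build-24784741"),   # exactly the July 2025 fixed build
    ("esx-02", "7.0.3 build-24585291"),   # carries the March 2025 fix only
    ("esx-03", "8.0.2 build-24789317"),
    ("esx-04", "8.0.3 build-24022510"),   # made-up older 8.0.3 build
    ("esx-05", "8.0.1 build-21495797"),   # update level below both fixed 8.0.x lines
    ("esx-06", "6.7.0 build-24514018"),   # 6.7 is not in the July 2025 table
    ("esx-07", "8.0.3"),                  # banner without a build number
]


def vulnerable_hosts(inventory, fixed=FIXED_BUILDS_JULY_2025) -> List[str]:
    """Hostnames whose version classifies as vulnerable against the given table."""
    return [name for name, ver in inventory if classify_esxi(ver, fixed) == "vulnerable"]


if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY:
        print(f"{name:8} {ver:26} {classify_esxi(ver)}")
    print("needs patching (July 2025):", vulnerable_hosts(SAMPLE_INVENTORY))
```

The example compares builds as integers; a lexicographic comparison of "build-N" suffixes only orders correctly while every build number has the same number of digits. Hosts that land in "unknown-build" (a banner without a build number) cannot be cleared by version alone and should be checked on the host itself, and "unsupported-release" hosts need the out-of-support handling the advisory describes rather than a build comparison.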
Additionally, using the runZero VMware integration, use the following Asset Inventory query to locate virtual machines running inside VMware, which could be potential sources of exploitation:
source:vmware
Vulnerable versions of Workstation and Fusion can be found in the Software inventory using the following query:
vendor:vmware AND ((product:Workstation AND version:<17.6.3) OR (product:Fusion AND version:<13.6.3))
All versions of Workstation and Fusion can be found in the Software inventory using the following query:
vendor:vmware AND (product:Workstation OR product:Fusion)
Broadcom has disclosed a vulnerability in their ESXi product in which members of a particular Active Directory domain group are granted full administrative access to the ESXi hypervisor host by default, without proper validation of that group.
CVE-2024-37085 is rated medium with a CVSS score of 6.8 and allows an attacker with sufficient Active Directory (AD) permissions to bypass authentication.
A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESX Admins’ by default) after it was deleted from AD. The three ways this can be exploited are:
1. Creating the AD group ‘ESX Admins’ in the domain and adding a user to it (known to be exploited in the wild)
2. Renaming another AD group in the domain to ‘ESX Admins’ and adding a new or existing user to it
3. Refreshing the privileges in the ESXi hypervisor when the ‘ESX Admins’ group is unassigned as the management group.
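The first two paths above leave a trace in domain controller Security logs: a group being created with the management group's name, or an existing group being renamed to it, followed by a membership change. The Python below is an added example for this page, not runZero or Broadcom code. The event IDs are the real Windows Security audit IDs for group creation (4727/4731/4754), member addition (4728/4732/4756) and account rename (4781); the field names follow the Windows event data schema, but the records are simplified dicts rather than raw event XML, and the sample events are constructed for the demo.

```python
from typing import Dict, List, Tuple

# Default management group name from the advisory. Matching is case-insensitive
# as a defensive choice so a rename differing only in case is not missed.
WATCHED_GROUP = "ESX Admins"

# Windows Security audit event IDs (real values); group scope is global,
# domain-local and universal respectively.
GROUP_CREATED = {4727, 4731, 4754}
MEMBER_ADDED = {4728, 4732, 4756}
ACCOUNT_RENAMED = 4781          # "The name of an account was changed" (also groups)

Event = Dict[str, object]
Finding = Tuple[str, str, str, str]   # (time, kind, actor, detail)


def _is_watched(name: object) -> bool:
    return isinstance(name, str) and name.strip().casefold() == WATCHED_GROUP.casefold()


def detect_esx_admins_activity(events: List[Event]) -> List[Finding]:
    """Flag creation of, renames to, and membership additions on the watched group.

    Records are assumed to be flat dicts keyed by the event data field names
    (TargetUserName, MemberName, OldTargetUserName, NewTargetUserName,
    SubjectUserName), which is a simplification of the real event XML.
    """
    findings: List[Finding] = []
    for ev in events:
        eid = ev.get("EventID")
        actor = str(ev.get("SubjectUserName", "?"))
        when = str(ev.get("TimeCreated", "?"))
        if eid in GROUP_CREATED and _is_watched(ev.get("TargetUserName")):
            findings.append((when, "group-created", actor, str(ev["TargetUserName"])))
        elif eid == ACCOUNT_RENAMED and _is_watched(ev.get("NewTargetUserName")):
            detail = f'{ev.get("OldTargetUserName")} -> {ev.get("NewTargetUserName")}'
            findings.append((when, "group-renamed", actor, detail))
        elif eid in MEMBER_ADDED and _is_watched(ev.get("TargetUserName")):
            findings.append((when, "member-added", actor, str(ev.get("MemberName"))))
    return findings


# Constructed sample events (not real log data).
SAMPLE_EVENTS: List[Event] = [
    {"TimeCreated": "2024-07-30T09:12:01Z", "EventID": 4727, "SubjectUserName": "jdoe",
     "TargetUserName": "Finance Users"},                                        # benign
    {"TimeCreated": "2024-07-30T09:15:44Z", "EventID": 4727, "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins"},                                           # path 1
    {"TimeCreated": "2024-07-30T09:16:02Z", "EventID": 4728, "SubjectUserName": "svc-backup",
     "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"TimeCreated": "2024-07-30T10:01:13Z", "EventID": 4781, "SubjectUserName": "tsmith",
     "OldTargetUserName": "Old Lab Group", "NewTargetUserName": "esx admins"},  # path 2
    {"TimeCreated": "2024-07-30T10:05:00Z", "EventID": 4728, "SubjectUserName": "jdoe",
     "TargetUserName": "Finance Users",
     "MemberName": "CN=akim,OU=Users,DC=corp,DC=example"},                      # benign
]


def finding_kinds(events: List[Event]) -> List[str]:
    """Just the finding kinds, in log order, for quick checks."""
    return [f[1] for f in detect_esx_admins_activity(events)]


if __name__ == "__main__":
    for f in detect_esx_admins_activity(SAMPLE_EVENTS):
        print(*f, sep="  ")
```

The third path in the list (refreshing privileges on the ESXi side while the group is unassigned) produces no AD event, so this check covers only what the domain controllers see; hosts still need the vendor's fix, and any hit on the watched name is worth confirming against the ESXi host's configured management group.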
How to find potentially vulnerable systems with runZero #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
os:ESXi
Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:
The CVSS scores range from 7.1 (high) to 9.3 (critical); the vulnerabilities affecting ESXi are limited to high severity, but the vendor has indicated that taken together the vulnerabilities should be considered critical.
Upon successful exploitation of these vulnerabilities, an attacker who can execute code inside a virtual machine can access the host system and perform actions ranging from arbitrary code execution to sensitive information disclosure.
From the Asset Inventory, use the following query to locate assets running potentially vulnerable versions of VMware ESXi or running VMware products:
os:ESXi
Additionally, using the runZero VMware integration, use the following query to locate virtual machines running inside VMware, which could be potential sources of exploitation:
source:vmware
Additional fingerprinting research is ongoing, and additional queries will be published as soon as possible.
In February 2023, the popular hypervisor ESXi made the news due to fresh targeting by a new strain of ransomware. Known as ESXiArgs, this ransomware leveraged a two-year-old heap overflow issue in the OpenSLP service that can be used to execute remote code on exploitable targets (CVE-2021-21974). Many vulnerable public-facing ESXi servers had already been affected by this malware (at the time over 1,900 via Censys search results).
Targets of this new ransomware campaign were older ESXi servers running certain versions of the 6.5, 6.7, or 7 releases that also had the OpenSLP service enabled (it has not been enabled by default in ESXi releases since 2021). Upon successful exploitation of CVE-2021-21974, the ESXiArgs ransomware encrypted a number of file types on the target system, including VM-related files with extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. Ransom notes were saved as HTML files on compromised systems for admins and users to subsequently discover. While some of these ransom notes claim to have stolen data from vulnerable targets, no data exfiltration had been observed at the time.
VMware made patches available when the OpenSLP heap-overflow vulnerability was initially reported in 2021. The following ESXi releases had already been patched against the attack vector exploited by the ESXiArgs campaign:
ESXi version 7+ (ESXi70U1c-17325551 and later)
ESXi version 6.7+ (ESXi670-202102401-SG and later)
ESXi version 6.5+ (ESXi650-202102101-SG and later)
VMware also offered patched releases for Cloud Foundation (ESXi), which included an ESXi component:
Cloud Foundation (ESXi) version 4.2+
Patching instructions for Cloud Foundation (ESXi) version 3.x can be found here
Patching (and also ensuring that your ESXi servers were running a supported, not end-of-life/end-of-support version) was the best course of action. If patching was not a near-term option, VMware recommended mitigation via disabling the OpenSLP service.
CrushFTP disclosed a vulnerability in certain versions of their file transfer product, which fails to protect the alternate channel AS2 (Applicability Statement 2) data transfer protocol via HTTP(S) when a DMZ proxy instance is not used. The mishandling of AS2 validation allows a remote adversary to bypass the intended security measures, and obtain administrative access via HTTP(S). This vulnerability has been designated CVE-2025-54309 and has been rated critical with a CVSS score of 9.0. There is evidence that this vulnerability is being actively exploited in the wild.
Successful exploitation of this vulnerability would allow an adversary to execute administrative functions within the CrushFTP service without authentication, potentially leading to complete system compromise and data integrity issues.
CrushFTP disclosed that a vulnerability in their file transfer product allows an unauthenticated remote attacker to bypass authentication on some HTTPS interfaces. Since the original disclosure, a CVE was assigned, CVE-2025-2825, and later, CVE-2025-31161. This vulnerability is being exploited in the wild.
Successfully exploiting this vulnerability would allow an attacker to execute administrative functions within the CrushFTP service without authentication. Versions of CrushFTP 11 prior to 11.3.1 and CrushFTP 10 prior to 10.8.4 are vulnerable.
CrushFTP has released versions 11.3.1 and 10.8.4 to address this issue. The vendor has also indicated that enabling the DMZ setting in the CrushFTP configuration will mitigate this issue. CrushFTP administrators are advised to update at their earliest opportunity.
CrushFTP disclosed that a vulnerability in their file transfer product allows an unauthenticated attacker to access the host’s file system. No CVE has yet been assigned for this issue, and CrowdStrike has indicated that this issue is being actively exploited in the wild. Additional details can be found in this article by Sergiu Gatlan at BleepingComputer.
This issue affects all CrushFTP versions prior to 10.7.1 and CrushFTP 11 releases prior to patch 11.1.0. An unauthenticated attacker can abuse this issue to read files from the host’s file system.
Citrix published Security Bulletin CTX694788, which documents a memory overflow vulnerability affecting customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization and Auditing (AAA) virtual server. This vulnerability has been designated CVE-2025-6543 and has been rated critical with a CVSS score of 9.2.
There is evidence that this vulnerability is being actively exploited in the wild.
The following versions are affected:
NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP
Successful exploitation of this vulnerability could allow an adversary to make unintended changes to control flow, potentially allowing remote code execution (RCE) or causing denial-of-service (DoS).
Citrix recommends upgrading affected systems to one of the following versions as soon as possible:
NetScaler ADC and NetScaler Gateway to version 14.1-47.46 and later releases
NetScaler ADC and NetScaler Gateway to version 13.1-59.19 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP to version 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP
NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) and no longer supported. It is recommended to upgrade to one of the currently supported versions that address the vulnerabilities.
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
hw:="Citrix Netscaler Gateway" OR os:="Citrix ADC"
Citrix published Security Bulletin CTX693420 that documented two vulnerabilities that impact customer-managed installations of NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). There is evidence that one of the vulnerabilities, designated by CVE-2025-5777, is being actively exploited in the wild.
NetScaler appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or Authentication, Authorization and Auditing (AAA) virtual server are at risk of an insufficient input validation vulnerability leading to a memory out-of-bounds read in the NetScaler Management Interface, which could allow access to secret values, bypass of a protection mechanism, DoS or other unexpected results. This vulnerability has been designated CVE-2025-5777 and has been rated critical with a CVSS score of 9.3.
An attacker with access to the NetScaler appliance IP (NSIP) address, Cluster Management IP (CLIP) address or local Global Server Load Balancing (GSLB) Site IP (GSLBIP) address could exploit an improper access control vulnerability to gain access to the NetScaler Management Interface and its management functions. This vulnerability has been designated CVE-2025-5349 and has been rated high with a CVSS score of 8.7.
The following versions are affected:
NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
NetScaler ADC 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.235-FIPS and 13.1-37.235-NDcPP
Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information, potentially disrupt system operations and cause a denial-of-service, or gain control over the NetScaler Management Interface and its management functions potentially leading to system compromise.
Citrix recommends upgrading affected systems to one of the following versions as soon as possible:
NetScaler ADC and NetScaler Gateway to version 14.1-43.56 and later releases
NetScaler ADC and NetScaler Gateway to version 13.1-58.32 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP to version 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
NetScaler ADC 12.1-FIPS to version 12.1-55.328 and later releases of 12.1-FIPS
NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) and no longer supported. It is recommended to upgrade to one of the currently supported versions that address the vulnerabilities.
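The two bulletins above (CTX694788 and CTX693420) both express exposure as "prior to" a fixed build on a given release train, which is easy to get wrong when an inventory export is compared as plain strings. The following Python is an added worked example, not part of the Citrix bulletins or of runZero's tooling: it parses NetScaler build strings, compares them numerically against the fixed builds listed above, and buckets a whole inventory per bulletin. Assumptions: FIPS and NDcPP builds are tracked as separate trains, the EOL 12.1 and 13.0 trains are treated as affected because no fix will ship for them, and the inventory rows are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds per bulletin and release train, copied from the bulletin text above.
# A build is affected when it is numerically below the fixed build of its train.
FIXED_BUILDS: Dict[str, Dict[str, Tuple[int, int]]] = {
    "CTX694788": {  # CVE-2025-6543
        "14.1": (47, 46),
        "13.1": (59, 19),
        "13.1-FIPS": (37, 236),
        "13.1-NDcPP": (37, 236),
    },
    "CTX693420": {  # CVE-2025-5777, CVE-2025-5349
        "14.1": (43, 56),
        "13.1": (58, 32),
        "13.1-FIPS": (37, 235),
        "13.1-NDcPP": (37, 235),
        "12.1-FIPS": (55, 328),
    },
}

# Assumption: 12.1 and 13.0 are end-of-life per the bulletins, so a build on those
# trains with no listed fix is treated as affected rather than unknown.
EOL_TRAINS = {"12.1", "13.0"}

# Matches e.g. "14.1-47.46", "13.1-37.236-FIPS", "13.1-37.236-NDcPP".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def parse_version(version: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Split a NetScaler build string into (train, (build_major, build_minor)).

    Returns None when the string does not look like a NetScaler build so the
    caller can flag the asset for manual triage instead of silently passing it.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        return None
    train, major, minor, variant = match.groups()
    if variant:
        train = f"{train}-{variant}"
    return train, (int(major), int(minor))


def is_affected(version: str, bulletin: str) -> Optional[bool]:
    """True if below the fixed build, False if fixed, None if unparsable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    train, build = parsed
    fixed = FIXED_BUILDS[bulletin]
    if train in fixed:
        # Tuple comparison keeps 14.1-8.50 below 14.1-47.46; a string compare would not.
        return build < fixed[train]
    if train.split("-")[0] in EOL_TRAINS:
        return True
    # A train the bulletin lists neither as affected nor as fixed.
    return False


def triage(inventory: List[Dict[str, str]], bulletin: str) -> Dict[str, List[str]]:
    """Bucket inventory rows into affected / fixed / unparsed for one bulletin."""
    result: Dict[str, List[str]] = {"affected": [], "fixed": [], "unparsed": []}
    for row in inventory:
        verdict = is_affected(row["version"], bulletin)
        bucket = "unparsed" if verdict is None else ("affected" if verdict else "fixed")
        result[bucket].append(row["host"])
    return result


# Constructed sample inventory for the example; not real hosts.
SAMPLE_INVENTORY = [
    {"host": "gw-nyc-01", "version": "14.1-43.56"},
    {"host": "gw-nyc-02", "version": "14.1-47.46"},
    {"host": "aaa-fips-01", "version": "13.1-37.235-FIPS"},
    {"host": "gw-legacy", "version": "13.0-92.21"},
    {"host": "gw-unknown", "version": "n/a"},
]

if __name__ == "__main__":
    for name in FIXED_BUILDS:
        print(name, triage(SAMPLE_INVENTORY, name))
```

Note that the same FIPS build, 13.1-37.235, is fixed for CTX693420 but still affected for CTX694788, so a host has to be checked against every bulletin rather than once; the unparsed bucket exists because an appliance whose version string cannot be read should never be counted as patched.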
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
hw:="Citrix Netscaler Gateway" OR os:="Citrix ADC"
Citrix issued a security bulletin for the on-premise NetScaler Console (formerly NetScaler ADM) and NetScaler Agent products. CVE-2024-12284 is rated high with a CVSS score of 8.8, which could lead to privilege escalation.
For customers running an on-premise installation of NetScaler Console with NetScaler Console Agents deployed, an authenticated remote attacker could “execute commands without additional authorization”. NetScaler emphasized that an attacker must be authenticated, which limits the potential impact.
In January 2024 Citrix published Security Bulletin CTX584986 that documented two vulnerabilities that impact NetScaler ADC and Gateway appliances. The most severe of these, CVE-2023-6549, was discovered and documented by Bishop Fox.
CVE-2023-6549 is rated high with a CVSS score of 8.2. This vulnerability is an unauthenticated out-of-bounds memory read which could be exploited to collect information from the appliance’s process memory, including HTTP request bodies. While serious, it is not thought to be as bad as the Citrix Bleed vulnerability, because it is less likely to leak high-risk data.
CVE-2023-6548 is rated medium with a CVSS score of 5.5. This vulnerability is a code injection flaw that allows remote code execution by an authenticated, low-privileged attacker with access to a management interface on one of the NSIP, CLIP or SNIP addresses.
CVE-2023-6549 would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a web interface that is very commonly exposed, and without requiring authentication. It is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except that it is less likely to return highly sensitive information to an attacker. CVE-2023-6548 could be used by an attacker with credentials to execute code.
Citrix recommends limiting access to management interfaces as well as upgrading to one of the following versions:
NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
Warning: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Citrix advises customers to upgrade their appliances to a supported version that addresses the vulnerabilities.
How do I find potentially vulnerable systems with runZero? #
From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:
In July, 2023, Citrix alerted customers to three vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Surfaced by researchers at Resillion, these vulnerabilities included a critical flaw currently being exploited in the wild to give attackers unauthenticated remote code execution on vulnerable NetScaler targets (CVE-2023-3519). Compromised organizations included a critical infrastructure entity in the U.S., where attackers gained access the previous month and successfully exfiltrated Active Directory data. And at the time of publication, there appear to be over 5,000 public-facing vulnerable NetScaler targets.
The three reported vulnerabilities affecting NetScaler ADC and Gateway products were of different types, and each has its own preconditions for exploitation:
Successful exploitation required the NetScaler target be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or “authentication, authorization, and auditing” (AAA) virtual server.
Successful exploitation required the victim to be on the same network as the vulnerable NetScaler target when the victim loaded a malicious link (planted by the attacker) in their web browser.
Results from the above query should be triaged to verify that they are affected ADC or Gateway products and whether they are running updated firmware versions.
The following query could also be used in on the Software and Services inventory pages to locate NetScaler software:
product:netscaler
Results from the above query should be triaged to verify that they are affected ADC or Gateway products and whether they are running updated versions.
About runZero runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
About Version 2 Limited Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Multiple vulnerabilities were disclosed in certain versions of Wing FTP Server. There is evidence that one of the vulnerabilities, designated by CVE-2025-47812, is being actively exploited in the wild.
The web interface authentication process improperly neutralizes a NULL byte appended to the username. This vulnerability would allow a remote authenticated adversary, or an unauthenticated adversary using an anonymous FTP account if one is enabled, to inject arbitrary Lua code into the user session file. The Lua code is executed whenever the session file is loaded, for example on a request to any of the authenticated portions of the web interface. This allows remote code execution with the privileges of the service (root or SYSTEM by default). This vulnerability has been designated CVE-2025-47812 and has been rated critical with a CVSS score of 10.0.
The loginok.html endpoint does not correctly validate the UID session cookie. When provided a cookie value that exceeds the operating system’s maximum path size, it results in an error message that discloses the full local installation path of the application. An authenticated adversary may exploit the vulnerability to obtain the local installation path, which may aid in exploiting CVE-2025-47812. This vulnerability has been designated CVE-2025-47813 and has been rated medium with a CVSS score of 4.3.
The downloadpass.html endpoint does not properly validate and sanitize the URL parameter, allowing injection of an arbitrary link. Successful exploitation by an adversary may result in cleartext password disclosure to the injected link by convincing a victim to navigate to a specially crafted URL, enter their password and submit the form. This vulnerability has been designated CVE-2025-27889 and has been rated low with a CVSS score of 3.4.
Successful exploitation of CVE-2025-47812 would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Users are encouraged to update Wing FTP Server to version 7.4.4 or later as quickly as possible.
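To make the flaw class behind CVE-2025-47812 concrete, here is an added illustrative model in Python. It is not Wing FTP Server's code: the function names, the account list and the session file layout are invented, and the payload is constructed with a placeholder marker rather than real Lua. The model assumes the classic shape of a NULL-byte bug, in which the login check sees only the C-string view of the username (everything before the first NUL) while the session writer serializes the whole value into Lua source. It contrasts that path with one that rejects control bytes, validates exactly the string it will store, and escapes the value anyway.

```python
from typing import Optional

# Constructed account list for the example; not from any real deployment.
KNOWN_USERS = {"anonymous", "alice"}


def c_string_view(s: str) -> str:
    """Emulate C string handling: everything after the first NUL is invisible."""
    return s.split("\x00", 1)[0]


def session_file_vulnerable(username: str) -> Optional[str]:
    """Validate the truncated name, then serialize the full name into Lua source."""
    if c_string_view(username) not in KNOWN_USERS:
        return None  # login rejected
    # The session is written as Lua code with naive interpolation. Bytes after
    # the NUL were never checked, and the closing quote is attacker-controlled.
    return f'session = {{ user = "{username}" }}\n'


def lua_quote(s: str) -> str:
    """Render s as a Lua double-quoted literal with every metacharacter escaped."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\{ord(ch):03d}")  # Lua decimal escape, e.g. \000
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def session_file_hardened(username: str) -> Optional[str]:
    """Reject control bytes, validate exactly what will be stored, then escape."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in username):
        return None  # NUL or other control byte: reject outright
    if username not in KNOWN_USERS:
        return None
    # Escaping is redundant once control bytes are rejected, but it costs nothing
    # and protects against later changes to the allowed character set.
    return f"session = {{ user = {lua_quote(username)} }}\n"


def lua_outside_string(session: str) -> str:
    """Return the text a Lua loader would treat as code after the user literal."""
    _, _, rest = session.partition('user = "')
    closing = rest.find('"')
    return rest[closing + 1:] if closing >= 0 else ""


# Constructed payload: a valid name, a NUL, then a placeholder standing in for Lua.
MARKER = "INJECTED_LUA_HERE()"
PAYLOAD = f'anonymous\x00" }}; {MARKER} --'

if __name__ == "__main__":
    vuln = session_file_vulnerable(PAYLOAD)
    print("vulnerable path wrote:", repr(vuln))
    print("code after the literal:", repr(lua_outside_string(vuln or "")))
    print("hardened path result:", session_file_hardened(PAYLOAD))
```

The two checks in the hardened path are deliberately ordered: rejecting control bytes first means the validation and the serialization operate on the same bytes, which is the invariant the vulnerable path breaks. Escaping on its own would not be enough if the file were later loaded by code that truncates at NUL again.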
How to find Wing FTP Server installations with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=WFTPServer AND product:"Wing FTP Server"
As a follow-up to our recent post on the crucial role of attack surface visibility in M&A, we wanted to demonstrate how to apply runZero in an M&A transaction with a real-world example.
But first — not a hypothetical scenario, but a real runZero customer story. A conglomerate initially planned to use the runZero Platform to assess risk in M&A transactions. Upon completing a deal, they would scan the new subsidiary’s environment to better understand infrastructure risks. This allowed them to quickly identify issues, prioritize critical assets, and address vulnerabilities. Over time, this approach evolved into a full-scale asset discovery and exposure management service, now deployed across all subsidiaries to ensure continuous risk analysis and attack surface visibility.
Now let’s walk through a scenario involving two fictional companies: RZ Corporation, which is in the process of acquiring ACME Corp.
Example Scenario: RZ Corporation’s Acquisition of ACME Corp #
To illustrate the challenges of M&A security due diligence, let’s consider a scenario where RZ Corporation is in the process of acquiring ACME Corp. As is common in such transactions, legal teams from both organizations have negotiated and agreed upon the terms of the acquisition. Alongside these discussions, key considerations have been established to ensure a smooth transition:
ACME Corporation has given RZ Corporation the right to:
Perform internal and external attack surface discovery to inventory all network connected assets;
Perform an API integration with no more than three pre-selected solutions (CrowdStrike, Tenable and Wiz);
Provide access to the data to only a select number of RZ Corp security personnel as part of the security due diligence;
Fig 1: runZero deployment workflow
One of the first things to do before deploying runZero is to agree on how the data will be organized, especially with data access requirements in place. There has to be data segregation between the M&A environment and any other tenants, which is where the runZero concepts of Organizations and Projects become very important.
An organization in runZero refers to a distinct entity, which could be a business, a specific department within an organization, or even one of your customers. All actions, tasks, Explorers, scans, and other objects within runZero are associated with a specific organization and are kept separate from one another to ensure proper isolation.
In a similar manner, Projects function as a specialized form of organization, designed for temporary use. While Projects behave like organizations, they offer the added benefit of supporting up to five times the number of project assets as the total number of licensed live assets. For instance, if your runZero license covers 1,000 assets, you can manage up to 5,000 project assets. This feature is particularly valuable when dealing with mergers and acquisitions (M&A) environments, where the asset count may be unknown. The ability to scale up by 5x provides greater flexibility, helping to avoid concerns about exceeding license limits while effectively segregating different environments.
RZ Corporation creates a runZero Project named “ACME Corp” that will hold all of the ACME Corp attack surface details and is completely separated from RZ Corporation’s own attack surface.
Fig 2: Creating a new Project in runZero to segregate the M&A data
An additional critical aspect of segregating M&A data is enforcing a strict need-to-know access policy, ensuring that only a limited number of individuals can access sensitive information. This step is vital for due diligence, as it guarantees that confidential data is shared solely with those who need it to carry out their responsibilities. By limiting access in this way, risks are minimized, and the integrity of the transaction is better protected.
Each runZero Project is equipped with its own role-based access control configuration, allowing not only the separation of data into distinct entities but also the enforcement of specific access permissions. Below is an example of a user, illustrating which Organizations or Projects they have access to and the roles they are permitted to perform within each.
Fig 3: User based access control in runZero
Once the data organization is in place, the next step is to start discovering ACME Corporation. As per the agreement, we will use two of the three discovery approaches: the active scanner and API integrations.
Phase 2: Internal, External and Cloud Attack Surface discovery #
We will begin by deploying the runZero active scanner, known as “Explorer,” at ACME Corp. There are multiple deployment options for the Explorer, including shipping a pre-configured Raspberry Pi with the Explorer installed or providing the Explorer binaries to ACME Corp for installation on a system, such as a laptop, server, or desktop. This approach eliminates the need for hardware shipments or the installation of agents on every asset, streamlining the data collection process.
The Explorer is runZero’s proprietary unauthenticated active scanner. It can be installed on a VM, server, laptop, desktop or even a Raspberry Pi.
Make sure the “ACME Corp” Project is selected, then choose the download for the preferred OS and architecture. In our case we pick a Red Hat Enterprise Linux (RHEL) virtual machine that ACME Corp has allocated for the M&A project and granted the required network access.
Fig 4: Deployment options for the runZero Explorer
For air-gapped networks or environments where offline data collection is required, runZero offers a command-line scanner (the runZero CLI) that can be used to discover those assets.
This ensures that regardless of the type of networks, runZero can provide visibility to the attack surface of the M&A organization.
Once the Explorer is deployed, the next step is managed from the runZero Console: kicking off the network scans. We will start with the internal attack surface and scan the full RFC 1918 private address space to discover all of the assets that exist at ACME Corp. We can also run targeted scans of specific networks provided by the M&A organization. Here is a screenshot showing the RFC 1918 scan:
Fig 5: Configuring a runZero scan task of the internal attack surface
After scanning the internal attack surface, RZ Corporation will enhance the runZero active scanner data by integrating with existing security solutions. This integration will involve importing data from CrowdStrike and Tenable through the CrowdStrike Falcon and Tenable Nessus APIs. These integrations will enrich the asset inventory and provide valuable insights into vulnerabilities and software. An additional benefit of the integration is the ability to identify endpoints lacking an EDR agent and/or Vulnerability Management agent/scanner, further strengthening the organization’s security posture.
Fig 6: Setting up the CrowdStrike API integration
Next will be discovering ACME Corp’s external attack surface by leveraging runZero’s Hosted Explorer that can scan all of the external IP ranges as well as all of the public IP addresses that were found by the internal scan.
From the scan configuration page below:
Choose US – New York as the Hosted zone (this is a runZero-hosted Explorer in the cloud).
In the Discovery scope, enter the following data:
public:all: This will scan all of the public IPs found during the internal network scan with runZero.
asn4:12345: Enter all ASNs in this format to target all IP addresses registered to this ASN. Note the digit 4 after ASN in the notation.
domain:acme.org: Add all domains that you are targeting. runZero will add all subdomains connected to these domains.
Fig 7: Configuring an external runZero scan task
Finally we will be covering the Cloud attack surface to complement the full ACME Corp environment and complete the visibility portion. We will leverage the API integration with AWS to pull in all of the cloud assets that exist in all of the accounts that belong at ACME Corp.
Fig 8: Setting up the AWS API integration
Once the integration is complete and the cloud asset inventory is established, we will proceed with a comprehensive external discovery of all publicly facing cloud assets. Using runZero, RZ Corporation can create a custom discovery scope that includes all AWS assets configured with a public IP range, as demonstrated in the query result below. This approach ensures a thorough assessment of external exposure across the organization’s cloud infrastructure.
source:aws and has_public:t
Fig 9: Inventory view of the query results
You can quickly kick-off an external scan task with all of the public IP ranges returned from the query above by selecting all of the resulting assets and clicking “Scan”.
Fig 10: Setting up a new scan task with the public IP ranges from the Inventory
runZero’s goal is to empower security teams to fully manage the risk lifecycle: finding, prioritizing, and remediating all classes of exposures across internal and external attack surfaces, all in one place, as a single source of truth for exposure management across all of your M&A organizations.
The ability to highlight key post-discovery exposures and findings is critical to assessing and understanding the risk that ACME Corp represents.
Typically one of the first available resources that our customers leverage for due diligence are Dashboards. They provide a customizable, visual view into your attack surface and can be created to serve different use cases such as compliance, vulnerability remediation, or asset visibility.
The Risk Management Dashboard is your centralized hub for taking action on risks, delivering actionable, data-driven insights with advanced findings widgets and customizable visualizations. As a cornerstone of runZero’s holistic exposure management, it provides comprehensive visibility and actionable context to help your team minimize exploitability windows, optimize resources, and reduce operational risks.
A wide range of visualization widgets is available to display operational information, trends, insights, goals, sources, and the most and least observed data. Additionally, you can create custom widgets based on specific queries to surface the exact data you need, which can be displayed as either a trend line or a latest count.
Fig 11: runZero Risk Management Dashboard
The Risk Management dashboard streamlines the entire risk management and remediation lifecycle by organizing exposures by type, mapping them to affected assets and services, applying context-driven criticality, and enabling tracking over time.
Fig 12: runZero Risk Management Dashboard widgets
Let’s drill down a bit further into the Dashboard data. While exploring the available dashboard widgets, we focused on the Operating Systems and Type widgets, which provide a side-by-side comparison of the most and least observed OS/Type instances.
In the OS breakdown, we identified a few Hikvision cameras, whose vendor is prohibited for RZ Corporation under NDAA Section 889, as well as some legacy operating systems, such as Microsoft Windows CE.
Fig 13: Least seen: OS (Zebra)
As for the Type breakdown, nothing alarming jumped out at first, but it might require a bit more analysis, especially for types such as Camera and DVR, to make sure those devices are being monitored by the ACME Corp security team, or that the team is at least aware of them.
Fig 14: Least seen: Type (Gaming console / 3D printer)
The least seen and most seen dashboard widgets for the different datapoints (there are also breakdowns for Products, Protocols and MAC vendors, to name a few) are very good at finding outliers or anomalies on the network that are typically unmanaged or missed by security teams, helping pinpoint what the due diligence team should investigate first.
runZero also offers the ability to create custom widgets, enabling users to track key metrics across their attack surface. Customers often configure different dashboards tailored to the specific aspects of the attack surface that are most relevant to their needs, such as Incident Response, Attack Surface Management, or M&A activities. runZero delivers the visibility and insights necessary to ensure that any security program or use case effectively covers the entire attack surface.
The External assets report provides a point-in-time overview of your external assets. It shows all external-facing assets and services in the organization.
Fig 15: A sample runZero External assets reports
The Organization Overview report offers a snapshot of the entire organization at a specific point in time, including details on the types of assets discovered and, optionally, information on each asset, such as screenshots. This report is valuable for internal stakeholders, providing an at-a-glance understanding of the attack surface’s state at any given moment. It can also be scheduled for regular distribution (weekly, monthly, quarterly, etc.) to key stakeholders who need to review the report.
One of the unique propositions that runZero offers is the full depth and breadth of your total attack surface. The platform delivers superior visibility across IT, OT, IoT across on-prem, external, remote and cloud environments ensuring you have a complete understanding of your assets and their risk. runZero’s advanced fingerprinting goes deeper to uncover critical insights into services, connections, ownership, hygiene and more, building detailed profiles of each asset leveraging a library of almost 1,000 attributes. This unparalleled level of detail provides the insights you need to clearly understand what’s in your environment, identify vulnerabilities, expose risks, and act quickly to secure your networks.
Here we are showing the asset details page for a device scanned by a runZero Explorer and not found in any of the other security platforms we integrated with. As you can see, the level of detail collected by the unauthenticated active scanner is second to none, providing insight into OS, Type and Hardware as well as additional information.
Fig 17: PLC asset details scanned by runZero
The following asset was scanned by the runZero Explorer but was also found in ACME Corp’s current tools (CrowdStrike, Tenable Nessus and AWS). runZero does not only show the details the Explorer collected; it also cross-references the datapoints from the third-party integrations, so at any time users can view the CrowdStrike attributes or the Tenable Nessus attributes straight from the runZero Console without having to jump between three or four different consoles.
Fig 18: Ubuntu Linux scanned by runZero and found in Crowdstrike, Tenable Nessus and AWS
The screenshots above only show a section of the asset details page, more information is available such as what vulnerabilities are impacting that asset, what software is installed and what services/protocols/ports are exposed on the network.
Due to runZero’s unique ability to combine safe active scanning, passive discovery and API integrations, RZ Corporation is able to identify blind spots, that is, assets that are missing critical security controls. One example is which compute endpoints are missing the CrowdStrike agent they should have.
The query below surfaces the endpoints that runZero’s Explorer found in ACME Corp’s network but that CrowdStrike does not manage.
source:runzero AND NOT source:Crowdstrike (type:server or type:desktop or type:laptop or type:mobile)
From the runZero console the results of the query shows you the list of assets that match:
Fig 19: Compute endpoints missing the CrowdStrike agent
Another exposure that RZ Corporation was keen to uncover was whether there are any risky or misconfigured assets such as potential bridges: assets that bridge public and private networks while also running a remote management protocol such as RDP on an end-of-life operating system.
has_public:t and has_private:t and has_os_eol:t and protocol:rdp
Fig 20: Public-facing assets running an EOL OS and exposing RDP
The same query can be used in conjunction with runZero’s Network Bridges report that represents the resulting assets in a topology format. Please refer to this blog post that speaks to how runZero finds unmanaged devices for more details.
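The two inventory queries above (unmanaged compute endpoints, and public/private bridges with an EOL OS and RDP) rely on derived attributes such as has_public and has_private that the platform computes for you. As an added example, not runZero's code and not its query engine, the following Python evaluates both conditions over constructed asset records so the logic behind the queries is explicit. The record field names are invented for the example, and the public/private split is computed from RFC 1918 membership rather than a library "is private" check, for the reason given in the comment.

```python
import ipaddress
from typing import Dict, List

# RFC 1918 ranges, the same space the internal scan above covers. They are spelled
# out because ipaddress.is_private also matches loopback, link-local, CGNAT and
# documentation ranges, which would blur the public/private distinction here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Asset types the unmanaged-endpoint query above is scoped to.
COMPUTE_TYPES = {"server", "desktop", "laptop", "mobile"}


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def is_public(addr: str) -> bool:
    """Anything not RFC 1918, loopback or link-local counts as public in this model."""
    ip = ipaddress.ip_address(addr)
    return not (is_rfc1918(addr) or ip.is_loopback or ip.is_link_local)


def missing_edr(assets: List[Dict], edr_source: str = "crowdstrike") -> List[str]:
    """Compute endpoints the scanner saw that the EDR integration does not know about."""
    return [
        a["id"]
        for a in assets
        if "runzero" in a["sources"]
        and edr_source not in a["sources"]
        and a["type"] in COMPUTE_TYPES
    ]


def risky_bridges(assets: List[Dict]) -> List[str]:
    """Assets with a public and an RFC 1918 address, an EOL OS, and RDP exposed."""
    hits = []
    for a in assets:
        has_public = any(is_public(x) for x in a["addresses"])
        has_private = any(is_rfc1918(x) for x in a["addresses"])
        if has_public and has_private and a["os_eol"] and "rdp" in a["protocols"]:
            hits.append(a["id"])
    return hits


# Constructed sample inventory. 203.0.113.0/24 is a documentation range standing
# in for real public space; field names are invented for the example.
SAMPLE_ASSETS = [
    {"id": "srv-01", "type": "server", "sources": {"runzero", "crowdstrike"},
     "addresses": ["10.1.2.3"], "os_eol": False, "protocols": {"ssh"}},
    {"id": "dt-07", "type": "desktop", "sources": {"runzero"},
     "addresses": ["192.168.4.20"], "os_eol": False, "protocols": {"smb"}},
    {"id": "cam-03", "type": "camera", "sources": {"runzero"},
     "addresses": ["192.168.9.9"], "os_eol": True, "protocols": {"rtsp"}},
    {"id": "jump-legacy", "type": "server", "sources": {"runzero", "tenable"},
     "addresses": ["203.0.113.10", "10.0.0.5"], "os_eol": True, "protocols": {"rdp"}},
    {"id": "web-dmz", "type": "server", "sources": {"runzero", "crowdstrike"},
     "addresses": ["203.0.113.20", "10.0.0.6"], "os_eol": False, "protocols": {"rdp", "http"}},
]

if __name__ == "__main__":
    print("missing EDR:", missing_edr(SAMPLE_ASSETS))
    print("risky bridges:", risky_bridges(SAMPLE_ASSETS))
```

The camera in the sample is deliberately excluded from the EDR gap list even though it has no agent: the query is scoped to compute types because an agent cannot be installed on an IP camera, which is exactly why such devices surface in the least-seen Type widget instead.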
In July 2025, Phoenix Contact disclosed vulnerabilities in certain models and versions of their AC charging controller and Programmable Logic Controller (PLC) firmware.
July 2025: AC charging controller vulnerabilities #
Nine vulnerabilities have been disclosed, across two advisories VDE-2025-019 and VDE-2025-014, in certain models and versions of Phoenix Contact CHARX SEC-3XXX series AC charging controller firmware.
An unauthenticated remote adversary can alter the device configuration in a way to achieve remote code execution as the root user with specific configurations. This vulnerability has been designated CVE-2025-25270 and has been rated critical with a CVSS score of 9.8.
An unauthenticated adjacent adversary can modify device configuration by sending specific requests to an API endpoint resulting in read and write access due to missing authentication. This vulnerability has been designated CVE-2025-25268 and has been rated high with a CVSS score of 8.8.
An unauthenticated adjacent adversary can configure a new OCPP backend due to insecure defaults for the configuration interface. This vulnerability has been designated CVE-2025-25271 and has been rated high with a CVSS score of 8.8.
An unauthenticated local adversary can inject a command that is subsequently executed as the root user, leading to a privilege escalation. This vulnerability has been designated CVE-2025-25269 and has been rated high with a CVSS score of 8.4.
An unauthenticated remote adversary can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity only for EichrechtAgents and potential denial-of-service (DoS) for these stations. This vulnerability has been designated CVE-2025-24003 and has been rated high with a CVSS score of 8.2.
A local adversary with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. This vulnerability has been designated CVE-2025-24005 and has been rated high with a CVSS score of 7.8.
A low-privileged local adversary can leverage insecure permissions via SSH on the affected devices to escalate privileges to root. This vulnerability has been designated CVE-2025-24006 and has been rated high with a CVSS score of 7.8.
An unauthenticated remote adversary can use MQTT messages to crash a service on charging stations that comply with the German Calibration Law, resulting in a temporary denial-of-service (DoS) until the stations are restarted by the watchdog service. This vulnerability has been designated CVE-2025-24002 and has been rated medium with a CVSS score of 5.3.
An adversary with physical access to the device can send a message via the USB-C configuration interface that triggers an unsafe copy to a buffer, resulting in a loss of integrity and a temporary denial-of-service (DoS) until the station is restarted by the watchdog service. This vulnerability has been designated CVE-2025-24004 and has been rated medium with a CVSS score of 5.3.
Successful exploitation of the most severe of these vulnerabilities would allow an adversary to execute arbitrary code as root on the vulnerable device, potentially leading to complete system compromise.
Phoenix Contact has released updates to fix most of these issues. Users are encouraged to update to the latest firmware version, 1.7.3, as quickly as possible. It fixes all but three of the vulnerabilities: CVE-2025-24002, CVE-2025-24003 and CVE-2025-24004, which affect the German Calibration Law (Eichrecht) functionality in firmware versions through 1.6.5 and for which the vendor has no planned fix.
CHARX SEC-3000 upgrade to firmware version 1.7.3 or later
CHARX SEC-3050 upgrade to firmware version 1.7.3 or later
CHARX SEC-3100 upgrade to firmware version 1.7.3 or later
CHARX SEC-3150 upgrade to firmware version 1.7.3 or later
How to find affected Phoenix Contact AC charging controllers with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
hw:="Phoenix Contact CHARX SEC-3000" OR hw:="Phoenix Contact CHARX SEC-3050" OR hw:="Phoenix Contact CHARX SEC-3100" OR hw:="Phoenix Contact CHARX SEC-3150"
July 2025: Programmable Logic Controller vulnerabilities #
A low-privileged remote adversary is able to trigger the watchdog service to reboot the device due to incorrect default permissions of a config file. The vulnerability may be used to perform denial-of-service (DoS) attacks against the device or to gain unauthorized access by triggering the vulnerabilities identified below. This vulnerability has been designated CVE-2025-41665 and has been rated medium with a CVSS score of 6.5.
A low-privileged remote adversary with file access is able to replace a critical file used by the watchdog service. Once the watchdog service has been initialized, the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41666 and has been rated high with a CVSS score of 8.8.
A low-privileged remote adversary with file access is able to replace a critical file used by the arp-preinit script. Through replacing the critical file the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41667 and has been rated high with a CVSS score of 8.8.
A low-privileged remote adversary with file access is able to replace a critical file or directory used by the security-profile service. Through replacing the critical file or directory the adversary gains read, write and execute permissions to the whole file system on the device. This vulnerability has been designated CVE-2025-41668 and has been rated high with a CVSS score of 8.8.
In addition, multiple vulnerabilities exist in Linux components within the device firmware. Please refer to VDE-2025-053 for the extensive list.
Successful exploitation of CVE-2025-41665 would allow an adversary to perform denial-of-service (DoS) attacks against the device, but in combination with CVE-2025-41666, CVE-2025-41667 or CVE-2025-41668 an adversary may gain full control over the device.
Phoenix Contact has released updates to fix these issues. Users are encouraged to update to the latest firmware version as quickly as possible.
AXC F 1152 upgrade to firmware version 2025.0.2 or later
AXC F 2152 upgrade to firmware version 2025.0.2 or later
AXC F 3152 upgrade to firmware version 2025.0.2 or later
BPC 9102S upgrade to firmware version 2025.0.2 or later
RFC 4072S upgrade to firmware version 2025.0.2 or later
How to find affected Phoenix Contact PLC devices with runZero #
From the Asset Inventory, use the following query to locate potentially impacted assets:
hw:="Phoenix Contact AXC F 1152" OR hw:="Phoenix Contact AXC F 2152" OR hw:="Phoenix Contact AXC F 3152" OR hw:="Phoenix Contact BPC 9102S" OR hw:="Phoenix Contact RFC 4072S"
About runZero #
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
About Version 2 Limited #
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
SQL Server is affected by a heap-based buffer overflow vulnerability that may allow an authorized adversary to escape the SQL Server context and remotely execute code on the target host. Successful exploitation requires the adversary to prepare the target environment prior to executing a specially crafted query. This vulnerability has been designated CVE-2025-49717 and has been rated high with a CVSS score of 8.5.
SQL Server is affected by an information disclosure vulnerability due to its use of an uninitialized resource. Successful exploitation may allow an unauthorized adversary to remotely inspect heap memory from a privileged process running on the target host. This vulnerability has been designated CVE-2025-49718 and has been rated high with a CVSS score of 7.5.
SQL Server is affected by an information disclosure vulnerability due to improper input validation. Successful exploitation may allow an unauthorized adversary to remotely inspect uninitialized memory on the target host. This vulnerability has been designated CVE-2025-49719 and has been rated high with a CVSS score of 7.5.
The information disclosed via CVE-2025-49718 and CVE-2025-49719 could aid in the exploitation of CVE-2025-49717, as these vulnerabilities may be useful for disclosing sensitive authentication information or for learning the heap layout and so making it more amenable to exploitation.
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise, or leak sensitive information.
Users are encouraged to update to the latest version as quickly as possible.
Microsoft SQL Server 2016 Service Pack 3 (GDR) upgrade to version 13.0.6460.7 or later
Microsoft SQL Server 2016 Service Pack 3 Azure Connect Feature Pack upgrade to version 13.0.7055.9 or later
Microsoft SQL Server 2017 (GDR) upgrade to version 14.0.2075.8 or later
Microsoft SQL Server 2017 (CU 31) upgrade to version 14.0.3495.9 or later
Microsoft SQL Server 2019 (GDR) upgrade to version 15.0.2135.5 or later
Microsoft SQL Server 2019 (CU 32) upgrade to version 15.0.4435.7 or later
Microsoft SQL Server 2022 (GDR) upgrade to version 16.0.1140.6 or later
Microsoft SQL Server 2022 (CU 19) upgrade to version 16.0.4200.1 or later
If your SQL Server version is not listed above, it is no longer supported; upgrade to a supported Service Pack or SQL Server release in order to receive current and future security updates.
How do I find Microsoft SQL Server installations with runZero? #
From the Software Inventory, use the following query to locate potentially impacted assets:
vendor:=Microsoft AND (product:="SQL Server" OR product:="SQL Server 20%") AND ((version:>=13.0.0 AND version:<13.0.7055.9) OR (version:>=14.0.0 AND version:<14.0.3495.9) OR (version:>=15.0.0 AND version:<15.0.4435.7) OR (version:>=16.0.0 AND version:<16.0.4200.1))
Note that the upper bound of each range is the highest fixed build for that major version, not the fixed build of each servicing branch. Installations on the GDR branch that are already at their fixed GDR build (for example 13.0.6460.7 or 15.0.2135.5) will therefore still match this query; confirm which branch a matching host is on before treating it as unpatched.
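To turn the builds returned by such a query into a per-host patched/vulnerable decision that respects the servicing branch, the following Python is an added example (not runZero's or Microsoft's code). The fixed builds are the ones listed above; the rule that the thousands block of the third version component identifies which branch (GDR or CU) a build belongs to is an assumption of this example, as are the sample host names and versions.

```python
"""Triage SQL Server build numbers against the July 2025 fixed builds listed above.

Added example, not runZero's or Microsoft's code. The fixed builds come from the
advisory text; the branch-detection rule is an assumption about Microsoft's numbering.
"""
from __future__ import annotations

Version = tuple[int, int, int, int]

# Fixed builds per major version, copied from the list above.
# The branch labels in the comments are this example's own annotation.
FIXED_BUILDS: dict[int, list[str]] = {
    13: ["13.0.6460.7", "13.0.7055.9"],  # 2016: SP3 GDR line, SP3 Azure Connect Feature Pack line
    14: ["14.0.2075.8", "14.0.3495.9"],  # 2017: GDR line, CU line
    15: ["15.0.2135.5", "15.0.4435.7"],  # 2019: GDR line, CU line
    16: ["16.0.1140.6", "16.0.4200.1"],  # 2022: GDR line, CU line
}


def parse_version(text: str) -> Version:
    """Parse a four-part build string as SERVERPROPERTY('ProductVersion') returns it."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a SQL Server build number: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def branch_block(v: Version) -> int:
    # ASSUMPTION: the GDR and CU servicing lines of one major version live in
    # different thousands blocks of the third component (e.g. 16.0.1xxx vs
    # 16.0.4xxx), so the block tells us which fixed build to compare against.
    return v[2] // 1000


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'unknown-branch' or 'unlisted-major'."""
    v = parse_version(text)
    fixed_for_major = FIXED_BUILDS.get(v[0])
    if fixed_for_major is None:
        # 2014 and older have no fixed build in the list; the text says they are out of support.
        return "unlisted-major"
    for fixed_text in fixed_for_major:
        fixed = parse_version(fixed_text)
        if branch_block(fixed) == branch_block(v):
            return "patched" if v >= fixed else "vulnerable"
    # A servicing line the list does not cover (for instance a 2016 SP2 13.0.5xxx build):
    # do not guess, send it for manual review.
    return "unknown-branch"


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group (host, version) pairs by assessment so vulnerable hosts can be worked first."""
    groups: dict[str, list[str]] = {}
    for host, version in inventory:
        groups.setdefault(assess(version), []).append(host)
    return groups


# Constructed sample inventory (hypothetical hosts), as one might export from the query above.
SAMPLE_INVENTORY = [
    ("db-01", "16.0.4195.2"),   # 2022 CU line, below 16.0.4200.1
    ("db-02", "16.0.4200.1"),   # 2022 CU line at the fixed build
    ("db-03", "16.0.1135.2"),   # 2022 GDR line, below 16.0.1140.6
    ("db-04", "15.0.2135.5"),   # 2019 GDR line at the fixed build (the query still matches it)
    ("db-05", "13.0.7016.1"),   # 2016 SP3 Azure Connect Feature Pack line, below 13.0.7055.9
    ("db-06", "13.0.5108.50"),  # 2016 SP2 line: not in the list, manual review
    ("db-07", "12.0.6449.1"),   # 2014: out of support
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:15} {', '.join(hosts)}")
```

Hosts that come back as unknown-branch are the interesting ones: they are on a servicing line the advisory does not list, which usually means an unsupported Service Pack or CU line rather than a patched one.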