September 2025 CVE Landscape

In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities (eleven) also decreasing month over month.

These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.

September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization (CWE-862). TP-Link devices also featured prominently, with authentication bypass, OS command injection, and missing authentication vulnerabilities across several router models.

In September, Recorded Future’s Insikt Group® created six Nuclei templates, including those for the Sitecore (CVE-2025-53690) and Adminer (CVE-2021-21311) vulnerabilities featured in this report. Additionally, Insikt Group identified public proof-of-concept (PoC) exploits for six of the sixteen vulnerabilities.

Recorded Future’s Insikt Group® CVE Findings from September 2025:

Exploitation and Detection Highlights

This section analyzes the highest-impact, actively exploited vulnerabilities this month, each with a Very Critical or Critical Recorded Future Risk Score. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Group, which can be accessed by Recorded Future customers. This section focuses on vulnerabilities with available PoCs or technical analyses. It does not highlight vulnerabilities whose public information is limited to a description of the CVE.

Threat Actors Exploit Cisco ASA Vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to Deploy RayInitiator and LINE VIPER

On September 25, 2025, the UK National Cyber Security Centre (NCSC), in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA) and Cisco, published a technical analysis detailing a persistent malware campaign that exploits two vulnerabilities (CVE-2025-20333 and CVE-2025-20362) in legacy Cisco Adaptive Security Appliance (ASA) 5500-X series devices. The campaign affects firmware versions 9.12(4)67 and 9.14(4)24 on devices without secure boot and with virtual private network (VPN) web services enabled, and deploys a multi-stage bootkit called RayInitiator and a modular shellcode called LINE VIPER.

CVE-2025-20333 is a buffer overflow vulnerability resulting from improper validation of user-supplied input in HTTP(S) requests to Cisco web services. A remote, authenticated attacker with valid VPN credentials can achieve remote code execution (RCE). CVE-2025-20362 is a missing authorization vulnerability resulting from improper validation of user-supplied input in HTTP(S) requests in the VPN web server of Cisco Secure Firewall ASA and FTD.

Successfully exploiting CVE-2025-20362 could allow remote, unauthenticated attackers to access a restricted URL by sending crafted HTTP requests. According to Cisco, when chained, CVE-2025-20333 and CVE-2025-20362 enable an unauthenticated, remote threat actor to gain complete control over vulnerable VPN and WebVPN services on affected ASA devices. On September 25, 2025, Cisco released patches to fix CVE-2025-20333 and CVE-2025-20362. On the same day, CISA added CVE-2025-20333 and CVE-2025-20362 to its Known Exploited Vulnerabilities (KEV) catalog.

Figure 1: Vulnerability Intelligence Card® for CVE-2025-20333 in Recorded Future (Source: Recorded Future)

According to NCSC and Cisco, after gaining RCE, threat actors patch a compromised Cisco ASA’s GNU Grand Unified Bootloader (GRUB) to invoke RayInitiator Stage 1 early in boot by hooking the firmware and kernel load path at the console string Booting…/Booting the kernel. On some non‑Secure‑Boot ASA 5500‑X models, threat actors also modify the Read-Only Memory Monitor (ROMMON) to retain persistence across reboots and upgrades. RayInitiator Stage 1 performs the following actions on a victim’s device:

  1. Scans the hard-coded firmware memory region 0x400000–0x600000 for the console boot string
  2. Subtracts 0x10000 from the found string address and searches that area for a specific assembly pattern to locate the kernel‑load routine
  3. Verifies the match by comparing the assembly pattern’s address operand ([addr]) with the boot string location to ensure it has the correct patch target
  4. Saves the original bytes of the legitimate code for later use
  5. Patches the kernel‑load routine to transfer control to Stage 2
  6. Restores and re‑executes the original bytes to ensure the device outputs the expected boot message

For Stage 2, RayInitiator performs the following actions on a victim’s device:

  1. Searches the previous stack frame for candidate Kernel Address Space Layout Randomization (KASLR) base values
  2. Checks each candidate's base address for 0x10000 alignment and filters out unaligned addresses
  3. Adds fixed offset 0x600490 to aligned candidates and checks whether that address points to the kernel substring nmi_max_ to confirm the correct KASLR base
  4. Saves the verified KASLR base and adjusts subsequent kernel addresses and offsets using that base
  5. Copies Stage 3 into KASLR base at offset 0x300 (a large no-operation [NOP]‑filled code cave)
  6. Locates the sched_getparam system call (syscall) table entry at a fixed offset, saves the original pointer, and overwrites the entry to point to the Stage 3 kernel copy
  7. Manipulates the stack and return addresses to ensure that when lina calls sched_getparam during load, execution transfers into the Stage 3 install phase; lina is a Cisco ASA user‑space binary that implements the device’s core functionality and handles services such as WebVPN
  8. Restores the original sched_getparam pointer from the Stage 3 install phase to ensure normal sched_getparam behavior resumes after install runs

For Stage 3, RayInitiator performs the following actions on a victim’s device:

  1. Searches lina’s memory to locate the WebVPN XML element parsing table and the “form” element entry
  2. Overwrites the form element handler to point at the sched_getparam hook, causing processing of a form element to invoke Stage 3’s deploy phase
  3. Parses the first form element of an incoming WebVPN request to verify a hard‑coded victim ASCII group token as the first identifier
  4. Scans XML elements for the second victim identifier (an eight‑byte hex token) immediately followed by the LINE VIPER shellcode stub
  5. Copies the LINE VIPER shellcode stub into the lina data area and marks that page executable via a direct mprotect system call
  6. Overwrites the form handler to point to the executable shellcode stub, causing the next processed form element to trigger shellcode execution
  7. Deletes the initial shellcode stub and adjusts handlers as required to allow LINE VIPER to stage itself and hook into VPN client authentication processing for persistent tasking

Following RayInitiator Stage 3, LINE VIPER performs the following actions on a victim’s device:

NCSC identifies RayInitiator and LINE VIPER as an evolution of LINE DANCER and LINE RUNNER from the April 2024 ArcaneDoor campaign due to their shared use of victim-specific tokens, targeting of legacy Cisco ASA devices, abuse of WebVPN authentication traffic for shellcode delivery, and modular shellcode architecture.

Cisco and CISA provided the following mitigations and remediation to counter persistent exploitation of CVE-2025-20333 and CVE-2025-20362 and the infection of RayInitiator and LINE VIPER malware:

Additionally, Cisco released a fix for CVE-2025-20363, a related heap-based buffer overflow vulnerability that could allow remote, unauthenticated attackers to execute arbitrary code (RCE) as root. At the time of writing, there is no evidence of in-the-wild exploitation of CVE-2025-20363.

Insikt-Validated TTP: Using Nuclei to Detect CVE-2025-53690, an Actively Exploited Deserialization of Untrusted Data Vulnerability in Sitecore

On September 3, 2025, cybersecurity firm Mandiant published an analysis of an active exploitation of a ViewState deserialization vulnerability, tracked as CVE-2025-53690, in Sitecore deployments. CVE-2025-53690 is a deserialization of untrusted data vulnerability affecting Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC). In this incident, the affected deployments had retained a sample machine key that had been exposed in Sitecore deployment guides (from 2017 and earlier). The threat actors leveraged this exposed machine key to execute arbitrary code (RCE).

They achieved initial access by targeting /sitecore/blocked.aspx, a legitimately reachable page that accepts ViewState. POST requests to this endpoint coincided with ASP.NET Application log Event ID 1316 (ViewState verification failed), consistent with signed/encrypted ViewState being forged via the exposed machine key. A decrypted payload contained an embedded .NET assembly named Information.dll (tracked as WEEPSTEEL), which enumerates host, disk, network adapter, and process information and returns results disguised as a benign __VIEWSTATE value.

Following code execution with NETWORK SERVICE privileges (equivalent to the IIS process w3wp.exe), the threat actors archived the Sitecore Content Delivery web root (\inetpub\sitecore\SitecoreCD\Website) to collect sensitive configuration files (for example, web.config), then staged tooling under public user directories (for example, C:\Users\Public\Music).

The threat actors deployed EARTHWORM to establish reverse SOCKS tunnels to command-and-control (C2) servers at 130[.]33[.]156[.]194[:]443 and 103[.]235[.]46[.]102[:]80; installed DWAgent as a SYSTEM service for persistent remote access and Active Directory (AD) reconnaissance; executed SharpHound (saved as sh.exe) to map Active Directory; and used GoToken.exe, which Mandiant links with a public token-stealing tool GoTokenTheft. Additionally, a launcher script (1.vbs) was used to start EARTHWORM, and 7za.exe (a command-line executable for the 7-Zip file archiver) was employed to archive collection output for exfiltration.

For privilege escalation and credential access, the threat actors created local administrator accounts (asp$ and sawadmin), dumped SAM and SYSTEM registry hives, attempted token theft, and disabled password expiration on targeted administrator accounts. asp$ was created by executing helper.exe wrapping net user/net localgroup commands; sawadmin was created during a DWAgent session.

Lateral movement relied heavily on remote desktop protocol (RDP) pivoting through the EARTHWORM tunnel, with additional AD discovery (for example, nltest /DCLIST and findstr searches for cpassword in SYSVOL). During one RDP session under asp$, the threat actors downloaded dwagent.exe and main.exe into C:\Users\asp$\Downloads. After establishing access to the compromised admin accounts, the previously created local accounts were removed.
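The two observables Mandiant describes for initial access (POST requests to /sitecore/blocked.aspx coinciding with ASP.NET Event ID 1316) can be correlated from an IIS access log and an application-log export. The following is an added example, not code from the report or from Mandiant; the log lines are constructed, and the pipe-delimited application-log export format is an assumption.

```python
from datetime import datetime, timedelta

# Constructed IIS W3C access-log excerpt (not from a real incident). In real
# logs, spaces inside the User-Agent are encoded as '+', so whitespace
# splitting on the line is safe.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-08-15 10:21:03 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.4 Mozilla/5.0 200
2025-08-15 10:21:05 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-08-15 10:21:06 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2025-08-15 11:40:10 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.9 Mozilla/5.0 302"""

# Constructed ASP.NET application-log export (assumed format:
# timestamp|event id|message). Event ID 1316 is "Viewstate verification failed".
APP_LOG = """2025-08-15 10:21:05|1316|Event message: Viewstate verification failed. Reason: Viewstate was invalid.
2025-08-15 10:21:06|1316|Event message: Viewstate verification failed. Reason: Viewstate was invalid.
2025-08-15 11:40:10|1309|Event message: An unhandled exception has occurred."""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_iis(text):
    """Parse a W3C extended log, mapping columns from its #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", FMT)
            rows.append(rec)
    return rows


def parse_app_log(text):
    """Parse the constructed application-log export into event records."""
    events = []
    for line in text.splitlines():
        ts, event_id, message = line.split("|", 2)
        events.append({"ts": datetime.strptime(ts, FMT),
                       "event_id": int(event_id), "message": message})
    return events


def correlate(iis_rows, app_events, uri="/sitecore/blocked.aspx", window=5):
    """Return POSTs to `uri` that have an Event ID 1316 within `window` seconds.

    A lone 1316 (e.g. a stale browser tab) is noise; a 1316 paired with a POST
    to a ViewState-accepting page is the pattern worth reviewing.
    """
    delta = timedelta(seconds=window)
    failures = [e["ts"] for e in app_events if e["event_id"] == 1316]
    hits = []
    for r in iis_rows:
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() != uri:
            continue
        if any(abs(r["ts"] - f) <= delta for f in failures):
            hits.append({"ts": r["ts"].strftime(FMT),
                         "client": r["c-ip"], "status": r["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(parse_iis(IIS_LOG), parse_app_log(APP_LOG)):
        print(hit)
```

The third POST (from 198.51.100.9) is not reported because the only application event near it is a 1309, not a 1316.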

Recorded Future’s Insikt Group® created a Nuclei template, which is available to Recorded Future customers, to detect CVE-2025-53690. The template sends a GET request to the /sitecore/shell/sitecore.version.xml endpoint, verifies that the HTTP status code is 200, and checks whether the response body contains <major> and <minor> tags indicating a major version of 0-8 or exactly 9.0 (major 9 with minor 0). If confirmed, it extracts the Sitecore major and minor numbers from the XML body using regex and formats them into a normalized string (Sitecore Version: X.Y). If the XML is unavailable, the template performs a fallback GET request to /sitecore/login, verifies that the status code is 200, and checks for the login banner text matching Sitecore.NET x.y for versions 0-8.x or 9.0.

This template fingerprints two Sitecore endpoints and flags instances reporting versions before or equal to 8.x, or exactly 9.0, ranges historically associated with deployment guides that included a sample ASP.NET <machineKey>. It does not verify whether a static or compromised <machineKey> is present, nor whether a ViewState endpoint is reachable. Exploitability for CVE-2025-53690 depends on the use (or compromise) of a static machine key, not the version alone.

This template performs non-invasive fingerprinting by issuing two GET requests to the Sitecore version and login endpoints and evaluating their response. It verifies the presence of identified keywords in the body, confirms 200 status codes, and extracts version strings using regex. No payloads are sent, no authentication is attempted, and no system state is modified (no file writes, configuration changes, or persistence). Expected observables are limited to a routine HTTP GET request recorded in access logs. This Nuclei template is intended for use in authorized environments only.
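The version-matching logic the template applies (major 0-8, or exactly 9.0, from either sitecore.version.xml or the login banner) is shown below as an added Python example; it is not the Insikt Group template itself. The sample XML body follows the <major>/<minor> layout the text names, and the login banner markup is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample responses mimicking the two endpoints the template inspects.
SAMPLE_VERSION_XML = """<?xml version="1.0" encoding="utf-8"?>
<information>
  <version>
    <major>8</major>
    <minor>2</minor>
    <revision>170728</revision>
  </version>
</information>"""

SAMPLE_LOGIN_HTML = '<div class="login-footer">Sitecore.NET 9.0 (rev. 171002)</div>'

LOGIN_BANNER = re.compile(r"Sitecore\.NET\s+(\d+)\.(\d+)")


def version_from_xml(body: str):
    """Return (major, minor) from sitecore.version.xml, or None if unparsable."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    major, minor = root.find(".//major"), root.find(".//minor")
    if major is None or minor is None:
        return None
    try:
        return int(major.text.strip()), int(minor.text.strip())
    except (AttributeError, ValueError):
        return None


def version_from_login(body: str):
    """Fallback: read 'Sitecore.NET x.y' from the login page banner."""
    m = LOGIN_BANNER.search(body)
    return (int(m.group(1)), int(m.group(2))) if m else None


def in_legacy_range(major: int, minor: int) -> bool:
    """True for 0.x-8.x or exactly 9.0: the ranges whose deployment guides
    shipped a sample <machineKey>. This is a version hint only; it says
    nothing about whether a static machine key is actually in web.config."""
    return major <= 8 or (major == 9 and minor == 0)


def assess(xml_status, xml_body, login_status=None, login_body=None):
    """Apply the template's two-step fingerprint and return a normalized result."""
    version, source = None, None
    if xml_status == 200:
        version, source = version_from_xml(xml_body), "sitecore.version.xml"
    if version is None and login_status == 200 and login_body:
        version, source = version_from_login(login_body), "/sitecore/login banner"
    if version is None:
        return {"flagged": False, "version": None, "source": None}
    return {"flagged": in_legacy_range(*version),
            "version": f"Sitecore Version: {version[0]}.{version[1]}",
            "source": source}
```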

Sitecore recommends customers who deployed XM, XP, or XC with the sample ASP.NET machine key from legacy guidance (XP 9.0 or earlier and Active Directory 1.4 or earlier) to immediately:

For configurations that require static machine keys, Sitecore recommends that customers follow its machine-key rotation procedure as a best practice and to rotate keys if compromise is suspected. Additionally, Mandiant also recommends hardening ASP.NET itself by enabling ViewState Message Authentication Code (MAC), moving to automatic per-app machine-key rotation, and encrypting other plaintext secrets in web.config beyond the <machineKey> element.

Additionally, Mandiant provided the following indicators of compromise (IoCs):

At the time of writing, there were 330 exposed Sitecore instances on Shodan, most of which were geolocated in the United States (US), followed by Australia, the United Arab Emirates (UAE), South Africa, and the United Kingdom (UK). However, not all of these are necessarily vulnerable, since Shodan does not reveal the specific version strings that can be extracted through targeted requests.

Figure 2: Vulnerability Intelligence Card® for CVE-2025-53690 in Recorded Future (Source: Recorded Future)

Insikt-Validated TTP: Using Nuclei to Detect CVE-2021-21311, an Actively Exploited Server-Side Request Forgery Vulnerability in Adminer

On September 29, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-21311 to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2021-21311 is a high-severity server-side request forgery (SSRF) vulnerability in Adminer versions 4.0.0 through 4.7.8, affecting users of Adminer bundling all drivers (for example, adminer.php). Users should therefore upgrade to version 4.7.9. Adminer is an open-source database management tool that natively supports Structured Query Language (SQL) database systems (for example, MySQL, PostgreSQL, SQLite, MS SQL, MariaDB, and Oracle) and can be extended via plugins to support systems like Elasticsearch and MongoDB.

CVE-2021-21311 enables SSRF via Adminer’s HTTP-based drivers, allowing a remote unauthenticated attacker to coerce the application into issuing arbitrary HTTP GET requests to internal endpoints and echoing the response body in the user interface.

Security researchers demonstrated a proof-of-concept that starts a simple Python HTTP server that replies with a 301 redirect to an AWS Instance Metadata Service (IMDS) endpoint; when Adminer “logs in” to the attacker-controlled server using the Elasticsearch module, it follows the redirect and prints the IMDS response, confirming access to metadata and enabling retrieval of sensitive information such as AWS access keys.

Successfully exploiting the vulnerability can therefore expose sensitive information, enable access to internal resources, and in environments where internal HTTP services are reachable (for example, Elasticsearch/ClickHouse application programming interfaces [APIs]), permit data modification or unauthorized administrative actions. An attacker can also automate SSRF to probe and enumerate internal services; in cloud deployments, any exfiltrated credentials inherit the permissions of the instance profile, enabling lateral movement or escalation consistent with that role.

Recorded Future’s Insikt Group® created a Nuclei template, which is available to Recorded Future customers, to detect CVE-2021-21311. The template sends a POST request to common Adminer paths (for example, /adminer.php and /index.php), setting auth[driver]=elastic and auth[server]=example.com with placeholder credentials (username and database default to test). This prompts vulnerable builds to attempt an outbound fetch and surface an error page. A target is flagged when the HTTP status is 200, 400, or 403 and the response body contains a 400 - Bad Request title (raw or HTML-escaped), indicating Adminer displayed a 400 error page during the external fetch attempt. On patched Adminer versions (4.7.9 and later), non-200 response bodies are not printed (see commit ccd2374).

This template performs a non-intrusive SSRF check against Adminer by sending a crafted POST request to a small set of common Adminer paths. No authentication is attempted, no database content is modified, and no system state is altered (for example, no file writes, configuration changes, or persistence). Expected observables are limited to a small number of HTTP POST requests recorded in access logs and an HTML response containing a 400 - Bad Request title (consistent with the external fetch attempt outlined above). An outbound HTTP request from the target toward example.com may also be visible in egress logs. This Nuclei template is intended for use in authorized environments only.
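The matching rules described above (the elastic-driver POST body, the 200/400/403 status set, and the raw-or-HTML-escaped 400 - Bad Request title), together with the affected version range 4.0.0 through 4.7.8, are shown below as an added Python example; it is not the Insikt Group template. The version regex assumes the rendered page shows the version as "Adminer 4.7.8" once tags are stripped, and the sample HTML snippets are constructed.

```python
import html
import re
from urllib.parse import urlencode

ADMINER_PATHS = ("/adminer.php", "/index.php")
AFFECTED_MIN, FIRST_FIXED = (4, 0, 0), (4, 7, 9)   # 4.0.0 <= v < 4.7.9
VERSION_RE = re.compile(r"Adminer\s+(\d+\.\d+(?:\.\d+)?)")


def parse_version(v: str):
    """'4.7.8' -> (4, 7, 8); pads '4.7' to (4, 7, 0); None if not numeric."""
    try:
        nums = tuple(int(p) for p in v.strip().split("."))
    except ValueError:
        return None
    return nums + (0,) * (3 - len(nums))


def is_affected_version(v: str):
    """Numeric comparison so that 4.7.10 is correctly treated as fixed."""
    parsed = parse_version(v)
    if parsed is None:
        return None
    return AFFECTED_MIN <= parsed < FIRST_FIXED


def extract_version(body: str):
    """Pull the version from rendered HTML (assumed 'Adminer x.y.z' text)."""
    m = VERSION_RE.search(re.sub(r"<[^>]+>", " ", body))
    return m.group(1) if m else None


def probe_body(server: str = "example.com") -> str:
    """Form body the template posts: elastic driver, placeholder user/db."""
    return urlencode({"auth[driver]": "elastic", "auth[server]": server,
                      "auth[username]": "test", "auth[db]": "test"})


def matches(status: int, body: str) -> bool:
    """Flag when the status is 200/400/403 and the 400 title is present,
    whether raw or HTML-escaped (html.unescape normalizes both forms)."""
    if status not in (200, 400, 403):
        return False
    return "400 - Bad Request" in html.unescape(body)
```

Patched builds (4.7.9 and later) no longer print non-200 response bodies, so the title never appears and matches() stays False.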

At the time of writing, there were 9,651 exposed Adminer instances on Shodan, most of which are geolocated in Germany, the US, Russia, France, and Singapore. However, not all of these are necessarily vulnerable, as their specific versions are unknown.

Attack Chain Scenario for WhatsApp Zero-Click (CVE-2025-55177) and Apple OOB Write (CVE-2025-43300) Vulnerabilities Published

On August 30, 2025, security researcher Vaibhav Kanada published a technical blog detailing an attack chain scenario for CVE-2025-55177 and CVE-2025-43300. CVE-2025-55177 is a zero-click authorization bypass vulnerability in WhatsApp’s linked-device synchronization feature, affecting WhatsApp for iOS versions before 2.25.21.73, WhatsApp Business for iOS versions prior to 2.25.21.78, and WhatsApp for Mac versions prior to 2.25.21.78. CVE-2025-43300 is an out‑of‑bounds (OOB) write vulnerability in Apple’s ImageIO framework, affecting iOS, iPadOS, and macOS versions before iOS 18.6.2, iPadOS 18.6.2, and macOS Sequoia 15.6.1. CVE-2025-55177 allows threat actors to deliver crafted synchronization messages containing malicious URLs, forcing vulnerable devices to download and process untrusted online content. When combined with CVE-2025-43300, threat actors can escalate privileges and compromise targeted iOS, iPadOS, and macOS systems.

On August 20, 2025, WhatsApp released client updates to fix CVE-2025-55177, and Apple released iOS 18.6.2, iPadOS 18.6.2, and macOS Sequoia 15.6.1 to patch CVE-2025-43300. Additionally, WhatsApp stated that CVE-2025-55177 and CVE-2025-43300 may have been exploited in the wild against targeted users before the release of the patches. On August 20, 2025, CISA added CVE-2025-43300 to its KEV catalog, and added CVE-2025-55177 on September 2, 2025.

CVE-2025-55177 stems from the incomplete authorization in WhatsApp’s linked-device synchronization feature. This feature authenticates and synchronizes messages and activity between a user’s primary device and linked companion devices, ensuring that devices paired by the user can securely exchange and process synchronization messages. However, WhatsApp fails to enforce proper authorization checks, which allows unauthorized devices to send crafted synchronization messages that force the victim’s client to process malicious remote content.

CVE-2025-43300 stems from insufficient bounds checking in Apple’s ImageIO framework. This framework parses and renders common image formats, such as JPEG and TIFF, to display media across iOS, iPadOS, and macOS. However, ImageIO fails to properly validate image metadata structures, which allows crafted files to trigger OOB writes that corrupt memory and enable threat actors to execute arbitrary code with elevated privileges.

Kanada provided the following attack chain scenario for the exploitation of CVE-2025-55177 and CVE-2025-43300:

  1. The threat actor exploits CVE-2025-55177 by sending a malicious synchronization message with a crafted URL to the target’s linked device.
  2. The victim’s WhatsApp client processes the remote content without proper authorization and executes malicious payloads hosted on threat actor-controlled infrastructure. If the payload contains a malicious image exploiting CVE-2025-43300, it runs with escalated privileges and bypasses Apple’s security mechanisms.
  3. The threat actor installs persistent malware, exfiltrates data, or further compromises the device with escalated privileges.

This attack chain scenario demonstrates a critical exploitation path combining application-level authorization bypass with kernel-level privilege escalation.

Figure 3: Vulnerability Intelligence Card® for CVE-2025-43300 in Recorded Future (Source: Recorded Future)

Prominent Vulnerability Disclosures from September 2025

Recorded Future Risk Scores range from “None” (0) to “Very Critical” (90-99) and can change with new analytics and sources. Insikt Group identified 1,096 vulnerabilities disclosed in September with Risk Scores of 65 or above (High to Very Critical). The table below lists the sixteen vulnerabilities that were actively exploited in September based on Recorded Future® data.

The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

| # | Vulnerability | Risk Score | Affected Vendor/Product | Vulnerability Type/Component | Public PoC |
|---|---|---|---|---|---|
| 1 | CVE-2025-32463 | 99 | Sudo | CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) | Yes |
| 2 | CVE-2025-59689 | 99 | Libraesva Email Security Gateway | CWE-77 (Command Injection) | No |
| 3 | CVE-2025-10035 | 99 | Fortra GoAnywhere MFT | CWE-502 (Deserialization of Untrusted Data); CWE-77 (Command Injection) | Yes |
| 4 | CVE-2025-20352 | 99 | Cisco IOS and IOS XE | CWE-121 (Stack-Based Buffer Overflow) | Yes |
| 5 | CVE-2021-21311 | 99 | Adminer | CWE-918 (Server-Side Request Forgery) | Yes |
| 6 | CVE-2025-20362 | 99 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense | CWE-862 (Missing Authorization) | No |
| 7 | CVE-2025-20333 | 99 | Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense | CWE-120 (Classic Buffer Overflow) | No |
| 8 | CVE-2025-10585 | 99 | Google Chromium V8 | CWE-843 (Type Confusion) | No |
| 9 | CVE-2025-5086 | 99 | Dassault Systèmes DELMIA Apriso | CWE-502 (Deserialization of Untrusted Data) | Yes |
| 10 | CVE-2025-38352 | 89 | Linux Kernel | CWE-367 (Time-of-Check Time-of-Use Race Condition) | No |
| 11 | CVE-2025-48543 | 99 | Android Runtime | CWE-416 (Use-After-Free) | Yes |
| 12 | CVE-2025-53690 | 99 | Sitecore Experience Manager (XM), Experience Platform (XP), and Experience Commerce (XC) | CWE-502 (Deserialization of Untrusted Data) | No |
| 13 | CVE-2023-50224 | 89 | TP-Link TL-WR841N | CWE-290 (Authentication Bypass by Spoofing) | No |
| 14 | CVE-2025-9377 | 89 | TP-Link Multiple Routers | CWE-78 (OS Command Injection) | No |
| 15 | CVE-2020-24363 | 89 | TP-Link TL-WA855RE | CWE-306 (Missing Authentication for Critical Function) | No |
| 16 | CVE-2025-55177 | 89 | Meta Platforms WhatsApp | CWE-863 (Incorrect Authorization) | No |

Table 1: List of vulnerabilities that were actively exploited in September based on Recorded Future data.

How Recorded Future reduces risk from CVEs

Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.

Vulnerability Intelligence – Prioritize vulnerabilities based on the likelihood of exploitation, not just the severity. Easily understand the risk of exploitation alongside severity, with real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.

Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.

Figure 4: Signature for CVE-2025-53690 in Recorded Future Attack Surface Intelligence® (Source: Recorded Future)

Third-Party Intelligence – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.

Insikt Group – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group. Download Nuclei templates created by Insikt Group for select CVEs to test potentially vulnerable instances.

Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help elevate your team by watching our recent Vulnerability Prioritization Workshop.)

About Insikt Group®:

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.