Recorded Future’s Insikt Group identified sixteen high-impact vulnerabilities in September 2025 that should be prioritized for remediation, a slight decrease from August’s eighteen, with Cisco and TP-Link accounting for six of the sixteen issues and several vulnerabilities enabling RCE or command injection. Threat actors exploited Cisco ASA flaws (CVE-2025-20333, CVE-2025-20362) to deploy RayInitiator and LINE VIPER and abused Sitecore CVE-2025-53690 to deliver WEEPSTEEL, EARTHWORM, and SharpHound.
Keypoints
- Recorded Future’s Insikt Group flagged sixteen actively exploited, high-impact CVEs for September 2025, down from eighteen in August, and the number of Very Critical risk scores (11) also fell month over month.
- Cisco and TP-Link dominated September disclosures, together representing six of the sixteen prioritized vulnerabilities impacting IOS, IOS XE, Secure Firewall, and multiple TP-Link router models.
- Two Cisco ASA vulnerabilities (CVE-2025-20333 and CVE-2025-20362) were actively exploited to deploy the multi-stage bootkit RayInitiator and modular shellcode LINE VIPER, allowing persistent in-boot compromises and extensive data exfiltration capabilities.
- Sitecore CVE-2025-53690 (ViewState deserialization) was actively exploited using exposed/static machine keys to deliver WEEPSTEEL, EARTHWORM, and SharpHound, enabling reconnaissance, RDP pivoting, and credential theft.
- Insikt Group created six Nuclei templates in September (including for Sitecore CVE-2025-53690 and Adminer CVE-2021-21311) and identified public PoCs for six of the sixteen vulnerabilities.
- Common weaknesses included CWE-502 (deserialization), command injection (CWE-77/CWE-78), and various authorization/authentication flaws (CWE-862, CWE-863, CWE-290, CWE-306), with seven vulnerabilities enabling RCE or command injection across multiple vendors.
- Mitigations recommended include applying vendor patches (Cisco, WhatsApp, Apple), removing unsupported devices, rotating static machine keys, restricting management interfaces, and monitoring for IoCs and abnormal traffic/log suppression.
MITRE Techniques
- [T1210] Exploitation of Remote Services – Exploited Cisco ASA HTTP(S)/WebVPN vulnerabilities CVE-2025-20333 and CVE-2025-20362 to achieve remote code execution and persistence (“…enable an unauthenticated, remote threat actor to gain complete control over vulnerable VPN and WebVPN services…”).
- [T1547] Boot or Logon Autostart Execution – RayInitiator patches GRUB/ROMMON and hooks the kernel load path to invoke Stage 1 early in boot for persistence (“…patch a compromised Cisco ASA’s GNU Grand Unified Bootloader (GRUB) to invoke RayInitiator Stage 1 early in boot…”).
- [T1608] Exploit Public-Facing Application – Sitecore CVE-2025-53690 exploited via ViewState deserialization using an exposed machine key to execute Information.dll (WEEPSTEEL) (“…leveraged this exposed machine key to execute arbitrary code (RCE)…”).
- [T1040] Network Sniffing – LINE VIPER/RayInitiator support hidden packet captures of protocols such as RADIUS, LDAP, and TACACS to harvest credentials and traffic (“…perform hidden packet captures (RADIUS, LDAP, TACACS)…”).
- [T1105] Ingress Tool Transfer – Threat actors delivered modular payloads and tools (EARTHWORM, DWAgent, SharpHound, GoToken.exe) to compromised Sitecore hosts for persistence and reconnaissance (“…deployed EARTHWORM to establish reverse SOCKS tunnels… installed DWAgent as a SYSTEM service… executed SharpHound… and used GoToken.exe…”).
- [T1078] Valid Accounts – Attackers used valid VPN credentials or created local admin accounts (asp$, sawadmin) and used VPN/WebVPN authentication bypasses to escalate or maintain access (“…a remote, authenticated attacker with valid VPN credentials can achieve remote code execution… created local administrator accounts (asp$ and sawadmin)…”).
- [T1020] Automated Exfiltration – LINE VIPER exfiltrates data via encrypted WebVPN XML responses or ICMP tunneled to raw-TCP channels to threat actor IPs (“…exfiltrates collected data either inside encrypted WebVPN XML responses or via the ICMP to raw-TCP channel…”).
- [T1190] Exploit Public-Facing Application (SSRF) – CVE-2021-21311 in Adminer allowed SSRF to access internal services and metadata (e.g., AWS IMDS) by coercing HTTP GET requests (“…allows a remote unauthenticated attacker to coerce the application into issuing arbitrary HTTP GET requests to internal endpoints…”).
- [T1055] Process Injection/Hijacking – RayInitiator/LINE VIPER hook and overwrite function pointers (sched_getparam, form handlers) to redirect execution into staged kernel and userland payloads (“…overwrites the form element handler to point at the sched_getparam hook… overwrites the sched_getparam table entry… to point to the Stage 3 kernel copy…”).
Indicators of Compromise
- [File Hashes] malware and tooling – SHA-256 a566ccea…4307 (WEEPSTEEL Information.dll), SHA-256 b3f83721…0a52b (EARTHWORM components), and other hashes (SharpHound, 7-Zip executable).
- [File Names] artifacts observed on compromised hosts – Information.dll (WEEPSTEEL), sh.exe (SharpHound), 1.vbs (EARTHWORM loader), helper.exe/main.exe/GoToken.exe and helper.ico.
- [IP Addresses] C2 servers used in the Sitecore campaign – 130[.]33[.]156[.]194:443, 130[.]33[.]156[.]194:8080, and 103[.]235[.]46[.]102:80.
- [Accounts/Hostnames] local accounts and workstation identifiers – asp$ (created admin account), sawadmin (created admin account), H496883 (RDP workstation identifier).
- [CVE Identifiers] exploited vulnerabilities referenced – CVE-2025-20333, CVE-2025-20362, CVE-2025-53690, CVE-2021-21311, and others from the September list (e.g., CVE-2025-59689, CVE-2025-10035).
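The indicators above are printed defanged and with truncated hashes, which is how they arrive in most reports. The following is an added example (not code from Recorded Future or the original post) of turning them into token-bounded matchers and running them over a few constructed log lines; the sample lines and the zero-filled SHA-256 are placeholders built for the demonstration, not real telemetry.

```python
import re

# Indicators as printed on the page (defanged); the hashes are truncated there, so the
# matcher below only checks the head and tail it knows. These are look-ups against
# existing log data, nothing is contacted.
C2_ENDPOINTS = ["130[.]33[.]156[.]194:443", "130[.]33[.]156[.]194:8080", "103[.]235[.]46[.]102:80"]
FILE_NAMES = ["Information.dll", "sh.exe", "1.vbs", "helper.exe", "main.exe", "GoToken.exe", "helper.ico"]
ACCOUNTS = ["asp$", "sawadmin"]
TRUNCATED_SHA256 = ["a566ccea…4307", "b3f83721…0a52b"]

def refang(ioc: str) -> str:
    """Turn the report's 130[.]33[.]156[.]194 notation back into a matchable IP string."""
    return ioc.replace("[.]", ".")

def literal_pattern(literal: str) -> re.Pattern:
    """Match the literal only as a whole token: ':443' must not hit ':4433', 'sh.exe' must not hit 'flash.exe'."""
    return re.compile(r"(?<![\w.$])" + re.escape(literal) + r"(?![\w.$])", re.IGNORECASE)

def truncated_hash_pattern(truncated: str) -> re.Pattern:
    """Build a regex for a SHA-256 printed as head…tail; head + gap + tail must total 64 hex chars."""
    head, tail = truncated.split("…")
    gap = 64 - len(head) - len(tail)
    return re.compile(rf"(?<![0-9a-f]){head}[0-9a-f]{{{gap}}}{tail}(?![0-9a-f])", re.IGNORECASE)

PATTERNS = (
    [("c2_endpoint", ioc, literal_pattern(refang(ioc))) for ioc in C2_ENDPOINTS]
    + [("file_name", ioc, literal_pattern(ioc)) for ioc in FILE_NAMES]
    + [("account", ioc, literal_pattern(ioc)) for ioc in ACCOUNTS]
    + [("sha256", ioc, truncated_hash_pattern(ioc)) for ioc in TRUNCATED_SHA256]
)

def scan_line(line: str) -> list:
    """Return (kind, indicator-as-published) for every page IoC found in one log line."""
    return [(kind, ioc) for kind, ioc, pat in PATTERNS if pat.search(line)]

# Constructed sample lines (not real telemetry). The sha256 value is a placeholder
# built from the published head/tail with zero filler so the matcher can be exercised.
SAMPLE_LOGS = [
    "2025-09-12T10:01:22Z proxy CONNECT dst=130.33.156.194:8080 user=svc_web",
    "2025-09-12T10:03:05Z proxy CONNECT dst=130.33.156.194:4433 user=svc_web",
    "EventID=4720 TargetUserName=asp$ SubjectUserName=Administrator",
    "FileCreate path=C:\\inetpub\\wwwroot\\bin\\Information.dll sha256=" + "a566ccea" + "0" * 52 + "4307",
    "GET /index.html 200 flash.exe",
]

def scan_logs(lines=SAMPLE_LOGS) -> dict:
    """Map each line index to its hits; lines without hits are omitted."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}

if __name__ == "__main__":
    for idx, hits in scan_logs().items():
        print(idx, hits)
```

The second proxy line (port 4433) and the `flash.exe` line deliberately produce no hits, which is the false-positive case naive substring matching on defanged indicators gets wrong.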
Read more: https://www.recordedfuture.com/blog/september-2025-cve-landscape