In August 2025, Recorded Future’s Insikt Group® identified eighteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the 22 identified in July.
However, the number of Very Critical vulnerabilities has remained the same (16) compared to July. These vulnerabilities have affected the following vendors: Trend Micro, WinRAR, N-able, Cisco, Apple, Citrix, FreePBX, Git, Microsoft, D-Link, and Fortinet.
August was dominated by Citrix and D-Link flaws, which represented six of the eighteen vulnerabilities. Threat actors actively exploited Citrix NetScaler ADC, NetScaler Gateway, and Citrix Session Recording products, as well as D-Link DNR-322L and DCS-2530L routers.
Recorded Future Insikt Group’s CVE Findings from August 2025:
- CWE-78 (OS Command Injection) was the most commonly exploited weakness, followed by CWE-502 (Deserialization of Untrusted Data) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
- One of the eighteen vulnerabilities was associated with a malware campaign: the Russia-linked threat group RomCom exploited CVE-2025-8088 to deliver a SnipBot backdoor variant, a RustyClaw downloader, and a Mythic C2 agent.
- Six of the eighteen vulnerabilities (CVE-2025-8088, CVE-2025-7775, CVE-2025-57819, CVE-2024-8069, CVE-2013-3893, and CVE-2007-0671) allowed attackers to conduct remote code execution (RCE). These six vulnerabilities affected WinRAR, Citrix, FreePBX, and Microsoft products.
Exploitation and Detection Highlights
This section highlights a sample of the highest-impact vulnerabilities this month, each with a Very Critical or Critical Recorded Future Risk Score; where applicable, it also highlights the availability of Nuclei templates created by Insikt Group. This section focuses on vulnerabilities with available PoCs or technical analyses. It does not highlight vulnerabilities whose public information is limited to a description of the CVE.
Threat Actors Actively Exploiting Citrix NetScaler Instances: CVE-2025-7775
On August 26, 2025, Citrix confirmed active exploitation of CVE-2025-7775, a critical memory overflow vulnerability (CWE-119) affecting Citrix NetScaler ADC and Gateway appliances. The vulnerability allows unauthenticated threat actors to achieve RCE or denial of service (DoS). The United States Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog and mandated that federal agencies patch or discontinue affected products by August 28, 2025.
Threat actors have exploited this vulnerability in the wild to deploy web shells that establish persistence. The attack chain involves exploitation of the pre-authentication RCE flaw on internet-exposed NetScaler instances, enabling arbitrary code execution and long-term access via dropped web shells. Successful exploitation can result in data exfiltration, lateral movement, and full network compromise. Affected configurations include appliances operating as Gateway/AAA virtual servers, load balancing (LB) virtual servers bound to IPv6 or DBS IPv6, and content routing (CR) virtual servers with HDX. At the time of writing, there were 8,926 instances vulnerable to CVE-2025-7775, according to the Shadowserver Foundation. Most of these are geolocated in North America (3,364) and Europe (3,112). Overall, there are 58,192 exposed NetScaler instances on Shodan; however, not all of these are necessarily vulnerable, as their specific versions are unknown.
Citrix has released patches for the following builds: 14.1-47.48 and later, 13.1-59.22 and later, 13.1-FIPS/NDcPP 13.1-37.241 and later, and 12.1-FIPS/NDcPP 12.1-55.330 and later. No workarounds are currently available, and Citrix strongly advises administrators to upgrade immediately. Additionally, Citrix disclosed two other high-severity vulnerabilities: CVE-2025-7776, a memory overflow vulnerability leading to denial of service, and CVE-2025-8424, an improper access control flaw on the management interface. While less critical, these vulnerabilities further increase the urgency for patching.

RomCom Exploited CVE-2025-8088 to Deliver a Snipbot Variant, RustyClaw, and Mythic Agent
On August 12, 2025, Insikt Group published a Validated Intelligence Event (VIE) summarizing ESET’s report on Russia-linked threat group RomCom (which overlaps with the threat group Recorded Future tracks as the Cuba Ransomware Gang) exploiting CVE-2025-8088, observed between July 18 and July 21, 2025. CVE-2025-8088 is a path traversal vulnerability in WinRAR that allows a threat actor to use alternate data streams (ADS) to hide and deploy malicious files from seemingly benign archives upon extraction. According to ESET, RomCom exploited CVE-2025-8088 to deliver a SnipBot backdoor variant, a RustyClaw downloader, and a Mythic C2 agent. On August 12, 2025, CISA added CVE-2025-8088 to its KEV catalog. Users should upgrade to WinRAR version 7.13.
Based on ESET’s blog, RomCom sent phishing emails that contain RAR archive attachments disguised as resumes. Once opened, the RAR archive dropped a malicious shortcut file (LNK) inside the Windows Startup folder for persistence and a malicious dynamic-link library (DLL) or executable (EXE) inside the %TEMP% or %LOCALAPPDATA% directory respectively, depending on the execution chain.
In the first execution chain, the LNK file used COM hijacking to execute the dropped DLL file (msedge.dll). The msedge.dll file decrypted embedded shellcode, then checked the target system’s domain name against a hard-coded value. If it matched, msedge.dll executed the decrypted shellcode containing the Mythic agent. Once active, the Mythic agent established an encrypted connection to RomCom’s command-and-control (C2) server at hxxps://srlaptop[.]com/s/0.7.8/clarity[.]js. At the time of writing, the URL returns an error message (403 Forbidden).
In the second execution chain, the LNK file executed the dropped EXE file (ApbxHelper.exe), which ESET identified as a trojanized PuTTY CAC binary signed with an invalid code-signing certificate. The ApbxHelper.exe file decrypted embedded shellcode, then checked the RecentDocs registry key to confirm that at least 69 documents had been recently opened. If the system met the condition, the ApbxHelper.exe file executed the shellcode, which ESET identified as a SnipBot backdoor variant. Once running, SnipBot connected to RomCom’s C2 at hxxps://campanole[.]com/TOfrPOseJKZ to download additional payloads. At the time of writing, the URL returns an error message (403 Forbidden).
In the third execution chain, the LNK file ran the dropped EXE file (Complaint.exe), which ESET identified as a RustyClaw downloader written in Rust and signed with an invalid code-signing certificate. The RustyClaw downloader retrieved a file named install_module_x64.dll from hxxps://melamorri[.]com/iEZGPctehTZ. At the time of writing, the URL was inactive. According to ESET, the install_module_x64.dll partially matched characteristics of the MeltingClaw downloader, which then connected to a C2 server at hxxps://gohazeldale[.]com for further malicious operations. At the time of writing, the URL returns an error message.
Insikt Group obtained the following samples related to RomCom’s campaign shared by ESET from Recorded Future Malware Intelligence:
- Compliant.exe (RustyClaw): 0517d413beb3e124e773d7ccc1983b226d6593d1f46a81ba7e79a8b48d6242fa
- Msedge.dll (Mythic agent): e0cbe8f18315a2ee781de48565dc8a087a1564557c42c66067f65c267120c894
- ApbxHelper.exe (SnipBot backdoor variant): 8082956ace8b016ae8ce16e4a777fe347c7f80f8a576a6f935f9d636a30204e7
Sandbox analysis detected the RustyClaw sample as malicious. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:
- Retrieves system information
- Enumerates files and directories
- Terminates running processes
- Detects debuggers using the IsDebuggerPresent application programming interface (API) function
- Retrieves system time
Sandbox analysis detected the Mythic agent as malicious due to its privilege escalation and persistence capabilities. The sample requires regsvr32.exe
to execute. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:
- Executes malicious code through COM hijacking
- Retrieves system information
- Detects debuggers using the IsDebuggerPresent API function
- Delays execution using the Sleep API function for evasion
- Terminates running processes
- Retrieves system time
Sandbox analysis detected the SnipBot backdoor variant as malicious. Based on sandbox and static code analysis, the sample performs the following actions on a victim’s machine:
- Captures desktop screenshots
- Creates a reverse shell
- Checks for mouse activity to detect virtual machine (VM) and sandbox environments
- Logs the victim’s keystrokes
- Retrieves the username of the currently logged-in user
- Retrieves system information
- Enumerates files and directories
- Retrieves the system language and the machine’s geolocation
- Accesses and modifies the victim’s clipboard data
- Terminates running processes
- Detects debuggers by comparing timings obtained with the GetTickCount API function and by calling the IsDebuggerPresent API function
- Retrieves system time
Alleged PoC for High-Severity Directory Traversal Vulnerability Affecting WinRAR (CVE-2025-8088), Published on GitHub
On August 11, 2025, GitHub user jordan922 published an alleged PoC for CVE-2025-8088. CVE-2025-8088 is an actively exploited, high-severity directory traversal vulnerability affecting WinRAR versions 7.11 and earlier. WinRAR is Windows software for compressing, decompressing, and managing archive files in formats like RAR and ZIP. CVE-2025-8088 allows a threat actor to craft malicious archives that override extraction paths, dropping executables into autorun directories like the Windows Startup folder to trigger automatic execution at the next login and enable RCE. On July 30, 2025, WinRAR developers released WinRAR version 7.13 to fix CVE-2025-8088.
CVE-2025-8088 stems from WinRAR’s improper handling of file paths when extracting archive contents. Specifically, WinRAR fails to adequately sanitize and restrict directory traversal sequences such as ..\\ in filenames within crafted archives. This flaw allows a threat actor to manipulate extraction paths so that files land outside the intended destination folder, including sensitive Windows directories like the Startup folder. As a result, the threat actor can place malicious executables or scripts inside these locations that trigger automatic execution on the next user login, bypassing normal user consent and enabling arbitrary code execution.
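The following Python is an added example, not code from the post or from WinRAR, showing the check an extraction routine should apply to each archive entry name before it writes anything: reject absolute paths and drive letters, NTFS alternate-data-stream syntax, and any parent-directory component, then confirm that the normalised destination still sits under the extraction root. The extraction root and the sample entry listing are constructed for the demonstration.

```python
import ntpath

# Constructed extraction root for the demo; ntpath lets the check run on any OS.
DEST_ROOT = r"C:\extract"

# Constructed entry names, not taken from any real sample.
SAMPLE_LISTING = [
    "resume.pdf",
    "docs/cover_letter.docx",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"resume.pdf:..\..\hidden.exe",
    r"C:\Windows\Temp\x.exe",
]


def entry_problem(name: str, dest_root: str = DEST_ROOT):
    """Return None if the entry may be extracted under dest_root, else a short reason."""
    if not name:
        return "empty name"
    # Treat both separators as path separators; WinRAR runs on Windows.
    unified = name.replace("\\", "/")
    # Absolute paths and drive letters are never legitimate entry names.
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return "absolute path or drive letter"
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    # NTFS alternate data stream syntax (file.txt:stream) is rejected: the post
    # notes that CVE-2025-8088 hid the traversal inside an ADS name.
    if any(":" in p for p in parts):
        return "alternate data stream syntax"
    # Any parent-directory component is rejected outright, even when the path
    # would still resolve inside dest_root; no benign archive needs one.
    if ".." in parts:
        return "parent-directory component"
    # Belt and braces: the normalised destination must remain under dest_root.
    resolved = ntpath.normpath(ntpath.join(dest_root, unified))
    root = ntpath.normpath(dest_root).rstrip("\\") + "\\"
    if not resolved.lower().startswith(root.lower()):
        return "escapes destination root"
    return None


def filter_entries(names, dest_root: str = DEST_ROOT):
    """Split a listing into (safe_names, rejected) where rejected maps name -> reason."""
    safe, rejected = [], {}
    for name in names:
        why = entry_problem(name, dest_root)
        if why is None:
            safe.append(name)
        else:
            rejected[name] = why
    return safe, rejected


if __name__ == "__main__":
    ok, bad = filter_entries(SAMPLE_LISTING)
    print("extract:", ok)
    for name, why in bad.items():
        print(f"reject {name!r}: {why}")
```

Rejecting every `..` component, rather than only those that end up outside the root, keeps the rule simple to audit and removes any dependence on how the platform normalises mixed separators.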
Based on the repository, the alleged PoC requires a payload file path and an output RAR file path. Once provided, it sets a path to the WinRAR command-line executable and crafts a malicious path containing ..\..\ sequences that point toward the current user’s Startup folder, appending the specified payload’s filename. The PoC then deletes any existing temporary workspace named rar_temp and creates a fresh one, constructing a matching folder structure inside this workspace. Afterward, the PoC copies the payload file into the target location within rar_temp. Following this, the PoC calls WinRAR with the arguments a -ep to create a RAR archive that preserves the malicious relative path so the payload lands inside the Startup folder when extracted on a vulnerable WinRAR version. The process stops on any WinRAR error, and upon success, the PoC prints confirmation of successful archive creation along with warnings to exclusively test in a controlled environment.
Recorded Future’s Insikt Group® did not test this PoC for accuracy or efficacy. At the time of writing, the PoC has gained nine “stars” and has been forked four times on GitHub.

Insikt Group® Validated TTP: Using Nuclei to Detect CVE-2025-8875 and CVE-2025-8876, Two Critical Insecure Deserialization and Command Injection Vulnerabilities in N-able N-central
On August 13, 2025, CISA added CVE-2025-8875 and CVE-2025-8876 to its KEV catalog. Both flaws affect N-able N-central before version 2025.3.1; users should therefore upgrade to version 2025.3.1 or later. N-central is a remote monitoring and management (RMM) platform used by managed service providers (MSPs) to centrally administer, automate, and secure client IT environments.
CVE-2025-8875 is a critical insecure deserialization vulnerability that allows authenticated attackers to execute code locally. CVE-2025-8876 stems from improper sanitization of user input and allows authenticated attackers to inject operating system commands. Further technical details are unavailable.
Insikt Group® created Nuclei templates, which are available to Recorded Future customers, to detect CVE-2025-8875 and CVE-2025-8876. Both templates send an HTTP GET request to N-central’s login page and check that the response contains the string class="ncentral", returns a 200 OK status code, and that the detected version is earlier than 2025.3.1.
This template performs a low-impact version detection by issuing a standard GET request to the server’s /login endpoint. It passively inspects the returned page content and status code to confirm product identity and compares the reported version against a known vulnerable range. No payloads are sent, no authentication is attempted, and no system state is modified. Expected observables are limited to a routine HTTP request in access logs. Insikt Group’s Nuclei templates are for use in authorized environments only.
At the time of writing, there were 2,554 exposed N-central instances on Shodan, most of which are geolocated in the US, followed by Germany, Australia, the United Kingdom (UK), and the Netherlands. However, not all of these are necessarily vulnerable, since Shodan does not reveal the specific version strings that can be extracted through targeted requests like the one used in this template.
Alleged PoC Scanner Tool for Critical RCE Vulnerability Affecting Cisco Secure FMC (CVE-2025-20265), Published on GitHub
On August 15, 2025, GitHub user jordan922 published an alleged PoC scanner tool for CVE-2025-20265. CVE-2025-20265 is a critical RCE vulnerability affecting the Cisco Secure Firewall Management Center (FMC) software versions 7.0.7 and 7.7.0 if Remote Authentication Dial-In User Service (RADIUS) authentication is enabled. RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) for users who connect to and use a network service. The Cisco Secure FMC software manages, monitors, and enforces security policies across Cisco Secure Firewalls. CVE-2025-20265 allows a remote, unauthenticated threat actor to inject and execute arbitrary commands with elevated privileges on vulnerable Cisco Secure FMC software, potentially leading to full system compromise. On August 14, 2025, Cisco released Cisco Secure FMC software versions 7.0.8 and 7.7.1 to fix CVE-2025-20265.
CVE-2025-20265 stems from Cisco Secure FMC’s improper handling of user-supplied input during the RADIUS authentication process. Specifically, FMC fails to properly validate and sanitize credential strings provided by a remote user when RADIUS authentication takes place. This flaw allows a threat actor to embed crafted shell commands inside the credential input, which the system processes as part of the authentication routine. As a result, these commands execute with elevated privileges on the vulnerable Cisco Secure FMC software, granting the threat actor complete control over the system and the ability to control all connected firewalls.
Based on the repository, the alleged PoC requires a username and password and either a target URL or a file containing target URLs. Once provided, the PoC authenticates to each Cisco FMC system by requesting an access token from the /api/fmc_platform/v1/auth/generatetoken endpoint. With this token, it queries the /api/fmc_platform/v1/info/serverversion endpoint to retrieve the system’s reported software version. The PoC then normalizes the version string (for example, trimming off build identifiers) and compares it against known affected versions. If it matches, the PoC outputs a warning message, indicating the system is vulnerable. Otherwise, the PoC prints an “OK” message with a reminder to check Cisco’s official advisory. Regardless of the result, the PoC concludes each report by noting that exploitation requires RADIUS to be enabled for web or secure shell (SSH) management.
Recorded Future’s Insikt Group® did not test this PoC for accuracy or efficacy. At the time of writing, the PoC has gained three “stars” and has been forked once on GitHub.
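The Citrix fixed-build list, the N-central template check, and the Cisco FMC version normalisation above all reduce to the same task: parse a vendor version or build string into something comparable and test it against the fixed or affected values the post quotes. The following Python is an added example, not Insikt Group's Nuclei templates or the GitHub PoC, that does this for all three. The fixed and affected version numbers come from the post; the N-central login-page version regex, the sample HTML body, the treatment of build suffixes, and the `fips` flag for the NetScaler FIPS/NDcPP branches are assumptions.

```python
import re

# Fixed NetScaler builds as listed in the post, keyed by (branch, FIPS/NDcPP build).
NETSCALER_FIXED = {
    ("14.1", False): "14.1-47.48",
    ("13.1", False): "13.1-59.22",
    ("13.1", True): "13.1-37.241",
    ("12.1", True): "12.1-55.330",
}
NCENTRAL_FIXED = "2025.3.1"          # N-able N-central fix version per the post
FMC_AFFECTED = {"7.0.7", "7.7.0"}    # Cisco Secure FMC affected versions per the post

# Assumption: the login page embeds a "YYYY.x[.y]" string somewhere in its HTML.
NCENTRAL_VERSION_RE = re.compile(r"\b(\d{4}\.\d+(?:\.\d+)?)\b")

# Constructed response body standing in for a real N-central /login page.
SAMPLE_NCENTRAL_LOGIN = (
    '<html><body class="ncentral"><div id="footer">N-central 2025.2.0</div></body></html>'
)


def parse_version(text: str) -> tuple:
    """Normalise a version/build string to a tuple of ints.
    Keeps the leading dotted/dashed numeric run and drops whatever follows it
    (build identifiers, parentheses); assumption: that is what the post means
    by "trimming off build identifiers". Tuples then compare numerically, so
    (7, 0, 10) > (7, 0, 7) as it should."""
    m = re.match(r"\s*v?(\d+(?:[.\-]\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in re.split(r"[.\-]", m.group(1)))


def netscaler_is_patched(build: str, fips: bool = False):
    """True/False for branches the post lists; None when the branch is not listed.
    Comparing within a branch matters: a naive global comparison would call
    14.1-40.x "newer" than 13.1-59.22 even though 14.1-40.x is unpatched."""
    v = parse_version(build)
    fixed = NETSCALER_FIXED.get((f"{v[0]}.{v[1]}", fips))
    if fixed is None:
        return None
    return v >= parse_version(fixed)


def ncentral_fingerprint(status: int, body: str):
    """Mirror the template's checks: 200 OK, class="ncentral" in the body, and a
    version string. Returns the version, or None if this is not an N-central page."""
    if status != 200 or 'class="ncentral"' not in body:
        return None
    m = NCENTRAL_VERSION_RE.search(body)
    return m.group(1) if m else None


def ncentral_is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(NCENTRAL_FIXED)


def fmc_assess(version_string: str, radius_enabled: bool) -> str:
    """'vulnerable' requires both an affected version and RADIUS enabled for
    web/SSH management, the condition the post's PoC repeats on every report."""
    v = ".".join(str(x) for x in parse_version(version_string))
    if v not in FMC_AFFECTED:
        return "ok"
    return "vulnerable" if radius_enabled else "affected-version-radius-disabled"


if __name__ == "__main__":
    print("NetScaler 14.1-43.50 patched:", netscaler_is_patched("14.1-43.50"))
    ver = ncentral_fingerprint(200, SAMPLE_NCENTRAL_LOGIN)
    print("N-central", ver, "vulnerable:", ncentral_is_vulnerable(ver))
    print("FMC 7.7.0 (build 91) with RADIUS:", fmc_assess("7.7.0 (build 91)", True))
```

Returning `None` for an unlisted NetScaler branch, rather than guessing, is deliberate: the post only gives fixed builds for the four branches above, and a scanner that silently reports "patched" for anything else hides the cases that most need a human look.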
Technical Blog and Alleged PoC for Critical Pre-Authentication Command Injection Vulnerability Affecting Fortinet FortiSIEM (CVE-2025-25256)
On August 15, 2025, cybersecurity firm watchTowr (watchtowrlabs on GitHub) published a technical blog detailing CVE-2025-25256. CVE-2025-25256 is a critical pre-authentication command injection vulnerability in Fortinet FortiSIEM, affecting version 5.4.x and all versions from 6.1 through 7.3.1. FortiSIEM is Fortinet’s enterprise Security Information and Event Management (SIEM) platform that provides real-time event correlation, threat detection, and incident response across cloud, network, and endpoint environments. CVE-2025-25256 allows unauthenticated threat actors to achieve RCE on the SIEM host, granting full control over a system intended as the central security monitoring platform of an enterprise. According to Fortinet’s advisory, exploit code had already circulated in the wild at the time of disclosure. On August 12, 2025, Fortinet published FortiSIEM versions 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10 to fix CVE-2025-25256, while requiring older versions to migrate to a fixed release. If upgrading is not possible, users can limit access to the phMonitor port (7900) as a workaround.
CVE-2025-25256 stems from FortiSIEM’s phMonitor component, a C++ binary listening on port 7900 over a transport layer security (TLS)-wrapped proprietary remote procedure call (RPC) that monitors process health and task distribution. Within this binary, the function phMonitorProcess::handleStorageArchiveRequest processes XML input received from clients. In vulnerable versions, the XML parser extracts parameters including the storage type, the network file system (NFS) server IP, and the archive directory. When the storage type is set to NFS, the function constructs a command string that invokes /opt/phoenix/deployment/jumpbox/datastore.py with the extracted parameters. Specifically, the vulnerable logic occurs when the function passes the NFS server IP and archive directory into the command using ShellCmd::addParaSafe, a flawed sanitization routine that exclusively escapes quotes instead of validating or constraining input. This weak routine allows shell metacharacter injection.
As a result, threat actor-controlled values in the archive directory element (or the NFS server IP element) could escape the intended argument structure and inject arbitrary shell commands. Since the command executes through phMiscUtils::do_system_cancellable, the system shell directly interprets the malicious input. The checks performed before execution, such as verifying the process role, parsing valid XML, and ensuring required XML elements exist, fail to mitigate this injection vector. Therefore, by sending a crafted XML payload to port 7900, a remote unauthenticated threat actor can trigger command execution with FortiSIEM’s privileges.
watchTowr shared an alleged PoC XML payload that exploits CVE-2025-25256 to write a file inside the /tmp/boom directory. The XML payload contains the malicious string touch${IFS}/tmp/boom, wrapped in backticks, inside the archive_nfs_archive_dir field. When the phMonitorProcess::handleStorageArchiveRequest function parses the XML, it extracts this value and passes it into the command line through ShellCmd::addParaSafe. Since this routine exclusively escapes quotes and does not validate or constrain the input, the injected backticks and ${IFS} sequence remain intact. The function then constructs a command string intended to run /opt/phoenix/deployment/jumpbox/datastore.py with normal parameters; however, the malicious archive directory value breaks out of the argument context. Once the command string reaches phMiscUtils::do_system_cancellable, the system shell interprets the injected payload and executes touch /tmp/boom, achieving arbitrary command execution with FortiSIEM’s privileges.
watchTowr also shared a Python-based detection artifact generator to detect FortiSIEM instances vulnerable to CVE-2025-25256. The script requires a target IP address and a command argument. Once provided, the script inserts the command into a crafted XML payload under the archive_nfs_archive_dir field. It then builds a packet header that contains metadata such as type and payload length, appends the XML content, and delivers the message over a TLS connection to port 7900. If the target runs a vulnerable FortiSIEM version, the phMonitorProcess::handleStorageArchiveRequest function parses the XML and passes the malicious archive directory value into the command string using the flawed ShellCmd::addParaSafe routine. Since the routine exclusively escapes quotes and fails to constrain input, the injected value remains intact and flows into phMiscUtils::do_system_cancellable, where the system shell interprets and executes it. This sequence causes the supplied command to run on the host, resulting in an observable effect that defenders can monitor to validate exploitability and test detection coverage.
At the time of writing, the detection artifact generator has gained sixteen “stars” and has been forked four times on GitHub.
Insikt Group created a Nuclei template, which is available to Recorded Future customers, to detect CVE-2025-25256. The template makes a TLS connection to FortiSIEM’s phMonitor service on port 7900 and sends an XML payload wrapped in a phMonitor RPC header. The XML sets archive_storage_type=nfs and places a backticked `echo${IFS}/` command into archive_nfs_archive_dir. The template's matcher looks for the 4-byte \x01\x00\x00\x00 success code as evidence that the request was accepted and processed.
This template uses a low-impact proof-of-execution payload that does not modify system state (no file writes or persistence). It sends the aforementioned crafted XML that executes a benign command (echo${IFS}/) and then matches on the service's protocol-level response rather than the command's output. Expected observables may include a short-lived child process and FortiSIEM service logs; no outbound network traffic is expected. Insikt Group’s Nuclei templates are for use in authorized environments only.
At the time of writing, there were 413 FortiSIEM instances on Shodan, most of which are geolocated in the US, Canada, India, Kenya, and Singapore. However, not all of these are necessarily vulnerable, since Shodan does not reveal the specific version strings that can be extracted through targeted requests.
Prominent Vulnerability Disclosures from August 2025
Recorded Future Risk Scores range from “None” (0) to “Very Critical” (90-99) and can change with new analytics and sources. Insikt Group® identified 1,037 vulnerabilities disclosed in August with Risk Scores of 65 or above (High to Very Critical) per Recorded Future® data. The table below lists the eighteen vulnerabilities that were actively exploited in August based on Recorded Future data.
The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
[Table 1 is not reproduced here; only its Score column header survived extraction.]
Table 1: List of vulnerabilities that were actively exploited in August based on Recorded Future data.
How Recorded Future reduces risk from CVEs
Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.
Vulnerability Intelligence – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.
Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.

Third-Party Intelligence – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.
Insikt Group – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group. Download Nuclei templates created by Insikt Group for select CVEs to test potentially vulnerable instances.
Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help elevate your team by watching our recent Vulnerability Prioritization Workshop.)
About Insikt Group:
Recorded Future’s Insikt Group threat research team is comprised of analysts, linguists, and security researchers with deep government and industry experience.
Insikt Group publishes threat intelligence to the Recorded Future analyst community in blog posts and analyst notes.
Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/august-2025-cve-landscape